Security

InfoSec, DevSec, Penetration Testing, etc.
108 Stories

WebAssembly bytecodealliance.org

Building a secure by default, composable future for WebAssembly

Mozilla, Fastly, Intel, and Red Hat are forming a “Bytecode Alliance”, described as: a new industry partnership coming together to forge WebAssembly’s outside-the-browser future by collaborating on implementing standards and proposing new ones. Their aim: We have a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations. And based on advances rapidly emerging in the WebAssembly community, we believe we can make this vision real. Security sits at the dead center of this alliance. Click through for an in-depth rundown of why those cracks in today’s software foundations (chiefly that your own code and the third-party code it pulls in run with the same privileges) are a problem and what they plan to do about it. Also, some awesome code cartoons from Lin Clark (I assume).

Cloud blog.trailofbits.com

Algo – your personal VPN in the cloud

The linked article is an excellent introduction to Algo, which is effectively a set of Ansible scripts that set up a WireGuard and IPsec VPN for you. Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need. And it’s free. For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you. One thing to keep in mind: a single-tenant VPN on a cloud VM moves your trust from a VPN vendor to your cloud provider rather than removing it. Algo’s list of features (and anti-features) is compelling, and most commercial VPN services are terrible. 👀

Liran Tal Snyk

JavaScript frameworks security report 2019

Liran Tal: In this report, we investigate the state of security for both the Angular and React ecosystems, looking at best practices, secure coding, and security vulnerabilities in React, Angular, and other frontend projects such as Bootstrap, Vue.js, and jQuery. Inside you will find the report in its digital format as a PDF to download and review offline.

Twitter

I bet you could've guessed Equifax's username and password...

Jane Lytvynenko went digging through the Equifax class-action suit and uncovered some absolute gems: Furthermore, Equifax employed the username “admin” and the password “admin” to protect a portal used to manage credit disputes, a password that “is a surefire way to get hacked.” This portal contained a vast trove of personal information. Hanlon’s razor often applies in security breaches like these, but I can’t see this as anything but pure negligence by Equifax’s technical teams. There’s more: Equifax also failed to encrypt sensitive data in its custody… admitted that sensitive personal information relating to hundreds of millions of Americans was not encrypted… Not only was this information unencrypted, but it was also accessible through a public-facing, widely used website. Filed under you-gotta-be-freakin-kiddin-me

The New Stack

New cryptojacking worm found in docker containers

Jack Wallen: A new cryptojacking worm, named Graboid, has been spread into more than 2,000 Docker hosts, according to the Unit 42 researchers from Palo Alto Networks. This is the first time such a piece of malware has spread via containers within the Docker Engine (specifically docker-ce). Scary stuff, and (at the moment) hard to detect and prevent with the usual endpoint tooling: We’ve reached a point with containers where security must be constantly on the front burner. Antivirus and anti-malware applications currently have no means of analyzing and cleaning containers and container images. That’s the heart of the issue. Graboid may be the first malware to target containers, but it certainly won’t be the last.

Security osquery.io

Query your OS like a database

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

osquery> SELECT name, path, pid FROM processes WHERE on_disk = 0;
name = Drop_Agent
path = /Users/jim/bin/dropage
pid = 561

Node.js github.com

Jsfuzz – a coverage-guided fuzzer for testing JavaScript/Node packages

Fuzzing for safe languages like nodejs is a powerful strategy for finding bugs like unhandled exceptions, logic bugs, security bugs that arise from both logic bugs and Denial-of-Service caused by hangs and excessive memory usage. As we recently learned on Go Time: pessimists write tests, fuzz functions, and sleep well at night. 💤
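To make the "unhandled exceptions and Denial-of-Service" part concrete, here is an added example, not jsfuzz's own code or anything from its README: a jsfuzz target for a small HTTP header parser constructed for this illustration, carrying the kind of bug a coverage-guided fuzzer finds in seconds (an unchecked Content-Length fed to an allocation), next to the hardened version. The parser, its bug, the seeds and the CLI invocation `npx jsfuzz fuzz-headers.js corpus/` are assumptions of this example.

```javascript
// Added example (not jsfuzz's code): a fuzz target for a constructed header
// parser, the DoS bug jsfuzz would report, and the fix.
// Run with: npx jsfuzz fuzz-headers.js corpus/   (assumes jsfuzz is installed)
const MAX_BODY = 1024 * 1024; // 1 MiB, a policy limit for this example

// Parse "Name: value" lines up to the first blank line. Names are lowercased.
function parseHeaders(text) {
  const headers = {};
  for (const line of text.split('\r\n')) {
    if (line === '') break;
    const idx = line.indexOf(':');
    if (idx < 0) continue;                        // tolerate junk lines
    const name = line.slice(0, idx).trim().toLowerCase();
    headers[name] = line.slice(idx + 1).trim();
  }
  return headers;
}

// Naive: trusts Content-Length straight into an allocation. Buffer.alloc
// throws a RangeError on negative or enormous sizes, so a header like
// "Content-Length: 99999999999999999999" kills the process. That uncaught
// exception is exactly what jsfuzz records as a crasher.
function prepareBody(headerText) {
  const h = parseHeaders(headerText);
  return Buffer.alloc(Number(h['content-length'] || 0));
}

// Hardened: only a short run of digits within policy is accepted; anything
// else is rejected with null instead of an exception.
function prepareBodySafely(headerText) {
  const h = parseHeaders(headerText);
  const raw = h['content-length'];
  if (raw === undefined) return Buffer.alloc(0);
  if (!/^\d{1,7}$/.test(raw)) return null;       // "-5", "1e9", "0x10", "" are all rejected
  const n = Number(raw);
  if (n > MAX_BODY) return null;
  return Buffer.alloc(n);
}

// jsfuzz entry point: it calls fuzz(buf) with a mutated Buffer and treats any
// uncaught exception (or a hang, or runaway memory) as a finding. Don't catch.
function fuzz(buf) {
  prepareBody(buf.toString('utf8'));              // swap in prepareBodySafely to confirm the fix
}

// Seeds to write into the corpus directory so mutation starts from valid input.
const SEEDS = [
  'Host: example.com\r\nContent-Length: 12\r\n\r\n',
  'Content-Type: text/plain\r\n\r\n',
];

// The kind of input jsfuzz would save as a crasher (constructed here).
const CRASHER = 'Content-Length: 99999999999999999999\r\n\r\n';

// Run a function over inputs and return the ones that threw: a deterministic
// stand-in for the fuzz loop, useful for pinning crashers in unit tests.
function crashesOn(fn, inputs) {
  const crashers = [];
  for (const input of inputs) {
    try { fn(input); } catch (e) { crashers.push({ input, error: e.name }); }
  }
  return crashers;
}

module.exports = { fuzz, parseHeaders, prepareBody, prepareBodySafely, crashesOn, SEEDS, CRASHER };
```

The habit worth copying is the last function: every crasher the fuzzer saves goes back into the test suite through `crashesOn`, so the bug cannot quietly return after the next refactor.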

Liran Tal Snyk

Sequelize ORM found vulnerable to SQL injection

SQL injection is a serious vulnerability, effectively allowing an attacker to run roughshod over your entire database. If you’re using Sequelize, drop everything (pun unintended) and get patched up. As a testament to Sequelize’s commitment to security and protecting their users as fast as possible, they promptly responded and released fixes in the 3.x and 5.x branches of the library, remediating the vulnerability and providing users with an upgrade path for SQL injection prevention.

CNCF

Open sourcing the Kubernetes security audit

The CNCF has been funding security audits of projects since last year. With CoreDNS, Envoy, and Prometheus taken care of, Kubernetes itself recently received the treatment. The assessment yielded a significant amount of knowledge pertaining to the operation and internals of a Kubernetes cluster. Findings and supporting documentation from the assessment have been made available today, and can be found here. If you don’t want the full report, the linked announcement lists some of the major takeaways.

Liran Tal Snyk

Staying ahead of security vulnerabilities with security patches

Liran Tal: How do you cope with the issues of libraries having security vulnerabilities but there’s no fix yet? With open source packages this might even be more apparent than ever. Maintainers are rightfully not in any contract to provide you support, yet you rely on third-party software by volunteers. In this piece I want to show you how we’ve adopted surgical patches to help remove this burden and risk from users.

The New Stack

Capital One's cloud misconfiguration woes have been an industry-wide fear

Developers and IT decision-makers should not be surprised by the recent Capital One data breach: Misconfigurations have long been the top cloud security concern. A new StackRox survey of IT decision-makers supports this finding as 60% of respondents are more worried about misconfigurations or exposures, as compared to attacks and generic vulnerabilities. We’re not 💯 on what exactly happened, but the evidence is pointing toward a misconfigured firewall.

Forbes

Developers don't understand CORS

Fascinating look at the underpinnings of the big Zoom vulnerability announced last week, including an excellent discussion of how a lack of understanding may have led to this huge fiasco. Author Chris Foster: What this says to me is that Zoom may have needed to get this feature out and did not understand CORS. They couldn’t make the AJAX requests without the browser disallowing the attempt. Instead, they built this image hack to work around CORS. By doing this, they opened Zoom up to a big vulnerability because not only can the Zoom website trigger operations in the native client and access the response, but every other website on the internet can too.

Jonathan Leitschuh Medium

Zoom's zero day bug bounty write-up

By now you’ve probably heard about Zoom’s zero day bug that exposed 4+ million webcams to the bidding of nefarious hackers. Security researcher Jonathan Leitschuh shared the full background and details on InfoSec Write-ups: This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However… If you use Zoom or if you’ve EVER installed Zoom, read Jonathan’s write-up and take appropriate action to update Zoom or to remove the lingering web server it leaves behind. Confirm whether the server is present by running lsof -i :19421 in Terminal; if anything is listening on that port, the write-up tells you what to kill and remove.

Wired

The clever cryptography behind Apple's 'Find My' feature

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they’re offline, allowing nearby Apple devices to relay their location to the cloud… it turns out that Apple’s elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours. WIRED has a clear explanation of an utterly fascinating scheme.

npm blog.npmjs.org

npm token scanning extending to GitHub

The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post: Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email. Worth remembering: revocation happens after the push, so by the time the email arrives the token has already been public. Treat it as compromised, and check whether anything was published with it in the meantime.

Security troyhunt.com

The future of Have I Been Pwned

Troy Hunt: It’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own. HIBP is an international treasure, IMHO. It’s pretty cool to see how it has transformed Troy’s life along the way: HIBP may only be less than 6 years old, but it’s the culmination of a life’s work. I still have these vivid memories stretching back to the mid-90’s when I first started building software for the web and had a dream of creating something big; “Isn’t it amazing that I can sit here at home and write code that could have a real impact on the world one day”

Python anvilventures.com

Reverse engineering the Dropbox client

Dropbox’s concept is still deceptively simple. Here’s a folder. Put files in it. Now it syncs. Move to another computing device. It syncs. The folder and files are there now too! The amount of work that goes on behind the scenes of such an application is staggering though. If you’ve ever wondered how Dropbox works, or you’ve always wanted to reverse engineer some code but didn’t know how to get started, read this. We managed to successfully reverse engineer Dropbox, write decryption and injection tools for it that work with current Dropbox clients based on Python 3.6 releases and successfully reverse engineer features and enable them.
