
Security

InfoSec, DevSec, Penetration Testing, etc.
62 Stories

Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue, evil dependency explores ways to attack the developer, the server, and the end user, plus other examples. Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say:

… It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.


The Changelog The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned into malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts. They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainership of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.


Adam Stacoviak changelog.com

The Cryptography Research Group at Microsoft released Microsoft SEAL to encrypt and secure sensitive data in the cloud

If you’ve been watching the news, you know that the latest data breach involved Marriott exposing 500 million guest reservations from its Starwood database. The kicker is that the unauthorized access to the Starwood guest database stretches back to 2014. That’s FOUR YEARS of unfettered access to this database! It’s breaches like these that helped motivate the team at the Cryptography Research Group at Microsoft to be “extremely excited” to announce the release of Microsoft SEAL (Simple Encrypted Arithmetic Library) as open source under the MIT License.


The Changelog The Changelog #325

A good open source password manager? Inconceivable!

Perry Mitchell joined the show to talk about the importance of password management and his project Buttercup — an open source password manager built around strong encryption and security standards, a beautifully simple interface, and freely available on all major platforms. We talked through encryption, security concerns, building for multiple platforms, Electron and React Native pros and woes, and their future plans to release a hosted sync and team service to sustain and grow Buttercup into a business that’s built around its open source.


Cory Doctorow Boing Boing

The newest malware vector in open source

As the title for the linked post from Cory Doctorow says, all you have to do is “become an admin on dormant, widely-used open source projects” and then do your thing.

Many open source projects attain a level of “maturity” where no one really needs any new features and there aren’t a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive. Ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity. This presents a scary social-engineering vector for malware…

We’ll be talking with Dominic Tarr about the details shared in Issue #116 on event-stream later today on The Changelog (the episode will hit RSS feeds next week). Chime in below if you’d like to add questions/thoughts to our planned discussion.


Tanya Janca Medium

Why I love password managers

Tanya leads with this as a disclaimer: “This article is for beginners in security or other IT folk, not experts.” This means it is a 101-level post, but it covers a highly important topic. Share as needed.

Passwords are awful … software security industry expects us to remember 100+ passwords, that are complex (variations of upper & lowercase, numbers and special characters), that are supposed to be changed every 3 months, with each one being unique. Obviously this is impossible for most people.

Tanya goes on to say… If you work in an IT environment, you absolutely must have a password manager. I strongly suggest that anyone who uses a computer regularly and has multiple passwords to remember to get one, even if you don’t consider yourself tech savvy.

I fully agree. I also use 1Password and have done so for as long as I can possibly remember.


Safari adage.com

Apple's new anti-tracking feature in Safari takes toll

The irony here is that the site we’re linking to for this story is FULL of display ads. The web and mobile web for content sites, blogs, and the like tend to border on a confusing and/or terrible experience because of ads, modals, takeover screens, content that seems like content but is just advertising in disguise…then, THEN…the retargeting. I can see why, given Apple’s focus on user privacy, this feature is a Safari thing and is being led by Apple.

The feature—blandly dubbed “Intelligent Tracking Prevention,” or “ITP 2”— is the second major iteration of its anti-tracking tool, which was first introduced last year. The update prevents marketers from targeting Safari users across the web. For example, someone who visits Nike’s website can’t be targeted elsewhere on the web, such as Google search or the New York Times website.

I’m all for websites finding ways to make money from smart relationships, partnerships, and “ads,” but they must be delivered in well-mannered and tasteful ways that do not objectify the reader or their privacy.


Electron buttercup.pw

The open source password manager you deserve

Buttercup claims to be secure, simple, and free. That’s a powerful trio if it can deliver on its promises. It has a cross-platform desktop app (thanks in part to Electron), iOS and Android apps, and extensions for every major browser. That’s a lot! Especially for an open source project created primarily by just two people. Could this steal market share from the big guns such as 1Password and LastPass?


Caroline Haskins motherboard.vice.com

Old school 'sniffing' attacks can still reveal your browsing history

Several major browsers you and I use every day are capable of leaking our browsing history, and they all know about it. Caroline Haskins at Motherboard writes:

Most modern browsers—such as Chrome, Firefox, and Edge … have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user’s web history, per new research from the University of California San Diego. In a statement provided to Motherboard via email, senior engineering manager of Firefox security Wennie Leung said that Firefox will “prioritize our review of these bugs based on the threat assessment.” Google spokesperson Ivy Choi told Motherboard in an email that they are aware of the issue and are “evaluating possible solutions.”

Ben Adida shared this on Twitter: When first web history sniffing attacks came out, I suggested we had to change the notion of a visited link: a link would be marked visited by origin (edges, not nodes.) That was considered too dramatic a change. Maybe it’s necessary after all.

Who’s ready to dig into this research and share how vulnerable we really are and what types of malicious websites could/would extract our browsing history? If you do, let us know so we can link it up.


Bitcoin github.com

Square's Bitcoin cold storage solution

Why cold storage? Because security: For security purposes, Square stores a reserve of Bitcoins in an offline setting. By having these funds offline, we reduce attack surface and hence risk of theft. Square can move the funds offline at any time, but moving them back online requires a multi-party signing ceremony. They can also embed programming logic into the cold storage modules, so that only Square-owned addresses can receive the funds. That’s defense-in-depth, right there. Bitcoin’s latest bull run is over, but those who believe in decentralized money continue to toil away… building the future they want to exist.


John Gruber daringfireball.net

Daring Fireball on Facebook giving advertisers your shadow contact info

Commentary on commentary here, but seriously — we obviously track news on privacy and security — Gruber’s paraphrase from Kashmir Hill’s post on Gizmodo is priceless. Here is Gruber’s take…

Hill: Facebook, are you doing this terrible thing?
Facebook: No, we don’t do that.
Hill, months later: Here’s academic research that shows you do this terrible thing.
Facebook: Yes, of course we do that.

I agree with Gruber on Facebook being a morally criminal enterprise. Also, I try to avoid Facebook, aside from my wife’s usage, at all costs. I’m even leery of Instagram, which is sad because one of my professional hobbies is photography. Gruber says: At this point I consider Facebook a criminal enterprise. Maybe not legally, but morally. How in the above scenario is Facebook not stealing Ben’s privacy?


Matthew Green blog.cryptographyengineering.com

Why I’m done with Chrome

Like many of you reading this, you’re probably signed into a Google service when browsing the web — Google apps (G Suite), YouTube, Gmail, etc. The line between the browser (Chrome) and your signed-in services was clear before, and now it’s not. Matthew Green, Cryptographer and Professor at Johns Hopkins University, writes on his personal blog:

What changed? A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet.

Thankfully I have been using Brave a whole lot more recently and I’ve really been enjoying an internet where display ads aren’t ruining the experience, and where my privacy isn’t being harvested as I use it.


Gervasio Marchand g3rv4.com

Want a secure browser? Disable your extensions

Gervasio Marchand: While working on Taut (aka BetterSlack) I noticed that a browser extension could do lots and lots of harm. On this article, I explain how the only way to browse safely is to completely avoid them (or to be really really involved in managing them). If you’re thinking, “But open source!” click through and see what Gervasio has to say about that. He also includes some examples of extensions that went rogue or were hacked and how one could abuse the system.


Cloudflare Blog

Cloudflare goes interplanetary with IPFS Gateway

It’s exciting to see Cloudflare bridging the gap between IPFS and the traditional web. Cloudflare’s IPFS Gateway is an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer. We hope our gateway, hosted at cloudflare-ipfs.com, will serve as the platform for many new highly-reliable and security-enhanced web applications. For those who want a deep dive into IPFS, check out the show we did with Juan Benet – The Changelog #204.


Bert Hubert blog.powerdns.com

Firefox is considering a move to third party DNS lookups

Specifically, they are considering making Cloudflare the default nameserver. A new feature called “Trusted Recursive Resolver” (TRR) could be turned on by default, and therefore override the DNS settings you’ve configured in your network. Cloudflare says it takes your privacy more seriously than telecommunication service providers do because this DNS query will be encrypted, unlike regular DNS. They also promise not to sell your data or engage in user profiling.

Cloudflare and Mozilla have set out a privacy policy that rules out any form of customer profiling. Their story is that many ISPs are doing user profiling and marketing, and that moving your DNS to Cloudflare is therefore a win for your privacy.

This is a deep subject with many, many layers. Dig deep on this one. So, the question is — under what circumstances would it be OK for Cloudflare (or any other third party) to take over our DNS by default?


Fedor Indutny darksi.de

HashWick V8 vulnerability

Get the backstory on the Hash Seed guessing game and HashWick from Fedor Indutny:

About one year ago, I’ve discovered a way to do a Denial-of-Service (DoS) attack on a local Node.js instance. The process involved sending huge amounts of data to the HTTP server running on the same machine as the attacker, and measuring the timing differences between various payloads. Given that the scope of attack was limited to the same machine, it was decided by V8 team and myself that the issue wasn’t worth looking in yet. Nevertheless, a blog post was published. This year, I had a chance to revisit the Hash Seed guessing game with restored enthusiasm and new ideas. The results of this experiment are murky, and no fix is available yet in V8. Thus all V8 release lines are vulnerable to the HashWick attack.

Fedor also mentioned that this issue was disclosed responsibly and this blog post was published 90+ days after the initial report.


Eric Holmes Medium

Here's how Eric Holmes gained commit access to Homebrew in 30 minutes

This post from Eric Holmes details how package managers can be used in supply chain attacks — specifically, in this case, a supply chain attack on Homebrew — which is used by hundreds of thousands of people, including “employees at some of the biggest companies in Silicon Valley.”

On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core. If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers?


Brian Krebs krebsonsecurity.com

Reddit breach highlights limits of SMS-based authentication

The cause is a 2FA fail with either SIM security or a mobile number port-out scam as the point of failure. Brian Krebs writes for KrebsOnSecurity:

Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor. In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. Another typical scheme involves mobile number port-out scams, wherein the attacker impersonates a customer and requests that the customer’s mobile number be transferred to another mobile network provider.

Were you exposed?

…between June 14 and 18 an attacker compromised several employee accounts at its cloud and source code hosting providers. Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.


Without Boats boats.gitlab.io

I sign my git commits with bpb (not pgp or gpg)

Right now, the only way to sign your git commits is to use PGP signatures (this is all git is able to integrate with). After a less than desirable experience using GPG, withoutboats wrote bpb in Rust to replace GPG.

I’ve been taking steps toward trying to sign and verify the data in the repo’s index without shipping a copy of GPG with Rust to every user. This means I need to implement enough of the PGP protocol to create signatures and public keys that git will accept as valid. I’ve done this in a library which I’ve named pbp, this stands for Pretty Bad Protocol. This library implements parsing and generation for a small subset of the PGP protocol…


Chrome blog.google

HTTP 'not secure'

Chrome security has reached a milestone — Chrome will now mark HTTP sites as “not secure”.

Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users.

Also, check out this episode of HTTP203 with Emily Schechter (Product Manager on the Chrome Security team).
