
Security

InfoSec, DevSec, Penetration Testing, etc.

Liran Tal Snyk

Sequelize ORM found vulnerable to SQL injection

SQL injection is a serious vulnerability, effectively allowing an attacker to run roughshod over your entire database. If you’re using Sequelize, drop everything (pun unintended) and get patched up. As a testament to Sequelize’s commitment to security and to protecting their users as fast as possible, they promptly responded and released fixes in the 3.x and 5.x branches of the library, remediating the vulnerability and providing users with an upgrade path for SQL injection prevention.

read more

CNCF

Open sourcing the Kubernetes security audit

The CNCF has been funding security audits of projects since last year. With CoreDNS, Envoy, and Prometheus taken care of, Kubernetes itself recently received the treatment. The assessment yielded a significant amount of knowledge pertaining to the operation and internals of a Kubernetes cluster. Findings and supporting documentation from the assessment have been made available today, and can be found here. If you don’t want the full report, the linked announcement lists some of the major takeaways.

read more

Liran Tal Snyk

Staying ahead of security vulnerabilities with security patches

Liran Tal: How do you cope with the issues of libraries having security vulnerabilities but there’s no fix yet? With open source packages this might even be more apparent than ever. Maintainers are rightfully not in any contract to provide you support, yet you rely on third-party software by volunteers. In this piece I want to show you how we’ve adopted surgical patches to help remove this burden and risk from users.

read more

The New Stack

Capital One's cloud misconfiguration woes have been an industry-wide fear

Developers and IT decision-makers should not be surprised by the recent Capital One data breach: Misconfigurations have long been the top cloud security concern. A new StackRox survey of IT decision-makers supports this finding as 60% of respondents are more worried about misconfigurations or exposures, as compared to attacks and generic vulnerabilities. We’re not 💯 on what exactly happened, but the evidence is pointing toward a misconfigured firewall.

read more

Forbes

Developers don't understand CORS

Fascinating look at the underpinnings of the big Zoom vulnerability announced last week, including an excellent discussion of how a lack of understanding may have led to this huge fiasco. Author Chris Foster: What this says to me is that Zoom may have needed to get this feature out and did not understand CORS. They couldn’t make the AJAX requests without the browser disallowing the attempt. Instead, they built this image hack to work around CORS. By doing this, they opened Zoom up to a big vulnerability because not only can the Zoom website trigger operations in the native client and access the response, but every other website on the internet can too.

read more

Jonathan Leitschuh Medium

Zoom's zero day bug bounty write-up

By now you’ve probably heard about Zoom’s zero day bug that exposed 4+ million webcams to the bidding of nefarious hackers. Security researcher Jonathan Leitschuh shared the full background and details on InfoSec Write-ups: This vulnerability was originally responsibly disclosed on March 26, 2019. This initial report included a proposed description of a ‘quick fix’ Zoom could have implemented by simply changing their server logic. It took Zoom 10 days to confirm the vulnerability. The first actual meeting about how the vulnerability would be patched occurred on June 11th, 2019, only 18 days before the end of the 90-day public disclosure deadline. During this meeting, the details of the vulnerability were confirmed and Zoom’s planned solution was discussed. However… If you use Zoom or if you’ve EVER installed Zoom, read Jonathan’s write-up and take appropriate action to update Zoom or to remove the lingering web server it leaves behind. Confirm if the server is present by running lsof -i :19421 in Terminal.

read more
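Both Zoom items above come down to the same design fault: a web server listening on localhost will answer any browser on the machine, and an image tag fired from any website is enough to reach it, because the browser never asks the server's permission before loading an image. The Leitschuh write-up says a quick fix was possible by changing the server logic; the following is an added example of what such a gate looks like, not Zoom's code or its actual patch. The allow-listed origin https://app.zoom.example, the function names and the sample requests are assumptions constructed for the example.

```javascript
// Added example, not Zoom's code: a request gate for a localhost HTTP helper
// (like the one on port 19421) so that only an allow-listed web origin can
// trigger it. The origin "https://app.zoom.example" is an assumption.
const ALLOWED_ORIGINS = new Set(['https://app.zoom.example']);

// HTTP header names are case-insensitive; normalise before lookup.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Decide whether a request may trigger a state-changing action (e.g. "join meeting").
function gateRequest(method, headers, allowed = ALLOWED_ORIGINS) {
  const h = lowerKeys(headers);
  const origin = h['origin'];
  const dest = h['sec-fetch-dest'];

  // In browsers that implement Fetch Metadata, fetch()/XHR send
  // Sec-Fetch-Dest: empty, while an <img> load sends "image".
  if (dest !== undefined && dest !== 'empty') {
    return { allow: false, reason: `blocked fetch destination "${dest}"` };
  }
  // An <img> GET carries no Origin header at all, so an absent Origin means
  // the caller cannot be attributed and must be refused (works in old browsers too).
  if (!origin) return { allow: false, reason: 'missing Origin header' };
  if (!allowed.has(origin)) return { allow: false, reason: `origin ${origin} not allowed` };
  // Only accept POST so a plain navigation or image load can never trigger the action.
  if (method !== 'POST') return { allow: false, reason: `method ${method} not allowed` };

  return {
    allow: true,
    reason: 'ok',
    // Echo only the verified origin back; never "*" on a local endpoint.
    responseHeaders: { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' },
  };
}

// CORS preflight (OPTIONS) for the allowed origin's cross-origin POST.
function preflight(headers, allowed = ALLOWED_ORIGINS) {
  const h = lowerKeys(headers);
  const origin = h['origin'];
  if (!origin || !allowed.has(origin)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': 'POST',
      'Access-Control-Allow-Headers': h['access-control-request-headers'] || 'Content-Type',
      'Vary': 'Origin',
    },
  };
}

// Constructed requests, shaped as a browser would send them.
const SAMPLE_REQUESTS = {
  // <img src="http://localhost:19421/..."> injected by evil.example (the "image hack")
  imageHack: ['GET', { 'Sec-Fetch-Dest': 'image', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Site': 'cross-site' }],
  // fetch() from evil.example
  evilFetch: ['POST', { Origin: 'https://evil.example', 'Sec-Fetch-Dest': 'empty' }],
  // fetch() from the vendor's own site
  legitFetch: ['POST', { Origin: 'https://app.zoom.example', 'Sec-Fetch-Dest': 'empty' }],
  // Older browser without Fetch Metadata: the Origin check still decides
  legacyImage: ['GET', {}],
};

function runSamples() {
  const results = {};
  for (const [name, [method, headers]] of Object.entries(SAMPLE_REQUESTS)) {
    results[name] = gateRequest(method, headers).allow;
  }
  return results;
}

console.log(runSamples());
```

Only the legitimate fetch passes; the image hack fails on both the destination and the missing Origin, and the evil fetch fails on the allow-list. The Origin check is the primary control, since Sec-Fetch-* headers are missing in older browsers. Note the limits: this stops other websites, not a malicious process already running on the machine, and it is no substitute for removing a listener that should not exist in the first place.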

Wired

The clever cryptography behind Apple's 'Find My' feature

In upcoming versions of iOS and macOS, the new Find My feature will broadcast Bluetooth signals from Apple devices even when they’re offline, allowing nearby Apple devices to relay their location to the cloud… it turns out that Apple’s elaborate encryption scheme is also designed not only to prevent interlopers from identifying or tracking an iDevice from its Bluetooth signal, but also to keep Apple itself from learning device locations, even as it allows you to pinpoint yours. WIRED with a fascinating explanation of an utterly fascinating scheme.

read more

npm blog.npmjs.org

npm token scanning extending to GitHub

The npm team is collaborating with GitHub on a new service that will automatically check for tokens that might have been accidentally pushed up to a repository and then automatically revoke them if they are valid. This will help to quickly mitigate attack vectors that might arise from the accidental oversharing of credentials for projects. From the post: Whenever you commit or push a change to GitHub in a public repository and an npm token is found in the change, it is sent to npm for validation. If it’s valid, we will revoke it and notify the maintainer of this action via email.

read more
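The service above reacts after a push. As an added example (not npm's or GitHub's scanner), the following is a local pre-push check in the same spirit: it walks a unified diff, looks only at added lines, and reports anything shaped like an npm registry token together with the file and new-file line number. The token shapes it matches (the `npm_`-prefixed form and the older UUID-style form), the function names and the diff are assumptions constructed for the example.

```javascript
// Added example, not npm's or GitHub's scanner: find npm-token-shaped strings
// on the added lines of a unified diff. Token formats are assumptions.
const TOKEN_PATTERNS = [
  // assumed: newer npm tokens are "npm_" followed by 36 alphanumerics
  /\bnpm_[A-Za-z0-9]{36}\b/g,
  // assumed: classic npm tokens look like UUID v4 strings
  /\b[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi,
];

function findNpmTokens(diffText) {
  const findings = [];
  let file = null;
  let lineNo = 0;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) {            // new-file header: remember the path
      file = raw.slice(4).replace(/^b\//, '');
      continue;
    }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) {                              // hunk header: reset new-file line counter
      lineNo = Number(hunk[1]) - 1;
      continue;
    }
    if (raw.startsWith('-')) continue;       // removed line: no new-file line number
    if (raw.startsWith('\\')) continue;      // "\ No newline at end of file"
    lineNo++;
    if (!raw.startsWith('+')) continue;      // context line: nothing new introduced
    for (const re of TOKEN_PATTERNS) {
      for (const m of raw.matchAll(re)) {
        // Keep only a prefix in the report so the finding itself does not leak the secret.
        findings.push({ file, line: lineNo, token: m[0], redacted: m[0].slice(0, 8) + '...' });
      }
    }
  }
  return findings;
}

// Constructed diff: a developer replaces environment lookups with literal tokens.
// Neither value is a real credential.
const SAMPLE_DIFF = [
  'diff --git a/.npmrc b/.npmrc',
  '--- a/.npmrc',
  '+++ b/.npmrc',
  '@@ -1,2 +1,3 @@',
  ' registry=https://registry.npmjs.org/',
  '-//registry.npmjs.org/:_authToken=${NPM_TOKEN}',
  '+//registry.npmjs.org/:_authToken=npm_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789',
  '+save-exact=true',
  'diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml',
  '--- a/.github/workflows/publish.yml',
  '+++ b/.github/workflows/publish.yml',
  '@@ -10,4 +10,4 @@ jobs:',
  '      - run: npm publish',
  '        env:',
  '-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}',
  '+          NODE_AUTH_TOKEN: 12345678-abcd-4ef0-9abc-1234567890ab',
  '      - run: echo done',
].join('\n');

for (const f of findNpmTokens(SAMPLE_DIFF)) {
  console.log(`${f.file}:${f.line}: possible npm token ${f.redacted}`);
}
```

Wired into a pre-push hook over `git diff origin/main...HEAD`, a non-empty result would block the push before the token ever reaches a public repository; the remote scanner then stays a backstop rather than the only line of defence.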

Security troyhunt.com

The future of Have I Been Pwned

Troy Hunt: It’s time for HIBP to grow up. It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own. HIBP is an international treasure, IMHO. It’s pretty cool to see how it has transformed Troy’s life along the way: HIBP may only be less than 6 years old, but it’s the culmination of a life’s work. I still have these vivid memories stretching back to the mid-90’s when I first started building software for the web and had a dream of creating something big; “Isn’t it amazing that I can sit here at home and write code that could have a real impact on the world one day”

read more

Python anvilventures.com

Reverse engineering the Dropbox client

Dropbox’s concept is still deceptively simple. Here’s a folder. Put files in it. Now it syncs. Move to another computing device. It syncs. The folder and files are there now too! The amount of work that goes on behind the scenes of such an application is staggering though. If you’ve ever wondered how Dropbox works, or you’ve always wanted to reverse engineer some code but didn’t know how to get started, read this. We managed to successfully reverse engineer Dropbox, write decryption and injection tools for it that work with current Dropbox clients based on Python 3.6 releases and successfully reverse engineer features and enable them.

read more

Mozilla

Mozilla has published their 2019 Internet Health Report

The report focuses on 5 questions about the internet. Is it safe? How open is it? Who is welcome? Who can succeed? Who controls it? The answer is complicated, and the report doesn’t make any particular conclusions so much as share a series of research & stories about each topic. Includes some fascinating looks at what’s going on in AI, inclusive design, open source, decentralization and more.

read more

GitHub dependabot.com

Dependabot has been acquired by GitHub

More news out of today’s GitHub Satellite event, this time from a security angle. The implications of this acquisition from the horse’s mouth: We’re integrating Dependabot directly into GitHub, starting with security fix PRs 👮‍♂️ You can still install Dependabot from the GitHub Marketplace whilst we integrate it into GitHub, but it’s now free of charge 🎁 We’ve doubled the size of Dependabot’s team; expect lots of great improvements over the coming months 👩‍💻👨‍💻👩‍💻👨‍💻👩‍💻👨‍💻 Congrats to Grey, Harry and Philip!

read more

GitHub

Are you aware of the recent Git ransomware incident?

Today, Atlassian Bitbucket, GitHub, and GitLab are issuing a joint blog post in a coordinated effort to help educate and inform users of the three platforms on secure best practices relating to the recent Git ransomware incident. So what happened? On Thursday, May 2, the security teams of Atlassian Bitbucket, GitHub, and GitLab learned of a series of user account compromises across all three platforms. These account compromises resulted in a number of public and private repositories being held for ransom by an unknown actor. Each of the teams investigated and assessed that all account compromises were the result of unintentional user credential leakage by users or other third-parties, likely on systems external to Bitbucket, GitHub, or GitLab. The security and support teams of all three companies have taken and continue to take steps to notify, protect, and help affected users recover from these events.

read more

Liran Tal DEV.to

How to securely build Docker images for Node.js

Liran Tal: Developers, often lacking insights into the intricacies of Docker, may set out to build their Node.js-based docker images by following naive tutorials which lack good security approaches in how an image is built. One of these nuances is the use of proper permissions when building Docker images. To minimize exposure, opt-in to create a dedicated user and a dedicated group in the Docker image for the application; use the USER directive in the Dockerfile to ensure the container runs the application with the least privileged access possible.

read more
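The naive tutorial Dockerfile does everything as root and never switches user, so a compromised Node.js process owns the whole container. The following is an added example (not from Liran Tal's post) of the dedicated user and group plus USER directive he describes; the user and group name "app", the working directory and the entry point are assumptions.

```dockerfile
# Added example, not from the original post. Assumed names: user/group "app",
# app directory /usr/src/app, entry point server.js.
#
# The naive version this replaces runs everything as root:
#   FROM node
#   COPY . .
#   RUN npm install
#   CMD node server.js

FROM node:lts-alpine

# Dedicated system group and user for the application (Alpine busybox syntax).
RUN addgroup -S app && adduser -S -G app app

WORKDIR /usr/src/app

# Install only production dependencies while still root; files stay root-owned,
# so the app can read its code but cannot modify it at runtime.
COPY --chown=root:root package.json package-lock.json ./
RUN npm ci --omit=dev

COPY --chown=root:root . .

# Everything from here on, including the running process, uses the unprivileged user.
USER app

EXPOSE 3000
CMD ["node", "server.js"]
```

After building, `docker run --rm <image> id` should report a non-zero uid; if the application needs a writable directory (uploads, caches), create it explicitly with `RUN mkdir -p /usr/src/app/tmp && chown app:app /usr/src/app/tmp` rather than loosening ownership of the whole tree.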

James Fisher jameshfisher.com

The inception bar: a new phishing method

Welcome to HSBC, the world’s seventh-largest bank! Of course, the page you’re reading isn’t actually hosted on hsbc.com; it’s hosted on jameshfisher.com. But when you visit this page on Chrome for mobile and scroll a little way, the page is able to display itself as hsbc.com - and worse, the page is able to jail you in this fake browser! Scary stuff since there is no known protection against this attack. It seems to be up to the Chrome team to figure out a solution.

read more

Y Combinator

Docker Hub has been hacked

Attention Docker Hub users — Docker Hub has been hacked, so check your email to read the report from Kent Lamb, Director of Docker Support, and take appropriate action. Here are the details… During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds. From lugg on Hacker News: If you got an email you should: change your password on https://hub.docker.com; check https://github.com/settings/security; reconnect OAuth for automated builds; roll over affected passwords and API keys stored in private repos / containers.

read more

Tidelift

Up to 20% of your application dependencies may be unmaintained

We recently added a new feature Tidelift subscribers can use to discover unmaintained dependencies. After taking an early look at the data we’re getting back, it appears that about 10-20% of commonly-in-use OSS packages aren’t actively maintained. Click through for an explainer on how they define “unmaintained” as well as a link to their tool for analyzing your app’s dependencies (email required).

read more
