
Security

InfoSec, DevSec, Penetration Testing, etc.

The Changelog #377

Meet Algo, your personal VPN in the cloud

The commercial VPN industry is a minefield to navigate, and many open source solutions are a pain to use or ill-suited for the task. Algo VPN, on the other hand, is a self-hosted personal VPN designed for ease of deployment and security. It sticks to modern, well-vetted standards, builds on rock-solid pieces like WireGuard and Ansible, and runs on an ever-growing list of cloud hosting providers.

On this episode Dan Guido, CEO of security firm Trail of Bits and Algo’s creator, joins Jerod to discuss the project in depth.

Filippo Valsorda github.com

age is a simple, modern, and secure file encryption tool

It features small explicit keys, no config options, and UNIX-style composability.

$ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age -d -i key.txt data.tar.gz.age > data.tar.gz

If Rust is more your thing, check out the perfectly named port: rage.

Docker github.com

Minify and secure your docker containers (30x?)

DockerSlim promises a lot:

docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don’t need, reducing the attack surface for your container. What if you need some of those extra things to debug your container? You can use dedicated debugging side-car containers for that.

Their minification examples are impressive…

EFF

It's official: EFF's Certbot goes 1.0

Certbot was first released in 2015, and since then it has helped more than two million website administrators enable HTTPS by automatically deploying Let’s Encrypt certificates. Let’s Encrypt is a free certificate authority that EFF helped launch in 2015, now run for the public’s benefit through the Internet Security Research Group (ISRG).

A lot of progress has been made since we first talked about Let’s Encrypt on The Changelog.

WebAssembly bytecodealliance.org

Building a secure by default, composable future for WebAssembly

Mozilla, Fastly, Intel, and Red Hat are forming a “Bytecode Alliance”, which is described as:

a new industry partnership coming together to forge WebAssembly’s outside-the-browser future by collaborating on implementing standards and proposing new ones.

Their aim:

We have a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations. And based on advances rapidly emerging in the WebAssembly community, we believe we can make this vision real.

Security is at the dead center of this alliance. Click through for an in-depth rundown of what they think is broken in today’s software foundations and what they plan to do about it. Also, some awesome code cartoons from Lin Clark (I assume).

Cloud blog.trailofbits.com

Algo – your personal VPN in the cloud

The linked article is an excellent introduction to Algo, which is effectively a set of Ansible playbooks that set up a WireGuard and IPsec VPN for you.

Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need. And it’s free.

For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.

Algo’s list of features (and anti-features) is compelling and most VPN services are terrible. 👀

Twitter

I bet you could've guessed Equifax's username and password...

Jane Lytvynenko went digging through the Equifax class-action suit and uncovered some absolute gems:

Furthermore, Equifax employed the username “admin” and the password “admin” to protect a portal used to manage credit disputes, a password that “is a surefire way to get hacked.” This portal contained a vast trove of personal information.

Hanlon’s razor often applies in security breaches like these, but I can’t see this as anything but pure negligence by Equifax’s technical teams. There’s more:

Equifax also failed to encrypt sensitive data in its custody… admitted that sensitive personal information relating to hundreds of millions of Americans was not encrypted… Not only was this information unencrypted, but it was also accessible through a public-facing, widely used website.

Filed under you-gotta-be-freakin-kiddin-me

The New Stack

New cryptojacking worm found in docker containers

Jack Wallen:

A new cryptojacking worm, named Graboid, has been spread into more than 2,000 Docker hosts, according to the Unit 42 researchers from Palo Alto Networks. This is the first time such a piece of malware has spread via containers within the Docker Engine (specifically docker-ce).

Scary stuff, and (at the moment) difficult to detect & prevent:

We’ve reached a point with containers where security must be constantly on the front burner. Antivirus and anti-malware applications currently have no means of analyzing and cleaning containers and container images. That’s the heart of the issue.

Graboid may be the first malware to target containers, but it certainly won’t be the last.

Security osquery.io

Query your OS like a database

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

osquery> SELECT name, path, pid FROM processes WHERE on_disk = 0;
name = Drop_Agent
path = /Users/jim/bin/dropage
pid = 561

Node.js github.com

Jsfuzz – a coverage-guided fuzzer for testing JavaScript/Node packages

Fuzzing for safe languages like Node.js is a powerful strategy for finding bugs such as unhandled exceptions, logic bugs, security bugs that arise from logic bugs, and denial of service caused by hangs and excessive memory usage.

As we recently learned on Go Time: pessimists write tests, fuzz functions, and sleep well at night. 💤
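To make that concrete, here is an added example (my own code, not from the Jsfuzz project or the original post): a small query-string parser with a deliberate defect, the fuzz target for it in the `module.exports = { fuzz }` shape I recall from the Jsfuzz README (treat that shape as an assumption), a hardened parser beside it, and a tiny deterministic mutation loop standing in for the real coverage-guided fuzzer so the crash can be reproduced offline. The parser, its bug and the seed input are all constructed for this illustration.

```javascript
'use strict';

// Target: a hand-written query-string parser with a deliberate defect.
// decodeURIComponent on raw input throws URIError for malformed escapes
// such as "a=%" or "%1&": an unhandled exception, the bread and butter of
// fuzzing a memory-safe language.
function parseQueryUnsafe(text) {
  const out = Object.create(null);            // no prototype: "__proto__" is a plain key
  for (const pair of text.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? '' : pair.slice(eq + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(val);   // throws URIError on bad escapes
  }
  return out;
}

// Hardened: a malformed escape is a parse failure (null), not an exception
// that propagates to whoever handed us untrusted input.
function parseQuerySafe(text) {
  try {
    return parseQueryUnsafe(text);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err;
  }
}

// Jsfuzz entry point (assumed README convention): a module exporting
// fuzz(buf), where buf is a Buffer of fuzzer-generated bytes. Any uncaught
// throw is reported as a crash together with the input that caused it.
function fuzz(buf) {
  parseQueryUnsafe(buf.toString('utf8'));
}

// Tiny, deterministic stand-in for the fuzzer loop (Jsfuzz is coverage-guided
// and far smarter): mutate a seed input with an LCG and return the first
// string that makes the target throw, or null if none is found in time.
function dumbFuzz(target, seed, iterations) {
  let state = 0x2545f491;
  const rand = (n) => {
    state = (Math.imul(state, 1103515245) + 12345) >>> 0;
    return (state >>> 16) % n;                // use high bits; LCG low bits cycle quickly
  };
  const alphabet = 'ab=&%0123456789';
  for (let i = 0; i < iterations; i++) {
    const chars = seed.split('');
    const edits = 1 + rand(3);
    for (let j = 0; j < edits; j++) {
      const pos = rand(chars.length + 1);
      chars.splice(pos, rand(2), alphabet[rand(alphabet.length)]);  // replace or insert one char
    }
    const candidate = chars.join('');
    try {
      target(Buffer.from(candidate, 'utf8'));
    } catch (err) {
      return candidate;                       // crash found: this is what the fuzzer reports
    }
  }
  return null;
}

if (typeof module !== 'undefined') {
  module.exports = { fuzz, parseQueryUnsafe, parseQuerySafe, dumbFuzz };
}
```

Running `dumbFuzz(fuzz, 'a=1&b=2', 3000)` returns a mutated input containing a stray `%`, which is exactly the class of input a real run of Jsfuzz would surface within seconds; the safe parser returns `null` for it instead of throwing.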

Liran Tal Snyk

Sequelize ORM found vulnerable to SQL injection

SQL injection is a serious vulnerability, effectively allowing an attacker to run roughshod over your entire database. If you’re using Sequelize, drop everything (pun unintended) and get patched up.

As a testament to Sequelize’s commitment to security and protecting their users as fast as possible, they promptly responded and released fixes in the 3.x and 5.x branches of the library, remediating the vulnerability and providing users with an upgrade path for SQL injection prevention.

Security github.com

A dead simple VPN

Works out of the box. No lousy documentation to read. No configuration file. No post-configuration. Run a single-line command on the server, a similar one on the client and you’re done. No firewall and routing rules to manually mess with.

This looks like a nice alternative to the many vpn-as-a-service offerings out there if you’re up for hosting it yourself.

CNCF

Open sourcing the Kubernetes security audit

The CNCF has been funding security audits of projects since last year. With CoreDNS, Envoy, and Prometheus taken care of, Kubernetes itself recently received the treatment.

The assessment yielded a significant amount of knowledge pertaining to the operation and internals of a Kubernetes cluster. Findings and supporting documentation from the assessment have been made available today, and can be found here.

If you don’t want the full report, the linked announcement lists some of the major takeaways.

Liran Tal Snyk

Staying ahead of security vulnerabilities with security patches

Liran Tal:

How do you cope with the issues of libraries having security vulnerabilities but there’s no fix yet? With open source packages this might even be more apparent than ever. Maintainers are rightfully not in any contract to provide you support, yet you rely on third-party software by volunteers.

In this piece I want to show you how we’ve adopted surgical patches to help remove this burden and risk from users.

The New Stack

Capital One's cloud misconfiguration woes have been an industry-wide fear

Developers and IT decision-makers should not be surprised by the recent Capital One data breach: Misconfigurations have long been the top cloud security concern. A new StackRox survey of IT decision-makers supports this finding as 60% of respondents are more worried about misconfigurations or exposures, as compared to attacks and generic vulnerabilities.

We’re not 💯 on what exactly happened, but the evidence is pointing toward a misconfigured firewall.

Forbes

Developers don't understand CORS

Fascinating look at the underpinnings of the big Zoom vulnerability announced last week, including an excellent discussion of how a lack of understanding may have led to this huge fiasco. Author Chris Foster:

What this says to me is that Zoom may have needed to get this feature out and did not understand CORS. They couldn’t make the AJAX requests without the browser disallowing the attempt. Instead, they built this image hack to work around CORS. By doing this, they opened Zoom up to a big vulnerability because not only can the Zoom website trigger operations in the native client and access the response, but every other website on the internet can too.
