
Security

InfoSec, DevSec, Penetration Testing, etc.

Cloudflare Blog

Cloudflare goes interplanetary with IPFS Gateway

It's exciting to see Cloudflare bridging the gap between IPFS and the traditional web. Cloudflare’s IPFS Gateway is an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer. We hope our gateway, hosted at cloudflare-ipfs.com, will serve as the platform for many new highly-reliable and security-enhanced web applications. For those who want a deep dive into IPFS, check out the show we did with Juan Benet – The Changelog #204.


Bert Hubert blog.powerdns.com

Firefox is considering a move to third party DNS lookups

Specifically, they are considering making Cloudflare the default nameserver. A new feature called "Trusted Recursive Resolver" (TRR) could be turned on by default, and therefore override the DNS changes you've configured in your network. Cloudflare says it takes your privacy more seriously than telecommunication service providers do because this DNS query will be encrypted, unlike regular DNS. They also promise not to sell your data or engage in user profiling. Cloudflare and Mozilla have set out a privacy policy that rules out any form of customer profiling. Their story is that many ISPs are doing user profiling and marketing, and that moving your DNS to Cloudflare is therefore a win for your privacy. This is a deep subject with many, many layers. Dig deep on this one. So, the question is — under what circumstances would it be OK for Cloudflare (or any other third party) to take over our DNS by default?


Fedor Indutny darksi.de

HashWick V8 vulnerability

Get the backstory on the Hash Seed guessing game and HashWick from Fedor Indutny: About one year ago, I discovered a way to do a Denial-of-Service (DoS) attack on a local Node.js instance. The process involved sending huge amounts of data to the HTTP server running on the same machine as the attacker, and measuring the timing differences between various payloads. Given that the scope of the attack was limited to the same machine, it was decided by the V8 team and myself that the issue wasn't worth looking into yet. Nevertheless, a blog post was published. This year, I had a chance to revisit the Hash Seed guessing game with restored enthusiasm and new ideas. The results of this experiment are murky, and no fix is available yet in V8. Thus all V8 release lines are vulnerable to the HashWick attack. Fedor also mentioned that this issue was disclosed responsibly and this blog post was published 90+ days after the initial report.


Eric Holmes Medium

Here's how Eric Holmes gained commit access to Homebrew in 30 minutes

This post from Eric Holmes details how package managers can be used in supply chain attacks — specifically, in this case, a supply chain attack on Homebrew — which is used by hundreds of thousands of people, including "employees at some of the biggest companies in Silicon Valley." On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core. If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers?


Brian Krebs krebsonsecurity.com

Reddit breach highlights limits of SMS-based authentication

The cause is a 2FA fail with either SIM security or a mobile number port-out scam as the point of failure. Brian Krebs writes for KrebsOnSecurity: Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor. In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. Another typical scheme involves mobile number port-out scams, wherein the attacker impersonates a customer and requests that the customer’s mobile number be transferred to another mobile network provider. Were you exposed? ...between June 14 and 18 an attacker compromised several employee accounts at its cloud and source code hosting providers. Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.


Without Boats boats.gitlab.io

I sign my git commits with bpb (not pgp or gpg)

Right now, the only way to sign your git commits is to use PGP signatures (this is all git is able to integrate with). After a less than desirable experience using GPG, Without Boats wrote bpb in Rust to replace GPG. I’ve been taking steps toward trying to sign and verify the data in the repo's index without shipping a copy of GPG with Rust to every user. This means I need to implement enough of the PGP protocol to create signatures and public keys that git will accept as valid. I’ve done this in a library which I’ve named pbp, which stands for Pretty Bad Protocol. This library implements parsing and generation for a small subset of the PGP protocol...


Chrome blog.google

HTTP 'not secure'

Chrome security has reached a milestone — Chrome will now mark HTTP sites as “not secure”. Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users. Also, check out this episode of HTTP203 with Emily Schechter (Product Manager on the Chrome Security team).


Brendan Eich brave.com

Brave's private tabs now with Tor (in beta)

It's nice to see Tor being baked into Brave! Tor is now available to the masses. Today we’re releasing our latest desktop browser Brave 0.23 which features Private Tabs with Tor, a technology for defending against network surveillance. This new functionality, currently in beta, integrates Tor into the browser and gives users a new browsing mode that helps protect their privacy not only on device but over the network. Do you use Brave on the daily? I have it installed, but I don't use it on a daily basis. Also — Brendan Eich tweeted this to give credit where credit is due, and this tweet about the relays that were added.


TypeScript github.com

A secure TypeScript runtime on V8

If you need a JS runtime that supports TypeScript out of the box and has security as a top-most priority, star this repo and come back when it's no longer "Segfaulty". Feature bullets! 👇

- No package.json, no npm. Not backwards compatible with Node
- Single executable
- Defaults to read-only file system access
- Always dies on uncaught errors
- Supports top-level await

EDIT: it's worth noting that this project is by Ryan Dahl, inventor of Node.js.


Jessie Frazelle blog.jessfraz.com

Containers, security, and echo chambers

Jessie Frazelle: There seems to be some confusion around sandboxing containers as of late, mostly because of the recent launch of gvisor... There is a large amount of ignorance towards the existing defaults to make containers secure. Which is crazy since I have written many blog posts on it and given many talks on the subject. Jessie has been doing the yeoman's work of Linux kernel isolation and making containers secure for a while now, but much of that work has been overlooked or disregarded by others in the community. I'm on the outside looking in at this situation, so it's tough to call exactly what's going on, but according to Jessie: When you work at a large organization you are surrounded by an echo chamber. So if everyone in the org is saying “containers are not secure,” you are bound to believe it and not research actual facts. That doesn't mean Jessie thinks containers are secure (click through to read her take on that). There's a lot to dig into here and think about. I'll pull out one last point: I am not trying to throw shade at gvisor but merely clear up some FUD in the world of open source marketing. I truly believe that people choosing projects to use should research into them and not just choose something shiny that came out of Big Corp. Now that's a sentiment I can get behind! Oh, and listen to this related episode of The Changelog if you haven't yet. It's a must-listen for all developers.

Medium

An Efail postmortem

Efail caused a panic at the disco: ... some researchers in Europe published a paper with the bombshell title “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.” There were a lot of researchers on that team but in the hours after release Sebastian Schinzel took the point on Twitter for the group. Oh, my, did the email crypto world blow up. The following are some thoughts that have benefited from a few days for things to settle. Lots of interesting insights here, perhaps most controversially how the EFF's handling of the situation may have done more harm than good in the author's opinion. Also: we could stand to have a renewed appreciation for OpenPGP’s importance to not just email crypto, but the global economy. I can say I definitely have more appreciation for it after reading this than I did before. I hadn't thought about its influence (which is huge) outside of encrypted email.


Zack Whittaker zdnet.com

I asked Apple for all my data. Here's what was sent back.

Zack Whittaker writes for Zero Day: Apple gave me all the data it collected on me since I bought my first iPhone — in 2010. This is what has largely stood out to me in the ongoing discussion about what data the four have on me and how they use it... As insightful as it was, Apple's treasure trove of my personal data is a drop in the ocean to what social networks or search giants have on me, because Apple is primarily a hardware maker and not ad-driven, like Facebook and Google, which use your data to pitch you ads. Want to request your data? It takes just a few seconds...

Google

gVisor – a sandboxed container runtime

Why does this exist? Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability. gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.

GitHub

⚡️ Let's Encrypt strikes again, this time in your GitHub Pages

Parker Moore, on GitHub's blog: Today, custom domains on GitHub Pages are gaining support for HTTPS as well, meaning over a million GitHub Pages sites will be served over HTTPS. What's more: We have partnered with the certificate authority Let’s Encrypt on this project. As supporters of Let’s Encrypt’s mission to make the web more secure for everyone, we’ve officially become Silver-level sponsors of the initiative. If your custom domain uses CNAME or ALIAS records, no action is required to go HTTPS. If (like me) you have a custom domain using A records, follow along here.


Kubernetes github.com

A best practice guide to Kubernetes security

K8s is a powerful platform which can be abused in many ways if not configured properly. Contributors to this guide are running Kubernetes in production and worked on several K8s projects to learn about security flaws the hard way. This guide scores major points for having battle-hardened contributors. I also dig how they indicate the severity/importance of each topic with an emoji. Look out for the 💥s!


Griffin Byatt github.com

Sobelow – a security-focused static analyzer for the Phoenix framework

Yesterday, Griffin Byatt hit me up in Slack and let me know we had a few security holes. 😱 After a quick discussion about the magnitude of said holes, he informed me that he'd found them by running our code through his static analysis tool, Sobelow. Say what? For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. I asked Griffin if he'd be kind enough to open a PR with the fixes so we can link it up and use it to show folks how handy this tool is. So that's what he did and that's what I'm doing! 💚
