Security

InfoSec, DevSec, Penetration Testing, etc.

Google

Google is funding rewrites of critical OSS projects in memory-safe languages

Dan Lorenc, from Google’s Infrastructure Security Team:

Software written in unsafe languages often contains hard-to-catch bugs that can result in severe security vulnerabilities, and we take these issues seriously at Google. That’s why we’re expanding our collaboration with the Internet Security Research Group to support the reimplementation of critical open-source software in memory-safe languages.

Notice he said “expanding our collaboration”, which must mean they’ve been doing this for a bit, but I wasn’t aware of the effort? An uplifting trend, regardless. Work is well underway:

The new Rust-based HTTP and TLS backends for curl and now this new TLS library for Apache httpd are an important starting point in this overall effort. These codebases sit at the gateway to the internet and their security is critical in the protection of data for millions of users worldwide.

Security securitylab.github.com

How to get root on Ubuntu 20.04 by pretending nobody’s /home

Kevin Backhouse:

I am a fan of Ubuntu, so I would like to help make it as secure as possible. I have recently spent quite a bit of time looking for security vulnerabilities in Ubuntu’s system services, and it has mostly been an exercise in frustration…

This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu. With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves. I have made a short demo video, to show how easy it is.

This particular vulnerability is regarding the GUI, so your Ubuntu servers are unaffected. Still, 👀

Docker cloudberry.engineering

Dockerfile security best practices

8 common security issues when using Docker and how to avoid them. Here’s a sampler:

Avoid curl bashing

Pulling stuff from the internet and piping it into a shell is as bad as it could be. Unfortunately it’s a widespread solution to streamline installations of software.

The risk is the same as that framed for supply chain attacks, and it boils down to trust. If you really have to curl bash, do it right…

Josh Aas abetterinternet.org

Memory safe ‘curl’ for a more secure internet

We recently talked with Josh Aas on The Changelog #389 about securing the web with Let’s Encrypt. At the tail end of the conversation Josh shared his passion for memory safety, saying “we need to rewrite all the software that we already wrote in C and C++, and replace it.” My guess is that this move with Daniel and curl takes us several steps further in this direction.

Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe. Today we’re excited to announce that we’re working with Daniel Stenberg, author of the ubiquitous curl software, and WolfSSL, to make critical parts of the curl codebase memory safe. … ISRG is funding Daniel to work on adding support for Hyper as an HTTP back-end for curl. Hyper is a fast and safe HTTP implementation written in Rust.

Apple samcurry.net

We hacked Apple for 3 months: here’s what we found

Six white-hat hackers spent a few months on Apple’s bug bounty program:

There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.

This is a report of their findings: how they did it, vulnerabilities found, and how Apple responded to each one.

Utku Sen utkusen.com

Security by obscurity is underrated

Utku Sen:

In the information security field, we have developed lots of thoughts that can’t be discussed (or rarely discussed):

  • Never roll your own crypto
  • Always use TLS
  • Security by obscurity is bad

I certainly learned these in my Infosec classes in college. Back then I didn’t really question it much, because what did I know? But I definitely remember thinking, “Okay, security by obscurity is bad, but maybe why not do it anyway? Defense in depth, right?” Back to Utku:

Most of them are very generally correct. However, I started to think that people are saying those things because everyone else is saying them. And most people are actually not thinking about exceptional cases. In this post, I will raise my objection against the idea of “Security by obscurity is bad”.

Security github.com

Endlessh – an SSH tarpit that slowly sends an endless banner

The idea here is you put your real SSH server on a different port and let Endlessh lock up the script kiddies for hours and even days.

Since the tarpit is in the banner before any cryptographic exchange occurs, this program doesn’t depend on any cryptographic libraries. It’s a simple, single-threaded, standalone C program. It uses poll() to trap multiple clients at a time.

I’m not sure if this is actually a good idea or just fun to put into practice, like those people who dedicate their precious free time to scambaiting.

Troy Hunt troyhunt.com

I'm open sourcing the Have I Been Pwned code base

Troy Hunt:

Let me just cut straight to it: I’m going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.

It’s not open source yet, but it will be, and Troy lays out his thinking and the process in this excellent write-up. Since HIBP’s data is both sensitive and the entire point of the software, there will be special consideration taken with it:

I need to really clearly break this part of the discussion out because whilst open sourcing the code base is one thing, how the data is handled is quite another. There’s no way to sugar coat this so I’ll just lay it out bluntly: HIBP only exists due to a whole bunch of criminal activity resulting in data that’s ultimately ended up in my possession.

Then there’s the privacy side of it all: my own personal data is in those breaches and your data almost certainly is too because there are literally billions of people that have been impacted by data breaches. Regardless of how broadly that information is circling, I still need to ensure the same privacy controls prevail across the breach data itself even as the code base becomes more transparent. That’s non-trivial. Doable, but non-trivial.

Tanya Janca shehackspurple.dev

Where can we learn threat modelling?

The linked post is Tanya Janca advising on where (and how) you can learn threat modelling for yourself. What’s threat modelling?

… a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be prioritized.

See also: Martin Fowler’s guide to threat modelling for developers.