
Security

InfoSec, DevSec, Penetration Testing, etc.

Omer Levi Hevroni blog.solutotlv.com

Can Kubernetes keep a secret?

Omer Levi Hevroni: When we made the shift to Kubernetes, we wanted to keep our devs independent and put a lot of effort into allowing them to create services rapidly. It all worked like a charm – until they had to handle credentials… The solution they came up with is called Kamus, which is: “an open source, GitOps, zero trust, secrets solution for Kubernetes applications. Kamus allows you to seamlessly encrypt secret values and commit them to source control.” Jump over to the article for more on Kubernetes built-in secrets, an overview of some other alternatives, and a deep dive on how Kamus works.


Security ghidra-sre.org

Ghidra – The NSA's suite of reverse engineering tools

It’s not fully open source yet, but there’s a placeholder repo which states: “Be assured efforts are under way to make the software available here. In the meantime, enjoy using Ghidra on your SRE efforts, developing your own scripts and plugins, and perusing the over-one-million-lines of Java and Sleigh code released within the initial public release.”


Snyk

Top ten most popular docker images each contain at least 30 vulnerabilities

The adoption of application container technology is increasing at a remarkable rate and is expected to grow by a further 40% in 2020, according to 451 Research. It is common for system libraries to be present in many Docker images, as these rely on a parent image that commonly uses a Linux distribution as a base. In many cases, remediation is as simple as rebuilding the image or swapping out the base image, but it’s not always that easy. Click through for more analysis and advice.


Tanya Janca medium.com

Security bugs are fundamentally different than quality bugs

Tanya Janca compares and contrasts quality bugs and security bugs, arguing that they’re quite different and should be treated differently. This logic resonates with me and she has a lot of insights to share along the way. I particularly enjoyed this bit: “You cannot have a high-quality product that is insecure; it is an oxymoron. If an application is fast, beautiful and does everything the client asked for, but someone breaks into it the first day that it is released, I don’t think you will find anyone willing to call it a high-quality application.” A good read all the way through to the end. 👍


Chris Palmer noncombatant.org

The state of software security in 2019

Chris Palmer lays out The Good, The Bad, and The Ugly of security in the software industry. The good news is that “The Good” section is the longest of the three. The bad news is that section length is an arbitrary measurement that I just made up. 😉 The big theme: E_TOO_MUCH_COMPLEXITY. “Hardware, software, platforms, and ecosystems are often way too complex, and a whole lot of our security, privacy, and abuse problems stem from that.”


Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue, evil dependency explores ways to attack the developer, the server, the end user, plus other examples. Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say: “… It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.”


Adam Stacoviak changelog.com/posts

The Cryptography Research Group at Microsoft released Microsoft SEAL to encrypt and secure sensitive data in the cloud

If you’ve been watching the news, you know that the latest data breach involved Marriott exposing 500 million guest reservations from its Starwood database. The kicker is that the unauthorized access to the Starwood guest database stretches back to 2014. That’s FOUR YEARS of unfettered access to this database! It’s breaches like these that helped motivate the team at the Cryptography Research Group at Microsoft to be “extremely excited” to announce the release of Microsoft SEAL (Simple Encrypted Arithmetic Library) as open source under the MIT License.


Cory Doctorow Boing Boing

The newest malware vector in open source

As the title for the linked post from Cory Doctorow says, all you have to do is “become an admin on dormant, widely-used open source projects” and then do your thing. “Many open source projects attain a level of ‘maturity’ where no one really needs any new features and there aren’t a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive. Ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity. This presents a scary social-engineering vector for malware…” We’ll be talking with Dominic Tarr about the details shared in Issue #116 on event-stream later today on The Changelog (the episode will hit RSS feeds next week). Chime in below if you’d like to add questions/thoughts to our planned discussion.


Tanya Janca Medium

Why I love password managers

Tanya leads with this disclaimer: “This article is for beginners in security or other IT folk, not experts.” That means this is a 101-level post, BUT it is a highly important topic. Share as needed. “Passwords are awful … software security industry expects us to remember 100+ passwords, that are complex (variations of upper & lowercase, numbers and special characters), that are supposed to be changed every 3 months, with each one being unique. Obviously this is impossible for most people.” Tanya goes on to say: “If you work in an IT environment, you absolutely must have a password manager. I strongly suggest that anyone who uses a computer regularly and has multiple passwords to remember get one, even if you don’t consider yourself tech savvy.” I fully agree. I also use 1Password and have done so for as long as I can possibly remember.


Safari adage.com

Apple's new anti-tracking feature in Safari takes toll

The irony here is that the site we’re linking to for this story is FULL of display ads. The web and mobile web for content sites, blogs, and the like tend to border on a confusing and/or terrible experience because of ads, modals, takeover screens, content that seems like content but is just advertising in disguise…then, THEN…the retargeting. Given Apple’s focus on user privacy, I can see why this feature is a Safari thing and is being led by Apple. “The feature—blandly dubbed ‘Intelligent Tracking Prevention,’ or ‘ITP 2’—is the second major iteration of its anti-tracking tool, which was first introduced last year. The update prevents marketers from targeting Safari users across the web. For example, someone who visits Nike’s website can’t be targeted elsewhere on the web, such as Google search or the New York Times website.” I’m all for websites finding ways to make money from smart relationships, partnerships, and “ads,” but they must be delivered in well-mannered and tasteful ways that do not objectify the reader or their privacy.


Electron buttercup.pw

The open source password manager you deserve

Buttercup claims to be secure, simple, and free. That’s a powerful trio if it can deliver on its promises. It has a cross-platform desktop app (thanks in part to Electron), iOS and Android apps, and extensions for every major browser. That’s a lot! Especially for an open source project created primarily by just two people. Could this steal market share from the big guns such as 1Password and LastPass?


Caroline Haskins motherboard.vice.com

Old school 'sniffing' attacks can still reveal your browsing history

Several major browsers you and I use every day are capable of leaking our browsing history, and they all know about it. Caroline Haskins at Motherboard writes: “Most modern browsers—such as Chrome, Firefox, and Edge … have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user’s web history, per new research from the University of California San Diego. In a statement provided to Motherboard via email, senior engineering manager of Firefox security Wennie Leung said that Firefox will ‘prioritize our review of these bugs based on the threat assessment.’ Google spokesperson Ivy Choi told Motherboard in an email that they are aware of the issue and are ‘evaluating possible solutions.’” Ben Adida shared this on Twitter: “When first web history sniffing attacks came out, I suggested we had to change the notion of a visited link: a link would be marked visited by origin (edges, not nodes.) That was considered too dramatic a change. Maybe it’s necessary after all.” Who’s ready to dig into this research and share how vulnerable we really are and what types of malicious websites could/would extract our browsing history? If you do, let us know so we can link it up.


Bitcoin github.com

Square's Bitcoin cold storage solution

Why cold storage? Because security: “For security purposes, Square stores a reserve of Bitcoins in an offline setting. By having these funds offline, we reduce attack surface and hence risk of theft.” Square can move the funds offline at any time, but moving them back online requires a multi-party signing ceremony. They can also embed programming logic into the cold storage modules, so that only Square-owned addresses can receive the funds. That’s defense-in-depth, right there. Bitcoin’s latest bull run is over, but those who believe in decentralized money continue to toil away… building the future they want to exist.


John Gruber daringfireball.net

Daring Fireball on Facebook giving advertisers your shadow contact info

Commentary on commentary here, but seriously — we obviously track news on privacy and security — Gruber’s paraphrase from Kashmir Hill’s post on Gizmodo is priceless. Here is Gruber’s take… “Hill: Facebook, are you doing this terrible thing? Facebook: No, we don’t do that. Hill, months later: Here’s academic research that shows you do this terrible thing. Facebook: Yes, of course we do that.” I agree with Gruber on Facebook being a morally criminal enterprise. Also, I try to avoid Facebook, aside from my wife’s usage, at all costs. I’m even leery of Instagram, which is sad because one of my professional hobbies is photography. Gruber says: “At this point I consider Facebook a criminal enterprise. Maybe not legally, but morally. How in the above scenario is Facebook not stealing Ben’s privacy?”


Matthew Green blog.cryptographyengineering.com

Why I’m done with Chrome

Like many of you reading this, you’re probably signed into a Google service when browsing the web — Google apps (G Suite), YouTube, Gmail, etc. The line between the browser (Chrome) and your signed-in services was clear before, and now it’s not. Matthew Green, cryptographer and professor at Johns Hopkins University, writes on his personal blog: “What changed? A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet.” Thankfully I have been using Brave a whole lot more recently and I’ve really been enjoying an internet where display ads aren’t ruining the experience, and where my privacy isn’t being harvested as I use it.


Gervasio Marchand g3rv4.com

Want a secure browser? Disable your extensions

Gervasio Marchand: “While working on Taut (aka BetterSlack) I noticed that a browser extension could do lots and lots of harm. In this article, I explain how the only way to browse safely is to completely avoid them (or to be really really involved in managing them).” If you’re thinking, “But open source!” click through and see what Gervasio has to say about that. He also includes some examples of extensions that went rogue or were hacked and how one could abuse the system.


Cloudflare Blog

Cloudflare goes interplanetary with IPFS Gateway

It’s exciting to see Cloudflare bridging the gap between IPFS and the traditional web. “Cloudflare’s IPFS Gateway is an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer. We hope our gateway, hosted at cloudflare-ipfs.com, will serve as the platform for many new highly-reliable and security-enhanced web applications.” For those who want a deep dive into IPFS, check out the show we did with Juan Benet – The Changelog #204.
