
Security

InfoSec, DevSec, Penetration Testing, etc.
109 Stories

Python anvilventures.com

Reverse engineering the Dropbox client

Dropbox’s concept is still deceptively simple. Here’s a folder. Put files in it. Now it syncs. Move to another computing device. It syncs. The folder and files are there now too! The amount of work that goes on behind the scenes of such an application is staggering, though. If you’ve ever wondered how Dropbox works, or you’ve always wanted to reverse engineer some code but didn’t know how to get started, read this. We managed to successfully reverse engineer Dropbox, write decryption and injection tools for it that work with current Dropbox clients based on Python 3.6 releases, and successfully reverse engineer features and enable them.


Mozilla

Mozilla has published their 2019 Internet Health Report

The report focuses on 5 questions about the internet. Is it safe? How open is it? Who is welcome? Who can succeed? Who controls it? The answer is complicated, and the report doesn’t make any particular conclusions so much as share a series of research & stories about each topic. Includes some fascinating looks at what’s going on in AI, inclusive design, open source, decentralization and more.


GitHub dependabot.com

Dependabot has been acquired by GitHub

More news out of today’s GitHub Satellite event, this time from a security angle. The implications of this acquisition from the horse’s mouth:

We’re integrating Dependabot directly into GitHub, starting with security fix PRs 👮‍♂️
You can still install Dependabot from the GitHub Marketplace whilst we integrate it into GitHub, but it’s now free of charge 🎁
We’ve doubled the size of Dependabot’s team; expect lots of great improvements over the coming months 👩‍💻👨‍💻👩‍💻👨‍💻👩‍💻👨‍💻

Congrats to Grey, Harry and Philip!


GitHub Blog

Are you aware of the recent Git ransomware incident?

Today, Atlassian Bitbucket, GitHub, and GitLab are issuing a joint blog post in a coordinated effort to help educate and inform users of the three platforms on secure best practices relating to the recent Git ransomware incident. So what happened?

On Thursday, May 2, the security teams of Atlassian Bitbucket, GitHub, and GitLab learned of a series of user account compromises across all three platforms. These account compromises resulted in a number of public and private repositories being held for ransom by an unknown actor. Each of the teams investigated and assessed that all account compromises were the result of unintentional user credential leakage by users or other third-parties, likely on systems external to Bitbucket, GitHub, or GitLab. The security and support teams of all three companies have taken and continue to take steps to notify, protect, and help affected users recover from these events.


Liran Tal DEV.to

How to securely build Docker images for Node.js

Liran Tal: Developers, often lacking insights into the intricacies of Docker, may set out to build their Node.js-based Docker images by following naive tutorials which lack good security approaches in how an image is built. One of these nuances is the use of proper permissions when building Docker images. To minimize exposure, opt in to creating a dedicated user and a dedicated group in the Docker image for the application; use the USER directive in the Dockerfile to ensure the container runs the application with the least privileged access possible.


James Fisher jameshfisher.com

The inception bar: a new phishing method

Welcome to HSBC, the world’s seventh-largest bank! Of course, the page you’re reading isn’t actually hosted on hsbc.com; it’s hosted on jameshfisher.com. But when you visit this page on Chrome for mobile and scroll a little way, the page is able to display itself as hsbc.com, and worse, the page is able to jail you in this fake browser! Scary stuff, since there is no known protection against this attack. It seems to be up to the Chrome team to figure out a solution.


Y Combinator

Docker Hub has been hacked

Attention Docker Hub users — Docker Hub has been hacked, so check your email to read the report from Kent Lamb, Director of Docker Support, and take appropriate action. Here are the details…

During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.

From lugg on Hacker News: If you got an email you should:

Change your password on https://hub.docker.com
Check https://github.com/settings/security
Reconnect oAuth for automated builds
Roll over affected passwords and API keys stored in private repos / containers


Tidelift

Up to 20% of your application dependencies may be unmaintained

We recently added a new feature Tidelift subscribers can use to discover unmaintained dependencies. After taking an early look at the data we’re getting back, it appears that about 10-20% of commonly-in-use OSS packages aren’t actively maintained. Click through for an explainer on how they define “unmaintained” as well as a link to their tool for analyzing your app’s dependencies (email required).


Cloudflare Blog

1.1.1.1 + Warp

Cloudflare just launched a VPN for people who don’t know what V.P.N. stands for.

…we think the market for VPNs as it’s been imagined to date is severely limited. Imagine trying to convince a non-technical friend that they should install an app that will slow down their Internet and drain their battery so they can be a bit more secure. Good luck.

What’s interesting is the patience they’ve demonstrated with this launch. They first had to learn a thing or two about…

…the failure conditions when a VPN app switched between cellular and WiFi, when it suffered signal degradation, tried to register with a captive portal, or otherwise ran into the different conditions that mobile phones experience in the field.

The basic version of Warp is free. To put folks at ease (because they’re a for-profit company), they’ve been transparent about their motives and shared “three primary ways this makes financial sense” for them.


Swift github.com

Fuzzilli – a JavaScript engine fuzzer written in Swift

A (coverage-)guided fuzzer for dynamic language interpreters based on a custom intermediate language (“FuzzIL”) which can be mutated and translated to JavaScript. Not an official Google project, but written and maintained by Google engineer Samuel Groß. The README lays out quite a bit on the concept, implementation, and usage of the fuzzer, but there’s even more to learn in this presentation from Offensive Con 2019 and the associated master’s thesis for which the project was produced.


Omer Levi Hevroni blog.solutotlv.com

Can Kubernetes keep a secret?

Omer Levi Hevroni: When we made the shift to Kubernetes, we wanted to keep our devs independent and put a lot of effort into allowing them to create services rapidly. It all worked like a charm – until they had to handle credentials…

The solution they came up with is called Kamus, which is: an open source, GitOps, zero trust, secrets solution for Kubernetes applications. Kamus allows you to seamlessly encrypt secret values and commit them to source control.

Jump over to the article for more on Kubernetes built-in secrets, an overview of some other alternatives, and a deep-dive on how Kamus works.


Security ghidra-sre.org

Ghidra – The NSA’s suite of reverse engineering tools

It’s not fully open source yet, but there’s a placeholder repo which states: Be assured efforts are under way to make the software available here. In the meantime, enjoy using Ghidra on your SRE efforts, developing your own scripts and plugins, and perusing the over-one-million-lines of Java and Sleigh code released within the initial public release.


Snyk

Top ten most popular Docker images each contain at least 30 vulnerabilities

The adoption of application container technology is increasing at a remarkable rate and is expected to grow by a further 40% in 2020, according to 451 Research. It is common for system libraries to be available in many Docker images, as these rely on a parent image that is commonly using a Linux distribution as a base. In many cases, remediation is as simple as rebuilding the image or swapping out the base image, but it’s not always that easy. Click through for more analysis and advice.


Tanya Janca medium.com

Security bugs are fundamentally different than quality bugs

Tanya Janca compares and contrasts quality bugs and security bugs, arguing that they’re quite different and should be treated differently. This logic resonates with me and she has a lot of insights to share along the way. I particularly enjoyed this bit:

You cannot have a high-quality product that is insecure; it is an oxymoron. If an application is fast, beautiful and does everything the client asked for, but someone breaks into it the first day that it is released, I don’t think you will find anyone willing to call it a high-quality application.

A good read all the way through to the end. 👍


Chris Palmer noncombatant.org

The state of software security in 2019

Chris Palmer lays out The Good, The Bad, and The Ugly of security in the software industry. The good news is that “The Good” section is the longest of the three. The bad news is that section length is an arbitrary measurement that I just made up. 😉 The big theme: E_TOO_MUCH_COMPLEXITY

Hardware, software, platforms, and ecosystems are often way too complex, and a whole lot of our security, privacy, and abuse problems stem from that.


Jake Archibald jakearchibald.com

What happens when packages go bad?

See what happens when a rogue, evil dependency explores ways to attack the developer, the server, the end user, plus other examples. Jake Archibald recently experienced a small hack (break-in) on an old website. As a thought exercise, he explored various scenarios with the kind of “powers an evil dependency could have, and what, if anything, could be done to prevent it.” Jake went on to say:

… It’s been terrifying to think this through, and this is just for a static site. … For sites with a server component and database, it feels negligent to use packages you haven’t audited. With Copay, we’ve seen that attacks like this aren’t theoretical, yet the auditing task feels insurmountable.


The Changelog #326

The insider perspective on the event-stream compromise

Adam and Jerod talk with Dominic Tarr, creator of event-stream, the IO library that made recent news as the latest malicious package in the npm registry. event-stream was turned into malware, designed to target a very specific development environment and harvest account details and private keys from Bitcoin accounts. They talk through Dominic’s backstory as a prolific contributor to open source, his stance on this package, his work in open source, the sequence of events around the hack, how we can and should handle maintainership of open source infrastructure over the full life-cycle of the code’s usefulness, and what some best practices are for moving forward from this kind of attack.


Adam Stacoviak changelog.com/posts

The Cryptography Research Group at Microsoft released Microsoft SEAL to encrypt and secure sensitive data in the cloud

If you’ve been watching the news, you know that the latest data breach involved Marriott exposing 500 million guest reservations from its Starwood database. The kicker is that the unauthorized access to the Starwood guest database stretches back to 2014. That’s FOUR YEARS of unfettered access to this database! It’s breaches like these that helped motivate the team at the Cryptography Research Group at Microsoft to be “extremely excited” to announce the release of Microsoft SEAL (Simple Encrypted Arithmetic Library) as open source under the MIT License.

