
Security

InfoSec, DevSec, Penetration Testing, etc.

William Budington EFF

Ring doorbell app packed with third-party trackers

While I’m not exactly surprised at this headline and the findings shared by William Budington and the EFF, I AM, however, deeply disturbed that this is the world we now live in. So, what findings did the EFF share? Here’s a snippet…

Our testing, using Ring for Android version 3.21.1, revealed PII delivery to branch.io, mixpanel.com, appsflyer.com and facebook.com. Facebook, via its Graph API, is alerted when the app is opened and upon device actions such as app deactivation after screen lock due to inactivity. Information delivered to Facebook (even if you don’t have a Facebook account) includes time zone, device model, language preferences, screen resolution, and a unique identifier (anon_id), which persists even when you reset the OS-level advertiser ID.

Branch, which describes itself as a “deep linking” platform, receives a number of unique identifiers (device_fingerprint_id, hardware_id, identity_id) as well as your device’s local IP address, model, screen resolution, and DPI.

Some backstory on the acquisitions of Ring (and Nest)…

Google acquired Nest way back in January 2014 for $3.2 billion, in cash. Amazon acquired Ring in February 2018 for more than $1 billion. Coincidentally, Google reabsorbed Nest that very same month by folding Nest into its hardware division. The point is that those are a lot of BILLIONS. You don’t spend that many billions without a plan to make more billions. Sadly, selling access to sensitive data to third parties is a part of making those billions — at least for Ring.

The Changelog The Changelog #377

Meet Algo, your personal VPN in the cloud

The commercial VPN industry is a minefield to navigate and many open source solutions are a pain to use or ill-suited for the task. Algo VPN, on the other hand, is a self-hosted personal VPN designed for ease of deployment and security. It uses the securest industry standards, builds on rock-solid solutions like WireGuard and Ansible, and runs on an ever-growing list of cloud hosting providers.

On this episode Dan Guido (CEO of security firm Trail of Bits and Algo’s creator) joins Jerod to discuss the project in depth.

Filippo Valsorda github.com

age is a simple, modern, and secure file encryption tool

It features small explicit keys, no config options, and UNIX-style composability.

$ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age -d -i key.txt data.tar.gz.age > data.tar.gz

If Rust is more your thing, check out the perfectly named port: rage.

Docker github.com

Minify and secure your docker containers (30x?)

DockerSlim promises a lot:

docker-slim will optimize and secure your containers by understanding your application and what it needs using various analysis techniques. It will throw away what you don’t need reducing the attack surface for your container. What if you need some of those extra things to debug your container? You can use dedicated debugging side-car containers for that.

Their minification examples are impressive…

EFF

It's official: EFF's Certbot goes 1.0

Certbot was first released in 2015, and since then it has helped more than two million website administrators enable HTTPS by automatically deploying Let’s Encrypt certificates. Let’s Encrypt is a free certificate authority that EFF helped launch in 2015, now run for the public’s benefit through the Internet Security Research Group (ISRG).

A lot of progress has been made since we first talked about Let’s Encrypt on The Changelog.

WebAssembly bytecodealliance.org

Building a secure by default, composable future for WebAssembly

Mozilla, Fastly, Intel, and Red Hat are forming a “Bytecode Alliance”, which is described as:

a new industry partnership coming together to forge WebAssembly’s outside-the-browser future by collaborating on implementing standards and proposing new ones.

Their aim:

We have a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations. And based on advances rapidly emerging in the WebAssembly community, we believe we can make this vision real.

Security seems to be at the dead center of this alliance. Click through for an in-depth rundown of why this is a problem and what they plan to do about it. Also, some awesome code cartoons from Lin Clark (I assume).

Cloud blog.trailofbits.com

Algo – your personal VPN in the cloud

The linked article is an excellent introduction to Algo, which is effectively a set of Ansible scripts that set up a WireGuard and IPsec VPN for you.

Algo automatically deploys an on-demand VPN service in the cloud that is not shared with other users, relies on only modern protocols and ciphers, and includes only the minimal software you need. And it’s free.

For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.

Algo’s list of features (and anti-features) is compelling and most VPN services are terrible. 👀

Twitter

I bet you could've guessed Equifax's username and password...

Jane Lytvynenko went digging through the Equifax class-action suit and uncovered some absolute gems:

Furthermore, Equifax employed the username “admin” and the password “admin” to protect a portal used to manage credit disputes, a password that “is a surefire way to get hacked.” This portal contained a vast trove of personal information.

Hanlon’s razor often applies in security breaches like these, but I can’t see this as anything but pure negligence by Equifax’s technical teams. There’s more:

Equifax also failed to encrypt sensitive data in its custody… admitted that sensitive personal information relating to hundreds of millions of Americans was not encrypted… Not only was this information unencrypted, but it was also accessible through a public-facing, widely used website.

Filed under you-gotta-be-freakin-kiddin-me

The New Stack

New cryptojacking worm found in docker containers

Jack Wallen:

A new cryptojacking worm, named Graboid, has been spread into more than 2,000 Docker hosts, according to the Unit 42 researchers from Palo Alto Networks. This is the first time such a piece of malware has spread via containers within the Docker Engine (specifically docker-ce).

Scary stuff, and (at the moment) difficult to detect & prevent:

We’ve reached a point with containers where security must be constantly on the front burner. Antivirus and anti-malware applications currently have no means of analyzing and cleaning containers and container images. That’s the heart of the issue.

Graboid may be the first malware to target containers, but it certainly won’t be the last.

Security osquery.io

Query your OS like a database

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.

osquery> SELECT name, path, pid FROM processes WHERE on_disk = 0;
name = Drop_Agent
path = /Users/jim/bin/dropage
pid = 561

Node.js github.com

Jsfuzz – a coverage-guided fuzzer for testing JavaScript/Node packages

Fuzzing for safe languages like nodejs is a powerful strategy for finding bugs like unhandled exceptions, logic bugs, security bugs that arise from both logic bugs and Denial-of-Service caused by hangs and excessive memory usage.

As we recently learned on Go Time: pessimists write tests, fuzz functions, and sleep well at night. 💤

Liran Tal Snyk

Sequelize ORM found vulnerable to SQL injection

SQL injection is a serious vulnerability, effectively allowing an attacker to run roughshod over your entire database. If you’re using Sequelize, drop everything (pun unintended) and get patched up.

As a testament for Sequelize’s commitment to security and protecting their users as fast as possible, they promptly responded and released fixes in the 3.x and 5.x branches of the library, remediating the vulnerability and providing users with an upgrade path for SQL injection prevention.

Security github.com

A dead simple VPN

Works out of the box. No lousy documentation to read. No configuration file. No post-configuration. Run a single-line command on the server, a similar one on the client and you’re done. No firewall and routing rules to manually mess with.

This looks like a nice alternative to the many VPN-as-a-service offerings out there if you’re up for hosting it yourself.
