A solid primer on using openssl to encrypt all the things, which in this day and age is a skill that should be taught in secondary school right alongside how to bake a cake and change a tire.
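As an added example (my own, not code from the primer linked above), here is the shape a passphrase-based `openssl enc` round trip should take. The file names and the sample passphrase are placeholders. The two things that matter and are easy to get wrong: without `-pbkdf2`/`-iter`, `openssl enc` derives the key with a single digest pass (EVP_BytesToKey), which makes weak passphrases trivially brute-forceable; and `-aes-256-cbc` provides confidentiality only, so a tampered ciphertext can decrypt to garbage without any error.

```bash
#!/usr/bin/env bash
# Added example: symmetric file encryption with "openssl enc" and PBKDF2 key
# derivation. Passphrases are read from a file (first line) rather than passed
# on the command line, so they do not show up in "ps" output or shell history.
set -eu

# Encrypt $1 into $2 using the passphrase in file $3.
# -salt is the default but stated explicitly: the same plaintext and passphrase
# yield different ciphertext each run.
enc_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
    -pass "file:$3" -in "$1" -out "$2"
}

# Decrypt $1 into $2 using the passphrase in file $3. A wrong passphrase
# normally fails the padding check and exits non-zero, but CBC has no
# authentication tag, so sign or MAC the ciphertext separately if integrity
# matters.
dec_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -md sha256 \
    -pass "file:$3" -in "$1" -out "$2"
}

# Round trip on constructed sample data. Returns 0 when decrypt(encrypt(x)) == x
# and the ciphertext actually differs from the plaintext.
roundtrip_demo() {
  local dir rc=1
  dir=$(mktemp -d)
  printf 'constructed sample plaintext, not a real secret\n' > "$dir/plain.txt"
  printf 'correct horse battery staple\n' > "$dir/pass.txt"   # placeholder passphrase
  enc_file "$dir/plain.txt" "$dir/plain.enc" "$dir/pass.txt"
  dec_file "$dir/plain.enc" "$dir/plain.dec" "$dir/pass.txt"
  if cmp -s "$dir/plain.txt" "$dir/plain.dec" && ! cmp -s "$dir/plain.txt" "$dir/plain.enc"; then
    rc=0
  fi
  rm -rf "$dir"
  return "$rc"
}

if command -v openssl >/dev/null 2>&1; then
  roundtrip_demo || { echo "openssl round trip FAILED" >&2; exit 1; }
  echo "openssl round trip ok"
fi
```

`-pbkdf2` and `-iter` need OpenSSL 1.1.1 or newer; on older builds the command errors out rather than silently falling back, which is the behaviour you want.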
We have to stop insisting that software updates, etc. need to be distributed over HTTPS. Let me tell you why this is not an ideal way of going about it.
Anyone on the inside know why they didn’t shift to GitHub years ago?
We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account).
While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical.
The memo points to the two malicious commits.
This week we’re talking about big security breaches with Neil Daswani, renowned security expert, best-selling author, and Co-Director of Stanford University’s Advanced CyberSecurity Program. His book, Big Breaches: Cybersecurity Lessons for Everyone helped to guide this conversation. We cover the six common key causes (aka vectors) that lead to breaches, which of these causes are exploited most often, recent breaches such as the Equifax breach (2017), the Capital One breach (2019), and the more recent SolarWinds breach (2020).
A pre-installed and pre-configured set of tools for folks interested in reverse engineering and/or malware analysis on Windows systems.
Obviously, you can download such tools from their own website and install them by yourself in a new VM. But if you download retoolkit, it can probably save you some time. Additionally, the tools come pre-configured so you’ll find things like x64dbg with a few plugins, command-line tools working from any directory, etc. You may like it if you’re setting up a new analysis VM.
Note they say “a new analysis VM”. Do NOT install this on anything but a virtual machine.
The main purpose of security.txt is to help make things easier for companies and security researchers when trying to secure platforms. Thanks to security.txt, security researchers can easily get in touch with companies about security issues.
It’s currently an Internet draft that has been submitted for RFC review, which means they’re taking contributions from the public. Seems like a good idea to me.
If you’ve ever been alarmed by how many security vulnerabilities your Docker image has, even after you’ve installed security updates, here’s what’s going on—your image may actually be fine!
Dan Lorenc, from Google’s Infrastructure Security Team:
Software written in unsafe languages often contains hard-to-catch bugs that can result in severe security vulnerabilities, and we take these issues seriously at Google. That’s why we’re expanding our collaboration with the Internet Security Research Group to support the reimplementation of critical open-source software in memory-safe languages.
Notice he said “expanding our collaboration”, which must mean they’ve been doing this for a bit, but I wasn’t aware of the effort? An uplifting trend, regardless. Work is well underway:
The new Rust-based HTTP and TLS backends for curl and now this new TLS library for Apache httpd are an important starting point in this overall effort. These codebases sit at the gateway to the internet and their security is critical in the protection of data for millions of users worldwide.
monsoon is a so-called command-line HTTP enumerator: A tool that iterates over a list of values, for example a word list or a range of integers, and sends one HTTP request per item towards a given server.
The team behind monsoon enumerated some common examples in their introductory blog post.
Terence Eden on 2FA:
Use 2FA to prevent attackers masquerading as you. And use a password manager to prevent fake sites masquerading as real sites.
Container security is an often overlooked topic, as people assume that containers are secure by default, which is not true. One of the ways to secure container workloads in Docker and Kubernetes is to leverage seccomp profiles, and this advanced feature of container runtimes is explained and shown in this article.
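An added example (mine, not from the article) of the three pieces you need in practice: the JSON shape Docker and containerd read, the `--security-opt` that applies it, and the `/proc/<pid>/status` check that proves a filter is actually active inside the container. The syscall list is illustrative; Docker's built-in default profile already blocks these and more, so a real custom profile normally starts from a copy of that default and prunes further. The `docker run` functions are shown but not invoked here.

```bash
#!/usr/bin/env bash
# Added example: a custom seccomp profile for Docker, applying it, and checking
# that it is enforced. Not the article's code; the denied syscall list is
# illustrative only.
set -eu

# Write a profile to path $1. defaultAction ALLOW plus an explicit deny list is
# the weaker pattern; an allow list (defaultAction SCMP_ACT_ERRNO) is stronger
# but needs the full set of syscalls the workload uses. SCMP_ACT_ERRNO returns
# EPERM to the caller by default.
write_profile() {
  cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": [
        "mount", "umount2", "pivot_root",
        "unshare", "setns",
        "ptrace", "process_vm_readv", "process_vm_writev",
        "add_key", "request_key", "keyctl",
        "bpf", "kexec_load", "kexec_file_load",
        "init_module", "finit_module", "delete_module"
      ],
      "action": "SCMP_ACT_ERRNO",
      "args": []
    }
  ]
}
EOF
}

# Read /proc/<pid>/status text on stdin and print the Seccomp mode:
# 0 = disabled, 1 = strict, 2 = filter (a profile is active), or "absent".
# Matching $1 exactly avoids the separate "Seccomp_filters:" line on newer kernels.
seccomp_mode() {
  awk '$1 == "Seccomp:" { print $2; found = 1 } END { if (!found) print "absent" }'
}

# Corrected setting: run with the profile at $1. Inside, "Seccomp: 2" is reported
# and e.g. "mount -t tmpfs none /mnt" fails with "Operation not permitted".
run_confined() {
  docker run --rm --security-opt "seccomp=$1" alpine:3 grep Seccomp /proc/self/status
}

# Weak setting, common in compose files and CI: no filter at all ("Seccomp: 0").
run_unconfined() {
  docker run --rm --security-opt seccomp=unconfined alpine:3 grep Seccomp /proc/self/status
}

# In Kubernetes the same JSON is referenced from the pod or container
# securityContext: seccompProfile: {type: Localhost, localhostProfile: <path>},
# with the path relative to the kubelet's seccomp directory (/var/lib/kubelet/seccomp).

# Stand-alone demonstration on constructed status text (no Docker needed).
profile=$(mktemp)
write_profile "$profile"
echo "profile written to $profile"
echo "constructed status with filter active -> mode $(printf 'Name:\tsh\nSeccomp:\t2\n' | seccomp_mode)"
```

Run `run_confined "$profile"` against a real daemon to see `Seccomp: 2`; swapping in `run_unconfined` shows `Seccomp: 0`, which is the quickest way to catch an image or orchestration layer that quietly turned the filter off.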
Penetration testing is when you (or someone you authorize) run a security assessment of a computer system by trying to break into it.
In this repo, Carlos Polop (who is a pentester and cyber security researcher) shares his methodology for pentesting. This is just one piece of a larger collection of Carlos’ HackTricks book.
electron-native-notify - because hey, that’s a malicious package!
Mundane is backed by BoringSSL (Google’s fork of OpenSSL that is used in Chrome, Android, et al) and is built to be “difficult to misuse, ergonomic, and performant (in that order)”.
Not all developers understand what the risks of command injection in Node.js applications are, and I see it more often when I triage security vulnerabilities. In this article I’m featuring a practical walk-through of an actual CVE for a Node.js module which has a command injection vulnerability.
sops is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault and PGP.
Securing containers is a complex task. The problem space is broad, vendors are on fire, there are tons of checklists and best practices and it’s hard to prioritize solutions. So if you had to implement a container security strategy, where would you start?
Ron Perris from Snyk put together this checklist of React security best practices “to help you and your team find and fix security issues in your React applications.” He also shows how to automatically test your React code for security-related errors and automatically fix them.
I am a fan of Ubuntu, so I would like to help make it as secure as possible. I have recently spent quite a bit of time looking for security vulnerabilities in Ubuntu’s system services, and it has mostly been an exercise in frustration…
This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu. With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves. I have made a short demo video, to show how easy it is.
This particular vulnerability concerns the GUI, so your Ubuntu servers are unaffected. Still, 👀
Troy Hunt on just how easy it is to fool us humans with sneaky URLs that look like our most common and trusted domains, why a bunch of proposed solutions to this problem fall short, and what he believes are some actual solutions we can put in practice today.
Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don’t need to do it yourself.
What’s not to love?
8 common security issues when using Docker and how to avoid them. Here’s a sampler:
Avoid curl bashing
Pulling stuff from the internet and piping it into a shell is as bad as it could be. Unfortunately it’s a widespread solution to streamline installations of software.
The risk is the same as the one framed for supply chain attacks, and it boils down to trust. If you really have to curl bash, do it right…
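As an added example (mine, not the article's), here is what “doing it right” looks like in a shell: download to a file, compare it against a digest you obtained out of band (release page, signed manifest), and only then execute it. The URL and digest in the usage comment are placeholders; the only hash hard-coded below is the well-known SHA-256 of the six bytes `hello\n`, used for an offline self-check.

```bash
#!/usr/bin/env bash
# Added example: the verified alternative to "curl URL | bash".
# Nothing here is the article's code; URL and digest in the usage note are
# placeholders. A pipe hides three failure modes at once: a truncated download
# runs half a script, an HTTP error page gets fed to the shell, and you never
# see what you ran. Saving to a file and hashing it closes all three.
set -eu

# Print the SHA-256 of file $1 with whichever tool the host has (GNU or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare file $1 against expected hex digest $2 (case-insensitive). Returns 0 on match.
verify_sha256() {
  local actual expected
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Fetch URL $1 to a temp file, verify it against pinned digest $2, then run it
# with any remaining arguments. An unverified file is never executed.
fetch_verify_run() {
  local url=$1 expected=$2 tmp
  shift 2
  tmp=$(mktemp)
  # -f: treat HTTP errors as failures instead of saving the error body
  # -L: follow redirects; --proto '=https': refuse redirects to plain HTTP
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url; refusing to execute" >&2
    rm -f "$tmp"
    return 1
  fi
  bash "$tmp" "$@"
  rm -f "$tmp"
}

# Offline self-check on constructed input: SHA-256("hello\n") is a known value,
# and a wrong digest must be rejected.
selfcheck() {
  local tmp rc=1
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  if verify_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
     && ! verify_sha256 "$tmp" 0000000000000000000000000000000000000000000000000000000000000000; then
    rc=0
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (placeholder URL and digest, taken from the project's release page):
#   fetch_verify_run https://example.invalid/install.sh <sha256-hex-digest>
selfcheck || { echo "self-check FAILED" >&2; exit 1; }
echo "hash verification works"
```

A pinned digest only moves the trust question to wherever you got the digest; if the project signs its releases, verify the signature on the checksum file as well rather than trusting a hash served from the same origin as the script.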
We recently talked with Josh Aas on The Changelog #389 about securing the web with Let’s Encrypt. At the tail end of the conversation Josh shared his passion for memory safety, saying “we need to rewrite all the software that we already wrote in C and C++, and replace it. “ My guess is that this move with Daniel and curl takes us several steps further in this direction.
Memory safety vulnerabilities represent one of the biggest threats to Internet security. As such, we at ISRG are interested in finding ways to make the most heavily relied-upon software on the Internet memory safe. Today we’re excited to announce that we’re working with Daniel Stenberg, author of ubiquitous curl software, and WolfSSL, to make critical parts of the curl codebase memory safe. … ISRG is funding Daniel to work on adding support for Hyper as an HTTP back-end for curl. Hyper is a fast and safe HTTP implementation written in Rust.
Six white-hat hackers spent a few months on Apple’s bug bounty program:
There were a total of 55 vulnerabilities discovered with 11 critical severity, 29 high severity, 13 medium severity, and 2 low severity reports. These severities were assessed by us for summarization purposes and are dependent on a mix of CVSS and our understanding of the business related impact.
This is a report of their findings: how they did it, vulnerabilities found, and how Apple responded to each one.
In the information security field, we have developed lots of thoughts that can’t be discussed (or rarely discussed):
- Never roll your own crypto
- Always use TLS
- Security by obscurity is bad
I certainly learned these in my Infosec classes in college. Back then I didn’t really question it much, because what did I know? But I definitely remember thinking, “Okay security by obscurity is bad, but maybe why not do it anyway? Defense in depth, right?” Back to Utku:
Most of them are very generally correct. However, I started to think that people are telling those because everyone is telling them. And, most of the people are actually not thinking about exceptional cases. In this post, I will raise my objection against the idea of “Security by obscurity is bad”.