Changelog

Security

InfoSec, DevSec, Penetration Testing, etc.
15 Stories

motherboard.vice.com

Someone published the source code to iBoot (a critical piece of iOS) on GitHub

This is being called "the biggest leak in history", which is probably not true (remember when Gizmodo got its grubby paws on the iPhone 4?). But it's likely the biggest leak in Apple software history. Motherboard says it "could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve." That's plausible. iBoot is responsible for ensuring a trusted boot of the OS. The specific version posted was from iOS 9, but this portion of code probably doesn't get updated as often as the Music app, so it's likely still relevant. Apple promptly posted a DMCA takedown request, and the source code is no longer publicly available. But we developers know all too well that once source code is made public, there's no taking it private again.

logged by @jerodsanto 2018-02-08T14:39:54.81557Z permalink #ios #security

www.rdegges.com

Please stop using Local Storage

Randall Degges examines the good and bad uses of Local Storage. TL;DR: don't use it to store sensitive data. "Almost every day I stumble across a new website storing sensitive user information in local storage and it bothers me to know that so many developers are opening themselves up to catastrophic security issues by doing so. Let's have a heart-to-heart and talk about local storage and why you should stop using it to store session data."

logged by @adamstac 2018-01-28T05:56:15.515292Z permalink #security #database

Medium

Meltdown and Spectre Explained

If some or most of what you've heard or read about Meltdown and Spectre has gone over your head, then you should 💯 read this technical explainer from Matt Klein (also known for being the creator of Envoy). Matt: "I have not seen a good mid-level introduction to the vulnerabilities and mitigations. In this post I'm going to attempt to correct that by providing a gentle introduction to the hardware and software background required to understand the vulnerabilities, a discussion of the vulnerabilities themselves, as well as a discussion of the current mitigations." Matt goes on to share diagrams of CPUs and virtual memory, along with code samples, to break down the exploit.

logged by @adamstac 2018-01-18T22:28:24.667005Z permalink #security

spectreattack.com

Meltdown and Spectre

Everything you need to know about the Meltdown and Spectre bugs. "Q: Am I affected by the bug? A: Most certainly, yes. Q: Can I detect if someone has exploited Meltdown or Spectre against me? A: Probably not. The exploitation does not leave any traces in traditional log files. Q: Which systems are affected by Meltdown? A: Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995." Uh oh. 😱

logged by @adamstac 2018-01-07T04:59:44.381717Z permalink #security

Hackernoon

I'm harvesting credit card numbers and passwords from your site. Here's how.

This is pretty scary regardless of whether it's based on a true story or not. "When I first wrote this code back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site. Lucky for me, we live in an age where people install npm packages like they're popping pain killers. So, npm was to be my distribution method. I would need to come up with some borderline-useful package that people would install without thinking — my Trojan horse." Oh, and then there was this: this is an excellent opportunity for malicious people to take over npm packages and inject malware.

logged by @adamstac 2018-01-07T04:54:29.129835Z permalink #security

github.com

passwordless

A project after my own heart: "🗝 Add authentication to your Rails app without all the icky-ness of passwords." We've been password-free on Changelog.com for a while now. It's not without drawbacks, but you can definitely sleep better knowing that even a database breach can't compromise your users' passwords. Because there aren't any.

logged by @jerodsanto 2017-12-12T17:59:00.010714Z permalink #rails #security