
Security

InfoSec, DevSec, Penetration Testing, etc.

John Gruber daringfireball.net

Daring Fireball on Facebook giving advertisers your shadow contact info

Commentary on commentary here, but seriously — we obviously track news on privacy and security — Gruber's paraphrase from Kashmir Hill's post on Gizmodo is priceless. Here is Gruber's take...

Hill: Facebook, are you doing this terrible thing?
Facebook: No, we don’t do that.
Hill, months later: Here’s academic research that shows you do this terrible thing.
Facebook: Yes, of course we do that.

I agree with Gruber on Facebook being a morally criminal enterprise. Also, I try to avoid Facebook, aside from my wife's usage, at all costs. I'm even leery of Instagram, which is sad because one of my professional hobbies is photography. Gruber says:

At this point I consider Facebook a criminal enterprise. Maybe not legally, but morally. How in the above scenario is Facebook not stealing Ben’s privacy?


Matthew Green blog.cryptographyengineering.com

Why I’m done with Chrome

Like many of you reading this, you're probably signed into a Google service when browsing the web — Google apps (G Suite), YouTube, Gmail, etc. The line between browser (Chrome) and your signed in services was clear before, and now it's not. Matthew Green, Cryptographer and Professor at Johns Hopkins University, writes on his personal blog:

What changed? A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you. However, and this is important: Google developers claim this will not actually start synchronizing your data to Google — yet.

Thankfully I have been using Brave a whole lot more recently and I've really been enjoying an internet where display ads aren't ruining the experience, and where my privacy isn't being harvested as I use it.


Gervasio Marchand g3rv4.com

Want a secure browser? Disable your extensions

Gervasio Marchand:

While working on Taut (aka BetterSlack) I noticed that a browser extension could do lots and lots of harm. In this article, I explain how the only way to browse safely is to completely avoid them (or to be really really involved in managing them).

If you're thinking, "But open source!" click through and see what Gervasio has to say about that. He also includes some examples of extensions that went rogue or were hacked and how one could abuse the system.


Cloudflare Blog

Cloudflare goes interplanetary with IPFS Gateway

It's exciting to see Cloudflare bridging the gap between IPFS and the traditional web.

Cloudflare’s IPFS Gateway is an easy way to access content from the InterPlanetary File System (IPFS) that doesn’t require installing and running any special software on your computer. We hope our gateway, hosted at cloudflare-ipfs.com, will serve as the platform for many new highly-reliable and security-enhanced web applications.

For those who want a deep dive into IPFS check out the show we did with Juan Benet – The Changelog #204.


Bert Hubert blog.powerdns.com

Firefox is considering a move to third party DNS lookups

Specifically, they are considering making CloudFlare the default nameserver. A new feature called "Trusted Recursive Resolver" (TRR) could be turned on by default, and therefore override the DNS changes you've configured in your network. Cloudflare says it takes your privacy more seriously than telecommunication service providers do because this DNS query will be encrypted, unlike regular DNS. They also promise not to sell your data or engage in user profiling. Cloudflare and Mozilla have set out a privacy policy that rules out any form of customer profiling. Their story is that many ISPs are doing user profiling and marketing, and that moving your DNS to Cloudflare is therefore a win for your privacy. This is a deep subject with many, many layers. Dig deep on this one. So, the question is — under what circumstances would it be OK for Cloudflare (or any other third party) to take over our DNS by default?


Fedor Indutny darksi.de

HashWick V8 vulnerability

Get the backstory on the Hash Seed guessing game and HashWick from Fedor Indutny:

About one year ago, I've discovered a way to do a Denial-of-Service (DoS) attack on a local Node.js instance. The process involved sending huge amounts of data to the HTTP server running on the same machine as the attacker, and measuring the timing differences between various payloads. Given that the scope of attack was limited to the same machine, it was decided by V8 team and myself that the issue wasn't worth looking in yet. Nevertheless, a blog post was published. This year, I had a chance to revisit the Hash Seed guessing game with restored enthusiasm and new ideas. The results of this experiment are murky, and no fix is available yet in V8. Thus all V8 release lines are vulnerable to the HashWick attack.

Fedor also mentioned that this issue was disclosed responsibly and this blog post was published 90+ days after the initial report.


Eric Holmes Medium

Here's how Eric Holmes gained commit access to Homebrew in 30 minutes

This post from Eric Holmes details how package managers can be used in supply chain attacks — specifically, in this case, a supply chain attack on Homebrew — which is used by hundreds of thousands of people, including "employees at some of the biggest companies in Silicon Valley."

On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core. If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers?


Brian Krebs krebsonsecurity.com

Reddit breach highlights limits of SMS-based authentication

The cause is a 2FA fail with either SIM security or a mobile number port-out scam as the point of failure. Brian Krebs writes for KrebsOnSecurity:

Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor. In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. Another typical scheme involves mobile number port-out scams, wherein the attacker impersonates a customer and requests that the customer’s mobile number be transferred to another mobile network provider.

Were you exposed?

...between June 14 and 18 an attacker compromised several employee accounts at its cloud and source code hosting providers. Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.


Without Boats boats.gitlab.io

I sign my git commits with bpb (not pgp or gpg)

Right now, the only way to sign your git commits is to use PGP signatures (this is all git is able to integrate with). After a less than desirable experience using GPG, Without Boats wrote bpb in Rust to replace GPG.

I’ve been taking steps toward trying to sign and verify the data in the repo's index without shipping a copy of GPG with Rust to every user. This means I need to implement enough of the PGP protocol to create signatures and public keys that git will accept as valid. I’ve done this in a library which I’ve named pbp, this stands for Pretty Bad Protocol. This library implements parsing and generation for a small subset of the PGP protocol...


Chrome blog.google

HTTP 'not secure'

Chrome security has reached a milestone — Chrome will now mark http as “not secure”.

Nearly two years ago, we announced that Chrome would eventually mark all sites that are not encrypted with HTTPS as “not secure”. This makes it easier to know whether your personal information is safe as it travels across the web, whether you’re checking your bank account or buying concert tickets. Starting today, we’re rolling out these changes to all Chrome users.

Also, check out this episode of HTTP203 with Emily Schechter (Product Manager on the Chrome Security team).


Brendan Eich brave.com

Brave's private tabs now with Tor (in beta)

It's nice to see Tor being baked into Brave! Tor is now available to the masses.

Today we’re releasing our latest desktop browser Brave 0.23 which features Private Tabs with Tor, a technology for defending against network surveillance. This new functionality, currently in beta, integrates Tor into the browser and gives users a new browsing mode that helps protect their privacy not only on device but over the network.

Do you use Brave on the daily? I have it installed, but I don't use it on a daily basis. Also — Brendan Eich tweeted this to give credit where credit is due and this tweet about the relays added.


TypeScript github.com

A secure TypeScript runtime on V8

If you need a JS runtime that supports TypeScript out of the box and has security as a top-most priority, star this repo and come back when it's no longer "Segfaulty". Feature bullets! 👇

- No package.json, no npm. Not backwards compatible with Node
- Single executable
- Defaults to read-only file system access
- Always dies on uncaught errors
- Supports top-level await

EDIT: it's worth noting that this project is by Ryan Dahl, inventor of Node.js.


Jessie Frazelle blog.jessfraz.com

Containers, security, and echo chambers

Jessie Frazelle:

There seems to be some confusion around sandboxing containers as of late, mostly because of the recent launch of gvisor... There is a large amount of ignorance towards the existing defaults to make containers secure. Which is crazy since I have written many blog posts on it and given many talks on the subject.

Jessie has been doing the yeoman's work of Linux kernel isolation and making containers secure for awhile now, but much of that work has been overlooked or disregarded by others in the community. I'm on the outside looking in at this situation, so it's tough to call exactly what's going on, but according to Jessie:

When you work at a large organization you are surrounded by an echo chamber. So if everyone in the org is saying “containers are not secure,” you are bound to believe it and not research actual facts.

That doesn't mean Jessie thinks containers are secure (click through to read her take on that). There's a lot to dig in to here and think about. I'll pull out one last point:

I am not trying to throw shade at gvisor but merely clear up some FUD in the world of open source marketing. I truly believe that people choosing projects to use should research into them and not just choose something shiny that came out of Big Corp.

Now that's a sentiment I can get behind! Oh, and listen to this related episode of The Changelog if you haven't yet. It's a must-listen for all developers.


Medium

An Efail postmortem

Efail caused a panic at the disco:

... some researchers in Europe published a paper with the bombshell title “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.” There were a lot of researchers on that team but in the hours after release Sebastian Schinzel took the point on Twitter for the group. Oh, my, did the email crypto world blow up. The following are some thoughts that have benefited from a few days for things to settle.

Lots of interesting insights here, perhaps most controversially how the EFF's handling of the situation may have done more harm than good in the author's opinion. Also:

we could stand to have a renewed appreciation for OpenPGP’s importance to not just email crypto, but the global economy.

I can say I definitely have more appreciation for it after reading this than I did before. I hadn't thought about its influence (which is huge) outside of encrypted email.


Zack Whittaker zdnet.com

I asked Apple for all my data. Here's what was sent back.

Zack Whittaker writes for Zero Day:

Apple gave me all the data it collected on me since I bought my first iPhone — in 2010.

This is what has largely stood out to me in the ongoing discussion about what data the four have on me and how they use it...

As insightful as it was, Apple's treasure trove of my personal data is a drop in the ocean to what social networks or search giants have on me, because Apple is primarily a hardware maker and not ad-driven, like Facebook and Google, which use your data to pitch you ads.

Want to request your data? It takes just a few seconds...


Google

gVisor – a sandboxed container runtime

Why does this exist?

Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability. gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.
