Hasty Briefsbeta

All tags

#security

683 stories total

Bilingual

Be Careful with Obsidian
6 months ago
- Obsidian's source code is closed and its macOS app lacks a checksum.
- Obsidian is not distributed through the Mac App Store, raising questions about sandboxing and security.
- Users often grant Obsidian access to sensitive folders, increasing potential risks.
- Community Plugins, while popular, add another layer of security concerns.
- The situation is somewhat similar to VSCode, but VSCode is open-source and benefits from stricter reviews.
- Obsidian's philosophy and utility are praised, but its security risks need more attention.
Did You Know That There Are Camera-Less iPhones?
6 months ago
- Some industries require camera-less iPhones due to security concerns.
- Companies like NonCam specialize in removing cameras from iPhones for sensitive workplaces.
- Camera-less iPhones are used in nuclear plants, military bases, and religious schools.
- NonCam sells pre-modified iPhones and DIY conversion kits for removing cameras.
- Prices for camera-less iPhones are significantly higher than their original retail prices.
- Removing cameras from new iPhones can be particularly painful for technicians.
- Front-facing cameras, including those used for FaceID, must also be removed.
- Modified iPhones without cameras look unusual, especially newer models designed for advanced photography.
Cisco opensourced MCP-Scanner for finding vulnerabilties in MCP server
6 months ago
- MCP Scanner is a Python tool for scanning MCP servers and tools for security vulnerabilities.
- It combines Cisco AI Defense inspect API, YARA rules, and LLM-as-a-judge for detection.
- Features include multiple modes (CLI, REST API), multi-engine security analysis, and comprehensive scanning.
- Supports explicit authentication control, OAuth, and custom endpoints.
- Allows customizable YARA rules and provides detailed vulnerability reports.
- Requires Python 3.11+, uv package manager, and optional API keys for Cisco AI Defense and LLM providers.
- Installation can be done via pip or from source with uv.
- Configuration involves setting environment variables for API keys and endpoints.
- CLI usage includes scanning known configs, remote servers, and stdio servers with various flags.
- Programmatic usage is supported via Python SDK with async capabilities.
- API server provides REST endpoints for integrating scanning into applications.
- Supports multiple output formats: summary, detailed, table, by_severity, and raw JSON.
- Documentation includes architecture, authentication, programmatic usage, API reference, and output formats.
- Licensed under Apache 2.0 and available on GitHub.
FreeBSD now builds reproducibly and without root privilege
6 months ago
- FreeBSD can now be built without requiring root privileges, enhancing security and simplifying automated builds.
- Changes are available in the FreeBSD development branch and will be merged into FreeBSD 15.0.
- Release artifacts like ISO images, VM images, and cloud disk images can now be built without root access.
- The removal of root privileges reduces the attack surface and enables safer build environments.
- FreeBSD has introduced improvements for reproducible builds, ensuring identical source inputs produce identical binary outputs.
- Key reproducibility improvements include normalized timestamps, stable file ordering, and consistent build environments.
- Reproducible builds enhance trust, debugging, auditing, and maintainability of the software supply chain.
- FreeBSD's CI and build infrastructure can now operate in unprivileged containers and restricted environments.
- Contributors can build complete FreeBSD releases locally without elevated privileges.
Are these real CVEs? VulDB entries for dnsmasq rely on replacing config files
6 months ago
- Multiple questionable CVEs were reported against dnsmasq and Kamailio SIP server.
- The exploits require replacing the default configuration file with a malicious one, which is impractical since an attacker with such access can directly alter configurations.
- The issue highlights potential flaws in CVE assignment when exploits require unrealistic preconditions.
The Geomys Standard of Care
6 months ago
- Professionalizing open source maintenance allows for safer and more reliable projects through standards.
- The Geomys Standard of Care was developed by surveying recent supply chain compromises and expert feedback.
- Covers maintenance philosophy, stability, dependency management, security, vulnerability handling, licensing, and more.
- Future goals include adopting binary transparency tools and periodic reviews of browser extensions and OAuth apps.
- Projects under this standard include Go standard library packages, Staticcheck, Gotraceui, and more.
- Code review, complexity management, static analysis, and strict backwards compatibility are emphasized.
- Dependency management avoids automatic tools like Dependabot, focusing on govulncheck and isolated CI jobs.
- Phishing-resistant authentication is mandatory for critical accounts, with strict modes enabled where possible.
- Long-lived credentials are avoided; hardware-bound SSH keys are preferred.
- CI security includes zizmor for GitHub Actions, read-only workflows by default, and cache poisoning mitigations.
- Third-party access is limited; project abandonment leads to archiving rather than handover.
- Availability monitoring and transparency logging are in place for critical endpoints and domains.
- Vulnerability handling includes documented reporting mechanisms, honoring embargoes, and accurate CVE reporting.
- Permissive licenses like BSD-3-Clause, MIT, and Apache-2.0 are used.
- Geomys is funded by companies like Smallstep, Ava Labs, and Tailscale, ensuring sustainable open source maintenance.
Understanding the Worst .NET Vulnerability
6 months ago
- Microsoft issued a critical vulnerability CVE-2025-55315 with a CVSS score of 9.9, the highest ever.
- The vulnerability involves HTTP request smuggling in ASP.NET Core, allowing attackers to bypass security features.
- HTTP request smuggling exploits differences in how proxy and destination servers parse ambiguous HTTP requests.
- Attackers can use this to login as different users, bypass CSRF checks, perform injection attacks, and more.
- The specific vulnerability in CVE-2025-55315 involves invalid chunk extensions in Transfer-Encoding: chunked requests.
- Microsoft has patched the vulnerability in supported versions of .NET (8, 9, 10), but older versions remain vulnerable.
- Recommendations include updating to patched versions, enforcing HTTP/2 or HTTP/3, and avoiding direct request stream manipulation.
- Azure App Services (AAS) users are protected as the proxy has been patched, but other hosting services may still be vulnerable.
Reconsider W3C Recommendation status of XSLT 2.0 and XSLT 3.0
6 months ago
- XSLT 2.0 and 3.0 are not widely implemented, with only Saxon providing complete support.
- Interoperability is compromised as XSLT 2.0 and 3.0 lack multiple independent implementations.
- Security concerns arise due to Saxon's default vulnerability to XXE attacks.
- The W3C's recommendation status for XSLT 2.0 and 3.0 is questioned due to non-compliance with W3C principles.
- Calls for XSLT 2.0 and 3.0 to be marked as obsolete due to these issues.
Breaking Trusted Execution Environments
6 months ago
- Trusted Execution Environments (TEEs) aim to provide hardware-backed data privacy and integrity, but modern implementations by Intel and AMD are vulnerable to physical memory interposition attacks.
- A DDR5 memory interposition device can be built cheaply using off-the-shelf components, allowing attackers to inspect all memory traffic, including encrypted data.
- The attack exploits deterministic encryption in TEEs, enabling comparison of encrypted data blocks to infer plaintext content.
- Secret attestation keys from Intel TDX and AMD SEV-SNP can be extracted, compromising the security of confidential virtual machines (CVMs).
- Nvidia's GPU Confidential Computing is also vulnerable, as extracted attestation keys can be used to bypass TEE protections for AI workloads.
- The portable version of the attack device fits into a 17" briefcase, making it easy to deploy in various environments.
- Real-world impacts include potential financial losses in cryptocurrency services and breaches in cloud computing security.
- Mitigation strategies are limited, as TEE vendors consider physical attacks out of scope, emphasizing the need for enhanced physical security measures.
Tailscale Services
6 months ago
- Tailscale Services announced, enabling virtual Tailscale IPv4/IPv6 address pairs (TailVIPs) for logical resources.
- Services provide unique MagicDNS names and act as policy units for access control.
- Tailscale Services can replace traditional load balancing with intelligent routing.
- Early adopters used Services for CI pipelines, database proxies, and internal applications.
- Services architecture includes TailVIPs, MagicDNS, endpoints, and service hosts.
- Service hosts require validation and can be auto-approved based on tags or IPs.
- Access to services is controlled via Grants, specifying source and destination.
- Services support high availability through multiple hosts and intelligent routing.
- Tailscale Services are in open beta, with future features like Configuration Audit Logs planned.
- Future enhancements may include state validation, API registration, and third-party proxy integration.
Mullvad DNS
6 months ago
- Mullvad provides encrypted DNS services using DNS over HTTPS (DoH) and DNS over TLS (DoT) to protect queries from third-party snooping.
- The service is designed for use when disconnected from Mullvad VPN, as VPN-connected queries already benefit from encryption.
- Features include content blocking (ads, trackers, malware, etc.), QNAME minimization, and anycast routing for reliability.
- Configuration guides are provided for various platforms including web browsers (Firefox, Chrome), mobile OS (Android, iOS), and desktop OS (Windows, macOS, Linux).
- Users can verify the service is working via Mullvad's DNS leak check tool, ensuring queries route to the nearest server.
- Specific DNS server locations are listed, with options for unfiltered DNS or content-blocked variants.
- Content blocking works by lying about the existence of blocked hostnames, preventing their loading.
- Notes include deprecation of old hostnames and IPs, and recommendations against using encrypted DNS with SOCKS5 proxy.
Tor Browser 15.0
6 months ago
- Tor Browser 15.0 is now available, based on Firefox ESR 140.
- Includes vertical tabs, tab groups, and a refreshed address bar for desktop users.
- Android version introduces screen lock for added security.
- Future updates will drop support for Android 5.0-7.0 and x86 CPUs due to technical challenges.
- WebAssembly (Wasm) management is now handled by NoScript for better security.
- Known issues include quirks with vertical tabs and web page loading problems on older Android devices.
- Encourages community support and feedback for ongoing development.
I'm Independently Verifying Go's Reproducible Builds
6 months ago
- Go 1.21 introduced automatic toolchain downloads for compiling modules requiring newer versions.
- Reproducible builds ensure the same binary output from source code regardless of environment.
- The Go Checksum Database logs checksums of toolchain Zip archives for public verification.
- Independent verification is crucial to ensure no backdoors are introduced by Google or attackers.
- Source Spotter, an independent auditor, verifies toolchain reproducibility and checksum consistency.
- Bootstrap toolchains are built from source to mitigate Trusting Trust attacks.
- Challenges include handling macOS signatures, linux-arm environment variables, and mistaken version entries.
- Source code transparency is suggested by publishing checksums or using Git commit IDs.
- Go's system balances usability and security, setting a standard for other ecosystems.
NPM flooded with malicious packages downloaded more than 86,000 times
6 months ago
- Attackers exploit NPM's Remote Dynamic Dependencies (RDD) to upload 126 malicious packages, downloaded over 86,000 times.
- RDD allows packages to download unvetted dependencies from untrusted domains, bypassing static analysis tools.
- PhantomRaven campaign uses HTTP URLs to fetch malicious dependencies, which remain invisible to developers and security scanners.
- Dependencies are downloaded fresh from attacker servers each time, avoiding caching or versioning checks.
- 80 malicious packages were still available as of the report's publication.
Show HN: Run a GitHub Actions step in a gVisor sandbox
6 months ago
- GitHub Actions with read-only permissions still receive a cache write token, allowing cache poisoning.
- No isolation between steps in a workflow as they run on the same VM with root access.
- Running untrusted code in a workflow with read-only permissions can lead to a false sense of security.
- This GitHub Action runs commands in an isolated gVisor sandbox to mitigate risks.
- The sandbox features include a root filesystem similar to ubuntu-24.04, overlayed access to GITHUB_WORKSPACE, and read-only access to tools installed by setup-* actions.
- Changes to the workspace inside the sandbox can persist on the host if 'persist-workspace-changes' is set to 'true', but this is not safe.
- The action detects and fails if actions/checkout has persisted authentication tokens in GITHUB_WORKSPACE.
- To use this action, disable credential persistence in the checkout step or set 'allow-checkout-credentials' to 'true' (not recommended).
- All tags use GitHub's Immutable Releases for security.
- Example workflow includes running Go tests with different versions and dependencies, staticcheck, and govulncheck in a sandboxed environment.
Chromium Browser DoS Attack via Document.title Exploitation
6 months ago
- Brash is a critical vulnerability in Chromium's Blink rendering engine, causing browsers to crash in 15-60 seconds.
- The exploit works by abusing the lack of rate limiting on the `document.title` API, allowing millions of DOM mutations per second.
- This saturation of the main thread disrupts the event loop, leading to browser collapse and high CPU usage.
- Affects all Chromium-based browsers (Chrome, Edge, Vivaldi, etc.), but Firefox and Safari are immune.
- The attack involves preloading 100 unique strings to maximize speed and avoid detection.
- Three phases: string generation, burst execution, and continuous updates leading to UI freeze.
- Impact includes system performance degradation, process halting, and potential for coordinated attacks.
- Can be weaponized with delayed or scheduled execution, making it dangerous in critical scenarios.
- Potential real-world impacts: financial market disruption, medical emergencies, and fraud exploitation.
- Intended for educational and security research purposes only, with strict ethical guidelines.
The cryptography behind electronic passports
6 months ago
- Electronic passports (eMRTDs) contain embedded filesystems with personal data and cryptographic protocols.
- ICAO standards define the structure and security of electronic passports, including mandatory and optional data groups (DGs).
- Threat model includes preventing unauthorized reading, eavesdropping, forgery, and copying of passport data.
- Basic Access Control (BAC) uses MRZ data for key derivation but has security flaws like low entropy and offline brute-force vulnerability.
- Passive Authentication (PA) verifies passport data integrity via signatures from Country Signing Certificate Authority (CSCA).
- Active Authentication (AA) prevents copying by using a private key stored in the passport, but has relay attack vulnerabilities.
- Extended Access Control (EAC) improves security with Chip Authentication (CA) and Terminal Authentication (TA).
- Password Authenticated Connection Establishment (PACE) replaces BAC, using MRZ data more securely to prevent offline attacks.
- Threat model gaps include potential tracking if MRZ data is exposed and fingerprinting based on passport characteristics.
- Zero-knowledge identity proofs with passports raise security concerns, including data exposure and reliance on PA/AA/CA.
Today I Learned: Binfmt_misc
6 months ago
- binfmt_misc is a Linux kernel feature that allows execution of non-native binary formats by registering custom handlers.
- It works by recognizing files via magic bytes or extensions and invoking specified interpreters, managed through the /proc/sys/fs/binfmt_misc filesystem.
- A security risk involves using binfmt_misc to create backdoors by hijacking SUID binaries, allowing privilege escalation without traditional SUID flags.
- Detection is challenging as it leaves minimal traces, focusing on monitoring /proc/sys/fs/binfmt_misc for new handlers is recommended.
- The technique is temporary unless persistence mechanisms are established, offering a detection opportunity during system reboots.
New Cellebrite capability obtained in Teams meeting
6 months ago
- Someone leaked phone unlocking details from a Cellebrite Microsoft Teams call.
- GrapheneOS focuses on defending against exploit tools and unethical practices in the security industry.
- Cellebrite avoids disclosing specific capabilities of their technology to prevent misuse by criminals.
- GrapheneOS, Google, Samsung, and Apple are criticized by Cellebrite's authoritarian rhetoric.
- GrapheneOS advocates for ethical security practices and responsible disclosure.
- Exploit tools used unethically should be neutralized to protect human rights.
Intent to Deprecate and Remove XSLT
6 months ago
- XSLT v1.0, standardized in 1999, is outdated and has been superseded by JavaScript-based technologies like JSON+React.
- Chromium uses the unmaintained libxslt library, which poses significant security risks due to memory safety vulnerabilities.
- Client-side XSLT usage is now niche, with low usage metrics (0.01%-0.1% for XSLTProcessor API, 0.001% for declarative XSL).
- Chromium plans to deprecate and remove XSLT, with a detailed timeline starting from M143 (deprecation) to M164 (complete removal).
- A polyfill is available to mitigate breakage, restoring functionality for ~75% of affected sites with a single-line fix.
- Security benefits of removing XSLT outweigh compatibility risks, as it eliminates a vulnerable attack surface.
- Other browser engines (Gecko, WebKit) also support deprecating XSLT, though some web developers oppose the removal.
- The removal plan includes early warnings, origin trials, and enterprise policies to ease the transition.

first prev19next

About|Login

#security

Be Careful with Obsidian

Did You Know That There Are Camera-Less iPhones?

Cisco opensourced MCP-Scanner for finding vulnerabilties in MCP server

FreeBSD now builds reproducibly and without root privilege

Are these real CVEs? VulDB entries for dnsmasq rely on replacing config files

The Geomys Standard of Care

Understanding the Worst .NET Vulnerability

Reconsider W3C Recommendation status of XSLT 2.0 and XSLT 3.0

Breaking Trusted Execution Environments

Tailscale Services

Mullvad DNS

Tor Browser 15.0

I'm Independently Verifying Go's Reproducible Builds

NPM flooded with malicious packages downloaded more than 86,000 times

Show HN: Run a GitHub Actions step in a gVisor sandbox

Chromium Browser DoS Attack via Document.title Exploitation

The cryptography behind electronic passports

Today I Learned: Binfmt_misc

New Cellebrite capability obtained in Teams meeting

Intent to Deprecate and Remove XSLT