Your two-factor authentication code is: 9 DO NOT SHARE THIS CODE WITH ANYONE.
A question for #infosec practitioners. I've found an abandoned AWS bucket from a very large company. It serves all the images & fonts in their billing emails. I defensively registered it to prevent an attacker from injecting malicious content into the emails I receive. Then I emailed their security.txt contact to inform them and offer to transfer it back (for free, obviously). Was that the right thing to do? Should I have waited for a response from them before securing the bucket?
I just wrote the following on a GitHub issue. I don't understand why people have not learned this yet: ⚠️ NEVER SEND POTENTIAL SECURITY ISSUES PUBLICLY. If the security issue is concrete, it also puts all the users at risk because the maintainers might not have time to act.
Matteo Collina (@matteocollina)Tue, 27 Dec 2022 17:04 GMT
Performing arbitrary executions with Renovate (2 mins read).
How to run Renovate for one-off package upgrades, rather than using it for longer term maintenance.
The massive push for software supply-chain integrity and transparency has left organizations struggling to secure their pipelines and manage vulnerabilities. Existing tooling doesn't support supply-chain security natively and requires users to bolt on critical features like signatures, provenance, and software bills of materials (SBOM). Everything you need to know about securing the software supply chain.
The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose
Infosys has a lot to say about security. You can check out their website for a lot of buzzwords, but it's clear from all the stock photos that they take security Very Seriously Indeed ™️. However, from what I've found recently, it seems that Infosys use the following Comprehensive Management-Endorsed Proficiently Driven Cybersecurity Strategy and Framework items:
- Don't use AWS roles or temporary credentials for your developers
- Instead, use IAM user keys and give them all FullAdminAccess permissions
- Never rotate these keys and store them as plaintext in git
- Use these keys to protect what appears to be medical data about COVID patients
- Have someone publish those keys and the code in a public package to pypi
- Keep those keys active for days after leakage
- Make nonsensical pull requests to try and remove all references to the leak
The Leak
This morning I woke up to a very strange pull request on my pypi-data project.
Public listings have made sensitive data searchable due to misconfigured third-party services
Extracting the dependency tree from Renovate for given repositories (4 mins read).
Creating a (hacky) solution to retrieve the dependency graph from Renovate for a set of repositories.
Many of us use one-time passwords (OTP) regularly to log into different services. Most probably rely on Google Authenticator and similar tools. But what about building one by ourselves?
Announcing vulnerability management for Go, to help developers learn about known vulnerabilities in their dependencies.
The other day someone claimed a hostname on a domain I own and it took me a while to track down how. After a lot of digging around, trying to figure out how the hijack was accomplished, it turns out it was via GitHub Pages.
A tool for securing CI/CD workflows with version pinning. - GitHub - sethvargo/ratchet: A tool for securing CI/CD workflows with version pinning.
Idea for Open Source/Startup: monetising the supply chain (2 mins read).
An idea I've had for how to better distribute support to Open Source libraries in the supply chain for your software.
1. Buy expired NPM maintainer email domains.
2. Re-create maintainer emails.
3. Take over packages.
4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed.
5. Enjoy world domination.
Lance R. Vick ( @lrvick@mastodon.social ) (@lrvick)Mon, 09 May 2022 21:20 +0000
*sigh* 🥃
Jason Kikta 🌻 (@kikta)Mon, 09 May 2022 17:29 +0000
The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, this …
Recommended read: CVE-2022-21449: Psychic Signatures in Java – Neil Madden https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/
If you need to verify the ID of the OAuth application, check the number at the end of the url like github.com/orgs/<org>/policies/applications/145909 coming from the github.com/organizations/<org>/settings/oauth_application_policy page.
chrismo (@the_chrismo)Sat, 16 Apr 2022 02:42 +0000
spent way too long making this
Alex Strook ⚡🐭 (@AlexStrook)Wed, 13 Apr 2022 16:12 +0000
Set up some MFA stuff last night and the amount of this is so annoying:
Matt Brunt (@Brunty)Wed, 13 Apr 2022 08:00 +0000
Lightspin obtains credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension.
Recommended read: AWS RDS Vulnerability Leads to AWS Internal Service Credentials https://blog.lightspin.io/aws-rds-critical-security-vulnerability
🧠 Reminder that "beefstew" is not a good password. It is not Str0g4|\|off
Chris Heilmann (@codepo8)Tue, 05 Apr 2022 08:57 +0000
My bank: 🏦: I need you to jump through security hurdles to keep your money safe. Me: 🙋♀️: No problem! Cybersecurity is a process, not a destination! Also My Bank: 🏦: Whoa, whoa, whoa. 21 digit password? Let's not get crazy. Also, I have never seen the character "&" in my life.
Brianna Wu (@BriannaWu)Tue, 29 Mar 2022 14:59 +0000
📢 On June 23rd, I will be presenting in @tweakers Summit 2022: How did the Log4j crew survive Log4shell? tweakers.net/partners/devsu… Game on! 🎮
Volkan Yazıcı (@yazicivo)Tue, 29 Mar 2022 07:06 +0000
Wow, @Zoom's decision to bypass the security settings of their customers in order to boost its marketplace demand is a bold move, to put it mildly. CISOs discovering this after the fact will be fuming.
Tobie Langel (@tobie)Mon, 28 Mar 2022 08:33 +0000
Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards (6 mins read).
How to use the OpenSSF Scorecards GitHub Action to audit your GitHub and GitHub Actions configuration, and a breakdown of some of the issues raised by it.
Since #Log4j you've heard how OSS vulns impact most orgs, how OSS is underfunded & we need to do more to help, but did you know OSS security has improved drastically in the last 4 years? In 2017, 35% of OSS libs used had a known flaw. In 2022 it's < 10% veracode.com/state-of-softw…
Chris Wysopal (@WeldPond)Wed, 09 Feb 2022 19:36 GMT
Kelsey Hightower joins us from Google to discuss the question "Can DevSecOps be damaging?"
Eight years later, and this is now a thing 😃 gov.uk/security.txt No monetary reward (sadly, but I get why).
Should GOV.UK Run A Bug Bounty? shkspr.mobi/blog/?p=9760
Terence Eden (@edent)Tue, 04 Feb 2014 12:05 GMT
Terence Eden (@edent)Fri, 04 Feb 2022 07:43 GMT
Federal government memo: "Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum." Yes!
The federal government just dropped a 29-pg memo laying out its "transition to a zero trust approach" A few surprises: ✴️ there's more in it than just zero-trust ✴️ it goes beyond what most orgs do today I read the whole thing so you don't have to... bastionzero.com/blog/i-read-th…
Sharon Goldberg (@goldbe)Thu, 27 Jan 2022 14:52 GMT
Simon Willison (@simonw)Thu, 27 Jan 2022 19:21 GMT
Please do not teach the computers how to recognize us even with most of our facial features covered.
iOS 15.4 beta has a new ‘Use Face ID with a Mask’ option and the masked FaceID icon is absolutely adorable.
Sebastiaan de With (@sdw)Thu, 27 Jan 2022 19:38 GMT
Renaissance Mandalorian (@indik)Fri, 28 Jan 2022 03:42 GMT
Over 20 thousand servers have their iLO exposed to the internet, many are outdated and vulnerable i5c.us/d28276
SANS ISC (@sans_isc)Wed, 26 Jan 2022 11:20 GMT
Recommended read: Linux system service bug gives root on all major distros, exploit released https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/
"Securing the (open source) software supply chain" naturally focuses attention "upstream" in the supply chain. And there is so much to do _downstream_ in how we assemble and operate software more securely. Improvements downstream don't need to wait on investments upstream.
Matthew S. Wilson (msw) (@_msw_)Sun, 16 Jan 2022 17:18 GMT
Recommended read: 10 real-world stories of how we’ve compromised CI/CD pipelines https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/
Recommended read: Orca Security Discovers AWS Glue Vulnerability - Orca Security https://orca.security/resources/blog/aws-glue-vulnerability/
Imagine how much worse this could have been (and how long it would have gone undetected) if the change was siphoning AWS credentials instead of graffiti in the terminal.
Looks like the AWS CDK is broken because the dependency on colors.js which has a totally hilarious bug: github.com/aws/aws-cdk/is… It shows "LIBERTY LIBERTY LIBERTY".
Soenke Ruempler (@s0enke)Sun, 09 Jan 2022 18:43 GMT
Aidan W Steele (@__steele)Sun, 09 Jan 2022 23:22 GMT
Recommended read: In the aftermath of Log4Shell, three lessons that organisations must learn | Jetstack Blog https://www.jetstack.io/blog/log4shell-lessons-to-learn/
Recommended read: Are you building features for phishers? https://bradleyjkemp.dev/post/are-you-building-features-for-phishers/