Readit News
kafrofrite commented on Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised   socket.dev/blog/ongoing-s... · Posted by u/jamesberthoty
kafrofrite · 3 months ago
It's probably not trivial to implement and there's already a bunch of problems that need solving (e.g., trusting keys etc.) but... I think that if we had some sort of lightweight code provenance (off the top of my head: commits are signed with known/trusted keys, releases are signed by known keys, installing signed packages requires verification), we could probably make it somewhat harder to introduce malicious changes.

Edit: It looks like there's already something similar using sigstore in npm https://docs.npmjs.com/generating-provenance-statements#abou.... My understanding is that its use is not widespread though and it's mostly used to verify the publisher.

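The scheme the comment above sketches (releases signed by a key the installer already trusts, installation refused otherwise), as an added example in Go that is not the commenter's code and not npm's sigstore/provenance format. The release record layout, the trust store shape and the `example-pkg` name and tarball bytes are assumptions constructed for the example; the point it makes is which three failures a verification gate must catch: an unknown signer, a tarball that no longer matches the signed digest, and a signature replayed onto a different version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is a minimal provenance record (assumed shape, not npm's attestation
// format): what was published, who claims to have signed it, and the signature.
type Release struct {
	Name      string
	Version   string
	Digest    [32]byte // SHA-256 of the tarball bytes
	SignerID  string   // maintainer identity the publisher claims
	Signature []byte   // Ed25519 signature over signedMessage(...)
}

// signedMessage binds name, version and digest together, so a valid signature
// for one version cannot be replayed onto another version or another package.
func signedMessage(name, version string, digest [32]byte) []byte {
	return []byte(name + "@" + version + ":" + hex.EncodeToString(digest[:]))
}

// TrustStore maps maintainer identities to public keys the installer already trusts.
// Populating it (key distribution, rotation, revocation) is the hard part the comment alludes to.
type TrustStore map[string]ed25519.PublicKey

// Publish is the maintainer side: hash the artifact and sign the bound message.
func Publish(name, version string, tarball []byte, signerID string, priv ed25519.PrivateKey) Release {
	d := sha256.Sum256(tarball)
	return Release{Name: name, Version: version, Digest: d, SignerID: signerID,
		Signature: ed25519.Sign(priv, signedMessage(name, version, d))}
}

var (
	ErrUnknownSigner  = errors.New("release signed by an identity not in the trust store")
	ErrDigestMismatch = errors.New("tarball digest does not match the release record")
	ErrBadSignature   = errors.New("signature does not verify for this name/version/digest")
)

// VerifyBeforeInstall is the installer side: every check must pass before the
// tarball is unpacked or any install script runs.
func VerifyBeforeInstall(ts TrustStore, rel Release, tarball []byte) error {
	pub, ok := ts[rel.SignerID]
	if !ok {
		return ErrUnknownSigner
	}
	if sha256.Sum256(tarball) != rel.Digest {
		return ErrDigestMismatch
	}
	if !ed25519.Verify(pub, signedMessage(rel.Name, rel.Version, rel.Digest), rel.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{"maintainer@example.org": pub}
	tarball := []byte("constructed tarball bytes for example-pkg 1.2.3")
	rel := Publish("example-pkg", "1.2.3", tarball, "maintainer@example.org", priv)
	fmt.Println("genuine:       ", VerifyBeforeInstall(ts, rel, tarball))

	// A stolen publish token lets an attacker upload new bytes, but not re-sign them.
	tampered := append(append([]byte{}, tarball...), []byte("\n// postinstall payload")...)
	fmt.Println("tampered bytes:", VerifyBeforeInstall(ts, rel, tampered))

	// Signing with a key of their own under a new identity fails the trust-store lookup.
	_, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := Publish("example-pkg", "1.2.4", tampered, "attacker", evilPriv)
	fmt.Println("unknown signer:", VerifyBeforeInstall(ts, evil, tampered))
}
```

The gate deliberately returns distinct errors: an installer that collapses them into one "verification failed" makes it impossible to tell a key-distribution problem from an actual tampered artifact when the alarms go off.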
kafrofrite commented on The Chrome VRP Panel has decided to award $250k for this report   issues.chromium.org/issue... · Posted by u/alexcos
colbyn · 5 months ago
Suppose someone wanted to dive into other projects with the ambition of finding high value bugs. Besides chromium what would you recommend or consider? What would be your thought process for deciding what projects to look into?
kafrofrite · 5 months ago
The answer to your question is WebKit (because iOS), kernels (XNU, Linux, Windows) etc. In case you are not familiar with the domain I'd start with user-space exploitation and relevant write-ups to get my feet wet. You'll find plenty of write-ups, blogs etc. so I'll skip those. Some of the books I generally found interesting are [1], [2], [3]. There's more to that, including fundamental concepts of CS (e.g., compilers and optimization in JITs, OS architecture etc.). I believe https://p.ost2.fyi/dashboard also has some relevant training.

[1] https://nostarch.com/zero-day

[2] https://nostarch.com/hacking2.htm

[3] https://ia801309.us.archive.org/26/items/Wiley.The.Shellcode...

kafrofrite commented on Apple Confirms Zero-Day Attacks Hitting macOS Systems   securityweek.com/apple-co... · Posted by u/fortran77
bigiain · a year ago
> Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Is kinda weasel-wordy, if you read it with sufficient cynicism.

It doesn't rule out them also being aware of reports (or actual instances) of it being exploited on iOS or Apple silicon Macs.

It _might_ actually mean "Apple could not deny in a lawsuit that it's been sent a report of this being exploited on Intel Macs."

kafrofrite · a year ago
Most probably what Apple means is that since their codebase is shared, the vulnerability exists across devices. This does not mean that the vulnerability is actively exploited in iOS nor that it will not be actively exploited as part of some other campaign.
kafrofrite commented on Apple Confirms Zero-Day Attacks Hitting macOS Systems   securityweek.com/apple-co... · Posted by u/fortran77
TekMol · a year ago
The article sounds like it also applies to iOS

    The company urged users across the Apple
    ecosystem to apply the urgent iOS 18.1.1,
    macOS Sequoia 15.1.1 and the older iOS 17.7.2.
And that it is web based

    maliciously crafted web content may lead
    to arbitrary code execution
Has this happened before? That iPhones had a security hole that could be exploited over the web?

kafrofrite · a year ago
> Has this happened before? That iPhones had a security hole that could be exploited over the web?

Yes, there were exploits in the past that could be exploited remotely, including some that were used for jailbreaking.
kafrofrite commented on I looked through attacks in my access logs   nishtahir.com/i-looked-th... · Posted by u/thunderbong
pferde · 2 years ago
An interesting thing that I've noticed is that some of the attackers watch the Certificate Transparency logs for newly issued certificates to get their targets.

I've had several instances of a new server being up on a new IP address for over a week, with only a few random probing hits in access logs, but then, maybe an hour after I got a certificate from Let's Encrypt, it suddenly started getting hundreds of hits just like those listed in the article. After a few hours, it always dies down somewhat.

The take-away is, secure your new stuff as early as possible, ideally even before the service is exposed to the Internet.

kafrofrite · 2 years ago
I work as a security engineer and, yes, the CT logs are extremely useful not only for identifying new targets the moment you get a certificate but also for identifying patterns in naming your infra (e.g., dev-* etc.).

A good starting point for hardening your servers is CIS Hardening Guides and the relevant scripts.

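What a CT-watching scanner actually computes from a freshly logged certificate, as an added example in Go (not the commenter's code). Because there is no network here, the certificate is self-signed inside the program with constructed SANs standing in for the one Let's Encrypt would have just logged; the triage patterns (`dev-`, `staging.`, `jenkins.` and so on) are an assumed list. It also shows the one caveat worth knowing: a wildcard SAN reveals the zone but not the hostnames behind it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// makeCert builds a self-signed certificate carrying the given DNS SANs. It stands
// in for the certificate a CT log publishes moments after issuance (constructed data).
func makeCert(sans []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// interesting is an assumed list of naming prefixes that leak an environment or an
// internal service; an attacker prioritises these, a blue team should alert on them.
var interesting = regexp.MustCompile(`(?i)^(dev|stag(e|ing)|test|uat|qa|admin|vpn|jenkins|gitlab|grafana)[-.]`)

// Finding is one hostname the log just handed to anyone watching, with the reason it matters.
type Finding struct {
	Host   string
	Reason string
}

// Triage turns the SANs of one logged certificate into a probe list, in SAN order.
func Triage(cert *x509.Certificate) []Finding {
	var out []Finding
	for _, h := range cert.DNSNames {
		switch {
		case strings.HasPrefix(h, "*."):
			// Wildcard: the log reveals only the zone, not the hosts behind it, so there is nothing to probe yet.
			continue
		case interesting.MatchString(h):
			out = append(out, Finding{h, "naming pattern leaks environment/service"})
		default:
			out = append(out, Finding{h, "new host, probe default paths"})
		}
	}
	return out
}

func main() {
	cert := makeCert([]string{
		"www.example.org", "dev-api.example.org", "jenkins.example.org", "*.internal.example.org",
	})
	for _, f := range Triage(cert) {
		fmt.Printf("%-26s %s\n", f.Host, f.Reason)
	}
}
```

Everything `Triage` sees is public the moment the certificate is logged, which is the mechanism behind the burst of hits the parent describes: hardening has to be finished before the ACME client runs, not after.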
kafrofrite commented on AI and Mass Spying   schneier.com/blog/archive... · Posted by u/hendler
bonyt · 2 years ago
I think another aspect of this is mass criminal law enforcement enabled by AI.

Many of our criminal laws are written with the implicit assumption that it takes resources to investigate and prosecute a crime, and that this will limit the effective scope of the law. Prosecutorial discretion.

Putting aside for the moment the (very serious) injustice that comes with the inequitable use of prosecutorial discretion, let's imagine a world without this discretion. Perhaps it's contrived, but one could imagine AI making it at least possible. Even by the book as it's currently written, is it a better world?

Suddenly, an AI monitoring public activity can trigger an AI investigator to draft a warrant to be signed by an AI judge to approve the warrant and draft an opinion. One could argue that due process is had, and a record is available to the public showing that there was in fact probable cause for further investigation or even arrest.

Maybe a ticket just pops out of the wall like in Demolition Man, but listing in writing clearly articulated probable cause and well-presented evidence.

Investigating and prosecuting silly examples suddenly becomes possible. A CCTV camera catches someone finding a $20 bill on the street, and finds that they didn't report it on their tax return. The myriad of ways one can violate the CFAA. A passing mention of music piracy on a subway train can become an investigation and prosecution. Dilated pupils and a staggering gait could support a drug investigation. Heck, jaywalking tickets given out as though by speed camera. Who cares if the juice wasn't worth the squeeze when it's a cheap AI doing the squeezing.

Is this a better world, or have we just all subjected ourselves to a life hyper-analyzed by a motivated prosecutor?

Turning back in the general direction of reality, I'm aware that arguing "if we enforced all of our laws, it would be chaos" is more an indictment of our criminal justice system than it is of AI. I think that AI gives us a lens to imagine a world where we actually do that, however. And maybe thinking about it will help us build a better system.

kafrofrite · 2 years ago
IIRC, [1] mentioned a few examples of AI that exhibited the same bias that is currently present in the judicial system, banks etc.

[1] https://en.wikipedia.org/wiki/Weapons_of_Math_Destruction

kafrofrite commented on Stuxnet Source Code   github.com/research-virus... · Posted by u/Jimmc414
cies · 2 years ago
In Iran the copyrights of foreign works are not well protected. This led to a lot of copying: western software and books are/were available for little more than the price of the writable CD-ROM or paper+ink you got it on. Translations of works were slightly more expensive, since the translator did have to get paid.

Since Windows (etc.) was free, and the universities taught a curriculum based largely on US uni-books, Windows is/was everywhere, even in sensitive environments. Windows has the worst track record on privacy and security (remember _NSAKEY?), and Iran got bitten by this very hard.

kafrofrite · 2 years ago
I'm not a fan of Windows but Stuxnet didn't happen because of Windows. Iran decided to spin up a nuclear program and Israel and the US had concerns and wanted to stop it. They had the resources to develop something tailored for this unique situation, which included Windows, Siemens PLCs (IIRC), centrifuges etc., and developed the malware based on their target. Even if their target used a different stack, they'd find a way to achieve the same result.
kafrofrite commented on Ask HN: Why do people use password managers?    · Posted by u/prakhar897
kafrofrite · 2 years ago
I'll try my best to explain everything (trying to avoid too much security lingo, hopefully).

A password manager is a big database of passwords. There is a master password that decrypts the database and from there you can use your passwords. Notice that hashes are one-way operations thus not used in password managers. The benefits of using a password manager are that users need to remember and handle only one password, that of their password manager; the rest of the passwords are unique and can be rotated quickly. Ideally, your password manager does a few more things, including taking precautions against leaving traces of passwords in memory etc.

There's another part of commercial password managers which is mostly convenience functionality. Passwords are synced across devices, specific members access specific passwords etc.

Some people do use local password managers, depending on their threat model (i.e., who's after them) and their level of expertise/time on their hands. Setting up something locally requires taking additional precautions (such as permissions, screen locks etc.) that are typically handled by commercial password managers.

Reg. Okta, Okta is an identity provider. In theory, identity providers can provide strong guarantees regarding a user, i.e., "I authenticated him thus I gave him those tokens to pass around". Strong guarantees can include a number of things, including Multi-factor Authentication, VPN restrictions etc.

Funny story: during an internal red team engagement at a previous employer of mine, we took over the local password manager of a subset of the security org, twice. The first time, they had a VNC session, unauthenticated, with the password manager running and the file unlocked. The second time, a team conveniently used Git to sync their password manager file, with their password tracked.

kafrofrite commented on I analyzed Stack Overflow for secrets   matan-h.com/analyze-stack... · Posted by u/matan-h
williamdclt · 2 years ago
> he asked me to conduct penetration tests against the major providers

That sounds madly illegal?

kafrofrite · 2 years ago
Most providers had a semi-automated process that granted you permission to conduct your pentest (assuming you'd share any findings reg. their infra with them). In reality though, most of the findings didn't come from poking around but from tapping the wire. I'd spin up VMs and run tcpdump for hours, then look at the logs for odd packets, plaintext etc. etc., which makes it hard to detect such shenanigans.

Edit: We went through the process for everything, including having a provider ship us a back-up solution to pentest. My desk became everyone's favourite place in the building :P

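The "look at the capture for plaintext" step from the comment above, as an added example in Go (not the commenter's code). Instead of reading a pcap it runs a handful of detectors (HTTP Basic and Bearer headers, form-encoded credentials, FTP `PASS`, IMAP `LOGIN`) over constructed payloads standing in for reassembled TCP segments, and skips anything that carries a TLS record header, since the whole point is that such secrets only show up on the wire when encryption is absent. The packet struct, the detector list and the sample payloads are assumptions made for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Packet is the unit a pcap reassembly would hand us: server port plus the
// application-layer bytes of one segment. Constructed for this example.
type Packet struct {
	DstPort int
	Payload string
}

// Hit records one secret observed in cleartext.
type Hit struct {
	Port   int
	Kind   string
	Secret string
}

var (
	basicAuth = regexp.MustCompile(`(?i)Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)`)
	bearer    = regexp.MustCompile(`(?i)Authorization:\s*Bearer\s+(\S+)`)
	formCred  = regexp.MustCompile(`(?i)(?:^|&)(?:pass(?:word)?|pwd|secret|token)=([^&\s]+)`)
	ftpPass   = regexp.MustCompile(`(?i)^PASS\s+(\S+)`)
	imapLogin = regexp.MustCompile(`(?i)^\S+\s+LOGIN\s+\S+\s+(\S+)`)
)

// looksLikeTLS checks for a TLS record header (content type 0x14..0x17, major version 3).
// Such payloads are ciphertext and carry nothing for these detectors.
func looksLikeTLS(payload string) bool {
	return len(payload) >= 3 && payload[0] >= 0x14 && payload[0] <= 0x17 && payload[1] == 0x03
}

// Inspect runs every detector over one payload and returns what it leaked.
func Inspect(p Packet) []Hit {
	if looksLikeTLS(p.Payload) {
		return nil
	}
	var hits []Hit
	if m := basicAuth.FindStringSubmatch(p.Payload); m != nil {
		if dec, err := base64.StdEncoding.DecodeString(m[1]); err == nil {
			hits = append(hits, Hit{p.DstPort, "http-basic", string(dec)}) // decodes to user:password
		}
	}
	if m := bearer.FindStringSubmatch(p.Payload); m != nil {
		hits = append(hits, Hit{p.DstPort, "bearer-token", m[1]})
	}
	// Line-oriented protocols and form bodies: normalise CRLF and scan line by line.
	for _, line := range strings.Split(strings.ReplaceAll(p.Payload, "\r\n", "\n"), "\n") {
		if m := formCred.FindStringSubmatch(line); m != nil {
			hits = append(hits, Hit{p.DstPort, "form-credential", m[1]})
		}
		if m := ftpPass.FindStringSubmatch(line); m != nil {
			hits = append(hits, Hit{p.DstPort, "ftp-pass", m[1]})
		}
		if m := imapLogin.FindStringSubmatch(line); m != nil {
			hits = append(hits, Hit{p.DstPort, "imap-login", m[1]})
		}
	}
	return hits
}

// ScanCapture applies Inspect to every packet, preserving capture order.
func ScanCapture(pkts []Packet) []Hit {
	var all []Hit
	for _, p := range pkts {
		all = append(all, Inspect(p)...)
	}
	return all
}

// SampleCapture is a constructed stand-in for what hours of tcpdump might yield.
var SampleCapture = []Packet{
	{80, "GET /admin HTTP/1.1\r\nHost: panel.internal\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n"},
	{21, "USER anonymous\r\nPASS ftp-constructed\r\n"},
	{443, "\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"}, // start of a TLS ClientHello: skipped
	{8080, "POST /login HTTP/1.1\r\nHost: app\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=bob&password=hunter2"},
	{143, "a001 LOGIN alice s3cret-constructed\r\n"},
	{8080, "GET /api/v1/me HTTP/1.1\r\nAuthorization: Bearer constructed.bearer.token\r\n\r\n"},
}

func main() {
	for _, h := range ScanCapture(SampleCapture) {
		fmt.Printf("port %-5d %-16s %s\n", h.Port, h.Kind, h.Secret)
	}
}
```

Passive inspection like this generates no traffic of its own, which is why the comment notes it is hard for the target to detect; on a real engagement the detectors would be fed from a pcap reader and the hits written out with timestamps rather than printed.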
kafrofrite commented on I analyzed Stack Overflow for secrets   matan-h.com/analyze-stack... · Posted by u/matan-h
kafrofrite · 2 years ago
Reminded me of a funny story. Maybe a decade ago, when moving to the cloud was all the rage, my then employer decided to check whether the cloud was any good. Long story short, he asked me to conduct penetration tests against the major providers. In one of the providers I pivoted through some network and hit a webpage that looked like some sort of control plane panel (but required authentication so...). I decided to google part of the HTML and... A stack overflow thread pops up with the code and parts of the backend code/logic. So much win.

u/kafrofrite

Karma: 138 · Cake day: April 10, 2020

About: kafrofrite@gmail.com