Security Vulnerabilities Content on InfoQ
-
Half of 4 Million Public Docker Hub Images Found to Have Critical Vulnerabilities
A recent analysis of around 4 million Docker Hub images by cyber security firm Prevasio found that 51% of the images had exploitable vulnerabilities. A large number of these were cryptocurrency miners, both open and hidden, and 6,432 of the images had malware.
-
How SAD DNS Works
SAD DNS is a new variant of DNS cache poisoning that allows an attacker to inject malicious DNS records into a DNS cache, thus redirecting any traffic to their own server and becoming a man-in-the-middle (MITM).
-
Git 2.29 Introduces Experimental Support for SHA-256
The latest version of Git experimentally enables using SHA-256 instead of SHA-1 for file hashing, thus removing a long-standing vulnerability which in principle allowed an attacker to forge a counterfeit repository with a HEAD indistinguishable from the original's.
-
GitHub Code Scanning Is out of Beta
One year ago GitHub announced the acquisition of Semmle, maker of a semantic code analysis engine powered by the Semmle QL query language. After a few months in beta, GitHub is now announcing the availability of its new CodeQL-based code scanning capability for all public and private repos.
-
Snyk Releases Enhanced Vulnerability Prioritization Features
Snyk has announced the release of a number of new features to simplify prioritizing security vulnerabilities. This includes a new, proprietary algorithm to assess and provide a score for each identified issue. This approach takes into account the maturity of the exploit and can analyze if the affected code is reachable through application execution.
-
AWS Announces the General Availability of New Security Service: Amazon Detective
Recently, Amazon announced the general availability of Amazon Detective. This new security service in AWS allows customers to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
-
Yelp Open-Sources Fuzz-Lightyear, A Swagger-Based IDOR Vulnerability Detector
Business directory and crowd-sourced review service Yelp has open-sourced its in-house security testing framework, fuzz-lightyear, which identifies Insecure Direct Object Reference (IDOR) vulnerabilities.
-
Microsoft Patches Severe Crypto32.dll Vulnerability
Microsoft has released patches for various versions of Windows 10 and Windows Server 2019 and 2016 to fix a severe vulnerability affecting system validation of Elliptic Curve Cryptography (ECC) certificates. This vulnerability enables an attacker to spoof certificate chain and signature validation, and it requires prompt patching.
-
Poor Random Number Generation Makes 1 in Every 172 RSA Certificates Vulnerable
A research report by the firm KeyFactor shows that many IoT and network devices are using weak digital certificates that make them vulnerable to attack. Researchers Jonathan Kilgallin and Ross Vasko analyzed 75 million RSA certificates and found that 1 in 172 keys shares a factor with another, which means they can be easily cracked.
-
Microsoft Exploring Rust as the Solution for Safe Software
Microsoft has been recently experimenting with Rust to improve the safety of their software. In a talk at RustFest Barcelona, Microsoft engineers Ryan Levick and Sebastian Fernandez explained the challenges they faced in using Rust at Microsoft. Part of Microsoft's journey with Rust included rewriting a low-level Windows component, as Adam Burch explained.
-
Microsoft Releases Azure Sentinel, a Cloud Native SIEM, to General Availability
In a recent blog post, Microsoft announced the general availability of Sentinel, a Security Information and Event Management (SIEM) service in Azure, providing customers with intelligent security analytics across their enterprise. With the GA of Azure Sentinel, Microsoft now enters the SIEM market.
-
GitHub Improves Vulnerability Workflows and Becomes CVE Numbering Authority
Along with the Semmle acquisition, GitHub has disclosed a number of improvements aimed at making it easier for maintainers and developers to fix and protect against vulnerabilities. This includes the possibility of creating a security advisory and assigning it a CVE number directly from the GitHub UI.
-
GitHub to Integrate Semmle Code Analysis for Continuous Vulnerability Detection
With the acquisition of startup Semmle, GitHub aims to make continuous vulnerability detection part of their continuous integration/continuous deployment service.
-
Five 0-Day iOS Vulnerability Chains Have Been Exploited for Years
A collection of fourteen vulnerabilities affecting almost every iOS version from iOS 10 to iOS 12 enabled a number of hacked websites to gain control of their visitors' devices and steal a wealth of private data over at least two years, Google Threat Analysis Group (TAG) engineer Ian Beer wrote. These vulnerabilities are not new. What is new is the discovery of their active exploitation in the wild.
-
Robot Social Engineering: Brittany Postnikoff at QCon New York
At QCon New York, Brittany Postnikoff presented “Robot Social Engineering: Social Engineering Using Physical Robots”. Quoting findings from academic research literature, she demonstrated that humans can often be manipulated via robots. A core message of the talk was the need for security and privacy to be part of any robot's fundamental design.