Security Content on InfoQ
-
Q&A on Cloud Discovery Tool for Multi-Cloud Environments
Cloud Discovery is an open-source tool from Twistlock that connects to cloud providers and gets an inventory of all the various infrastructure resources deployed. Cloud Discovery gathers and reports resources metadata in an aggregated way. Furthermore, application security holes can be identified when there’s more visibility across environments, such as which resources are missing a firewall rule.
-
A Conversation about ZipSlip, NodeJS Security, and BBS Hacking
Earlier this year, the popular Bower package manager was found vulnerable to an archive extraction flaw (Zip Slip) that allows attackers to write arbitrary files to a user's disk. As it turns out, the attack vector used by this exploit has been known since the early days of BBSes. InfoQ took the opportunity to speak with Liran Tal to learn more about software security, and NodeJS security in particular.
-
Adiantum Brings Disk Encryption to Low-End Smartphones
Adiantum is a new encryption algorithm for low-end smartphones, smartwatches, and other Android Pie devices that are too slow to use the Advanced Encryption Standard (AES) for storage encryption.
-
AWS Identity and Access Management Gains Tags and Attribute-Based Access Control
Amazon Web Services (AWS) recently enabled tags for IAM users and roles to ease the management of IAM resources. Notably, this release also includes the ability to embrace attribute-based access control (ABAC) and match AWS resources with IAM principals dynamically to "simplify permissions management at scale".
-
Dependabot Automatically Creates GitHub PRs to Fix Your Vulnerabilities
Leveraging the GitHub Security Advisory API, Dependabot aims to help developers track their dependencies, monitor the security of their programs, and remove any potential vulnerabilities as easily as possible by automatically creating PRs to resolve them.
-
XebiaLabs DevOps Platform Provides New Risk and Compliance Capability for Software Releases
XebiaLabs, a provider of DevOps and continuous delivery software tools, has launched new capabilities in its DevOps Platform for tracking chain of custody, security, and compliance risk assessments for software releases.
-
Protecting Artificial Intelligence from Itself
Applications that use artificial intelligence can be fooled by adversarial examples, inputs crafted to confuse the model's decisions. Input sanitization can help by filtering out improbable inputs before they are given to the model, argued Katharine Jarmul at Goto Berlin 2018. We need to start thinking of the models and the training data we put into them as potential security breaches, she said.
-
Microsoft Patches Active Internet Explorer Zero Day Exploit
Microsoft has issued an out-of-band update for a critical vulnerability in the Internet Explorer (IE) scripting engine that could lead to remote code execution. The vulnerability is being actively exploited in the wild, according to Tenable research engineer Satnam Narang, and users should update their systems as soon as possible.
-
Simplifying Blockchain Security Using Hyperledger Ursa
In a recent blog post, the Hyperledger project announced that its latest project, Hyperledger Ursa, has been accepted by the Technical Steering Committee (TSC). Ursa's primary objective is to simplify and consolidate cryptographic libraries into a trusted, consumable, and interoperable form for use in distributed ledger technology projects.
-
HashiCorp Vault 1.0 Open Sources Auto-Unseal, Adds Batch Tokens
HashiCorp has released version 1.0 of Vault, its secrets management tool. This release open-sources the auto-unseal feature, which lets a Vault server resume operation after a failure or restart without manual unsealing. It also introduces a new token type, the batch token, intended for ephemeral workloads. Another new feature is that the Kubernetes auth method now supports the service account tokens injected into a pod.
-
GPUs Found Vulnerable to Side-Channel Attacks
Since Spectre and Meltdown were demonstrated at the beginning of 2018, researchers have been discovering many variants of side-channel vulnerabilities affecting both Intel and AMD CPUs. GPUs seemed instead to be immune to such attacks. Until now, that is.
-
Building Human Interfaces with Artificial Intelligence
AI helps us build human interfaces based on speaking and writing instead of a keyboard or mouse; it allows humans to stay human. The biggest challenges are finding ways to tell systems which answers are unsatisfactory so they can learn, being transparent about what data is recorded and retained, and ensuring that diversity and inclusion are part of our training data to prevent bias in AI systems.
-
PortSmash is the Latest Side-Channel Attack Affecting Intel CPUs
Researchers have devised a new kind of timing attack that steals information from a different process running on the same physical core when SMT/hyper-threading is enabled. By carefully measuring port contention delays while issuing instructions to the shared core, the researchers were able to recover a private key from another process. Intel CPUs are probably not the only ones affected.
-
British Airways Data Breach Conducted via Malicious JavaScript Injection
British Airways has reported two substantial data breaches this year: in September it disclosed the compromise of 244,000 credit card transactions made in August and September, and in October it further disclosed another 185,000 transactions from April through July.
-
Google Releases New Security Features for Compute Engine: Resource-Level IAM and IAM Conditions
Google announced two new Cloud Identity and Access Management (IAM) features to help customers better manage security and access control in Google Compute Engine. These features are resource-level IAM, which sets policies on individual resources, and IAM conditions, which grant access based on predefined conditions.