Security Content on InfoQ
-
Disabling Google 2FA Doesn't Need 2FA
A developer's machine, compromised by attackers, was able to use Safari auto-fill to log into passwords.google.com, disable 2FA and extract passwords without notification. InfoQ spoke to Amos (@fasterthanlime) on Twitter about his experience and advice for others who might find themselves in the same situation. Read on to find out what happened, and what you should do to protect your assets.
-
Security as a Product - a Coordination Game between DevOps and InfoSec
Kelly Shortridge, a product and strategy expert in information security, has described how security should be treated as a product. Analyzing the "we mindset" and game theory, she puts forth DevOps and InfoSec as a coordination game.
-
Elasticsearch 7.7 Brings Asynchronous Search, Secure Keystore and More
Elastic, the search company, has released Elasticsearch 7.7.0. This release introduces asynchronous search, a password-protected keystore, performance improvements on time-sorted queries, two new aggregates, and the first release of packaging for the ARM (non-x86) platform.
-
WebAssembly: Building a Secure-by-Default Ecosystem - Lin Clark at WebAssembly Summit
Lin Clark, principal research engineer at Mozilla focusing on WebAssembly and Rust, discussed at the WebAssembly Summit the security challenges WebAssembly must address. Clark explained how the nano-process proposal strives to provide portable, secure-by-default WebAssembly modules.
-
Microsoft Announces the General Availability of DCsv2-VM from Azure Confidential Computing
Recently, Microsoft announced the general availability of DCsv2-series virtual machines (VMs). With these VMs, customers can deliver applications that protect data while in use.
-
DNSSEC Root KSK Ceremony 41 Taking Place on Thursday
The DNSSEC signing ceremony, which takes place as an in-person event every three months, will be a combined physical and virtual event on Thursday at 17:00 UTC. The signing of the next few months' keys for the DNSSEC root nameservers will take place, but not all of the keyholders will be physically present due to travel restrictions caused by COVID-19. Find out how the ceremony has been adapted.
-
jQuery 3.5 Released, Fixes XSS Vulnerability
Timmy Willison released jQuery 3.5, which fixes a cross-site scripting (XSS) vulnerability found in its HTML parser. The Snyk open source security platform estimates that 84% of all websites may be impacted by jQuery XSS vulnerabilities. jQuery 3.5 also adds missing methods for the positional selectors :even and :odd in preparation for the complete removal of positional selectors in jQuery 4.
-
Safari Blocks Third-Party Cookies by Default
Safari joins privacy-focused web browsers like Tor and Brave in blocking third-party cookies by default, a step forward in web privacy. Google will not support third-party cookie blocking by default for all Chrome users until 2022. Blocking third-party cookies by default may disable login fingerprinting and some cross-site request forgery attacks.
-
Pandemic Shines Security Spotlight on Zoom Collaboration Risks
COVID-19 self-isolation has resulted in Zoom growing from 10m to 200m daily users. This has highlighted issues with Zoom's data privacy, security practices and meeting configurations. Bruce Schneier and other security commentators have provided insights into these issues. While governments and major companies have banned it, Zoom has started a 90-day security hardening effort with the former Facebook CSO.
-
AWS Announces the General Availability of New Security Service: Amazon Detective
Recently, Amazon announced the general availability of Amazon Detective. This new security service in AWS allows customers to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
-
Let's Encrypt is Revoking Three Million Certificates on March 4
Non-profit certificate authority Let's Encrypt, which provides X.509 certificates for TLS encryption at no charge, has announced it will revoke customer certificates today due to a bug in its Boulder CA software.
-
Microsoft Releases Application Inspector, a Tool for Examining Code Security
In a recent blog post, Microsoft announced an open source tool that developers can use to detect security vulnerabilities in their software solutions. The tool is called Microsoft Application Inspector and is available on GitHub. As organizations try to reduce their time to market, oversights may occur. Application Inspector can be used to identify malicious code used in third-party libraries.
-
Keeping Credentials Safe, Google Introduces Cloud Secret Manager
In a recent blog post, Google announced a new service, called Secret Manager, for managing credentials, API keys and certificates when using Google Cloud Platform. The service is currently in beta and the intent of this service is to reduce secret sprawl within an organization’s cloud deployment and ensure there is a single source of truth for managing credentials.
-
Can We Build Trustable Hardware? Andrew Huang at 36C3
Andrew “bunnie” Huang recently presented at 36C3 on ‘Open Source is Insufficient to Solve Trust Problems in Hardware’ with an accompanying blog post ‘Can We Build Trustable Hardware?’ His central point is that Time-of-Check to Time-of-Use is very different for hardware versus software, and so open source is less helpful in mitigating the array of potential attacks in the threat model.
-
Kubernetes the Very Hard Way with Large Clusters at Datadog
Laurent Bernaille from Datadog talked at the Velocity conference in Berlin about the challenges of operating large self-managed Kubernetes clusters. Bernaille focused on how to configure resilient and scalable control planes, why and how to rotate certificates frequently, and the need for using networking plugins for efficient communication in Kubernetes.