Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

Crystal Valley Farm Coop Hit with Ransomware

Threatpost - 48 min 1 sek zpět
It's the second agricultural business to be seized this week and portends a bitter harvest with yet another nasty jab at critical infrastructure.
Kategorie: Hacking & Security

Netgear SOHO Security Bug Allows RCE, Corporate Attacks

Threatpost - 22 Září, 2021 - 21:41
The issue lies in a parental-control function that's always enabled by default, even if users don't configure for child security.
Kategorie: Hacking & Security

Unpatched Apple Zero-Day in macOS Finder Allows Code Execution

Threatpost - 22 Září, 2021 - 19:22
All a user needs to do is click on an email attachment, and boom – the code is silently executed without the victim knowing. It affects Big Sur and prior versions of macOS.
Kategorie: Hacking & Security

How REvil May Have Ripped Off Its Own Affiliates

Threatpost - 22 Září, 2021 - 18:50
A newly discovered backdoor and double chats could have enabled REvil ransomware-as-a-service operators to hijack victim cases and snatch affiliates’ cuts of ransom payments.
Kategorie: Hacking & Security

VMware Warns of Ransomware-Friendly Bug in vCenter Server

Threatpost - 22 Září, 2021 - 18:17
VMware urged immediate patching of the max-severity, arbitrary file upload flaw in Analytics service, which affects all appliances running default 6.5, 6.7 and 7.0 installs.
Kategorie: Hacking & Security

Distroless Builds Are Now SLSA 2

Google Security Blog - 22 Září, 2021 - 18:00
Posted by Priya Wadhwa and Appu Goundan, Google Open Source Security Team
A few months ago we announced that we started signing all distroless images with cosign, which allows users to verify that they have the correct image before starting the build process. Signing our images was our first step towards fully securing the distroless supply chain. Since then, we’ve implemented even more accountability in our supply chain and are excited to announce that distroless builds have achieved SLSA 2. SLSA is a security framework for increasing supply chain security, and Level 2 ensures that the build service is tamper resistant.


This means that in addition to a signature, each distroless image now has an associated signed provenance. This provenance is an in-toto attestation and includes information around how each image was built, what command was run, and what build system was used. It also includes any special parameters that were passed in, the exact commit the images were built at, and more. This provenance is a useful tool for builds that need to be audited in the future.

SLSA 2 Requirement

Distroless

Source - Version controlled

Source code in Github

Build - Scripted build

Build script exists as a Tekton Pipeline, invoked as a Google Cloud Build step

Build - Build service

All steps run on Kubernetes with Tekton

Provenance - Available

Provenance is available in the rekor transparency log as an in-toto attestation

Provenance - Authenticated

Provenance is signed with the distroless GCP KMS key

Provenance - Service generated

Provenance is generated by Tekton Chains from a Tekton TaskRun



Achieving SLSA 2 required some changes to the distroless build pipeline: we set up Tekton Pipelines and Tekton Chains in a GKE cluster to automate building images and generating provenance. Every time a pull request is merged to the distroless Github repo, a Tekton Pipeline is triggered. This Pipeline builds the distroless images, and Tekton Chains is responsible for generating signed provenance for each image. Tekton Chains stores the signed provenance alongside the image in an OCI registry and also stores a record of the provenance in the rekor transparency log.

Don't trust us?


You can try the build yourself. Because distroless builds are reproducible, all the information to replicate the build is in the provenance, and you or a trusted third party can build the image yourselves and verify the build is correct by matching image digests.


You can verify an attestation for a distroless image with cosign and the distroless public key:

$ cosign verify-attestation -key cosign.pub gcr.io/distroless/base@sha256:4f8aa0aba190e375a5a53bb71a303c89d9734c817714aeaca9bb23b82135ed91


Verification for gcr.io/distroless/base@sha256:4f8aa0aba190e375a5a53bb71a303c89d9734c817714aeaca9bb23b82135ed91 --

The following checks were performed on each of these signatures:

  - The cosign claims were validated

  - The signatures were verified against the specified public key

  - Any certificates were verified against the Fulcio roots.


...


And you can find the provenance for the image in the rekor transparency log with the rekor-cli tool. For example, you could find the provenance for the above image by using the image’s digest and running:

$ rekor-cli search --sha sha256:4f8aa0aba190e375a5a53bb71a303c89d9734c817714aeaca9bb23b82135ed91


af7a9687d263504ccdb2759169c9903d8760775045c6e7554e365ec2bf29f6f8


$ rekor-cli get --uuid af7a9687d263504ccdb2759169c9903d8760775045c6e7554e365ec2bf29f6f8 --format json | jq -r .Attestation | base64 --decode | jq


{

  "_type": "distroless-provenance",

  "predicateType": "https://tekton.dev/chains/provenance",

  "subject": [

    {

      "name": "gcr.io/distroless/base",

      "digest": {

        "sha256": "703a4726aedc9ec7a7e32251087565246db117bb9a141a7993d1c4bb4036660d"

      }

    },

    {

      "name": "gcr.io/distroless/base",

      "digest": {

        "sha256": "d322ed16d530596c37eee3eb57a039677502aa71f0e4739b0272b1ebd8be9bce"

      }

    },

    {

      "name": "gcr.io/distroless/base",

      "digest": {

        "sha256": "2dfdd5bf591d0da3f67a25f3fc96d929b256d5be3e0af084db10952e5da2c661"

      }

    },

    {

      "name": "gcr.io/distroless/base",

      "digest": {

        "sha256": "4f8aa0aba190e375a5a53bb71a303c89d9734c817714aeaca9bb23b82135ed91"

      }

    },

    {

      "name": "gcr.io/distroless/base",

      "digest": {

        "sha256": "dc0a793d83196a239abf3ba035b3d1a0c7a24184856c2649666e84bc82fc5980"

      }

    },

    {

      "name": "gcr.io/distroless/base-debian10",

      "digest": {

        "sha256": "2dfdd5bf591d0da3f67a25f3fc96d929b256d5be3e0af084db10952e5da2c661"

      }

    },

    {

      "name": "gcr.io/distroless/base-debian10",

      "digest": {

        "sha256": "703a4726aedc9ec7a7e32251087565246db117bb9a141a7993d1c4bb4036660d"

      }

    },

    {

      "name": "gcr.io/distroless/base-debian10",

      "digest": {

        "sha256": "4f8aa0aba190e375a5a53bb71a303c89d9734c817714aeaca9bb23b82135ed91"

      }

    },

    {

      "name": "gcr.io/distroless/base-debian10",

      "digest": {

        "sha256": "d322ed16d530596c37eee3eb57a039677502aa71f0e4739b0272b1ebd8be9bce"

      }

    },

    {

      "name": "gcr.io/distroless/base-debian10",

      "digest": {

        "sha256": "dc0a793d83196a239abf3ba035b3d1a0c7a24184856c2649666e84bc82fc5980"

      }

    },

    {

      "name": "gcr.io/distroless/base-debian11",

      "digest": {

        "sha256": "c9507268813f235b11e63a7ae01526b180c94858bd718d6b4746c9c0e8425f7a"

      }

    },

    {

      "name": "gcr.io/distroless/cc",

      "digest": {

        "sha256": "4af613acf571a1b86b1d3c50682caada0b82024e566c1c4c2fe485a70f3af47d"

      }

    },

    {

      "name": "gcr.io/distroless/cc",

      "digest": {

        "sha256": "2c4bb6b7236db0a55ec54ba8845e4031f5db2be957ac61867872bf42e56c4deb"

      }

    },

    {

      "name": "gcr.io/distroless/cc",

      "digest": {

        "sha256": "2c4bb6b7236db0a55ec54ba8845e4031f5db2be957ac61867872bf42e56c4deb"

      }

    },

    {

      "name": "gcr.io/distroless/cc-debian10",

      "digest": {

        "sha256": "4af613acf571a1b86b1d3c50682caada0b82024e566c1c4c2fe485a70f3af47d"

      }

    },

    {

      "name": "gcr.io/distroless/cc-debian10",

      "digest": {

        "sha256": "2c4bb6b7236db0a55ec54ba8845e4031f5db2be957ac61867872bf42e56c4deb"

      }

    },

    {

      "name": "gcr.io/distroless/cc-debian10",

      "digest": {

        "sha256": "2c4bb6b7236db0a55ec54ba8845e4031f5db2be957ac61867872bf42e56c4deb"

      }

    },

    {

      "name": "gcr.io/distroless/java",

      "digest": {

        "sha256": "deb41661be772c6256194eb1df6b526cc95a6f60e5f5b740dda2769b20778c51"

      }

    },

    {

      "name": "gcr.io/distroless/nodejs",

      "digest": {

        "sha256": "927dd07e7373e1883469c95f4ecb31fe63c3acd104aac1655e15cfa9ae0899bf"

      }

    },

    {

      "name": "gcr.io/distroless/nodejs",

      "digest": {

        "sha256": "927dd07e7373e1883469c95f4ecb31fe63c3acd104aac1655e15cfa9ae0899bf"

      }

    },

    {

      "name": "gcr.io/distroless/nodejs",

      "digest": {

        "sha256": "f106757268ab4e650b032e78df0372a35914ed346c219359b58b3d863ad9fb58"

      }

    },

    {

      "name": "gcr.io/distroless/nodejs-debian10",

      "digest": {

        "sha256": "927dd07e7373e1883469c95f4ecb31fe63c3acd104aac1655e15cfa9ae0899bf"

      }

    },

    {

      "name": "gcr.io/distroless/nodejs-debian10",

      "digest": {

        "sha256": "f106757268ab4e650b032e78df0372a35914ed346c219359b58b3d863ad9fb58"

      }

    },

    {

      "name": "gcr.io/distroless/nodejs-debian10",

      "digest": {

        "sha256": "927dd07e7373e1883469c95f4ecb31fe63c3acd104aac1655e15cfa9ae0899bf"

      }

    },

    {

      "name": "gcr.io/distroless/python3",

      "digest": {

        "sha256": "aa8a0358b2813e8b48a54c7504316c7dcea59d6ae50daa0228847de852c83878"

      }

    },

    {

      "name": "gcr.io/distroless/python3-debian10",

      "digest": {

        "sha256": "aa8a0358b2813e8b48a54c7504316c7dcea59d6ae50daa0228847de852c83878"

      }

    },

    {

      "name": "gcr.io/distroless/static",

      "digest": {

        "sha256": "9acfd1fdf62b26cbd4f3c31422cf1edf3b7b01a9ecee00a499ef8b7e3536914d"

      }

    },

    {

      "name": "gcr.io/distroless/static",

      "digest": {

        "sha256": "e50641dbb871f78831f9aa7ffa59ec8f44d4cc33ae4ee992c9f4b046040e97f2"

      }

    },

    {

      "name": "gcr.io/distroless/static-debian10",

      "digest": {

        "sha256": "9acfd1fdf62b26cbd4f3c31422cf1edf3b7b01a9ecee00a499ef8b7e3536914d"

      }

    },

    {

      "name": "gcr.io/distroless/static-debian10",

      "digest": {

        "sha256": "e50641dbb871f78831f9aa7ffa59ec8f44d4cc33ae4ee992c9f4b046040e97f2"

      }

    }

  ],

  "predicate": {

    "invocation": {

      "parameters": [

        "MANIFEST_SUBSECTION={string 0 []}",

        "CHAINS-GIT_COMMIT={string 976c1c9bc178ac0371d8888d69893145c3df09f0 []}",

        "CHAINS-GIT_URL={string https://github.com/GoogleContainerTools/distroless []}"

      ],

      "recipe_uri": "task://distroless-provenance",

      "event_id": "531c282f-806e-41e4-b3ad-b596c4283381",

      "builder.id": "tekton-chains"

    },

    "recipe": {

      "steps": [

        {

          "entryPoint": "#!/bin/sh\nset -ex\n\n# get the digests for a subset of images built, and store in the IMAGES result\ngo run provenance/provenance.go images $(params.MANIFEST_SUBSECTION) > $(results.IMAGES.path)\n",

          "arguments": null,

          "environment": {

            "container": "provenance",

            "image": "docker.io/library/golang@sha256:cb1a7482cb5cfc52527c5cdea5159419292360087d5249e3fe5472f3477be642"

          },

          "annotations": null

        }

      ]

    },

    "metadata": {

      "buildStartedOn": "2021-09-16T00:03:04Z",

      "buildFinishedOn": "2021-09-16T00:04:36Z"

    },

    "materials": [

      {

        "uri": "https://github.com/GoogleContainerTools/distroless",

        "digest": {

          "revision": "976c1c9bc178ac0371d8888d69893145c3df09f0"

        }

      }

    ]

  }

}



As you might guess, our next step is getting distroless to SLSA 3, which will require adding non-falsifiable provenance and isolated builds to the distroless supply chain. Stay tuned for more!
Kategorie: Hacking & Security

TikTok, GitHub, Facebook Join Open-Source Bug Bounty

Threatpost - 22 Září, 2021 - 16:52
The initiative, run by HackerOne, aims to uncover dangerous code repository bugs that end up going viral across the application supply-chain.
Kategorie: Hacking & Security

Feds Sanctions SUEX Cryptocurrency Exchange for Laundering Ransomware Payouts

Threatpost - 22 Září, 2021 - 16:10
The action is the first of its kind in the U.S., as the government increases efforts to get a handle on cybercrime.
Kategorie: Hacking & Security

VMware patch bulletin warns: “This needs your immediate attention.”

Sophos Naked Security - 22 Září, 2021 - 14:46
"It is a matter of time before working exploits are available," warns VMware.

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation

The Hacker News - 22 Září, 2021 - 14:25
Microsoft has opened the lid on a large-scale phishing-as-a-service (PHaaS) operation that's involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal efforts. "With over 100 available phishing templates that mimic known brands and services, the
Kategorie: Hacking & Security

Canonical gives administrators the chance to drag their feet a bit more on Ubuntu upgrades>

LinuxSecurity.com - 22 Září, 2021 - 13:51
There's good news for admins looking nervously at their aging Ubuntu boxes - a few more years of support is now on offer as Canonical brings 14.04 and 16.04 LTS into the 10-year fold.
Kategorie: Hacking & Security

New Nagios Software Bugs Could Let Hackers Take Over IT Infrastructures

The Hacker News - 22 Září, 2021 - 12:41
As many as 11 security vulnerabilities have been disclosed in Nagios network management systems, some of which could be chained to achieve pre-authenticated remote code execution with the highest privileges, as well as lead to credential theft and phishing attacks.  Industrial cybersecurity firm Claroty, which discovered the flaws, said flaws in tools such as Nagios make them an attractive
Kategorie: Hacking & Security

How Cynet's Response Automation Helps Organizations Mitigate Cyber Threats

The Hacker News - 22 Září, 2021 - 12:38
One of the determining factors of how much damage a cyber-attack cause is how fast organizations can respond to it. Time to response is critical for security teams, and it is a major hurdle for leaner teams. To help improve this metric and enhance organizations’ ability to respond to attacks quickly, many endpoint detection and response (EDR) and extended detection and response (XDR) vendors
Kategorie: Hacking & Security

10 nejobávanějších virů na českém internetu

Novinky.cz - bezpečnost - 22 Září, 2021 - 11:57
Spy.Agent.AES, Formbook či PSW.Fareit. To jsou jména tří škodlivých kódů, které v uplynulém měsíci obtěžovaly tuzemské uživatele počítačů nejčastěji. Vyplývá to z pravidelného žebříčku nejrozšířenějších kybernetických hrozeb, který sestavila antivirová společnost Eset.
Kategorie: Hacking & Security

Facebook investoval do bezpečnostních opatření za pět let přes 13 miliard dolarů

Novinky.cz - bezpečnost - 22 Září, 2021 - 09:30
Americká společnost Facebook v úterý na blogu oznámila, že od roku 2016 investovala přes 13 miliard dolarů (281,7 miliardy Kč) do bezpečnostních opatření. Reagovala tím na sérii článků listu The Wall Street Journal (WSJ) z minulého týdne. Deník v nich na základě uniklých dokumentů dokládá, že se Facebooku při potlačování řady vážných problémů, například dezinformací ohledně pandemie covidu-19, nedaří.
Kategorie: Hacking & Security

US Sanctions Cryptocurrency Exchange SUEX for Aiding Ransomware Gangs

The Hacker News - 22 Září, 2021 - 08:16
The U.S. Treasury Department on Tuesday imposed sanctions on Russian cryptocurrency exchange Suex for helping facilitate and launder transactions from at least eight ransomware variants as part of the government's efforts to crack down on a surge in ransomware incidents and make it difficult for bad actors to profit from such attacks using digital currencies. "Virtual currency exchanges such as
Kategorie: Hacking & Security

The Gap in Your Zero Trust Implementation

The Hacker News - 22 Září, 2021 - 06:18
Over the last several years, there have been numerous high-profile security breaches. These breaches have underscored the fact that traditional cyber defenses have become woefully inadequate and that stronger defenses are needed. As such, many organizations have transitioned toward a zero trust security model. A zero trust security model is based on the idea that no IT resource should be trusted
Kategorie: Hacking & Security

High-Severity RCE Flaw Disclosed in Several Netgear Router Models

The Hacker News - 22 Září, 2021 - 05:34
Networking equipment company Netgear has released patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system. <!--adsense--> Traced as CVE-2021-40847 (CVSS score: 8.1), the security weakness impacts the following models - R6400v2 (fixed in firmware version 1.0.4.120) R6700
Kategorie: Hacking & Security

VMware Warns of Critical File Upload Vulnerability Affecting vCenter Server

The Hacker News - 22 Září, 2021 - 05:22
VMware on Tuesday published a new bulletin warning of as many as 19 vulnerabilities in vCenter Server and Cloud Foundation appliances that a remote attacker could exploit to take control of an affected system. The most urgent among them is an arbitrary file upload vulnerability in the Analytics service (CVE-2021-22005) that impacts vCenter Server 6.7 and 7.0 deployments. "A malicious actor with
Kategorie: Hacking & Security

Europol Busts Major Crime Ring, Arrests Over 100 Online Fraudsters

The Hacker News - 22 Září, 2021 - 05:20
Law enforcement agencies in Italy and Spain have dismantled an organized crime group linked to the Italian Mafia that was involved in online fraud, money laundering, drug trafficking, and property crime, netting the gang about €10 million ($11.7 million) in illegal proceeds in just a year. "The suspects defrauded hundreds of victims through phishing attacks and other types of online fraud such
Kategorie: Hacking & Security
Syndikovat obsah