Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Apple’s Device Location-Tracking System Could Expose User Identities

Threatpost - 4 hours 2 min ago
Researchers have identified two vulnerabilities in the company’s crowd-sourced Offline Finding technology that could jeopardize its promise of privacy.
Category: Hacking & Security

Microsoft Patch Tuesday Updates Fix 14 Critical Bugs

Threatpost - 9 March 2021 - 23:12
Microsoft's regularly scheduled March Patch Tuesday updates address 89 CVEs overall.
Category: Hacking & Security

Introducing sigstore: Easy Code Signing & Verification for Supply Chain Integrity

Google Security Blog - 9 March 2021 - 23:02
Posted by Kim Lewandowski & Dan Lorenc, Google Open Source Security Team

One of the fundamental security issues with open source is that it’s difficult to know where the software comes from or how it was built, making it susceptible to supply chain attacks. A few recent examples of this include the dependency confusion attack and a malicious RubyGems package used to steal cryptocurrency.

Today we welcome the announcement of sigstore, a new project in the Linux Foundation that aims to solve this issue by improving software supply chain integrity and verification.

Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine. To address this we need to make it possible to verify the provenance of all software - including open source packages. We talked about the importance of this in our recent Know, Prevent, Fix post.

The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code. Sigstore also has the added benefit of being backed by transparency logs, which means that all the certificates and attestations are globally visible, discoverable and auditable.

Sigstore is designed with open source maintainers, for open source maintainers. We understand long-term key management is hard, so we've taken a unique approach of issuing short-lived certificates based on OpenID Connect grants. Sigstore also stores all activity in transparency logs, backed by Trillian, so that we can more easily detect compromises and recover from them when they do occur. Key distribution is notoriously difficult, so we've designed away the need for long-lived keys by building a special Root CA just for code signing, which will be made available for free.

We have a working prototype and proof of concepts that we're excited to share for feedback. Our goal is to make it seamless and easy to sign and verify code:

It has been fun collaborating with the folks from Red Hat and the open source community on this project. Luke Hinds, one of the lead developers on sigstore and Security Engineering Lead at Red Hat says, "I am very excited about sigstore and what this means for improving the security of software supply chains. sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner." We couldn’t agree more.

Mike Malone, the CEO of Smallstep, helped with the overall design of sigstore. He adds, “In less than a generation, open source has grown from a niche community to a critical ecosystem that powers our global economy and institutions of society and culture. We must ensure the security of this ecosystem without undermining the open, decentralized collaboration that makes it work. By building on a clever composition of existing technologies that respect privacy and work at scale, sigstore is the core infrastructure we need to solve this fundamental problem. It’s an ambitious project with potential for global impact. I’m impressed by the rapid progress that’s been made by Google, Red Hat, and Linux Foundation over the past few months, and I’m excited to hear feedback from the broader community.”

While we are happy with the progress that has been made, we know there is still work to be done before this can be widely relied upon. Upcoming plans for sigstore include: hardening the system, adding support for other OpenID Connect providers, updating documentation and responding to community feedback.

Sigstore is in its early days, but we're really excited about its future. Now is a great time to provide feedback, try out the tooling and get involved with the project as design details are still being refined.
Category: Hacking & Security

Dark Web Markets for Stolen Data See Banner Sales

Threatpost - 9 March 2021 - 22:59
Despite an explosion in the sheer amount of stolen data available on the Dark Web, the value of personal information is holding steady, according to the 2021 Dark Web price index from Privacy Affairs. That leaves these thriving dirty data dealers in a familiar predicament — they need to lock down their growing businesses for […]
Category: Hacking & Security

Adobe Critical Code-Execution Flaws Plague Windows Users

Threatpost - 9 March 2021 - 21:44
The critical flaws exist in Adobe Framemaker, Connect and the Creative Cloud desktop application for Windows.
Category: Hacking & Security

Google Play Harbors Malware-Laced Apps Delivering Spy Trojans

Threatpost - 9 March 2021 - 17:44
A never-before-seen malware dropper, Clast82, fetches the AlienBot and MRAT malware in a savvy Google Play campaign aimed at Android users.
Category: Hacking & Security

Apple Plugs Severe WebKit Remote Code-Execution Hole

Threatpost - 9 March 2021 - 16:58
Apple pushed out security updates for a memory-corruption bug to devices running iOS, macOS, watchOS and for Safari.
Category: Hacking & Security

Serious Security: Webshells explained in the aftermath of HAFNIUM attacks

Sophos Naked Security - 9 March 2021 - 13:32
Webshells explained, with some (safe) examples you can try at home if you want to learn more.

9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware

The Hacker News - 9 March 2021 - 12:13
Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second-stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect
Category: Hacking & Security

Cybersecurity Webinar — SolarWinds Sunburst: The Big Picture

The Hacker News - 9 March 2021 - 11:42
The SolarWinds Sunburst attack has been in the headlines since it was first discovered in December 2020. As the so-called layers of the onion are peeled back, additional information regarding how the vulnerability was exploited, who was behind the attack, who is to blame for the attack, and the long-term ramifications of this type of supply chain vulnerabilities continue to be actively
Category: Hacking & Security

SolarWinds Hack — New Evidence Suggests Potential Links to Chinese Hackers

The Hacker News - 9 March 2021 - 10:58
A malicious web shell deployed on Windows systems by leveraging a previously undisclosed zero-day in SolarWinds' Orion network monitoring software may have been the work of a possible Chinese threat group. In a report published by Secureworks on Monday, the cybersecurity firm attributed the intrusions to a threat actor it calls Spiral. Back on December 22, 2020, Microsoft disclosed that a second
Category: Hacking & Security

Czechs are not alone. The number of attacks on Microsoft Exchange Server is rising worldwide too

Novinky.cz - security - 9 March 2021 - 10:10
Last Thursday, public administration systems faced a hacker attack; cybercriminals exploited an unpatched flaw in Microsoft Exchange Server. The Czech Republic is not, however, the only country that computer pirates have targeted: security experts from the antivirus company Kaspersky are observing a marked rise in attacks connected with Exchange Server in other European countries and the USA as well.
Category: Hacking & Security

Apple Issues Patch for Remote Hacking Bug Affecting Billions of its Devices

The Hacker News - 9 March 2021 - 09:58
Apple has released out-of-band patches for iOS, macOS, watchOS, and Safari web browser to address a security flaw that could allow attackers to run arbitrary code on devices via malicious web content. Tracked as CVE-2021-1844, the vulnerability was discovered and reported to the company by Clément Lecigne of Google's Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability
Category: Hacking & Security

Microsoft Exchange Hackers Also Breached European Banking Authority

The Hacker News - 9 March 2021 - 09:57
The European Banking Authority (EBA) on Sunday said it had been a victim of a cyberattack targeting its Microsoft Exchange Servers, forcing it to temporarily take its email systems offline as a precautionary measure. "As the vulnerability is related to the EBA's email servers, access to personal data through emails held on that servers may have been obtained by the attacker," the Paris-based
Category: Hacking & Security

McAfee to sell its enterprise division for four billion dollars

Novinky.cz - security - 9 March 2021 - 08:19
US antivirus software maker McAfee will sell its enterprise division to a consortium led by Symphony Technology Group (STG) for four billion USD (89 billion CZK). The company intends to continue focusing on cybersecurity for ordinary consumers, it said in a statement.
Category: Hacking & Security

Microsoft Exchange Cyber Attack — What Do We Know So Far?

The Hacker News - 9 March 2021 - 08:09
Microsoft on Friday warned of active attacks exploiting unpatched Exchange Servers carried out by multiple threat actors, as the hacking campaign is believed to have infected tens of thousands of businesses, government entities in the U.S., Asia, and Europe. The company said "it continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious
Category: Hacking & Security

Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks

The Hacker News - 9 March 2021 - 04:08
New research has yielded yet another means to pilfer sensitive data by exploiting what's the first "on-chip, cross-core" side-channel in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this August. While information leakage attacks
Category: Hacking & Security

Newest Intel Side-Channel Attack Sniffs Out Sensitive Data

Threatpost - 8 March 2021 - 22:20
A new side-channel attack takes aim at Intel's CPU ring interconnect in order to glean sensitive data.
Category: Hacking & Security

Crypto-Miner Campaign Targets Unpatched QNAP NAS Devices

Threatpost - 8 March 2021 - 22:16
Researchers warn that two critical bugs impacting multiple QNAP firmware versions are under active attack.
Category: Hacking & Security

Naked Security Live – ICU: How much do your home-working photos give away?

Sophos Naked Security - 8 March 2021 - 20:46
I see you/And what you do - So be aware/Before you share - And if in doubt/Don't give it out!