Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

iPhone Hack Allegedly Used to Spy on China’s Uyghurs

Threatpost - 7 May 2021 - 22:28
U.S. intelligence said that the Chaos iPhone remote takeover exploit was used against the minority ethnic group before Apple could patch the problem.
Category: Hacking & Security

4 Major Privacy and Security Updates From Google You Should Know About

The Hacker News - 7 May 2021 - 17:52
Google has announced a number of user-facing and under-the-hood changes in an attempt to boost privacy and security, including rolling out two-factor authentication automatically to all eligible users and bringing iOS-styled privacy labels to Android app listings. "Today we ask people who have enrolled in two-step verification (2SV) to confirm it's really them with a simple tap via a Google
Category: Hacking & Security

80% of Net Neutrality Comments to FCC Were Fudged

Threatpost - 7 May 2021 - 15:56
NY's AG: Millions of fake comments – in favor and against – came from a secret broadband-funded campaign or from a 19-year-old's fake identities.
Category: Hacking & Security

6 Unpatched Flaws Disclosed in Remote Mouse App for Android and iOS

The Hacker News - 7 May 2021 - 15:20
As many as six zero-days have been uncovered in an application called Remote Mouse, allowing a remote attacker to achieve full code execution without any user interaction. The unpatched flaws, collectively named 'Mouse Trap,' were disclosed on Wednesday by security researcher Axel Persinger, who said, "It's clear that this application is very vulnerable and puts users at risk with bad
Category: Hacking & Security

New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations

The Hacker News - 7 May 2021 - 14:56
An unknown threat actor with the capabilities to evolve and tailor its toolset to target environments infiltrated high-profile organizations in Asia and Africa with an evasive Windows rootkit since at least 2018. Called 'Moriya,' the malware is a "passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for
Category: Hacking & Security

New Spectre Flaws in Intel and AMD CPUs Affect Billions of Computers

The Hacker News - 7 May 2021 - 13:52
When Spectre, a class of critical vulnerabilities impacting modern processors, was publicly revealed in January 2018, the researchers behind the discovery said, "As it is not easy to fix, it will haunt us for quite some time," explaining the inspiration behind naming the speculative execution attacks. Indeed, it's been more than three years, and there is no end to Spectre in sight. A team of
Category: Hacking & Security

New TsuNAME Flaw Could Let Attackers Take Down Authoritative DNS Servers

The Hacker News - 7 May 2021 - 13:49
Security researchers Thursday disclosed a new critical vulnerability affecting Domain Name System (DNS) resolvers that could be exploited by adversaries to carry out reflection-based denial-of-service attacks against authoritative nameservers. The flaw, called 'TsuNAME,' was discovered by researchers from SIDN Labs and InternetNZ, which manage the national top-level internet domains '.nl' and '.
Category: Hacking & Security

Dell computers have a critical security flaw. It also affects Alienware gaming models

Novinky.cz - security - 7 May 2021 - 11:49
The National Cyber and Information Security Agency (NÚKIB) has warned of a critical security flaw affecting desktops and laptops from Dell, including Alienware gaming models. Fortunately, a fix for the vulnerability is already available.
Category: Hacking & Security

Critical Flaws Hit Cisco SD-WAN vManage and HyperFlex Software

The Hacker News - 7 May 2021 - 03:50
Networking equipment major Cisco has rolled out software updates to address multiple critical vulnerabilities impacting HyperFlex HX and SD-WAN vManage Software that could allow an attacker to perform command injection attacks, execute arbitrary code, and gain access to sensitive information. In a series of advisories published on May 5, the company said there are no workarounds that remediate
Category: Hacking & Security

Qualcomm Chip Bug Opens Android Fans to Eavesdropping

Threatpost - 6 May 2021 - 21:55
A malicious app can exploit the issue, which could affect up to 30 percent of Android phones.
Category: Hacking & Security

Critical Cisco SD-WAN, HyperFlex Bugs Threaten Corporate Networks

Threatpost - 6 May 2021 - 19:54
The networking giant has rolled out patches for remote code-execution and command-injection security holes that could give attackers keys to the kingdom.
Category: Hacking & Security

Ryuk Ransomware Attack Sprung by Frugal Student

Threatpost - 6 May 2021 - 19:26
The student opted for "free" software packed with a keylogger that grabbed credentials later used by "Totoro" to get into a biomolecular institute.
Category: Hacking & Security

Massive DDoS Attack Disrupts Belgium Parliament

Threatpost - 6 May 2021 - 17:48
A large-scale incident earlier this week against Belnet and other ISPs has sent a wave of internet disruption across numerous Belgian government, scientific and educational institutions.
Category: Hacking & Security

CISO Challenge: Check Your Cybersecurity Skills On This New Competition Site

The Hacker News - 6 May 2021 - 16:56
InfoSec leaders tend to be a specific type. Their jobs require them to think of possible threats, take actions that may not pay immediate results, plan for unknown security risks, and react quickly when emergencies arise, often before the morning's first coffee. The high-stakes position also means that CISOs need to keep their knowledge and skills sharp – you can never really know what's around
Category: Hacking & Security

Making the Internet more secure one signed container at a time

Google Security Blog - 6 May 2021 - 16:54
Posted by Priya Wadhwa, Jake Sanders, Google Open Source Security Team
With over 16 million pulls per month, Google’s `distroless` base images are widely used and depended on by large projects like Kubernetes and Istio. These minimal images don’t include common tools like shells or package managers, making their attack surface (and download size!) smaller than traditional base images such as `ubuntu` or `alpine`. Even with this additional protection, users could still fall prey to typosquatting attacks, or receive a malicious image if the distroless build process was compromised – making users vulnerable to accidentally using a malicious image instead of the actual distroless image. This problem isn’t unique to distroless images – until now, there just hasn’t been an easy way to verify that images are what they claim to be.

Introducing Cosign

Cosign simplifies signing and verifying container images, aiming to make signatures invisible infrastructure – basically, it takes over the hard part of signing and verifying software for you.

We developed cosign in collaboration with the sigstore project, a Linux Foundation project and a non-profit service that seeks to improve the open source software supply chain by easing the adoption of cryptographic software signing, backed by transparency log technologies.

We’re excited to announce that all of our distroless images are now signed by cosign! This means that all users of distroless can verify that they are indeed using the base image they intended to before kicking off image builds, making distroless images even more trustworthy. In fact, Kubernetes has already begun performing this check in their builds.

"As we look to the future, Kubernetes SIG Release's vision is to establish a consumable, introspectable, and secure supply chain for the project. By collaborating with the sigstore maintainers (who are fellow Kubernetes contributors) to integrate signing and transparency into our supply chain, we hope to be an exemplar for standards in the cloud native (and wider) tech industry," said Stephen Augustus, co-chair for Kubernetes SIG Release.

How it works
To start signing distroless, we integrated cosign into the distroless CI system, which builds and pushes images via Cloud Build. Signing every distroless image was as easy as adding one more Cloud Build step to the Cloud Build job responsible for building and pushing the images. This additional step uses the cosign container image and a key pair stored in GCP KMS to sign every distroless image. With this signing step in place, users can now verify that the distroless image they're running was built in the correct CI environment.

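What such a signing step looks like in a Cloud Build job, as an added illustration (this is not the distroless project's own cloudbuild.yaml): the image is built and pushed, then signed by the cosign container image with a key that never leaves Cloud KMS. The project, key ring and key names are placeholders, and the `gcr.io/projectsigstore/cosign` image name and `--key` flag spelling are assumed to match the cosign release you pin.

```yaml
# Added illustration, not the distroless project's pipeline. Placeholders:
# EXAMPLE_KEYRING / EXAMPLE_KEY; $PROJECT_ID and $COMMIT_SHA are Cloud Build
# substitutions filled in at build time.
steps:
  # Build the image from the repository checkout.
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/example-image:$COMMIT_SHA', '.']

  # Push before signing: cosign signs the digest of an image that is already
  # in the registry and stores the signature alongside it.
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/$PROJECT_ID/example-image:$COMMIT_SHA']

  # Sign with the cosign container image (assumed image name). The private key
  # stays in Cloud KMS; the build service account only needs permission to
  # sign with this key, so a compromised build step cannot exfiltrate it.
  - name: 'gcr.io/projectsigstore/cosign'
    args:
      - 'sign'
      - '--key'
      - 'gcpkms://projects/$PROJECT_ID/locations/global/keyRings/EXAMPLE_KEYRING/cryptoKeys/EXAMPLE_KEY'
      - 'gcr.io/$PROJECT_ID/example-image:$COMMIT_SHA'
```

On the consuming side, `cosign verify --key <public-key-file> <image>` (run before any build that uses the image as a base) fails unless a signature over that image's digest was made with the matching private key, which is the check Kubernetes performs on distroless.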
Right now, cosign can be run as an image or as a CLI tool. It supports:

  • Hardware and KMS signing
  • Bring-your-own PKI
  • Our free OIDC PKI (Fulcio)
  • Built-in binary transparency and timestamping service (Rekor)

Signing distroless with cosign is just the beginning, and we plan to incorporate other sigstore technologies into distroless to continue to improve it over the next few months. We also can't wait to integrate sigstore with other critical projects. Stay tuned here for updates! To get started verifying your own distroless images, check out the distroless README, and to learn more about sigstore, check out sigstore.dev.
Category: Hacking & Security

S3 Ep31: Apple zero-days, Flubot scammers and PHP supply chain bug [Podcast]

Sophos Naked Security - 6 May 2021 - 16:28
Latest episode - listen now! (And please share with your friends.)

Czech households face almost 10,000 hacker attacks every day

Novinky.cz - security - 6 May 2021 - 16:14
Theft of user passwords, fraudulent websites, attacks on bank accounts and all manner of mobile threats: malicious code lies in wait for internet users at practically every step. This is confirmed by new data from security experts, according to which Czech households face almost 10,000 hacker attacks every day.
Category: Hacking & Security

Firefox for Android gets critical update to block cookie-stealing hole

Sophos Naked Security - 6 May 2021 - 15:53
This browser update is for everyone, but it's for Android users particularly.

The 20 dumbest passwords on the internet

Novinky.cz - security - 6 May 2021 - 15:41
International Password Day always falls on the first Thursday of May. On that occasion it is worth recalling how incorrigible people are: they simply do not pay much attention to password security on the internet. The latest ranking shows that the most used password online in 2020 was the numeric combination 123456. It has held first place for several years in a row, even though security experts constantly warn against it.
Category: Hacking & Security

New Qualcomm Chip Bug Could Let Hackers Spy On Android Devices

The Hacker News - 6 May 2021 - 14:18
Cybersecurity researchers have disclosed a new security vulnerability in Qualcomm's mobile station modems (MSM) that could potentially allow an attacker to leverage the underlying Android operating system to slip malicious code into mobile phones, undetected. "If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and
Category: Hacking & Security