Bare metal clouds are hard

The problem, explains Eclypsium, is that a miscreant could rent a bare-metal server instance from a provider, then exploit a firmware-level vulnerability, such as one in UEFI or BMC code, to gain persistence on the machine, and the ability to covertly monitor every subsequent use of that server. In other words, injecting spyware into the server’s motherboard software, which runs below and out of sight of the host operating system and antivirus, so that future renters of the box will be secretly snooped on.

» about 500 words

Hard solutions to container security

The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host.

From Aleksa Sarai explaining the latest Linux container vulnerability.

To me, the underlying message here is: Containers are Linux.

From Scott McCarty washing his hands of it.

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.

From the Kata Containers website. The project is intended to be “compatible with the OCI specification for Docker containers and CRI for Kubernetes” while running those containers in a VM instead of a namespace.

The future of Kubernetes is Virtual Machines, not Containers.

From Paul Czarkowski, discussing multitennancy problems and solutions for Kubernetes.

The day-to-day drudgery of state sponsored hacking

After a review of bids and testing the capabilities of some of the exploits offered, the team decided to build its own malware. “This is the only inexpensive way to get to the iPhone, except for the [Israeli] solution for 7 million and that’s only for WhatsApp,” explained one team member in a message. “We still need Viber, Skype, Gmail, and so on.” The same was true of the Android and Windows malware and the back-end tools used to manage the campaign. Rather than using zero-day exploits, the organization relied on a combination of physical access, spear-phishing, and other techniques to inject its espionage tools onto the targeted devices.

From Sean Gallagher in ArsTechnica on the details leaked from a state sponsored malware effort.

Solving Problems In Secret

Matt Blaze computer and information science at University of Pennsylvania and blogs about security at Exhaustive Search. His recent post on mistakes in spying techniques, protocols, and hardware caught my interest: Indeed, the recent history of electronic surveillance is a veritable catalog of cautionary tales of technological errors, risks and unintended consequences. Sometime mishaps lead […] » about 400 words

SSH Tunneling Examples

Most of my work is available publicly, but some development is hosted on a private SVN that’s hidden behind a firewall. Unfortunately, my primary development server is on the wrong side of that particular firewall, so I use the following command to bridge the gap: ssh -R 1980:svn_host:80 That creates a reverse tunnel through […] » about 200 words

Evil Evil

A quick Google search of reveals more than a few people wondering why it’s iframed on their websites. The answer is that the site has been compromised.

Unfortunately for the fellow who asked me the question at WordCamp, solving the problem can be a bit of a chore. Keeping your WordPress installation up to date is important, as there are some known security flaws in older versions, but most of the attacks that crackers use are targeted elsewhere. Your passwords, all your server apps, the PHP config, your hosting control panel, and other users all must go under the microscope when trying to find security holes.

Crime vs. Highways. Or, Internet Security Is A Social (Not Technical) Problem

Stefan Savage, speaking in a segment on March 13’s On The Media, asked: The question I like to ask people is, what are you going to do to the highway system to reduce crime. And when you put it that way, it sounds absolutely ridiculous, because while criminals do use the highway, no rational person […] » about 400 words

Fly Safe, Fly Without ID

This is an old one, but because I’m in the air again today it’s worth digging up this up. Defense Tech long ago pointed out The Identity Project‘s position on showing ID for air travel:

If a 19 year-old college student can get a fake ID to drink, why couldn’t a bad person get one, too? And no matter how sophisticated the security embedded into the ID, wouldn’t a well-financed terrorist be able to falsify that, too? The answer to both questions is obviously ‘yes’.

Honest people, on the other hand, go to Pro-Life rallies. Honest people go to Pro-Choice rallies, too. Honest people attend gun shows. Honest people protest the actions of the President of the United States. Honest people fly to political conventions. What if those with the power to put people on a ‘no fly’ list decided that they didn’t like the reason for which you wanted to travel? The honest people wouldn’t be going anywhere.

Plugin Options Pages in WordPress 2.7

WordPress 2.7 requires that plugins explicitly white list their options using a couple new functions. WordPress MU has required this security measure for a while, and it’s nice to see an evolved form of it brought to the core code. Migrating Plugins and Themes to 2.7 article in the codex offers some guidance, but here’s how it works:

First, register each option for your plugin during the admin_init action:

``` function myplugin_admin_init(){ register_setting( 'my-options-group', 'my-option-name-1', 'absint' ); register_setting( 'my-options-group', 'my-option-name-2', 'wp_filter_nohtml_kses' ); } add_action( 'admin_init', 'myplugin_admin_init' ); ```

In the example above, the value for my-option-name-1 will be filtered by absint before being saved to the options table. my-option-name-2 will be stripped of any HTML by wp_filter_nohtml_kses.

Then build a form like this prototype:

``` ```