Oct 09 2023

Chalk: Open-source software security and infrastructure visibility tool

Category: Open Network,Security Toolsdisc7 @ 10:38 am

Chalk is a free, open-source tool that helps improve software security. You add a single line to your build script, and it will automatically collect and inject metadata into every build artifact: source code, binaries, and containers.

Gaining visibility

Chalk enables complete visibility across the development process, from the first time a developer creates the code to the entire lifetime a container hosting is running.

Chalk is a convenient tool for compliance by producing SBOMs, embedding code provenance details, and digitally signing them. You can then send these to your preferred location as a report. Additionally, without added effort, you can achieve SLSA level 2 compliance even before SLSA level 1 becomes a mandated standard.

Usage scenarios

“Interestingly, early design partners are constantly developing new use cases, but the classic ones are still unique because nothing else solves those today. The canonical one is knowing what code is in production and what is not. “Prod or not”. That basic use case means most users can shut off code scanning on the majority of their code repos, shutting down the noise and the busy work people have to do looking at it, but also saving massive amounts of money on wasted tools licenses,” Mark Curphey, Co-Founder of Crash Override, told Help Net Security.

“A great and topical one is automatically generating software security supply chain reports. Chalk will generate an SBOM, add build provenance data about where the code came from and who built it, something required by the US gov directives and where no other automated solution exists, and then to top it all, digitally signs it all in a report and sends it to a central report registry. That use case is huge, just huge,” he concluded.

The source code for Chalk is available on GitHub.

Tags: Open-source software security


Jan 23 2023

The U.S. ‘No Fly List’ Found On the Open Internet

Category: Information Security,Open NetworkDISC @ 10:13 am

The Ohio-based airline, CommuteAir, responsible for the incident confirmed the legitimacy of the data to the media.

The No Fly List and other sensitive files were discovered by Maia Arson Crimew, a Swiss security researcher and hacker, while searching for Jenkins servers on Shodan.

A Swiss hacker by the name of Maia Arson Crimew discovered an unsecured server run by the Ohio-based airline, CommuteAir, a United Express carrier. The hacker claims they found the server while searching for Jenkins servers on Shodan, a specialized search engine used by cybersecurity researchers to locate exposed servers and misconfigured databases on the Internet.

After a while of skimming through the files, Crimew claimed to have found a file labelled “NoFly.csv,” which turned out to be a legitimate U.S. no-fly, terrorist watch list from 2019.

The 80-MB exposed file, first reported on by the Daily Dot, is a smaller subset of the U.S. government’s Terrorist Screening Database, maintained and used by the DOJ, FBI, and Terrorist Screening Center (TSC).

With over 1.5 million entries, the file contains the first names, last names, and dates of birth of people with suspected or known ties to terrorist organizations.

This should not come as a surprise, since the US (along with China) topped the 2021 list of countries that exposed the most misconfigured databases online.

The leak of the No Fly List should not be a jaw-dropper, as in August 2021, the US government’s secret terrorist watchlist with two million records was exposed online. However, the watchlist was exposed on a misconfigured server hosted on a Bahrain IP address instead of a US one.

As for the latest breach, CommuteAir confirmed the legitimacy of the data, stating that it was a version of the federal no-fly list from approximately four years ago. CommuteAir told the Daily Dot that the unsecured server had been used for testing purposes and was taken offline before the Daily Dot published their article.

They have also reported the data exposure to the Cybersecurity and Infrastructure Security Agency (CISA).CommuteAir further confirms that the server did not expose any customer information, based on an initial investigation. However, the same cannot be said for the safety of the employees’ data.

On the other hand, the hacker, Crimew claims in their report to have found extensive personally identifiable information (PII) about 900 of the crewmates including their full names, addresses, phone numbers, passport numbers, pilot’s license numbers and much more. User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed, said crime.

The U.S. ‘No Fly List’ Found On the Open Internet
Screenshot from the exposed data (Credit: Maia Arson Crimew)

The list contained notable figures such as the Russian arms dealer Victor Bout who was recently freed in exchange for the WNBA star Brittney Griner. Since the list contained over 16 potential aliases for him, many other entries in the list are likely aliases of the same person and the number of individuals is far less than 1.5 million. 

Certain names on the list also belong to suspected members of the IRA, the Irish paramilitary organization. The list contained someone as young as 8 years old, based on their birth date, according to crime. 

The majority of the names, however, appeared to be of Arabic or Middle Eastern descent, along with Hispanic and Anglican-sounding names. The entire dataset is available on the official website of DDoSecrets, upon request.

Although it is rare for this list to be leaked and is considered highly secretive, it is not labelled as a classified document due to the number of agencies and individuals that access it. 

In a statement to the Daily Dot, TSA stated that it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”

1,001 REASONS YOU MIGHT BE ON THE NO FLY LIST: 1,001 Reasons You Might Be On The No Fly List

Tags: No Fly List, OSINT


Jun 28 2022

Latest OpenSSL version is affected by a remote memory corruption flaw

Category: Information Security,Linux Security,Open NetworkDISC @ 7:50 am

Expert discovered a remote memory-corruption vulnerability affecting the latest version of the OpenSSL library.

Security expert Guido Vranken discovered a remote memory-corruption vulnerability in the recently released OpenSSL version 3.0.4. The library was released on June 21, 2022, and affects x64 systems with the AVX-512 instruction set.

“OpenSSL version 3.0.4, released on June 21th 2022, is susceptible to remote memory corruption which can be triggered trivially by an attacker. BoringSSL, LibreSSL and the OpenSSL 1.1.1 branch are not affected. Furthermore, only x64 systems with AVX512 support are affected. The bug is fixed in the repository but a new release is still pending.” reads the post published by Vranken.

The issue can be easily exploited by threat actors and it will be addressed with the next release.

Google researcher David Benjamin that has analyzed the vulnerability argues that the bug does not constitute a security risk. Benjamin also found an apparent bug in the paper by Shay Gueron upon which the RSAZ code is based.

OpenSSL CVE-2021-3711

A Concise Guide to SSL/TLS for DevOps

Tags: OpenSSL


Apr 13 2022

The state of open source security in 2022

Category: Open NetworkDISC @ 10:19 am

In this video for Help Net Security, Kurt Seifried, Chief Blockchain Officer and Director of Special Projects at Cloud Security Alliance, talks about the state of open source security in 2022.

Open source is everywhere, it’s in everything, and everyone is using it. It is safe to say that almost any solution with a web server or a web client uses open source.

The alternative to leveraging the knowledge and experience of open source implementations is to write software from scratch, but “reinventing the wheel” can be costly – both in terms of resources and time.

Open source offers a competitive advantage and it’s mostly free, but in 40 years, a solid, sustainable model to support the majority of open source projects still hasn’t been found.

open source security

Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information

👇 Please Follow our LI page…

Tags: Open source security


Apr 27 2021

The hybrid office will create great opportunities—for companies and cybercriminals

Category: Information Security,Open Network,Zero trustDISC @ 10:22 pm

Spring is always a time of renewal, but never more so than this year. After our long winter of forced isolation, the increased accessibility of safe and effective vaccines has many looking forward to shutting off Zoom, putting on some real pants, and emerging to see friends and colleagues in person for the first time in more than a year. Normality, it seems, is just around the corner.

Yet the world has been irrevocably changed by the past year, and the businesses, schools, and other workplaces that we enter back into won’t be the same as the ones we left last March. 

The pandemic accelerated long-standing trends in workplaces across sectors as companies quickly embraced remote work and stood up infrastructure to enable their employees to remain productive while working from home. 

Today we are finding that many of these developments are pretty good—enabling employees to work and be productive from anywhere without the headaches of a commute or a noisy office. And so, as the economy begins to reopen, many are looking for ways to make these temporary solutions more permanent and merge them with more “traditional” forms of working to create a sort of hybrid work environment. 

These new hybrid workplaces will create new opportunities for businesses and will allow us to create organizations that are more flexible, productive, and accessible than ever before. But they can also open up new avenues of uncertainty that could threaten every organization. And make no mistake—cybercriminals know this and are finding ways to take advantage of these vulnerabilities. 

Visit Fortune for the full post.

Tags: Remote Working Policy


Nov 04 2008

Open Network and Security

Category: Information Security,Open NetworkDISC @ 7:54 pm

Made and uploaded by John Manuel - JMK{{#if: |...

Open networks are heterogeneous environment where users like to use all the applications and systems at any given time. In a heterogeneous environment, each department run different hardware and software, but you can control the protocols which will work on this environment.

Universities are famous for open network. Most Universities network is comprised of a Bank (To give loan to students), a restaurant, and a bookstore which have credit card processing ability. Students, alumni, researchers, employee and staff need access to utilize resources. Now how would you control access if same person assume all the roles mentioned above. Universities are basically transient communities, where users come back and plug-in their new devices and expect an immediate access to all the resources. Where the reputation of openness is challenge at every step of the way, now the question is how can they maintain reputation and yet control the environment based on security policies.

Reasonable security can be accomplished by focusing on a process rather than adding yet another security control. The process is based on risk assessment program where you assess your critical assets based on threat and vulnerability pair and measure the likelihood and impact of a threat if a given vulnerability is exploited.

The process start with knowing your assets – Network registration will detect when you plug-in your new equipment. Before you get an access, it detects a hardware address and username. You can also control common misconfigurations and noncompliance issues with network registration process. Some vulnerability management systems discover assets and perform vulnerability and security configuration assessment to proactively identify and prioritize risks. New vulnerabilities are accessed from trusted site on a regular basis and when vulnerabilities are identified, the management system needs to have an ability to remediate to comply with the information security policy.

Most of the departments in an open network contains different systems and applications and basically have different security appetite. Distributed IT Governance can address this issue where you develop policies and procedures which fit their needs and hand it over to the department to comply.
Open network requires pretty much open borders, Instead of securing the network/system emphasis should be on data protection.

[TABLE=9]

Recent news from AT&T to make its network open where customers can use any handset of their choice, perhaps a reaction to in response to recent moves from Verizon and Google to promote open network. Specifically Verizon announced that it would allow “any device” and “any application” to operate on its network. These open networks does provide flexibility for customers but at the same time burden lies on the shoulders of the corporations to provide right balance of security and privacy with availability of the network.

In an open network, reasonable security can be achieved by embracing ISO 27k standard and eventually acquiring ISO 27001 (ISMS) certification. Information Security Management System (ISMS) can be a great value added process to manage ongoing monitoring, maintaining and for process improvement of an open network. ISMS as a process in-place provides reasonable security safeguard to your information and certainly help to minimize the liability in the court of law.

End-to-End Network Security: Defense-in-Depth by Omar Santos
httpv://www.youtube.com/watch?v=zTJSMjYd9c4

(Free Two-Day Shipping from Amazon Prime). Great books

Reblog this post [with Zemanta]




Tags: AT&T, Computers, Credit card, data protection, heterogeneous, impact, Information Security, Information Security Management System, isms, iso 27001, ISO 27k, ISO/IEC 27001, IT Governance, likelihood, Network registration, Omar Santos, Reasonable security, risk assessment program, security controls, threat, Universities network, Verizon, vulnerability, vulnerability management systems