Tag Archives: security

SecureStore 0.100: KISS, git-versioned secrets management for rust

Posted on by Mahmoud Al-Qudsi
Reply

A few days ago, we published a new version of both the securestore library/crate and the ssclient CLI used to create, manage, and retrieve secrets from SecureStore vaults, an open and cross-language protocol for KISS secrets management. SecureStore vaults provide a more secure and far more reliable solution to storing secrets in environment variables and a simpler and less error prone alternative to network-based secrets management solutions, and make setting up development environments a breeze.

For some background, the SecureStore protocol (first published in 2017) is an open specification and cross-language library/frontend for securely storing encrypted secrets versioned in git, alongside your code. We have implementations available in rust (crate, cli) and for C#/.NET (api and cli, nuget) and the specification is purposely designed to be both easy-to-use and easy-to-port to other languages or frameworks.

This is the first update with (minor) breaking changes to the securestore public api, although pains have been taken to ensure that most common workflows won’t break. The changes are primarily to improve ergonomics when retrieving secrets from rust, and come with completely rewritten docs and READMEs (for the project, the lib, and the cli).

Continue reading

CVE-2022-23968: Xerox vulnerability allows unauthenticated users to remotely brick network printers (UPDATED)

Posted on by Mahmoud Al-Qudsi
Reply

In the world of network security, it pays to always remember that many (if not most!) security bugs start off their lives as seemingly innocuous “regular” bugs, and it’s only by diligently considering how aberrant behavior – say, incorrect results returned for particular inputs or a mere “stability issue” that turns out to actually be a use-after-free causing the observed crashes – could be abused by determined malicious actors that the underlying security implications become obvious. This has great benefits: for instance, it can be argued that it wasn’t until Microsoft started taking BSoDs that could be triggered by unprivileged users seriously, recognizing them for the open backdoors most of them were, that Windows actually became usably stable.

Of course, then there are the bugs that have such blatantly obvious security implications that it would be hard to qualify them as wolves in sheep’s clothing. Someone encountering such a bug, even if not particularly security-minded, would be forced to immediately recognize the risk they pose even if only because they have to deal with its consequences. This post is about such a security bug that I encountered in the same vein as many others in the past: simply trying to do something completely unrelated and running into a vulnerability that made the task at hand that much harder.

Continue reading

Regarding Twitter’s “new login from unknown device” alerts…

Posted on by Mahmoud Al-Qudsi
7

One nice thing that’s come about from the increased scrutiny that online security has been receiving is that it’s gone from being considered paranoid to becoming completely expected to be notified regarding incidents such as new logins, password changes, failed 2FA attempts, and other security-related activity. But any time a metric gets noticed, it also gets gamified and either decreases in value or ceases to be relevant altogether – a principal first documented by British economist Charles Goodhart and now known as Goodhart’s Law and demonstrated in this wonderful Sketch Plantations depiction:

Continue reading

SecureStore: the open secrets container format

Posted on by Mahmoud Al-Qudsi
Reply

It’s been a while since we first released our SecureStore.NET library for C# and ASP.NET developers back in 2017, as a solution for developers looking for an uncomplicated way of safely and securely storing secrets without needing to build and maintain an entire infrastructure catering to that end. Originally built way back in 2015 to support secrets storage in legacy ASP.NET applications, SecureStore.NET has been since updated for ASP.NET Core and UWP desktop application development, and now we’re proud to announce the release of SecureStore 1.0 with multi-platform and cross-framework support, with an updated schema making a few more features possible and official implementations in C#/.NET and Rust.

Continue reading

Transparent encryption and decryption in rust with cryptostreams

Posted on by Mahmoud Al-Qudsi
2

C# developers have long been spoiled when it comes to quickly and easily getting up and running with encryption thanks to the .NET CryptoStream  class, which wraps a Stream instance in a second Stream that automatically encrypts/decrypts anything read/written to/from it before passing it along to the underlying Stream. Long story short, it makes it ridiculously easy to add encryption or decryption facilities to an existing pipeline, as after setting up the CryptoStream instance you can just treat it like any other Stream object and read or write to it normally.

Encryption has been somewhat of a sore spot in the rust ecosystem after a few false starts with “native” rust encryption libraries that went nowhere, but today the rust community has fortunately adopted the OpenSSL bindings as the approach of choice, and the rust-openssl crate makes it easy to both bundle and consume the openssl bindings from rust in a cross-platform manner. What it doesn’t do is make encryption and decryption any easier than OpenSSL itself does.

Continue reading

Modern C++ isn’t memory safe, either

Posted on by Mahmoud Al-Qudsi
11

A recurring theme in just about all discussions revolving around the comparison of programming languages – apart from using the wrong tool for the job, adamantly pushing a language objectively/demonstrably inferior at x out of blind loyalty, bashing on languages you’ve never used or studied simply because you’ve seen firsthand how well received such comments can be, and worse – is acting off of stale information that no longer necessarily holds true.

At NeoSmart Technologies, we don’t just have one dog in the race; our software is developed in a multitude of languages, ranging from C/C++ to both desktop/web C#/ASP.NET, rust, [JS|TypeScript]/HTML/[LESS|CSS], (ba)sh scripting, and more.1 So it’s always interesting to observe these discussions (sometimes up close and personal and sometimes disinterestedly from afar) and observe what arguments remain standing once the dust has settled and the troops have gone home for the day.

Continue reading

  1. Gasp, yes, even PHP! 

Windows users vulnerable to Meltdown/Spectre until at least January 9, 2018

Posted on by NeoSmart Technologies
19

Security-conscious Windows users attempting to protect themselves against Meltdown and Spectre attacks in the wild are being met with a deceptive “Your device is up to date” message — but they’re not yet protected.

In the days following the disclosure of CPU cache attacks Meltdown and Spectre, hardware, kernel, and software developers have rushed to provide security updates for their respective devices and platforms in an (ongoing) effort to secure their users against the wide-ranging (and not yet fully understood/internalized) side-channel vulnerabilities disclosed a few days ago on the 3rd of January, 2018.

For those that aren’t up to date on these attacks – stop now, and read this excellent LWN article on Meltdown and Spectre; if you’re so inclined, you can even have a look at the original Google Project Zero article where it all started.1

Continue reading

  1. While the latter is more technical in nature, programming-inclined readers in the audience may find it to actually be easier to grok with its more definite and concrete approach, vs the somewhat abstract nature of pretty much all the other coverage out there. 

The Certificate Authority model does not work for LAN devices

Posted on by Mahmoud Al-Qudsi
18

HTTPS is the future and the future is (finally) here. Secure HTTP requests that provide end-to-end encryption between the client making the request and the server providing it with the requested content is finally making some headway, with almost a third of the top one million sites on the internet serving content over SSL, as of August 2017:1

But what this chart doesn’t show is an important subsection of HTTP traffic that is unfortunately infamous for a general lack of security: IoT. The “internet of things,” as it is called, is famous for fiascoes that have allowed hackers to break into the privacy of homes, spying on consumers via internet-enabled nanny cams, gaining access to so-called “smart locks” to break into houses, obtaining sensitive information, and exposing private content and data thanks to insecurely designed consumer products and services that live on the local network.

Continue reading

  1. Source: BuiltWith SSL trends 

A free LastPass to 1Password conversion utility

Posted on by NeoSmart Technologies
1

1Password and LastPass are probably the two best known names in the password storage business, both having been around from 2006 and 2008, respectively. Back in 2008, the internet was a very different place than it is today, especially when it comes to security. Since then, a lot has changed and the world has (hopefully) become a more security-conscious place – and security experts have come to a consensus on a lot of practices and approaches when it comes to encryption and the proper handling of sensitive data.

Both of these password managers are heavily vetted and constantly under scrutiny from security researchers, crackers, state security agencies, white hat hackers, and more with open bug bounty programs [1] [2] (though some considerably more generous than others), and are probably “safe” choices for the average computer user.. to an extent.

Continue reading

Which carry-on electronics are bigger than a cell phone?

Posted on by Mahmoud Al-Qudsi
Reply

From the “they clearly didn’t think this one through” department,1 comes news of the federal government’s new ban on “electronic devices larger than a cellphone” from eight Muslim-majority countries, ostensibly to defend against in-air terror attacks that could somehow come via a device that’s been x-rayed and powered on to ensure it works. But what’s a cell phone and how big is too big?

Continue reading

  1. The poor fellas in this department have been so overworked these past 60 days. They’ve really never put in this much overtime since, well, ever.