-
20 votes
-
Scams, American Express, and obfuscated Javascript
10 votes -
Help: I just received a mail from my own email, can't know if phishing or I'm hacked
I just received a mail from my own e-mail address, hosted on Gandi on my own domain name. It said that the sender has hacked me, used malware, keyloggers and RDP to get my passwords and copy all...
I just received a mail from my own e-mail address, hosted on Gandi on my own domain name. It said that the sender has hacked me, used malware, keyloggers and RDP to get my passwords and copy all my files to his own computer, and took videos of me while watching adult content using my webcam (I never noticed the light turning on for it). Claims they've been doing this for a few months. Gives a bitcoin address and wants $1000 (a sum I can't and won't give, don't even have a fraction of it) in 48 hrs, or else will share the videos with my contacts. It said something about a pixel the message included.
I viewed the message from K-9 mail on android (which didn't tell anything about pixels or whatnot), and when I went back on my computer to check the headers and stuff, the message was deleted.
Now, is this some sort of phishing or or have I really been pwned? I feel like it's just phishing, but the message deleting itself kinda gave me shills of fear. I promptly changed my password for the mail account.
10 votes -
Is Huawei a friend or foe in the battle for 5G dominance?
4 votes -
New Japanese law lets government hack IOT devices and warn owners they're vulnerable
8 votes -
How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc)
16 votes -
Our Software Dependency Problem
9 votes -
Remote Code Execution in apt/apt-get
19 votes -
If you installed PEAR PHP in the last 6 months, you may be infected.
8 votes -
Bomb threat, sextortion spammers abused weakness at GoDaddy.com
7 votes -
Why does apt not use https?
15 votes -
SELinux's approach (restrict everything unless explicitly permitted) is the opposite of Linux's (permit everything unless explicitly forbidden). That makes setup different,
4 votes -
Where should I put the 2FA recovery code for my password manager?
So I have all my passwords, TOTP backup codes, and account recovery codes in my password manager (Bitwarden.) In turn, Bitwarden is secured with a master password and TOTP 2FA. I have a recovery...
So I have all my passwords, TOTP backup codes, and account recovery codes in my password manager (Bitwarden.) In turn, Bitwarden is secured with a master password and TOTP 2FA. I have a recovery code for the 2FA in the event that I can't get to andOTP anymore (2FA app.) The thing is, where do I put that code? I can't put it in a note app or anything, because if I'm locked out of Bitwarden, I don't have my passwords. Do you see my problem? I was thinking about physically writing it down, but that makes me nervous because I might lose it. Are there any good solutions to this problem?
9 votes -
A Brief Look at Webhook Security
Preface Software security is one of those subjects that often gets overlooked, both in academia and in professional projects, unless you're specifically working with some existing security-related...
Preface
Software security is one of those subjects that often gets overlooked, both in academia and in professional projects, unless you're specifically working with some existing security-related element (e.g. you're taking a course on security basics, or updating your password hashing algorithm). As a result, we frequently see stories of rather catastrophic data leaks from otherwise reputable businesses, leaks which should have been entirely preventable with even the most basic of safeguards in place.
With that in mind, I thought I would switch things up and discuss something security-related this time.
Background
It's commonplace for complex software systems to avoid unnecessarily large expenses, especially in terms of technical debt and the capital involved in the initial development costs of building entire systems for e.g. geolocation or financial transactions. Instead of reinventing the wheel and effectively building a parallel business, we instead integrate with existing third-party systems, typically by using an API.
The problem, however, is that sometimes these third-party systems process requests over a long period of time, potentially on the order of minutes, hours, days, or even longer. If, for example, you have users who want to purchase something using your online platform, then it's not a particularly good idea to having potentially thousands of open connections to that third-party system all sitting there waiting multiple business days for funds to clear. That would just be stupid. So, how do we handle this in a way that isn't incredibly stupid?
There are two commonly accepted methods to avoid having to wait around:
- We can periodically contact the third-party system and ask for the current status of a request, or
- We can give the third-party system a way to contact us and let us know when they're finished with a request.
Both of these methods work, but obviously there will be a potentially significant delay in #1 between when a request finishes and when we know that it has finished (with a maximum delay of the wait time between status updates), whereas in #2 that delay is practically non-existent. Using #1 is also incredibly inefficient due to the number of wasted status update requests, whereas #2 allows us to avoid that kind of waste. Clearly #2 seems like the ideal option.
Method #2 is what we call a webhook.
May I see your ID?
The problem with webhooks is that when you're implementing one, it's far too easy to forget that you need to restrict access to it. After all, that third-party system isn't a user, right? They're not a human. They can't just give us a username and password like we want them to. They don't understand the specific requirements for our individual, custom-designed system.
But what happens if some malicious actor figures out what the webhook endpoint is? Let's say that all we do is log webhook requests somewhere in a non-capped file or database table/collection. Barring all other possible attack vectors, we suddenly find ourselves susceptible to that malicious actor sending us thousands, possibly millions of fraudulent data payloads in a small amount of time thanks to a botnet, and now our server's I/O utilization is spiking and the entire system is grinding to a halt--we're experiencing a DDoS!
We don't want just anyone to be able to talk to our webhook. We want to make sure that anyone who does is verified and trusted. But since we can't require a username and password, since we can't guarantee that the third-party system will even know how to make use of them, what can we do?
The answer is to use some form of token-based authentication--we generate a unique token, kind of like an ID card, and we attach it to our webhook endpoint (e.g.
https://example.com/my_webhook/{unique_token}
). We can then check that token for validity every time someone touches our webhook, ensuring that only someone we trust can get in.
Class is in Session
Just as there are two commonly accepted models for how to handle receiving updates from third-party systems, there are also two common models for how to assign a webhook to those systems:
- Hard-coding the webhook in your account settings, or
- Passing a webhook as part of request payload.
Model #1 is, in my experience, the most common of the two. In this model, our authentication token is typically directly linked to some user or user-like object in our system. This token is intended to be persisted and reused indefinitely, only scrapped in the event of a breach or a termination of integration with the service that uses it. Unfortunately, if the token is present within the URL, it's possible for your token to be viewed in plaintext in your logs.
In model #2, it's perfectly feasible to mirror the behavior of model #1 by simply passing the same webhook endpoint with the same token in every new request; however, there is a far better solution. We can, instead, generate a brand new token for each new request to the third-party system, and each new token can be associated with the request itself on our own system. Rather than only validating the token itself, we then validate that the token and the request it's supposed to be associated with are both valid. This ensures that even in the event of a breach, a leaked authentication token's extent of damage is limited only to the domain of the request it's associated with! In addition, we can automatically expire these tokens after receiving a certain number of requests, ensuring that a DDoS using a single valid token and request payload isn't possible. As with model #1, however, we still run into problems of token exposure if the token is present in the URL.
Model #2 treats each individual authentication token not as a session for an entire third-party system, but as a session for a single request on that system. These per-request session tokens require greater effort to implement, but are inherently safer due to the increased granularity of our authentication and our flexibility in allowing ourselves to expire the tokens at will.
Final Thoughts
Security is hard. Even with per-request session tokens, webhooks still aren't as secure as we might like them to be. Some systems allow us to define tokens that will be inserted into the request payload, but more often than not you'll find that only a webhook URL is possible to specify. Ideally we would stuff those tokens right into the POST request payload for all of our third-party systems so they would never be so easily exposed in plaintext in log files, but legacy systems tend to be slow to catch up and newer systems often don't have developers with the security background to consider it.
Still, as far as securing webhooks goes, having some sort of cryptographically secure authentication token is far better than leaving the door wide open for any script kiddie having a bad day to waltz right in and set the whole place on fire. If you're integrating with any third-party system, your job isn't to make it impossible for them to get their hands on a key, but to make it really difficult and to make sure you don't leave any gasoline lying around in case they do.
8 votes -
The 773 Million Record "Collection #1" Data Breach
24 votes -
VOIPO.com data leak
7 votes -
These are all the federal HTTPS websites that’ll expire soon because of the US government shutdown
8 votes -
For owners of Amazon’s Ring security cameras, strangers may have been watching too
10 votes -
The State of Software Security In 2019
9 votes -
The infiltrator: A former Marine working for the private security firm TigerSwan infiltrated an array of anti-Dakota Access pipeline groups at Standing Rock and beyond
12 votes -
USB-IF Launches USB Type-C™ Authentication Program
8 votes -
The State of Open Source Security Survey is open
6 votes -
At Blind, a security lapse revealed private complaints from Silicon Valley employees
13 votes -
Advocating for privacy in Australia
9 votes -
The FBI has seized the domains of fifteen DDoS-for-hire services, and filed criminal charges against three people associated with them
10 votes -
Project Zero discovered multiple severe vulnerabilities in VBScript by using their grammar fuzzing engine
5 votes -
Potential impact of two IoT security and privacy laws on tech industry
6 votes -
German cybersecurity chief: Anyone have any evidence of Huawei naughtiness? We won't be having a word with local firms until then
11 votes -
What happens when packages go bad?
15 votes -
Cloudflare is providing services to at least seven designated foreign terrorist organizations and militant groups
12 votes -
A Confusing Dependency
13 votes -
After audit, no Chinese surveillance implants in Supermicro boards found
10 votes -
Cybersecurity books recommended by top security researchers
8 votes -
Which setting on router should be used to secure home network?
Like millions of people, I have a router at home, with WiFi and admin passwords set up. If an attacker request comes in, there are no port forwarding rules set, and the router should say "hey...
Like millions of people, I have a router at home, with WiFi and admin passwords set up.
If an attacker request comes in, there are no port forwarding rules set, and the router should say "hey request from the internet, I don't know to which device you want to go, sorry I'll drop you then", and I'm secure. But I don't think it's that simple. If a packet from the outer network can attack my LAN without using port forwarding, how?
Which router settings should I be really looking for to make home LAN more secure? Or what are the keywords of network security to start with?
11 votes -
Amazon admits it exposed customer email addresses, but refuses to give details
14 votes -
Google Releases Security Updates for Chrome (Remote Code Execution?)
5 votes -
Review of controls for certain emerging technologies
4 votes -
BlackBerry buys cybersecurity firm Cylance for $1.4 billion
5 votes -
When will security go back to normal?
9 votes -
The Web is still a DARPA weapon
12 votes -
Tunneling into a private network through JavaScript
7 votes -
Unsecured database of millions of SMS text messages exposed password resets and two-factor codes
19 votes -
Japan cybersecurity minister admits he has never used a computer
25 votes -
Beyond Passwords: 2FA, U2F and Google Advanced Protection
7 votes -
Using Wi-Fi to “see” behind closed doors is easier than anyone thought
12 votes -
VirtualBox E1000 Guest-to-Host Escape Vulnerability
16 votes -
There’s no plan B for port security
9 votes -
"Password killer" solutions aren't widely adopted because of usability reasons - even though they may be technically inferior, everyone understands passwords
21 votes -
could we have a warrant canary sitting at the page footer?
an actual picture of a canary would be cute and then if it's removed we know, or just a small line like the non-profit disclaimer is currently.
21 votes -
Kernel RCE caused by buffer overflow in Apple's ICMP packet-handling code (CVE-2018-4407) [macOS & iOS]
4 votes