Wednesday, December 26, 2018

2018-045: end of the year podcast!


Join the combined forces of:

Jerry Bell (@maliciousLink) from Defensive Security Podcast! (https://defensivesecurity.org/)

Bill Gardner from the "RebootIt! podcast"

https://itunes.apple.com/us/podcast/reboot-it/id1256466198?mt=2

 

Ms. Berlin and Bryan Brake for the end of the year podcast!

BrakeSec Podcast = www.brakeingsecurity.com

RSS: https://www.brakeingsecurity.com/rss


Here is a new episode of Brakeing Down Security Podcast!

Tuesday, December 18, 2018

2018-044: Mike Samuels discusses NodeJS hardening initiatives


Mike Samuels

https://twitter.com/mvsamuel


https://github.com/mikesamuel/attack-review-testbed

https://nodejs-security-wg.slack.com/



Hardening NodeJS

 

Speaking engagement talks:

A Node.js Security Roadmap at JSConf.eu - https://www.youtube.com/watch?v=1Gun2lRb5Gw

Improving Security by Improving the Framework @ Node Summit - https://vimeo.com/287516009

Achieving Secure Software through Redesign at Nordic.js - https://www.facebook.com/nordicjs/videos/232944327398936/?t=1781



What is a package: (holy hell, why is this so complicated?)

   

A package is any of:

  1. a) a folder containing a program described by a package.json file
  2. b) a gzipped tarball containing (a)
  3. c) a url that resolves to (b)
  4. d) a <name>@<version> that is published on the registry with ©
  5. e) a <name>@<tag> that points to (d)
  6. f) a <name> that has a latest tag satisfying (e)
  7. g) a git url that, when cloned, results in (a).


https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

 

https://blog.risingstack.com/node-js-security-checklist/

 

https://www.npmjs.com/package/trusted-types

https://github.com/WICG/trusted-types/issues/31


Here is a new episode of Brakeing Down Security Podcast!

Monday, December 10, 2018

2018-043-Adam-Baldwin, npmjs Director of Security, event stream post mortem, and making your package system more secure


Adam Baldwin (@adam_baldwin)

Director of Security, npm

 

https://foundation.nodejs.org/

https://spring.io/understanding/javascript-package-managers

 

Role in the NodeJS project

    Advisory? Active role? Maintain security modules?

    Are there any requirements to being a dev?

    Are there different roles in the NodeJS environment?

    Is there any review of system sensitive packages? (or has that ship sailed…)

 

Discussion of timeline from NodeJS security team

    When were you notified? (or were you notified at all?)

    What steps were taken to fix the issue?

    Lessons learned?

 

Official npm security policy: https://www.npmjs.com/policies/security (good stuff!)

 

Event-stream (initial bug report):   https://github.com/dominictarr/event-stream/issues/116

 

Only affected bitcoin Wallets from ‘Copay’

                    https://nakedsecurity.sophos.com/2018/11/28/javascript-library-used-for-sneak-attack-on-copay-bitcoin-wallet/

“Cue relief, mixed with frustration, for anyone not targeted. Developer Chris Northwood wrote :

We’ve wiped our brows as we’ve got away with it, we didn’t have malicious code running on our dev machines, our CI servers, or in prod. This time.” (

 

https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

“The damage this could have caused is incredible to think about. The projects that depend on this aren’t trivial either, Microsoft’s original Azure CLI depends on event-stream! Think of the systems that either develop that tool or run that tool. Each one of those potentially had this malicious code installed.”

 

https://thehackernews.com/2018/11/nodejs-event-stream-module.html

“The malicious code detected earlier this week was added to Event-Stream version 3.3.6, published on September 9 via NPM repository, and had since been downloaded by nearly 8 million application programmers.”

 

https://www.analyticsvidhya.com/blog/2018/07/using-power-deep-learning-cyber-security/

 

Hacker News (with comments): https://news.ycombinator.com/item?id=18534392

 

Official npm blog post: https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of

https://resources.whitesourcesoftware.com/blog-whitesource/top-5-open-source-security-vulnerabilities-november-2018

 

2017 package/user stats: https://www.linux.com/news/event/Nodejs/2016/state-union-npm

 

According to npmjs.org: over 800,000 packages (854,000 packages, 7 million+ individual versions)

 

Dependency hell in NodeJS:

https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/

    “Roughly 76% of Node shops use vulnerable packages, some of which are extremely severe; and open source projects regularly grow stale, neglecting to fix security flaws.”

 

History of NodeJS security issues:

 

ESLINT: https://nodesource.com/blog/a-high-level-post-mortem-of-the-eslint-scope-security-incident/

Left-pad: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

 

How to ensure this type of issue doesn’t happen again? (or is that possible, considering the ecosystem?)

What can devs, blueteams, or companies that live and die by NodeJS do to increase security, or assist in making NPM Security team’s job easier?

 

What the responsibility is of consumers of open source?

 

What can be done to ensure vetting for ‘important’ packages?

Can someone manage turnover? (or is that ship sailed?)

 

Security scanners:

https://geekflare.com/nodejs-security-scanner/

https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0

 

Threat assessment or ‘what could go wrong in the future’?

    Bad code

    “Trust issues”

    Repo corruption

    Hijacking packages

   

Keep up to date on NodeJS security issues:

https://nodejs.org/en/security/

https://groups.google.com/forum/#!forum/nodejs-sec

 

^ this is great for node, but if you want to stay up to date with security advisories in the ecosystem?

npmjs.com/advisories or @npmjs on twitter


https://rubysec.com/ -Ruby security group

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!

Sunday, December 2, 2018

2018-042-Election security processes in the state of Ohio


Where in the world is Ms. Amanda Berlin?

    Keynoting hackerconWV

 

Election Security

 

Cuyahoga County:

 

Intro: Jeremy Mio (@cyborg00101

Name?

Why are you here?

 

Discussing Ohio does election operations.

    Walk through the process

Pre-Elections

Elections Night

Post Elections

 

All about the C.I.A.

Votes must be confidential

Votes must not be compromised (integrity)

Voting should be available and without outage

 

Did a tabletop exercise with all counties in Ohio (impressive!)

    Gamified, using role-reversal

    Points based system

    Different technology has different point values

 

Physical security/chain of custody

Retention

 

EI-ISAC - election infra ISAC

https://www.cisecurity.org/services/albert/ - Albert system

https://www.cisecurity.org/best-practices-part-1/ - election security best practices

 

How does the Ohio election process stack up against other states?

 

Media Perception in Elections Hacking and threats

11 year olds ‘hacking election’

    Yes, good for a new article title

    Goes to show how easy it is to actually hack systems

        Train someone on SQLI, pwn the things

 

Elections Security Operations and Preparation

Technology types

    Ballot

    Booths

    Mail-in ballots

 

Securing election infra

    What can be done to make it more secure?

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotifyhttps://brakesec.com/spotifyBDS

#RSShttps://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloudhttps://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypalhttps://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Here is a new episode of Brakeing Down Security Podcast!