I'm now CISO and Chief Hacking Officer at HackerOne. "The most rewarding parts of my career have been the times when I’ve hired hackers, rewarded independent hackers, defended hackers, and celebrated the achievements of hackers."
Remember, Google Chrome is very well sandboxed. So when you see a Chrome 0-day fixed by the team in isolation, you have to suspect another company (Microsoft?) is sitting on an unfixed sandbox escape. Usually (but not always) a Windows kernel bug. Often Win 7 only.
Red alert? "tl;dr: there is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve.":
[blog] Recovering "lost" treasure-filled floppy discs with an oscilloscope: , a project with Phil Pemberton. A fun project with a lot of nuance and experimentation.
[blog] "Reverse engineering a forgotten 1970s Intel dual core beast: 8271, a new ISA": A small team decapped / reversed an 8271; beautiful but shockingly large. Dual core! Larger than the 6502 CPU (right). Fascinating Intel history and a new Intel ISA!
On behalf of the HackerOne team, I’d like to apologize to the Ukrainian hacker community for the frustration and confusion that our poor communication has caused. We have not (and will not) block lawful payments to Ukraine.
I'm restoring a 35 year old floppy drive. In case you were wondering what the magnetic signal on a floppy disc looks like, wonder no further. This is a clean, strong (DFM encoded) signal from a 35 (!!) year old disc.
OMG. Does Intel have broken speculative execution? "AMD ... does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."
Your other Halloween scare, looks like a Chrome 0-day: "CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev at Kaspersky Labs on 2019-10-29. Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild."
Ok I'm in awe of @tehjh. Not 100% sure I've got it but did he speculatively execute (x64) a speculative program (BPF) by colliding the branch target buffer in order to leak via a cache side effect? Words cannot describe skullduggery of this magnitude.
Well that sucks. Sometimes, 35 year old floppies have failed glue so the magnetic particles fly off when you try and read them. Pretty picture to tell a thousand words:
"We can't repel firepower of that magnitude" said the strong iPhones as they fell to a full remote over-the-air WiFi compromise by @laginimaineb. Best research I've seen this year:
HackerOne supports its customers. We’re in close contact with Uber’s security team, have locked their data down, and will continue to assist with their investigation.
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
There's something hauntingly beautiful watching all these iPhones die at slightly different times, as they get a WiFi broadcast packet of death. (from )
This is excellent by Apple. A ~6 year old phone still getting patches. It's great for security and great for those of us who see an upgrade as wasteful if the old device is functional. Still annoyed about loss of patches for my Pixel 2 after ~3 years.
I don't tweet a lot.... but when I do, it's a "must read" by @fugueish, "Prioritizing Memory Safety Migrations": , can't decide if the best bit is "mean-spirited packets" or "attacker is able to get at C/C++ attack surface, we must assume they can win."
As a technical community we've had to work _really_ hard to increase input latency despite continuing exponential improvement in computing power. No one would have thought it possible, but we've sucked so hard we did it. BTW, complexity also kills security. :(
If you're in Enterprise / Corporate security, I recommend reading and implementing this fresh take from Dropbox on 3rd party vendor security: TL;DR vendor questionnaires are a shit show and here's a better way. [forgot to amplify this when first posted]
Let me be clear: Chrome has consistently been a more secure browser than Safari for too many reasons to list in a tweet. Disgraceful from Apple, particularly answer #4:
Back in the UK for the first time in 8 years. Me: what's new? Cabbie (very serious): well, there's the Brexit thing but the big one was KFC running out of chicken.
Best bug bounty report ever? "With great pleasure we would like to report that we have discovered a GraphQL endpoint that discloses internal beer consumption at your offices."
iOS security can be summarized as two extremes. On one hand, Apple have invested significantly in security mitigations and many security layers. On the other hand, code quality is poor. Which factor dominates? Poor code quality. Attacker just cranks through the layers.
But having such a large and privileged attack surface reachable by anyone means the security of that code is paramount, and unfortunately the quality of the AWDL code was at times fairly poor and seemingly untested.
Am I the only one who's a fan of branded vulnerabilities? KRACK, ok got it, conversation started. CVE-2017-blablahonkhonk -- remind me, which one is that?
Hackers, HackerOne's Bug Bounty Program just cleared the $1,000,000 rewards milestone! Thanks so much for helping secure the platform. The creativity in your reports is spectacular, representing novel, elusive (and sometimes severe!) findings that no other security tool can find.
In maths, they have the Erdos number. In Infosec, I think we now have the Horn number. This is the number of times you have to read Spectre variant #2 before you get it.
I don't think site isolation is a "mitigation" for Spectre. I think failure to align web security boundaries (sites) with OS security boundary primitives (processes) is a browser design error that only Chromium has an answer for (thanks to years of investment). /cc: @nasko
Starting today, we're experimenting on Chrome stable with a Following feature. You can choose websites to follow, and their RSS updates will appear on Chrome's new tab page. We've been working on this for a while & I'm super excited to hear what people think 👇
Interesting new attacks against TLS, targeting the underlying protocols: A quick, practical tip: don't re-use the same hostname for different TLS-protected protocols, and don't use a wildcard cert covering different hostnames with different protocols.
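The tip above has two halves: a hostname should not serve more than one TLS-protected protocol, and one certificate (wildcard or multi-SAN) should not cover hosts that speak different protocols. The following script is an added example, not code from the original tweet or from any cited research; it audits a constructed service inventory and a constructed set of certificate SAN lists (all names are made up) and flags both conditions. SAN matching follows the usual rule that `*.` covers exactly one DNS label.

```python
"""Audit TLS deployments for cross-protocol exposure (added example).

Both the SERVICES inventory and the CERTS mapping below are constructed
sample data, not a real environment.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory: (hostname, application protocol served behind TLS).
SERVICES: List[Tuple[str, str]] = [
    ("www.example.com", "https"),
    ("api.example.com", "https"),
    ("mail.example.com", "smtp"),
    ("mail.example.com", "imap"),      # same host, second protocol
    ("ftp.example.com", "ftp"),
    ("intranet.corp.example", "https"),
]

# Constructed certificates: label -> dNSName SAN entries.
CERTS: Dict[str, List[str]] = {
    "wildcard-example": ["*.example.com", "example.com"],
    "api-only": ["api.example.com"],
    "corp": ["intranet.corp.example"],
}


def san_matches(san: str, host: str) -> bool:
    """True if a certificate SAN entry covers the host.

    A leading '*.' matches exactly one label (so '*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'a.b.example.com').
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]                      # '.example.com'
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return san == host


def covered_services(sans: List[str], services: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """All (host, protocol) pairs whose host is covered by any of the SANs."""
    return [(h, p) for h, p in services if any(san_matches(s, h) for s in sans)]


def certs_spanning_protocols(certs: Dict[str, List[str]],
                             services: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Certificates whose coverage reaches hosts speaking different protocols."""
    findings = {}
    for name, sans in certs.items():
        covered = covered_services(sans, services)
        protocols = sorted({p for _, p in covered})
        if len(protocols) > 1:
            findings[name] = {
                "protocols": protocols,
                "hosts": sorted({h for h, _ in covered}),
            }
    return findings


def hosts_with_multiple_protocols(services: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Hostnames reused for more than one TLS-protected protocol."""
    by_host = defaultdict(set)
    for host, proto in services:
        by_host[host.lower()].add(proto)
    return {h: sorted(ps) for h, ps in by_host.items() if len(ps) > 1}


if __name__ == "__main__":
    for name, info in certs_spanning_protocols(CERTS, SERVICES).items():
        print(f"cert {name!r} covers {info['hosts']} speaking {info['protocols']}")
    for host, protos in hosts_with_multiple_protocols(SERVICES).items():
        print(f"host {host!r} serves several protocols: {protos}")
```

In the sample data the wildcard certificate is the one to split: it is valid for the HTTPS, SMTP, IMAP and FTP hosts at once, and mail.example.com additionally serves two protocols under a single name. Real inventories can be fed in from a certificate transparency export or an internal asset list in the same (host, protocol) shape.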
Google is often much stronger than Apple at security.... but this is one area where Apple spanks Google. I have a Pixel 2 and it's still a very fast and capable phone. This is disappointing not just for the security, but also for the waste.
Hackers, an important one. e.g.: we heard that CVSS "PR" is handled inconsistently (should be PR:None for self-sign-up). We're transparently listing a set of Detailed Platform Standards for consistency across programs. Need your help -- what to cover next?
Ok. Read this, an article I loved earlier this year, "reading kernel memory from user mode", via "Abusing speculative execution". It was a negative result. Did someone flip it positive?
Dropbox is hiring for security, all roles. This includes hiring in Seattle! We're hosting an evening of talks, snacks and drinks at the (awesome!) Dropbox Seattle office on Feb 15th. RSVP:
A huge thank you to @HarshDRanjan1 for patience relating to report . Severity went Medium -> High; bounty raised. Good programs will re-evaluate reports with rational arguments. Hackers, thanks for the CVSS "Privileges Required" feedback. Action underway.
Dropbox will be publishing a lot more about security initiatives and technology in 2018. Some interesting posts in the works; for now here's a high-level opener:
Hackers, we're listening to feedback around the platform retesting feature. As a step to improvement, customers can now tag more than $50 when approving a retest. To respect your time, $50 remains a strict minimum.
Great post by the V8 team on their Spectre journey: Some thought provokers, "offensive research advanced much faster than our defensive research" and particularly "engineering effort diverted to combating Spectre was disproportionate to its threat level".
[blog] Weak bits floppy disc protection: an alternate origins story on 8-bit: I found an unusually sophisticated 1980s protection and the author had a great story how it came about.
The 4th law of thermodynamics: all video conferencing software will expand its energy requirements to precisely match 100% utilization of the host machine, no matter how powerful.
It must be an easy life to have the job title "Offensive Security Engineer". Roll into the office late, flip off a few developers who introduced XSS, and then your work is done for the day?
British English is best English. "At one point, Forcefully Unmap Complete Kernel With Interrupt Trampolines, aka FUCKWIT, was mulled by the Linux kernel team, giving you an idea of how annoying this has been for the developers."
.@doctorow See . In my experience, the most common form of anti-disclosure bullying is abusing business relationships. i.e. some SVP or CEO calls up some SVP or CEO (of the company where the researcher works), rants and makes threats, etc.
Hackers, important! Share if you can. We request more data on programs. Got a valid report? The "Give feedback" button is active. Rant if necessary, but please take time for the great programs too. We will help programs improve, and highlight programs that respect norms and you.
Thanks LinkedIn. I must decline to press the "unlock insights" button based on these samples.
"Chris, over 20,000 people in San Francisco Bay Area share your first name"
"Thinking about a raise? $60,000 is the median salary for the title Chief Of Security in United States."
Hackers, I think this one's important. You deserve transparency as a matter of fairness and platform integrity. It is now mandatory for programs to always show time-to-bounty related statistics. (Example is from a leading program.)
Every Bug Bounty Program has areas for improvement. IMHO, the mark of a Gold Standard BBP is accepting feedback with humility and making updates. In this instance, we had a bounty table inconsistency. I approved $60,000 in retroactive payouts and we straightened out the table.