今日已更新 213 条资讯 | 累计 20683 条内容
关于我们

标签:#SEC

找到 694 篇相关文章

AI 资讯

Meta’s own AI was exploited to hijack Instagram accounts

Meta's AI support chatbot helped hackers hijack Instagram accounts, as reported earlier by 404 Media. In a video shared on Telegram, a hacker shows how they could take over an account by asking Meta's chatbot to switch the email associated with someone else's profile and then reset the password. The issue, which Meta says has […]

2026-06-02 原文 →
AI 资讯

Device Code Flow: The Overlooked Phishing Vector (And How to Block It)

Device Code Flow abuse is not a new technique. Security teams have known for some time that this OAuth feature can be leveraged in phishing attacks to obtain tokens without stealing credentials. What is new is how accessible and scalable this attack has become. In April 2026, the FBI warned about a Phishing-as-a-Service (PhaaS) platform called Kali365, which operationalizes this exact technique. It allows even low-skilled attackers to run campaigns that trick users into entering device codes on legitimate Microsoft login pages — ultimately granting attackers OAuth tokens and acess to Microsoft 365 environments without triggering traditional authentication defenses. How Device Code Flow Works Device code flow is an authentication method designed for scenarios where a device has limited input options or lacks a convenient browser interface (such as smart TVs, IoT devices, or command-line tools). Instead of entering credentials directly on the device, the application generates a verification code and displays it. The user then switches to a secondary device (such as a laptop or smartphone), navigates to https://microsoft.com/devicelogin , and enters the provided code. After successfully authenticating, the identity provider securely links the session and grants the original device access to the requested resource. Why Device Code Flow Should Be Restricted In practice, many organizations don’t have a real or current business need for device code flow, yet leave it enabled—unnecessarily expanding their attack surface. Disabling it helps reduce exposure by removing a legacy or rarely used authentication path and reinforces modern controls. Microsoft recommends getting as close as possible to a full block. Start by auditing existing usage, validate whether any legitimate scenarios still require it, and strictly limit access only to well-defined, secured, and documented use cases (e.g., specific legacy tools). In all other cases, device code flow should be disabled by defau

2026-06-01 原文 →
AI 资讯

A Trailing Slash Bypassed AWS API Gateway Authorization

A security researcher found that adding a trailing slash to AWS HTTP API paths bypassed Lambda authorizer authentication entirely, enabling unauthenticated wire transfers at a fintech. The root cause is a path normalization mismatch between HTTP API's greedy route matching and its authorization layer. The same vulnerability class appeared in gRPC-Go via CVE-2026-33186. By Steef-Jan Wiggers

2026-06-01 原文 →
AI 资讯

It ran it works: I audited my own security platform and found a detection engine that never ran

I build a security platform. Last night I stopped adding features and did something less fun and more honest: I sat down to make every capability prove it actually works — end to end, with real data, demanding a real pass or fail. "It ran" is not a pass. A page that renders is not a feature. A green checkmark is a claim, not evidence. So I went capability by capability and tried to break each one. I found four real bugs and one of them was a gut-punch: a whole detection engine that was wired into the UI, unit-tested, and never actually ran in production. Here's how the night went. The rule: drive it, don't admire it My method was boring on purpose. For each capability: Feed it real input through the real entry point (CLI or API), not a test fixture. Check the data actually landed (query the DB, don't trust the success message). Feed it a malicious input and a benign input — it has to fire on one and stay quiet on the other. The detection engine passed cleanly. I threw a PsExec process event at it and it lit up: $ zds-core detection eval --event '{"event_type":"process_create","process_name":"psexec.exe"}' 1 alert ( s ) : [ high] PsExec Execution — ( matched: map[process_name:psexec.exe] ) A wevtutil cl Security event tripped a critical "Log Clearing" rule. A plain notepad.exe matched nothing. Good — it detects, and it doesn't cry wolf. (Small UX papercut I fixed while I was there: if you forgot the event_type field, the engine silently matched nothing and printed "no rules matched" — which reads exactly like "you're safe." Now it warns you that the event can't match any rule. Silence that looks like safety is the most dangerous output a security tool can produce.) The one that hurt: ITDR Identity Threat Detection and Response. The engine has detectors for impossible travel, credential spraying, brute force, privilege escalation. All unit-tested. All green. I ran the real flow: POST two login events for one user — New York, then London thirty minutes later. That's ~5

2026-06-01 原文 →
AI 资讯

How I passed the AWS Security Specialty and how you can too

Introduction to AWS certifications First things first, lets understand what the AWS Security Specialty certification is and where it fits in the AWS certification ecosystem. AWS certifications are divided into levels, each one targeting a different stage of your journey: Practitioner Associate Professional Specialty The practitioner level is where most people start. It focuses on foundational cloud concepts and basic AWS knowledge. As of today, there are two certifications at this level: AWS Cloud Practitioner AWS AI Practitioner The Cloud Practitioner covers core concepts like IAM, security, availability, pricing, and general cloud architecture. The AI Practitioner follows a similar structure, but focused on AI concepts and AWS AI services. The associate level is where things start to get more practical. At this level, you are expected to understand how to design and build solutions using AWS services. Some well-known certifications here are: Solutions Architect Associate Developer Associate SysOps Administrator The professional level goes much deeper. Here, you are expected to design complex architectures, handle trade offs, and make decisions based on real world constraints. The main certifications are: Solutions Architect Professional DevOps Engineer Professional Finally, we have the specialty certifications. These are focused on specific domains and require deep knowledge in a particular area. Examples include: Security Specialty Machine Learning Specialty (Retired) Advanced Networking Specialty And this is exactly where things start to get serious. At this level, AWS is no longer testing if you understand the services. It's testing if you can actually apply them in complex, real world scenarios. What it is and who this certification is for The AWS Security Specialty is one of the most difficult certifications in your AWS journey. This exam expects that you already know the basics and are comfortable with complex and long detailed scenarios that you often come

2026-06-01 原文 →
AI 资讯

Your MCP servers can read your SSH keys. Anthropic just fixed that.

Every MCP server you run locally executes with your full filesystem and network permissions. That means the GitHub MCP server, the Slack one, that third-party tool you installed from npm last week — all of them can read your SSH keys, .env files, and credential stores by default. Anthropic just open-sourced the fix: sandbox-runtime , the sandboxing layer they built for Claude Code. One-line wrap, no Docker, OS-level enforcement. What actually changed srt (the Sandbox Runtime CLI) enforces filesystem and network restrictions on any process using native OS primitives: macOS : Uses sandbox-exec with dynamically generated Seatbelt profiles Linux : Uses bubblewrap for containerization + network namespace isolation Network filtering : HTTP/HTTPS traffic routes through an HTTP proxy; other TCP goes through SOCKS5 — both enforce your domain allowlists Install it: npm install -g @anthropic-ai/sandbox-runtime Wrap an MCP server in your .mcp.json — change command from npx to srt , move the rest to args : { "mcpServers" : { "filesystem" : { "command" : "srt" , "args" : [ "npx" , "-y" , "@modelcontextprotocol/server-filesystem" ] } } } Then configure what the process is actually allowed to touch in ~/.srt-settings.json : { "filesystem" : { "denyRead" : [ "~/.ssh" ], "allowWrite" : [ "." ], "denyWrite" : [ "~/sensitive-folder" ] }, "network" : { "allowedDomains" : [ "api.github.com" , "*.npmjs.org" ] } } The result: the MCP server can work in your project directory, talk to the domains it needs, and nothing else. Why this matters The threat model is real. An MCP server running compromised code — or simply a server with more ambient access than it needs — can exfiltrate your SSH keys, read your .env files, or phone home to arbitrary hosts. This isn't theoretical; it's the same class of supply-chain risk that exists for any untrusted npm package, except MCP servers are typically long-running processes with broad system access. srt is designed secure-by-default : processes start wit

2026-06-01 原文 →
AI 资讯

JWT Explained: What's Actually Inside That Token (with a free decoder)

If you've ever worked with auth, you've seen a JWT — a long string like eyJhbGci... split into three parts by dots. It looks cryptic, but it's surprisingly simple once you see inside. A JWT has three parts header.payload.signature Header – tells you the signing algorithm, e.g. {"alg":"HS256","typ":"JWT"} Payload – the claims (the actual data), e.g. {"sub":"123","name":"John","iat":1516239022} Signature – verifies the token wasn't tampered with (needs the secret/key) The header and payload are just Base64url-encoded JSON — not encrypted. That means anyone can read them. So: ⚠️ Never put secrets in a JWT payload. It's signed, not hidden. Decoding one yourself You can decode the payload in the browser console: const [, payload ] = token . split ( " . " ); console . log ( JSON . parse ( atob ( payload ))); Or, if you just want to paste a token and instantly see the header + payload (without sending it to a server), I built a free decoder that runs entirely in your browser: https://forgly.dev/tools/jwt-decoder Decoding ≠ verifying Reading a JWT is trivial. Trusting it is not — you must verify the signature on your server with the secret/public key before relying on any claim. Decoding just lets you inspect what's there. That's the whole mental model: a JWT is a readable, signed envelope — not a locked box.

2026-05-31 原文 →
AI 资讯

The Principle of Least Privilege: Operational Speed's Security Cost

The Principle of Least Privilege: Operational Speed's Security Cost While developing a production ERP, delayed shipment reports were always a headache. One of the main reasons behind incomplete reports was the complexity of privilege layers in the system and, often, excessive permissions granted. In this post, I will delve into the costs we pay when we stretch security boundaries in an effort to gain operational speed. The principle of least privilege is more than just a security concept; it's critically important for operational efficiency and system stability. In this article, I will explain the impact of the principle of least privilege on operational speed, the security risks it entails, and how I've tried to strike this balance with concrete examples from my practical experience. My goal is to move beyond superficial definitions and dive deep into this topic based on my real-world field experiences, providing actionable insights to readers. Why Does the Principle of Least Privilege Seem to Hinder Operational Speed? The general tendency is to provide instant access to all relevant tools and data to speed up a task. This can be appealing, especially in an emergency or before a critical delivery. However, the Principle of Least Privilege (PoLP) advocates the opposite: a user or system component should have the absolute minimum privileges required to perform its task. This might initially seem to slow down operational processes. For example, a development team having unlimited SELECT rights to a production database might facilitate running an urgent query. However, the same developer could accidentally run UPDATE or DELETE commands, causing serious damage to the system. Such an incident, instead of speeding up a query in the short term, could lead to hours of downtime and data loss. This is where the long-term risk posed by operational speed, which PoLP is thought to hinder, becomes apparent. Another example is a system administrator frequently using the sudo su co

2026-05-31 原文 →
AI 资讯

Claude vs Gemini Across 4 Security Domains: A Dead Heat — and the Hardening 63% of AI Code Skips

The interesting result isn't who won. It's that across four security domains, Claude and Gemini missed the same hardening steps — and if you've shipped AI-generated auth middleware this year, your code almost certainly has the same gaps, and your review didn't catch them either. For the record, the scoreboard: one Gemini win, two ties, one split — a statistical dead heat. That's the last time the winner matters in this article. Here's the number that should bother you more than any leaderboard: across 700 AI-generated functions scored by the rules I'm about to use, 63% shipped a vulnerability . So "which model writes more secure code?" is mostly the wrong question — I've run that leaderboard myself and argued it's the wrong frame. But people keep asking it, so I ran it properly — on the ESLint security plugins I wrote specifically to catch these bugs, each mapped to a CWE — to show you what actually matters. The setup Four domains, four of my plugins. For each, the same feature-only prompt (no "make it secure" hint — that's how people actually use these tools), generated once by Gemini 2.5 Flash via the Gemini CLI and once by Claude Sonnet 4.6 via the Claude CLI , then linted with the domain's plugin on recommended . Method honesty: this is Gemini Flash vs Claude Sonnet — the comparable price/latency tier each vendor's CLI defaults to (Pro and Opus are a separate bracket; more on that below). It compares CLI tooling, system prompt included, not raw models under controlled decoding. n=1 per domain — but I re-ran the JWT round, and both models landed on 5 findings again with the same core misses, so treat these as directional with stable failure modes, not ±0 gospel. The scorecard Domain Prompt Plugin Gemini Claude NestJS service users + auth + admin nestjs-security 2 6 JWT auth login + verify middleware jwt 5 5 MongoDB data layer Mongoose model + search mongodb-security 8 8 General API (injection) import + search + reset secure-coding 9 13* One Gemini win, two dead h

2026-05-31 原文 →
AI 资讯

Are Claude skills safe in 2026? What the Snyk ToxicSkills audit actually found

{/* JSON-LD schema is generated server-side in app/blog/[slug]/page.tsx , do not re-add an inline block here, it crashes<br> MDX&#39;s Acorn parser on the leading <code>{</code>. */}</p> <h2> <a name="tldr" href="#tldr" class="anchor"> </a> TL;DR </h2> <p>In February 2026, Snyk published the <a href="https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/">ToxicSkills audit</a>, the first large-scale security review of the public Claude Code skills ecosystem. It scanned 3,984 skills from ClawHub and skills.sh. Findings:</p> <ul> <li><strong>13.4%</strong> contained critical-level issues</li> <li><strong>36%</strong> carried prompt-injection payloads</li> <li><strong>1,467</strong> distinct malicious payloads</li> <li><strong>91%</strong> of confirmed malware combined natural-language jailbreaks with executable shell payloads</li> </ul> <p>If you install a Claude Code skill today without reading its source, the probability that it can read your env vars, exfiltrate <code>~/.ssh/</code>, or chain a bash pipeline that bypasses your deny rules is real and measurable. This post is the cheat sheet for evaluating a skill before you install it. The CTA at the bottom is <a href="https://dev.to/skillvault">SkillVault</a>, the bundle we ship for teams who want this work already done.</p> <h2> <a name="why-the-question-is-suddenly-loadbearing" href="#why-the-question-is-suddenly-loadbearing" class="anchor"> </a> Why the question is suddenly load-bearing </h2> <p>Claude Code skills shipped as an open spec in December 2025. By March 2026, MCP downloads were tracking at 97 million per month, and the most-installed marketplace skill had passed 564,000 installs. <a href="https://venturebeat.com/security/claude-code-512000-line-source-leak-attack-paths-audit-security-leaders">Anthropic&#39;s source leak</a> on March 31, 2026 made the abstract attack surface visceral: the <code>bashSecurity.ts</code> module has 23 numbered security checks, suggesting each was a real incide

2026-05-30 原文 →
开发者

Microsoft is threatening legal action for disclosing exploits

Microsoft is facing criticism for its handling of zero-day exploits. Someone going by the name Nightmare Eclipse has been publicly feuding with the company, posting proof-of-concept exploit code. Some of their posts suggest that they're a disgruntled former employee. But what caught cyber security researcher Kevin Beaumont's eye was how Microsoft has responded. Microsoft suggests […]

2026-05-30 原文 →
AI 资讯

Coding agents should not hold write credentials.

I have been thinking a lot about coding agents lately. Not really about whether they can write good code, because usually they can, sometimes they can't. That part is obvious. But the risk is shifting from wrong answers to wrong outcomes. The part that feels more important to me is this: should the agent actually own the write authority? We already don't trust humans without roles, limits, reviews, and accountability. Developers use PRs, pilots use checklists, bank clerks have transfer limits. Capable agents need the same structure, but machine-readable. Right now a lot of setups still look roughly like this: agent reads the repo agent decides what to change agent has a GitHub token agent creates commits, branches, or PRs I don't think this is the right default. The agent can reason. The agent can inspect files. The agent can propose changes. But the moment it can directly create external impact, the problem changes. It is no longer just: did the agent say something wrong? It becomes: did the agent create the wrong outcome? That is a much more expensive failure mode. Intent is not authority The pattern I like more is simple: agent reads directly agent proposes intent a boundary decides an adapter materializes only admitted work So the agent does not get the write credentials. It submits a structured intent instead, which could look like: { "operation" : "write" , "target" : { "repo" : "example/app" , "branch" : "main" , "path" : "docs/config/agent-policy.md" }, "source_state" : { "blob_sha" : "8f31c2..." }, "requested_effect_hash" : "sha256:..." } This is then not a command anymore, it is a suggestion, or an intent. The system still has to decide whether this proposed outcome should exist. That decision layer can check things like: is this actor allowed? is this repo allowed? is this path in scope? does the source state still match? is this operation allowed? was the same effect already created? should this become a reviewable PR? Only after that should there be an

2026-05-30 原文 →