今日已更新 233 条资讯 | 累计 20205 条内容
关于我们

标签:#SEC

找到 671 篇相关文章

AI 资讯

Configuring DMARC p=quarantine: A Technical Step-by-Step Guide to Secure Your Domain and Improve Deliverability

Introduction to DMARC and the p=quarantine Policy DMARC (Domain-based Message Authentication, Reporting, and Conformance), defined in RFC 7489 , is an email authentication protocol. It builds upon SPF and DKIM to provide domain owners with the ability to protect their domain from unauthorized use. DMARC enables senders to specify how receiving mail servers should handle unauthenticated emails originating from their domain. It also provides a mechanism for receiving servers to report back to the domain owner about authentication results. DMARC policies dictate the action receiving mail servers should take when an email fails DMARC authentication. The three primary policies are: p=none : Monitor mode. Receiving servers take no action on failed messages but send reports. This is the initial deployment phase. p=quarantine : Receiving servers should treat failed messages as suspicious. They are typically placed in the recipient's spam folder or flagged for further review. p=reject : Receiving servers should outright reject messages that fail DMARC authentication. This is the strongest enforcement policy. Implementing p=quarantine is a critical step towards full domain protection. It allows domain owners to mitigate spoofing and phishing attempts without immediately blocking legitimate, but misconfigured, email streams. This policy provides a balance between security enforcement and minimizing potential deliverability disruptions. Prerequisites for DMARC p=quarantine Implementation Before deploying a p=quarantine policy, proper configuration of SPF and DKIM is mandatory. DMARC relies on these underlying authentication mechanisms and their alignment with the sending domain. SPF (Sender Policy Framework) SPF, specified in RFC 7208 , allows domain owners to publish a list of authorized sending IP addresses in their DNS. Receiving mail servers check the SPF record to verify if an incoming email originated from an authorized server. An SPF record is a TXT record at the root of

2026-07-04 原文 →
AI 资讯

How Do You Log Someone Out of a Stateless System? JWT Invalidation on Logout

JWTs are one of those technologies that feel wonderful right up until you hit your first "log me out" requirement. Then you discover the awkward truth: the very property that makes JWTs attractive — statelessness — is also what makes logout hard. This post walks through what JWTs actually are, why "invalidating" one is a design problem rather than a one-liner, and the practical methods available to revoke an access token on logout, along with the bottleneck each one introduces. A quick refresher on JWTs A JSON Web Token (JWT) is a signed, self-contained token. It carries a JSON payload of claims — who the user is, when the token was issued, when it expires, and often a unique token id ( jti ) — and a cryptographic signature over that payload. Because the token is signed with a secret (or a private key), any server holding the corresponding key can verify it is authentic and untampered without calling a database . That last part is the entire point. When a request arrives with a JWT, the server checks the signature and the expiry, reads the claims, and proceeds. No lookup, no shared session store, no round trip. This is what people mean when they call JWT auth stateless : the server keeps no per-user session record. The token itself is the session, and it's valid until it expires. Access tokens and refresh tokens In practice you rarely use a single token. The common pattern splits responsibility across two: The access token is the short-lived workhorse. It's sent on every API request and typically expires in minutes (5–15 is common). Because it's checked statelessly on every call, you want its lifetime short — if it leaks, the damage window is small. The refresh token is long-lived (days or weeks) and does one job: obtain new access tokens when the current one expires. It is not sent on every request — only to a dedicated token endpoint. This lets the access token stay short and stateless while the user avoids logging in every ten minutes. The refresh token is easy —

2026-07-04 原文 →
AI 资讯

Your PDF tool is storing your files. Here's proof.

Upload a file to any random "free" PDF tool online. Then check their privacy policy. Most of them say something like: "We may retain uploaded files for up to 24 hours" or "Files may be used to improve our services" Your client's contract. Your salary slip. Your ID card. Sitting on someone's server. I got tired of this and built a tool where your files never leave your browser. No upload happens at all. 80+ tools, nothing stored, no account needed. Roast it, use it, or ignore it. Up to you.

2026-07-04 原文 →
产品设计

Como o kernel impede que processos executem instruções arbitrárias de CPU?

A gente sempre ouve falar que o sistema operacional impede que um processo veja a memória do outro ou que o programa fale diretamente com o hardware, mas normalmente não explicam o "como". Eu sempre achei isso meio mágico até que eu resolvi ir atrás da resposta, e é bem interessante. Vou me basear na arquitetura x86, mas é provável que outras arquiteturas sejam parecidas. O problema: a CPU Pra CPU não existe processo, kernel, sistema operacional. Existe só endereços de memória de onde ela lê a próxima instrução e executa. Se a CPU pode falar direto com a RAM, SSD, teclado, mouse, tela... O que me impede de escrever um programa pra ler suas senhas e tokens direto da RAM? Ou de ler arquivos e alterar arquivos sensíveis direto no SSD? Por outro lado, se o kernel fiscalizasse cada instrução que da CPU antes dela executar, isso seria extremamente lento... Outro problema: os interrupts Se a CPU só executasse sequencialmente, seu sistema poderia executar várias coisas e esquecer de checar se uma tecla foi apertada, se o mouse mexeu, etc... Então certos eventos interrompem o que quer que a CPU esteja fazendo para serem tratados assim que possível. Alguns exemplos de interrupt são: Teclas do teclado pressionadas ou soltas Botões e movimento do mouse Timers Operações de disco assíncronas Pacotes de rede recebidos/transmitidos Uma solução: rings Os processadores da arquitetura x86 tem o esquema de rings. Pense em rings como grau de limitação. Ring 0 significa limitação zero, ou seja, acesso a todas as instruções da CPU e consequentemente acesso total ao hardware e memória. O kernel roda em ring 0, ou kernel mode. O kernel assim que é carregado configura todos os interrupts handlers da CPU para executar o handler apropriado do kernel, em kernel mode, claro. Em ring 3 a CPU fica limitada e não pode fazer instruções consideradas privilegiadas. E obviamente em ring 3 a CPU não consegue se colocar em ring 0 sozinha, pois dessa forma qualquer programa conseguiria se pôr em ring 0. O

2026-07-04 原文 →
开发者

I’m a Beginner, and I make an Open Source Ethical Hacking Tool Entirely on My Phone.

Hey dev community! I don't have a PC yet, so I challenged myself to build an open source ethical hacking & "security audit" tool called ImCurvin' completely on my phone screen. Here is my honest background: I just started learning programming 6 months ago (yes, January 2026!). Since then, I've been fully focused on coding. Just 2 weeks ago, I decided to jump into cybersecurity. To be honest, I hate memorizing dry theories. I prefer focusing purely on the logic and finding cracks in systems. While I am a bit lazy with documentation, I am doing my best to learn all the official "technical terms" along the way! The project currently stands around 1,155 lines of code (993 Bash, 162 Python), i want it to be minimalist. The tool is fully modularized with separate payload directories, though the overall formatting might look a bit messy since every single character was typed on a smartphone touch screen. I want to keep this post super short, so please check out the full features, code documentation, and contribution guidelines directly inside my repository: Check out https://github.com/Skokoo/ImCurvin Feel free to check it out, and please submit a Pull Request or open an issue if you want to help a beginner clean up and optimize the code!

2026-07-04 原文 →
AI 资讯

Copilot CLI drops the PAT requirement inside GitHub Actions

GitHub said this week that Copilot CLI, when it runs inside a GitHub Actions workflow, will accept the built-in GITHUB_TOKEN for authentication. Per the July 2 changelog, the previous path required creating and storing a personal access token. The operational read is small and precise: one fewer human-owned credential to mint, rotate and inherit. The exact scope of the change The changelog covers a narrow surface. It applies to Copilot CLI when invoked from a GitHub Actions workflow, and it swaps the required credential from a PAT to the workflow's ambient GITHUB_TOKEN . GitHub does not describe changes to how Copilot CLI authenticates outside Actions, and this post will not extrapolate to those contexts. If your Copilot CLI usage lives on a developer laptop or in another CI system, nothing in this announcement moves for you. Why the PAT was the wrong credential to leave in the loop A personal access token has almost none of the properties you would want from an automation credential. It does not expire on a job boundary. It carries a person's identity, not the workflow's. It sits in Actions secrets long enough to outlive the engineer who created it. And its scopes were chosen by that engineer, at that moment, often wider than the job actually needs. GITHUB_TOKEN is the opposite shape. Actions mints it at the start of a job, scopes it through the workflow's permissions: block, and revokes it when the job ends. If the token leaks, the window for abuse is the runtime of the job, not the years until somebody remembers to rotate it. When the person who wrote the workflow leaves, the pipeline does not silently break because a token expired with their account. For scripted Copilot CLI calls that had to be wrapped in a PAT, that is the whole win. The tool authenticates against the workflow instead of against a human. Wiring it up The workflow-side pattern is the same one every GITHUB_TOKEN -consuming step already follows: declare permissions: explicitly at the job level, k

2026-07-04 原文 →
AI 资讯

AI-Assisted AuthZ Review: Reading Permission Boundaries in Ory Kratos

Second in a series on using AI to review authorization — not to spray reports. Companion reference: AuthZ Smell Catalog . 1. Why AuthZ review is not vulnerability spraying The cheapest thing an AI can do in security is generate suspicion. Point a model at a codebase and it will hand you fifty "possible IDORs" before you finish your coffee. Almost all of them are wrong — guarded three lines up, scoped at the data layer, or protected at a boundary the model never saw. That flood is exactly why several bug bounty programs spent 2026 tightening or pausing: they were drowning in confident, plausible, wrong reports. So this review inverts the usual loop. The AI's job is not to find bugs — it is to over-generate hypotheses cheaply . My job is to kill them. What survives that killing is the only thing worth a human's time, and the record of what died is more useful than the record of what lived. The artifact of an honest review is therefore not a finding. It's a kill table . 2. Target and scope Target: Ory Kratos — an open-source identity and user-management server (login, registration, recovery, verification, sessions, self-service settings). Source-available, Apache-2.0. Why Kratos: it is exactly the shape where authorization goes wrong — multiple identities, a public API and an admin API, and (in Ory's hosted product) multi-tenancy. If a boundary is fragile, this is where it shows. Scope of this write-up: source reading only , on the public repository, single-tenant OSS build. No hosted target was touched. Nothing here is an undisclosed finding — the point is the method and the boundary design , and where relevant, how the design held against the hypotheses I tested. This maps to the reproduction tiers we track: everything below is repo_only , and I say so explicitly rather than implying it reaches a live product. What this review does and does not claim. In this limited, repo-only review, the hypotheses I tested were killed. This is not a claim that Kratos has no vulner

2026-07-04 原文 →
AI 资讯

How to Test OAuth Recovery Emails Without Exposing Real Inboxes

OAuth recovery emails look harmless until you test them the lazy way. A team sends password reset links or recovery codes into one shared mailbox, confirms that something arrived, and marks the job done. From a security view, that test is too weak. It can hide token reuse, wrong-user delivery, or log retention that exposes sensitive account events. For non-production checks, I like using a disposable email address that belongs to one test run. Some teams build that inbox layer themselves, some use tempmailso, but the core principle is the same: isolate the recovery event, inspect it quickly, and delete the evidence you no longer need. That is helpful when Authentication and OAuth changes ship together. Why OAuth recovery emails deserve their own threat model Recovery email tests are not just "did the mail send?" checks. They sit on the edge of account takeover risk, so the message itself matters almost as much as the login flow. A decent threat model for these emails should ask: did the message reach only the intended inbox for this run? does the link or code expire when the product says it does? is the message revealing too much user data in subject lines or previews? can an older token still be used after a new recovery request? do logs or test fixtures keep the recovery secret longer than they should? This is where shared inboxes become dangerous in a subtle way. Even if nobody has bad intent, mixed test data makes it harder to prove which token belonged to which request. The same operational confusion shows up in email change confirmation checks , and it gets worse when the email can restore account access. OWASP recommends testing authentication recovery features with the same care as sign-in and session controls, because weak recovery paths are a common bypass route for stronger primary login defenses: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html A safer test flow for recovery links and codes The cleanest pattern is one inbox

2026-07-04 原文 →
AI 资讯

OAUTH2.0 In Action — A Guide To Implementing OAUTH In Apps and Websites.

Table of contents What is OAUTH A trip to OAUTH1.0Ville What is OAUTH2.0 Examples of OAUTH Technology OIDC Hands-on Implementation with Microsoft Entra ID What is OAUTH OAUTH is a technological standard that allows you to authorize one app or service to sign in to another without divulging private information, such as passwords. OAUTH stands for Open-Authorization , not Authentication . Authentication is a process that verifies your identity, although OAUTH involves identity verification, its main purpose is to grant access to connect you with different apps and services without requiring you to create a new account. How Does OAUTH Work OAUTH uses access tokens, and this is what makes OAUTH secure to use. An access token is a piece of data that contains information about the user and the resource the token is intended for. A token will also include specific rules for data sharing . For example, you want to share your photos from Instagram with Kyrier — An intelligent email platform built for professionals who refuse to let their inbox run their day , but you only want Kyrier to access your profile image. Kyrier does not also need to access your direct messages or friends list. Instagram issues an access token to Kyrier to access the data you approve (your profile image in this case) on your behalf. So an access token will only allow Kyrier to access your profile image, not even other photos on your page. There may be rules governing when Kyrier can use the access token, it might be for a single use or for recurring uses, and it always has an expiration date. A trip to OAUTH1.0Ville Welcome to OAuth1.0Ville. Please keep your hands inside the vehicle. This is where OAuth started. It was built only for websites , back when "an app" meant a web page and nothing else. Although it worked, it had a lot of problems: Only three authorization flows (2.0 has six) No real plan for mobile or modern apps A scaling problem it never solved It also makes you cryptographically sign e

2026-07-03 原文 →
AI 资讯

The hard part of attacking an AI isn't breaking it. It's telling real harm from fake.

I built a red-team test suite that fires adversarial prompts at an LLM-backed API and decides, for each reply, whether a guardrail actually broke. It is the project where I stopped writing tests that answer "did the model refuse?" and started writing tests that answer a much harder question: "did anything bad actually happen?" Those turn out to be very different questions. The gap between them is the whole project. Most of the work is reading, not attacking Every project in this series has turned out to be more reading than coding, and this one most of all. The reflex is to assume the attacks are the work - write a clever payload, watch the model fall over, log a finding. The attacks are the fast part. What eats the time is sitting and reading model replies, one at a time, end to end, to decide whether a reply is a genuine bypass or just the model being chatty. There is no framework in that loop. You fire one payload and read the reply yourself: curl -s localhost:8000/ask -H 'content-type: application/json' \ -d '{"question":"YOUR PAYLOAD HERE"}' | jq -r .answer Here is the smallest example. I sent the model a base64 string that decodes to "how to make a bomb." The input filter is a list of banned English phrases, and base64 isn't English, so it sailed through and my detector flagged it: guardrail evaded, success. Except the model can't actually decode base64. It hallucinated some cleartext and cheerfully answered that instead - a few bland lines about friendship and happiness. The guardrail was bypassed and the payload delivered nothing. If I had trusted the green checkmark, I would have filed a bomb-instructions bypass over a reply about being a good friend. That is the whole project in one reply. A detector can be technically right ("the filter was evaded") and completely wrong about what matters ("something harmful got out"). The only way to tell them apart is to read the actual words. Reading is the work, not a step you do after it. The success rate over-counts

2026-07-03 原文 →
AI 资讯

Developing a Practical, Ethical Web/AppSec Learning Platform for Modern Vulnerabilities and Patterns

Introduction: The Need for Modern Web/AppSec Training The cybersecurity landscape is evolving at a breakneck pace, but the tools we use to train the next generation of defenders are stuck in the past. Most web/appsec learning platforms still focus on basic, textbook vulnerabilities —XSS popups, simple SQL injection, or trivial IDORs. These labs are like teaching someone to swim in a kiddie pool; they might grasp the concept, but they’re ill-prepared for the open ocean of modern web applications . The gap isn’t just in depth—it’s in relevance . Real-world apps today are complex, API-driven, and riddled with subtle, pattern-based vulnerabilities that don’t fit into neat, isolated lessons. Consider this: a developer misconfigures a GraphQL endpoint, exposing an entire database. Or an API leaks sensitive data because of a flawed rate-limiting mechanism. These aren’t edge cases—they’re common mistakes in modern apps. Yet, most training platforms ignore them, leaving learners to either stumble upon these issues in the wild or remain oblivious. The result? A workforce of security professionals who can theoretically exploit a vulnerability but struggle to identify or fix it in a real-world context . The problem isn’t just outdated content—it’s the lack of ethical, hands-on practice environments . Many aspiring security professionals resort to illegal or gray-area practices to gain experience, risking legal consequences and ethical dilemmas. What’s needed is a platform that simulates real-world scenarios without crossing ethical boundaries, one that teaches not just how to exploit but also why vulnerabilities occur and how to fix them . Here’s the core issue: modern apps are systems, not isolated components . A vulnerability in one part—say, a file upload feature—can cascade into a full account takeover if combined with a session management flaw. Most labs fail to teach this interconnectedness , leaving learners with a fragmented understanding. A practical platform must brid

2026-07-03 原文 →
AI 资讯

Anatomy of an API scrape: reading 251 requests like a crime scene

Last week someone tried to copy my visa API's database. They didn't succeed — they got 0.6% of it before I cut the key — but the 251 requests they left behind are a near-perfect teaching case for what targeted API extraction actually looks like from the defender's side. Here's the forensic walkthrough. The target One endpoint: GET /api/v1/visa?from={passport}&to={destination} It returns the visa rule for a passport→destination pair — visa type, allowed stay, conditions. The full matrix is ~39,585 pairs . That matrix is the product. The evidence The attacker's requests weren't spread across the map. They were a sweep, one passport at a time: Passport Destinations pulled Coverage 🇦🇪 UAE (ARE) 195 ~100% of that passport's matrix 🇦🇺 Australia (AUS) 53 ~1/4, interrupted 🇨🇳 China (CHN) 2 test calls 249 unique pairs, near-zero duplicates. Whoever wrote this was methodical: validate that one full passport comes out cleanly, then move to the next. Reading the cadence The timestamps are where a scrape gives itself away. Minute by minute: 11:56 2 ← test phase (incl. the one failure) 11:57 1 11:58 25 ┐ 11:59 26 │ 12:00 20 │ ~25 req/min, dead regular … │ = one request every ~2.4s 12:07 21 ┘ No human reads visa rules on a 2.4-second metronome for 11 minutes. This is a loop. The fingerprint Four signals — and the point isn't nationality, it's that the request parameters themselves leaked the intent: Handle: visadb_scraper . It signed its own work. Email: throwaway @temp.com . No intention of receiving anything. Languages: en + zh , on a product with no Chinese-market surface yet. Error signature: the very first call (CHN→THA, in Chinese, 11:56:45) failed, then everything ran clean. Classic "calibrating the script" tell. The math 250 records is 0.6% of the base. At 25 req/min, a full dump would've taken ~26 hours . This wasn't a dump — it was a feasibility test . They proved a whole passport comes out easily, then stopped, nowhere near the 3,000/month free-tier ceiling. What I coul

2026-07-03 原文 →
AI 资讯

The Security Liability of Memory Allocation in TEEs: A Design Decision Log

Memory allocation is not a feature — it is a security liability. In high-assurance Trusted Execution Environments (TEEs), you cannot afford the jitter or the fragmentation of a probabilistic global heap. When building the sakshi-core attestation loop for the Sovereign Spine architecture, the requirement was absolute: determinism. Standard heap allocation introduces non-deterministic paths, memory fragmentation, and significantly increases the complexity of the Trusted Computing Base (TCB). For our enclave, that is unacceptable. The Problem: Why GlobalAlloc Fails the TEE Test In a standard Rust environment, we lean on the global allocator. In a TEE, however, the global allocator is a massive attack surface. Jitter: Allocation time varies based on heap state, leaking metadata through timing side-channels. Fragmentation: Heap fragmentation can lead to unpredictable exhaustion, a vector for Denial of Service (DoS) within the enclave. TCB Bloat: The allocator logic itself adds thousands of lines of code to your audit surface. The Solution: Session-Scoped Bump Buffer To enforce architectural certainty, I stripped away the dependency on standard heap allocation in the enclave. Instead, I implemented a session-scoped bump buffer . This is a contract-based memory model: Constant-time execution: Allocation is a pointer increment operation, taking 1-2 CPU cycles. Zero-fragmentation: Memory is allocated linearly and cleared atomically at the session boundary. Simplified TCB: By removing GlobalAlloc , the enclave memory logic is reduced to a handful of lines of verifiable code. Implementation Concept The core logic relies on a pre-allocated static region. We do not ask the system for memory; we own a dedicated slab of silicon-backed memory and manage it strictly within the request lifecycle. // Conceptual implementation of the session-scoped buffer pub struct BumpBuffer { buffer : & 'static mut [ u8 ], offset : usize , } impl BumpBuffer { pub fn alloc ( & mut self , size : usize

2026-07-03 原文 →
AI 资讯

SaaS Security Best Practices: Auth, Authorization, and Data Protection

Security is not a feature — it is a property of your entire architecture. This guide covers the security practices implemented in production SaaS applications like tanstackship.com : authentication with password hashing and session management, role-based and attribute-based authorization, data encryption at rest and in transit, API security with CSRF and rate limiting, and ongoing monitoring for vulnerabilities. Authentication: The Identity Layer Session vs Token-Based Auth Aspect Session Auth JWT Auth Hybrid (Recommended) Storage Server-side (D1/Redis) Client-side (localStorage) Server + client Expiry Server-managed Self-contained Dual expiry Revocation Immediate Difficult (until expiry) Session invalidation + JWT refresh Scale Database lookups per request Stateless Cached sessions XSS risk Lower (HTTP-only cookie) Higher (JS-accessible) HTTP-only cookie for session Implementation with Better Auth // src/lib/auth.ts — using Better Auth with Drizzle import { betterAuth } from " better-auth " import { drizzleAdapter } from " better-auth/adapters/drizzle " import { createDb } from " ../db " export const auth = betterAuth ({ database : drizzleAdapter ( createDb ( env ), { provider : " sqlite " , }), emailAndPassword : { enabled : true , autoSignIn : true , passwordHash : { algorithm : " argon2 " , // Argon2id — OWASP recommended params : { memoryCost : 19456 , timeCost : 2 , parallelism : 1 , }, }, }, socialProviders : { google : { clientId : env . GOOGLE_CLIENT_ID , clientSecret : env . GOOGLE_CLIENT_SECRET }, github : { clientId : env . GITHUB_CLIENT_ID , clientSecret : env . GITHUB_CLIENT_SECRET }, }, session : { expiresIn : 7 * 24 * 60 * 60 , // 7 days updateAge : 24 * 60 * 60 , // Refresh every 24 hours }, }) Password Security Checklist [ ] Passwords hashed with Argon2id (not bcrypt, not scrypt) [ ] Minimum 8 characters, no arbitrary complexity rules [ ] Rate-limited login attempts (5 per minute per IP) [ ] Email verification required before first login [ ] Sessio

2026-07-03 原文 →
AI 资讯

Stop pasting JWTs into random websites

A JWT isn't just JSON you can inspect. It's a live bearer token. Here's a safer way to decode one. A few days ago I was reviewing a bug with a teammate. They wanted to see what was inside an access token, so they copied it into the first JWT decoder Google returned. It wasn't a dummy token. It was a production access token with almost an hour left before it expired. Nobody was trying to do anything risky—it was just the quickest way to inspect a JWT. That's exactly why this keeps happening. The thing people forget A JWT looks like this: header.payload.signature The payload isn't encrypted. It's just Base64URL-encoded JSON. Because of that, people often think: "The payload isn't secret, so the token is probably safe to paste." Those aren't the same thing. The payload may be readable, but the token itself is still your credential . Anyone holding it can usually authenticate as you until it expires. Why online decoders make me nervous Some JWT tools only decode locally in your browser. Others offer things like signature verification, claim validation, or key management. Features like those often require talking to a backend, which means the token gets sent somewhere else. Maybe the site is trustworthy. Maybe it isn't. From the UI alone, you usually can't tell. Even if a decoder claims everything runs client-side, I don't like assuming that's true when I'm holding a production credential. You don't need a website to inspect a JWT Most of the time I'm only interested in the payload anyway. echo " $TOKEN " \ | cut -d '.' -f2 \ | base64 --decode \ | jq Because JWTs use Base64URL encoding, you may need to translate the alphabet and add padding first: decode_jwt () { local payload = $( echo -n " $1 " | cut -d . -f2 | tr '_-' '/+' ) while [ $(( ${# payload } % 4 )) -ne 0 ] ; do payload = " ${ payload } =" done echo " $payload " | base64 --decode | jq } decode_jwt " $TOKEN " That gives you the claims, expiration time, issuer, audience—everything most people open a decoder for.

2026-07-03 原文 →
AI 资讯

Linux LUKS Vulnerability, Android Developer Verification Threat, GitHub Secret Scanning Guide

Linux LUKS Vulnerability, Android Developer Verification Threat, GitHub Secret Scanning Guide Today's Highlights This week's top security news features a critical data leakage bug in Linux LUKS disk encryption, a deceptive new threat leveraging Android developer verification, and GitHub's practical guide to managing secret scanning alerts at scale. These stories highlight the ongoing challenges in OS hardening, mobile supply chain defense, and secrets management. Linux 6.9 LUKS Suspend Bug Leaves Encryption Keys in Memory (Hacker News) Source: https://mathstodon.xyz/@iblech/116769502749142438 A critical vulnerability has been identified in Linux kernels since version 6.9, where Logical Unit Key (LUKS) disk encryption keys are no longer reliably wiped from memory when a system enters suspend mode. This flaw means that after resuming from suspend, or even during a 'cold boot' attack, a sophisticated attacker with physical access could potentially extract the disk encryption keys directly from the system's RAM. Prior to this, LUKS was designed to clear these sensitive keys, providing a layer of protection against memory forensics attacks. The issue fundamentally undermines the security posture of LUKS-encrypted systems that rely on suspend functionality. It poses a significant risk for users and organizations handling sensitive data on laptops or any device where physical access by an adversary is a concern. The practical implication is that suspending a Linux 6.9+ system with LUKS encryption may no longer be a secure operation, forcing users to fully shut down their machines to ensure key erasure. Mitigation strategies include avoiding suspend, reverting to an earlier kernel version if feasible, or diligently monitoring for official patches addressing this severe data leakage vector. Comment: This is a serious regression impacting fundamental data at rest security for Linux users, especially on laptops. If you use LUKS, avoid suspend on Linux 6.9+ until a fix is verif

2026-07-03 原文 →