今日已更新 328 条资讯 | 累计 20300 条内容
关于我们

标签:#Security

找到 665 篇相关文章

开发者

Connecting Sophos Central to a Copilot Studio Agent with Power Automate

I wanted a chat agent that could pull security alerts from Sophos Central on demand. Type "get Sophos alerts" into a Copilot Studio chat, get back a readable answer. No dashboard, no manual API calls. It works now, end to end. Agent calls a Power Automate flow, the flow talks to the Sophos API, and the response comes back formatted in chat. This post is how I got there, including the bugs that ate most of my time. The shape of the thing Three pieces: A Copilot Studio agent that the user talks to A Power Automate flow that does the actual API work The Sophos Central API on the other end The agent does not call Sophos directly. It calls the flow, the flow handles auth and the request, and the result gets passed back to the agent to format. Keeping the API logic in the flow means the agent stays simple. The flow The flow is named Sophos - Get Alerts , living in a solution called Sophos Integration . Here is the structure: [Trigger: When Copilot Studio calls a flow] | [Init ClientId] - String (Sophos Client ID) [Init ClientSecret] - String (Sophos Client Secret) [Init TenantId] - String (your Sophos tenant ID) [Init ApiHost] - https://api-<region>.central.sophos.com | [HTTP Get Token] POST https://id.sophos.com/api/v2/oauth2/token Header: Content-Type: application/x-www-form-urlencoded Body: grant_type=client_credentials&client_id={ClientId}&client_secret={ClientSecret}&scope=token | [Parse Token] - extract access_token | [HTTP Get Alerts] GET {ApiHost}/common/v1/alerts Headers: Authorization: Bearer {access_token} X-Tenant-ID: {TenantId} Accept: application/json | [Return value(s) to PVA: AlertsResponse = body('HTTP_Get_Alerts')] Auth is OAuth client credentials. You request a token, then use it as a bearer token on the alerts call. The tenant ID goes in an X-Tenant-ID header, not the URL. Where the credentials live This is the part people will have opinions about, so let me be upfront. The Sophos client ID, secret, and tenant ID are stored as flow-scoped variables wit

2026-06-23 原文 →
AI 资讯

Stop returning the same "blocked" error from your agent guardrail

If you run deny-by-default tool guards on AI agents, your refusal is a security decision — not a logging afterthought. I watched one source mutate a malformed tool call ~1,400 times against a production agent in a weekend. Every identical BLOCKED response was feedback for the attacker's automated search: same input shape → same refusal → "colder," changed shape → changed response → "warmer." A Keysight paper (arXiv:2606.20470) quantifies it: deterministic detect-and-block lets attack success rate approach 1 as the query budget grows, because predictable refusals feed model-guided search. Their detect-and-misdirect approach cuts the ASR upper bound by up to ~2 orders of magnitude. The cheap version of the fix, in pseudocode: ​ # BEFORE: a stable refusal = a label for the attacker's search def on_blocked ( call ): return { " error " : " TOOL_CALL_BLOCKED " , " code " : 4031 } # identical every time # AFTER: vary a non-operational response so the deny path isn't a compass def on_blocked ( call ): # return a controlled, plausible-but-non-operational response; # randomize shape/latency so block != stable signal return misdirect ( call , vary = [ " shape " , " delay " , " message " ]) Caveats from doing this in prod: It makes YOUR debugging harder (your own false positives now look noisy too) — log the real reason internally, only vary the external response. Varying text isn't enough if latency still leaks. Treat timing + error-shape as part of the response surface. Open question I don't have a clean answer to: does misdirection just move the oracle one layer up into side channels? I maintain an open-source deny-by-default firewall for agent tool calls (agent-airlock), which is how I had the logs to catch this. The lesson generalizes to any guardrail: a denied call's response is attack surface.

2026-06-23 原文 →
AI 资讯

New Dimensions of Onchain Threats, Accelerated by AI.

Sometime in 2024 I had a Coinbase wallet on my laptop. I had created the wallet some months back, backed up and all, and just sent very little amount of $ETH to the wallet. Then in 2024 I was paid $100 for a gig which I sent to this wallet, I also sent another $650 worth of cryto as "savings". The next morning I decided to check my "savings", wallet was empty. At first I didn't believe that I was hacked, because I had some $1.50 or so worth of $ETH in the wallet for months and it was safe, so what happened? I traced the transaction history and there was the full detail of how someone sent some $ETH to the wallet, then moved out my "savings" and afterwards also took back the remaining $ETH from the one they had sent in for the attack. I checked on Twitter and saw many other posts of people who had experienced the same exploit, exactly the same pattern... and some of the people who lost their funds were experienced blockchain developers and crypto guys. I made a post about it, told my friends to avoid the wallet and tried to forget about the experience. Blockchain hit instant PMF for many, especially people in parts of the world where there are crazy high fees and bank charges. The moment people tried sending crypto and for a few cents in gas fees, there was no going back for them. The only issue has always been how to secure users' funds, desperate people will always find a way no matter how complex the UX was. After losing my savings I stopped using self custodial wallets and only used Centralized Exchanges for a while. I thought, even though that was a non-custodial wallet, the builders still should have ensured strong security and secure backups, so users don't lose funds unnecessarily. This happened to me when AI and LLMs were still at their early development stages. You can only imagine how sophiscated the attacks have gotten, now that AI and LLMs are very advanced and more capable. To put things in perspective, more than $640 million was lost to deFi hacks and

2026-06-23 原文 →
AI 资讯

We log into our own admin console with our own SAML. Here's what it caught.

There's a version of dogfooding that's a slogan, and a version where your own employees can't ship code until the bug is fixed. We run the second kind. The Authagonal staff console, the one we use to manage every tenant, authenticates through Authagonal itself: SAML single sign-on from our Entra directory, with SCIM deciding who gets in and what they can do. There is no separate admin password table. We deleted it. If our own SAML is broken, we are locked out of our own product. That's uncomfortable in exactly the useful way. It turns "SSO is an enterprise feature we support" into "SSO is the only way the people who built this get to work today." Here's what being our own customer caught. A trimmed build that broke signature verification We publish the auth server trimmed, to keep the image small. Trimming aggressively deletes code it can't prove is used, and reflection hides usage from it. .NET resolves its XML-signing crypto algorithms by name, reflectively, through CryptoConfig . The trimmer couldn't see those types were needed, removed them, and SignedXml quietly came back unable to build the algorithm. SAML signature verification, the step that proves the login is real, threw a null reference at runtime. The unit tests passed, because they ran against the untrimmed build where the types still existed. Only the trimmed production artifact failed, and it failed at the exact moment a human tried to sign in. We ship the auth server untrimmed now, with a healthy distrust of trimming anything near reflection-based crypto. If we only supported SAML rather than living on it, this is a customer's incident report instead of ours. Provisioning is the actual login Authenticating a user is the easy half of SSO. The hard half is deciding what they're allowed to do and keeping it in sync as people join and leave. We drive that with SCIM: Entra group membership maps to roles, resolved at the moment a token is issued, not copied once at account creation. Add someone to the righ

2026-06-23 原文 →
AI 资讯

We Scanned 10 Shopify Agency Websites. Here Is What We Found.

Last night I ran external security scans on the public websites of 10 leading Shopify and Shopify Plus agencies — the same scan any browser or attacker would see. No credentials, no special access. One agency scored an A. Three scored C- or below. The most common finding appeared on 9 of 10 sites. TL;DR 1 agency scored an A. 3 scored C- or below. 1 scored a D. The most common finding — missing security headers — appeared on 9 of 10 sites. 6 of 10 agencies have no HSTS at all. One agency has a session cookie without the Secure flag. That is the most concrete finding in the set. What was scanned Five categories per domain: TLS (HSTS presence and max-age), security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), cookie flags, DNS hardening (DNSSEC and CAA) and sensitive exposure paths. All scans run on 23 June 2026. This covers the agencies' own marketing sites — not the client stores they build. Results Agency Domain Score Grade 1Digital Agency 1digitalagency.com 94 A Acidgreen acidgreen.com.au 77 B 30 Acres 30acres.com.au 76 B Fourmeta fourmeta.com 76 B Blend Commerce blendcommerce.com 76 B Elkfox elkfox.com 76 B Charle Agency charleagency.com 62 C Fyresite fyresite.com 62 C Eastside Co eastsideco.com 58 C- Swanky Agency swankyagency.com 55 C- Blubolt blubolt.com 54 D Per-agency notes 1Digital Agency — A (94) HSTS at two years, X-Content-Type-Options and Referrer-Policy set correctly, Permissions-Policy restricting camera, microphone and geolocation, CSP frame-ancestors in place of X-Frame-Options. Only gap is HSTS missing includeSubDomains. Acidgreen — B (77) HSTS with two-year max-age, includeSubDomains and preload — the strongest TLS config in the set. But CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are all absent. Worth noting Acidgreen is multi-platform (Shopify Plus, Adobe Commerce, Magento) rather than Shopify-only. 30 Acres — B (76) A Shopify Plus Partner agency based in Byr

2026-06-23 原文 →
AI 资讯

Securing AI: Codex Operational Bugs, Claude Output Integrity, Copilot Context

Securing AI: Codex Operational Bugs, Claude Output Integrity, Copilot Context Today's Highlights This week's top security news highlights critical operational bugs impacting AI systems, alongside deeper dives into ensuring the integrity of AI-generated content. We also explore how improved context handling in AI coding assistants can subtly enhance generated code security. Codex logging bug may write TBs to local SSDs (Hacker News) Source: https://github.openai/codex/issues/28224 A recently disclosed bug in OpenAI's Codex has revealed a critical operational security concern: excessive logging that can lead to the rapid consumption of local SSD storage. This issue, documented on GitHub, highlights how seemingly innocuous software bugs can escalate into denial-of-service (DoS) vectors, particularly in resource-intensive AI environments. While not an exploit in the traditional sense, a system running out of disk space due to uncontrolled logging can halt operations, prevent critical updates, or even lead to data loss if not managed proactively. For developers and system administrators deploying AI models like Codex, this bug serves as a potent reminder of the importance of robust logging configurations and monitoring. Proactive measures, such as log rotation, size limits, and alerts for abnormal disk usage, become essential hardening techniques. This vulnerability underscores that operational stability is a key component of overall system security, especially when integrating complex AI tools into production environments where resource consumption can be unpredictable. Comment: This bug is a stark reminder that even sophisticated AI tools can have fundamental operational flaws. Monitoring disk usage and implementing strict log management policies are non-negotiable for AI deployments. The text in Claude Code’s “Extended Thinking” output (Hacker News) Source: https://patrickmccanna.net/the-text-in-claude-codes-extended-thinking-output-is-not-authentic/ An analysis of Cl

2026-06-23 原文 →
AI 资讯

Filter what your AI email agent sends and receives

An AI agent with its own mailbox reacts to whatever lands in it. That's the point, until a spam blast, a mailer-daemon loop, or an auto-reply triggers the agent into answering noise. The same goes the other way: an agent composing mail on its own can address the wrong person, leak to a test domain that slipped into production, or email a competitor because nobody told it not to. A human would catch these. An agent needs guardrails encoded somewhere it can't skip. Agent Accounts ship three admin resources for exactly this: Policies bundle limits and spam settings, Rules match mail on the way in or out and run actions like block or assign_to_folder , and Lists are reusable collections of domains or addresses that rules reference. This post covers all three from two angles: the HTTP API for your backend, and the Nylas CLI for inspecting and managing policies and rules from the terminal. Lists, workspaces, and the rule-evaluations audit log are API-only for now. I work on the CLI, so the terminal commands below are the ones I reach for. How Policies, Rules, and Lists fit together The three resources form a chain, and a workspace ties it to your accounts. A List holds values like domains or addresses. A Rule references lists through the in_list operator and describes conditions and actions. A Policy bundles limits and spam settings. A workspace carries one policy_id plus an array of rule_ids , and every Agent Account in that workspace inherits both. What matters here: you don't attach a policy or rule to an individual grant. You set policy_id and rule_ids on a workspace , and they apply to every account in it. Each application has a default workspace that holds any account you haven't placed elsewhere, so configuring that one workspace covers all your unassigned accounts at once. All three resources are application-scoped — they carry no grant ID in the path, and your API key identifies the application. Resource What it owns How it's referenced List A typed collection of

2026-06-23 原文 →
AI 资讯

Why I Log response.model on Every Claude Call (and You Should Too)

It is a one-line habit that has saved me more debugging time than any clever abstraction: I log which model actually answered every Claude request. Not which model I asked for. Which one responded. In 2026, with model fallbacks, fast-changing model strings, and routing logic, those are not always the same thing. Here is why the gap exists and what it has caught. The request model and the response model can differ You send model: "claude-fable-5" . You assume Fable 5 answered. But the response object tells you what actually served the request: const response = await client . messages . create ({ model : " claude-fable-5 " , max_tokens : 16000 , thinking : { type : " adaptive " }, messages : [{ role : " user " , content : prompt }], }); console . log ( " requested fable-5, served: " , response . model ); Most of the time they match. The interesting cases are when they do not. The Fable 5 safeguard fallback The reason this matters most in 2026 is Fable 5's safeguards. Fable 5 has hard guardrails in cybersecurity, biology, chemistry, and health. If your prompt trips one, the request does not just refuse. It silently falls back to Opus 4.8 to produce a safe answer. For my security work, this is a sharp edge. I run contract-analysis prompts that can look adversarial to a safeguard. If one trips, I am quietly getting Opus 4.8 output while believing I am getting Fable-tier reasoning. The quality difference on a hard audit is exactly the thing I paid double for, and it vanished without an error. The only way to know is to read response.model : if ( ! response . model . startsWith ( " claude-fable-5 " )) { logger . warn ( { requested : " claude-fable-5 " , served : response . model }, " Fable 5 request fell back, likely a safeguard trip " , ); } Without that log, a fallback is invisible until I notice the analysis got worse and have no idea why. Routing logic and config drift The other source of the gap is my own code. I have routing that picks a model based on task type and

2026-06-22 原文 →
AI 资讯

Azure Key Vault: Where Every Secret in This Blog Actually Lives

I have written some version of "never hardcode secrets, store them in Key Vault instead" in at least five of my last nine posts on this blog. I never actually stopped to explain what that means in practice. This post fixes that, using the real secrets this very blog depends on: a database connection string, an admin panel password, and a set of GitHub deployment credentials. What Azure Key Vault Actually Is Azure Key Vault is a managed service for storing secrets, encryption keys, and certificates securely in the cloud. Instead of a password sitting in a configuration file or a public GitHub repository where anyone with read access can see it, the password lives in Key Vault - encrypted, access-controlled, and logged every single time it is read. Picture your code as a house with see-through walls - anyone looking at the repository can see everything inside, including any password left lying on the kitchen table. Key Vault is a bank vault a few streets away. Your code does not hold the password directly; it holds a key card that lets it walk over and request the password at the exact moment it is needed. Lose the key card, and you still cannot get into the vault without proper identity verification on top of it. Three Things Key Vault Stores Secrets are plain string values - passwords, connection strings, API keys, tokens. Keys are cryptographic keys used for encrypting and decrypting data, or for signing and verifying it. Certificates are X.509 certificates used for TLS or client authentication between services. Most applications, including this one, primarily use the Secrets feature. An Honest Admission About TechStackBlog's Own Setup This blog does not actually use Key Vault directly today. The database password lives in Azure App Service Configuration. The admin panel password and deployment credentials live in GitHub Secrets. For a single-application personal project, this is a perfectly reasonable and secure setup. Key Vault earns its place once you have multi

2026-06-22 原文 →
AI 资讯

88% of orgs hit an AI agent security incident — and half their agents run with no boundaries. That's an architecture problem.

A stat from 2026 that should stop you cold: 88% of organizations reported a confirmed or suspected AI agent security incident in the past year (92.7% in healthcare). And more than half of all agents run with no security oversight and no logging — naked. The problem isn't that the AI isn't smart enough. It's that almost nobody welded boundaries around it. And boundaries are exactly where rigor lives. The incident list: speed flooring it, boundaries naked The last couple of weeks of security signals line up scarily well: 88% of orgs reported confirmed/suspected AI agent incidents in the past year; healthcare 92.7% ; over half of agents have no security oversight or logging. Supply chain is the front door. A plugin-ecosystem supply-chain attack harvested agent credentials from 47 enterprise deployments ; attackers used them to reach customer data, financial records, and proprietary code — undetected for six months. A public skills marketplace at one point hosted 824 of 10,700 malicious "skills." Config is an attack surface. Check Point disclosed remote code execution in a popular coding agent via poisoned repository config files ; MCP (Model Context Protocol) is the connective tissue across nearly every incident this year — poisoned configs, malicious marketplace skills, unauthenticated exposed MCP servers. By early 2026, at least ten public incidents across six major AI coding tools were attributed to " agents acting with insufficient boundaries. " The industry's own summary: AI agent security in 2026 is a supply chain problem first, a prompt-injection problem second. And every one of these shares a single root cause — the agent can act, but there's no architectural boundary on what it can touch, change, or call. Why "naked" is inevitable: bolt-on boundaries always leak Why do half the agents run with no oversight? Because in the mainstream approach, boundaries are bolt-ons : an allow-list here, a gateway there, logs you read after the fact. The trouble: The tools an

2026-06-22 原文 →
AI 资讯

Article: Understanding ML Model Poisoning: How It Happens and How to Detect It

In this article, the author explores data poisoning as a threat to machine learning systems, covering techniques such as label flipping, backdoors, clean-label poisoning, and gradient manipulation. The article reviews real-world incidents, discusses the challenges of detecting poisoned data, and presents practical defenses, tools, and operational practices for securing ML training pipelines. By Igor Maljkovic

2026-06-22 原文 →