今日已更新 63 条资讯 | 累计 20533 条内容
关于我们

标签:#Security

找到 674 篇相关文章

AI 资讯

How OpenAI Built a Secure Windows Sandbox for Codex Agents

OpenAI details Codex Windows sandbox architecture, showing how SIDs, ACLs, restricted tokens, and dedicated sandbox accounts enable safe execution of autonomous coding tasks. The design balances isolation with real developer workflows and shows how OS security primitives must be composed for AI agents on local development environments. By Leela Kumili

2026-06-05 原文 →
开发者

Top 10 Non-Human Identity Security Tools and Platforms for 2026

TL;DR: Non-human identities (service accounts, API keys, workload identities, certificates, OAuth apps, machine-to-machine access) now outnumber humans over 1:1 in most cloud-native orgs. The biggest security risks are unmanaged lifecycle, overprivileged access, and exposed credentials across SDLC and cloud environments, not just secret storage. The best NHI security tools in 2026 fall into four major categories: Secrets Detection and Exposure Prevention NHI Lifecycle and Governance Platforms Machine Identity and Certificate Management Vault and Authorization Extensions Most enterprises require layered coverage across detection, governance, and lifecycle automation. Adopting this multi-layered strategy enables organizations not only to find leaks but also to close the structural gaps that allow them to occur. Why Non-Human Identities Are the Fastest-Growing Attack Surface in 2026 In 2026, attackers rarely try to " hack passwords ". Instead, they exploit the massive, often unmonitored web of non-human identities (NHIs) that power modern automation. They specifically look for hardcoded API keys, overprivileged service accounts, stale OAuth tokens, misconfigured workload identities, unrotated certificates, and shadow SaaS integrations that slip through the cracks of traditional security programs. This is a problem because machine identities far outnumber human users. However, most security programs rely on frameworks designed for human-centric access. IAM Strategy for CISOs: Securing Non-Human Identities Thankfully, top non-human identity protection tools help secure this critical attack surface. By understanding the categories of enterprise NHI security solutions, you can build a strategy that provides complete visibility and robust security controls across your entire infrastructure. What Do Non-Human Identities (NHIs) Include Today? Non-human identities are the digital identities used by machines, services, and applications to authenticate and communicate with other

2026-06-05 原文 →
AI 资讯

Your Security Scanner Found 7 Missing Headers. Don't Fix Them Blindly.

Your security scanner just came back with 6 flagged items. All missing HTTP headers. You did what any reasonable developer does: Googled each one, copy-pasted the recommended config, and shipped a fix in 20 minutes. Job done. Security score green. PR merged. You also probably shipped at least two of them wrong. Here is the thing nobody tells you about HTTP security headers: knowing what to add is the easy part. Understanding why it matters, when it actually doesn't, and how a misconfigured one breaks your app in production — that's where most developers fall short. This isn't another "add these 7 headers to secure your app" post. This is the one that explains what's actually happening. First, The Contrarian Take Missing a security header is not automatically a vulnerability. If you do bug bounties, this will save you a rejection. If you're a dev, it'll save you from cargo-culting configs that don't apply to your app. Context is king. X-Frame-Options: DENY is a valid security header. YouTube doesn't use it. Because the entire point of YouTube is for people to embed its videos in iframes. Applying that header would break a core product feature. That's not a security oversight — it's a deliberate design decision. A missing Content-Security-Policy header is not a vulnerability in itself. It only becomes relevant if you already have an XSS problem to mitigate. CSP is defense-in-depth. Not a fix for a broken input sanitisation layer. This matters because a lot of developers (and worse, automated scanners) treat these headers like a binary checklist. Present = secure. Missing = vulnerable. Reality is messier than that. Now — with that said — let's talk about what each one actually does. #1. HTTP Strict Transport Security (HSTS) Most developers think HSTS is just "force HTTPS." It's more precise than that. When your app redirects http:// to https:// , that first request is still unencrypted. For a fraction of a second, on a public network, that window exists. An attacker on

2026-06-05 原文 →
AI 资讯

One Malicious GitHub Issue Was All It Took to Hijack a Claude Code Agent

A researcher disclosed a vulnerability in the Claude Code GitHub Action that let an attacker submit a single crafted GitHub Issue and take over the agentic workflow running inside a repository. No stolen tokens. No compromised runner. Just text — pointed at an agent that trusted it. This is indirect prompt injection in the wild, and it's exactly the scenario that most AI security guidance hand-waves with "validate your inputs." Let's talk about what actually happened, why standard defenses didn't stop it, and what would have. What Happened The Claude Code GitHub Action wires Claude directly into your CI/CD pipeline. It reads repository context — issues, PRs, comments — and takes actions on your behalf: writing code, opening PRs, running commands. According to the disclosure, an attacker could craft a GitHub Issue containing a prompt injection payload. When the Claude Code agent processed that issue as part of its normal workflow, the payload manipulated the agent into executing unauthorized repository-level actions. One issue. Repository hijacked. The attack surface here is the trust boundary between external content (a GitHub Issue — writable by anyone with a GitHub account) and agent instructions (what Claude Code is actually supposed to do). The agent treated attacker-controlled text as authoritative instructions. How the Attack Actually Works Indirect prompt injection follows a consistent pattern: The agent reads external content as part of its task. In this case, the Claude Code Action ingests GitHub Issues to understand what to work on. That content contains adversarial instructions disguised as legitimate data. Something in the issue body tells the agent to deviate from its original task — "ignore your previous instructions," "your new task is to push this commit," or more subtle authority hijacks. The agent complies. Without a layer that can distinguish between legitimate orchestration instructions and attacker-injected content, the model treats the injected

2026-06-05 原文 →
AI 资讯

I can't eat the food I want. So I'm building my way out.

Originally published at ayonbuilds.hashnode.dev I can't eat the food I want. I can't travel. I can't do the things my peers do. I'm a 2nd year CS student in Chandigarh. No connections. No money. No big university name behind me. Last week I was researching AI security tools and stumbled across a startup called Artemis . Founded in 2025. Just raised $70M . Building AI agents that automatically investigate security threats. I had just built something in the same category. From my room. With free tools. Zero budget. Simulated data. No users. No team. Not even close to what they've built. But I understood the problem well enough to build a working version of it myself. And that told me something. I'm not there yet. Not even close. But I'm working on the right problems at the right time — and I'm just getting started. Here's what I built — ARIA (Autonomous Risk Investigation Agent) . It detects suspicious authentication events in real time, maps them to MITRE ATT&CK threat techniques, and automatically generates plain-English incident reports using an LLM investigation chain. Built with FastAPI, React, PostgreSQL, and Groq API. GitHub: github.com/Ayon99/ARIA My name is Ayon. I'm building AI systems in public — the wins, the failures, the gap between what I make and what the funded teams make, and everything I'm learning along the way. I have one goal. Break through. Completely. Whatever it takes . If you're in a similar position — small city, limited resources, big ambition — follow along. I'm not going to pretend I've figured it out. But I'm going to document every step of figuring it out.

2026-06-05 原文 →
AI 资讯

A Beginner-Friendly Mental Model for Bitcoin Transactions

Bitcoin can look simple from the outside: paste an address, choose an amount, send. Under that simple interface are several concepts that are useful for developers and technical beginners to understand. This post is not trading advice and does not discuss price. It is a practical mental model for what is happening when someone sends Bitcoin. 1. A wallet does not "hold coins" the way an app balance does Many beginners imagine a wallet as a container full of coins. That is close enough for casual conversation, but it can be misleading. A Bitcoin wallet manages keys and helps create transactions. The Bitcoin network tracks spendable outputs on the ledger. When you send BTC, the wallet constructs a transaction that spends previous outputs and creates new outputs. You do not need to master every detail on day one, but the high-level idea matters: control of keys controls the ability to spend. 2. An address is a destination, not an identity A Bitcoin address is where funds can be sent. It is not a username and it is not automatically tied to a person in the way a social profile is. Before sending, beginners should check the address carefully. A small copy-paste mistake can be permanent. Malware can also replace clipboard contents, so visually checking the beginning and ending characters is a useful habit. For larger transfers, a tiny test transaction can reduce risk. 3. Fees are about block space Bitcoin transactions compete for limited block space. A fee is not a tip to a company. It is part of the transaction economics that helps miners decide which transactions to include. When the network is busy, low-fee transactions may wait longer. When the network is quieter, confirmations may happen faster. The beginner lesson is simple: do not assume "sent" means "fully settled." Check confirmations and understand that fee choice can affect waiting time. 4. The mempool is a waiting area Before a transaction is confirmed in a block, it may sit in the mempool, which is a pool of u

2026-06-05 原文 →
AI 资讯

Web Security: OWASP Top 10 and How to Fix Them (2026)

Web Security: OWASP Top 10 and How to Fix Them (2026) Security isn't a feature you add later — it's built into every layer. Here's how the top 10 vulnerabilities work and how to prevent them. #1 Broken Access Control // ❌ Vulnerable: User can access anyone's data app . get ( ' /api/users/:id ' , ( req , res ) => { const user = await db . users . findById ( req . params . id ); res . json ( user ); // No check if requester owns this data! }); // ✅ Secure: Always verify ownership app . get ( ' /api/users/:id ' , async ( req , res ) => { // Check: Is the logged-in user requesting their OWN data? if ( req . params . id !== req . user . id && req . user . role !== ' admin ' ) { return res . status ( 403 ). json ({ error : ' Access denied ' }); } const user = await db . users . findById ( req . params . id ); res . json ( user ); }); // ✅ Better: Use middleware for all protected routes const requireOwnership = ( resourceType ) => async ( req , res , next ) => { const resource = await db [ resourceType ]. findById ( req . params . id ); if ( ! resource ) return res . status ( 404 ). json ({ error : ' Not found ' }); if ( resource . userId !== req . user . id && req . user . role !== ' admin ' ) { return res . status ( 403 ). json ({ error : ' Access denied ' }); } req . resource = resource ; // Attach for route handler next (); }; app . get ( ' /api/posts/:id ' , auth , requireOwnership ( ' posts ' ), ( req , res ) => { res . json ( req . resource ); }); #2 Cryptographic Failures // ❌ Storing passwords in plain text or weak hashing const password = " password123 " ; db . users . insert ({ email , password }); // NEVER DO THIS! // ✅ Proper password hashing with bcrypt const bcrypt = require ( ' bcrypt ' ); const SALT_ROUNDS = 12 ; // Higher = slower = more secure (12 is good balance) async function hashPassword ( password ) { return bcrypt . hash ( password , SALT_ROUNDS ); } async function comparePassword ( password , hash ) { return bcrypt . compare ( password , hash ); /

2026-06-05 原文 →
AI 资讯

Web Security Basics: Every Developer Must Know (2026)

Web Security: OWASP Top 10 and How to Fix Them (2026) Security isn't a feature you add later — it's built into every layer. Here's how the top 10 vulnerabilities work and how to prevent them. #1 Broken Access Control // ❌ Vulnerable: User can access anyone's data app . get ( ' /api/users/:id ' , ( req , res ) => { const user = await db . users . findById ( req . params . id ); res . json ( user ); // No check if requester owns this data! }); // ✅ Secure: Always verify ownership app . get ( ' /api/users/:id ' , async ( req , res ) => { // Check: Is the logged-in user requesting their OWN data? if ( req . params . id !== req . user . id && req . user . role !== ' admin ' ) { return res . status ( 403 ). json ({ error : ' Access denied ' }); } const user = await db . users . findById ( req . params . id ); res . json ( user ); }); // ✅ Better: Use middleware for all protected routes const requireOwnership = ( resourceType ) => async ( req , res , next ) => { const resource = await db [ resourceType ]. findById ( req . params . id ); if ( ! resource ) return res . status ( 404 ). json ({ error : ' Not found ' }); if ( resource . userId !== req . user . id && req . user . role !== ' admin ' ) { return res . status ( 403 ). json ({ error : ' Access denied ' }); } req . resource = resource ; // Attach for route handler next (); }; app . get ( ' /api/posts/:id ' , auth , requireOwnership ( ' posts ' ), ( req , res ) => { res . json ( req . resource ); }); #2 Cryptographic Failures // ❌ Storing passwords in plain text or weak hashing const password = " password123 " ; db . users . insert ({ email , password }); // NEVER DO THIS! // ✅ Proper password hashing with bcrypt const bcrypt = require ( ' bcrypt ' ); const SALT_ROUNDS = 12 ; // Higher = slower = more secure (12 is good balance) async function hashPassword ( password ) { return bcrypt . hash ( password , SALT_ROUNDS ); } async function comparePassword ( password , hash ) { return bcrypt . compare ( password , hash ); /

2026-06-05 原文 →
AI 资讯

Defense tech, AI, and fundraising take center stage at StrictlyVC Los Angeles on June 18

With just two weeks to go, StrictlyVC Los Angeles is quickly approaching. On Thursday, June 18, at The Aerospace Corporation Campus in El Segundo, investors, founders, and tech leaders will gather for an evening of conversation exploring some of the most consequential shifts taking place across venture capital, defense technology, artificial intelligence, and advanced industry. Secure your spot here. […]

2026-06-05 原文 →
AI 资讯

Defender zero-days CVE-2026-41091 and 45498 — what defenders should do today (May 2026)

Microsoft published two Defender vulnerabilities on May 19, 2026 that are being actively exploited in the wild, and CISA has already pushed both into the Known Exploited Vulnerabilities catalog. If you run Windows endpoints, this is a same-week update item, not a "schedule it for the next maintenance window" item. The patches exist, the abuse is happening, and the BOD 22-01 deadline for federal civilian agencies is June 3, 2026. what follows: what happened, who needs to act, and what to do today before someone else makes the decision for you. What's being exploited CVE-2026-41091 is an Elevation of Privilege bug in Microsoft Defender's scanning logic, rated Important. The root cause is improper link resolution before file access. An authenticated local attacker plants symbolic links or NTFS junctions that point at attacker-controlled paths, then triggers Defender to follow them. Defender operates with SYSTEM privileges during scan operations, so the file actions Defender performs on those crafted targets execute as SYSTEM. Net result: a non-admin local user gets full SYSTEM on the host. The attacker needs an authenticated session already. That sounds like a high bar until you remember that initial-access malware lands at user-level, then chains a local privilege escalation to get persistence and lateral-movement capability. CVE-2026-41091 is the second-stage tool intrusion sets are looking for. The Hacker News and BleepingComputer both confirm the in-the-wild abuse is happening. CVE-2026-45498 is a Denial of Service in the Microsoft Defender Antimalware Platform itself. Attackers can trigger a platform-level crash that takes Defender's protection capabilities offline. The exploitation pattern here is the obvious one: kill the EDR/AV before deploying the actual payload, get a clean window for follow-on actions, restore Defender or leave it broken depending on how careful the operator is. CISA's KEV listing tells you this is being chained operationally, not a theoreti

2026-06-05 原文 →
AI 资讯

Ansible Vault — Managing Secrets Securely in Ansible and AWX — My DevOps Journey By Sireesha

One thing I kept putting off when I started with Ansible was properly securing my secrets. Passwords, API keys, tokens — they were just sitting in plain text inside my vars files. I knew it was wrong but it worked and I kept moving forward. Then I started thinking about what happens when this goes into GitLab. Anyone with access to the repo can see every password. That's when I properly sat down and learned Ansible Vault — and honestly I wish I'd done it from day one. In this blog I'll walk through how I use Ansible Vault from the command line and then how I handle it properly inside AWX so scheduled jobs and workflow templates can still run without someone manually typing a password every time. What is Ansible Vault? Ansible Vault is a built-in feature that lets you encrypt sensitive data — passwords, keys, tokens — so they can be safely stored in your playbooks and pushed to GitLab without exposing anything. The beauty of it is that it works right inside your existing YAML files. Your playbook structure doesn't change — Vault just encrypts the values that need protecting. What I Was Doing Before — The Wrong Way This is what my vars file looked like before Vault: # vars/main.yml ubuntu_sudo_password : MyPassword123 db_password : SuperSecret456 api_token : abcd1234efgh5678 Pushed straight to GitLab. Anyone with repo access could read every single one of those. Not good. Encrypting a Single Value with Ansible Vault The first thing I learned was how to encrypt just a single variable value — not the entire file. This is cleaner because the rest of the vars file stays readable. ansible-vault encrypt_string 'MyPassword123' --name 'ubuntu_sudo_password' It asks you to create a vault password — this is the master password you'll use to decrypt later. Enter it twice: New Vault password: Confirm New Vault password: The output looks like this: ubuntu_sudo_password : !vault | $ANSIBLE_VAULT;1.1;AES256 6638643965323633646262656665333738623539613862393436316162336466383462343733

2026-06-04 原文 →
AI 资讯

Cyber SH Agent — Goated AI for Hackers

Who I Am I’m neo4 — a red teamer with ~3 years of offensive security experience, a hardcore Linux/Arch culture operator, and a Python developer who thrives in the terminal. My workflow is pure hacker logic: OPSEC first, root‑level control always. I’ve been recognized by Disney’s Vulnerability Disclosure Program for responsible disclosure, and I build tools that merge hacker culture with AI. Why I Built Cyber SH Agent Most AI tools today are cloud‑locked, API‑dependent, and surveillance‑heavy. That doesn’t fit hacker culture. So I built Cyber SH Agent — an offline AI CLI operator that runs locally, no servers, no API keys, no data leaks. Repo: https://github.com/neo4-svg/cybersh.git 🔧 Core Features Agent Mode → AI controls your CLI with system access. Sec Mode → Bug bounty & penetration testing expert. Vibe Mode → Creative coding & UI/UX assistance. Code Mode → Production‑ready code generation. Chat Mode → General AI assistant. All 100% offline — runs GGUF models via llama-cpp-python. No servers, no API keys, no data leaving your machine. hope you like it!

2026-06-04 原文 →
AI 资讯

Hacking Meta’s AI Chatbot

Hackers are convincing Meta’s AI support chatbot to let them take over other peoples’ accounts: A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker; the hacker then shares the verification code with the chatbot, which prompts the chatbot to show a button to “Reset Password.” The hacker enters a new password and takes over the victim’s account...

2026-06-04 原文 →