Gave a talk at an authentication/authorization meetup organized by a colleague and "free agent" in the IAM field (see https://t.me/unauthz):
Hi all! I'm at @foss_north today, enjoying the super interesting talks about open source, development tools, and general nerdery.
I live to meet people and talk tech so please say hi if you see me. I'm wearing a white cap with a cute little monster on it. :)
Oh and I'm also speaking this afternoon about #authz as a dev workflow, so feel free to come through and learn something about that if you like.
👋 Very stoked to announce that I will be speaking at #OWASP #Snowfroc this Friday at 11:00 in the Great Hall. The talk is entitled "Patterns of failure in modern #authorization" and it's mostly about why #authz is getting harder (instead of easier). I'll be citing some academic research but also looking at some interesting examples of authz failure at some fairly large, well-known brands. Hope to see you there! 🎤
p.s. I've never been to #Denver so looking forward to checking the city out a bit too. If you have suggestions for things to do (read: eat), let me know! 😄
Excited to be speaking at @fossasia
🚀 This year, I'm diving deep into Identity and Access Management (#IAM) for #OSS.
All are welcome and I encourage all knowledge levels to attend: Don't be intimidated by "advanced security"! I'm breaking down complex concepts into easy-to-understand explanations, with a historical perspective to give context.
1️⃣ Explore #AuthN #AuthZ 🔐
2️⃣ @keycloak Primer 🌐
3️⃣ Best Practices for #OSS 🛡️
🎉 Last week of Hacktoberfest! 🎉 The OpenFGA community has several issues labeled for Hacktoberfest—perfect for newcomers and veterans alike. From quick doc fixes to tackling bugs, all contributions are welcome.
Jump in, contribute, and grab some Hacktoberfest swag while there's still time! Let's wrap up October with a strong open source push. 🛠️
➡️ Learn about Hacktoberfest: https://hacktoberfest.com
Internet shortcut file security-mechanism bypass vulnerability exploited for over a year; attackers used it to distribute several kinds of info-stealing malware | iThome
Summary: A critical flaw in Docker Engine, tracked as CVE-2024-41110, allows attackers to bypass authorization plugins under specific conditions. This vulnerability, with a CVSS score of 10.0, indicates maximum severity. It involves exploiting an API request with a Content-Length set to 0, tricking the Docker daemon into forwarding the request without the body to the AuthZ plugin, potentially leading to incorrect approval of the request. This issue was initially discovered in 2018 and fixed in Docker Engine v18.09.1 in January 2019, but it wasn't applied to subsequent versions until recently. Versions affected include those up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, assuming AuthZ is used for access control decisions. Users relying on AuthZ plugins are at risk unless they update to versions 23.0.14 and 27.1.0 released on July 23, 2024. Docker Desktop versions up to 4.32.0 are also affected, though the chance of exploitation is low due to the need for local access to the host and the absence of AuthZ plugins in default configurations. Docker advises updating to the latest version to mitigate potential threats.
https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/
#cybersecurity #docker #vulnerability #cve #authz #dockerengine #dockerdesktop #api #plugins #threat #update
Certain versions of Docker Engine have a security vulnerability that could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.
[Translation] Using Verified Permissions to implement fine-grained authorization in high-load applications
Techniques for optimizing the authorization function in modern web applications. The article covers effective approaches to managing fine-grained authorization with Amazon Verified Permissions (read: the Cedar engine). You will learn about batch authorization and response-caching techniques that help significantly improve application performance and responsiveness. Read more
https://habr.com/ru/companies/bercut/articles/829576/
#авторизация #bercut #беркут #authz #authorization #Policyascode #вебприложения #web_application