Rory McCune

@[email protected]
1,032 Followers
341 Following
784 Posts
Containers, Security, Kubernetes, Hillwalking
Personal Sitehttps://www.mccune.org.uk/
Bloghttps://raesene.github.io/
Container Security Sitehttps://www.container-security.site
GitHubhttps://github.com/raesene/
Rory McCune19h ago

Just released another entry in my blog series looking at the unpatchable vulnerabilities of Kubernetes.

Whilst the CVEs are quite old, understanding them is useful, both to understand if you need to apply mitigations and also for some of the low-level Kubernetes implementation details they involve.

https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8561/

Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8561 | Datadog Security Labs

A look at how Kubernetes CVE-2020-8561 works

Rory McCuneMar 17
Security Research LabsMar 17

We don't need to hack your AI Agent to hack your AI Agent …and we don't need an AI agent for that either :)

Via a large enterprise's AI assistant, we obtained access to several million Entra identities and all chat logs including attachments — no prompt injection or model tricks required.

For all we know, the poor agent was not at fault and may not have even been able to witness what was happening.

https://srlabs.de/blog/hacking-ai-agent

#AI #AIhacking #VulnerabilityDisclosure #ResponsibleDisclosure

We don't need to hack your AI Agent to hack your AI Agent - SRLabs Research

We strolled through an enterprise AI assistant's backend, helped ourselves to full application takeover and access to every chat log, and had a Microsoft Entra ID dump for dessert — no prompt injection, no model tricks, no AI expertise required.

SRLabs
Rory McCuneMar 11

One of the points I make in Kubernetes Security a lot is that talking about security defaults is hard as each distribution has its own idea of what works for their users.

One of the most surprising of these is Microk8s' choice to not enable RBAC by default. I wrote up a bit about it, here. https://raesene.github.io/blog/2026/03/11/microk8s-rbac-default/

Variance of defaults - Microk8s RBAC

Rory McCuneMar 10

Kubernetes SIG-Security docs have been doing some work to refresh the OWASP Kubernetes Top 10, to help cluster operators and users have a clear idea of where to start with Kubernetes security. It's taken a little longer than expected, but we have our draft top 10 out now. Any feedback very welcome

https://owasp.org/www-project-kubernetes-top-ten/

OWASP Kubernetes Top Ten | OWASP Foundation

Welcome to the OWASP Top Ten for Kubernetes

Rory McCuneMar 5
Insomni'hackMar 5
Christophe Tafani-Dereeper join us again at #INSO26 and explains how phising campaigns are evolving into worms.
Buy your ticket: https://insomnihack.ch/?utm_source=mastodon&utm_medium=image&utm_campaign=Insomnihack2026&utm_content=0503
#InsomniHack #Cybersecurity #INSO26
Show threadRory McCuneFeb 28
@gsuberland ah you could’ve dropped in at Securi-tay on the way by!
Rory McCuneFeb 27
ObsidianFeb 27

Obsidian 1.12 is now available to everyone!

- Obsidian CLI
- Bases search
- Image resizing
- Automatically clean up unused images
- Better copy/paste into rich text apps like Google Docs
- Native iOS share sheet

Show threadRory McCuneFeb 26
@gsuberland yeah I'm very glad I don't have any immediate requirements for new hardware, and I've even got some old kit lying about that can be pressed into service in an emergency!
Rory McCuneFeb 26

Really looking forward to Securi-Tay from the Abertay Ethical Hacking Society tomorrow.

If you're there and interested in hearing what 20 years of speaking experience has taught me and how you can hopefully improve your next talk, I'm on at 11:30am in track 3!

https://securi-tay.co.uk/schedule

Rory McCuneFeb 26
If you're using GCP and have enabled Gemini on any of your projects, this one is worth reading, as you may have some checking to do. https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules
Google API Keys Weren't Secrets. But then Gemini Changed the Rules. ◆ Truffle Security Co.

Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.