
How Security Teams Can Learn to Stop Worrying and Love the OODA Loop
A well-loved military operational strategy is the OODA loop, a learning cycle that helps the operator gain an advantage against their opponent by responding with greater agility to unfolding events. While initially outlined by Colonel John Boyd with the fighter pilot user persona in mind, it is not only applicable to cyberwarfare but also remarkably […]
Customer Interview: Looker
With over 1700 industry-leading and innovative companies such as Sony, Amazon, IBM, Spotify, Etsy and Lyft trusting Looker’s data platform, Looker takes security seriously. The Looker Security Operations team, managed by Richard Reinders, is constantly working to ensure they have the best security possible to protect their customers’ production workloads. We sat down with Richard […]
Escaping like a Rocket via rkt enter
Last week, a researcher disclosed three vulnerabilities in rkt, CVE-2019-10144, CVE-2019-10145, and CVE-2019-10147, that let an attacker escape the container. Rkt is an open source container runtime created by CoreOS in 2014. Why it’s cool: This vuln trio allows attackers to gain root on the host machine from a rkt pod. rkt up to version […]
Race Conditions – Cloudy with a Chance of R/W Access
Docker Race Condition: CVE-2018-15664 Today, Aleksa Sarai published a Docker vulnerability, CVE-2018-15664, on the oss-sec mailing list. It turns out that a function inside Docker facilitates a TOCTOU bug (more on that below) which could allow someone malicious inside a container to gain arbitrary read/write file access on the host with root privileges (not […]
A Buffer Buffet for Data Sampling
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 Yesterday, three data sampling side channel vulnerabilities were disclosed in Intel CPUs by a whole bunch of smart researchers. Intel is calling them “microarchitectural data sampling” (MDS) bugs, but they’re colloquially known as ZombieLoad (CVE-2019-1109 & CVE-2018-12130), RIDL aka “Rogue In-flight Data Load” (CVE-2018-12130), and Fallout (CVE-2018-12126) — plus there was […]
Linux Security Fun With Webhooks
At Capsule8, we want to let you work the way you prefer working rather than forcing new workflows on you. To realize this philosophy, we designed Capsule8 to be super flexible and let users consume alert data in familiar ways — such as through the use of webhooks. Since REST APIs are the lifeblood of […]
The Methods to our Madness: How Capsule8’s Detection Methods Work
One of the best weapons in defending against attackers is speed. The ability to detect an attacker’s attempts as soon as they happen, and in turn shut them down before they take hold, is the best way to reduce any potential damage. Our detection strategies at Capsule8 are built to look for Indicators of Attack […]
Search No Further: Capsule8 Supports Google Cloud Security Command Center with Security Partner Integration
Today is another big day for Capsule8. We officially announced that we are included as a Security Partner Integration within the newly launched Google Cloud Security Command Center (Cloud SCC). The Cloud SCC made a huge splash last week at Google Next, when it was made generally available as a security and data risk platform […]
Apache CARPE DIEM: CVE-2019-0211
Recently, Charles Fol blogged about his privilege escalation bug in Apache, CVE-2019-0211, aka “CARPE DIEM” (seize the 0day, comrades!). This affects Apache HTTP Server versions 2.4.17 through version 2.4.38 (from October 9, 2015 to April 1, 2019). Why is it cool? Exploiting this bug allows for escalation from the meager privileges of an Apache worker […]
A Guide to Linux Monitoring
Different Approaches to Linux Host Monitoring In case you hadn’t heard, Linux is a big deal. Linux servers are used in the vast majority of production systems, the ones running the apps and services everyone uses. But, as said by the great infosec #thoughtleader and uncle to Spiderman, “with great power comes great responsibility.” These […]
Between Two Kernels: Halvar Flake – E03
In Episode 3 Kelly chats with Halvar Flake, former Project Zero team member at Google and Co-Founder of optimyze. The two get philosophical about vendor tag lines, characterize his new start-up with buzzwords, and discuss the differences between automation in offensive and defensive security work.
Between Two Kernels: Allan Alford – E02
In Episode 2 of Between Two Kernels Kelly chats with CISO Allan Alford about being the most hated man in his organization, the three biggest mistakes of his life, and which infosec category he would date, marry, and kill. Check out the highlights below and full video if you’re interested! Episode Transcript Kelly: Welcome to […]
Between Two Kernels: Art Coviello
We’re excited to kick off a new video series with our VP of Product Strategy, Kelly Shortridge, titled “Between Two Kernels.” Kelly aims to conduct short, potentially awkward interviews with industry leaders that don’t shy away from tough and entertaining questions. Episode one is embedded for your viewing pleasure and features Art Coviello at the […]
An Exercise in Practical Container Escapology
What seemed lost in this (runc) hype is that the ability to escape containers is not confined to a one-off vulnerability in container management programs or orchestrators.
Kernel Configuration Glossary
In our post “Millions of Binaries Later: a Look Into Linux Hardening in the Wild”, we examined the security properties of different distributions. In the following, we provide a glossary for the security-relevant kernel configuration options discussed in that post (scraped from the Linux Kernel Driver Database). Option Description Significance CONFIG_X86_SMAP Supervisor Mode Access Prevention […]
Linux Hardening in the Wild
TL;DR: Millions of Binaries Later In this post, we explore the adoption of Linux hardening schemes across five popular distributions by examining their out-of-the-box properties. For each distribution, we analyzed its default kernel configuration, downloaded all its packages, and analyzed the hardening schemes of their enclosed binaries. Our dataset includes the OpenSUSE 12.4, Debian 9, […]
UAFs in Linux Kernel Modules: CVE-2019-8912 & CVE-2019-8956
A researcher using syzkaller found a locally-exploitable bug in Linux’s crypto API, CVE-2019-8912, which allows for a use-after-free in sockfs_setattr. It’s received sudden buzz, probably because a bug in the kernel’s cryptography API sounds pretty scary! And, there’s a hot 2-for-1 special for Linux use-after-free bugs with the announcement of CVE-2019-8956, too. What makes it […]
Nested Guests: CVE-2019-7221
Earlier this month, twin KVM bugs found by Google’s Project Zero team were released publicly: CVE-2019-7221, a use-after-free vulnerability, and CVE-2019-7222, a memory leak that can assist exploitation of the former vulnerability. Why is it cool? If successfully exploited, CVE-2019-7221 can give an attacker a guest-to-host escape and root privileges on that host. It’s a […]
Dirty Sock: CVE-2019-7304
Today, Chris Moberly blogged about his local privilege escalation bug in Ubuntu Linux, CVE-2019-7304, a.k.a. the “Dirty Sock” exploit (ew). This affects snapd, which is installed on Ubuntu 16.04.4 LTS and later by default, but snapd is also available for other Linux distributions with a manual install. Beneath the hype: Snapd’s auto-update should mean you […]
A Brief Review of CVE-2019-5736: runc Container Breakout
A group of researchers yesterday announced CVE-2019-5736, a runc container breakout affecting container tools including Docker, Kubernetes, and containerd. Why it matters: Because many people run containers as “root,” the exploitability here is pretty easy. However, it still requires some level of interaction: Starting from an attacker-controlled container “Exec” (in Docker) into a compromised container […]
Exploiting systemd-journald Part 2
Introduction This is the second part in a multipart series on exploiting two vulnerabilities in systemd-journald, which were published by Qualys on January 9th. In the first post, we covered how to communicate with journald, and built a simple proof-of-concept to exploit the vulnerability, using predefined constants for fixed addresses (with ASLR disabled). In this […]