are there PCI DSS (or equivalent) requirements for user-interface security for cardholders?

The PCI DSS requirements around account security (password strength, password changes, etc.) all seem to apply to system users who have access to cardholder data.

Are there any industry standards that apply to the user (i.e. cardholder) accounts themselves?

In other words, suppose I find out that my banking website allows me to set my user account password to “dog”. Is there some banking-specific industry regulation that this violates, that I can point them to?

error: process launch failed: Security

When I run ionic cordova run ios --device, I get the following error:

    verbose(lldb) command script add -s asynchronous -f fruitstrap_828bb79436e53a8fe3e9d624710bf67bf3033f89.safequit_command safequit
    (lldb) connect
    (lldb) run
    error: process launch failed: Security
    (lldb) safequit

    Application has not been launched

    Command finished with error code 1: ios-deploy --justlaunch,--no-wifi,-d,-b,/Users/sysadmin/new/platforms/ios/build/device/MyApp.app
    ios-deploy: Command failed with exit code 1
    Error: ios-deploy: Command failed with exit code 1
        at ChildProcess.whenDone (/Users/sysadmin/new/node_modules/cordova-common/src/superspawn.js:135:23)
        at ChildProcess.emit (events.js:197:13)
        at maybeClose (internal/child_process.js:978:16)
        at Process.ChildProcess._handle.onexit (internal/child_process.js:265:5)
    [ERROR] An error occurred while running subprocess cordova.

            cordova run ios --device --verbose exited with exit code 1.

            Re-running this command with the --verbose flag may provide more information.

    ionic:utils-process onBeforeExit handler: process.exit received +0ms
    ionic:utils-process onBeforeExit handler: running 2 functions +0ms
    ionic:utils-process onBeforeExit handler: exiting (exit code 1) +43ms

What are the security implications of capabilities in Kubernetes pods?

We have a Kubernetes deployment with an application that needs to be on a VPN. We implement this requirement by running openvpn-client in a sidecar container within the pod with elevated capabilities:

    securityContext:
      capabilities:
        add:
          - NET_ADMIN

We’d like to better understand the impact of this, and how exposed we’d be if this container were compromised. We want to be confident that code exec in this container couldn’t view or modify packets or network configuration in other pods, or on the host node.

My current hypothesis is that since each pod has an isolated network namespace, giving CAP_NET_ADMIN to a container in the pod just provides the capability within that namespace.

However, I haven’t been able to find any documentation that definitively discusses the impact of using securityContext to assign capabilities to containers. There are a few pieces of documentation – outlined below – that strongly imply that Kubernetes / Docker will provide sufficient isolation here, but I’m not 100% certain.

The pods documentation on resource sharing [1] gives a hint here:

The applications in a Pod all use the same network namespace (same IP and port space), and can thus “find” each other and communicate using localhost. Because of this, applications in a Pod must coordinate their usage of ports. Each Pod has an IP address in a flat shared networking space that has full communication with other physical computers and Pods across the network.

The networking documentation on the network model [2] has this to say:

Kubernetes IP addresses exist at the Pod scope – containers within a Pod share their network namespaces – including their IP address. This means that containers within a Pod can all reach each other’s ports on localhost. This also means that containers within a Pod must coordinate port usage, but this is no different from processes in a VM. This is called the “IP-per-pod” model.

Finally, I note that pod.spec.hostNetwork is configurable, and defaults to false:

    $ kubectl explain pod.spec.hostNetwork
    KIND:     Pod
    VERSION:  v1

    FIELD:    hostNetwork <boolean>

    DESCRIPTION:
         Host networking requested for this pod. Use the host's network namespace.
         If this option is set, the ports that will be used must be specified.
         Default to false.

[1] https://kubernetes.io/docs/concepts/workloads/pods/pod/#resource-sharing-and-communication

[2] https://kubernetes.io/docs/concepts/cluster-administration/networking/#the-kubernetes-network-model
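The question's hypothesis, that a capability reaches only as far as the namespace the process lives in, can be turned into a policy check. The following is an added example, not code from the original post, from Kubernetes, or from any admission controller: it walks a pod spec (given as a plain dict, so it runs offline without a cluster or PyYAML) and reports, per container, which network capabilities are added and whether their scope is the pod's own network namespace or the node's. The scope rule it encodes is: hostNetwork: false keeps CAP_NET_ADMIN / CAP_NET_RAW inside the pod namespace, while hostNetwork: true or privileged: true extends them to the node. The two pod specs at the bottom are constructed to mirror the layout described in the question (app container plus openvpn-client sidecar), with and without hostNetwork.

```python
"""Audit a pod spec for the blast radius of added Linux capabilities.

Added example, not part of the original post or of Kubernetes. It encodes the
question's hypothesis as a check: CAP_NET_ADMIN / CAP_NET_RAW act on the network
namespace the process lives in, so with hostNetwork: false their scope is the
pod's own namespace, while hostNetwork: true or privileged: true extends it to
the node. The sample pod specs below are constructed, not from a real cluster.
"""
from typing import Dict, List, Set

NETWORK_CAPS = {"NET_ADMIN", "NET_RAW"}


def _norm(cap: str) -> str:
    """Kubernetes accepts NET_ADMIN and CAP_NET_ADMIN; normalise to the bare name."""
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _containers(spec: Dict) -> List[Dict]:
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


def _added_caps(container: Dict) -> Set[str]:
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return {_norm(c) for c in caps.get("add", [])}


def _dropped_caps(container: Dict) -> Set[str]:
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return {_norm(c) for c in caps.get("drop", [])}


def _privileged(container: Dict) -> bool:
    return bool((container.get("securityContext") or {}).get("privileged", False))


def net_admin_scope(pod: Dict) -> str:
    """Return 'none', 'pod' or 'node': how far CAP_NET_ADMIN in this pod reaches."""
    spec = pod.get("spec", {})
    grants = [c for c in _containers(spec) if "NET_ADMIN" in _added_caps(c) or _privileged(c)]
    if not grants:
        return "none"
    if spec.get("hostNetwork", False) or any(_privileged(c) for c in grants):
        return "node"
    return "pod"


def audit_pod(pod: Dict) -> List[str]:
    """One finding per risky setting; each starts with '<container>:' or 'pod:'."""
    spec = pod.get("spec", {})
    host_network = bool(spec.get("hostNetwork", False))
    findings: List[str] = []
    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        if _privileged(c):
            findings.append(f"{name}: privileged=true grants every capability; treat its scope as the node")
            continue
        added = _added_caps(c)
        net = added & NETWORK_CAPS
        if net:
            scope = "node (host network namespace)" if host_network else "pod network namespace only"
            findings.append(f"{name}: adds {sorted(net)}; scope={scope}")
        if added and "ALL" not in _dropped_caps(c):
            findings.append(f"{name}: adds capabilities without drop: [ALL], so the runtime default set stays")
    if host_network:
        findings.append("pod: hostNetwork=true puts every container in the node's network namespace")
    return findings


# Constructed sample: the layout described in the question (app + openvpn sidecar).
VPN_SIDECAR_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app-with-vpn"},
    "spec": {
        "containers": [
            {"name": "app", "image": "example/app:1.0"},
            {
                "name": "openvpn-client",
                "image": "example/openvpn-client:1.0",
                "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
            },
        ]
    },
}

# Constructed variant: same sidecar, but the pod opts into the host network namespace.
HOST_NET_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app-with-vpn-hostnet"},
    "spec": dict(VPN_SIDECAR_POD["spec"], hostNetwork=True),
}

if __name__ == "__main__":
    for pod in (VPN_SIDECAR_POD, HOST_NET_POD):
        print(pod["metadata"]["name"], "->", net_admin_scope(pod))
        for finding in audit_pod(pod):
            print("  ", finding)
```

Run stand-alone it prints "pod" for the first spec and "node" for the second; the "drop: [ALL]" finding is the one most teams forget, since adding NET_ADMIN on top of the runtime's default capability bundle leaves the sidecar with more than the VPN client needs.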

How can I make this? Thymeleaf, Spring Boot, Hibernate, Security Project

I’ve been making a Spring Boot project for college and now I’m stuck on this part: the client user has a shopping cart that shows all the items the client added. I want the items to not appear anymore once the client makes the checkout.

I’m a bit of a newbie in this area and I have no idea what to do. Can you guys help me? Thanks for the attention. 🙂 This is the table that shows the items of the client’s order:

    <table class="table table-dark">
        <tbody>
            <tr>
                <td>Item</td>
                <td>Imagem</td>
                <td>Nome</td>
                <td>Preço</td>
            </tr>
            <tr th:each="itens : ${listaDeItens}">
                <td th:text="${itens.codigo}"></td>
                <td><img width="200" height="200" th:src="@{'/images/' + ${itens.nomeprato} + '.png'}"></td>
                <td th:text="${itens.nomeprato}"></td>
                <td th:text="|R$ ${itens.precoprato}|"></td>
                <td><a class="btn btn-danger" th:href="@{/removeItem/{codigo}(codigo=${itens.idprato})}">Remover Item</a></td>
            </tr>
            <tr th:each="itens : ${listaDeItens}">
                <td></td>
                <td><a class="btn btn-primary" th:href="@{/finalizar/{codigo}(codigo=${itens.idprato})}">Finalizar Compra</a></td>
            </tr>
        </tbody>
    </table>

VLC 3.0.4 security risks

This is the latest security advisory from VLC:

Security Advisory 1901

Summary           : Read buffer overflow & double free
Date              : June 2019
Affected versions : VLC media player 3.0.6 and earlier
ID                : VideoLAN-SA-1901
CVE reference     : CVE-2019-5439, CVE-2019-12874

Details

A remote user can create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow (read) in ReadFrame (demux/avi/avi.c), or a double free in zlib_decompress_extra() (demux/mkv/utils.cpp) respectively.

Impact

If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user.

Threat mitigation

Exploitation of those issues requires the user to explicitly open a specially crafted file or stream.

ASLR and DEP help reduce exposure, but may be bypassed.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Solution

VLC media player 3.0.7 addresses the issue.

According to them, installing VLC media player 3.0.7 will fix the issue.

However, the one available in Ubuntu is the old version 3.0.4:

    user@linux:~$ apt show vlc
    Package: vlc
    Version: 3.0.4-1ubuntu0.2
    Priority: optional
    Section: universe/graphics
    Origin: Ubuntu

Isn’t this considered a high security risk?

What is the best way to make sure our software in Ubuntu is updated, since sudo apt update && sudo apt upgrade clearly won’t help with this issue?

Do we really need to manually check and update each software in our computer?
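The question compares an advisory's fixed upstream release (3.0.7) with the version string apt reports (3.0.4-1ubuntu0.2). Doing that comparison correctly, and knowing what it does and does not prove, is the practical part of the problem, so here is an added example; it is not code from the original post, from VideoLAN or from Ubuntu's tooling. It re-implements dpkg's version ordering (epoch:upstream-revision, with "~" sorting before everything) so that apt show output can be checked offline, and it encodes one caveat a practitioner needs: Ubuntu ships security fixes as backports under the same upstream version, so the distribution revision (the "-1ubuntu0.2" part) changes while "3.0.4" does not. An upstream number below the fix version therefore means "verify the CVE in the package changelog or the Ubuntu Security Notice", not "vulnerable". The apt show text embedded below is a constructed reproduction of the fields shown in the question.

```python
"""Compare an installed Debian/Ubuntu package version against an advisory's fix version.

Added example, not part of the original post, the VideoLAN advisory or Ubuntu's
tooling. It ports dpkg's version ordering so `apt show` output can be checked
offline. Caveat encoded in assess_against_advisory(): Ubuntu backports security
fixes under the same upstream version (only the '-1ubuntu0.2' revision changes),
so "upstream below fix" means "verify in the changelog / USN", not "vulnerable".
"""
from typing import Dict, Tuple


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end-of-string/digit < letters < other."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternating non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit segment: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric segment: skip leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str) -> Tuple[int, str, str]:
    """'1:3.0.4-1ubuntu0.2' -> (1, '3.0.4', '1ubuntu0.2'); missing parts default to 0 / ''."""
    epoch = 0
    if ":" in version:
        e, _, version = version.partition(":")
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no hyphen: rpartition put the whole string into 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (as dpkg --compare-versions)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    return c if c else _verrevcmp(ra, rb)


def parse_apt_show(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of `apt show` into a dict (continuation lines ignored)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def assess_against_advisory(apt_show_text: str, fixed_upstream: str) -> str:
    """Classify the installed package relative to the advisory's fixed upstream release."""
    installed = parse_apt_show(apt_show_text)["Version"]
    _, upstream, revision = split_version(installed)
    if compare_versions(upstream, fixed_upstream) >= 0:
        return f"upstream-at-or-above-fix ({installed})"
    return (f"upstream-below-fix ({upstream} < {fixed_upstream}); distro revision "
            f"'{revision}' may carry a backport: verify the CVE in the package changelog")


# Constructed sample reproducing the fields shown in the question's `apt show vlc`.
APT_SHOW_VLC = """Package: vlc
Version: 3.0.4-1ubuntu0.2
Priority: optional
Section: universe/graphics
Origin: Ubuntu
"""

if __name__ == "__main__":
    print(assess_against_advisory(APT_SHOW_VLC, "3.0.7"))
```

The comparison logic follows dpkg rather than a naive split on dots so that revisions such as 1ubuntu0.10 sort after 1ubuntu0.2 and pre-releases marked with "~" sort before the final version; the verdict string deliberately stops at "verify" because only the package changelog (or the corresponding USN) can say whether a given CVE was backported.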

Hardware security key with locked down usb slots

I would like to use hardware security keys in an environment where it is additionally necessary to lock down any way in which a user could download data to a device like a USB key. Is it possible to lock down a USB slot in such a way that file transfer is not possible but hardware security keys still work?

In my case the scenario would include Windows 10 Pro as the OS and preferably a FIDO2-capable key.