With over 16 million pulls per month, Google’s `distroless` base images are widely used and depended on by large projects like Kubernetes and Istio. These minimal images don’t include common tools like shells or package managers, making their attack surface (and download size!) smaller than traditional base images such as `ubuntu` or `alpine`. Even with this additional protection, users could still fall prey to typosquatting attacks, or receive a malicious image if the distroless build process was compromised – making users vulnerable to accidentally using a malicious image instead of the actual distroless image. This problem isn’t unique to distroless images – until now, there just hasn’t been an easy way to verify that images are what they claim to be.
Cosign simplifies signing and verifying container images, aiming to make signatures invisible infrastructure – basically, it takes over the hard part of signing and verifying software for you.
We developed cosign in collaboration with the sigstore project, a Linux Foundation project and a non-profit service that seeks to improve the open source software supply chain by easing the adoption of cryptographic software signing, backed by transparency log technologies.
We’re excited to announce that all of our distroless images are now signed by cosign! This means that all users of distroless can verify that they are indeed using the base image they intended to before kicking off image builds, making distroless images even more trustworthy. In fact, Kubernetes has already begun performing this check in their builds.
“As we look to the future, Kubernetes SIG Release’s vision is to establish a consumable, introspectable, and secure supply chain for the project. By collaborating with the sigstore maintainers (who are fellow Kubernetes contributors) to integrate signing and transparency into our supply chain, we hope to be an exemplar for standards in the cloud native (and wider) tech industry,” said Stephen Augustus, co-chair for Kubernetes SIG Release.
How it works
To start signing distroless, we integrated cosign into the distroless CI system, which builds and pushes images via Cloud Build. Signing every distroless image was as easy as adding one more Cloud Build step to the job responsible for building and pushing the images. That step runs the cosign container image with a key pair stored in GCP KMS to sign every distroless image. With this signing step in place, users can now verify that the distroless image they’re running was built in the correct CI environment.
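To make the two halves of that flow concrete, here is an added Go example (not cosign’s code and not the distroless build pipeline) that models what the signing step produces and what a consumer checks: a signed payload naming the image and its manifest digest, signed with ECDSA P-256 and verified against the publisher’s public key. It substitutes an in-memory key for GCP KMS and constructed digests for a real registry; the payload field names and the image name are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Payload builds the bytes cosign signs for one image: a "simple signing" JSON document
// naming the image and its manifest digest (field names are my reading of that format,
// not copied from cosign; Go marshals map keys in sorted order, so the output is canonical).
func Payload(ref, digest string) []byte {
	b, _ := json.Marshal(map[string]interface{}{
		"critical": map[string]interface{}{
			"identity": map[string]string{"docker-reference": ref},
			"image":    map[string]string{"docker-manifest-digest": digest},
			"type":     "cosign container image signature",
		},
		"optional": nil,
	})
	return b
}
// Sign is the CI-side step: SHA-256 the payload, then ECDSA P-256 sign it (the post keeps
// this key in GCP KMS; here it is generated in memory).
func Sign(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	h := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// Verify is the consumer-side check run before a build starts: the signature must cover
// the digest actually being pulled, under the publisher's public key.
func Verify(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
// Demo signs a constructed digest, then checks the genuine image and a look-alike carrying
// a different digest. Returns (genuineOK, lookalikeOK, err); expected: true, false, nil.
func Demo() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	ref := "registry.example/distroless/static" // placeholder image name, not a real path
	genuine := Payload(ref, "sha256:"+fmt.Sprintf("%064x", 1))   // constructed digest
	lookalike := Payload(ref, "sha256:"+fmt.Sprintf("%064x", 2)) // not what was signed
	sig, err := Sign(priv, genuine)
	if err != nil {
		return false, false, err
	}
	return Verify(&priv.PublicKey, genuine, sig), Verify(&priv.PublicKey, lookalike, sig), nil
}
```

The look-alike fails because the digest is part of the signed payload, so a typosquatted or tampered image cannot reuse a signature made for the genuine one.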
Right now, cosign can be run as an image or as a CLI tool. It supports:
- Hardware and KMS signing
- Bring-your-own PKI
- Our free OIDC PKI (Fulcio)
- Built-in binary transparency and timestamping service (Rekor)
Signing distroless with cosign is just the beginning, and we plan to incorporate other sigstore technologies into distroless to continue to improve it over the next few months. We also can’t wait to integrate sigstore with other critical projects. Stay tuned here for updates! To get started verifying your own distroless images, check out the distroless README, and to learn more about sigstore, check out sigstore.dev.