Tag Archive for: permission

Group permission misconfiguration exposes Google Kubernetes Engine clusters


GKE also supports anonymous access: requests made to the Kubernetes API without presenting a client certificate or an authorized bearer token are executed as the “system:anonymous” user, a member of the “system:unauthenticated” group. If a token or certificate is presented, the API request is identified as the corresponding identity with its defined roles, but also with the roles assigned to the system:authenticated group. By default, this group provides access to some basic discovery URLs that don’t expose sensitive information, but admins could expand the group’s permissions without realizing the implications. “Administrators might think that binding system:authenticated to a new role, to ease their managerial burden of tens or hundreds of users, is completely safe,” the researchers said. “Although this definitely makes sense at first glance, this could actually turn out to be a nightmare scenario.”

To execute authenticated requests to a GKE cluster, all a user needs to do is use Google’s OAuth 2.0 Playground and authorize their account for the Kubernetes Engine API v1. By completing the playground authorization process, any user with a Google account can obtain an authorization code that can be exchanged for an access token on the same page. This access token can then be used to send requests to any GKE cluster and successfully identify as system:authenticated, which includes the system:basic-user role.

The system:basic-user role allows users to list all the permissions they currently have, including those inherited from the system:authenticated group, by querying the SelfSubjectRulesReview object. This provides a simple way for attackers to investigate whether a cluster’s admin has overpermissioned system:authenticated.

The Orca researchers demonstrated the impact with an example where the admin decided to associate any authenticated user with the ability to read all resources across all apiGroups in the cluster. This is “something that can be somewhat useful when there is a real governance around the users which can authenticate to the cluster, but not on GKE,” they said. “Our attacker can now, in the current…
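As an added example (not code from the Orca writeup or from this article), here is the cluster admin's side of the check the excerpt describes: a small Python audit that reads the JSON produced by `kubectl get clusterrolebindings -o json` and flags any binding that attaches a ClusterRole other than the stock ones to system:authenticated or system:unauthenticated. The sample bindings, the `cluster-reader` role name and the baseline set of default roles are constructed assumptions.

```python
import json

# Groups every caller belongs to: any valid token lands in system:authenticated,
# a request with no credentials at all lands in system:unauthenticated.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# ClusterRoles that upstream Kubernetes binds to those groups out of the box. This
# baseline is an assumption; compare it with `kubectl get clusterrolebindings` on a
# freshly created cluster before relying on it.
DEFAULT_ROLES = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def audit_bindings(bindings):
    """Flag ClusterRoleBindings that grant a non-default ClusterRole to a broad group.

    Returns (binding name, role name, group) tuples; an empty list means no
    binding widens what system:authenticated / system:unauthenticated can do.
    """
    findings = []
    for b in bindings:
        role = b.get("roleRef", {}).get("name", "")
        if role in DEFAULT_ROLES:
            continue
        for subj in b.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append((b["metadata"]["name"], role, subj["name"]))
    return findings


def audit_json(text):
    """Run the audit over the text of `kubectl get clusterrolebindings -o json`."""
    return audit_bindings(json.loads(text)["items"])


def _binding(name, role, groups):
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "Group", "name": g} for g in groups]}


# Constructed sample in the shape of the kubectl output (not from a real cluster);
# "cluster-reader" stands in for a read-all-resources ClusterRole the admin created.
SAMPLE = json.dumps({"items": [
    _binding("system:basic-user", "system:basic-user", ["system:authenticated"]),
    _binding("system:public-info-viewer", "system:public-info-viewer",
             ["system:authenticated", "system:unauthenticated"]),
    # The misconfiguration the excerpt describes: read-everything for every token holder
    _binding("everyone-can-read", "cluster-reader", ["system:authenticated"]),
    # The same grant scoped to a group the admin actually governs: not flagged
    _binding("sre-can-read", "cluster-reader", ["sre-team@example.com"]),
]})

if __name__ == "__main__":
    for name, role, group in audit_json(SAMPLE):
        print(f"{name}: binds ClusterRole {role} to {group}")
```

Pipe real output in with `kubectl get clusterrolebindings -o json | python audit.py` after replacing `SAMPLE` with `sys.stdin.read()`; RoleBindings inside individual namespaces need the same check with `kubectl get rolebindings -A -o json`.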


HC allows Jalandhar man to go abroad; says pendency of an FIR no ground to deny him permission


The Punjab and Haryana high court has allowed a Jalandhar man, an accused in a criminal case, to go abroad, observing that the pendency of an FIR does not mean that the petitioner would not return.

The petitioner, Kanwalpreet Singh Kalra, had approached the high court after he was denied permission to fly to Canada to attend the convocation ceremony of his daughter by a Jalandhar court. The trial court had refused to hand over the passport to him, which was lying with it.

“The day a child is born, the parents have a desire that he/she attains highest possible education. In Indian society, especially when a girl attains pinnacle of education, it brings joy not only to the parents but also makes the entire country proud. Thus, if her parents attend that function/convocation, it is likely to motivate the child for her further education. Simply because a case is pending, would not mean that a person (petitioner) would not return back to India or cannot be brought back to India,” the bench of justice Anoop Chitkara observed.

Kalra, an accused in a 2018 FIR in an attempt-to-murder case in Jalandhar, had in his plea challenged the Jalandhar court’s order and submitted details of the requisite permission his daughter had sought from the Canadian authorities.

His daughter had completed a post-graduate diploma in cyber security and computer forensics at Lambton College at Queens College of Business Technology and Public Safety. She has been in Canada since 2019, and Kalra and his wife were to attend their daughter’s convocation ceremony on July 29, as per the plea.

The court allowed him to travel and directed the trial court to return his passport. However, it imposed conditions under which he must procure a smartphone and provide its IMEI number and other details to the SHO concerned.

He must keep the phone’s GPS activated at all times and share his location whenever the investigating officer asks for it. He has also been restrained from clearing the location history, WhatsApp chats or call logs, and from formatting the phone, without the permission of the SHO concerned. Upon return, he has been directed to deposit the passport back within 15 days.


Never Give All Your Apps Camera Permission. Here’s Why


There’s a good reason why you should never give every single app you download camera permission. Verimatrix COO Asaf Ashkenazi told The Washington Post in November 2021 that permitting an app to access your camera means forfeiting your privacy to the company that created it. Some tech companies may be trustworthy enough to protect the data their apps record from cybercriminals, but there are other companies that misuse the camera permissions to secretly turn on your camera at any time and record everything that’s going on around you — even when you’re using the bathroom.

It’s one thing for an app to request camera permission for legitimate reasons, like taking a photo, scanning a QR code or, in Android’s case, using the Camera Switch accessibility feature, but when it uses your camera to record your activities while you are not actually using the camera, that becomes a serious privacy issue. In 2017, iOS developer Felix Krause shared a video on YouTube demonstrating how any app you download onto your iPhone can take pictures of you while you’re using it and share them immediately without your consent. Apple has since addressed the issue with the launch of iOS 14.


Two important mobile security settings