I don't do a lot of advertising on this blog, but this is a pretty important part of my "walk the talk" campaign. I have for years been espousing a four-part analysis pattern: manual dynamic analysis (vulnerability analysis), manual static analysis (code review), automatic dynamic analysis (scanning the app with something like ZAP), and automatic static analysis (code scanning). Well, I have added that last one, automatic static analysis, to the list of products that POINT offers, through a partnership with Veracode. Veracode offers automatic static binary analysis, and is the best product I've found for web applications and mobile applications. What's more, I can triage the findings for you before delivery. (I'll of course also give you the original test results.) I spoke on this in my talk from a couple of years ago, Developers: Care and Feeding.
https://www.youtube.com/watch?v=_7jsUACnjjM
I also spoke at length on the topic on the Brakeing Down Security podcast.
http://brakeingsecurity.com/2015-045-care-and-feeding-of-devs-podcast-edition-with-bill-sempf
So now, I offer this for real. It's not free, but it's a great addition to a vulnerability analysis, and I'm pleased to be able to add it to the suite of offerings we have here at POINT.
Firstly, I have had a MASSIVE chest cold that has kept me down for the count, so I have been reading a lot of news. Thus, long newsletter.
Microsoft bought Github. This might seem to not be a security issue, but 'tis. Why did they buy them? Github doesn't make money. However: 1) Microsoft wants devs on their platform and 2) they are really into machine learning. So, let's get all of the devs and all of their code and ... profit?
https://www.linuxfoundation.org/blog/microsoft-buys-github-the-linux-foundations-reaction/
This is a little older but was new to me - Bruce Schneier writing for Lawfare (recommended reading by the way) about the implications of Efail.
https://www.lawfareblog.com/what-efail-tells-us-about-email-vulnerabilities-and-disclosure
A cartoon intro to DNS over HTTPS. We need more of these.
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
Building malicious zip files: Snyk's sample archives for the Zip Slip vulnerability (path traversal through archive entry names). Remember, mess with malware in a virtual machine, and NOT on your company network, please.
https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/README.md
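As an added example (my own code, not Snyk's), here is what those archives do and the check that stops them. The archive is constructed in memory, with one honest entry and one named `../../escaped.txt`; the naive extractor joins that name onto its destination and writes outside it, while the hardened one resolves every entry against the destination and rejects the whole archive before writing anything. The whole run happens inside a throwaway temp directory so the escape stays contained.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


def build_zip_slip_archive() -> bytes:
    """Build, in memory, an archive like the Snyk samples: one honest entry
    and one whose name climbs out of the extraction directory.
    Constructed test data for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("good.txt", "harmless\n")
        # writestr() stores the name verbatim, so the '..' survives.
        zf.writestr("../../escaped.txt", "written outside dest\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: Path) -> list:
    """The vulnerable pattern: join the entry name onto dest and write.
    Returns the normalized paths that were actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.normpath(os.path.join(dest, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_extract(zip_bytes: bytes, dest: Path) -> list:
    """Hardened extraction: resolve every entry against the destination and
    reject the whole archive if any entry escapes, before writing anything."""
    dest_root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            # Path('/x') / '/abs' yields '/abs', so absolute names are caught too.
            target = (dest_root / info.filename).resolve()
            if target != dest_root and dest_root not in target.parents:
                raise ValueError(f"zip slip blocked: {info.filename!r}")
            targets.append((info, target))
        written = []
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target))
    return written


def demo() -> dict:
    """Run both extractors against the malicious archive inside a throwaway
    directory so the escape stays contained, and report what happened."""
    root = Path(tempfile.mkdtemp()).resolve()
    try:
        archive = build_zip_slip_archive()
        naive_dest = root / "naive" / "here"
        naive_dest.mkdir(parents=True)
        naive_extract(archive, naive_dest)
        # '../../escaped.txt' relative to root/naive/here lands in root itself.
        escaped = (root / "escaped.txt").is_file()

        safe_dest = root / "safe" / "here"
        try:
            safe_extract(archive, safe_dest)
            blocked = False
        except ValueError:
            blocked = True
        return {
            "naive_escaped": escaped,
            "safe_blocked": blocked,
            "safe_wrote_nothing": not safe_dest.exists(),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extractall()` strips `..` components for you; the bug lives in hand-rolled loops like `naive_extract` (and the Java `ZipEntry` loops the Snyk write-up targets), so the validate-everything-then-write shape of `safe_extract` is the pattern to port.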
Didier Stevens is oft referenced in these missives, and he had a really productive May. I'll just link to his own overview. Lots of great appsec content.
https://blog.didierstevens.com/2018/06/05/overview-of-content-published-in-may-3/
XSS on ESPN's site. Stuff is just everywhere:
http://seclists.org/fulldisclosure/2018/Jun/22
Oh man, I forgot about this one. Remote Code Execution on a voice-based AI. You know, one of those smart speakers? Incredible stuff. Now I wanna go test my Echo.
https://github.com/Nhoya/MycroftAI-RCE
And we'll finish up with a breakdown by El Reg of all of the week's data breaches.
https://www.theregister.co.uk/AMP/2018/06/09/what_got_breached_this_week_ticket_portals_dna_sites_and_atlantas_police_cameras/
Have a good week, everyone. I'm going back to bed. Oh, and that's the news.
My good friends at AppSec Consulting tipped me off to this really neat finding. It's a SAML bypass; they didn't discover it, but they have been using it in tests and it works well.
https://developer.okta.com/blog/2018/02/27/a-breakdown-of-the-new-saml-authentication-bypass-vulnerability
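The bypass in that breakdown comes down to XML comment handling: an attacker who legitimately holds the account `victim@example.com.attacker.example` splices a comment into the signed NameID so it reads `victim@example.com<!-- -->.attacker.example`. Canonicalization without comments (what XML-DSig signs over) produces the same bytes either way, so the signature still verifies, but a service provider that reads only the first text node of NameID logs the attacker in as `victim@example.com`. The following is my own added illustration, not code from Okta or from the original write-up; the assertion skeleton is constructed, no real signature is checked (stdlib `canonicalize()` stands in for the signed form), and the two extractors are stand-ins for how a real SP library might read the element.

```python
from xml.dom import minidom
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Minimal Subject fragment of an assertion; constructed for this example,
# not taken from any real IdP response.
ASSERTION = (
    '<saml:Assertion xmlns:saml="{ns}">'
    "<saml:Subject><saml:NameID>{{nameid}}</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
).format(ns=SAML_NS)

# The account the attacker genuinely owns, as the IdP signed it.
LEGIT_NAMEID = "victim@example.com.attacker.example"
# The same text with an XML comment spliced in after the victim's address.
TAMPERED_NAMEID = "victim@example.com<!-- -->.attacker.example"


def _nameid_node(xml_text: str):
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def nameid_first_text_node(xml_text: str) -> str:
    """Vulnerable pattern: take only the first child text node of NameID.
    The comment splits the text into two nodes, so the tail is dropped."""
    return _nameid_node(xml_text).firstChild.data


def nameid_all_text(xml_text: str) -> str:
    """Hardened pattern: concatenate every text node under NameID, so a
    comment cannot truncate the identifier."""
    node = _nameid_node(xml_text)
    return "".join(
        child.data
        for child in node.childNodes
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE)
    )


def nameid_has_comment(xml_text: str) -> bool:
    """Stricter still: a NameID has no business containing comments, so an
    SP can simply refuse the assertion when one is present."""
    node = _nameid_node(xml_text)
    return any(c.nodeType == c.COMMENT_NODE for c in node.childNodes)


def canonical_form(xml_text: str) -> str:
    """Stand-in for the bytes a signature covers. The stdlib implements
    C14N 2.0; XML-DSig deployments use exclusive C14N 1.0, but both omit
    comments by default, which is what makes the splice invisible."""
    return ET.canonicalize(xml_text, with_comments=False)


def demo() -> dict:
    legit = ASSERTION.format(nameid=LEGIT_NAMEID)
    tampered = ASSERTION.format(nameid=TAMPERED_NAMEID)
    return {
        "signed_bytes_unchanged": canonical_form(legit) == canonical_form(tampered),
        "vulnerable_sees": nameid_first_text_node(tampered),
        "hardened_sees": nameid_all_text(tampered),
        "comment_detected": nameid_has_comment(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

When you test this against a real SP, the thing to vary is the parser library behind it, not the SAML plumbing: `nameid_first_text_node` is the exact shape of the bug, and any library whose NameID accessor behaves like it is affected regardless of how solid its signature verification is.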
Remember JScript, that attempt by Microsoft to take over ECMAScript? Yeah, neither does anyone else, but it is still in Windows and it has an RCE vulnerability.
https://securityaffairs.co/wordpress/73076/hacking/jscript-component-0day.html
Apparently it's the theme today, so I'll point out that an RCE vulnerability was found in the Steam client, and has a good writeup.
https://www.contextis.com/blog/frag-grenade-a-remote-code-execution-vulnerability-in-the-steam-client
In a previous post I mentioned the sheer mass of Redis servers left open on the Internet. Someone has now written a worm for them, and Incapsula reports that 75% of the open servers it looked at are infected.
https://www.incapsula.com/blog/report-75-of-open-redis-servers-are-infected.html
And that's the news.
S