by Bill Sempf
30. September 2018 19:40
The "Wow, it's been a busy month" edition.
Apple took "Adware Doctor" out of the store because it was stealing data. How did no one notice this?
https://www.infosecurity-magazine.com/news/apple-removes-security-tool/
There is a new search engine for researching exploits.
https://sploitus.com/
Google open sourced their file upload protection tool.
https://github.com/google/wuffs
A cheat sheet for Angular web security.
https://cheatsheets.pragmaticwebsecurity.com/angularowasptop10
SharpSploit: a C# post-exploitation library.
https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51
a46d4c9f-9afe-4f28-a616-37d43147c641|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
8. September 2018 19:40
MWR Labs describes use of HTTP Referer headers to execute DNS rebinding attacks on AWS-hosted analytics systems
https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/
Malicious PowerShell Compiling C# Code on the Fly
https://isc.sans.edu/diary/rss/24072
Interesting bug in Chromium
https://bugs.chromium.org/p/chromium/issues/detail?id=881410
Holy crap there are a lot of Cisco security patches this month.
https://tools.cisco.com/security/center/publicationListing.x
6509f762-9435-4d11-940e-c4cee112a3ff|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags:
by Bill Sempf
3. September 2018 10:30
Mazen Ahmed write an exploit for the new Struts CVE.
https://github.com/mazen160/struts-pwn_CVE-2018-11776
Speaking of the CVE program, and MITRE in general, Steve Ragan got a solid scoop on congress planning a revamp.
https://www.csoonline.com/article/3300753/security/congress-pushes-mitre-to-fix-cve-program-suggests-regular-reviews-and-stable-funding.html
Secure Ideas started a blog seried on CORS, CSRF, and Clickjacking which is off to a good start
https://blog.secureideas.com/2018/07/three-c-words-of-web-app-security-part-1-cors.html
The Fortnite Android app is vulnerable to a really very unique flaw, Man-on-the-disk.
https://www.theregister.co.uk/AMP/2018/08/29/android_external_storage_man_in_the_disk/
Speaking of weird flaws, people have started registering skills on Alexa with phonetically similar names as common commands. It's called Skill Squatting.
https://www.usenix.org/conference/usenixsecurity18/presentation/kumar
And that's the news!
53eae250-9c81-4e4d-a219-593178a0f51c|0|.0|96d5b379-7e1d-4dac-a6ba-1e50db561b04
Tags: