Application Security This Week for July 28

It's 1994 again! Encryption is on the table for law enforcement. Be ready for entry in the back door soon.

https://www.theregister.co.uk/2019/07/23/us_encryption_backdoor/

If you want to read about the LAST time we tried this, I recommend Matt Curtin's book Brute Force.

https://www.amazon.com/Brute-Force-Cracking-Encryption-Standard/dp/1441918957


Very good analysis of the XML eXternal Entity (XXE) attack.

https://www.synack.com/blog/a-deep-dive-into-xxe-injection/


Gitlab's Global Developer Report has some interesting security insights.

https://learn.gitlab.com/c/2019-global-develope


If you write mobile apps, and your vulnerability assessment mentions "a third party malicious app could exploit this," pay attention to it.  It's really happening in the wild.

https://www.infosecurity-magazine.com/news/uptick-in-ransomware-mobile/


That's the news!


Application Security This Week for July 21

Awesome paper presented in France covering XXE - really good research.  Worth a read.

https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation


Those who have taken my training know how I talk about protecting the soft meaty middle - well, Slack is proving that user accounts are the gift that keeps on giving.  They reset passwords over a breach from 4 years ago.

https://thehackernews.com/2019/07/slack-password-data-breach.html

https://www.theregister.co.uk/2019/07/19/2015_database_hack_slack/


Really neat tool for hooking executables in Windows.  I tried it; it's super neat.

https://github.com/everdox/InfinityHook


Here's an I-wish-it-was-an-OWASP-project example.  Tons of research on command injection.

https://hackersonlineclub.com/command-injection-cheatsheet/


That's the news folks.  Stay safe out there.

Application Security This Week for July 14

A wonderful human being put together a list of resources about hacking mainframe systems, worth a look if your organization is run on the big metal.

https://github.com/samanL33T/Awesome-Mainframe-Hacking/


Apple had a not-good-very-bad week.  First, the OpenID Foundation dinged the Mac implementation of "Sign in with Apple".

https://nakedsecurity.sophos.com/2019/07/08/privacy-and-security-risks-as-sign-in-with-apple-tweaks-open-id-protocol/

Then it was discovered that all of the magic of Zoom's conference software is due to a web server installed on MacOS, which you can't remove!  (Heeeey!)

https://www.engadget.com/2019/07/09/zoom-will-remove-server-behind-mac-security-hole/?ncid=txtlnkusaolp00000618


Rhino Security released a new version of CloudGoat, an insecure-by-design cloud deployment tool.

https://rhinosecuritylabs.com/aws/cloudgoat-walkthrough-rce_web_app/


One of my favorite attacks against file uploads that take zip files is the zip bomb.  Well, someone made a really nice one.

https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes
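The post points at the attack but not at what the upload side should do about it. The following Python screen is an added example, not code from this newsletter or from the linked article: it first reads the central directory's declared sizes and per-entry compression ratios, then extracts with a hard byte cap, because the declared values are attacker-controlled and can lie. The size and ratio limits are assumed policy values, and the sample archives are constructed in the block.

```python
import io
import zipfile

# Assumed policy values; tune to what your upload handler can actually afford.
DEFAULT_MAX_TOTAL = 50 * 1024 * 1024   # 50 MiB of decompressed output
DEFAULT_MAX_RATIO = 100.0              # deflate can reach ~1032:1, so 100:1 is generous

README_TEXT = b"constructed sample readme"   # constructed content for the sample archive


class ZipBombSuspected(Exception):
    """Raised when an archive claims, or actually produces, too much output."""


def inspect_zip(data: bytes, max_total: int = DEFAULT_MAX_TOTAL,
                max_ratio: float = DEFAULT_MAX_RATIO):
    """Cheap pre-check on the central directory: declared sizes and ratios.

    Returns (entry_count, declared_total_bytes) or raises ZipBombSuspected.
    The overlapping-entry trick still declares every entry's full size here,
    so summing file_size catches it; a forged header does not, hence the
    second, bounded extraction below.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        total = 0
        for info in entries:
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipBombSuspected(
                    f"ratio {info.file_size / info.compress_size:.0f}:1 on {info.filename}")
            total += info.file_size
            if total > max_total:
                raise ZipBombSuspected(f"declared total {total} exceeds {max_total}")
        return len(entries), total


def extract_bounded(data: bytes, max_total: int = DEFAULT_MAX_TOTAL) -> dict:
    """Extract into memory while counting real output bytes, not declared ones."""
    produced = 0
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total:
                        raise ZipBombSuspected(
                            f"actual output passed {max_total} bytes at {info.filename}")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


def screen_upload(data: bytes, max_total: int = DEFAULT_MAX_TOTAL,
                  max_ratio: float = DEFAULT_MAX_RATIO):
    """Run both checks; return (accepted, reason) for the upload handler to log."""
    try:
        inspect_zip(data, max_total, max_ratio)
        extract_bounded(data, max_total)
    except ZipBombSuspected as exc:
        return False, str(exc)
    except zipfile.BadZipFile as exc:
        return False, f"not a zip: {exc}"
    return True, "ok"


def make_sample_zip(payload: bytes) -> bytes:
    """Build a constructed two-entry archive in memory for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", README_TEXT)
        zf.writestr("blob.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    benign = make_sample_zip(bytes(range(256)) * 4)           # poorly compressible
    inflated = make_sample_zip(b"\0" * (4 * 1024 * 1024))     # 4 MiB of zeros
    print("benign:", screen_upload(benign, max_total=1024 * 1024))
    print("inflated:", screen_upload(inflated, max_total=1024 * 1024))
```

The ratio and declared-total checks are cheap and reject the obvious cases before any inflation happens; the bounded extraction is what actually protects the process, since the central directory is just more attacker-supplied input. Nested archives (a zip inside a zip) need the same treatment applied recursively with a depth limit.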


There is a flaw in the Android update system that allows attackers to modify updates on the fly.  Oh, and it is being exploited in the wild.

https://thehackernews.com/2017/12/android-malware-signature.html?m=1


That's the news, folks.  Have a safe week!


Application Security This Week for July 7

Good article on using fuzzers as productivity tools.

https://kripken.github.io/blog/binaryen/2019/06/11/fuzz-reduce-productivity.html

Reminds me of a great talk by the remarkable Craig Stuntz, worth a read.

https://speakerdeck.com/craigstuntz/high-speed-bug-discovery-with-fuzzing


Firefox will automatically trust certificates trusted by your OS.

https://thehackernews.com/2019/07/firefox-https-security.html?m=1

In other Firefox news, the UK is up in arms about Secure DNS breaking the Great British Pornwall

https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/


Next time I ping your site for not using X-FRAME-OPTIONS on a DNS endpoint, well, HAH I TOLD YOU SO NAAA NAA NAA

https://medium.com/intigriti/gotcha-taking-phishing-to-a-whole-new-level-72eda9e30bef


And that's the news, folks.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.



