It's the holiday edition!  No I'm kidding it's the same stuff as usual.  Sorry.

Apparently there is a chat app that is literally spyware developed by a nation state.  This isn't a political blog, but the technical implications are deep. Here's a good writeup.

https://objective-see.com/blog/blog_0x52.html

I'm all about supply chain issues, and this is a really good analysis of risks involved with package managers like npm.

https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/

Someone reverse engineered an RSA token, and is using it to bypass two factor in the wild.

https://www.schneier.com/blog/archives/2019/12/chinese_hackers_1.html

That's the news folks.  See you next decade.

Hope everyone has a good holiday.

You probably heard that the Russian offices of ngnix were raided by the government.  F5 is doing a code review.

https://www.msn.com/en-us/news/technology/f5-networks-secures-ngnix-software-builds-as-precaution-after-visit-from-russian-law-enforcement/ar-BBY357u?ocid=ARWLCHR

Solid research on privilege escalation in Amazon Web Services.  Very real problem.

https://know.bishopfox.com/research/privilege-escalation-in-aws

Do you want to bone up on real world appsec skills over the week?  I recommend the PortSwigger Web Academy.

https://portswigger.net/web-security

That's the news.

Nice writup that explains a pivot from and iPhone app all the way through to domain access via chained exploits. Application security is hard.

https://decoder.cloud/2019/12/12/from-iphone-to-nt-authoritysystem/

The security.txt file is near becoming an IETF standard.

https://mailarchive.ietf.org/arch/msg/ietf-announce/OFuiGlVv6WgvEEABaGmnYi120yU

Cool Azure horizontal privilege escalation writeup using the cloud shell.

https://blog.netspi.com/attacking-azure-cloud-shell/

That's the news. Hope everyone is having a stress-free holiday.

My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter.  Oopsie.

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

An Android spoofing vulnerability is already being exploited by bank thieves.  Hard to write secure apps when the platform doesn't help.

https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/

On that topic, here's a cool primer on Android reverse engineering.

https://maddiestone.github.io/AndroidAppRE/

TruffleHog is a new (and still a little rough) script to sniff out secrets from GitHub repos.

https://www.darknet.org.uk/2019/12/trufflehog-search-git-for-high-entropy-strings-with-commit-history/

AWS built a took to yell at you if you have open S3 buckets.

https://www.theregister.co.uk/2019/12/03/aws_s3_buckets/

That's the news, folks.  Stay safe out there.

Fortinet is communicating with static keys and a simple XOR.  Whoops.

https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/

An Android gif library has an interesting vulnerability that will affect many application.

https://seclists.org/fulldisclosure/2019/Nov/27

An OWASP member made a neat ZAP plugin that helps to attack deployed Kubernetes applications.

https://github.com/omerlh/zap-operator

Hope everyone had a great thanksgiving.

S