Application Security This Week for May 31

The group unc0ver has released a broad-ranging iOS jailbreak tool.

https://thehackernews.com/2020/05/iphone-ios-jailbreak-tools.html?m=1

 

Very complete writeup of the BBPress vulnerability:

https://b.ou.is/articles/2020-05/CVE-2020-13693

 

Neat little tool to get details about a repo without cloning.

https://github.com/sameera-madushan/RepoPeek

 

Have a good week, everyone.

Application Security This Week for May 24

Happy Memorial Day! Take a minute to learn something new about the seven branches of the US Military (see, you learned something already).

https://www.defense.gov/Our-Story/Our-Forces/

 

A new decompiler for ... wait for it ... Visual Studio Code. Yup. Uses Ghidra and IDA Pro. Neat.

https://marketplace.visualstudio.com/items?itemName=tintinweb.vscode-decompiler

 

Tenable did a fantastic writeup of Signal's use of WebRTC, and how to abuse it.  Really good research.

https://medium.com/tenable-techblog/turning-signal-app-into-a-coarse-tracking-device-643eb4298447

 

Georgetown University published a paper (PDF) on ethics and Artificial Intelligence.

https://cset.georgetown.edu/wp-content/uploads/CSET-A-National-Security-Research-Agenda-for-Cybersecurity-and-Artificial-Intelligence.pdf

 

There was a Remote Code Execution vulnerability in Google's Cloud Deployment Manager.

https://www.ezequiel.tech/2020/05/rce-in-cloud-dm.html?m=1

There is also a username harvesting vulnerability in Azure Portal, but I'll handle that under separate cover.

 

Not appsec related, but very interesting.  Windows 10 got tcpdump. Now, it's not a conspiracy, it's a debugging tool. Geez, people.

https://www.bleepingcomputer.com/news/microsoft/windows-10-quietly-got-a-built-in-network-sniffer-how-to-use/

 

Hope everyone is doing well. Stay in touch.

S

Application Security This Week for May 17

FireEye has an excellent breakdown of a Remote Access Trojan in C# - which is quite a feat given the constraints of the .NET Framework.

https://www.fireeye.fr/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html

I have written some C# malware as well; it is not easy, but we are all standing on the shoulders of giants.

https://github.com/lockfale/DotNetAVBypass-Master

 

The inestimably awesome Didier Stevens wrote some incredibly well-thought-out code that deobfuscated Excel macros.

https://isc.sans.edu/diary/26110

 

Here's some really interesting analysis of malware written for supercomputers.  This is really interesting because these hyperdrive computers do a lot of really useful work with governance data, voting, medicine, and a boatload of other stuff.

https://www.cadosecurity.com/2020/05/16/1318/

 

Hope everyone is staying safe in these weird times.

S

Application Security This Week for May 10

Lots of AWS assessments recently; here is a good new tool for IAM checking.

https://github.com/salesforce/cloudsplaining

 

Here is a neat, but not new, one for Azure:

https://github.com/FSecureLABS/Azurite

 

Lotsa code today.  Here's a token reverser to help test password reset functions.

https://github.com/dariusztytko/token-reverser

 

Good article on proxying thick clients.

https://maxfieldchen.com/posts/2020-05-05-proxying-unaware-thick-clients.html

 

Hope everyone had a great Mother's Day.

Application Security This Week for May 3

Really awesome article on automating application scanning with OWASP ZAP:

https://www.zaproxy.org/blog/2020-04-09-automate-security-testing-with-zap-and-github-actions/

 

Interesting model on how Chrome extensions can be used for man-in-the-middle attacks.

https://github.com/mandatoryprogrammer/cursedchrome

 

DLL Hijacking is one of those thick-client attacks that everyone dismisses, but they shouldn't.  This is why:

https://itm4n.github.io/windows-dll-hijacking-clarified/

 

Another information disclosure vulnerability - this time through the Referer header.

https://www.theregister.co.uk/2020/04/30/email_http_leakage/

 

That's the news, folks.  Hope everyone is healthy!

 

 

The rule of threes

In the world of emergency preparedness, which has been a hobby of mine since I was a Scout, there is something called the rule of threes. When I teach Emergency Prep merit badge, I talk about these points:

You can survive:

  • 3 minutes without air
  • 3 hours in severe weather
  • 3 days without water
  • 3 weeks without food

Now, this all sounds very depressing, but it is VERY important.  The fact is, in an emergency, you need to prioritize before anything else.  The first thing you must do is make a list, in order, of shit to do.  Do not, ever, let anyone tell you otherwise.  For instance, in a car wreck, you must first make sure everyone can breathe and isn't bleeding (because that is what gets the air to your organs). Then, if it is winter, you need to get warm.  If there is a tornado, you need to get shelter first, then make sure you have water. 

The one thing I don't tell Scouts is the last point, because it isn't usually something that we have to deal with in the developed world:

  • 3 months without hope

This isn't often talked about, but it is a very important point. In war-stricken areas, or places like Louisiana after Katrina, it has been proven true over and over.  Without hope, mental health has a significant impact on physical health, crime, and overall strife.

We are nearing that threshold in the United States (and elsewhere).

If you are safe, and you have water, and if you have food, the clear and present is to find sources of hope.  Stop watching the news. Preen your lists of who you follow on social media. The Boston Symphony Orchestra is doing stuff online.  The Columbus Museum of Art is holding virtual tours.

I don't talk a lot about mental health, but I deal with issues myself. This is gonna bring out some things you didn't know about yourself. Be smart, be safe, consider your risk model, and best to all of you.

 

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.

 

 
