Application Security Weekly for April 8

(Yes, last week was indeed an April Fools' joke)

(This week isn't.)

 

Domain names are a blessing and a curse.  It's a lot easier to remember "sempf.net" than "168.62.224.13".  The domain registration system is also on the front lines of fighting spam and malware, and it is under attack by the Powers That Be.  Overreaching privacy law (in this case, GDPR's effect on public WHOIS records) is about to make blue teaming a lot harder.

https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/

 

Twitter thread regarding T-Mobile Austria storing part of customers' passwords in plain text. Warning: rough language.

https://twitter.com/c_pellegrino/status/981409466242486272

https://motherboard.vice.com/en_us/article/7xdeby/t-mobile-stores-part-of-customers-passwords-in-plaintext-says-it-has-amazingly-good-security?utm_campaign=sharebutton

So, if they store the WHOLE password salted and hashed, but keep the first four characters in plain text just to help customer service, is it still a vulnerability?  Yes: anyone who gets a copy of the database gets four characters of every password for free, and the salted hash now only protects whatever comes after them.
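To make that concrete, here is an added example (my construction, not code from the original post or from T-Mobile): a toy credential store that keeps a salted hash plus the first four characters in the clear, and an attacker who has copied the database and only has to guess the tail.  The seven-character sample password, the lowercase-plus-digits attacker charset, and plain SHA-256 standing in for a slow KDF are all assumptions for the demo; a real system would use bcrypt, scrypt or Argon2, which changes the cost per guess but not the shortcut.

```python
"""Why a plaintext password prefix weakens a salted hash.

Constructed illustration: salted SHA-256 plus the first PREFIX_LEN characters
stored in the clear.  Nothing here is the original post's or T-Mobile's code.
"""
import hashlib
import hmac
import itertools
import os
import string
from dataclasses import dataclass

PREFIX_LEN = 4
# Assumed attacker charset for the unknown tail of the password.
CHARSET = string.ascii_lowercase + string.digits


@dataclass
class StoredRecord:
    salt: bytes
    digest: bytes
    prefix: str  # the leak: first PREFIX_LEN characters in plaintext


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for a slow KDF; a fast hash keeps the demo quick.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_password(password: str) -> StoredRecord:
    """What the 'helpful for customer service' scheme writes to the database."""
    salt = os.urandom(16)
    return StoredRecord(salt, hash_password(password, salt), password[:PREFIX_LEN])


def verify(record: StoredRecord, candidate: str) -> bool:
    return hmac.compare_digest(hash_password(candidate, record.salt), record.digest)


def crack_with_prefix(record: StoredRecord, charset: str = CHARSET, max_tail: int = 3):
    """Attacker with the database: the prefix is free, so only the tail is guessed.

    Returns (recovered_password_or_None, number_of_guesses).
    """
    guesses = 0
    for length in range(0, max_tail + 1):
        for tail in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = record.prefix + "".join(tail)
            if verify(record, candidate):
                return candidate, guesses
    return None, guesses


def keyspace(length: int, charset: str = CHARSET) -> int:
    """Number of candidates an attacker must consider for `length` unknown characters."""
    return len(charset) ** length


if __name__ == "__main__":
    sample = "t-mob1x"  # constructed 7-character password, tail "b1x" is in CHARSET
    record = store_password(sample)
    recovered, guesses = crack_with_prefix(record)
    print(f"recovered {recovered!r} after {guesses} guesses")
    print(f"full 7-char search would be {keyspace(7)} candidates; "
          f"with the prefix leak at most {keyspace(3)} for a 3-char tail")
```

The hash is salted, so no rainbow table helps, but that is irrelevant: the attacker never had to guess the first four characters, and the work per account drops from 36^7 candidates to at most 36^3 in this example.  Hashing with a slow KDF makes each guess cost more, not the number of guesses fewer.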

 

Three vulnerabilities discovered in the Spring Framework. Patchy patchy.

https://t.co/ytHgTw59LU

Critical — RCE Attack (CVE-2018-1270), via spring-messaging (STOMP over WebSocket)
High — Directory Traversal Attack (CVE-2018-1271), static resources served from the file system on Windows
Low — Multipart Content Pollution (CVE-2018-1272) https://t.co/3UQj3iD3qO

All three are fixed in Spring Framework 5.0.5 and 4.3.15.

 

Normally I link to primary sources, but El Reg did such a good job writing up the Trustwave report that I want to link to them.  Good, tongue-in-cheek breakdown of the Trustwave report, which is pretty ugly (spoiler: criminals are getting better, and we are not catching up).  Link to the report at the end of the article - there will be a quiz.

https://www.theregister.co.uk/AMP/2018/04/05/trustwave_security_sitrep/

 

And that's the news
