MWR Labs describes use of HTTP Referer headers to execute DNS rebinding attacks on AWS-hosted analytics systems
https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/
Malicious PowerShell Compiling C# Code on the Fly
https://isc.sans.edu/diary/rss/24072
Interesting bug in Chromium
https://bugs.chromium.org/p/chromium/issues/detail?id=881410
Holy crap there are a lot of Cisco security patches this month.
https://tools.cisco.com/security/center/publicationListing.x
Mazen Ahmed write an exploit for the new Struts CVE.
https://github.com/mazen160/struts-pwn_CVE-2018-11776
Speaking of the CVE program, and MITRE in general, Steve Ragan got a solid scoop on congress planning a revamp.
https://www.csoonline.com/article/3300753/security/congress-pushes-mitre-to-fix-cve-program-suggests-regular-reviews-and-stable-funding.html
Secure Ideas started a blog seried on CORS, CSRF, and Clickjacking which is off to a good start
https://blog.secureideas.com/2018/07/three-c-words-of-web-app-security-part-1-cors.html
The Fortnite Android app is vulnerable to a really very unique flaw, Man-on-the-disk.
https://www.theregister.co.uk/AMP/2018/08/29/android_external_storage_man_in_the_disk/
Speaking of weird flaws, people have started registering skills on Alexa with phonetically similar names as common commands. It's called Skill Squatting.
https://www.usenix.org/conference/usenixsecurity18/presentation/kumar
And that's the news!
Big, big news out of Portswigger this week. I'm a huge fan of OWASP ZAP, and use it daily, but this is a major uptick in web analysis tools.
A new API for Burp Suite (something ZAP has had for years) https://portswigger.net/blog/burps-new-rest-api
The introduction of 2.0 https://portswigger.net/blog/burp-suite-2-0-beta-now-available
And finally the introduction of Enterprise Edition, which effectively adds scalibility https://portswigger.net/blog/burp-suite-enterprise-edition
Really solid week of announcements.
In other news, AppSec consulting hits it out of the park again with advice on securing third-party JavaScript.
https://www.appsecconsulting.com/blog/securing-third-party-javascript
A major flaw was found in GhostScript. If you are parsing document formats like PDF or XPS, get your patch on!
https://www.kb.cert.org/vuls/id/332928
Another Struts RCE vulnerability. "I'm shocked!" said nobody, ever.
https://cwiki.apache.org/confluence/display/WW/S2-057
Bitdefender published a whitepaper on the next phase of Android malware, and it is worth a read.
https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf
And that's the news!
Trend Micro found a really interesting use-after-free vulnerability in the VBScript engine in IE. Now, before you giggle, think of all of the companies that have standardized on IE. They are out there. Either way, the finding is cool.
https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/
Username enumeration bug discovered in OpenSSH of all things.
http://seclists.org/oss-sec/2018/q3/124
Ever seen a scanner point out that a site is vulnerable to DNS Rebinding, and wonder what the heck it was talking about? Yeah me too. These folks wrote up a framework for it.
https://github.com/nccgroup/singularity
Here is a password list sorted by probability. Remember that training course when I said you should check your new passwords against a list of known bad values, because NIST said to? Here ya go. The esteemed Jim Fenton recommends checking against the first 100,000. Neat project.
https://github.com/berzerk0/Probable-Wordlists
Interesting idea - introducing bugs to make software more difficult to attackers to navigate. Seems risky to me; I would rather see self-reporting software.
https://arxiv.org/pdf/1808.00659.pdf
Cloudflare has a really really good writeup on TLS 1.3.
https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/
Questionably ethical hacker steals credentials from the Homebrew repo and makes a commit.
https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab
Viral tweet thread on the "voatz" software that WVa is planning on using for midterm elections. Vulnerabilityapalooza.
https://twitter.com/GossiTheDog/status/1026603800365330432
Portswigger posted a nice primer on cache poisoning.
https://portswigger.net/blog/practical-web-cache-poisoning
Reddit Breach Highlights Limits of SMS-Based Authentication
https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/
One of my favorite people - Adam Caudill with AppSec Consulting - gives a breakdown of changes to the way Chrome handles HTTPS
https://www.appsecconsulting.com/blog/https-or-be-warned
Information disclosure is a thing - stop using Trello as a password manager
https://www.reddit.com/r/security/comments/93n6ln/stop_using_trello_as_a_password_manager_how_to?sort=confidence
One of my favorite companies (Duo) has been acquired by Cisco
https://arstechnica.com/information-technology/2018/08/heads-up-2fa-provider-duo-security-to-be-acquired-by-cisco-ugh/
I have been assured that everything is gonna be OK
As nosqlmap has fallen a bit by the wayside, I'm glad to see a new NoSQL scanner show up
https://github.com/torque59/Nosql-Exploitation-Framework
Venmo, a social payment system, defaults to public disclosure of payments made on the system.
https://arstechnica.com/tech-policy/2018/07/venmos-terrible-idea/
Scott Simmons has some terriffic advice about using Same-Origin policy as a control for CSRF.
https://www.appsecconsulting.com/blog/using-the-same-origin-policy-to-control-for-cross-site-request-forgery
Open redirect flaw in Electron exploites in the new Google Hangouts Chat application.
https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how.html?m=1
F5 has released their annual Application Protection report. Worth a read.
https://www.f5.com/labs/articles/threat-intelligence/2018-Application-Protection-Report
DOMpurify, a common control for DOM based XSS, has a vulnerability - update if you are using it (you probably are).
http://www.thespanner.co.uk/2018/07/29/bypassing-dompurify-with-mxss/
It has come to my attention that one of Paul Asadoorian's Security Weekly broadcasts is titled Application Security Weekly! I had no idea. It's good too, you should listen. I caught up with the last few weeks when I drove over to Indianapolis to chat with the Indy Software Artisans meetup. Anyway, I am changing the title of this recurring series of posts to Application Security This Week because of the mixup.
Interesting discussion over at El Reg about the weakest link in software security.
https://www.theregister.co.uk/2018/07/16/who_is_the_weakest_link_in_software_security/
Oracle addressed 334 security vulnerabilities in its latest patch series.
https://www.us-cert.gov/ncas/current-activity/2018/07/17/Oracle-Releases-July-2018-Security-Bulletin
Shape Security did the math, and 9 out of 10 login attempts on the web are bypass attempts.
http://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf?aliId=7269967
For my home internet, I have one choice - Spectrum, née Time Warner Cable. I don't completely live in the boonies but it is far enough away from everything that I can't get anything but cable, and Time Warner is the only cable company I got. Honestly it hasn't been bad - I have been a customer since they were Roadrunner, and have had nearly zero problems. Had a mixup when we moved our phone service to them, which led to us dropping phone altogether and just using mobile (and the alarm system for emergencies). Had a couple useless repair folks. Over a 20 year history with them, I'm pretty pleased.
However, we have started having brownouts. We'll be tooting along, then the feed will go to a dribble. I pay for 50 Mbps down, and usually get 70, but then it will be 500 Kbps for hours. Then it will be fine. Is it Spectrum? My modem? My router? Something else on my network? I wasn't sure, so I would lug my laptop back there, plug the ethernet from the cable model directly in, and run Speedtest. Started to get some data. Then, the laptop that had an ethernet port went titsup. Now what?
Enter the Speedtest Pi. I scrapped a screen from an old POS appliance that I tested and was allowed to keep, an old mini keyboard, and one of the dozen Pis that I have laying around from various programs I have taught, and built a semi-permanent speed test appliance that I can go and use anytime I want.
I did need to buy an AV shield at Microcenter so I didn't have to soldier the heck out of the Pi, but that's OK. This was a quick and dirty job, and the shield was only $15.
Now - best way to do the speedtest? Well, did you know there is a Speedtest API? I DID NOT. To make it even better, there is a speedtest command line interface app in the install paths for Raspbian. So I simply:
sudo apt-get install speedtest-cli
and that's all there was to it.
Next next step is to put a fast switch in, so that I can leave it on all the time, and then have it run every hour or so, and show a graph on the screen. Should be a fun Python project.
npm is a dumpster fire. Yet another malicious package discovered that it automagically brought into many projects thanks to dependencies. In other news, I learned about snyk, which is a pretty cool tool.
https://snyk.io/vuln/npm:eslint-scope
In dev news, the #1 development GUI of all time is being updated. Notepad!
https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update
Apple wrote some code to appease the Chinese government and it was kind of a mess.
https://objective-see.com/blog/blog_0x34.html
Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.
http://seclists.org/fulldisclosure/2018/Jul/44
Remember when I said "Spectre is not exploitable"? Yeah, I was wrong. Again, and again, and again...
https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/
New variation of my favorite Weblogic vuln - CVE-2017-10271.
https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/
I wrote the tests for this vulnerability for Nikto.
https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac
And that's the news.