Container security is a big deal, with OWASP A9 showing up more and more. Here is a tool that will help with container scanning, and it is compatible with your continuous integration builds.
https://github.com/knqyf263/trivy
WhatsApp had a bug, but that doesn't dismiss the importance of end-to-end encryption. Discuss.
https://www.wired.com/story/whatsapp-hack-phone-call-voip-buffer-overflow/
Someone found a user after free vulnerability in the Linux kernal going alllll the way back.
https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
And that's the news!
If you have been in my classes, you know that I often point to weev as my example for why not to hack live sites. Well, now I have a new example.
https://thehackernews.com/2019/05/israel-hamas-hacker-airstrikes.html
DHS is putting a 15 day deadline on all critical patches. Maybe that Windows NT4SP2 box will get a little sumpn sumpn, huh?
https://thehackernews.com/2019/05/dhs-patch-vulnerabilities.html
The Google CTF is coming up in a month or so. Start doing those ZAP pushups.
https://security.googleblog.com/2019/05/google-ctf-2019-is-here.html
El Reg has a great article on the latest (of many) SQLite RCE flaws.
https://www.theregister.co.uk/2019/05/10/sqlite_rce_vuln/
Y'all know that cryptography is not my best subject, but this is important. SHA1 is now provably just as broken as MD5, so start scrubbing it from codebases, except in cases like HMAC.
https://eprint.iacr.org/2019/459
That's the news!
Another Weblogic deserialization bug.
https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html
I have a PR in for Nikto for it
https://github.com/sullo/nikto/pull/607
A reminder that application security is more than SQL Injection: good analysis of the bugs that caused the 737 Max wrecks. I had to drop it in Pastebin because IEEE put it behind the paywall.
https://pastebin.com/QEiKvvMM
Using Git dotfiles to bypass authentication.
https://blog.assetnote.io/bug-bounty/2019/04/23/getting-access-zendesk-gcp/
ZDNet, of all places, has a really good, plain language explainer of credential stuffing.
https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-operations-work/
Little more on the dev side - 10 articles reviewed about using Python in machine learning.
https://hackernoon.com/10-great-articles-on-python-development-6f54dd38437f
And that 's the news! I'll be on vacation next week, so see you on the 12th.
The Stack Overflow Survey is out and has some interesting insights
https://insights.stackoverflow.com/survey/2019
Rebex has built a tool to scan SSH servers, similar to the Qualis SSL scan
https://sshcheck.com/
A new OWASP project that I'm participating in is aiming at inventorying and improving the overall security postures of package managers - take a look
https://github.com/OWASP/packman
And that's the news!
PortSwigger has replaced the exercises in the Web Application Security Hacker's Handbook with the new Web Academy.
https://portswigger.net/web-security
An ARM assembler - in JavaScript. I don't even have the words, this is so awesome.
https://azm.azerialabs.com/
Writing a talk? Here are 60 information security statistics with corresponding references.
https://itblogr.com/60-must-know-cybersecurity-statistics-for-2019/
Google has started their own vulnerability database. I'm not sure why, we already have several, but it is worth a look.
https://www.vulncode-db.com/
And that's the news!
No April Fools here.
Solid primer on using burp Collaborator for blind command injection. One of the real benefits of Burp over ZAP.
https://threat.tevora.com/stop-collaborate-and-listen/
Bruce weighs in on a study where freelance devs were checked for their secure coding. It didn't go well.
https://www.schneier.com/blog/archives/2019/03/programmers_who.html
A new tool for testing on Windows. Now, I don't use Windows for EVERYTHING but it is nice for a lot of things. I'll be checking this out.
https://securityaffairs.co/wordpress/83065/hacking/commando-vm-windows.html
And that's the news!
Bruce has some thoughts on a well-circulated article suggesting that application security isn't that important after all.
https://www.schneier.com/blog/archives/2019/03/an_argument_tha.html
Solid analysis of SimBad, a rogue malware campaign that infiltrated the Google Play store.
https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/
Terrifying tool that creates a spoofed cert for any website and signs an executable for AV Evasion.
https://github.com/paranoidninja/CarbonCopy
More awesome research from Rapid7, on deserialization bugs. A topic, as regular readers know, that is near and dear to my heart.
https://www.rapid7.com/research/report/exploiting-jsos/
And that's the news!
Android malware had almost 150 MILLION Googe Play Store downloads before it is was discovered and pulled.
https://www.theverge.com/2019/3/13/18263739/android-adware-simbad-google-play-store
Awesome User Access Control bypass that never saves anything to disk. As always PLEASE be careful playing with malware.
https://www.activecyber.us/activelabs/windows-uac-bypass
I wrote something similar for FALE a LOOOONG time ago but the ActiveLabs tool is better.
https://github.com/lockfale/DotNetAVBypass-Master
It's old home week. Subdomain brute forcing tool in VISUAL BASIC 6!! If anyone gets this up and running let me know, I would, but it triggers my PTSD.
https://github.com/visualbasic6/subdomain-bruteforce
Thanks to Jim Holmes to tuning me into this list - collected exploits for web attacks.
https://github.com/swisskyrepo/PayloadsAllTheThings
And that's the news!!
The NSA has open sourced their internal reverse engineering tool. It's so good, many consultants I know and trust have moved to it from IDA.
https://ghidra-sre.org/
This is a great story from the Verge that reminds us all to occasionally look at the ANSI alphabet for attacks ... and passwords.
https://www.theverge.com/tldr/2019/3/5/18252150/bad-password-security-data-breach-taiwan-ji32k7au4a83-have-i-been-pwned
Remember that guy, who might or might not write this blog, who said that SPECTRE isn't a real vulnerability and it will never be exploitable? Well, he was wrong. Again.
https://www.theregister.co.uk/2019/03/05/spoiler_intel_processor_flaw/
In the department of Standing On The Shoulders of Giants, we have a ring of GitHub accounts that are promoting forked and backdoored versions of popular software.
https://www.zdnet.com/article/researchers-uncover-ring-of-github-accounts-promoting-300-backdoored-apps/
And that's the news!