Application Security This Week for January 27

Here's a thread by Michael Stanek about how bad 7-zip's encryption algorithm is.  I use this all the time and had no idea.

https://threadreaderapp.com/thread/1087848040583626753.html

An exploit POC that Mark Haase wrote for the new SCP vulnerability.

https://gist.github.com/mehaase/63e45c17bdbbd59e8e68d02ec58f4ca2

Hadoop is the new target for a lot of malware.  Please stop leaving your clusters vulnerable.

https://www.theregister.co.uk/2019/01/24/hadoop_malware_attack/

Chrome is turning off the API that UBlock Origin uses. Makes sense - Chrome is free, Google is an ad company. Whatcha gonna do?

https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/

While you're here, the Central Ohio Infosec Summit has their annual Call For Papers open.  Submit!

https://www.infosecsummit.com/eSites/2019cbusinfosec/Homepage

And that's the news.

Application Security This Week for January 20

A 773 million record file of usernames and passwords discovered

https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/#comment-4289914828

Google releases a tool to help with TLS certificate management

https://www.theregister.co.uk/2019/01/09/certs_resh_security/

Really cool attack discovered using zero width spaces

https://www.theregister.co.uk/2019/01/09/certs_resh_security/

DNS Hijacking on the rise

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

Late addition: Watch your password control logic, please!

That's the news, folks.

Application Security This Week for January 6

New year, new vulnerabilities.

Or old vulnerabilities.  How about Open Redirects, the vulnerability no one cares about other than the bad guys.

https://stevetabernacle.github.io/blog/open-redirects-the-vulnerability-class-no-one-but-attackers-cares-about/

We gotta look back at The Year That Was.

https://www.theregister.co.uk/2018/12/27/2018_the_year_in_security/

Someone cracked recaptcha.  Again.

https://github.com/ecthros/uncaptcha2

Chrome was leaking device info.  I got caught by this too.

https://threatpost.com/chrome-in-android-leaks-device-fingerprinting-info/140480/

Cool research on a malicious jpeg.

https://isc.sans.edu/forums/diary/A+Malicious+JPEG/24490

https://isc.sans.edu/diary/A+Malicious+JPEG%3F+Second+Example/24494

That's the news, folks.  Happy new year! Hope to see some of you at CodeMash.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.