by Bill Sempf
29. December 2019 11:02
It's the holiday edition! No, I'm kidding, it's the same stuff as usual. Sorry.
Apparently there is a chat app that is literally spyware developed by a nation state. This isn't a political blog, but the technical implications are deep. Here's a good writeup.
https://objective-see.com/blog/blog_0x52.html
I'm all about supply chain issues, and this is a really good analysis of risks involved with package managers like npm.
https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
Someone reverse engineered an RSA token and is using it to bypass two-factor authentication in the wild.
https://www.schneier.com/blog/archives/2019/12/chinese_hackers_1.html
That's the news, folks. See you next decade.
by Bill Sempf
22. December 2019 11:08
Hope everyone has a good holiday.
You probably heard that the Russian offices of nginx were raided by law enforcement. F5 is doing a code review of its nginx builds as a precaution.
https://www.msn.com/en-us/news/technology/f5-networks-secures-ngnix-software-builds-as-precaution-after-visit-from-russian-law-enforcement/ar-BBY357u?ocid=ARWLCHR
Solid research on privilege escalation in Amazon Web Services. A very real problem.
https://know.bishopfox.com/research/privilege-escalation-in-aws
Do you want to bone up on real-world appsec skills over the week? I recommend the PortSwigger Web Security Academy.
https://portswigger.net/web-security
That's the news.
by Bill Sempf
15. December 2019 13:36
Nice writeup that explains a pivot from an iPhone app all the way through to domain access via chained exploits. Application security is hard.
https://decoder.cloud/2019/12/12/from-iphone-to-nt-authoritysystem/
The security.txt file is close to becoming an IETF standard.
https://mailarchive.ietf.org/arch/msg/ietf-announce/OFuiGlVv6WgvEEABaGmnYi120yU
Cool writeup of horizontal privilege escalation in Azure using the Cloud Shell.
https://blog.netspi.com/attacking-azure-cloud-shell/
That's the news. Hope everyone is having a stress-free holiday.
by Bill Sempf
8. December 2019 11:19
My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter. Oopsie.
https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
An Android spoofing vulnerability is already being exploited by bank thieves. Hard to write secure apps when the platform doesn't help.
https://arstechnica.com/information-technology/2019/12/vulnerability-in-fully-patched-android-phones-under-active-attack-by-bank-thieves/
On that topic, here's a cool primer on Android reverse engineering.
https://maddiestone.github.io/AndroidAppRE/
TruffleHog is a (still a little rough) script that searches git commit history for high-entropy strings to sniff out secrets committed to GitHub repos.
https://www.darknet.org.uk/2019/12/trufflehog-search-git-for-high-entropy-strings-with-commit-history/
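The "high-entropy strings" trick behind that kind of scanner is simple enough to show. The following is an added example, not TruffleHog's own code: it computes Shannon entropy per character for base64-like and hex-like tokens in a constructed diff and reports the ones that look random. The regexes, thresholds (4.5 bits/char for base64 material, 3.0 for hex) and the sample diff are assumptions for the demo; nothing in it is a real credential.

```python
"""Illustrative high-entropy string scan, added here as an example; it is not
TruffleHog's code. Constructed sample text stands in for a git diff."""
import math
import re
from typing import Dict, List, Tuple

# Character classes and thresholds in bits per character. Assumption for the demo:
# base64-ish material needs ~4.5 bits/char to look random, hex ~3.0 (hex maxes out at 4.0).
CHARSETS = [
    ("hex", re.compile(r"[0-9a-fA-F]{20,}"), 3.0),
    ("base64", re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.5),
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character, from its own character frequencies."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_high_entropy_strings(text: str) -> List[Tuple[int, str, str, float]]:
    """Return (line number, charset name, token, entropy) for every token that
    clears its charset's threshold. A token is reported once even if two
    character classes match it (hex is a subset of the base64 alphabet)."""
    hits = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, threshold in CHARSETS:
            for tok in pattern.findall(line):
                ent = shannon_entropy(tok)
                if ent >= threshold and (lineno, tok) not in seen:
                    seen.add((lineno, tok))
                    hits.append((lineno, name, tok, round(ent, 3)))
    return hits


# Constructed sample: a diff with a long identifier (low entropy), a random-looking
# key, a hex token and an obvious placeholder. Nothing here is a real credential.
SAMPLE_DIFF = """\
+# Copy the template connection string from docs
+builder = ConnectionStringBuilder(server="db.internal")
+AWS_SECRET_ACCESS_KEY = "Qz7pLm2Xk9Wv4Rt8Yb1Nc6Hd3Jf5Gs0AeUiOyZxP"
+api_token_hex = "7a3c91e5f0b2d86447e1c5a93f2b0d68"
+placeholder = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"""

if __name__ == "__main__":
    for lineno, name, tok, ent in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"line {lineno}: {name} token {tok} ({ent} bits/char)")
```

Only lines 3 and 4 of the sample are flagged: `ConnectionStringBuilder` is long but repeats letters and scores under 4 bits/char, and the all-`A` placeholder scores zero. Entropy alone is a blunt instrument (commit hashes and UUIDs in comments also score high), which is why tools in this space pair it with regexes for known key formats and manual review.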
AWS built a tool to yell at you if you have open S3 buckets.
https://www.theregister.co.uk/2019/12/03/aws_s3_buckets/
That's the news, folks. Stay safe out there.
Tags: ASTW
by Bill Sempf
1. December 2019 09:30
Fortinet products are communicating using hardcoded keys and a simple XOR cipher. Whoops.
https://sec-consult.com/en/blog/advisories/weak-encryption-cipher-and-hardcoded-cryptographic-keys-in-fortinet-products/
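To see why "static key plus XOR" is a finding and not a cipher, here is an added example (my own sketch, not the vendor's code, and not a reproduction of its wire format, which this post does not describe). A repeating XOR key leaks completely under known plaintext: one predictable header in one captured message gives up the key, and the key then opens every other message from every unit that ships with it. The key, the header and the two messages are constructed for the demo.

```python
"""Why a hardcoded key plus plain XOR is not encryption. Added as an example; it is
not the vendor's code or wire format. Key, header and messages are constructed."""
from itertools import cycle
from typing import Optional

# Constructed: stands in for a key shipped inside every unit of a product line.
HARDCODED_KEY = b"s3cretK3y!"
# Constructed: a fixed header every message begins with; any predictable prefix
# (protocol banner, JSON keys, timestamps) serves the attacker just as well.
KNOWN_HEADER = b"HELLO-DEVICE-V1 "


def xor_with_static_key(data: bytes, key: bytes) -> bytes:
    """The weak scheme: every byte XORed with a repeating key. Because XOR is its own
    inverse, the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes,
                max_key_len: int = 64) -> Optional[bytes]:
    """Known-plaintext attack against a repeating XOR key of unknown length.

    ciphertext XOR plaintext yields the keystream, so the first k bytes of that
    stream are a candidate key of period k. We accept the shortest k whose candidate
    reproduces the whole known prefix. The known prefix must be longer than the key;
    otherwise every candidate trivially fits and nothing is learned, so we return None."""
    usable = min(len(ciphertext), len(known_plaintext))
    for key_len in range(1, min(max_key_len, usable - 1) + 1):
        candidate = xor_with_static_key(ciphertext[:key_len], known_plaintext[:key_len])
        if xor_with_static_key(ciphertext[:usable], candidate) == known_plaintext[:usable]:
            return candidate
    return None


def demo() -> tuple:
    """Capture two messages protected by the same key; learn the key from the
    predictable header of the first and read the second outright."""
    msg_a = KNOWN_HEADER + b"status=ok"
    msg_b = KNOWN_HEADER + b"admin-password=hunter2"
    ct_a = xor_with_static_key(msg_a, HARDCODED_KEY)
    ct_b = xor_with_static_key(msg_b, HARDCODED_KEY)
    key = recover_key(ct_a, KNOWN_HEADER)  # the attacker never saw HARDCODED_KEY
    return key, xor_with_static_key(ct_b, key)


if __name__ == "__main__":
    key, plain = demo()
    print("recovered key:", key)
    print("second message:", plain)
```

Sixteen bytes of predictable header are enough to recover a ten-byte key, and the recovered key decrypts the second message in full. A key that is identical across an entire product line is not a secret, so there is no parameter tweak that rescues this design; the fix is a standard authenticated channel with per-session keys (TLS), not a longer XOR key.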
An Android GIF library has an interesting vulnerability that will affect many applications.
https://seclists.org/fulldisclosure/2019/Nov/27
An OWASP member made a neat Kubernetes operator for ZAP that runs scans against applications deployed in the cluster.
https://github.com/omerlh/zap-operator
Hope everyone had a great Thanksgiving.