Application Security This Week for August 4

by Bill Sempf 4. August 2019 12:20

The Capital One breach leads the news this week, for a dozen good reasons.


Reeeeeely good writeup on Crypto attacks from Checkpoint.  More than just reading the unreadable, ya know.


The Node Package Manager is in the news again, thanks to a huge kerfuffle related to someone injecting malware into a much-used package.  Think before you import, people.


Credential stuffing attacks are outpacing phishing, sayeth Akamai.


And we are still talking about weakening encryption, of course:


That's the news, people.  Stay safe.


Facebook, Passport, and the Human Condition

by Bill Sempf 2. August 2019 19:18

Facebook is under heavy fire for privacy "violations", although they never did anything they didn't explicitly tell users they were going to do. Also, no privacy laws apply to what they did wrong. Also, if the product is free, you are the product. Blah blah. Fact is, in a capitalist society, companies are going to do whatever they can within the constraints of the law to make a buck. If they make enough customers angry, they will eventually lose money, and that is the incentive to stay on the straight and narrow.

Anyway, in case you hadn't heard, there are a lot of things going on here that have raised the ire of Facebook's customer base. For years, I have demoed using the Open Graph API to download either all of the public users on Facebook, or friends of friends' private information. Of course, as we all know, Cambridge Analytica used that same API to write a slick little plugin to gather a boatload of information and sell it to political candidates, which influenced elections, and they are kinda important around here, so people got mad. Technically, they did nothing that hasn't been done a hundred times (hell, I have written software that does it) but this time people got mad. So be it.

Then there is the fake news, and the tracking, and watching where you go on the web even if you don't have a Facebook account, and and and you get the idea. Folks got mad. Facebook did the whole mea culpa thing, as one does, and their customer count still goes up. At the time of this writing, they are still the most used application on the planet. Roger that.

Once upon a time

Let's get in the wayback machine. No, not Brewster Kahle's WayBack Machine, just an imaginary one. In 2002, I was at TechEd signing the newly minted Professional Visual Basic.NET book, and trying to keep up with the Wrox contingent (news flash: Brits can drink.) In the evenings, I was working on an article about the second incarnation of Microsoft Passport. The original version was a try at what is now Active Directory Federated Services, but this version was a holistic internet identity. It would track your calendar, your credit cards, your contact list, your email, everything, and help you out. If you bought plane tickets, it would have your Visa at the ready, and automatically add the flight to your calendar. If your kids emailed to tell you they needed cupcakes for the bake sale, BANG, on the shopping list.

But … there was a problem. The user base went shitfuck. Some of the comments I remember were "I'll sooner throw my computer in the river than give Microsoft access to my calendar and credit cards" and "Are you saying they will look at our email and change our data without asking first?" and "The day will never come that I will let Microsoft log me into my bank".


Anyway, if you are of a certain age, and I told you the names of the people what wrote those things, you would instantly recognize them, I promise you. Me, I thought Passport was pretty neat. Not many other people thought it was neat. Court cases were filed. People quit Microsoft jobs (really!) over this. It was a disaster.

Fast forward

So here we are today. Facebook is under fire for using the data that people gave them freely to buy Mark more fast cars and hot women and blow, and people are mad. Meanwhile, they are logging into American Airlines, using their stored credentials, and their saved credit card info, and the email from American automatically adds the flight to their Google calendar.

Suffice it to say, in 15 years we'll be having this same, exact conversation about some other technology, maybe facial recognition and brain scanning or something. I dunno. William Gibson probably does. Either way, Facebook has breached the front. In not too long, the user base will have gotten used to it, and whatever is after Facebook will sell our data with impunity.


Application Security This Week for July 28

by Bill Sempf 28. July 2019 13:25

It's 1994 again! Encryption is on the table for law enforcement. Be ready for entry in the back door soon.

If you want to read about the LAST time we tried this, I recommend Matt Curtin's book Brute Force.


Very good analysis of the XML eXternal Entity (XXE) attack.


Gitlab's Global Developer Report has some interesting security insights.


If you write mobile apps, and your vulnerability assessment mentions "a third party malicious app could exploit this" pay attention to it.  It's really happening in the wild.


That's the news!



Application Security This Week for July 21

by Bill Sempf 21. July 2019 19:11

Awesome paper presented in France covering XXE - really good research.  Worth a read.


Those who have taken my training know how I talk about protecting the soft meaty middle - well, Slack is proving that user accounts are the gift that keeps on giving.  They reset passwords - from a breach 4 years ago.


Really neat tool for hooking executables in Windows.  I tried it, it's super neat.


Here's an I-wish-it-was-an-OWASP-project example.  Tons of research on Command injection.


That's the news folks.  Stay safe out there.


Application Security This Week for July 14

by Bill Sempf 14. July 2019 10:35

A wonderful human being put together a list of resources about hacking mainframe systems, worth a look if your organization is run on the big metal.


Apple had a not-good-very-bad week.  First, the OpenID Foundation dinged the Mac implementation of "Sign in with Apple".

Then it was discovered that all of the magic of Zoom's conference software is due to a web server installed on macOS, which you can't remove!  (Heeeey!)


Rhino Security released a new version of CloudGoat, an insecure-by-design cloud deployment tool.


One of my favorite attacks against file uploads that take zip files is the zipbomb.  Well, someone made a really nice one.


There is a flaw in the Android update system that allows attackers to modify updates on the fly.  Oh, and it is being exploited in the wild.


That's the news, folks.  Have a safe week!



Application Security This Week for July 7

by Bill Sempf 7. July 2019 14:47

Good article on using fuzzers as productivity tools

Reminds me of a great talk by the remarkable Craig Stuntz, worth a read.


Firefox will automatically trust certificates trusted by your OS

In other Firefox news, the UK is up in arms about Secure DNS breaking the Great British Pornwall


Next time I ping your site for not using X-FRAME-OPTIONS on a DNS endpoint, well, HAH I TOLD YOU SO NAAA NAA NAA


And that's the news, folks.


Application Security This Week for June 30

by Bill Sempf 30. June 2019 09:46

Fascinating look into Internet routing that caused an outage last week.  We are really building this city on a bed of sticks.


Not my normal fare for this newsletter, but Microsoft added a secure vault to OneDrive.  Not in the US yet, but my Australian friends can give it a try.


There is a directory traversal vulnerability in ... this blog!  Please don't hack me.  I'll update later today.


MongoDB is adding field level encryption.  Now if folks would just use the authentication features ...


Found a VERY cool tool that lists known vulnerabilities in default containers.


A weird edge case forces the npm deployment script to push the .git folder.  Remember, complexity is the enemy of security.


And that's the news folks.



Application Security This Week for June 23

by Bill Sempf 23. June 2019 14:03

Google has decided that the API that underpins the Chrome extension kit is too powerful - and they aren't wrong.  But the changes appear to be killing adblockers.  Strange, that.


No, you aren't reading an old edition of this newsletter.  There really is another Oracle WebLogic deserialization bug.


Good writeup on the current state of 2 factor authorization.


That's the news, folks.



Application Security This Week for June 16

by Bill Sempf 16. June 2019 19:34

Happy Father's Day!


Great writeup by Rapid7 about security-focused HTTP headers.


Phishing kit used by the bad guys has a gaping insecure file upload bug.


"But it's inside the firewall!" Here's 18 cases of insider attacks in the banking industry.


And, a little security related humor to lighten your week.


And that's the news.




Application Security This Week for June 2

by Bill Sempf 2. June 2019 10:09

Accidentally Took Memorial Day Weekend Off Edition


New tool: FinalRecon - OSINT Tool For All-In-One Web Reconnaissance


Permanent URL Hijack Through 301 HTTP Redirect Cache Poisoning


Didier Stevens, one of my favorite researchers, mentioned that one of his readers has made a docker container with all of his tools.


There is a POC for CVE-2019-0708. Certainly is worth a look.


Speaking of Docker, there is a bug that allows a hypervisor jump.


Finally, the always-wonderful folks at Portswigger have a cool analysis of Behavioral Fuzzing.


And that's the news! Have a great week.


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
