I Forgot To Post On Easter Because I Was Cooking Edition
There is a really neat VMware bug that has some solid analysis already. Thanks to John from a client of mine for tuning me in to it.
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/
You need to reboot Boeing 787s every couple months or they crash. No big deal.
https://www.theregister.co.uk/2020/04/02/boeing_787_power_cycle_51_days_stale_data/
From the archives (because I just used it on a test): a Command Injection Cheatsheet:
https://hackersonlineclub.com/command-injection-cheatsheet/
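As an added example (my own code, not from the cheatsheet linked above), here is the pattern that cheatsheet exists to exploit, next to its hardened form: a command built by string concatenation and handed to a shell, versus an allowlisted value passed as an argument vector with no shell involved. The hostname values are constructed sample input, and `ping` is only executed in the demo block if it is installed.

```python
"""Added example: command injection via string-built shell commands, and the
hardened shape (allowlist validation plus argv, no shell)."""
import re
import shlex
import shutil
import subprocess

# Allowlist for what a hostname may look like: letters, digits, dots, hyphens.
# Anything a shell would treat specially (; | & $ ` spaces) cannot match.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_ping_command(host):
    """Builds a shell command by concatenation.

    This is the defect: the caller's input is spliced into a string that is
    meant for `subprocess.run(..., shell=True)`, so shell metacharacters in
    `host` become part of the command line.  The string is returned, never
    executed, so the example can show the problem safely.
    """
    return "ping -c 1 " + host


def shell_would_see(command):
    """Tokenises a command string the way a POSIX shell would (shlex with
    punctuation_chars), so injected command separators become visible
    without running anything."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def safe_ping_argv(host):
    """Returns an argument vector for ping after validating the input.

    Two independent controls: the value must match the allowlist pattern,
    and the command is expressed as a list so no shell ever parses it.
    """
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe_ping(host):
    """Executes the hardened command without a shell; returns the exit code."""
    argv = safe_ping_argv(host)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    injected = "example.com; id"  # constructed attacker-style input
    cmd = vulnerable_ping_command(injected)
    print("vulnerable string :", cmd)
    print("shell tokens      :", shell_would_see(cmd))  # two commands, not one
    try:
        safe_ping_argv(injected)
    except ValueError as exc:
        print("hardened rejects  :", exc)
    print("hardened argv     :", safe_ping_argv("example.com"))
    if shutil.which("ping"):  # only actually run it when ping exists
        run_safe_ping("127.0.0.1")
```

The allowlist is the control that matters; `shell=False` on its own stops the shell from interpreting `;` but still lets an attacker pass extra flags, which is why the argument is validated before it is ever placed in the vector.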
I was blindingly honored to judge the CBusStudentHack competition this year. Clearly it was weird, and we had to do it remotely. Way easier when you can talk to the young women and men on the teams, but we got it done via video. Here are the five finalists - worth a watch if you want to feel good about the next generation of hackers.
https://www.youtube.com/playlist?list=PLXpk4w_SsmmTJgYwm9OLgVlPkl-aQK_kc
Please stay safe and healthy.
I'm hoping everyone is safe and healthy. This whole thing is weird. But security news marches on.
There was a vulnerability discovered in Pi-hole. If you don't know what it is, don't worry, but if you do, you need to patch right meow. Either way, neat application security lessons. Good writeup here:
https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/
Along those lines, there is a vulnerability in OpenWRT. Again, if you aren't using it don't sweat it but cool writeup about the vulnerability:
https://nakedsecurity.sophos.com/2020/03/31/patch-now-critical-flaw-found-in-openwrt-router-software/
HTML 6 is coming! See what's new here:
https://morioh.com/p/6d422fc49bd2
The incredible Binni Shah tuned me in to two really interesting new C# memory injection tools:
https://github.com/coffeegist/changeling
https://github.com/pwndizzle/c-sharp-memory-injection
That's the news. Stay safe, everyone.
Unusual challenges ahead. Remember that with remote working, application security is on the front lines, and there are those out there that don't care about the pandemic crisis or dead people, they just want to steal stuff.
Extraordinary article about this exact topic from SANS. I am not SANS' biggest fan, but this is very good work.
https://isc.sans.edu/diary/rss/25940
An error in a font (no I am not kidding) is causing problems. Check your sites.
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006
I have stepped away from appsec before in this newsletter, but this is a new bar. This is a link to free codes for games on Steam to play while you are keeping away from your friends and neighbors. Let's use the Internet to stay in touch, and KEEP IT RUNNING. We are on the front lines.
https://docs.google.com/spreadsheets/d/1LoYfg6bI649dPQfevPNZzL2Xm9o4pOH0bUkIrIcWry4/edit#gid=1293924779
Please, please stay safe.
Quarantine edition.
Microsoft patches the newest SMB flaw. Stop using SMB.
https://nakedsecurity.sophos.com/2020/03/16/microsoft-patches-wormable-windows-10-smbghost-flaw/
Microsoft bought npm. This should be interesting.
https://www.windowscentral.com/microsofts-github-acquires-npm-help-javascript-developers
There are a ton of folks streaming and running virtual conferences right now. Watch them. I'm watching PancakesCon right now. Even if you are an introvert, it's good for your mental health.
https://tisiphone.net/2020/03/15/pancakescon-2020-quarantine-edition/
Keep safe, keep aware. We are in condition orange. Distance yourself from poisonous people (and I don't mean ill people). Help out your neighbors if you can.
NordVPN has yet another interesting application security vulnerability.
https://www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/
The University of Cincinnati has open sourced its malware reverse engineering class.
https://class.malware.re/
Not new but new to me: 23 node.js security tips.
https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d
That's the news!
From @baskarmib on Twitter, we have an example of malware that will steal your Google authenticator codes.
https://www.zdnet.com/google-amp/article/android-malware-can-steal-google-authenticator-2fa-codes/?__twitter_impression=true
OK, I know we have a love-hate relationship with ISC2, but they put out a cloud security paper, and it is really good.
https://blog.isc2.org/isc2_blog/2020/02/white-paper-on-cloud-security-risks-and-how-to-mitigate-them.html
Google is now explicitly suggesting that developers encrypt data used by their applications, on the device.
https://thehackernews.com/2020/02/android-app-data-encryption.html?m=1
Lots of Google today. Their security team has a good whitepaper on malicious document detection.
https://security.googleblog.com/2020/02/improving-malicious-document-detection.html
Finally, if you aren't getting Violet Blue's weekly security roundup, you are missing out. Lots of good stuff.
https://www.patreon.com/posts/cybersecurity-25-34318466
That's the news, folks. Stay safe.
PortSwigger (the company that makes Burp Suite) is out with its Top 10 web application hacking techniques.
https://portswigger.net/research/top-10-web-hacking-techniques-of-2019
Solid evidence that APIs are becoming the main target for credential stuffing attacks.
https://www.csoonline.com/article/3527858/apis-are-becoming-a-major-target-for-credential-stuffing-attacks.html
Another decent writeup for template injection. Attacks like this are becoming SO much more common in SPAs.
http://ghostlulz.com/angularjs-client-side-template-injection-xss/
That's the news, people. Stay safe out there.
From the Absolute AppSec podcast, I learned about a really great article on how account enumeration is exploited. I get pushback when I put it on reports, but it's a real vulnerability.
https://sidechannel.tempestsi.com/once-upon-a-time-there-was-an-account-enumeration-4cf8ca7cd6c1
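Since this one gets argued about on reports, here is an added example (my own code, not from the article above) of the two login shapes side by side: one whose response tells you whether the account exists, and one whose message and amount of work are the same either way. The user store, salt and passwords are constructed sample data.

```python
"""Added example: account enumeration through login responses, and the
uniform-response shape that closes it."""
import hashlib
import hmac


def _hash_password(password, salt):
    """Slow salted hash; the iteration count is what makes timing matter."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash).
_SALT = b"constructed-static-salt"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential verified when the username is unknown, so the unknown-user
# path does the same hashing work (and takes the same time) as a real one.
_DUMMY = (_SALT, _hash_password("dummy-placeholder", _SALT))


def login_enumerable(username, password):
    """The leaky shape: distinct messages, and no hashing at all for an
    unknown user, so both the body and the response time reveal whether
    the account exists."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "ok"
    return "wrong password"


def login_uniform(username, password):
    """Same message and same work on every failure path.  The extra
    `username in USERS` check stops the dummy credential from ever
    authenticating anyone."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and username in USERS:
        return "ok"
    return "invalid username or password"


def response_reveals_account(login_fn):
    """The check a tester runs: does a known user with a bad password get a
    different answer than a user that does not exist?"""
    return login_fn("alice", "wrong") != login_fn("nobody", "wrong")


if __name__ == "__main__":
    for fn in (login_enumerable, login_uniform):
        print(fn.__name__, "reveals account existence:", response_reveals_account(fn))
```

Password-reset and registration endpoints need the same treatment; a login that is uniform while "forgot password" still says "no such user" has not fixed anything.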
Chrome is going to start blocking mixed content downloads: files served over plain HTTP that are linked from HTTPS pages. Search your codebase for HTTP links!
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1
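A plain grep for `http://` will find the links, but it will also flood you with namespaces, comments and redirects. As an added example (my own code, not Chromium's), here is a small finder that parses a page's anchors, resolves relative and protocol-relative links against the HTTPS page URL, and separates HTTP links to download-type files from other HTTP links. The set of "download" extensions is an illustrative assumption, not Chrome's actual rollout list, and the HTML is constructed sample input.

```python
"""Added example: find HTTP links on an HTTPS page, and single out the ones
that point at downloadable file types."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed, illustrative list of file types worth treating as downloads.
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".dmg", ".apk", ".zip", ".tar.gz", ".pdf")


class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(value)


def find_insecure_links(page_url, html):
    """Returns {'downloads': [...], 'other_http': [...]} for an HTTPS page.

    Relative links inherit the page's scheme, so only links that resolve to
    an explicit http:// URL are reported.  A non-HTTPS page has no mixed
    content by definition and yields empty lists.
    """
    findings = {"downloads": [], "other_http": []}
    if urlsplit(page_url).scheme != "https":
        return findings
    collector = _LinkCollector()
    collector.feed(html)
    for href in collector.links:
        absolute = urljoin(page_url, href)   # resolves "/x" and "//host/x"
        parts = urlsplit(absolute)
        if parts.scheme != "http":
            continue
        path = parts.path.lower()
        if path.endswith(DOWNLOAD_EXTENSIONS):
            findings["downloads"].append(absolute)
        else:
            findings["other_http"].append(absolute)
    return findings


# Constructed sample page: one clean download, one mixed-content download,
# one mixed-content page link, and two links that resolve to HTTPS.
SAMPLE_PAGE_URL = "https://www.example.com/download"
SAMPLE_HTML = """
<a href="https://downloads.example.com/app.zip">clean: already https</a>
<a href="http://downloads.example.com/setup.exe">mixed content download</a>
<a href="http://www.example.com/docs/index.html">mixed content, not a download</a>
<a href="/files/report.pdf">relative, resolves to https</a>
<a href="//cdn.example.com/tool.zip">protocol-relative, inherits https</a>
"""

if __name__ == "__main__":
    for kind, urls in find_insecure_links(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(kind, urls)
```

Run it over rendered pages rather than templates where you can, since links assembled at runtime (from config values, CDN settings or a CMS) are exactly the ones a source grep misses.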
America isn't the only country leaving their data exposed.
https://www.zdnet.com/article/netanyahus-party-exposes-data-on-over-6-4-million-israelis/
Exposing secrets in source code is a real thing. I discovered a very cool tool that helps (if you are working in VS Code, which you should be) called Cloak.
https://johnpapa.net/hide-your-secrets-in-vs-code-with-cloak/
Finally, I have mixed feelings about this one. Firefox will stop supporting TLS 1.0 and 1.1 soon and other browsers will surely follow. I get it, there are flaws in those protocols, but they are better than nothing. This feels a lot like gatekeeping to me (older machines run older browsers), and regular readers know that I am not saying that out of political correctness. Lemme know what you think in the comments.
https://www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/
That's the news, folks. Stay safe.
Christian Pedersen wrote a cool scanner for the Netscaler Gateway flaw, and is hosting it on Azure.
https://cve-2019-19781.azurewebsites.net/
It is based on the TrustedSec POC:
https://github.com/trustedsec/cve-2019-19781
Wacom tablets call the mothership every time you load up an application. The writeup has a fantastic breakdown on how to use available tools to find this shittery.
https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/
The Twitter API was exploitable via an insecure direct object reference flaw that exposed users' phone numbers.
https://www.theregister.co.uk/2020/02/04/twitter_phone_numbers/
An ancient bug in sudo (well, by software standards anyway) allowed nonprivileged users to, well, do what superusers do.
https://thehackernews.com/2020/02/sudo-linux-vulnerability.html
That's the news folks. Keep it frosty.