A new blog series: Application Security Weekly

No, I haven't given up on my OTHER blog series about application vulnerability assessment, but an opportunity opened up to start publishing my client newsletter on my blog.  It's usually just four stories about appsec that I think are particularly important this week.  Not even a lot of commentary, but if you only have so much time to absorb appsec news, then this could be a great way to fit some news in.

Enough chatting, this week's stories:


Any authenticated user on a Samba 4 Active Directory can change any other user's password via LDAP.  A patch is available.

https://www.theregister.co.uk/2018/03/14/samba_password_bug/


As we all surmised, there was an app that leveraged Open Graph to download profiles from Facebook for the purposes of crafting the election advertising.

https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

I spend a lot of time talking about the Facebook Open Graph; here I am three years ago at Cleveland BSides:

https://www.youtube.com/watch?v=Ze9Pzb1KSFw&feature=youtu.be&t=12m26s


Abusing Certificate Transparency logs to get subdomains from an HTTPS website:

https://github.com/UnaPibaGeek/ctfr
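The same Certificate Transparency data that a subdomain-enumeration tool reads is also what a defender should be watching, since every certificate publicly logged for your domain is visible to everyone. The following is an added example (not code from ctfr or from this post) that parses records in the shape of crt.sh's JSON output and pulls out the hostnames certified under a domain, then flags any that are not in a known inventory. The sample records, the issuer names and the `example.com` hostnames are constructed for the example; the field names `name_value`, `issuer_name` and `not_after` are assumed to match crt.sh's JSON export, where `name_value` packs all SANs of one certificate into a newline-separated string.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of crt.sh's JSON output (assumption: the
# fields used here, "name_value" and "issuer_name", match that API; the
# records themselves are made up for this example).
SAMPLE_CT_RECORDS = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2018-01-10T00:00:00", "not_after": "2018-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.com",
     "not_before": "2018-02-01T00:00:00", "not_after": "2018-05-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2",
     "name_value": "mail.example.com\nWWW.example.com",
     "not_before": "2017-06-01T00:00:00", "not_after": "2018-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.test",   # looks similar, but is not under our domain
     "not_before": "2018-03-01T00:00:00", "not_after": "2018-06-01T00:00:00"},
])


def _names_under(rec, domain):
    """Yield the lower-cased SANs of one record that fall under `domain`.

    Only `domain` itself or names ending in ".<domain>" qualify, so the
    look-alike "example.com.evil.test" above is rejected.
    """
    for raw in rec.get("name_value", "").split("\n"):
        name = raw.strip().lower()
        if name and (name == domain or name.endswith("." + domain)):
            yield name


def hostnames_from_ct(records_json, domain):
    """Return the sorted set of hostnames under `domain` named by CT records."""
    domain = domain.lower()
    found = set()
    for rec in json.loads(records_json):
        found.update(_names_under(rec, domain))
    return sorted(found)


def certs_by_issuer(records_json, domain):
    """Map each issuer to the names it has certified under `domain`.

    This is the defender's view of the same data: an issuer you never
    contracted with, or a wildcard you did not request, shows up here.
    """
    domain = domain.lower()
    by_issuer = defaultdict(set)
    for rec in json.loads(records_json):
        for name in _names_under(rec, domain):
            by_issuer[rec["issuer_name"]].add(name)
    return {issuer: sorted(names) for issuer, names in by_issuer.items()}


def unexpected_names(records_json, domain, known):
    """Names certified under `domain` that are missing from the `known` inventory."""
    known = {k.lower() for k in known}
    return [n for n in hostnames_from_ct(records_json, domain) if n not in known]


if __name__ == "__main__":
    print(hostnames_from_ct(SAMPLE_CT_RECORDS, "example.com"))
    print(certs_by_issuer(SAMPLE_CT_RECORDS, "example.com"))
    print(unexpected_names(SAMPLE_CT_RECORDS, "example.com",
                           ["example.com", "www.example.com"]))
```

Run against a real export, the `unexpected_names` list is the part worth alerting on: a staging wildcard or a mail host that nobody in the organization remembers requesting is exactly what an attacker enumerating the same log would find first.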


A nice primer on breaking encryption from Malwarebytes:

https://blog.malwarebytes.com/threat-analysis/2018/03/encryption-101-how-to-break-encryption/


Happy hunting!


Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
