No, I haven't given up on my OTHER blog series about application vulnerability assessment but an opportunity opened up to start publishing my client newsletter on my blog. It's just usually four stories about appsec that I think are particularly important this week. Not even a lot of commentary, but if you only have so much time to absorb appsec news, then this could be a great way to fit some news in.
Enough chatting, this week's stories:
Any authenticated user on a Samba 4 Active Directory can change any other user's password via LDAP. A patch is available.
https://www.theregister.co.uk/2018/03/14/samba_password_bug/
As we all surmised, there was an app that leveraged Open Graph to download profiles from Facebook for the purposes of crafting the election advertising.
https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election
I spend a lot of time talking about the Facebook Open Graph; here I am three years ago at Cleveland BSides:
https://www.youtube.com/watch?v=Ze9Pzb1KSFw&feature=youtu.be&t=12m26s
Abusing Certificate Transparency logs to get subdomains from an HTTPS website:
https://github.com/UnaPibaGeek/ctfr
A nice primer on breaking encryption from MalwareBytes:
https://blog.malwarebytes.com/threat-analysis/2018/03/encryption-101-how-to-break-encryption/
Happy hunting!