Application security weekly for April 22

More news than usual today.

There is a new WebLogic RCE. I'll be adding it to Nikto this week.

https://github.com/brianwrf/CVE-2018-2628

Android is adding DNS over TLS. As a user I am happy about this. As a tester, @#$%&#$%@^.

https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html

There are 100 devs for every appsec specialist. We have our work cut out for us.

https://www.infosecurity-magazine.com/news/developers-outnumber-security-pros/

The thermometer in a fishtank was the pivot point for hackers to pwn a casino. Noice.

http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T

Holy crap, I forgot about this one. The RSA custom Android application had the API keys stored in the source code, so someone downloaded the attendee list.

https://twitter.com/svblxyz/status/987044025122336774

Verizon last week, Microsoft this week: annual security report season.

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/15/microsoft-security-intelligence-report-volume-23-is-now-available/

Finally, a teen found some documents on a web server, downloaded them, and now is going to jail. Stay safe out there, kids!

http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970

And that's the news.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.