Application security weekly for April 22

More news than usual today.


There is a new WebLogic RCE. I'll be adding it to Nikto this week.

https://github.com/brianwrf/CVE-2018-2628


Android is adding DNS over TLS. As a user I am happy about this.  As a tester, @#$%&#$%@^.

https://security.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html


There are 100 devs for every appsec specialist. We have our work cut out for us.

https://www.infosecurity-magazine.com/news/developers-outnumber-security-pros/


The thermometer in a fishtank was the pivot point for hackers to pwn a casino. Noice.

http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T


Holy crap, I forgot about this one. The RSA custom Android application had the API keys stored in the source code, so someone downloaded the attendee list.

https://twitter.com/svblxyz/status/987044025122336774


Verizon last week, Microsoft this week. Annual security report.

https://cloudblogs.microsoft.com/microsoftsecure/2018/03/15/microsoft-security-intelligence-report-volume-23-is-now-available/


Finally, a teen found some documents on a web server, downloaded them, and is now going to jail. Stay safe out there, kids!

http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970


And that's the news.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
