Application Security Weekly for June 10

Firstly, I have had a MASSIVE chest cold that has kept me down for the count, so I have been reading a lot of news. Thus, long newsletter.

Microsoft bought GitHub. This might seem to not be a security issue, but 'tis. Why did they buy them? GitHub doesn't make money. However: 1) Microsoft wants devs on their platform and 2) they are really into machine learning. So, let's get all of the devs and all of their code and ... profit?

https://www.linuxfoundation.org/blog/microsoft-buys-github-the-linux-foundations-reaction/

This is a little older but was new to me - Bruce Schneier writing for Lawfare (recommended reading, by the way) about the implications of Efail.

https://www.lawfareblog.com/what-efail-tells-us-about-email-vulnerabilities-and-disclosure

A cartoon intro to DNS over HTTPS. We need more of these.

https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/

Building malicious zip files: Snyk's sample archives for the Zip Slip vulnerability. Remember, mess with malware in a virtual machine, and NOT on your company network please.

https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/README.md

Didier Stevens is oft referenced in these missives, and he had a really productive May. I'll just link to his own overview. Lots of great appsec content.

https://blog.didierstevens.com/2018/06/05/overview-of-content-published-in-may-3/

XSS on ESPN's site. Stuff is just everywhere:

http://seclists.org/fulldisclosure/2018/Jun/22

Oh man, I forgot about this one. Remote Code Execution on a voice-based AI (Mycroft). You know, one of those smart speakers? Incredible stuff. Now I wanna go test my Echo.

https://github.com/Nhoya/MycroftAI-RCE

And we'll finish up with a breakdown by El Reg of all of the week's data breaches.

https://www.theregister.co.uk/AMP/2018/06/09/what_got_breached_this_week_ticket_portals_dna_sites_and_atlantas_police_cameras/

Have a good week, everyone. I'm going back to bed. Oh, and that's the news.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.