Venmo, a social payment system, defaults to public disclosure of payments made on the system.

https://arstechnica.com/tech-policy/2018/07/venmos-terrible-idea/

Scott Simmons has some terriffic advice about using Same-Origin policy as a control for CSRF.

https://www.appsecconsulting.com/blog/using-the-same-origin-policy-to-control-for-cross-site-request-forgery

Open redirect flaw in Electron exploites in the new Google Hangouts Chat application.

https://blog.bentkowski.info/2018/07/vulnerability-in-hangouts-chat-aka-how.html?m=1

F5 has released their annual Application Protection report.  Worth a read.

https://www.f5.com/labs/articles/threat-intelligence/2018-Application-Protection-Report

DOMpurify, a common control for DOM based XSS, has a vulnerability - update if you are using it (you probably are).

http://www.thespanner.co.uk/2018/07/29/bypassing-dompurify-with-mxss/

It has come to my attention that one of Paul Asadoorian's Security Weekly broadcasts is titled Application Security Weekly! I had no idea. It's good too, you should listen.  I caught up with the last few weeks when I drove over to Indianapolis to chat with the Indy Software Artisans meetup.  Anyway, I am changing the title of this recurring series of posts to Application Security This Week because of the mixup.

Interesting discussion over at El Reg about the weakest link in software security.

https://www.theregister.co.uk/2018/07/16/who_is_the_weakest_link_in_software_security/

Oracle addressed 334 security vulnerabilities in its latest patch series.

https://www.us-cert.gov/ncas/current-activity/2018/07/17/Oracle-Releases-July-2018-Security-Bulletin

Shape Security did the math, and 9 out of 10 login attempts on the web are bypass attempts.

http://info.shapesecurity.com/rs/935-ZAM-778/images/Shape_Credential_Spill_Report_2018.pdf?aliId=7269967

For my home internet, I have one choice - Spectrum, née Time Warner Cable.  I don't completely live in the boonies but it is far enough away from everything that I can't get anything but cable, and Time Warner is the only cable company I got.  Honestly it hasn't been bad - I have been a customer since they were Roadrunner, and have had nearly zero problems.  Had a mixup when we moved our phone service to them, which led to us dropping phone altogether and just using mobile (and the alarm system for emergencies). Had a couple useless repair folks.  Over a 20 year history with them, I'm pretty pleased.

However, we have started having brownouts.  We'll be tooting along, then the feed will go to a dribble. I pay for 50 Mbps down, and usually get 70, but then it will be 500 Kbps for hours.  Then it will be fine.  Is it Spectrum?  My modem?  My router?  Something else on my network? I wasn't sure, so I would lug my laptop back there, plug the ethernet from the cable model directly in, and run Speedtest. Started to get some data.  Then, the laptop that had an ethernet port went titsup.  Now what?

Enter the Speedtest Pi.  I scrapped a screen from an old POS appliance that I tested and was allowed to keep, an old mini keyboard, and one of the dozen Pis that I have laying around from various programs I have taught, and built a semi-permanent speed test appliance that I can go and use anytime I want.

I did need to buy an AV shield at Microcenter so I didn't have to soldier the heck out of the Pi, but that's OK. This was a quick and dirty job, and the shield was only $15.

Now - best way to do the speedtest?  Well, did you know there is a Speedtest API? I DID NOT.  To make it even better, there is a speedtest command line interface app in the install paths for Raspbian.  So I simply:

sudo apt-get install speedtest-cli

and that's all there was to it.

Next next step is to put a fast switch in, so that I can leave it on all the time, and then have it run every hour or so, and show a graph on the screen.  Should be a fun Python project.

npm is a dumpster fire.  Yet another malicious package discovered that it automagically brought into many projects thanks to dependencies.  In other news, I learned about snyk, which is a pretty cool tool.

https://snyk.io/vuln/npm:eslint-scope

In dev news, the #1 development GUI of all time is being updated.  Notepad!

https://www.theverge.com/platform/amp/2018/7/12/17563704/microsoft-windows-notepad-app-update

Apple wrote some code to appease the Chinese government and it was kind of a mess.

https://objective-see.com/blog/blog_0x34.html

Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.

http://seclists.org/fulldisclosure/2018/Jul/44

Remember when I said "Spectre is not exploitable"?  Yeah, I was wrong.  Again, and again, and again...

https://arstechnica.com/gadgets/2018/07/new-spectre-like-attack-uses-speculative-execution-to-overflow-buffers/

New variation of my favorite Weblogic vuln - CVE-2017-10271.

https://techblog.mediaservice.net/2018/07/cve-2017-10271-oracle-weblogic-server-remote-command-execution-sleep-detection-payload/

I wrote the tests for this vulnerability for Nikto.

https://github.com/sempf/nikto/commit/530351343da18f684b57fbf7431717cf24f9eb4e#diff-05c4b2da09480ffee5450fdf8fa8faac

And that's the news.

LTE has a bug.  Who knew? One more strike for IoT devices, methinks.

https://arstechnica.com/information-technology/2018/06/lte-wireless-connections-used-by-billions-arent-as-secure-as-we-thought/

Cool XXE Vulnerability in WeChat Pay SDK.

http://seclists.org/fulldisclosure/2018/Jul/16

UK's National Health Service had a breack due to a currently unspecified coding flaw, keep an eye on the story for more info.

https://www.theregister.co.uk/2018/07/03/confidential_patient_info_nhs_software_share_tpp/

It's the "Bill accidentally skipped a week" edition.  I didn't even DO anything last Sunday, I just forgot!

The IETF calls for formal revocation of the TLS 1.0 and 1.1 standards.  This will effectively cut mobile users on Android 4.4 and earlier off the web.  Guess who this hurts: developing countries. And why?  Because it's possible to decrypt a message BEFORE the heat death of the universe.  We have a priority problem.

https://www.theregister.co.uk/2018/06/19/ietf_calls_for_formal_tls_1_0_1_1_deprecation/

Rhino Security put together a good article about privilege escalation on Amazon Web Services, and it is juicy.

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

They have an open source AWS scanning tool too!!

https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools

This isn't a security story explicitly, but it is about why security in apps for mobile is so important, and it features Columbus, where I am based.  And it is The Atlantic, one of my favorite papers.

https://www.theatlantic.com/technology/archive/2018/06/shops-arent-for-shopping-anymore/563054/?utm_source=feed

There's a 7-month-unpatched vulnerability in Wordpress that allows for unauthorized access.  Considering what Wordpress has grown into I'm kind of shocked by this.

https://thehackernews.com/2018/06/wordpress-hacking.html

A breach bigger than Equifax?  SURE WHY NOT.

https://www.wired.com/story/exactis-database-leak-340-million-records/

While I am eating up your Wired soft-paywall allowance, they have another good article on how the Mirai botnet was just some kids trying to cheat at Minecraft.  Great long read.  Don't screw with malware, folks!

https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/?mbid=social_twitter

By the way, Wired has great reporting and is worth the $10 a year.  You should subscribe.

And that's the news.  Have a great 4th, if you are in the US.  Otherwise, have a great week!