Application Security This Week for January 27

by Bill Sempf 27. January 2019 13:29

Here's a thread by Michael Stanek about how bad 7-Zip's encryption is. I use this all the time and had no idea.

https://threadreaderapp.com/thread/1087848040583626753.html


A proof-of-concept exploit that Mark Haase wrote for the new SCP vulnerability, in which a malicious server can drop files the client never asked for.

https://gist.github.com/mehaase/63e45c17bdbbd59e8e68d02ec58f4ca2


Hadoop is the new target for a lot of malware, mostly via clusters left reachable from the internet. Please stop leaving your clusters exposed.

https://www.theregister.co.uk/2019/01/24/hadoop_malware_attack/


Chrome is turning off the blocking webRequest API that uBlock Origin uses. Makes sense - Chrome is free, Google is an ad company. Whatcha gonna do?

https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/


While you're here, the Central Ohio Infosec Summit has its annual Call for Papers open. Submit!

https://www.infosecsummit.com/eSites/2019cbusinfosec/Homepage


And that's the news.


Application Security This Week for January 20

by Bill Sempf 20. January 2019 14:35

A 773 million record file of usernames and passwords ("Collection #1") was discovered; Troy Hunt has the write-up.

https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/#comment-4289914828


Google releases a tool to help with TLS certificate management.

https://www.theregister.co.uk/2019/01/09/certs_resh_security/


A really cool attack that uses zero-width spaces was discovered.

https://www.theregister.co.uk/2019/01/09/certs_resh_security/


DNS hijacking is on the rise: FireEye's write-up of a global campaign manipulating DNS records at scale.

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html


Late addition: Watch your password control logic, please!


That's the news, folks.


Application Security This Week for January 6

by Bill Sempf 8. January 2019 09:37

New year, new vulnerabilities.


Or old vulnerabilities. How about open redirects, the vulnerability class no one but attackers cares about.

https://stevetabernacle.github.io/blog/open-redirects-the-vulnerability-class-no-one-but-attackers-cares-about/
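The post only links to the write-up, so here is an added example of the check that actually closes this class. It is my code, not the linked post's or Bill's: a redirect-target validator that accepts only same-site paths or allow-listed hosts and rejects the parser-confusion tricks ("//evil.com", "/\evil.com", "https://good@evil.com", "javascript:") that slip past a naive "starts with /" test. The host list and the function names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hosts the application is willing to redirect to. Constructed for this
# example; a real application would load this from configuration.
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a path on this site or points at an
    allow-listed host.  Anything else (other hosts, odd schemes, tricks that
    make the browser and the server parse the URL differently) is rejected."""
    if not target:
        return False

    # Browsers drop tab/CR/LF anywhere in a URL and treat "\" as "/".
    # Normalise the same way, so that "/\evil.com" or "/\t/evil.com" is seen
    # here as the "//evil.com" the browser will actually navigate to.
    candidate = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")

    parts = urlsplit(candidate)

    # Only plain web schemes; this blocks javascript:, data:, vbscript:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    # Absolute ("https://host/...") or protocol-relative ("//host/...") URL:
    # the host must be on the allow list.  `hostname` strips any "user:pass@"
    # prefix, so "https://app.example.com@evil.com/" resolves to evil.com.
    if parts.netloc:
        host = parts.hostname
        return host is not None and host.lower() in allowed_hosts

    # A scheme with no host ("http:evil.com", "https:///evil.com") is
    # interpreted by browsers in ways this parser does not match; refuse it.
    if parts.scheme:
        return False

    # Relative target: require exactly one leading "/" (a path on this site).
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_target(requested: str, default: str = "/") -> str:
    """Pick the post-login destination: the requested one if safe, else `default`."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    # Constructed sample inputs: what a "next" parameter might carry.
    for sample in ["/dashboard", "//evil.com/", "/\\evil.com",
                   "https://app.example.com/account",
                   "https://app.example.com@evil.com/", "javascript:alert(1)"]:
        print(f"{sample!r:45} -> {redirect_target(sample)}")
```

Call `redirect_target(request.args.get("next", ""))` after login and use the return value as the Location header; the default wins for anything the validator does not vouch for, and there is deliberately no attempt to "fix up" a bad target.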


We gotta look back at The Year That Was.

https://www.theregister.co.uk/2018/12/27/2018_the_year_in_security/


Someone cracked reCAPTCHA (the audio challenge, with unCaptcha2). Again.

https://github.com/ecthros/uncaptcha2


Chrome on Android was leaking device-fingerprinting info. I got caught by this too.

https://threatpost.com/chrome-in-android-leaks-device-fingerprinting-info/140480/


Cool research from the SANS ISC on a malicious JPEG (two diary entries).

https://isc.sans.edu/forums/diary/A+Malicious+JPEG/24490

https://isc.sans.edu/diary/A+Malicious+JPEG%3F+Second+Example/24494


That's the news, folks. Happy new year! Hope to see some of you at CodeMash.


Tags:

AppSec

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
