Firstly, I have had a MASSIVE chest cold that has kept me down for the count, so I have been reading a lot of news. Thus, long newsletter.
Microsoft bought GitHub. This might seem to not be a security issue, but 'tis. Why did they buy them? GitHub doesn't make money. However: 1) Microsoft wants devs on their platform and 2) they are really into machine learning. So, let's get all of the devs and all of their code and ... profit?
https://www.linuxfoundation.org/blog/microsoft-buys-github-the-linux-foundations-reaction/
This is a little older but was new to me - Bruce Schneier writing for Lawfare (recommended reading by the way) about the implications of Efail.
https://www.lawfareblog.com/what-efail-tells-us-about-email-vulnerabilities-and-disclosure
A cartoon intro to DNS over HTTPS. We need more of these.
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
Building malicious zip files. Remember, mess with malware in a virtual machine, and NOT on your company network please.
https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/README.md
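The linked snyk repository is about the "Zip Slip" class of bug: an archive entry whose name climbs out of the extraction directory (`../` components or an absolute path) gets written wherever the extractor is allowed to write. The mitigation is to resolve each entry's target path and refuse the archive if any of them lands outside the destination. Below is an added example of that check, not code from the newsletter or from snyk's repository; the in-memory sample archives are constructed here, and the extractor writes files by hand so the path check is actually load-bearing (recent CPython sanitises names inside `ZipFile.extract()`, but many other libraries and hand-rolled extractors do not).

```python
"""Zip Slip defence: refuse archive entries that resolve outside the destination."""
import io
import os
import tempfile
import zipfile


def is_inside(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir/member_name, after resolving '..' and symlinks,
    is dest_dir itself or a path strictly below it."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Validate every entry name before writing anything, then extract by hand.

    Returns the archive-relative names written. Raises ValueError on the first
    entry that would escape, so a hostile archive writes nothing at all.
    """
    dest = os.path.realpath(dest_dir)
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        for info in members:  # check all names first, write nothing yet
            if not is_inside(dest, info.filename):
                raise ValueError(f"entry escapes destination: {info.filename!r}")
        written = []
        for info in members:
            target = os.path.realpath(os.path.join(dest, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed test data: an in-memory zip with the given name -> bytes entries.
    zipfile does not sanitise names on write, so '../' survives into the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def try_extract(zip_bytes: bytes):
    """Extract into a throwaway sandbox directory and report what happened:
    (names written, error message or None, files that appeared outside 'out')."""
    with tempfile.TemporaryDirectory() as sandbox:
        dest = os.path.join(sandbox, "out")
        try:
            written = safe_extract(zip_bytes, dest)
            err = None
        except ValueError as e:
            written, err = [], str(e)
        # anything in the sandbox other than the destination dir is a leak
        outside = sorted(n for n in os.listdir(sandbox) if n != "out")
    return written, err, outside


# Constructed samples: one benign archive, one with a '../' entry, one with an
# absolute path entry (names are made up for this example).
BENIGN = build_archive({"docs/readme.txt": b"hello"})
TRAVERSAL = build_archive({"docs/readme.txt": b"hello", "../escaped.txt": b"outside"})
ABSOLUTE = build_archive({"/tmp/abs.txt": b"outside"})


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("traversal", TRAVERSAL), ("absolute", ABSOLUTE)):
        print(label, try_extract(blob))
```

The important design choice is ordering: every entry is validated before the first byte is written, so a mixed archive (benign files plus one escaping entry) is rejected whole rather than half-unpacked. `os.path.realpath` is used on both sides of the comparison so that symlinks and `..` are resolved the same way, and the `dest + os.sep` prefix check stops `out-other/` from being accepted as "inside" `out/`.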
Didier Stevens is oft referenced in these missives, and he had a really productive May. I'll just link to his own overview. Lots of great appsec content.
https://blog.didierstevens.com/2018/06/05/overview-of-content-published-in-may-3/
XSS on ESPN's site. Stuff is just everywhere:
http://seclists.org/fulldisclosure/2018/Jun/22
Oh man, I forgot about this one. Remote Code Execution on a voice-based AI. You know, one of those smart speakers? Incredible stuff. Now I wanna go test my Echo.
https://github.com/Nhoya/MycroftAI-RCE
And we'll finish up with a breakdown by El Reg of all of the week's data breaches.
https://www.theregister.co.uk/AMP/2018/06/09/what_got_breached_this_week_ticket_portals_dna_sites_and_atlantas_police_cameras/
Have a good week, everyone. I'm going back to bed. Oh, and that's the news.