Security Weekly
Application Security WeeklySubscribe
Application security, AI/ML, DevSecOps

What’s in Store for 2024? – ASW #268

Full Audio

View Show Index

Segments

1. What’s in Store for 2024? – ASW #268

We kick off the new year with a discussion of what we're looking forward to and what we're not looking forward to. Then we pick our favorite responses to "appsec in three words" and set our sights on a new theme for 2024.

Announcements

  • Security Weekly listeners: Cyber threats are evolving — is your organization keeping up? The 2023 Cybersecurity Year in Review is Here! Uncover the latest challenges and strategic responses in CRA's 2023 Cybersecurity Year in Review – sponsored by RSA Conference. From the impact of generative AI to the risks of ransomware to navigating new SEC rulings, get ahead for 2024 with your free copy. Download the report at securityweekly.com/yearinreview2023

Hosts

Tech Lead at Block
Senior Engineering Leader at AWS

2. 23andMe Blames Users, Abusing Google’s OAuth2, Rustls Performance, AI Goes OSINT – ASW #268

23andMe shifts blame to users for poor password practices, abusing Google's OAuth2 through a MultiLogin endpoint, Rustls is memory safe and fast, AI enters OSINT, and more!

Hosts

Tech Lead at Block
  1. 1. 23andMe: “Negligent” Users at Fault for Breach of 6.9M Records

    The year starts off with a regression in security attitudes -- 23andMe says users should have taken security seriously with better password practices. It's the ultimate shift left, where a company best positioned to vet credentials against known breaches, support MFA, and even require MFA decides that the fate of users lies solely in the password practices of users.

  2. 2. Polish Hackers Say Manufacturer’s Repair DRM Killed Train’s Power, Broke Emergency Brakes

    We covered this in the last episode of 2023, but here's an update to the article as well as the video now available from the Chaos Communication Congress where the researchers presented their work.

  3. 3. Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking | CloudSEK
  4. 4. Billion times emptiness | Trail of Bits Blog
  5. 5. Securing the Web: Rustls on track to outperform OpenSSL – Prossimo

    Here's my usual reminder: memory safety is necessary, but insufficient for secure software.

    In cryptography, constant-time operations are important for countering side-channel attacks. The Marvin attack is a case in point, with the RustCrypto/RSA code impacted.

    OpenSSH, a cryptographic peer of OpenSSL, had a recent flaw called Terrapin. There's no direct consequence for this Rustls, but I mention it as the type of thing to be aware of when implementing cryptographic protocols and ciphers.

  6. 6. AI: This AI can find your location just by looking at a few photos | ZDNET
  7. 7. AI: Artificial Intelligence Security Center
  8. 8. AI: Deconstructing the AI Cyber Challenge (AIxCC) – Open Source Security Foundation
  9. 9. INFO: Do we think of git commits as diffs, snapshots, and/or histories?

    If you come across code, you're likely to come across git. If you come across git, you're likely to deal with an unintuitive command line and concepts. This is a nice resource for understanding some of the basics of git. The site has tons of great resources for not only git, but common Unix commands, network protocols, and coding. The zines are entertaining and informative. Check them out!

  10. 10. FYI: Federal Register :: Request for Information on “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software”

    Want to influence secure by design? You have until February 20th to respond to this RFI.

Senior Engineering Leader at AWS
  1. 1. Kaspersky engineers publish “Operation Triangulation”

    At one of my favorite conferences I haven't been to - the Chaos Communication Congress - some engineers from Kaspersky disclosed some really interesting research they've been doing into a extremely complex attack against Apple iOS devices.

  2. 2. Tackle technical debt by reframing it as “business risk”

    I'm pulling a Matt Alderman and looking at this more from a business, "CIO" side. But I do think it's important for us to figure out how we can reframe a technical debt - or security - problem in a way that captures the resources it needs.

  3. 3. When Apple ditches tbolt, hack usbc

    I'm posting this more to discuss the idea that you can't just solve security issues by swapping out tech components. Sometimes you actually need to do work to harden those parts of your stack

Related

Hacking AI Bias with Human Techniques – Keith Hoodlet – ASW #284

We already have bug bounties for web apps so it was only a matter of time before we would have bounties for AI-related bugs. Keith Hoodlet shares his experience winning first place in the DOD's inaugural AI bias bounty program. He explains how his education in psychology helped fill in the lack of resources in testing an AI's bias. Then we discuss ...
AI & Hype & Security (Oh My!) – Caleb Sima – ASW #284

A lot of AI security has nothing to do with AI -- things like data privacy, access controls, and identity are concerns for any new software and in many cases AI concerns look more like old-school API concerns. But...there are still important aspects to AI safety and security, from prompt injection to jailbreaking to authenticity. Caleb Sima explain...