Apologies up front for including a press release that points to a report behind a regwall, but I chose it as a prompt to talk about what platforms can do about secret scanning. GitHub already does this. Where's the funding and engineering investment to bring that kind of capability to npm and PyPI?
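As an added illustration of the kind of check a package registry could run on every upload (example code written for these notes, not GitHub's, npm's or PyPI's scanner), the pass below matches a few well-known token prefixes, falls back to an entropy check on secret-looking assignments, and reports only a redacted preview. The token shapes are assumptions modelled on publicly documented prefixes, and the package contents are constructed.

```python
"""Minimal secret-scanning pass over package contents (added example)."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Assumed token shapes, modelled on publicly documented prefixes. Real
# scanners ship many more patterns and verify candidates with the issuer.
TOKEN_PATTERNS = {
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "npm_token": re.compile(r"npm_[A-Za-z0-9]{36}"),
    "pypi_token": re.compile(r"pypi-[A-Za-z0-9_-]{50,}"),
}

# Generic fallback: a secret-looking name assigned a long quoted value.
ASSIGNMENT = re.compile(
    r"(?i)\b(secret|token|password|api_key|apikey)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # first 8 characters only, never the whole secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens typically score above 4."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    return value[:8] + "…" if len(value) > 8 else "…"


def scan_text(path: str, text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_spans = []
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
                matched_spans.append(m.span())
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Skip values already reported by a specific token pattern.
            if any(s <= m.start(2) < e for s, e in matched_spans):
                continue
            # Placeholders like "changeme-example-1" fall below the threshold.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(path, line_no, "high_entropy_assignment", redact(value)))
    return findings


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file text, as an upload hook would."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed package contents; every token below is fake.
SAMPLE_PACKAGE = {
    ".npmrc": "//registry.npmjs.org/:_authToken=npm_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
    ".pypirc": "[pypi]\nusername = __token__\npassword = pypi-"
               + "ExampleConstructedTokenBody0123456789" * 2 + "\n",
    "src/config.js": 'const token = "ghp_z9Y8x7W6v5U4t3S2r1Q0p9O8n7M6l5K4j3I2";\n',
    "src/secrets.py": 'API_KEY = "Qm9yZWFsRW50cm9weVNhbXBsZVYyMDI0"\n',
    "README.md": "Install with `pip install example`. password = 'changeme-example-1'\n",
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        print(f"{f.path}:{f.line_no} {f.kind} {f.preview}")
```

Running it flags the npm, PyPI and GitHub tokens plus the high-entropy `API_KEY`, and leaves the README placeholder alone; a registry would block or quarantine the upload and notify the publisher rather than just print.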
Sure, it's a setup for jokes about IPv6 adoption (a running gag second only to Linux on the desktop...), but it's a reminder that we're going to see lists of "integer underflow", "buffer overflow", "out of bounds read", and similar memory safety issues until we move on from C and C++.
A slew of 28 vulns, including RCEs, in a memory-safe language (Java). The list also includes SSRF, which is a reminder (and broken record, sorry) that memory safety is an important first step towards secure code, not the whole journey.
I'm primarily including this to tie in with our interview segment where Sandy Carielli talks about bots and API security. The relevant piece from this article is how Cloudflare “...found 30.7% more API endpoints through machine learning-based discovery than the self-reported approach, suggesting that nearly a third of APIs are “Shadow APIs” — and may not be properly inventoried and secured.”
Some fun computing history: "...on January 18 in 1944, a man called Tommy Flowers drove to Bletchley Park — the secret codebreaking facility about 50 miles north of London — in a truck carrying an enormous electronic machine that was instantly nicknamed Colossus." It was "...perhaps the first-ever digital computer, used to crack messages between senior German commanders encrypted with the Lorenz cipher…"
Vulnerabilities (CVE-2023-45866, CVE-2024-21306) were discovered that allow pairing a virtual keyboard with an already paired computer without authentication. This has been patched in most but not all OSes.
Additionally, on macOS, Apple tried doing something smart by allowing a Magic Keyboard to do out-of-band authentication over USB/Thunderbolt (Thunderbolt is dead - long live USB) so a user wouldn't have to type in 6 digits to pair a device. The problem is that an attacker can connect to that USB/Thunderbolt port after the keyboard is disconnected and gather that pairing key for their own use.
This is based on a CVE from last year, CVE-2023-46604, an unsafe deserialization vuln in the OpenWire protocol that ActiveMQ uses. Some folks have figured out how to use it to upload a payload that renders in the web interface, giving them a remote webshell on the host.
Why I mention this: we (I?) talk about wanting "nice" UIs to make technology easier to use for those less technically focused. But when we add these UIs, we must keep in mind that we can't be adding a bunch of vulnerabilities at the same time. They're usually bolted on quickly at the last minute after the "real" work is done... but they need to be considered earlier and implemented with the same care.
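The root cause in that item is unsafe deserialization, so here is an added example of the defect and its standard fix. It is written for these notes in Python (using pickle as a stand-in for a Java object stream; it is not ActiveMQ or OpenWire code): the vulnerable loader instantiates whatever the byte stream names, while the hardened loader overrides `find_class` with an allow-list of the types the application actually expects. The `Greeting` and `Gadget` classes are constructed for the demo, and the gadget only calls `os.getcwd` as a harmless stand-in for attacker-chosen code.

```python
"""Unsafe vs allow-listed deserialization (added example, Python stand-in)."""
import io
import os
import pickle


class Greeting:
    """Constructed benign record type the application expects to receive."""

    def __init__(self, text: str):
        self.text = text


class Gadget:
    """Constructed hostile object: unpickling it calls os.getcwd, a harmless
    stand-in for the attacker-chosen callable an unsafe loader would run."""

    def __reduce__(self):
        return (os.getcwd, ())


def unsafe_load(blob: bytes):
    """Vulnerable: pickle.loads resolves and calls any global the stream names."""
    return pickle.loads(blob)


class AllowListUnpickler(pickle.Unpickler):
    """Hardened: only explicitly approved (module, class) pairs may be resolved."""

    ALLOWED = {(Greeting.__module__, "Greeting")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        # Anything else, including os.getcwd or any other callable, is refused
        # before the object graph is built.
        raise pickle.UnpicklingError(f"blocked deserialization of {module}.{name}")


def safe_load(blob: bytes):
    return AllowListUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Run both loaders over a benign and a hostile stream; return what happened."""
    benign = pickle.dumps(Greeting("hello"), protocol=4)
    hostile = pickle.dumps(Gadget(), protocol=4)
    results = {}
    results["benign_unsafe"] = unsafe_load(benign).text
    # The unsafe loader executes the gadget: the "object" is the getcwd() result.
    results["hostile_unsafe_ran_code"] = unsafe_load(hostile) == os.getcwd()
    results["benign_safe"] = safe_load(benign).text
    try:
        safe_load(hostile)
        results["hostile_safe_blocked"] = False
    except pickle.UnpicklingError:
        results["hostile_safe_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list is the point: a deny-list of known gadget classes is what attackers route around, whereas naming the handful of types a given interface legitimately accepts closes the whole class of issue, which is also the approach Java's `ObjectInputFilter` takes for native serialization.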
Jayson joins us to discuss how he is using, and social engineering, AI to help with his security engagements. We also talk about the low-tech tools he employs to get the job done, some tech tools that are in play, and the most important part of any security testing: Talking to people, creating awareness, and great reporting.
The latest attacks against WiFi, it's illegal to break encryption, BLE padlocks are as secure as you think, when command-not-found attacks, how did your vibrator get infected... with malware, the OT jackpot, the backdoor in a random CSRF library, it's a vulnerability but there is no CVE, car theft and Canada, Glupteba, and setting things on fire!
Saša Zdjelar joins us on this episode to dive into how organizations can manage supply chain risk, including the current challenges we face and how best to deal with them.
This segment is sponsored by Eclypsium. Visit https://securityweekly.com/eclypsium to learn more about them!