As you probably already know, last week’s big story was the CloudFlare vulnerability now known as “Cloudbleed”. There’s a bunch to read here; these are the pieces that I think are most important so far:
- Start with Tavis Ormandy’s original description of the issue on Google’s Project Zero issue tracker. Be sure to read the whole thread as Tavis discovers the scope of the issue.
- Next, read CloudFlare’s original incident report and subsequent attempt to quantify the impact.
- Then, I suggest checking out a few well-reasoned analyses of what the vulnerability means to the industry and to you: Troy Hunt’s Pragmatic thoughts on #CloudBleed and Ryan McGeehan’s CloudBleed Retrospective.
There will be more written about Cloudbleed in the future, I’m sure; it’s a bit of a perfect storm.
Want to learn about securing AWS deployments? flAWS is a great Capture-the-flag-style exercise that teaches many of the common AWS security failures through learning how to exploit them. I’ve worked through the first half so far, and am looking forward to finishing the exercises this weekend.
A few interesting articles on browser security. Over on the Microsoft Edge blog, Matt Miller wrote about Microsoft’s approach to mitigating native code execution in Edge. Then, Justin Schuh of the Chrome Security team followed up by comparing Microsoft’s approach with Google’s. Together, these articles are a great roundup of what’s happening on the bleeding edge of browser security.
Speaking of browser security, if you’ve ever wondered what Certificate Transparency is and how it works, Scott Helme’s Certificate Transparency, an introduction should answer all your questions.
If you want to be angry about the Internet of Things, read Troy Hunt: Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages. IoT: the “S” stands for “Security”.
Detectify Crowdsource - looks like a novel mashup of automated vulnerability scanners and bug bounties. The idea is to crowdsource the creation of scanners for specific vulnerabilities, and then pay the researchers every time the scanner makes a hit. It’s unclear exactly how this all will work, but it’s a danged cool idea. I’m looking forward to finding out more.
Dhaval Kapil’s Attacking the OAuth Protocol analyzes some of the weaknesses in the OAuth2 protocol. I’m not sure I agree with the premise that “the OAuth 2.0 protocol itself is insecure”, but if you’re implementing an OAuth provider you certainly need to know about these weaknesses and their mitigations.
Google’s been making some changes to Chrome’s HTTPS interface. Chris Palmer breaks down the changes and the reasoning behind them in Decoding Chrome’s HTTPS UX.
TeamSIK found a whole bunch of vulnerabilities in Password-Manager Apps. A few themes I noticed: the in-app browsers are tremendously problematic (and probably should be removed). The “keyboards” used on Android seem similarly bad. And, finally, the response times from the bigger players (especially LastPass) are good, and show they take these issues seriously.
Finally this week, a great vulnerability discovery, and an even better writeup: Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token.
This is a weekly roundup of interesting infosec-related links, inspired by Geek Feminism’s linkspam tradition.
If you’d like to suggest a link for a future roundup, post it to Pinboard tagged with securitylinkspam and I’ll find it there.