#security (2019-11)

Archive: https://archive.sweetops.com/security/

2019-11-06

Maciek Strömich avatar
Maciek Strömich
10:09:44 AM

https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html

Maciek Strömich avatar
Maciek Strömich
10:10:03 AM

update your chromes/chromium based browser asap

Igor avatar
Igor
05:56:13 PM

PSA Major vulnerability in SimpleSamlPHP/XMLSecLibs XML signature validation, if anyone uses it

1

2019-11-11

Maciek Strömich avatar
Maciek Strömich
01:15:22 PM

https://www.aisec.fraunhofer.de/en/stackoverflow.html

davidvasandani avatar
davidvasandani
12:59:01 AM

Has https://github.com/toniblyx/prowler come up in this channel before? Has anyone tried it?

toniblyx/prowler

AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks …

btai avatar
btai
01:22:19 AM

@davidvasandani just used it for my soc2 audit

davidvasandani avatar
davidvasandani
01:30:04 AM

Whoa! How’d it go?

btai avatar
btai
06:58:02 PM

@davidvasandani @Erik Osterman (Cloud Posse) prowler is a decent tool. we were asked to use it for our soc2 audit. It’s definitely not a super robust tool, but it does the job. We had a couple use cases where we had false negatives. The tool just greps for “true” and we had a client with the word “true” in it’s name where we got some false negatives on. Also after doing key rotations, we ended up with a ton of fails because the keys hadn’t been used yet (because we had just finished our key rotations!)

1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
01:31:20 AM

Looks amazing. Thanks for sharing.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
01:31:37 AM

https://cloud.githubusercontent.com/assets/3985464/18489640/50fe6824-79cc-11e6-8a9c-e788b88a8a6b.png

attachment image
1
1
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
01:31:43 AM

https://cloud.githubusercontent.com/assets/3985464/18522590/a04ca9a6-7a7e-11e6-8730-b545c9204990.png

attachment image
Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
01:32:49 AM

@lvh

2019-11-12

chrism avatar
chrism
01:05:17 PM

We run it nightly; its pretty handy.

lvh avatar
lvh
02:00:46 PM

Yeah prowlers’ best, we also run ScoutSuite. Prowler does a better job of mapping to controls.

2

2019-11-13

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
05:09:53 PM

https://news.google.com/articles/CBMiQGh0dHBzOi8vdGVjaGNydW5jaC5jb20vMjAxOS8xMS8xMi9pbnRlbC1jYXNjYWRlLWxha2Utem9tYmllbG9hZC_SAURodHRwczovL3RlY2hjcnVuY2guY29tLzIwMTkvMTEvMTIvaW50ZWwtY2FzY2FkZS1sYWtlLXpvbWJpZWxvYWQvYW1wLw?hl=en-US&gl=US&ceid=US%3Aen

A new security flaw hits Intel’s Cascade Lake chips – TechCrunchattachment image

Time to reset your “days since last major chip vulnerability” counter back to zero. Security researchers have found another flaw in Intel processors — this time it’s a new variant of the Zombieload attack they discovered earlier this year, but targeting Intel’s latest family…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
05:15:55 PM

https://twitter.com/troyhunt/status/1194436182614011904?s=21

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
05:16:04 PM

chrism avatar
chrism
05:18:49 PM

one way to pay for the processing time of hashing

2019-11-18

2019-11-19

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
03:12:36 PM

https://www.checkmarx.com/blog/how-attackers-could-hijack-your-android-camera

How Attackers Could Hijack Your Android Camera to Spy on Youattachment image

The application security testing world is made up of various different solutions, all with one ultimate aim – to protect software from hackers and attacks.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
03:13:09 PM

https://news.google.com/articles/CAIiEAPE6nsm5oi1WUA6dsZDaRAqFQgEKg0IACoGCAowrqkBMKBFMMGBAg?hl=en-US&gl=US&ceid=US%3Aen

Google Confirms Android Camera Security Threat: ‘Hundreds Of Millions’ Of Users Affectedattachment image

Vulnerabilities in the Google Camera app left hackers able to take photos, and silently record audio and video, even when the phone was locked.

endofcake avatar
endofcake
01:41:13 AM

https://slack.engineering/introducing-nebula-the-open-source-global-overlay-network-from-slack-884110a5579?gi=4d57d57a7b17

Introducing Nebula, the open source global overlay network from Slackattachment image

Introducing Nebula, an open source scalable overlay networking tool with a focus on performance, simplicity and security.

2019-11-20

Maciek Strömich avatar
Maciek Strömich
02:14:35 PM

https://unit42.paloaltonetworks.com/docker-patched-the-most-severe-copy-vulnerability-to-date-with-cve-2019-14271/

Docker Patched the Most Severe Copy Vulnerability to Date With CVE-2019-14271attachment image

Unit 42 researchers share details on a severe Docker container breakout vulnerability and outline a proof-of-concept that demonstrates how it can be exploited if a container has been compromised by a previous attack.

2019-11-22

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
03:47:12 PM

https://blog.cloudflare.com/introducing-flan-scan/

Introducing Flan Scan: Cloudflare’s Lightweight Network Vulnerability Scannerattachment image

Flan Scan is a thin wrapper around Nmap that converts this popular open source tool into a vulnerability scanner with an easy deployment.

2
    keyboard_arrow_up