Sorites Paradox as applied to Infosec
One port open on a host - perfectly fine.
50 ports open on a host - something is messed up.
But how many ports need to be open for it to be considered a problem?
Infosec ethics/drama
HackerOne is running a bug bounty program for FlexiSpy, who specialise in spying on spouses https://twitter.com/josephfcox/status/857314960099160067
Their justification: it's "just fixing vulns" https://twitter.com/senorarroz/status/857399800601337856
I don't buy this at all. By providing security testing services to a shady company, you lend legitimacy to them and their brand. I agree with Casey on this one https://twitter.com/caseyjohnellis/status/857362206626689025
Liamosaur's patented decision tree for whether you need to buy a $BIG_MONEY magical 0day protection service from $BIG_VENDOR...
Q: Can you put your hand on your heart and say "no technology stack my company uses contains publicly known vulnerabilities"?
If the answer is "no", you should just work harder on patching your shit instead
If the answer is "yes", you should work on better understanding the software you use, because you're a liar
Some "OSINT" (if you will) observations on the last few months of going through arXiv papers:
1) there is a huge focus in China on malware taxonomies and ML-based analysis. I've started filtering papers based on names I now recognise in the field because literally everyone is working on this,
2) there is a gently smouldering return of interest in honeypots. The odd paper resurfaces and discusses old techniques again.
3) tracking people & users is big in the Western world. This is not surprising.
Me when a site I'm scanning suddenly slows down then stops responding https://mastodon.social/media/fnsQl325Uz_ThjWmmIw
Update on the Linux UDP RCE. From what I've seen from ppl that do kernel exploiting... they can't really see a way to turn it into a useful exploit.
It looks like a vulnerability with the right scary characteristics, but practically not a major concern.
It is not (likely to be) a "one shot remote ring 0" exploit.
I'm learning Irish, and was a bit confused by the Genitive Case (where the suffix of a noun is changed if it's a possessive).
Reading up on it, I was fascinated to find that Old English used to have the same thing with an "es" suffix, e.g. "king" would become "kinges" in say "the kinges army".
Over time, the "e" was replaced by an apostrophe, which is why English possessives end in " 's ". The apostrophe replaces a vowel that has not been used in half a millennium.
RCE in Linux (inc Android) via UDP. CVSS 10.0. I'm a little confused as to why a bigger fuss isn't being made of this
https://nvd.nist.gov/vuln/detail/CVE-2016-10229
Is it that the vuln doesn't have a cool brand name and logo and website?
I was pleasantly surprised to find out that my Nexus phone was patched for this last week. Other Androids are probably going to be fucked.
ICYMI The OWASP Top 10 2017 Release Candidates are available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
TL;DR they're merging two, ditching "Unvalidated redirects" and adding "Insufficient Attack Protection" & "Underprotected APIs"
I like the content, but dislike the name "Insufficient Attack Protection". It's about detection, response and remediation times, which is fine, but from the title sounds like it's "you haven't bought enough vendor bullshit to protect your website"
By default, Cloudflare proxies 11 ephemeral ports in addition to 80 and 443
Obviously, this is only a security vulnerability if the high ports on the origin hosts are open to Cloudflare when they're not supposed to be, but in 2017 where nearly everything is closed-by-default, this surprises me. You can't disable this behaviour unless you're on a higher-tier service plan.
https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-
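Added example, not from the original post: a defender-side audit of an origin host that flags listeners Cloudflare would proxy by default but that you never meant to expose. The proxied port set is Cloudflare's published default list as I know it (verify against the linked article), and the `ss` output is a constructed sample.

```python
"""Audit an origin host for listeners reachable through Cloudflare's default proxied ports."""

# Cloudflare's default proxied ports (80/443 plus the extra ones); assumed from its
# support article, check the linked page before relying on it.
CLOUDFLARE_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CLOUDFLARE_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}
CLOUDFLARE_PROXIED_PORTS = CLOUDFLARE_HTTP_PORTS | CLOUDFLARE_HTTPS_PORTS

# Constructed sample of `ss -Hltn` output on an origin host (not real data).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2082 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output: str) -> set[tuple[str, int]]:
    """Return (bind_address, port) pairs from `ss -Hltn` style lines."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last ':' so IPv6 works.
        addr, _, port = fields[3].rpartition(":")
        listeners.add((addr, int(port)))
    return listeners


def exposed_via_cloudflare(listeners: set[tuple[str, int]], intended_ports: set[int]) -> set[int]:
    """Ports bound to a non-loopback address that Cloudflare proxies but you did not intend to serve."""
    unexpected = set()
    for addr, port in listeners:
        if addr in LOOPBACK:
            continue  # only reachable locally, Cloudflare cannot hit it
        if port in CLOUDFLARE_PROXIED_PORTS and port not in intended_ports:
            unexpected.add(port)
    return unexpected


if __name__ == "__main__":
    found = exposed_via_cloudflare(parse_listeners(SAMPLE_SS_OUTPUT), {80, 443})
    print("Unintended Cloudflare-reachable ports:", sorted(found))
```

Closing the origin firewall to only the ports you actually serve (rather than everything Cloudflare can proxy) is the fix the post implies when the plan does not let you turn the extra ports off.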
The one company that gets IoT security right is the one you'd least expect: Ikea https://mjg59.dreamwidth.org/47803.html
Infosec and Ducks, Ducks and Infosec