Downclimb

2017.01.22


Weekly infosec news summary for 2017.01.15 – 2017.01.22

I apologize for the brevity of this week’s Downclimb. I’ve been without Internet for much of the week, on vacation.

Tools

  • CheckPointSW/InviZzzible: Tool to assess your virtual environments (sandboxes, analysis VMs) and report which artifacts give them away as virtual, similar to Pafish.
  • pbiernat/ripr: Binary Ninja plugin to rip functionality out of binary code and call it from Python.

Other reads

  • Silence speaks louder than words when finding malware: Google describes how it finds potentially harmful Android apps by looking at devices that stop checking in. A device that stops checking in may have been factory reset or abandoned, and a bad app is one reason that happens. By comparing the apps installed shortly before devices went silent against the apps on devices that kept checking in, they have identified over 25,000 apps belonging to certain malware families.
  • GitHub’s post-CSP journey: GitHub describes several bypasses of its Content Security Policy that were uncovered with the help of an assessment by Cure53.
  • Automatic HTTPS Enforcement for New Executive Branch .gov Domains: The US government now submits every new executive branch .gov domain to the HSTS preload list, so browsers will only ever connect to those domains over HTTPS.
  • You don’t need a Chief Security Officer.: Ryan McGeehan argues that for small start-ups, bringing in a security lead too early can be harmful, while conceding that one will eventually be needed.
  • Facebook’s ImageTragick story: A $40K bug bounty was awarded for figuring out how to exploit the ImageTragick (ImageMagick) vulnerability on Facebook.
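The Google item above is essentially a retention statistic: for each app, compare how often devices that installed it kept checking in against the fleet-wide rate. Here is an added illustration of that idea, written for this summary rather than taken from Google's post. The device records are constructed, and the z-score, its sign convention and the thresholds are my own approximation of the post's scoring, not its exact formula.

```python
import math
from collections import defaultdict

# Constructed sample data (not from the Google post). Each device lists the
# apps installed shortly before its last observed check-in, and whether the
# device kept checking in afterwards ("retained").
DEVICES = [
    ("d01", {"com.example.weather"}, True),
    ("d02", {"com.example.weather", "com.example.notes"}, True),
    ("d03", {"com.example.weather"}, True),
    ("d04", {"com.example.weather", "com.example.flashlight"}, False),
    ("d05", {"com.example.flashlight"}, False),
    ("d06", {"com.example.flashlight", "com.example.notes"}, False),
    ("d07", {"com.example.flashlight"}, False),
    ("d08", {"com.example.flashlight", "com.example.weather"}, True),
    ("d09", {"com.example.notes"}, True),
    ("d10", {"com.example.weather"}, True),
    ("d11", {"com.example.notes"}, True),
    ("d12", {"com.example.weather"}, True),
]


def retention_stats(devices):
    """Per-app (installs, retained) counts plus the fleet-wide retention rate."""
    installs = defaultdict(int)
    retained = defaultdict(int)
    total_retained = 0
    for _, apps, kept in devices:
        total_retained += kept
        for app in apps:
            installs[app] += 1
            retained[app] += kept
    p = total_retained / len(devices)
    return {app: (installs[app], retained[app]) for app in installs}, p


def doi_scores(devices):
    """z-score of each app's retention against the fleet-wide rate.

    Negative means devices carrying the app went silent more often than the
    fleet rate predicts. Assumption: this binomial z-score is an illustration
    of the approach, not necessarily the exact score used in the post.
    """
    stats, p = retention_stats(devices)
    scores = {}
    for app, (n_installs, n_retained) in stats.items():
        expected = n_installs * p
        spread = math.sqrt(n_installs * p * (1 - p))
        # If every device (or none) in the fleet was retained there is no
        # variance to compare against; report 0 instead of dividing by zero.
        scores[app] = (n_retained - expected) / spread if spread > 0 else 0.0
    return scores


def flag_doi_apps(devices, z_threshold=-2.0, min_installs=5):
    """Apps whose retention is significantly below the fleet rate.

    min_installs keeps an app seen on a couple of devices from being flagged
    on noise. Both thresholds are chosen for this tiny sample, not production.
    """
    stats, _ = retention_stats(devices)
    return sorted(app for app, z in doi_scores(devices).items()
                  if z <= z_threshold and stats[app][0] >= min_installs)


if __name__ == "__main__":
    for app, z in sorted(doi_scores(DEVICES).items(), key=lambda kv: kv[1]):
        print(f"{app:28s} z={z:+.2f}")
    print("flagged:", flag_doi_apps(DEVICES))
```

In the sample, the flashlight app sits on five devices of which only one kept checking in, against a fleet retention rate of two thirds, so it is the only app pushed below the threshold; the weather and notes apps score above zero. On real telemetry the same logic needs a much larger minimum install count and a stricter threshold, since a legitimate app can also be over-represented on devices that are simply retired.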