Downclimb

2017.01.22

RSS feed

Weekly infosec news summary for 2017.01.15 – 2017.01.22

I apologize for the brevity of this week's Downclimb. I've been without Internet for much of the week, on vacation.

Tools

  • CheckPointSW/InviZzzible: Tool to assess your virtual environments to see what aspects of them can be detected as being a virtual environment, similar to Pafish.
  • pbiernat/ripr: Binary Ninja tool to rip out functionality from binary code and use it from python.

Other reads

  • Silence speaks louder than words when finding malware: Google describes how they are able to find potentially harmful apps for Android by looking for apps that have been installed on devices that then stop checking in. If a device stops checking in, it could be because the user did a factory reset or abandoned their devices, which may have happened due to a bad app. So by looking at the recently installed apps before the check-ins stop, they've identified over 25,000 apps in certain malware families.
  • GitHub's post-CSP journey: Github describes some CSP bypasses that were uncovered with the help of an assessment from Cure53.
  • Automatic HTTPS Enforcement for New Executive Branch .gov Domains: The US government is automatically forcing new executive branch .gov domains to use HTTPS by enrolling them in HSTS.
  • You don't need a Chief Security Officer.: Ryan McGeehan argues that for small start-ups, bringing in a security lead too early can be harmful. He concedes that eventually one will be needed.
  • Facebook's Imagetragick story: $40K bug bounty rewarded for figuring out how to exploit the Imagetragick vuln on Facebook.