Security Leftovers (2021-06-23)
Report Again Finds US Government IT Security Sucks, Three Years After Saying The Same Thing
Three years ago a US Senate Committee report showcased that the U.S. government's cybersecurity defenses were the IT equivalent of damp cardboard. The study found numerous government agencies were using dated systems that were expensive to maintain but hard to properly secure. It also noted how from 2008 to 2018, the government repeatedly failed to adequately protect sensitive data at the Social Security Administration and Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education.
Spam is Chipotle's secret ingredient: Marketing email hijacked to dish up malware
Between July 13 and July 16, someone took over the Mailgun account owned by restaurant chain Chipotle Mexican Grill and placed an order for login credentials using misappropriated marketing messages.
Phish-fighting firm INKY said on Thursday that it spotted 121 phishing emails during this period originating from Chipotle's Mailgun account.
But a sample Microsoft phishing message published by INKY suggests that inconsistency would not have been visible to recipients.
Apple Undermines Its Famous Security 'For The Children'
Apple is somewhat famous for its approach to security on its iPhones. Most famously, Apple went to court to fight the FBI's demand that it effectively insert a backdoor into its on-phone encryption (by being able to force an update to the phone). Apple has tons of goodwill in the security community (and the public) because of that, though not in the law enforcement community. Unfortunately, it appears that Apple is throwing away much of that goodwill and has decided to undermine the security of its phone... "for the children" (of course).
SAML is insecure by design
SAML uses signatures based on computed values. The practice is inherently insecure and thus SAML as a design is insecure.
Open Web Application Security Project (OWASP): online community for web application security
HTTP/2: The Sequel is Always Worse
HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. In this paper, I'll introduce multiple new classes of HTTP/2-exclusive threats caused by both implementation flaws and RFC imperfections.
I'll start by showing how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. These achieve critical impact by hijacking clients, poisoning caches, and stealing credentials to net multiple max-bounties.
After that, I'll unveil novel techniques and tooling to crack open desync-powered request tunnelling, a widespread but overlooked request smuggling variant that is typically mistaken for a false positive. Finally, I'll share multiple new exploit primitives introduced by HTTP/2, exposing fresh server-layer and application-layer attack surface.
