Cybersecurity has always been about recognizing and responding to new developments. Each month we gather our favorite finds from around the internet and recommend them to you right here. So go ahead, pour yourself a cup of coffee or tea, and settle in.
Stop Storing Secrets In Environment Variables!
Matt Hamilton argues that an application is most trustworthy at initialization, before any business logic has executed. He suggests using ephemeral filesystems to provide secrets to an application instead of environment variables. A very interesting article that got a lot of attention.
The beautiful complexity of the SHA256 Algorithm
Domingo Martin presents, on his website, the inner workings of the SHA256 hashing algorithm. Knowing the theory is one thing, but having such an engaging graphical representation is quite a treat!
How I hacked a hardware crypto wallet and recovered $2 million
A very entertaining video reached us from Joe Grand, aka Kingpin. The video walks us through the hack of a Trezor One hardware wallet to recover $2 million in cryptocurrency (THETA). Joe uses a technique called fault injection, also known as glitching, to undermine the wallet's security protection.
Father accidentally knocks out mobile network
Between midnight and 3 AM, every day of the week, the mobile network in the French municipality of Messanges did not work. It turns out a father wanted to prevent his children from surfing the Internet by using a jammer, and as a side effect he shut down the mobile network of an entire municipality in France.
Open-source tool Unredacter makes pixelated text readable again
Pixelation is not a secure way to make text passages unreadable. The software "Unredacter", developed by Dan Petro, a senior researcher at security provider Bishop Fox, takes pixelated text and reverses it back into its readable form. We recommend a solid black bar to redact text securely.
Little improvement in vulnerability management
Most organizations appear to be making little progress in addressing application security issues, despite all of the heightened concern around the topic. A study by researchers at NTT Application Security shows that organizations left more than half (53%) of known critical flaws unremediated.
Advisory: Western Digital My Cloud Pro Series
The wonderful world of IoT provides us with a dead simple command injection and execution vulnerability in the WD PR4100. It turns out the device sends an HTTP (not HTTPS) health check to the WD remote cloud service every 300 seconds. Because the connection is unencrypted, the response can be hijacked and untrusted data injected, and the lack of input validation then leads to the execution of that untrusted data.