Real world
Waterloo researchers discover security loophole allowing attackers to use WiFi to see through walls
And here's scientists' POV on Wi-Fi security: the lab-created, drone-powered Wi-Peep device can fly near a building and use the inhabitants' Wi-Fi network to identify and locate all Wi-Fi-enabled devices inside. Similar technology can be used to track security guards inside a bank or identify candidates for a break-in.
AppSec
Memory safe languages in Android 13
Jeffrey Vander Stoep assumes that the percentage of vulnerabilities caused by memory safety issues correlates rather closely with the development language used. In the Android 13 release as of August '22, a majority of new code was in a memory-safe language. Also, according to the Android security bulletin, the number of memory safety vulnerabilities has dropped considerably. So, how rare are memory corruption bugs on Android?
Cryptography
How GitHub converts previously encrypted and unencrypted columns to ActiveRecord encrypted columns
Your code on GitHub is encrypted at rest by default, but sensitive database columns are additionally encrypted using application level encryption. GitHub does it to provide defense in depth for sensitive data. However, supporting and migrating between encryption methods may be difficult. Hehe, let's go inside this cryptic area with Kylie Stradley to learn about the GitHub encryption strategy.
Native ad time
If you are not working for GitHub but also want to use application level encryption, try Cossack Labs' Acra. It works with SQL and NoSQL databases, web and backend applications.
Vulnerabilities
Smart contract security audit: tips & tricks
If smart is vulnerable, then how vulnerable are smart contracts, which are, simply put, pieces of code on the blockchain operating sensitive financial data? It's better to check rather than cross your fingers. Nazar Serhiichuk describes in detail how to review smart contracts' code, infrastructure, and data flow for security issues from a boring cryptographer's point of view.
Incidents
Hacking on a plane
"Boredom leads to greatness", rez0 writes (hell yes, as a boring cryptographer I justify this). One day, he was on a 14-hour flight, got tired of watching shows and reading books, and headed to Wi-Fi. But first, he decided to take a cursory glance at the security of the provider's system. That led him to bugs revealing the personal and financial information of tens of millions of users.
Tools
Pre-auth RCE with CodeQL in under 20 minutes
Have a deeper look into CodeQL, a semantic code analysis engine that allows querying code as though it were data. In the example by frycos, you can see how the security code review is done.
P.S.
Have a tremendous New Year while giving intruders a hard time!
Wish you happy holidays and see you next year!
P.S.S. Not for hacking purposes but to keep your engineering skills shipshape during the holidays, I recommend practising on Hack The Box to find user and system secrets.