Greeting from Felix
Shift Security Left #13
Having a good understanding of what's going on around you is critical for making sound decisions. Today we are going to move from a high-level overview of information security risks to the real world, where terrible passwords and untrusted password managers still exist, misconfigurations lead to vulnerabilities, and jokingly asked questions can uncover memory corruption bugs. I hope you will find insights in the new issue that may affect your threat model or future decisions.
News
GoTo says hackers stole encrypted backups, MFA settings
You might remember the LastPass data breach disclosed in August 2022. Here are the new details.
GoTo, the SaaS provider of cloud-based remote work tools and LastPass's parent company, was also affected by this incident (the two shared a third-party cloud storage service). GoTo now says that an unidentified threat actor stole encrypted backups, including some customers' MFA settings, together with an encryption key for a portion of that data.
A fifth of passwords used by federal agency cracked in security audit
The password policy of the US Department of the Interior requires a minimum of 12 characters and at least three of the four character types (uppercase, lowercase, digits, special symbols). So Password-1234 is a perfectly compliant choice, unless you prefer ChangeItN0w!, just like at DOI. Want even more splendid ideas? Explore the security audit report by the department's Inspector General.
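To make the DOI finding concrete, here is an added example (my code, not from the audit report): a DOI-style complexity rule beside the check the auditors effectively ran, which strips the decorations people bolt on to pass such rules and compares the remaining core against a blocklist. The blocklist and the sample passwords are constructed for the demo; a real deployment would use a breached-password corpus.

```python
import re
from typing import Optional

# Reverse the substitutions people use to satisfy "digit" and "symbol" rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed stand-in for a breached-password / dictionary list. A real check
# uses a large list (e.g. the Pwned Passwords corpus), not six words.
BLOCKLIST = {"password", "changeme", "changeitnow", "welcome", "letmein", "qwerty"}


def meets_complexity_policy(pw: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """DOI-style rule: at least `min_len` characters and `min_classes` of the
    four classes upper / lower / digit / symbol. Nothing else is checked."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= min_classes


def core_word(pw: str) -> str:
    """Strip the decorations added to pass the policy: leading and trailing runs
    of digits/symbols, then common leetspeak, then case. A leet digit at the very
    end of the word is stripped too, which only makes the core shorter (and so
    more likely to be flagged)."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return stripped.translate(LEET).lower()


def weakness(pw: str, min_core_len: int = 8) -> Optional[str]:
    """Return a human-readable red flag, or None when the core looks non-trivial."""
    core = core_word(pw)
    if core in BLOCKLIST:
        return f"core word {core!r} is on the blocklist"
    if len(core) < min_core_len:
        return f"only {len(core)} characters remain after stripping decorations"
    return None


def audit(pw: str) -> dict:
    """Policy compliance and practical strength are different questions; report both."""
    return {"policy_ok": meets_complexity_policy(pw), "weakness": weakness(pw)}


if __name__ == "__main__":
    # Constructed samples: the first three pass the policy and are trivially crackable;
    # the last one fails the policy and is the only one without a red flag.
    for candidate in ("Password-1234", "ChangeItN0w!", "P@ssw0rd!", "correct horse battery staple"):
        print(f"{candidate!r:32} {audit(candidate)}")
```

The point of the contrast is that a complexity rule and a cracking check disagree in both directions: the passphrase fails the rule and survives the check, while the "compliant" passwords do the opposite. Length plus a blocklist (the NIST SP 800-63B approach) gets you what the complexity rule was supposed to buy.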
Secure Architecture
Bitwarden design flaw: Server side iterations
In the aftermath of the LastPass breach, let's talk about Bitwarden. Bitwarden claimed that the master password goes through PBKDF2-SHA256 with 200,001 iterations: 100,000+1 on the client side and another 100,000 on the server. But there is an obvious design flaw: the server-side iterations only harden the authentication hash stored on the server, while the vault's encryption key is derived by the client-side 100,000 iterations alone. So brute-forcing a stolen vault costs an attacker just those 100,000 iterations per guess (oops).
What does this mean for attackers? How does this affect end users? What did Bitwarden do? Is it even possible to implement a server-side iterations mechanism correctly? Read Wladimir Palant's security findings to find out.
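The asymmetry is easiest to see in code. The following is an added example written for this issue, not Bitwarden's code: it models the three PBKDF2 stages described above (client key derivation salted with the e-mail, the one-iteration auth hash, and the server-side re-hashing), wraps a vault key the way the real client does in spirit (the XOR + HMAC construction here is a stand-in for Bitwarden's AES-CBC + HMAC "EncString"; the HKDF stretch is modelled with two SHA-256 calls), and then shows what a thief holding only the encrypted vault actually has to compute. Email, password, salt and vault key are constructed.

```python
import hashlib
import hmac
from typing import Optional, Sequence, Tuple

# Iteration counts discussed in the post: 100,000 on the client, 100,000 more on the server.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000
TAG_LEN = 32


def derive_master_key(password: str, email: str, iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client side: PBKDF2-SHA256(master password, salt = lower-cased email).
    Everything in the vault ultimately hangs off this key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Client side, the '+1' iteration: PBKDF2-SHA256(master key, salt = password, 1).
    This is the only password-derived value the client sends to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1)


def server_store_hash(auth_hash: bytes, server_salt: bytes, iterations: int = SERVER_ITERATIONS) -> bytes:
    """Server side: the advertised extra iterations, applied to the received auth
    hash before storage. They harden the login credential and nothing else."""
    return hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, iterations)


def server_verify_login(stored: bytes, server_salt: bytes, auth_hash: bytes) -> bool:
    return hmac.compare_digest(stored, server_store_hash(auth_hash, server_salt))


def _stretch(master_key: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the HKDF stretch of the master key into an enc key and a MAC key."""
    return (hashlib.sha256(master_key + b"enc").digest(),
            hashlib.sha256(master_key + b"mac").digest())


def protect_vault_key(master_key: bytes, vault_key: bytes) -> bytes:
    """Stand-in for the protected symmetric key stored alongside the vault. The shape
    that matters for an attacker is kept: the MAC is public and verifiable by anyone
    holding the blob, so a guess can be checked without any server involvement."""
    assert len(vault_key) == 32, "32-byte vault key for the XOR stand-in"
    enc, mac = _stretch(master_key)
    ct = bytes(a ^ b for a, b in zip(vault_key, enc))
    return ct + hmac.new(mac, ct, "sha256").digest()


def unprotect_vault_key(master_key: bytes, blob: bytes) -> Optional[bytes]:
    enc, mac = _stretch(master_key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, enc))


def offline_crack(email: str, blob: bytes, candidates: Sequence[str],
                  client_iterations: int = CLIENT_ITERATIONS) -> Tuple[Optional[str], int]:
    """What someone holding a stolen vault has to do. Note what is *not* here: neither
    derive_auth_hash nor server_store_hash is called, so SERVER_ITERATIONS costs the
    attacker nothing. Returns (password or None, PBKDF2 iterations spent)."""
    spent = 0
    for guess in candidates:
        spent += client_iterations
        if unprotect_vault_key(derive_master_key(guess, email, client_iterations), blob) is not None:
            return guess, spent
    return None, spent


if __name__ == "__main__":
    email, password = "alice@example.com", "hunter2-is-weak"  # constructed
    mk = derive_master_key(password, email)
    blob = protect_vault_key(mk, bytes(range(32)))
    print(offline_crack(email, blob, ["password", "letmein", password]))
```

Because the vault check never touches the server's hash, the only levers that raise the attacker's cost are the ones the client applies before encryption: more client-side iterations or a memory-hard KDF. Server-side work protects the login path, not the data.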
The 6 fundamental forces of information security risk
A Minute of Philosophy from Phil Venables, CISO of Google Cloud. Phil suggests assessing your maturity in dealing with each particular force of information security risk. Good exercise, yeah?
P.S. Delve deeper into the first force here: Information wants to be Free
AppSec
cURL audit: How a joke led to significant findings
Workplace humour is occasionally necessary, as Trail of Bits showed while auditing cURL: sometimes a joke leads to a fuzzing run that uncovers memory corruption bugs. Whaaaaat?
Read the blog post by Maciej Domanski about the vulnerabilities they found, and have more fun with your team, of course :)
Vulnerabilities
SSRF vulnerabilities caused by SNI proxy misconfigurations
One tiny misconfiguration in a reverse proxy can lead to server-side request forgery (SSRF): attackers reach servers behind the proxy and expose data that was never meant to be public.
But what if an SNI (Server Name Indication) proxy, which routes TLS connections by the hostname in the ClientHello, is attacked the same way? Check out Aleksei Tiurin's investigation for the potential risks.
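The core misconfiguration behind this bug class, as an added example (my config, not taken from the post): an nginx `stream` SNI proxy that forwards to whatever name the client put in SNI, beside an allow-listed version. The hostnames, resolver and backend addresses are made up, and only one `stream {}` block belongs in a real nginx.conf.

```nginx
# --- vulnerable (do not deploy) ---
# The SNI name from the ClientHello is used verbatim as the upstream address.
# A client sending servername=intranet.corp.internal is forwarded there, through
# the proxy, with no HTTP-layer bug needed: SSRF by design.
stream {
    resolver 10.0.0.2;                        # required because the upstream is a variable
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $ssl_preread_server_name:443;
    }
}

# --- hardened ---
# Only names listed in the map reach a backend, each pinned to a fixed address.
# Anything else (unknown SNI, empty SNI, raw IPs) is sent to a sinkhole port that
# nothing listens on, so the connection fails closed instead of being proxied.
stream {
    map $ssl_preread_server_name $backend {
        hostnames;
        app.example.com   10.0.1.10:443;
        api.example.com   10.0.1.11:443;
        default           127.0.0.1:9;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
    }
}
```

To check a deployment, point `openssl s_client -connect proxy:443 -servername intranet.corp.internal` at it: the vulnerable config hands back the internal host's certificate, the hardened one drops the connection. Running the proxy in a network segment that cannot reach internal addresses at all is the second layer, since the allow-list only covers this one path.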