Real world
People and Security Incentives
Another portion of food for reflection from Phil Venables.
Risk management shaped by incentives and inherent biases does not always reduce the right risks effectively. Immerse yourself in Phil's thoughts on improving and sustaining an organisation's security with behavioural insights.
AppSec
So long passwords, thanks for all the phish
No more phishing in Google's pond!
The company is shifting away from passwords to more secure and convenient user authentication methods to combat the growing threat of phishing attacks and enhance user security. We're talking about passkeys, which are cryptographically backed sign-in and log-in methods.
If you have a Google Account, or are simply curious to learn how Google is adopting the WebAuthn standard, take your time and enjoy reading.
Vulnerabilities
Exploring Algorithm Confusion Attacks on JWT: Exploiting ECDSA
Let's spice up your knowledge of web security!
Get ready to discover sneaky tactics attackers use to bypass authentication and authorization mechanisms in JSON Web Tokens (JWT). Focus: Performing algorithm confusion attacks on JWT using ECDSA.
That's an article you don't want to miss, as it contains a comprehensive breakdown of the attack and a step-by-step guide on how to execute it.
Cookie Bugs - Smuggling & Injection
A cookie popup is one of the most annoying elements on a site. But the problems with cookies don't end there.
Ankur has investigated how browsers encode and send cookies, how they are parsed by various web frameworks, and identified bugs that can lead to authorization bypasses, among other threats. Dig deeper into the cookie jar.
Incidents
The Untold Story of the Boldest Supply-Chain Hack Ever
Join a thrilling journey together with Kim Zetter into the SolarWinds supply-chain hack that sent shockwaves across the cybersecurity world in December 2020.
Read this article if you are ready to go deep into the details of the attack and ponder the measures to be taken to prevent similar incidents from happening again in the future.