Hello, World!
Your weekly letter is here!
Hello there, I'm Felix, a slightly chaotic security engineer.
My newsletter for security-aware developers continues to grow!
Some people say that software was never created to be hacked. Totally agree, but then I would be out of a job :(
Sooo, here I am, and let's see what my team found inspiring and wants to share with you.
Secure Architecture
Between 2012 and 2014 I worked at Etsy...
The story of amazing (or not so amazing) infrastructure automation from the days when ChatOps and Hack Weeks met at Etsy.
AppSec
Experts show how to run malware on chips of a turned-off iPhone
Surprise: when an iPhone is turned off, most of its wireless chips (Bluetooth, NFC, and UWB) keep running. A motivated attacker can develop malware that runs on the iPhone's Bluetooth chip even while the phone is powered off.
Cryptography
How a saxophonist tricked the KGB by encrypting secrets in music
In 1985, Merryl Goldberg and three other US musicians used a custom encryption scheme hidden in music notation to slip information to Soviet performers and activists known as the Phantom Orchestra. While someone could technically have played the encoded pages as music, they would have sounded less like a tune and more like a cat walking across piano keys. Read how the obfuscation served its purpose.
DevOps
Introduction to automated security testing
Nothing can guarantee that your apps won't have security bugs, but automated tests can stop security problems from growing into devastating outcomes. DAST, SAST, dependency scanning, fuzzing, performance and incident recovery testing: we share an arsenal of approaches and tools for automating security testing of your software.
Incidents
npm security update: Attack campaign using stolen OAuth tokens
Yet another npm security story. Stolen OAuth user tokens were used to reach private repositories, escalate access to npm infrastructure, and steal user data. Here is what went wrong.
Tools
Lynis: Auditing, system hardening, compliance testing
Lynis is an open source security audit tool. It performs an in-depth security scan of your systems (Linux, macOS, and other Unix-like OSes) and suggests security hardening tips.
Run Lynis before inviting pentesters :)
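Running Lynis once is good; running it in a pipeline and failing the build when it finds warnings is better, which ties this tool back to the automated security testing item above. The script below is an added example, not code from the newsletter or from the Lynis project. It assumes Lynis has already written its machine-readable report (`/var/log/lynis-report.dat` by default, with `key=value` lines such as `hardening_index=64` and `warning[]=TEST-ID|text|details|solution|`); the sample report it writes is constructed for the demo and is not real scan output, and the test IDs in it are only illustrative.

```shell
#!/bin/sh
# Added example (not part of the newsletter or of Lynis itself): gate a CI job
# on a Lynis report. Lynis writes a machine-readable report (by default
# /var/log/lynis-report.dat) as key=value lines. The lines we care about:
#   hardening_index=NN
#   warning[]=TEST-ID|text|details|solution|
#   suggestion[]=TEST-ID|text|details|solution|
# Warnings are findings Lynis considers serious; suggestions are advisory.

# lynis_warnings REPORT -> prints one "TEST-ID: text" line per warning
lynis_warnings() {
    grep '^warning\[\]=' "$1" | cut -d= -f2- | awk -F'|' '{ print $1 ": " $2 }'
}

# lynis_hardening_index REPORT -> prints the hardening index (0 if the key is missing)
lynis_hardening_index() {
    idx=$(grep '^hardening_index=' "$1" | head -n 1 | cut -d= -f2)
    printf '%s\n' "${idx:-0}"
}

# lynis_gate REPORT MIN_INDEX -> returns 0 only if there are no warnings and the
# hardening index is at least MIN_INDEX; otherwise prints why and returns 1.
lynis_gate() {
    report=$1
    min=$2
    rc=0
    warnings=$(lynis_warnings "$report")
    if [ -n "$warnings" ]; then
        echo "Lynis warnings:"
        echo "$warnings"
        rc=1
    fi
    idx=$(lynis_hardening_index "$report")
    if [ "$idx" -lt "$min" ]; then
        echo "hardening index $idx is below the required $min"
        rc=1
    fi
    return $rc
}

# write_sample_report PATH -> constructed sample in the Lynis report format
# (not real scan output; the test IDs are illustrative)
write_sample_report() {
    cat > "$1" <<'EOF'
# Lynis Report
report_version_major=1
hardening_index=64
warning[]=KRNL-5830|Reboot needed|-|-|
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
EOF
}

# In a real pipeline step, after `sudo lynis audit system --quiet`:
#   lynis_gate /var/log/lynis-report.dat 70 || exit 1
# Run this file with --demo to see the gate fail on the constructed report.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_report "$tmp"
    lynis_gate "$tmp" 70
    echo "gate exit status: $?"
    rm -f "$tmp"
fi
```

Treat the hardening index threshold as a ratchet: start at whatever your fleet scores today, fail the build only on new warnings, and raise the minimum as you fix suggestions, so the gate never becomes something teams learn to bypass.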