Greeting from Felix
Shift Security Left #4
Hi guys! It's October, and here's the fourth Shift Security Left issue! Our community of security-minded developers is constantly growing: welcome! It's so nice to see people understanding that the earlier you pay attention to security, the better. Here you'll find bits that work for you right away. So, enjoy making your life and software more secure!
Real world
The new USB Rubber Ducky is more dangerous than ever
The original much-loved hacking tool Rubber Ducky was released over 10 years ago. With the right approach, the possibilities of its newest version are almost endless. Plug this USB flash drive into a computer—and the machine sees it as a USB keyboard and accepts keystroke commands from the device just as if a real person was typing them in.
Secure Architecture
Redis explained
Here's a deep technical dive into all things Redis (“REmote DIctionary Service”), an open-source key-value database server. Learn about various Redis topologies, data persistence, and process forking.
AppSec
Building appsec pipeline for continuous visibility
Have you read Cossack Labs' article on automated security testing in Shift Security Left #2? Now read on about building an application security pipeline for continuous security scanning using the free and open-source tools for SAST, DAST, SCA, secrets scanning, and SBOM generation that they use at Chargebee.
Vulnerabilities
Practically-exploitable Cryptographic Vulnerabilities in Matrix
When building your own end-to-end encrypted protocol, using well-known crypto primitives alone is not enough. Weak design choices and implementation bugs can invalidate the confidentiality and authentication guarantees and reduce security drastically.
DevOps
Everything you ever wanted to know about terminals
A good technical article on how the terminal (console) works: general principles, control sequences, special keys, code examples. For those who have lived in the console for a long time, it may not be a revelation, but if you are interested in how and why exactly terminals work, I recommend it.
Incidents
How I hacked my car
Do you like playing around with your gadgets? What about the In-Vehicle Infotainment (IVI) system in your car? Here's a story about a 2021 Hyundai Ioniq SEL owner who decided to hack the IVI to get root access and be able to run his own software on it. Hehe, guess whether it was a success?
Tools
GitHub — google/paranoid_crypto
The Paranoid project checks cryptographic artifacts (public keys, signatures) for well-known weaknesses. It helps to find common and rare cryptographic mistakes, aiming to detect the use of weak third-party hardware or software black boxes. Paranoid can be used even if you don't have access to the source code.
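To give you a feel for what "checking artifacts for well-known weaknesses" means in practice, here's an added illustration (my own code, not paranoid_crypto's): a batch-GCD check over an inventory of RSA public moduli. Two keys whose moduli share a prime can each be factored with a single gcd, so a defender auditing a fleet of keys wants such keys flagged and rotated. The sample moduli are constructed from small primes so the output is readable; real keys are 2048+ bits, but the algorithm is unchanged. Parsing PEM files into integers is left out on purpose.

```python
"""Batch-GCD check for RSA moduli that share a prime factor.

Added illustration, not paranoid_crypto's own code: a shared-prime check is
one of the classic weakness tests a tool like Paranoid runs over a key
inventory. Any key flagged here must be treated as compromised and rotated.
"""
from math import gcd

# Constructed sample inventory: keys 0 and 1 share the prime 103.
SAMPLE_MODULI = [
    101 * 103,  # key 0
    103 * 107,  # key 1  (shares 103 with key 0)
    109 * 113,  # key 2
    127 * 131,  # key 3
]


def batch_gcd(moduli):
    """Return gcd(n_i, product of all other moduli) for every n_i.

    Uses a product tree followed by a remainder tree (Bernstein's batch
    GCD), so the cost is quasi-linear rather than quadratic in the number
    of keys; for a handful of keys a pairwise loop would do just as well.
    """
    if not moduli:
        return []
    # Product tree: levels[0] holds the leaves, levels[-1] the single root.
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                       for i in range(0, len(prev), 2)])
    # Remainder tree: walk back down, reducing the parent's remainder
    # modulo each child squared. Node i at a level has parent i // 2.
    rems = [levels[-1][0]]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # P mod n^2 == n * (Q mod n) where Q is the product of the others,
    # so (P mod n^2) // n == Q mod n and gcd(Q mod n, n) == gcd(Q, n).
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_shared_factors(moduli):
    """Map index -> nontrivial factor for every modulus sharing a prime.

    Edge case: if a modulus shares *both* of its primes with other keys
    (or is an exact duplicate), batch_gcd returns the modulus itself; fall
    back to pairwise gcds to isolate a single prime where one exists.
    """
    flagged = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue
        if g == n:
            for j, m in enumerate(moduli):
                if j != i and 1 < gcd(n, m) < n:
                    g = gcd(n, m)
                    break
        flagged[i] = g
    return flagged


if __name__ == "__main__":
    for idx, factor in find_shared_factors(SAMPLE_MODULI).items():
        n = SAMPLE_MODULI[idx]
        print(f"key {idx}: modulus {n} = {factor} * {n // factor}  (WEAK, rotate)")
```

Running it reports keys 0 and 1 with their shared factor 103 and stays silent on keys 2 and 3. The interesting design point is the remainder tree: instead of n^2 gcd calls, one big product is reduced modulo each modulus squared, which is what makes this check practical over millions of certificates.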