Real world
Russian software disguised as American finds its way into U.S. Army, CDC apps
Reuters found mobile apps for the U.S. Army and CDC were using software from Pushwoosh, a Russian company that claims to be U.S.-based. A fact not in that story: in 2013, a Pushwoosh developer admitted authoring the SMS-stealing Pincer Trojan for Android.
P.S. Back in spring, we built a small tool to evaluate OSS projects based on the contributors' profiles. With RepoMetaScore, you can evaluate open-source projects by looking at their contributors' profiles and reduce supply chain attacks coming from "untrusted" sources.
Secure Architecture
Threat_Model_Examples: collection of threat models
Improving security starts with looking at and around your assets through the threat modelling lens. Threat models help to identify and understand threats and their mitigations, so this collection by Tal Eliyahu can become your unputdownable reading :)
Cryptography
Researchers quietly cracked Zeppelin ransomware keys
Triggered by the Zeppelin ransomware gang's attacks on homeless shelters, nonprofits, and charity organizations, Lance James and Joel Lathrop cracked the ransomware strain: factoring or computing just one encryption key, randomly generated on each infected machine, undoes the whole scheme. Their findings helped dozens of victim organizations recover without paying their extortionists.
Vulnerabilities
What I learnt from reading 217* Subdomain Takeover bug reports
Alana Witten scraped 143 subdomain takeover (SDTO) bug reports from HackerOne and 74 detailed write-ups to analyze, and explain in figures, the weak spots in subdomain security. Spoiler alert: SDTO is still worth hunting.
Incidents
How the FBI stumbled in the war on cybercrime
The FBI is often pictured as the agency that cordons off a crime scene with yellow tape, takes down bad guys, and shares nothing. In a long read by Renee Dudley and Daniel Golden, you'll find even more mess-ups in the FBI's cyber division, going back decades.
P.S.
Keep walking the walk
Want to participate in building and breaking software? Join us!
Or refer this to someone for whom it is relevant.
-> Mobile Application Security Engineer
-> Application Security Engineer
Looking for Ukraine-based applicants :)