Securing Non-Election Election Systems, Modernizing AppSec Education – Brian Glas – ASW #247

I include this article to ultimately pose the question - just because ChatGPT and Google Bard have safety measures, does that mean the underlying LLMs are also safe?

I included this article to introduce us to the Open Source Security Foundation, a conglomerate of individuals that are dedicated to securing open source. This 'SBOM Everywhere' initiative is a newer initiative dedicated to empowering developers to use SBOMs to secure their supply chain.

CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard. This document overviews teasers of some of the upcoming changes to CVSS v 4.0, and you can find a full readout of the upcoming changes at https://www.first.org/cvss/v4-0/cvss-v40-presentation.pdf.

CISA releases an alert about critical vulnerability in the software that gathers and analyzes data from pacemakers. Not a direct attack on the pacemaker, but I suspect a creative malcreant could use this to cause much suffering

Everybody's favorite legal-threatening thermostat company also has an industrial arm has disclosed 9 CVEs in their Experion DCS platforms and controllers, used across "agriculture, water, pharmaceutical, and nuclear plants." The vulnerabilities range from information disclosure to DOS weaknesses to RCE.

I like research laid out like this, and while Twitter has it's issues, laying the research out in a Twitter thread I think forces people to write in consumable bite-sized chunks. Neat to see them using Frida to help understand what's going on...I'm sure we've talked about it on previous episodes. https://frida.re/

While I'm happy to say I haven't hand-coded postscript in over 2 decades, it's still very much in use. I'm sure Mike still keeps his resume up to date in postscript (as well as LaTEX), so for people like him who use Ghostscript for rendering their work, this one's for you.

Wired has a solid article to get people thinking about what could happen when you pull up to a public charger with your EV, take that plug and shove it into your car to stock up on angry pixies.(possible paywall)

"Multi-site cloudsec encryption information disclosure" never ever sounds like a good thing.

Aqua's Nautilus researchers have a great 2 part blog looking at work currently happening at a presumable APT to compromise docker and kubernetes systems through a collection of vulnerabilities (including the crowd favorite Jupiter Lab) to build a botnet that we're not sure what it's going to be used for, just yet.

Part two is at https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campaign

The name doesn't sound good, nor does it's 7.8 CVSS. This use after free vulnerability is expected to have a exploit in coming weeks, so understand it now and patch quickly.

Sometimes you shouldn't just download and run things from the internet without closer inspection.

You definitely shouldn't do so with security-related code, especially when it comes from security researchers, and more especially from security researchers you are not familiar with.

Hey, can you run this for me real quick?

We've seen plenty of issues with WAFs and proxies over the years: Safely handling traffic for inspection can be difficult to do right. We've also covered a few issues parsing and supporting HTTP/2.

In this case, those two great flavors come together like peanut butter and...WAF.

Fortinet seems to be going through a rough spot with vulnerabilities this year. Up next we have a RCE related to untrusted java object deserialization in their NAC product.

The vulnerability pair includes ability to (mis)control industrial IOT devices.

Here's a chance to see the source code behind one notorious UEFI bootkit. Of interest is the quality of code, it's documentation, organization, and cleanliness. Take a look, and compare it to how some of your source looks!

h/t https://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-windows-uefi-malware-leaked-on-github/

I'm posting this one as it shows how that Security tab on a GitHub project can be used...I find many projects leave it there without either using it or disabling it in the project's settings.