Apache HTTPD Vulns, Hacking IoT Speakers, Use Cases for WASM, Slack AI Leak – ASW #297
Research by Orange Tsai into Apache HTTPD's architecture reveals several vulns, NCC Group shows techniques for hacking IoT devices with Sonos speakers, finding use cases for WebAssembly, Slack's AI leaks data, DARPA wants a future of Rust, and more!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
- 1. Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! | Orange Tsai
- 2. BlackHat USA 2024 – Listen-Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
- 3. wasmCloud on the factory floor: efficient and secure processing of high velocity machine data | CNCF
- 4. Slack AI data exfiltration from private channels via indirect prompt injection
- 5. Translating All C to Rust (TRACTOR)
- 6. Listen to the whispers: web timing attacks that actually work | PortSwigger Research
- 1. Adobe releases a mass of security updates
I'm just linking to Adobe's top-level security page, so this story won't age well - as of today, there are 11 announcements across Adobe products that were published on August 13th, and many of these announcements have a collection of vulnerabilities under their own banner. Lots of arbitrary code execution, denial of service, memory leaks - either a common library was repaired, or a new tool was brought into the SDLC and found a bunch of errors that hadn't been recognized before...or maybe something else?
- 2. Security and RFID smart cards…
This paper goes through a collection of issues in RFID cards, including an encrypted backdoor which, once broken, makes it easy to clone the cards at scale.
We tend to treat hardware such as smart cards as a reliable security factor - it's just a benign card, right?
- 3. MakeShift: A Security Analysis of Shimano wireless bike shifters
We've talked a few times about not just the IoT devices in your car, but the network of these devices. Networks have come to some higher-end bicycles over the last few years as well, including Shimano's Di2 gear shifting system. Among the issues they found is the ability to jam another cyclist's shifting system - one could call such a capability "problematic" in a bike race, let alone day-to-day...