What is a Vulnerability?
The part that most people don’t seem to understand enough is that an attack only matters if something is at stake. A transaction of some sort needs to occur, otherwise it doesn’t matter if someone performs the particular attack against you.
- When is a vulnerability not a vulnerability? | Medium, Tanya Janca
An Analysis of CVE-2018-0824
While we’re on the topic of vulnerabilities, I’ve said it before, but one of the best things that has come out from bug bounty programs is the writeups that sometimes follow which detail the thought process and the steps taken.
Similarly, it’s always insightful to see when security researchers not only create an exploit, but also spend some time analysing its patch and writing up how it works.
- Marshalling to SYSTEM - An analysis of CVE-2018-0824 | Code White Sec
Visualising Your Threat Models
Do you struggle finding the right tool for threat model diagramming? Well, this may be the one for you, if your requirements match the ones of Michael where the app had to:
- Support DFD and attack trees
- Enjoyable and easy to us
- Free and cross platform
- Not web or ‘cloud’ based
- Draw.IO for threat modeling | Michael Riksen
Brutal Blogging: Go for the Jugular
Ever wondered whether you should get into blogging? Ever started to write a blog but run out of ideas? Ever wonder why your blog post gets no love?
Well, fear not, because Kate Brew brings to you all these answers and more in her great DerbyCon 2018 talk
- Brutal blogging: Go for the jugular | Youtube
Blockchain Eating its Greens?
Walmart Inc., in a letter to be issued Monday to suppliers, will require its direct suppliers of lettuce, spinach and other greens to join its food-tracking blockchain by Jan. 31. The retailer also will mandate that farmers, logistics firms and business partners of these suppliers join the blockchain by Sept. 30, 2019.
- Walmart Requires Lettuce, Spinach Suppliers to Join Blockchain | Wall Street Journal
Do you Know What You’re Building?
Across the technology industry, rank-and-file employees are demanding greater insight into how their companies are deploying the technology that they built. At Google, Amazon, Microsoft and Salesforce, as well as at tech start-ups, engineers and technologists are increasingly asking whether the products they are working on are being used for surveillance in places like China or for military projects in the United States or elsewhere.
- Tech Workers Now Want to Know: What Are We Building This For? | The New York Times
Why Logic Errors Are So Hard to Catch
The fact that a relatively simple flaw allowed an anonymous hacker to compromise 50 million Facebook accounts serves as a powerful reminder: When hackers, professional or amateur, find business logic errors, as defined by CWE 840, the exploitation can be incredibly damaging.
The worst part is that finding logic errors can't be solved with automated tools alone. The best advice on how to avoid logic errors comes from Aristotle: "Knowing yourself is the beginning of all wisdom."
What NOT to do When Researchers Notify you of a Breach
A short but useful reminder what not to do when a researcher tries to contact you about a potential security issue.
TL;DR - try to be nice.
- What NOT to do when researchers notify you of a breach | Cyberwar news
Argos Doesn’t Take Care of IT
What happens when scammers target the wrong company? More specifically what happens when a social engineer tries to scam a company named, ‘the anti-social engineer’?
- Argos Doesn’t Take Care of IT | The antisocial engineer
Amazon AI Scrapped for Being Biased Against Women
Apparently Amazon has scrapped an internal project that was trying to use AI to vet jobs after the software consistently downgraded female candidates.
I don’t know, sounds like a case of shooting the messenger. What about the developers? Surely the AI inherited the biases from somewhere. Simply scrapping the AI won’t necessarily fix the issue.
Random Stories I Enjoyed This Week
- How New York City Tells the Story of Its Open Data Work | Gov tech
- America Is Losing Its Edge for Startups | CityLab
- The battle for the Home | Stratechery