Things I Hearted this Week, 12th October 2018

October 12, 2018  |  Javvad Malik

What is a Vulnerability?

The part that most people don’t seem to understand enough is that an attack only matters if something is at stake. A transaction of some sort needs to occur, otherwise it doesn’t matter if someone performs the particular attack against you.

An Analysis of CVE-2018-0824

While we’re on the topic of vulnerabilities, I’ve said it before, but one of the best things that has come out from bug bounty programs is the writeups that sometimes follow which detail the thought process and the steps taken.

Similarly, it’s always insightful to see when security researchers not only create an exploit, but also spend some time analysing its patch and writing up how it works.

Visualising Your Threat Models

Do you struggle to find the right tool for threat model diagramming? Well, this may be the one for you, if your requirements match those of Michael, where the app had to:

  • Support DFD and attack trees
  • Be enjoyable and easy to use
  • Be free and cross platform
  • Not be web or ‘cloud’ based

  • Draw.IO for threat modeling | Michael Riksen

Brutal Blogging: Go for the Jugular

Ever wondered whether you should get into blogging? Ever started to write a blog but run out of ideas? Ever wonder why your blog post gets no love?

Well, fear not, because Kate Brew brings you all these answers and more in her great DerbyCon 2018 talk.

Blockchain Eating its Greens?

Walmart Inc., in a letter to be issued Monday to suppliers, will require its direct suppliers of lettuce, spinach and other greens to join its food-tracking blockchain by Jan. 31. The retailer also will mandate that farmers, logistics firms and business partners of these suppliers join the blockchain by Sept. 30, 2019.

Do you Know What You’re Building?

Across the technology industry, rank-and-file employees are demanding greater insight into how their companies are deploying the technology that they built. At Google, Amazon, Microsoft and Salesforce, as well as at tech start-ups, engineers and technologists are increasingly asking whether the products they are working on are being used for surveillance in places like China or for military projects in the United States or elsewhere.

Why Logic Errors Are So Hard to Catch

The fact that a relatively simple flaw allowed an anonymous hacker to compromise 50 million Facebook accounts serves as a powerful reminder: When hackers, professional or amateur, find business logic errors, as defined by CWE-840, the exploitation can be incredibly damaging.

The worst part is that finding logic errors can't be solved with automated tools alone. The best advice on how to avoid logic errors comes from Aristotle: "Knowing yourself is the beginning of all wisdom."

What NOT to do When Researchers Notify you of a Breach

A short but useful reminder of what not to do when a researcher tries to contact you about a potential security issue.

TL;DR - try to be nice.

  • What NOT to do when researchers notify you of a breach | Cyberwar news

Argos Doesn’t Take Care of IT

What happens when scammers target the wrong company? More specifically, what happens when a social engineer tries to scam a company named ‘the anti-social engineer’?

Amazon AI Scrapped for Being Biased Against Women

Apparently Amazon has scrapped an internal project that was trying to use AI to vet job candidates after the software consistently downgraded female candidates.

I don’t know, sounds like a case of shooting the messenger. What about the developers? Surely the AI inherited the biases from somewhere. Simply scrapping the AI won’t necessarily fix the issue.

Random Stories I Enjoyed This Week
