Firstly, we want to thank our community for the overwhelmingly positive response to the concept of this newsletter series. We read each and every email we receive, so please keep them coming!
In Issue 2 of The Hacker’s Guide series, we’ll be taking on the theme of Independence Day -- the holiday, not the movie.
While this newsletter series won’t include an extraterrestrial race dead set on extinguishing the human race, I assure you it will be just as entertaining. I mean, 67% on Rotten Tomatoes shouldn’t be too hard to beat, right? Sure, they might have Will Smith, but we have fuzz testing and an unwavering determination to extinguish bugs.
Welcome to The Hacker’s Guide to Celebrating Independence Day.
The Hacker's Guide is a quarterly newsletter that aims to make security-related news, podcasts, content, and tools available and accessible. Our academic roots have made us advocates of education, especially around our passion for fuzz testing, and this is one of the few ways we aim to connect with our community.
While You’re Heating Up The Barbeque
The BBQ won’t be the only thing heating up. Check out these security testing trends that are heating up the market.
The Rise of The CPSO: Chief Product Security Officer
A new chief security role known as Chief Product Security Officer (CPSO) is rising to prominence. While similar to the CISO role in that both cover security, the CPSO focuses on very separate domains under the cybersecurity category. CPSOs oversee the cybersecurity of a company’s digital products, including software, firmware, or products that contain code. This includes implementing a product security program designed to address cybersecurity across all stages of the product life cycle.
Gartner Releases Magic Quadrant for Application Security Testing
Gartner is shaking things up this year by expanding the scope of their market analysis by including the following trends: Infrastructure as Code (IaC) testing, container security, fuzz testing, API testing, and cloud-native support. These are areas in which Gartner analysts have observed an increase in client inquiries and interest for rounding out their application security testing programs.
These are the Two Attack Vectors Targeting Technology Companies
Attacks are on the rise. Attackers are specifically targeting the products technology companies develop -- every flaw, vulnerability, exploit, and poor configuration. No company is immune. This trend is calling for end-to-end product testing and an approach where issues can be fixed faster than attackers can exploit them.
Building Secure Cars: Assuring the Automotive Software Development Lifecycle Released
In this book, Dr. Dennis Kengo Oka explores how the automotive industry can address the increased risks of cyberattacks and incorporate security into the software development lifecycle. Readers are introduced to various types of cybersecurity activities, measures, and solutions that can be applied at each stage in the typical automotive development process.
Just kidding! ForAllSecure is headquartered in Pittsburgh, so there’s no way we’re missing the Pirates vs Brewers game (you’re going down, Milwaukee). Following the highs of home runs with lifeless commercials is disrespectful to the sport. Here’s some entertainment during your commercial breaks to keep that energy high.
Binary Exploitation Deep Dive: Return to LIBC (with Matt)
YouTube talent John Hammond releases a technical and thorough deep dive on the fundamentals of binary exploitation, sourcing challenges specifically from PicoCTF. The two-hour-long session covers reverse engineering in Ghidra, debugging in a GDB plugin, troubleshooting exploits, and fixing and understanding problems.
FuzzCon Goes to Las Vegas!
Have you heard? FuzzCon is back. Don’t miss another entertainment-packed event covering all trends, news, and technology breakdowns on fuzzing. There’s something for everyone. FuzzCon will be hosted live and virtually.
Never heard of FuzzCon before? Here’s a quick clip from last year’s event.
The Hacker Mind EP 22: Hacking Social Media
LiveOverflow talks about his six years producing engaging YouTube content and what the rise of social media influencers might mean for traditional conferences like Black Hat. He also gives a preview of his YouTube series on the sudo vulnerability.
In true potluck fashion, we’re bringing together a little bit of everything from everyone. Listed below are the fuzzing tools at your disposal for devouring those bugs.
Native Go Fuzz Testing Tool Ready for Beta Testing
The Go project announced that native fuzzing for the Go language is ready for beta testing. They’ve focused on fuzzing because it provides more code coverage than traditional testing, making it particularly valuable in finding vulnerabilities and security exploits.
Did You Know Fuzzing in the NIST Risk Management Framework (RMF)?
Looking for an artifact to fill that blank eMASS Fuzzing control void? ForAllSecure Mayhem has helped several organizations within the Department of Defense (DoD) meet this need.
Google’s OSS-Fuzz Now Supports Fuzzing Java Applications
OSS-Fuzz, Google’s open source fuzzing service, now supports fuzzing applications written in Java and other Java Virtual Machine (JVM) based languages (e.g. Kotlin, Scala).
In addition to watching the fireworks blow up the sky, check out these bugs, found with fuzz testing, that are blowing up in the industry.
PuzzleMaker Identifies Chrome and Windows Zero-Day Exploit Chain
Kaspersky technologies have detected a wave of targeted attacks leveraging a chain of Google Chrome and Microsoft Windows zero-day exploits.
Ransomware Attackers are Leveraging Old SonicWall SRA Flaw (CVE-2019-7481)
CrowdStrike warns that a cyber-criminal group is exploiting CVE-2019-7481, an older SQL injection vulnerability affecting SonicWall Secure Remote Access (SRA) 4600 devices running firmware versions 8.x and 9.x, to penetrate organizations’ networks.
Zero-day Vulnerability Found in Microsoft Teams
A researcher at Tenable has found a vulnerability in Microsoft’s Teams application, which allows an attacker to take control of a user’s account. This allows the attacker to access the victim’s chat history, read and send emails on the victim’s behalf, and access files in their OneDrive storage.
Apple Issues Patches for Two Zero-Days Exploited in Wild
Apple shipped out-of-band security patches to address two zero-day vulnerabilities in iOS 12.5.3 that are actively being exploited in the wild. This release comes with fixes for three security bugs, including a memory corruption issue in the ASN.1 decoder (CVE-2021-30737) and two flaws concerning its WebKit browser engine that could be abused to achieve remote code execution (CVE-2021-30761 and CVE-2021-30762).