InfoSec World 2021 is proud to announce its keynote lineup for this year’s event! Hear from Robert Herjavec plus heads of security at the NFL, TikTok, U.S. Department of Homeland Security, Stanford University, and more… Plus, Security Weekly listeners save 20% on Digital Pass registration! Visit https://securityweekly.com/isw2021 to register now!
Description
Network breaches, ransomware attacks, and remote-work challenges highlight the need for cloud-native Secure Access Service Edge (SASE) deployments.
Sinan Eren – VP, Zero Trust Access • ZTNA Engineering at Barracuda Networks
@DidymaWorks
Sinan Eren is the VP of Zero Trust Access at Barracuda. Sinan was formerly the Founder & CEO at Fyde, acquired by Barracuda in November of 2020.
Hosts
Patrick Laverty
@plaverty9
Security Consultant at Rapid 7
Paul Asadoorian
@securityweekly
Founder at Security Weekly
2. Brakeman – 07:00 PM-07:45 PM
Announcements
If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand
Description
Brakeman is a free static analysis security tool specifically designed for Ruby on Rails applications. It analyzes Rails application code to find security issues at any stage of development.
Justin first released Brakeman in 2010. In 2018, the commercial version, “Brakeman Pro”, was acquired by Synopsys. Brakeman continues to be a very popular security tool for Rails, with tens of thousands of downloads per day.
Justin Collins – People Empowerer for Product Security Team at Gusto
@presidentbeef
Justin currently empowers the product security team at Gusto. In the past, he has been an application security engineer at SurveyMonkey, Twitter, & AT&T Interactive. Justin is the primary author of Brakeman, a free static analysis security tool for Ruby on Rails. The commercial version of Brakeman was acquired by Synopsys in 2018.
Hosts
John Kinsella
@johnlkinsella
Co-founder & CTO at Cysense
Patrick Laverty
@plaverty9
Security Consultant at Rapid 7
Paul Asadoorian
@securityweekly
Founder at Security Weekly
3. Dubious Drones, NSO Group, Apple’s Bug Bounties, Ghostscript 0-Day, & IBM Server Bugs – 08:00 PM-09:30 PM
Announcements
Do you want to stay in the loop on all things Security Weekly? Visit https://securityweekly.com/subscribe to subscribe on your favorite podcast catcher or our Youtube channel, sign up for our mailing list, join our Discord Server, and follow us on our newest live-streaming platform, Twitch!
Security Weekly Unlocked will be held IN PERSON this December 5-7 at the Hilton Lake Buena Vista!
We are excited to announce our speakers: Lesley Carhart, John Strand, Alyssa Miller, Dave Kennedy, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Nick Leghorn, Michael Schladt, Kevin Johnson, Justin Kohler, Jay Beale, Trenton Ivey & Ryan Cobb!
This week in the Security News: Anonymous hacks Epik (with a K), Fuzzing Close-Source Javascript Engines, ForcedEntry, 8 Websites that can replace computer software, REvil decryptor key released, Microsoft fixes Critical vulnerability in Linux App, Drone accidentally delivers drug paraphernalia to high schoolers, & more!!!
Hosts
Joff Thyer
@joff_thyer
Security Analyst at Black Hills Information Security
John Kinsella
@johnlkinsella
Co-founder & CTO at Cysense
Patrick Laverty
@plaverty9
Security Consultant at Rapid 7
Paul Asadoorian
@securityweekly
Founder at Security Weekly
Drone accidentally drops off several pounds of weed, tobacco at high school – Oops: “A drone carrying a package filled with marijuana, tobacco and three cell phones landed on school grounds in Brunswick County, Virginia on Monday. Investigators say this package was meant to be dropped off at the Lawrenceville Correctional Center.”
U.S. Company Sold Zero-Click Hacking Tool to UAE Spy Operation – “Baier, Adams, and Gericke are alleged to have violated the International Traffic in Arms Regulations and conspired to commit access device fraud and computer hacking offenses. In another filing, prosecutors added that they will drop the charges if the three men cooperate with U.S. authorities, pay a financial penalty, and agree to a list of unspecified restrictions on their employment” – So, turns out, you can’t just sell exploits to anyone willy nilly…(or if you do, there are consequences)
There Are Too Many Underemployed Former Spies Running Around Selling Their Services to the Highest Bidder – Agree? “This has been a years-long investigation and, in addition, far from the spotlight, policymakers have been trying to update the laws and regulations regarding how much of their expertise former American intelligence operatives can peddle to foreign countries, which will use that expertise to, oh, let’s just say, ratfck any attempts to reform their oil-sodden repression. This cannot be a space that is beyond the law.”
Google is backing security reviews of these key open source projects – “OSTIF has identified a total of 25 MAP projects targeted for funding, including the eight that Google has funded to date. Other projects with funding pending support include well-known systems and tools developers use, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat’s Ansible, and Google’s Guava Java framework. “
FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild – The Citizen Lab – “Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7. On Monday, September 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. They designated the FORCEDENTRY exploit CVE-2021-30860, and describe it as “processing a maliciously crafted PDF may lead to arbitrary code execution.””
Apple Issues Urgent Updates to Fix New Zero-Day Linked to Pegasus Spyware – “The updates arrive weeks after researchers from the University of Toronto’s Citizen Lab revealed details of a zero-day exploit called “FORCEDENTRY” (aka Megalodon) that was weaponized by Israeli surveillance vendor NSO Group and allegedly put to use by the government of Bahrain to install Pegasus spyware on the phones of nine activists in the country since February this year.”
Anonymous Claims to Have Stolen Huge Trove of Data From Epik, the Right-Wing’s Favorite Web Host – “Members of the hacktivist collective Anonymous claim to have hacked web registration company Epik, allegedly stealing “a decade’s worth of data,” including reams of information about its clients and their domains. Epik is controversial, having been known to host a variety of rightwing clients, including ones that other web hosting providers, like GoDaddy, have dropped for various reasons.” – How active is Anonymous these days?
No Patch for High-Severity Bug in Legacy IBM System X Servers – “By sending a specially-crafted request through SSH or Telnet session, an attacker could exploit this vulnerability to execute arbitrary commands on the system.” The fix is easy LOL: “Disable SSH and Telnet (This can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface)”
Microsoft Fixes Critical OMIGOD Vulnerabilities in Linux App – WOW: “Thanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0”
Security Researchers Unhappy With Apple’s Bug Bounty Program – So get this, researchers say: “Security researchers said that Apple limits feedback on which bugs will receive a bounty, and former and current Apple employees said there’s a “massive backlog” of bugs that have yet to be addressed.” and “In interviews with more than two dozen security researchers, The Washington Post collected a number of complaints. Apple is slow to fix bugs, and doesn’t always pay out what’s owed.” YET, Apple says: “Apple feels the program has been a success, and that Apple has doubled the amount that it paid in bug bounties in 2020 compared to 2019. Apple is, however, still working to scale the program, and will offer new rewards in the future”
Critical vulnerability in HAProxy – “HTTP Request Smuggling is an attack technique that emerged in 2005. It is based on interfering with the processing of HTTP requests between the frontend server (i.e. HAProxy) and the backend server. An adversary typically exploits this technique by sending a specially crafted request that includes an additional request in its body. On a successful attack, the inner request is smuggled through the frontend (that considers it as only the request’s body) but is consumed as a normal request by the backend.”
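The quote above describes the precondition for request smuggling: the frontend and backend disagree about where one request ends and the next begins. The check below is an added example, not code from the HAProxy project or the advisory, showing what a defender-side framing validator looks like: it flags requests carrying both Content-Length and Transfer-Encoding, conflicting or malformed Content-Length values, non-canonical Transfer-Encoding, whitespace-obfuscated header names, and any bytes left over after the declared body (the bytes a second parser would read as a separate request). The two sample requests are constructed for the example, and the host name example.test is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample requests (not captured traffic). The second one carries
# both framing headers and trailing data after the chunked body.
CLEAN_REQUEST = (
    b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 7\r\n\r\nq=hello"
)
AMBIGUOUS_REQUEST = (
    b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"1\r\nZ\r\n0\r\n\r\n"
    b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

DIGITS = re.compile(r"[0-9]+")


def split_head(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw request into head and body at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    return head, body


def raw_headers(head: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs; names are kept unstripped so obfuscation is visible."""
    out = []
    for line in head.split(b"\r\n")[1:]:
        if line:
            name, _, value = line.decode("latin-1").partition(":")
            out.append((name, value.strip()))
    return out


def chunked_body_length(body: bytes) -> Optional[int]:
    """Bytes a chunked decoder consumes, including the zero chunk and trailer
    terminator; None if the body is not well-formed chunked encoding."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return None
        try:
            size = int(body[pos:end].split(b";", 1)[0].strip(), 16)
        except ValueError:
            return None
        pos = end + 2
        if size == 0:  # trailer section: lines until an empty one
            while True:
                term = body.find(b"\r\n", pos)
                if term < 0:
                    return None
                empty = term == pos
                pos = term + 2
                if empty:
                    return pos
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            return None
        pos += 2


def framing_findings(raw: bytes) -> List[str]:
    """List every reason a proxy should refuse to forward this request as-is."""
    head, body = split_head(raw)
    headers = raw_headers(head)
    findings: List[str] = []
    for name, _ in headers:
        if name != name.strip():
            findings.append(f"whitespace around header name {name!r}")
    norm = [(n.strip().lower(), v) for n, v in headers]
    cl = [v for n, v in norm if n == "content-length"]
    te = [v for n, v in norm if n == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {cl}")
    findings += [f"malformed Content-Length {v!r}" for v in cl if not DIGITS.fullmatch(v)]
    findings += [f"non-canonical Transfer-Encoding {v!r}" for v in te if v.lower() != "chunked"]
    # Body length under each framing rule; leftover bytes are what a second
    # parser would treat as the start of another request.
    declared: List[int] = []
    if len(set(cl)) == 1 and DIGITS.fullmatch(cl[0]):
        declared.append(int(cl[0]))
    if te and te[0].lower() == "chunked":
        n = chunked_body_length(body)
        declared.append(n) if n is not None else findings.append("malformed chunked body")
    for n in declared:
        if n > len(body):
            findings.append(f"declared body length {n} exceeds received {len(body)}")
        elif body[n:]:
            findings.append(f"{len(body) - n} trailing bytes after declared body")
    return findings


def accept(raw: bytes) -> bool:
    """A strict frontend forwards only requests with unambiguous framing."""
    return not framing_findings(raw)


if __name__ == "__main__":
    for req in (CLEAN_REQUEST, AMBIGUOUS_REQUEST):
        print(accept(req), framing_findings(req))
```

Rejecting on any finding is stricter than RFC 7230, which lets Transfer-Encoding win when both headers are present; the strict policy is the one a proxy operator wants, because the attack depends on an intermediary being more lenient than the server behind it.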
PoC released for Ghostscript vulnerability that exposed Airbnb, Dropbox – “Hackers have released proof-of-concept code that exploits a recently demonstrated vulnerability in older but still widely used versions of Ghostscript, the popular server-side image conversion software package. Security researcher Emil Lerner demonstrated an unpatched vulnerability for Ghostscript version 9.50 at the ZeroNights X conference in Saint Petersburg, Russia last month.” – PoC: https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50 and more info: https://therecord.media/ghostscript-zero-day-allows-full-server-compromises/ (Originally From: https://twitter.com/jensvoid/status/1435631308294795264)