
    sql injection

    Explore "sql injection" with insightful episodes like "Episode 185 - The Inexplicable Episode", "Beyond Traditional Software Security: Let's Explore the Concept of a Workflow Bill of Materials (WBOM) | A Conversation with Francesco Cipollone | Redefining CyberSecurity Podcast with Sean Martin", "Beyond Traditional Software Security: Let's Explore the Concept of a Workflow Bill of Materials (WBOM) | A Conversation with Francesco Cipollone | Redefining CyberSecurity Podcast with Sean Martin", "Little Bids & Pieces #4." and "Michael Lubas on the Future of Elixir Security" from podcasts like "The Host Unknown Podcast", "Redefining CyberSecurity", "ITSPmagazine", "The Bid Picture with Bidemi Ologunde - Cybersecurity & Intelligence Analysis" and "Elixir Wizards", and more!

    Episodes (10)

    Episode 185 - The Inexplicable Episode


    This week in InfoSec (06:25)

    With content liberated from the “today in infosec” twitter account and further afield

    16th February 2010: Version 2.0 of the CWE/SANS Top 25 Most Dangerous Software Errors was released.

    Take a look and decide which of these weaknesses have been eradicated over the last 14 years.

    Web Archive

    https://twitter.com/todayininfosec/status/1758712418601971748

    20th February 2003: Alan Giang Tran, former network admin for 2 companies, was arrested after allegedly destroying data on the companies' networks. Two months later he pleaded guilty to a federal charge of intentionally causing damage to a protected computer.

    https://twitter.com/todayininfosec/status/1760021831354896443


    Rant of the Week (14:01)

    Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data

    Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes.

    From at least 2014 to 2020, Avast harvested user web browsing information through its antivirus software and browser extension, according to the FTC’s complaint. This allowed it to collect data on religious beliefs, health concerns, political views, locations, and financial status. The company then stored this information “indefinitely” and sold it to over 100 third parties without the knowledge of customers, the complaint says.


    Billy Big Balls of the Week (25:02)

    Husband 'made over a million' by eavesdropping on BP wife

    The husband of a BP employee has been charged with insider trading in the US following claims he overheard details of calls made by his wife while working from home.

    The US Securities and Exchange Commission alleged Tyler Loudon made $1.76m (£1.39m) in illegal profits.

    The regulator claimed Mr Loudon heard several of his wife's conversations about BP's takeover of TravelCenters of America and bought shares in the firm.

    BP has declined to comment.

    The SEC said: "We allege that Mr Loudon took advantage of his remote working conditions and his wife's trust to profit from information he knew was confidential."

    His wife - a mergers and acquisitions manager at BP - worked on the oil giant's takeover of TravelCenters. 

    The SEC said Mr Loudon purchased 46,450 shares of TravelCenter's stock, without his wife's knowledge, before the deal was made public in February last year.

    Following the announcement, TravelCenter's share price rose nearly 71% and Mr Loudon allegedly immediately sold all of his newly-bought shares for a profit, the SEC said.


    Industry News (32:16)

    Attacker Breakout Time Falls to Just One Hour

    NCSC Sounds Alarm Over Private Branch Exchange Attacks

    Biden Executive Order to Bolster US Maritime Cybersecurity

    Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited

    Chinese Duo Found Guilty of $3m Apple Fraud Plot

    OWASP Releases Security Checklist for Generative AI Deployment

    Russian-Aligned Network Doppelgänger Targets German Elections

    Change Healthcare Cyber-Attack Leads to Prescription Delays

    ICO Bans Serco Leisure's Use of Facial Recognition for Employee Attendance


    Tweet of the Week (42:37)

    https://twitter.com/lauriewired/status/1760751495073640705

    Come on! Like and bloody well subscribe!

    Beyond Traditional Software Security: Let's Explore the Concept of a Workflow Bill of Materials (WBOM) | A Conversation with Francesco Cipollone | Redefining CyberSecurity Podcast with Sean Martin


    Guest: Francesco Cipollone, CEO & Founder at Phoenix Security [@sec_phoenix]

    On LinkedIn | https://www.linkedin.com/in/fracipo/

    On Twitter | https://twitter.com/FrankSEC42

    On YouTube | https://www.youtube.com/@phoenixsec

    ____________________________

    Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

    On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

    ____________________________

    This Episode’s Sponsors

    Imperva | https://itspm.ag/imperva277117988

    Pentera | https://itspm.ag/penteri67a

    ___________________________

    Episode Notes

    In this episode of Redefining CyberSecurity Podcast, host Sean Martin is joined by Francesco Cipollone from Phoenix Security for a riveting conversation on the vulnerabilities associated with using pre-made tools for website development. The dialogue revolves around the inherent security risks these tools pose, especially when used by non-technical teams like marketing.

    Francesco shares a fascinating account of discovering a potential SQL injection in a well-known CRM system. This revelation underscores the importance of input validation and the necessity of secure defaults in any tool. The discussion also brings to light the fact that many systems do not consider these potential security risks as standard, often requiring additional licenses or configurations for basic security measures.

    The conversation takes an interesting turn as they discuss a new concept of a Workflow Bill of Materials™ (WBOM)—a term coined by the host, Sean Martin, for the first time. This idea extends beyond the typical focus on software bill of material security (which often focuses on source code, services, and APIs) to include a broader view of the tools and systems that teams use in their daily operations. The WBOM concept emphasizes the need for organizations to understand the associated risks of these tools and implement more secure practices.

    Sean and Francesco highlight the importance of threat modeling in identifying potential risks. They also discuss the challenges organizations face in ensuring security, especially when these tools are used by teams with zero security knowledge. The episode concludes with a call to action for the industry to move towards security by default and the ethical use of technology.

    This episode offers listeners an insightful look into the complexities of cybersecurity in the context of commonly used tools and systems, and the urgent need for a shift in perspective when it comes to securing these tools.

    ___________________________

    Watch this and other videos on ITSPmagazine's YouTube Channel

    Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

    📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

    ITSPmagazine YouTube Channel:

    📺 https://www.youtube.com/@itspmagazine

    Be sure to share and subscribe!

    ___________________________

    Resources

    Francesco's LinkedIn Post: https://www.linkedin.com/posts/fracipo_bit-of-a-rant-on-the-security-tax-of-certain-activity-7139650868064202753-LZ21/

    ___________________________

    To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

    https://www.itspmagazine.com/redefining-cybersecurity-podcast

    Are you interested in sponsoring an ITSPmagazine Channel?

    👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network


    Michael Lubas on the Future of Elixir Security

    In today's episode of Elixir Wizards, Michael Lubas, founder of Paraxial.io, joins hosts Owen Bickford and Bilal Hankins to discuss security in the Elixir and Phoenix ecosystem. Lubas shares his insights on the most common security risks developers face, recent threats, and how Elixir developers can prepare for the future.

    Topics covered in this episode:

    Common security risks, including SQL injection and cross-site scripting, and how to mitigate these threats
    The importance of rate limiting and bot detection to prevent spam SMS messages
    Continuous security testing to maintain a secure application and avoid breaches
    Tools and resources available in the Elixir and Phoenix ecosystem to enhance security
    The Guardian library for authentication and authorization
    Take a drink every time someone says "bot"
    The difference between "bots" and AI language models
    The potential for evolving authentication, such as Passkeys over WebSocket
    How Elixir compares to other languages due to its immutability and the ability to trace user input
    Potion Shop, a vulnerable Phoenix application designed to test security
    Talking Tom, Sneaker Bots, and teenage hackers!
    The importance of security awareness and early planning in application development
    The impact of open-source software on application security
    How to address vulnerabilities in third-party libraries
    Conducting security audits and implementing security measures

    Links in this episode:

    Michael Lubas
    Email - michael@paraxial.io
    LinkedIn - https://www.linkedin.com/in/michaellubas/

    Paraxial.io - https://paraxial.io/
    Blog/Mailing List - https://paraxial.io/blog/index
    Potion Shop - https://paraxial.io/blog/potion-shop
    Elixir/Phoenix Security Live Coding: Preventing SQL Injection in Ecto
    Twitter - https://twitter.com/paraxialio
    LinkedIn - https://www.linkedin.com/company/paraxial-io/
    GenServer Social - https://genserver.social/paraxial
    YouTube - https://www.youtube.com/@paraxial5874

    Griffin Byatt on Sobelow: ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application (https://www.youtube.com/watch?v=w3lKmFsmlvQ)
    Erlang Ecosystem Foundation: Security Working Group - https://erlef.org/wg/security
    Article by Bram - Client-Side Enforcement of LiveView Security (https://blog.voltone.net/post/31)

    Special Guest: Michael Lubas.

    Episode 19 - OWASP Top Ten

    In this episode we talk about the volunteer project that maintains the list of the most common web security vulnerabilities, the OWASP Top Ten project.

    We picked several vulnerabilities from the list that seem to us the most important and most common, and talked about them.

    Awareness of these vulnerabilities could prevent a very large share of the data leaks and breaches we hear about almost every day. Every programmer, and web programmers in particular, should know them.


    The OWASP Top Ten project
    https://owasp.org/www-project-top-ten/

    OWASP Zed Attack Proxy
    https://owasp.org/www-project-zap/

    Shodan
    https://www.shodan.io/explore

    Netanel Hansel's blog - presenter of the "The Matrix - on man and machine" segment
    https://hagolem.home.blog/

    The most famous SQL injection joke:
    https://imgs.xkcd.com/comics/exploits_of_a_mom.png


    Security, with Rizqi Djamaluddin


    It's every application developer's nightmare: your app gets hacked and everyone's private data is out in the open, and it's your fault.

    Thankfully, Laravel and the tools it brings have the best security practices baked in. But a framework can only save us from so much.

    In this episode, security advocate and UX Designer Rizqi Djamaluddin (the UX part matters! Listen to find out why) talks about what Laravel gives us by default, how to write code that plays nicely with Laravel's built-in security tooling, and other helpful tools and practices that can keep you, your apps, and your clients secure.


    -----

    Editing sponsored by Tighten; transcript sponsored by Larajobs.

    When Security Is Low, How Do We Go High?


    Our inspiration for this week's show was Michelle Obama's popular catchphrase, "When they go low, you go high." Don't worry, our next episode will also have a fun Republican catchphrase.

    In this episode, we discussed how low the security of our favorite things has gone - in music, email, and the Internet of Things (IoT).

    Music. There are a lot of music lovers that use Spotify on their desktops, but they weren't expecting it to periodically cause their browser to open malicious sites without their permission.

    Email. Even though kids these days think email is passé, organizations still rely on email. That's why we must cover Yahoo's 500 million leaked accounts as well as the hacked presidential candidates' emails. (Psst, go to 5:03 if you want to know how much Yahoo would have paid if GDPR - the EU's latest data protection regulation - had been in effect.)

    IoT. Lastly, we discussed Mirai, the recent DDoS attack against Brian Krebs, who runs KrebsOnSecurity.com, a publication about cybersecurity.

    Thinking Like a Hacker

    In this segment, we attempt to explain "SQL Injection" to a 5-year-old.

    A Tool for Sysadmins

    Fiddler - The free web debugging proxy for any browser, system or platform


    © 2024 Podcastworld. All rights reserved
