The Weekly Ink #12
##THE WEEKLY INK## The Weekly Ink is the weekly newsletter brought to you by Duo Labs, the security research team at Duo Security, with curated links of interest in the security world to inform the community on security happenings and culture.
Continuing his automotive security research, Chris Valasek shared a post on his analysis and thoughts of Vehicle-to-Vehicle (V2V) systems, which seem poised to make their way into cars in the next decade or two (though Chris says robots will have taken over long before then, so it's probably all for naught anyway). A great primer V2V, Chris' post breaks down the various components of V2V systems, communications and interactions, and, of course, proposed security mechanisms. I found the PKI aspect of V2V a bit intriguing (and concerning) – namely the deployment and use of short-lived certificates – though, like Chris, I'm no crypto genius. All in all, a good read for anyone who's even remotely into automotive security "stuff".
Despite the whole "given enough eyeballs, all bugs are shallow" thing, numerous open source projects are riddled with security bugs (GASP). Enter Simply Secure, a new initiative to help open source developers with usability _and _security decisions. Though not the first of its kind, Simply Secure certainly has some major partners, including Google, Dropbox, and the Open Technology Fund. Additionally, Simply Secure's leadership has some smart cookies who know a thing or two about software and security. This is definitely a project to watch (and perhaps even join)!
After six years since the last update (2008!), the OWASP Testing Guide has finally been updated! Covering the usual areas such as authorization testing, session management, input validation, etc., the latest guide also includes information on testing HSTS, and also integrates with the OWASP Code Review and Developer guides. For anyone serious about a rigorous, thorough (web) app security testing methodology, the OWASP Testing Guide is certainly a great resource.
The latest in the Gamma Group/FinFisher saga is a pretty big release of FinFisher-related data – including software, internal documents, the entire customer support database, and even a customer list (including the products they purchased, and some support-related correspondence). Suffice to say, it's a pretty big blow to the company and their customers – but it does offer some significant insight into how this sort of commercial, tailored surveillance software really works, and just how expansive that targeted surveillance may be.