Word of the week: Unfortunately it has to be “GDPR”
Note: You are required to hand over your private info in order to download some of these tools, ha-ha :)
Word of the week special
“WARNING. In our butcher’s shop we might ask your name and remember your meat-related preferences.
If you are worried about this, please enter the shop while shouting ‘I DO NOT AGREE!’, and we will henceforth pretend we don’t know you.”
Crypto challenge of the week
May 2018 Puzzle Periodical – Shall We Play a Game? Computer Tic-Tac-Toe
This month’s NSA Puzzle Periodical pays tribute to the 1983 motion picture “WarGames.” In the movie, a supercomputer is programmed to play Tic-Tac-Toe.
The computer plays itself, with each X and O placed uniformly at random into any square (this means the computer plays without regard to strategy). What is the probability a game will end in a draw?
Assume perfect random number generation. The first X will be placed in any square with probability 1/9. The first O will go into any of the remaining squares with probability 1/8, and so on.
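The puzzle's outcome distribution can be computed exactly rather than estimated. The following is an added example, not part of the NSA Puzzle Periodical or of this newsletter: `outcome_probabilities` walks every random game with each empty square chosen with equal probability (1/9, then 1/8, and so on) and returns exact fractions, and `simulate_draw_rate` is a Monte Carlo cross-check; the function names are mine.

```python
from fractions import Fraction
from functools import lru_cache
import random

LINES = ((0, 1, 2), (3, 4, 5), (6, 7, 8),   # rows
         (0, 3, 6), (1, 4, 7), (2, 5, 8),   # columns
         (0, 4, 8), (2, 4, 6))              # diagonals

def winner(board):
    """Return 'X' or 'O' if that player has three in a row, else None."""
    for a, b, c in LINES:
        if board[a] != '.' and board[a] == board[b] == board[c]:
            return board[a]
    return None

@lru_cache(maxsize=None)
def outcome_probabilities(board='.' * 9, player='X'):
    """Exact {'X', 'O', 'draw'} probabilities when every empty square is
    picked uniformly (1/9, then 1/8, ...) and play stops once a line forms."""
    w = winner(board)
    if w is not None:
        return {k: Fraction(int(k == w)) for k in ('X', 'O', 'draw')}
    empties = [i for i, c in enumerate(board) if c == '.']
    if not empties:  # full board, nobody won: a draw
        return {'X': Fraction(0), 'O': Fraction(0), 'draw': Fraction(1)}
    share = Fraction(1, len(empties))
    totals = {'X': Fraction(0), 'O': Fraction(0), 'draw': Fraction(0)}
    for i in empties:
        child = board[:i] + player + board[i + 1:]
        sub = outcome_probabilities(child, 'O' if player == 'X' else 'X')
        for k in totals:
            totals[k] += share * sub[k]
    return totals

def simulate_draw_rate(games=20000, seed=1):
    """Monte Carlo cross-check: fraction of random games that end in a draw."""
    rng = random.Random(seed)
    draws = 0
    for _ in range(games):
        board, player, empties = ['.'] * 9, 'X', list(range(9))
        while empties and winner(board) is None:
            board[empties.pop(rng.randrange(len(empties)))] = player
            player = 'O' if player == 'X' else 'X'
        draws += winner(board) is None
    return draws / games
```

Because a drawn board has no line at all, no prefix of its move sequence can have one either, so every draw is a full nine-move game with probability exactly 1/9!.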
May 25: GDPR enforced (tomorrow!)
May 25: First GDPR related incident
June 12 2018: Trump meets Kim (maybe)
June 30: TLS1.1 mandatory for PCI-DSS compliance
Now: TLS1.2 mandatory for proper security
Jun 14: World Cup 2018
July and August – Holidays!!
March 29 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
## Some OWASP stuff first
-Play by Play: OWASP Top 10 2017
By Troy Hunt and Andrew van der Stock
In this course, you’ll learn the risks that made the 2017 OWASP Top 10 and how best to utilize the OWASP Top 10 in your organisation.
-Event next week in London: Beginner’s Guide to Emotional Intelligence + Improving Your Cyber Security Hires – opinions and slides to follow
-Contribute! How do we Stop Spilling the Beans Across Origins?
A primer on web attacks via cross-origin information leaks and speculative execution.
While concerns about Spectre are a direct motivation for the mechanisms discussed above, we propose that it is critical to consider the broader problem of cross-origin information leaks and design defenses for this more general class of attacks. This is especially important for any opt-in protections whose value depends on adoption by application developers, for two reasons:
- Web developers don’t understand Spectre, and they shouldn’t need to in order to protect their applications, but they have long had to deal with other vulnerabilities discussed in this document (CSRF, XSSI). Providing mechanisms which can protect from a larger class of attacks, especially those known to developers, increases their security value and makes it more likely that they will be adopted in real applications.
- Web developers don’t understand browser process models, but are familiar with the concept of allowing application resources to be loaded only from a small set of origins from which the developer expects requests (for example via CORS, or when handling data sent via postMessage). Aligning security mechanisms with the standard web model of policing cross-origin relationships, instead of focusing on ad hoc mitigations tailored to Spectre, may make the protections more understandable and increase the likelihood of their adoption.
-InfoSecurity Europe 2018 in London – FREE event with great keynotes
-PCI Security Standards Council publishes PCI DSS 3.2.1
PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have passed. No new requirements are added in PCI DSS 3.2.1. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019.
Incidents in the world
Source: HERE. Find your country.
Many faced threats to Serverless security
Extracting SSH Private Keys from Windows 10 ssh-agent
SECOND remote Rowhammer exploit
Up to 800,000 Draytek router attacked by new Zero day
Data of Over 200 Million Japanese Sold on Underground Hacking Forum
The Verge Hack, Explained
Time Warps, Mining Exploits, Denial of Service, and More!
iOS / Android “Zipper Down” Vulnerability
PDF exploit built to combine zero-day Windows and Adobe Reader bugs
Mobile carriers may be selling real-time location data to third-party companies, which may be putting that data in unsafe places
The University of Greenwich fined £120,000 by Information Commissioner for “serious” security breach
DLL Hijacking via URL files
AWS Security Flaw which can grant admin access!
More Meltdown and Spectre Issues
Additional variants of the Meltdown/Spectre processor flaws have been detected. Dubbed Variants 3A and 4, the newly detected issues are a rogue system register read and a speculative store bypass. Intel and other companies are releasing microcode updates to address the problem.
Regression testing is key in this space. As more Meltdown/Spectre fixes are released, make sure to fully test them before deploying to the enterprise, as the impact of the fix is tied to the specific workload mix of the systems where the fixes are being deployed.
System Management Mode Speculative Execution Attacks
Securus, the company that was recently revealed to be providing cell phone location data to law enforcement, was the target of a data breach last week. The intruder stole a database that includes some passwords for some of Securus’s law enforcement customers. Securus acquires phone location data from service providers. The information is usually sold to marketing companies, but it was recently found that Securus offers a service for law enforcement agencies as well. Last week, US Senator Ron Wyden (D-Oregon) asked the Federal Communications Commission (FCC) to investigate wireless carriers that allow law enforcement unrestricted access to customer location data.
Research of the week
-The 2018 Hacker Report
We are in the age of the hacker. Hackers are lauded as heroes, discussed daily in the media, villainized at times, and portrayed by Hollywood – anything but ignored
-The State of .NET in 2018
Tool of the week
-DIY passive security scanning & verification
1. SSL/TLS deep analysis of public web servers – SSLLabs – HERE
2. Testing TLS/SSL encryption anywhere on any port – testssl.sh – HERE
3. Analyse the HTTP response headers of websites – Securityheaders.com – HERE
5. Domain security report – Hardenize.com – HERE
6. CIS security benchmarks for operating systems, databases etc. – HERE
7. Use the Developer Tools debug section in your browser – HERE
8. Mozilla secure site tool – all-in-one scanner – HERE
9. Scanner to check if an internet-connected device is publicly insecure – HERE
10. Scan for open ports from the outside – HERE
11. See if your server is blacklisted, and other information-gathering online tools – HERE
13. Check if your account has been compromised in a data breach – have I been pwned – HERE
15. Create, analyze, and edit client HTTP requests / encoding and decoding tool – Acunetix HTTP Editor – HERE
16. Proxy that allows you to analyze HTTP requests and responses, and manually crawl a site structure – Acunetix HTTP Sniffer – HERE
17. Tool that allows one to identify and fingerprint a Web Application Firewall (WAF) – WAFW00F – HERE
18. Tool which allows you to automatically send a large number of HTTP requests including invalid, unexpected and random data to a website, to test input validation and rate limiting – Acunetix HTTP Fuzzer – HERE
19. Tool that performs numerous checks on a database to evaluate security – DbDat – HERE
20. Security auditing tool for AWS environments – Scout2 – HERE
21. Security auditing tool for Azure environments – Azucar – HERE
22. Simple HS256 JWT token brute-force cracker – test your JWT – HERE
23. BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases – HERE
25. Free cross-platform web debugging proxy with user-friendly companion tools – Fiddler – HERE
26. A service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification – Anchore – HERE
28. Google Hacking Database – magic searches with Google – HERE
29. RSA CTF Tool – tool to attack RSA public keys and ciphertexts in common ways – check how strong your encryption is – HERE
30. Analyze suspicious files and URLs to detect types of malware, automatically – VirusTotal – HERE
-SleuthQL: A SQL Injection Discovery Tool
-Certificate Transparency is coming, are you ready?
CT is one of those things where once you know what it does you find yourself thinking ‘why hasn’t it always been like that?’. It fixes a problem we’ve had in the PKI ecosystem for some time and in many ways CT is a lot more awesome than you might realise. I have a blog post, Certificate Transparency, an introduction, if you’d like to go into more detail on exactly what CT is, but at a high level it means that you can always be aware of exactly what certificates exist for your domain. Right now there is no way for you to be absolutely sure what certificates exist and that means employees, friends, attackers or your dog could get a certificate for your site and if they didn’t tell you, you would never know. Think about it: if I can bribe or compromise a CA, or even request a certificate outside of the normal company process, without me disclosing that I’ve done that there’s basically no way to know it exists. This is a really dangerous place to be and this is exactly what CT fixes. CT requires that all certificates are logged into public CT Logs so that their existence can never be a secret and never be hidden from the domain owner. The CT Logs will provide something called a Signed Certificate Timestamp which is proof that the certificate has been placed on the log and it’s this proof that the browser will soon want to see or it will reject the certificate.
Product Security Framework
Product Security is a superset of application security, infrastructure security, and incident response around a particular product or system
My Favourite Security Folks on Twitter. From Rookie to Pro
When I first started looking into InfoSec as a career path I did what I usually do when trying to make these types of decisions. I took to twitter to follow folks who were already in the business or those who were new like me but with similar goals.
It’s pretty easy to go follow all of the big names but what I find is that I tend to learn more from the women and men down in the trenches and doing this stuff every day. So I wanted to put together a list of some folks you may or may not know who I have learned a lot from in my short time following them. This is in no way meaning that there are not others I have learned from but a list can only be so long!
So you want to be a web security researcher?
- Breaking stuff for a living
- Moving beyond known techniques
- Iterate, invent, share
An introduction to cryptography and public key infrastructure
Learn the basic concepts behind cryptography, with a focus on confidentiality, integrity, and authenticity
How to measure risk with a better OKR Objective and Key Result
I’ve become a big fan of the Objective and Key Result (OKR) at companies that take them seriously. I’ll describe an opinionated method that fits within an OKR and measures the reduction (or increase) of a chosen risk. This will inform a team’s decision to reduce or increase engineering efforts to mitigate that risk going forward.
This method is similar to how a meteorologist forecasts the weather.
OKRs are a simple way to express a motivational goal and commit to a short list of measurable outcomes that push a group towards that goal. They sometimes cascade from executive management out to all employees. OKRs are a common practice among tech companies and many security teams I work with.
How to secure the mother of all networks, the Internet? And perfect Operational Security (OPSEC)
Five Features of Information Security Every Cloud Platform Should Provide
1: Identity and Access Management (IAM)
2: Networking Security and Host Security
3: Data Security: Encryption and Key Management
4: Application Security and DevSecOps
5: Visibility and Intelligence
And finally, Mental Models, Dragonfloxes, and How to Think Real Good
A lot has been said recently about mental models. If you are at all interested in clear thinking and decision-making, the term seems to show up everywhere.
The most famous proponent of the concept is Warren Buffett’s business partner, Charlie Munger. He considers mental models the key to ‘elementary worldly wisdom.’
Here he is:
“I’ve long believed that a certain [decision-making] system — which almost any intelligent person can learn — works way better than the systems that most people use. …what you need is a latticework of mental models in your head. And you hang your actual experience and your vicarious experience (that you get from reading and so forth) on this latticework of powerful models. And, with that system, things gradually get to fit together in a way that enhances cognition.”