Word of the week
Unfortunately it has to be “GDPR”. Or Global Defence Posture Realignment? Nah... General Data Protection Regulation.
Free GDPR tools and toolkits HERE and HERE and HERE and HERE, and ICO HERE. Microsoft tool HERE. Good article: GDPR & PageUp Security HERE. Freaking out? HERE
Note: you are required to hand over your private info in order to download some of these tools, ha-ha.
Word of the week special: Link HERE
Bonus: “WARNING. In our butcher’s shop we might ask your name and remember your meat-related preferences. If you are worried about this, please enter the shop while shouting ‘I DO NOT AGREE!’, and we will henceforth pretend we don’t know you.” Link HERE
Crypto challenge of the week
May 2018 Puzzle Periodical – Shall We Play a Game? Computer Tic-Tac-Toe
This month’s NSA Puzzle Periodical pays tribute to the 1983 motion picture “WarGames.” In the movie, a supercomputer is programmed to play Tic-Tac-Toe. The computer plays itself, with each X and O placed uniformly at random into any square (this means the computer plays without regard to strategy). What is the probability a game will end in a draw? Assume perfect random number generation. The first X will be placed in any square with probability 1/9. The first O will go into any of the remaining squares with probability 1/8, and so on. Link HERE
HackyEaster2018 Solutions
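As an added worked example (not part of the NSA puzzle or its published solution), the following enumerates every random-play game exactly, using the move weights the puzzle gives (1/9 for the first X, 1/8 for the first O, and so on), and returns the draw probability as an exact fraction rather than a Monte Carlo estimate.

```python
from fractions import Fraction
from functools import lru_cache

LINES = ((0, 1, 2), (3, 4, 5), (6, 7, 8),    # rows
         (0, 3, 6), (1, 4, 7), (2, 5, 8),    # columns
         (0, 4, 8), (2, 4, 6))               # diagonals
EMPTY = (None,) * 9                          # squares indexed 0..8, row-major

def winner(board):
    """Return 'X' or 'O' if that player holds a full line, else None."""
    for a, b, c in LINES:
        if board[a] is not None and board[a] == board[b] == board[c]:
            return board[a]
    return None

@lru_cache(maxsize=None)
def outcome_distribution(board=EMPTY):
    """Exact (P[X wins], P[O wins], P[draw]) from `board` when every remaining
    move is chosen uniformly at random. Memoised on the position, so the whole
    game tree costs only a few thousand distinct evaluations."""
    won = winner(board)
    if won == "X":
        return (Fraction(1), Fraction(0), Fraction(0))
    if won == "O":
        return (Fraction(0), Fraction(1), Fraction(0))
    empty = [i for i, cell in enumerate(board) if cell is None]
    if not empty:                                   # full board, no line: draw
        return (Fraction(0), Fraction(0), Fraction(1))
    player = "X" if board.count("X") == board.count("O") else "O"
    weight = Fraction(1, len(empty))                # 1/9, then 1/8, ... as in the puzzle
    totals = [Fraction(0)] * 3
    for i in empty:
        child = board[:i] + (player,) + board[i + 1:]
        for k, p in enumerate(outcome_distribution(child)):
            totals[k] += weight * p
    return tuple(totals)

def draw_probability():
    """Probability that a random-play game fills the board with no winner."""
    return outcome_distribution()[2]                # -> Fraction(8, 63), about 12.7%

if __name__ == "__main__":
    for name, p in zip(("X wins", "O wins", "draw"), outcome_distribution()):
        print(f"{name:>6}: {p} = {float(p):.4f}")
```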
Dates
May 25: GDPR enforced (tomorrow!)
May 25: First GDPR related incident
June 12 2018: Trump meets Kim (maybe)
June 30: TLS 1.1 mandatory for PCI-DSS compliance
Now: TLS 1.2 mandatory for proper security
Jun 14: World Cup 2018
July and August – Holidays!!
March 29 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week

## Some OWASP stuff first
- Play by Play: OWASP Top 10 2017, by Troy Hunt and Andrew van der Stock. In this course, you’ll learn the risks that made the 2017 OWASP Top 10 and how best to utilize the OWASP Top 10 in your organisation. Link HERE
- Event next week in London: Beginner’s Guide to Emotional Intelligence + Improving Your Cyber Security Hires – opinions and slides to follow. Link HERE
- Contribute! How do we Stop Spilling the Beans Across Origins? A primer on web attacks via cross-origin information leaks and speculative execution. “While concerns about Spectre are a direct motivation for the mechanisms discussed above, we propose that it is critical to consider the broader problem of cross-origin information leaks and design defenses for this more general class of attacks. This is especially important for any opt-in protections whose value depends on adoption by application developers, for two reasons:
  · Web developers don’t understand Spectre, and they shouldn’t need to in order to protect their applications, but they have long had to deal with other vulnerabilities discussed in this document (CSRF, XSSI). Providing mechanisms which can protect from a larger class of attacks, especially those known to developers, increases their security value and makes it more likely that they will be adopted in real applications.
  · Web developers don’t understand browser process models, but are familiar with the concept of allowing application resources to be loaded only from a small set of origins from which the developer expects requests (for example via CORS, or when handling data sent via postMessage).
  Aligning security mechanisms with the standard web model of policing cross-origin relationships, instead of focusing on ad hoc mitigations tailored to Spectre, may make the protections more understandable and increase the likelihood of their adoption.” Link HERE
- InfoSecurity Europe 2018 in London – FREE event with great keynotes. Link HERE
- PCI Security Standards Council publishes PCI DSS 3.2.1. PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have passed. No new requirements are added in PCI DSS 3.2.1. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019. Link HERE
Incidents
Incidents in the world: Source HERE. Find your country.
Incidents detail
- Many faced threats to Serverless security. Link HERE
- Extracting SSH Private Keys from Windows 10 ssh-agent. Link HERE
- SECOND remote Rowhammer exploit
- Up to 800,000 Draytek routers attacked by new zero-day. Link HERE
- Data of Over 200 Million Japanese Sold on Underground Hacking Forum. Link HERE
- The Verge Hack, Explained: Time Warps, Mining Exploits, Denial of Service, and More! Link HERE
- iOS / Android “Zipper Down” Vulnerability. Link HERE
- PDF exploit built to combine zero-day Windows and Adobe Reader bugs. Link HERE
- Mobile carriers may be selling real-time location data to third-party companies, which may be putting that data in unsafe places. Link HERE
- The University of Greenwich fined £120,000 by the Information Commissioner for a “serious” security breach. Link HERE
- DLL Hijacking via URL files. Link HERE
- AWS Security Flaw which can grant admin access! Link HERE
- More Meltdown and Spectre Issues. Additional variants of the Meltdown/Spectre processor flaws have been detected. Dubbed Variants 3A and 4, the newly detected issues are a rogue system register read and a speculative store bypass. Intel and other companies are releasing microcode updates to address the problem. [Neely] Regression testing is key in this space. As more Meltdown/Spectre fixes are released, make sure to fully test them before deploying to the enterprise, as the impact of the fix is tied to the specific work mix of the systems where the fixes are being deployed. Link HERE
- Examining Spectre and Meltdown attacks, by Synopsys. HERE
- System Management Mode Speculative Execution Attacks. Link HERE
- Securus Hacked. Securus, the company that was recently revealed to be providing cell phone location data to law enforcement, was the target of a data breach last week. The intruder stole a database that includes some passwords for some of Securus’s law enforcement customers. Securus acquires phone location data from service providers. The information is usually sold to marketing companies, but it was recently found that Securus offers a service for law enforcement agencies as well. Last week, US Senator Ron Wyden (D-Oregon) asked the Federal Communications Commission (FCC) to investigate wireless carriers that allow law enforcement unrestricted access to customer location data. Link HERE Link HERE
Research of the week
- The 2018 Hacker Report. We are in the age of the hacker. Hackers are lauded as heroes, discussed daily in the media, villainized at times, and portrayed by Hollywood – anything but ignored. Link HERE
- The Future of JavaScript: 2018 and Beyond
- The State of .NET in 2018. Links HERE and HERE
+ Yarn uses checksums to verify the integrity of every installed package before its code is executed – HERE
Tool of the week
- DIY passive security scanning & verification
1. SSL/TLS deep analysis of public web servers – SSLLabs – HERE
2. Testing TLS/SSL encryption anywhere on any port – testssl.sh – HERE
3. Analyse the HTTP response headers of websites – Securityheaders.com – HERE
4. Utility that uncovers the technologies used on websites – Wappalyzer – HERE
5. Domain security report – Hardenize.com – HERE
6. CIS security benchmarks for Operating systems, Databases etc. – HERE
7. Use the Developer Tools debug section in your browser – HERE
8. Mozilla secure site tool – all-in-one scanner – HERE
9. Scanner to check if an internet-connected device is publicly insecure – HERE
10. Scan for open ports from the outside – HERE
11. See if your server is blacklisted, and other information gathering online tools – HERE
12. Scan for vulnerable JavaScript libraries – Retire.js – HERE
13. Check if your account has been compromised in a data breach – have I been pwned – HERE
14. Check if you can see the real IPs behind Cloudflare WAF – Cloudflair – HERE and HERE and HERE
15. Create, analyze, and edit client HTTP requests / encoding, decoding tool – Acunetix HTTP Editor – HERE
16. Proxy that allows you to analyze HTTP requests and responses, and manually crawl a site structure – Acunetix HTTP Sniffer – HERE
17. Tool that allows one to identify and fingerprint Web Application Firewall (WAF) products – WAFW00F – HERE
18. Tool which allows you to automatically send a large number of HTTP requests including invalid, unexpected and random data to a website, to test input validation and rate-limiting – Acunetix HTTP Fuzzer – HERE
19. Tool that performs numerous checks on a database to evaluate security – DbDat – HERE
20. Security auditing tool for AWS environments – Scout2 – HERE
21. Security auditing tool for Azure environments – Azucar – HERE
22. Simple HS256 JWT token brute force cracker – test your JWT – HERE
23. BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases – HERE
24. OWASP ZAP Passive Scanning – finding vulnerabilities in web applications – HERE and tool HERE
25. Free cross-platform web debugging proxy with user-friendly companion tools – Fiddler – HERE
26. A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification – Anchore – HERE
27. Vulnerability Static Analysis for Containers – Clair – HERE, and Open Source compliance for containers – tern – HERE
28. Google Hacking Database – magic searches with Google – HERE
29. RSA CTF Tool – tool to attack RSA public keys and ciphertexts in common ways – check how strong your encryption is – HERE
30. Analyze suspicious files and URLs to detect types of malware, automatically – Virustotal – HERE
- SleuthQL: A SQL Injection Discovery Tool. Link HERE
- Certificate Transparency is coming, are you ready? “CT is one of those things where once you know what it does you find yourself thinking ‘why hasn’t it always been like that?’. It fixes a problem we’ve had in the PKI ecosystem for some time and in many ways CT is a lot more awesome than you might realise. I have a blog post, Certificate Transparency, an introduction, if you’d like to go into more detail on exactly what CT is, but at a high level it means that you can always be aware of exactly what certificates exist for your domain. Right now there is no way for you to be absolutely sure what certificates exist and that means employees, friends, attackers or your dog could get a certificate for your site and if they didn’t tell you, you would never know. Think about it: if I can bribe or compromise a CA, or even request a certificate outside of the normal company process, without me disclosing that I’ve done that there’s basically no way to know it exists. This is a really dangerous place to be and this is exactly what CT fixes. CT requires that all certificates are logged into public CT Logs so that their existence can never be a secret and never be hidden from the domain owner. The CT Logs will provide something called a Signed Certificate Timestamp which is proof that the certificate has been placed on the log and it’s this proof that the browser will soon want to see or it will reject the certificate.” Link HERE
- Want exploits? Link HERE
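The Signed Certificate Timestamp described in the Certificate Transparency item above has a fixed wire format (RFC 6962), and a domain owner monitoring their own certificates needs to read the log ID and timestamp out of it before they can check it against the logs they watch. The following decoder is an added example, not code from the original post or from any CT log or client; the SCT list it parses is constructed here with a placeholder log ID and a dummy signature, and it assumes the DER OCTET STRING wrapper of the X.509 extension (OID 1.3.6.1.4.1.11129.2.4.2) has already been removed.

```python
import struct
from datetime import datetime, timezone
HASH_ALGS = {4: "sha256"}          # TLS SignatureAndHashAlgorithm code points
SIG_ALGS = {1: "rsa", 3: "ecdsa"}

def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, failing loudly on truncation."""
    if pos + n > len(buf):
        raise ValueError(f"truncated SCT data at offset {pos}")
    return buf[pos:pos + n], pos + n

def _take_vec(buf, pos):
    """Read a 2-byte big-endian length, then that many bytes (opaque <0..2^16-1>)."""
    n, pos = _take(buf, pos, 2)
    return _take(buf, pos, struct.unpack(">H", n)[0])

def parse_sct(raw):
    """Decode one serialized SignedCertificateTimestamp into its fields."""
    version, pos = _take(raw, 0, 1)
    if version[0] != 0:                         # only v1 (0) is defined
        raise ValueError(f"unsupported SCT version {version[0]}")
    log_id, pos = _take(raw, pos, 32)           # SHA-256 of the log's public key
    ts, pos = _take(raw, pos, 8)                # milliseconds since the Unix epoch
    extensions, pos = _take_vec(raw, pos)
    algs, pos = _take(raw, pos, 2)              # hash algorithm, signature algorithm
    signature, pos = _take_vec(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after SCT")
    return {"log_id": log_id.hex(),
            "timestamp": datetime.fromtimestamp(struct.unpack(">Q", ts)[0] / 1000, tz=timezone.utc),
            "extensions": extensions, "signature": signature,
            "hash_alg": HASH_ALGS.get(algs[0], f"unknown({algs[0]})"),
            "sig_alg": SIG_ALGS.get(algs[1], f"unknown({algs[1]})")}

def parse_sct_list(data):
    """Decode a SignedCertificateTimestampList: a length-prefixed vector of SCTs, each with its own 2-byte length."""
    body, pos = _take_vec(data, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, p = [], 0
    while p < len(body):
        item, p = _take_vec(body, p)
        scts.append(parse_sct(item))
    return scts

def build_sample_sct_list():
    """Constructed test vector, not a real log's data: one v1 SCT, placeholder log ID, ECDSA/SHA-256, dummy signature."""
    sct = (b"\x00" + bytes(range(32)) + struct.pack(">Q", 1527120000000)   # 2018-05-24 00:00:00 UTC
           + b"\x00\x00" + b"\x04\x03" + struct.pack(">H", 70) + b"\xab" * 70)
    return struct.pack(">H", len(sct) + 2) + struct.pack(">H", len(sct)) + sct
```

A real deployment would follow the parse by looking the log ID up in the list of logs the browser trusts and verifying the signature with that log's public key; both steps need data that is deliberately not embedded here.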
Kewl articles
- Product Security Framework. Product Security is a superset of application security, infrastructure security, and incident response around a particular product or system. Link HERE. Others HERE and HERE and HERE
- My Favourite Security Folks on Twitter. From Rookie to Pro. “When I first started looking into InfoSec as a career path I did what I usually do when trying to make these types of decisions. I took to twitter to follow folks who were already in the business or those who were new like me but with similar goals. It’s pretty easy to go follow all of the big names but what I find is that I tend to learn more from the women and men down in the trenches and doing this stuff every day. So I wanted to put together a list of some folks you may or may not know who I have learned a lot from in my short time following them. This in no way means that there are not others I have learned from, but a list can only be so long!” Link HERE
- Where does a CISO spend her time? HERE
- So you want to be a web security researcher? · Breaking stuff for a living · Moving beyond known techniques · Iterate, invent, share
- An introduction to cryptography and public key infrastructure. Learn the basic concepts behind cryptography, with a focus on confidentiality, integrity, and authenticity. Link HERE
- How to measure risk with a better OKR (Objective and Key Result). “I’ve become a big fan of the Objective and Key Result (OKR) at companies that take them seriously. I’ll describe an opinionated method that fits within an OKR and measures the reduction (or increase) of a chosen risk. This will inform a team’s decision to reduce or increase engineering efforts to mitigate that risk going forward. This method is similar to how a meteorologist forecasts the weather. For deep dives into OKR’s, you can read this, watch this, or read this. OKR’s are a simple way to express a motivational goal and commit to a short list of measurable outcomes that push a group towards that goal. They sometimes cascade from executive management out to all employees. OKR’s are a common practice among tech companies and many security teams I work with.” Link HERE. Set goals with OKRs HERE
- How to secure the mother of all networks, the Internet? And perfect Operational Security (OPSEC)
- Five Features of Information Security Every Cloud Platform Should Provide: 1: Identity and Access Management (IAM) 2: Networking Security and Host Security 3: Data Security: Encryption and Key Management 4: Application Security and DevSecOps 5: Visibility and Intelligence. Link HERE
- And finally, Mental Models, Dragonfloxes, and How to Think Real Good. “A lot has been said recently about mental models. If you are at all interested in clear thinking and decision-making, the term seems to show up everywhere. The most famous proponent of the concept is Warren Buffett’s business partner, Charlie Munger. He considers mental models the key to ‘elementary worldly wisdom.’ Here he is: ‘I’ve long believed that a certain [decision-making] system — which almost any intelligent person can learn — works way better than the systems that most people use. …what you need is a latticework of mental models in your head. And you hang your actual experience and your vicarious experience (that you get from reading and so forth) on this latticework of powerful models. And, with that system, things gradually get to fit together in a way that enhances cognition.’” Link HERE