Word of the week “Logsponsibility!” thanks to Mike for the new word
NIST on log management HERE
Word of the week special
“’Happy Birthday’ song violation”
Fourteen girls aged between 5 and 6 have been detained by police after revealing, publicly, the name of the girl whose birthday party they were attending, whilst singing Happy Birthday to her in the café of the celebrated dinosaur attraction, Tamba Park.
Quick-thinking members of the public alerted police when the children, who cannot be named for legal reasons, blurted out the girl’s name, having made no attempt to first acquire in writing her consent for them to do so.
ALL CREDIT CARD PIN CODES IN THE WORLD LEAKED HERE
Crypto challenge of the week
Can you crack the NCSC’s regex crossword?
Can you crack our cryptic crossword? Instead of a word or phrase, each clue is a regular expression (or a ‘regex’). To complete the puzzle, find the letter matching both the horizontal and vertical regex for each square.
May 25: GDPR Live! Waiting for big incidents!
June 12 2018: Trump meets Kim (maybe)
June 30: TLS1.1 mandatory for PCI-DSS compliance
Now: TLS1.2 mandatory for proper security
Jun 14: World Cup 2018
July and August – Holidays!!
March 29 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
## Some OWASP stuff first
-OWASP Top 10 new icons!
-Loco Moco Security Conference Hawaii – videos
Allison Miller: Building Better Defenses: Engineering for the Human Factor HERE
John Melton: Starting an AppSec Program: An Honest Retrospective HERE
Alvaro Muñoz: .NET Serialization: Detecting and defending vulnerable endpoints HERE
Scott Helme: Revocation is broken, here’s how we’re fixing it HERE
Jeremy Long: The (Application) Patching Manifesto HERE
-LangSec 2018 slides – thanks to Renato
-Google CTF 2018
Google CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!
Date and time: 00:00:01 UTC on June 23rd and 24th, 2018
-Don’t forget: InfoSecurity Europe 2018 in London – FREE event with great keynotes
Incidents in the world last week
Other source HERE. Find your country.
Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system
Internet policy wonks scramble over GDPR
Small merchants are not effectively engaging with PCI programs
The Twitter account for the Dutch bank ABN AMRO (abnamro.nl) has reported that their website was under a DDoS attack earlier on 24 May.
Misconfigured CalAmp Server Enabled Vehicle Takeover
For our French readers: French cybercrime gang boss caught in Thailand
Suspect allegedly obtained customer details at a British bank and threatened to leak the information unless he was paid.
More Data Leaked from AWS Bucket Misconfigurations
New VPNFilter malware targets at least 500K networking devices worldwide
You probably heard the advice given earlier this week to reset your router due to some malware referred to as “VPNFilter” infecting a large number of routers. I do not want to second guess this advice, but instead, outline a couple of issues with “resetting” a router.
First of all: Pretty much all router malware (Mirai variants, TheMoon and various Linux Perl/bash scripts affecting routers) will not survive a simple power cycle of the router. However, the vulnerability that allowed access to the malware will. Secondly, some configuration changes may survive, in particular changes to DNS settings, which are often made without actual malware, by using CSRF vulnerabilities in the router’s web-based admin interface.
My main problem with having thousands of users reset their routers to factory default settings is that they inadvertently may reset it to use a simple default password.
Oracle Plans to Drop Java Serialization Support, the Source of Most Security Bugs
Reinhold: Serialization was a “horrible mistake”
Oracle plans to end support for Java serialization, which has been the source of many security issues. Oracle’s Java platform group chief architect Mark Reinhold said that adding serialization to Java in 1997 was a “horrible mistake.” Oracle has not set a date for ending serialization support.
One remembers the security claims that were made for Java (also Chrome) when it was released. As with many other products, security is sacrificed to “features.” The claims are washed away by the endless chain of announcements of security vulnerabilities and patches. Patching has become a necessary and routine part of doing business.
This move is likely to result in worse security. Serialization support is not unique to Java – most object-oriented languages support it. While many Java developers implement serialization in an unsafe manner, the problem is the use of the feature, not the feature itself. Many applications we pentest today use serialization in a relatively safe manner and will require major refactoring to remove the feature. Rather than refactoring the applications, many organizations will simply opt to execute existing code on legacy Java versions, making everyone less secure.
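The unsafe use of the feature and the relatively safe use that the comment above contrasts, side by side, as an added example that is not from the page, Oracle or any cited source. The Greeting class, the allowlist and the sample streams are constructed; the filter API is Java’s own java.io.ObjectInputFilter (JEP 290, Java 9+).

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Set;

public final class SerializationFilterDemo {
    // Constructed message type the application legitimately exchanges.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allowlist: the only classes a valid Greeting stream may contain.
    private static final Set<Class<?>> ALLOWED = Set.of(Greeting.class, String.class);

    // Unsafe pattern: readObject() instantiates whatever class the untrusted
    // stream names; the cast to the expected type happens only afterwards.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an ObjectInputFilter vets every class before it is
    // resolved and caps the nesting depth of the object graph being read.
    static Greeting safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(info -> {
                if (info.depth() > 4) return ObjectInputFilter.Status.REJECTED;
                Class<?> c = info.serialClass();
                if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit-only checks
                Class<?> base = c.isArray() ? c.getComponentType() : c;
                return base.isPrimitive() || ALLOWED.contains(base)
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return (Greeting) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new ArrayList<>()); // stands in for any class off the allowlist
        System.out.println("safeRead(good): " + safeRead(good).text);
        unsafeRead(unexpected); // succeeds: the ArrayList is fully built before any cast could fail
        try { safeRead(unexpected); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same filter can be installed process-wide with the jdk.serialFilter system property, which is the usual route for legacy code that cannot be refactored.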
Most SAP systems vulnerable to critical security configuration risk
Malware Distributed via .slk Files
Attackers are always trying to find new ways to infect computers by fooling not only potential victims but also security controls like anti-virus products. Do you know what SYLK files are? SYmbolic LinK files (they use the .slk extension) are Microsoft files used to exchange data between applications, specifically spreadsheets.
BackSwap malware finds innovative ways to empty bank accounts
Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)
As part of an engagement for one of our clients, we analysed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash (--) in the registry entry are affected.
Data encryption Trojan that supports standard encryption algorithms like AES and RSA
Side-channel attacking browsers through CSS3 features
With the staggering amount of features that were introduced through HTML5 and CSS3 the attack surface of browsers grew accordingly. Consequently, it is no surprise that interactions between such features can cause unexpected behavior impacting the security of their users. In this article, we describe such a practical attack and the research behind it.
· We (co-)discovered a side-channel vulnerability in browser implementations of the CSS3 feature “mix-blend-mode” which allowed visual content to be leaked from cross-origin iframes.
· We demonstrate the impact of this vulnerability by showing how visiting a malicious site was enough to de-anonymize Facebook users. In particular, exploitation allowed the profile picture, username and likes of unsuspecting visitors to be leaked, all while requiring no additional user interaction.
· This vulnerability affected major browsers like Chrome and Firefox and was disclosed responsibly.
General Data Protection Regulation (GDPR) Phishing Email
Research of the week
-A Deep Dive on AWS CloudFormation Custom Resources
Learn How to Implement Serverless Authentication The Custom Way!
We will describe a basic yet complete authentication system using Auth0. I find Auth0 to be a very flexible and easy-to-use authentication service. Let’s dive deeper.
We will describe a microservice using an AWS CloudFormation template. Throughout the building process, I will emphasize some best practices I have learnt over extensive use of custom resources.
-The Importance of Encrypted Platforms – Iagon
IAGON is an Open Source platform for harnessing the storage capacities and processing power of multiple computers over a decentralized Blockchain grid. IAGON enables users to store big data files and repositories, as well as smaller files, and to carry out complex computational processes, such as those needed for artificial intelligence and machine learning operations, within a fully secure and encrypted platform that integrates blockchain, cryptographic and AI technologies in a user-friendly way.
-2018 Open Source Security and Risk Analysis
-Experimental Security Assessment of BMW Cars: A Summary Report
-Low level PC/server attack papers collection by Xeno Kovah
-The detection of faked identity using unexpected questions and mouse dynamics
The detection of faked identities is a major problem in security. Current memory-detection techniques cannot be used as they require prior knowledge of the respondent’s true identity. Here, we report a novel technique for detecting faked identities based on the use of unexpected questions that may be used to check the respondent’s identity without any prior autobiographical information. While truth-tellers respond automatically to unexpected questions, liars have to “build” and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors. Responses to unexpected questions are compared to responses to expected and control questions (i.e., questions to which a liar also must respond truthfully). Parameters that encode mouse movement were analyzed using machine learning classifiers and the results indicate that the mouse trajectories and errors on unexpected questions efficiently distinguish liars from truth-tellers. Furthermore, we showed that liars may also be identified when they are responding truthfully. Unexpected questions combined with the analysis of mouse movement may efficiently spot participants with faked identities without the need for any prior information on the examinee.
-For the security advanced: SOC Value Chain & Delivery Models
-For the security initiated: BUG BOUNTY HUNTING (METHODOLOGY, TOOLKIT, TIPS & TRICKS, Blogs)
Tool of the week
-AWS security tools
1. prowler – Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark (https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
6. Aardvark – Aardvark is a multi-account AWS IAM Access Advisor API
7. Repokid – AWS Least Privilege for Distributed, High-Velocity Deployment
10. Bucket finder – This is a fairly simple tool to run: all it requires is a wordlist, and it will go off and check each word to see if that bucket name exists in Amazon’s S3 system. Any that it finds it will check to see if the bucket is public, private or a redirect.
Public buckets are checked for directory indexing being enabled; if it is, then all files listed will be checked using HEAD to see if they are public or private. Redirects are followed and the final destination checked. All this is reported on so you can later go through and analyse what has been found.
-Prowler – Distributed Network Vulnerability Scanner
-Pornhub launches VPNhub – a free and unlimited VPN service
-Kali Linux 2018.2 Release
Everything you need to know about getting application security buy-in
Penetration Testing Requirements for GDPR
What the Information Commissioners Office has said about Penetration Testing and GDPR
Article 32 of GDPR is the section that covers security testing and it simply says this:
“a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”
Well, that’s as clear as mud then, isn’t it! But don’t worry, there is some further guidance:
Nigel Houlden, head of technology policy at the Information Commissioners Office (ICO), said: “There may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”
He added: “We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act (DPA) is serious enough to warrant a civil monetary penalty.”
The critical hole at the heart of our cell phone networks
In February 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.
The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.
The Security Token Thesis
The security token movement has substantial momentum at this point. The hype around blockchain will add fuel to this momentum, but realization of real benefits will sustain it in the longer term.
The features listed below form the foundation of the thesis that security tokens will see widespread adoption across numerous asset classes in the coming years.
· 24/7 markets
· Fractional ownership
· Rapid settlement
· Reduction in direct costs
· Increased liquidity and market depth
· Automated compliance
· Asset interoperability
· Expansion of the design space for security contracts
Most dangerous attack techniques, and what’s coming next
The five threats outlined are:
1. Repositories and cloud storage data leakage
2. Big Data analytics, de-anonymization, and correlation
3. Attackers monetize compromised systems using crypto coin miners
4. Recognition of hardware flaws
5. More malware and attacks disrupting ICS and utilities instead of seeking profit
Only half of CI/CD workflows include appsec testing elements
Only half of CI/CD workflows include application security testing elements despite respondents citing awareness of the importance and advantages of doing so…
What are the most critical application security testing elements to add to CI/CD workflows?
20 years on, L0pht hackers return to D.C. with dire warnings
In May 1998, seven members of the L0pht hacker collective spoke before Congress, telling them “any of the seven individuals seated before you” could take down the Internet in 30 minutes. Twenty years later, four members of that group gathered to speak on a panel hosted by the Congressional Internet Caucus. They said that while technology has changed significantly over the past two decades, many of the underlying security concerns remain. Chris Wysopal noted that “We keep building new things on old infrastructure that never seems to get fixed.”
Why product strategy matters
Code in haste, count the waste.
Imagine a world where everything you ever do or say is watched and rated by invisible eyes.
· Who do you talk to?
· What did you buy?
· Do you brush your teeth?
· Did you forget to floss?
· Do you watch too much TV or play video games or talk on the phone?
· Do you own a gun?
· Do you recycle?
· Are your political opinions in line with the people in power?
· Did you pay your water bill or taxes on time?
Now imagine if all the things you ever did wrong followed you around like a big, bright red scarlet letter.