Word of the week
“So. Many. Developers.” & “How many developers really care about security?”
According to the Global Developer Population and Demographic Study conducted by Evans Data Corporation, there are over 22 million developers worldwide, and this figure is expected to rise to 26 million in 2022. 300k of them are based in Greater London.
“60% of developers lack confidence in their app security, but don’t take steps to fix it” – that’s 13.2 million developers!!
Those are 2016 figures; the 2018 figures are 5.1 for Europe and 5.9 for the US.
Links HERE and HERE and HERE and HERE and HERE and HERE and study on node.js Devs HERE
Word of the week special
“Security badgering” – thanks to Neil
Or “How To Sell Security Solutions (Without) Using Fear, Uncertainty And Doubt”
Links HERE and HERE and HERE and HERE and HERE and HERE
Bonus
Microsoft faces wrath of developers after GitHub acquisition
Link HERE. What does GitHub say? HERE, and more HERE.
Thanks to Naz
NSA Security posters – thanks to Naz and Arturo
Link HERE
Crypto challenge of the week
-NSA Puzzle Periodical – First or Second?
On a rainy summer day, brothers Dylan and Austin spend the day playing games and competing for prizes as their grandfather watches nearby. After winning two chess matches, three straight hands of poker and five rounds of ping-pong, Austin decides to challenge his brother, Dylan, to a final winner-take-all competition. Dylan clears the kitchen table and Austin grabs an old coffee can of quarters that their dad keeps on the counter.
The game seems simple as explained by Austin. The brothers take turns placing a quarter flatly on the top of the square kitchen table. Whoever is the first one to not find a space on his turn loses. The loser has to give his brother tonight’s dessert. Right before the game begins, Austin arrogantly asks Dylan, “Do you want to go first or second?”
Dylan turns to his grandfather for advice. The grandfather knows that Dylan is tired of losing every game to his brother. What does he whisper to Dylan?
Link HERE
-Hacky Easter 2018 solutions and writeup
Link HERE
Dates
May 25: GDPR Live! Waiting for first incident (and fine)!
June 12 2018: Trump meets Kim (maybe)
June 30: TLS1.1 mandatory for PCI-DSS compliance
Link HERE
Now: TLS1.2 mandatory for proper security
Jun 14: World Cup 2018
July and August – Holidays!!
March 29 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-From Open Security Summit London: Mapping security testing
Link HERE
-DevSecOps Studio Project
DevSecOps Studio is a one-of-its-kind, self-contained DevSecOps environment/distribution to help individuals learn DevSecOps concepts. It takes a lot of effort to set up the environment for training/demos, and more often than not it is error-prone when done manually. DevSecOps Studio is easy to get started with, mostly automatic and battle-tested during our Free Practical DevSecOps Course.
-Security Is Everybody’s Job … Literally. – Tanya Janca
Security Learns to Sprint!
In a DevOps world everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”: automating and/or improving the efficiency of all security activities, speeding up feedback loops for security-related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody’s job.
Link HERE
-How to Secure an Angular Web Application
In this presentation, we will cover all the elements required to build a secure web application with Angular and Node.
We will discuss SSL/TLS, authentication and authorization, cookies vs JSON Web Tokens (JWT) for session management, password hashing, salting and enforcing password policy. Finally, we will look at how this can be implemented in an example Angular/Node application.
Link HERE
-Securing Spring Applications with Hashicorp Vault
The talk, held at Spring I/O 18 on 24th of May 2018, showed how to use Hashicorp Vault to secure Spring applications. Token and AppRole authentication as well as the PKI and database backends were shown.
The companion code is available from https://github.com/jandd/spring-boot-vault-demo
Link HERE
-Oldie, but good: iOS App Security
A brief introduction to hacking iOS applications. This covers:
– Network security.
– Static analysis.
– Runtime analysis and manipulation.
– Decompilation and reverse-engineering.
To get a better understanding of the topic, check out DVIA:
http://damnvulnerableiosapp.com/#learn
Link HERE
-Redis – Persistence, Availability & Security
Link HERE
-Defense-in-Depth Techniques for Modern Web Applications and Google’s Journey with CSP
Link HERE
-How NOT to behave as a security researcher
Link HERE
Incidents
Incidents in the world last week
Other source HERE. Find your country.
Global ALERT level
Incidents detail
Zip Slip
Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here).
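As an added defensive example (not from Snyk or the original post), here is the kind of path check that stops Zip Slip: each entry name is resolved against the destination directory before anything is written, and the whole archive is refused if any entry would land outside it. The destination path and the sample archive are constructed for illustration, and the check itself does not depend on which extraction library is used.

```python
import io
import os
import zipfile


def is_safe_member(name: str, dest_dir: str) -> bool:
    """True only if the archive entry would be written inside dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # os.path.join discards dest_root when name is absolute, and realpath
    # collapses ".." components, so both escape styles resolve outside root.
    target = os.path.realpath(os.path.join(dest_root, name))
    return target == dest_root or target.startswith(dest_root + os.sep)


def find_zip_slip_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the entry names that would land outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(n, dest_dir)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Refuse the whole archive if any entry escapes; otherwise extract it."""
    offenders = find_zip_slip_entries(zip_bytes, dest_dir)
    if offenders:
        raise ValueError(f"refusing to extract, traversal entries: {offenders}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.txt", "harmless")
        zf.writestr("../../evil.txt", "escaped")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical destination directory; only the traversal entry is reported.
    print(find_zip_slip_entries(build_sample_archive(), "/srv/unzip"))
```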
Busted! Founder sells $51m website, hacks it, tries to sell site its own data
What’s worse than Dracula sucking out your lifeblood? Dracula sucking out your lifeblood, bottling it and trying to sell it back to you…
Link HERE
2018 Fraud World Cup
Link HERE
Miscreants hijacked the defunct SpamCannibal blacklist service
The SpamCannibal blacklist service has been hijacked since Wednesday morning; attackers changed the DNS name server settings for the website overnight.
Link HERE
FontCode Technique Can Hide Secret Messages Inside Font Glyphs
Three researchers from Columbia University have created a technique named FontCode that can be used to embed hidden messages inside font glyphs (characters).
The technique takes advantage of how computers work with font glyphs, which, for them, are nothing more than mathematical equations used to draw lines and curves on a screen.
The FontCode technique consists of altering these equations to produce slight perturbations in one or more font characters.
An external observer can scan for these perturbations and decode them into individual letters based on a custom algorithm.
Link HERE
Bug in git opens developer systems up to attack
Link HERE
VPNfilter makes a comeback
Link HERE
Pet trackers open to mitm attacks, interception
Link HERE
12 iOS 12 features Apple didn’t mention at WWDC
Link HERE
Research of the week
-A Methodical Approach to Browser Exploitation
The Exploit Development Lifecycle, From A to Z(ero Day)
Link HERE
-A Practical Overview of Stack Based Buffer Overflow
Teaser:
Link HERE
-Advanced Techniques for DDoS Mitigation and Web Application Defence
Link HERE. IoT-based attacks HERE.
-SecOps Playbook for Cloud Infrastructure
Link HERE
-NIST Seeking Comments on Lightweight Encryption Algorithm Project
NIST has launched an initiative “to solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments where the performance of current NIST cryptographic standards is not acceptable.” Comments on the DRAFT: Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process will be accepted through June 28, 2018.
[Pescatore]
In the early days of web browsers and servers, there was a lot of software implementing crappy “crypto” under the guise of utilizing Secure Sockets Layer. NIST drove FIPS 140-1 in 1994 to standardize how good crypto should be built, and it greatly raised the bar for secure transport. The Internet of Things is causing a repeat of the crappy crypto era – good to see NIST driving this forward.
[Murray]
For many applications and environments, the cryptographic algorithms, “codes and ciphers” that we use, are stronger than we need them to be. While they are computationally intensive, the cost of computation continues to fall. The problems that we have are not so much with the algorithms as with their selection, application, implementation, and operation. Therefore, as relates to IoT, what we really need are not new algorithms but implementations that are easy to use effectively and difficult to get wrong. Note that few IoT developers are using encryption at all and almost none are implementing it from scratch.
Link HERE
Tool of the week
-Reminder: Infer Static Analysis Tool from Facebook (free)
Infer checks for null pointer exceptions, resource leaks, annotation reachability, missing lock guards, and concurrency race conditions in Android and Java code
Link HERE
-Hygieia
An OSS Project Sponsored by Capital One – One Dashboard for the Entire CI/CD Pipeline.
A single, configurable, easy-to-use dashboard to visualize the near real-time status of the entire software delivery pipeline. Key enhancements in v3.0 include an Executive Dashboard, Gamification, and Audit API features.
Link HERE
-Post-quantum Cryptography VPN from Microsoft
Link HERE
-Amazon EKS is generally available, bringing fully-managed Kubernetes to AWS
57 percent of Kubernetes users run Kubernetes on AWS, according to the Cloud Native Computing Foundation
Links HERE and HERE. Secure it with THIS.
Kewl articles
Mobile App Developers Making Old Mistakes
Researchers from Texas A&M University say that mobile app developers are making the same security mistakes that web developers made nearly twenty years ago, locating business logic in client-side code rather than in server-side code. In their paper, “Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities,” the researchers describe a system they have developed that analyzes mobile apps to see if they are vulnerable to HTTP request parameter injection attacks.
[Murray]
The app developer often has more control over the client side than the server side. Also, by definition, in the client-server model, servers are stateless. That is why we have cookies, to store state on the client side.
An Expertly Crafted Crypto Phishing Attempt (and How to Detect it)
Link HERE
Isolated Networks in the Cloud
Network isolation is a vital part of any layered security approach. It’s used by all players, from small businesses to large organizations, in different capacities. More demanding networks require a high level of outbound filtering, to prevent data exfiltration and lessen the impact of breaches.
We chose to test AWS, Google Cloud, and Azure, since they’re some of the most popular providers. They also provide a good amount of networking features for larger organizations wanting to mimic their on-prem infrastructure in the cloud.
Link HERE. Check out SCION, the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communications, HERE. SCION paper HERE.
Serverless Security Scorecard
- Cloud Providers Handle OS & Runtime Security & Patching
- Smaller Microservices = Fine-Grained IAM
- Stateless/Ephemeral == No Long-Term Resident Injections
- More Visibility into App Behavior
- Security Visibility Got Harder
- Many More Points of Attacks, Protocols & Vectors
- Erosion of The Perimeter as We Used to See It
- More Resources = More Permissions to Manage
- Where Do You Deploy Security?
- Attacks and Attackers
- Application Velocity
- Cloud Security Is Mostly AppSec
Link HERE
An encryption upgrade could upend online payments
At the end of June, digital credit card transactions are getting a mandatory encryption upgrade. It’s good news—but not if you have an old device, or depend on a retailer that hasn’t completed the transition.
When data moves from one device to another, it needs protection so it isn’t intercepted and manipulated along the way. This defense is especially crucial, as you might imagine, for sensitive communications like financial transactions. And with credit card fraud booming, the Payment Card Industry Security Standards Council announced last year that it would phase out an old, buggy encryption scheme used for processing digital credit card transactions, called Transport Layer Security 1.0, in favor of more secure options. The deadline: June 30.
Link HERE
UK’s FCA Actively Probing Two Dozen Cryptocurrency Firms
The cryptocurrency industry is undergoing some big changes. For their part, the UK’s Financial Conduct Authority is looking for ways to crack down on illicit activity in the cryptocurrency industry. Cracking down on companies running illegitimate businesses is of the utmost importance.
At present, the FCA is launching no fewer than two dozen investigations involving cryptocurrency firms. Additionally, seven whistle-blower reports were investigated in 2018. All of those reports pertain to Bitcoin and other cryptocurrencies, although the exact nature of the investigations is rather unclear at this time.
Link HERE
Pen Testing in the Era of APIs and Microservices
Software development practices are going through an evolution: large monolithic applications are falling out of favor, being quickly replaced by loosely coupled and modular microservices that are easier to develop, test, and scale. These services may be outwardly exposed as part of a software-as-a-service or other API offering.
Link HERE
And finally, this is how Google will collapse
Reporting from the very near, post-Google future
Google made almost all its money from ads. It was a booming business — until it wasn’t. Here’s how things looked right before the most spectacular crash the technology industry had ever seen
Link HERE
HACKING, TOOLS and FUN – CHECK BELOW!