Word of the week “#2GOOD2BTRUE”
BEWARE OF THE CRIMINALS OUT TO RUIN YOUR HOLIDAYS
Escape to the sun this summer, but first get our free last-minute advice on holiday and ticket fraud
Word of the week special “complexity is the worst enemy of security”
“Past Jeopardy” – thanks to Rob
A Jeopardy! champion and former Adrian College professor who hacked college email accounts pleaded guilty to unauthorized access to a computer, program or network, punishable by a maximum of five years in prison and a large fine
Crypto challenge of the week
-Create a Dice Roller
I love playing D&D with my friends, and my favourite part is creating character sheets (my DM is notorious for killing us all off by level 3 or so). One major part of making character sheets is rolling the character’s stats. Sadly, I have lost all my dice, so I’m asking for your help to make a dice roller for me to use!
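A dice roller for the challenge, as an added example that is not part of the challenge or any official solution. It reads standard tabletop notation and draws from the operating system's CSPRNG through `secrets.randbelow`, which is the right choice whenever a roll must be unguessable (for instance when the "dice" decide something a remote player could otherwise predict). The NdS[khK][+/-M] grammar and the stat-block helper are this example's own assumptions about what the challenge wants:

```python
"""Dice roller for tabletop notation such as '3d6', '4d6kh3' or '1d20+5'.

Added example for the challenge above, not part of the original page.
Rolls come from the OS CSPRNG via `secrets.randbelow`, not `random`,
so a player who has seen earlier results cannot predict later ones.
The grammar NdS[khK][+/-M] (N dice of S sides, optionally keep the K
highest, optionally add a modifier) is this example's own assumption
about what the challenge expects.
"""
import re
import secrets
from dataclasses import dataclass

# NdS, optional 'kh<K>' (keep highest K), optional signed modifier.
_DICE_RE = re.compile(
    r"^(?P<n>\d*)d(?P<sides>\d+)(?:kh(?P<keep>\d+))?(?P<mod>[+-]\d+)?$", re.I
)


@dataclass
class Roll:
    expr: str
    rolls: list        # every die as rolled
    kept: list         # the dice that count, highest first
    modifier: int

    @property
    def total(self) -> int:
        return sum(self.kept) + self.modifier


def parse(expr: str):
    """Return (n, sides, keep, modifier) or raise ValueError."""
    m = _DICE_RE.match(expr.replace(" ", ""))
    if not m:
        raise ValueError(f"bad dice expression: {expr!r}")
    n = int(m.group("n") or 1)           # 'd20' means '1d20'
    sides = int(m.group("sides"))
    keep = int(m.group("keep")) if m.group("keep") else n
    mod = int(m.group("mod") or 0)
    # Bound the work and reject impossible keeps before any rolling.
    if not (1 <= n <= 1000 and sides >= 2 and 1 <= keep <= n):
        raise ValueError(f"out-of-range dice expression: {expr!r}")
    return n, sides, keep, mod


def roll(expr: str, rng=secrets.randbelow) -> Roll:
    """Roll `expr`. `rng(k)` must return a uniform int in [0, k); it is a
    parameter so tests can inject a fixed sequence instead of the CSPRNG."""
    n, sides, keep, mod = parse(expr)
    rolls = [rng(sides) + 1 for _ in range(n)]     # randbelow(k) is unbiased
    kept = sorted(rolls, reverse=True)[:keep]
    return Roll(expr, rolls, kept, mod)


def roll_stats(rng=secrets.randbelow) -> list:
    """A six-score stat block, each score 4d6 drop the lowest."""
    return [roll("4d6kh3", rng).total for _ in range(6)]


if __name__ == "__main__":
    r = roll("4d6kh3")
    print(f"{r.expr}: rolled {r.rolls}, kept {r.kept}, total {r.total}")
    print("stat block:", roll_stats())
```

The generator is injectable on purpose: the fairness of the roller is in `secrets`, and everything else (parsing, keep-highest, bounds) can be tested with a fixed sequence.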
May 25: GDPR Live! See incidents section below
June 30: PCI DSS deadline to drop SSL and early TLS; TLS 1.1 or higher required for compliance
Now: TLS 1.2 mandatory for proper security
Jun 14: World Cup 2018 ongoing and Russia seems a safe place (!)
July and August – Holidays!!
March 29 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
##Some OWASP stuff first
-OWASP Dependency Track 3.1.1
Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components
-What does it take to be a cyber-security professional?
-We need to talk application security
-Ep. #17, Security Research with The Morning Paper’s Adrian Colyer
Thou Shalt Not Depend On Me – dependencies
-OWASP Bristol meetup presentation – Red Team
-BSides London 2018 presentations
[Keynote] State of The Net – Mikko Hypponen
Travel with Underground Services: ecosystem exposed – Vladimir Kropotov
The Insider – Users – Neil Lines
Hacking the Drones – Aatif Khan
BotProbe – botnet traffic capture using IPFIX – Mark Graham
How I break into Casinos, Airports and CNI: The Basics of Social Engineering – Chris Pritchard
How to take over a production system in the cloud – Paul Schwarzenberger
Solving Threat Detection – Alex Davies
Random Problems in IoT – Mark Carney
-Don’t forget about
Conference Preview HERE
Incidents in the world last week
Other source HERE. Find your country
Yet another cryptocurrency exchange is attacked
On Saturday, 9 June, Coinrail, a South Korean cryptocurrency exchange, announced that they had been the victim of a data breach, leading to the loss of an estimated $40 million in altcoins.
The ongoing costs of a ransomware attack
We have previously reported on the SamSam ransomware attack on the City of Atlanta (initial report and a follow-up report on the costs of recovery). Recent media reporting has revealed that video files containing police dashcam footage were encrypted during the attack and cannot be recovered
Prowli botnet infects over 40,000 networked devices
Over recent months, Guardicore researchers have identified a cyber crime group they have called “Prowli”, who have been conducting a wide-ranging campaign using an array of techniques to infect more than 40,000 machines at 9,000 companies globally
Global ALERT level
Google Developer Discovers a Critical Bug in Modern Web Browsers
‘Wallchart’ Phishing Campaign Exploits World Cup Watchers
The details on a phishing attack designed to lure soccer fans with a subject line about the World Cup schedule and scoresheet
Processors should practice SafeSpec to overcome Spectre/Meltdown problems
Scientists have devised a way to defeat the Meltdown and Spectre security vulnerabilities caused by speculative execution in modern processors
The US Department of Homeland Security’s (DHS’s) US-CERT has issued a malware analysis report regarding a Trojan horse program known as Typeframe, which is believed to have been developed by a North Korean hacking group.
Unlike many malware samples that start their own svchost.exe and hollow it out, this malware registers a new service that runs inside an existing svchost.exe service group, which highlights the importance of software and service inventories in discovering malware. Interestingly, most of the malware was compiled with Visual C++ 6.0, released in 1998. Little software today is actively developed on that platform, but malware authors like it because every modern version of Windows already ships the runtime for it, whereas binaries built with newer compilers may require a separate C++ runtime to be installed before they execute. The exception is the x64 modules, which were compiled with Visual C++ 8.0, probably because 6.0 does not support x64 targets
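The point about inventories can be turned into a check. The following is an added example, not part of the US-CERT report or its indicators: a service can only run inside a shared svchost.exe group if its name is listed under that group in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, so diffing that key against a baseline and checking each member's ImagePath and ServiceDll exposes a newcomer. The registry snapshots are constructed dictionaries, and the service name FakeUpdSvc and its DLL path are hypothetical:

```python
r"""Finding a service smuggled into an existing svchost group (added example).

Not from the US-CERT report. On Windows a service runs inside a shared
svchost.exe only if (a) its name is listed in the REG_MULTI_SZ for that
group under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and
(b) its own key under HKLM\SYSTEM\CurrentControlSet\Services\<name> has an
ImagePath of svchost.exe -k <group> and a Parameters\ServiceDll. Malware
that joins a group therefore leaves a new name in (a) and an odd DLL path
in (b). The snapshots below are constructed dicts standing in for registry
reads (winreg on a live host, or an exported SOFTWARE/SYSTEM hive); the
service name FakeUpdSvc and its path are hypothetical.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _expand(path: str) -> str:
    """Lower-case, expand %SystemRoot% and drop surrounding quotes."""
    return path.lower().replace("%systemroot%", "c:\\windows").strip('"')


def svchost_group_of(image_path: str):
    """Return the lower-cased -k group if ImagePath launches svchost.exe, else None."""
    parts = _expand(image_path).split()
    if not parts or ntpath.basename(parts[0]) != "svchost.exe":
        return None
    for i, tok in enumerate(parts):
        if tok == "-k" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def find_svchost_anomalies(groups: dict, services: dict, baseline_groups: dict) -> list:
    """groups / baseline_groups: {group: [service names]} from the Svchost key.
    services: {name: {"ImagePath": str, "ServiceDll": str}} from Services\\<name>."""
    findings = []
    for group, members in groups.items():
        for name in members:
            reasons = []
            if name not in baseline_groups.get(group, []):
                reasons.append(f"not in baseline for group {group}")
            svc = services.get(name, {})
            if (svchost_group_of(svc.get("ImagePath", "")) or "") != group.lower():
                reasons.append("ImagePath does not launch svchost.exe -k " + group)
            dll = _expand(svc.get("ServiceDll", ""))
            if not dll.startswith(SYSTEM_DIRS):
                reasons.append(f"ServiceDll outside system directories: {dll or '(missing)'}")
            if reasons:
                findings.append({"service": name, "group": group, "reasons": reasons})
    return findings


# Constructed snapshots. The baseline is what the same host looked like before.
BASELINE = {"netsvcs": ["Schedule", "Themes", "wuauserv"]}
GROUPS_NOW = {"netsvcs": ["Schedule", "Themes", "wuauserv", "FakeUpdSvc"]}
SERVICES_NOW = {
    "Schedule": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\schedsvc.dll"},
    "Themes": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
               "ServiceDll": r"%SystemRoot%\System32\themeservice.dll"},
    "wuauserv": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\wuaueng.dll"},
    # hypothetical intruder: right group, right launcher, DLL in ProgramData
    "FakeUpdSvc": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                   "ServiceDll": r"C:\ProgramData\updsvc\upd.dll"},
}

if __name__ == "__main__":
    for f in find_svchost_anomalies(GROUPS_NOW, SERVICES_NOW, BASELINE):
        print(f["service"], "in", f["group"], "->", "; ".join(f["reasons"]))
```

The baseline is the important input: group membership differs between Windows versions, so compare a host against its own earlier snapshot or a golden image of the same build rather than a generic list.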
Setting arbitrary request headers in Chromium via CRLF injection
Sonic and ultrasonic attacks damage hard drives and crash OSes
Sounds played over off-the-shelf or embedded speakers can disrupt the drives and crash the OS, often requiring a reboot
Subverting your server through its BMC: the HPE iLO4 case
iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides the features a system administrator needs to manage a server remotely without having to reach it physically. iLO4 (known to be used on the HP ProLiant Gen8 and ProLiant Gen9 server families) runs on a dedicated ARM microprocessor embedded in the server, totally independent from the main processor. We performed an initial deep-dive security study of HP iLO4 and covered the following topics:
– Firmware unpacking and memory layout
– Embedded OS internals
– Vulnerability discovery and exploitation
– Full compromise of the host server operating system through DMA
One of the main outcomes of our study was the discovery of a critical vulnerability in the web server component allowing an authentication bypass and also remote code execution. Still, one question remains open: are the iLO systems resilient against a long-term compromise at firmware level? For this reason, we focus on the update mechanism and on how a motivated attacker can achieve long-term persistence on the system
Popular Flight Tracker Flightradar24 Suffers Data Breach
Email Phishers Using A Simple Way to Bypass MS Office 365 Protection
Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero within the actual content of a phishing email, keeping its visual appearance the same for the reader while making it look non-malicious to email security scanners
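To see why the trick works, here is an added example (not code from the article) that extracts text from an HTML mail body two ways: the way a naive scanner does, taking every text node, and the way a mail client renders it, dropping runs styled with a zero font size. The message body is constructed for illustration:

```python
"""ZeroFont triage: compare what a scanner reads with what a reader sees.

Added example, not code from the article. A naive filter concatenates
every text node, so hidden runs styled `font-size: 0` break up the words
it would otherwise match ("Office 365", "password"). A mail client drops
those runs. Extracting both views and diffing them exposes the trick.
The sample message below is constructed for illustration.
"""
import re
from html.parser import HTMLParser

# font-size: 0 in any unit (0, 0px, 0pt, 0em, 0.0px ...), but not 0.5px or 10px.
_ZERO_FONT = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$|!important)", re.I
)


def _is_zero_font(attrs) -> bool:
    return bool(_ZERO_FONT.search(dict(attrs).get("style") or ""))


class _TextExtractor(HTMLParser):
    """Collect text nodes; optionally skip anything inside a zero-font element."""

    def __init__(self, honour_zero_font: bool):
        super().__init__(convert_charrefs=True)
        self.honour = honour_zero_font
        self._open = []        # (tag, started_a_hidden_run) for open elements
        self._hidden = 0       # how many enclosing elements are zero-font
        self._parts = []

    def handle_starttag(self, tag, attrs):
        hidden = self.honour and _is_zero_font(attrs)
        self._open.append((tag, hidden))
        self._hidden += hidden

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating sloppy HTML.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                for _, hidden in self._open[i:]:
                    self._hidden -= hidden
                del self._open[i:]
                break

    def handle_data(self, data):
        if self._hidden == 0:
            self._parts.append(data)

    def text(self) -> str:
        return re.sub(r"\s+", " ", "".join(self._parts)).strip()


def _extract(html: str, honour_zero_font: bool) -> str:
    p = _TextExtractor(honour_zero_font)
    p.feed(html)
    p.close()
    return p.text()


def visible_text(html: str) -> str:
    """Text as rendered: zero-font runs removed."""
    return _extract(html, honour_zero_font=True)


def raw_text(html: str) -> str:
    """Text as a naive scanner sees it: every text node, hidden or not."""
    return _extract(html, honour_zero_font=False)


def zerofont_findings(html: str, keywords=("office 365", "password", "verify your account")) -> dict:
    """Report whether hidden text exists and which keywords it splits."""
    vis, raw = visible_text(html).lower(), raw_text(html).lower()
    return {
        "hidden_text_present": vis != raw,
        "keywords_hidden_from_scanner": [k for k in keywords if k in vis and k not in raw],
    }


# Constructed sample: the reader sees a normal Office 365 lure, a keyword
# scanner sees "OffZQ9ice 365" and "passxword".
SAMPLE_MAIL = """<html><body>
<p>Dear user, your Off<span style="font-size:0px">ZQ9</span>ice 365 mailbox is
almost full. Please <a href="http://example.invalid/login">verify your
pass<span style="font-size: 0">x</span>word</a> within 24 hours.</p>
</body></html>"""

if __name__ == "__main__":
    print("reader sees :", visible_text(SAMPLE_MAIL))
    print("scanner sees:", raw_text(SAMPLE_MAIL))
    print(zerofont_findings(SAMPLE_MAIL))
```

The lesson for a filter is to score the rendered text, or at least treat any zero-font run as a strong signal on its own; inline `style` is only one way to hide text, so a production check would also look at stylesheet rules and at `display:none` or off-screen positioning.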
Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives
GnuPG Flaw in Encryption Tools Lets Attackers Spoof Anyone’s Signature
Fake GOV.UK “HMRC Payment error” delivers Trickbot
17 Backdoored Docker Images Removed From Docker Hub
Research of the week
A Review of 21,000 Cloud Environments
Securing workloads in public clouds requires a different approach from the one used for traditional data centers. Operating security at cloud speed, responding to continuous change, adapting at scale and working under a new operating model all call for a different kind of security solution. In a world where APIs drive the infrastructure and create ephemeral workloads, organizations gain control over their cloud security posture through real-time visibility, anomaly detection, and a deep understanding of the behaviour of users, resources, and connections
-Hashing in Action: Understanding bcrypt
The bcrypt hashing function lets us build a password storage scheme whose cost factor scales with available computing power and which always hashes every password with a salt
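As an added example (not from the article): bcrypt's output string carries the variant, the cost and the salt alongside the digest, so a login handler can parse what is stored, decide whether it still meets policy, and rehash with a higher cost while it has the plaintext in hand. The stored hash below is a sample string in the right format and is not tied to any real account; the 72-byte input limit the code warns about is bcrypt's own:

```python
"""Reading bcrypt strings and enforcing a cost policy (added example).

Not code from the article. bcrypt's output carries everything needed to
verify it later: `$2b$` (variant), the two-digit cost (work factor
2**cost), a 22-character salt and the 31-character digest, all in
bcrypt's own base64 alphabet. That is why every hash is salted by
construction and why the cost can be raised as hardware gets faster:
parse the stored string at login, and if its cost or variant is below
policy, rehash the password the user just proved they know. The stored
hash below is a sample string in the right format, not derived from any
real account.
"""
import re

_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(stored: str) -> dict:
    """Split a modular-crypt bcrypt string into its fields or raise ValueError."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} out of range")
    return {"variant": m.group("variant"), "cost": cost,
            "salt": m.group("salt"), "digest": m.group("digest")}


def needs_rehash(stored: str, *, min_cost: int = 12, allowed_variants=("2b", "2y")) -> bool:
    """True when the stored hash is below the current policy."""
    fields = parse_bcrypt(stored)
    return fields["cost"] < min_cost or fields["variant"] not in allowed_variants


def work_ratio(old_cost: int, new_cost: int) -> int:
    """How many times more expensive each guess becomes when cost goes up."""
    return 2 ** (new_cost - old_cost)


def password_caveats(password: bytes) -> list:
    """bcrypt only looks at the first 72 bytes, and some implementations
    treat a NUL byte as end of string; warn so callers pre-hash or reject."""
    caveats = []
    if len(password) > 72:
        caveats.append("longer than 72 bytes: the remainder is ignored")
    if b"\x00" in password:
        caveats.append("contains NUL: some implementations truncate there")
    return caveats


# Sample stored value (format illustration only).
SAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_HASH))
    print("rehash needed:", needs_rehash(SAMPLE_HASH))
    print("cost 10 -> 12 makes each guess", work_ratio(10, 12), "x slower")
```

Pick the minimum cost by measuring on the real login servers (a few hundred milliseconds per hash is the usual target) and revisit it yearly; `needs_rehash` is what makes that raise take effect without a forced password reset.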
– Introduction to Web Authentication: The New W3C Spec
Learn about WebAuthn, a new standard for secure authentication on the web.
Web Authentication brings a stronger authentication mechanism to the masses by defining an API that both authenticators and web browsers can implement. With the release of Firefox 60 and Chrome 67, Web Authentication has become available to a large number of users. Authenticators such as YubiKeys already support the necessary protocols and work with current implementations
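Added example of the relying-party side, not code from the article or from any WebAuthn library: the browser returns `clientDataJSON` and `authenticatorData`, and before checking the signature the server must confirm the challenge it issued, its own origin, the RP ID hash, the user-presence flag and the signature counter. The sample exchange is constructed with no real key material, and the signature verification itself is left out:

```python
"""Relying-party checks on a WebAuthn assertion (added example).

Not from the article. It shows the server-side half of the API the text
describes: the browser hands back `clientDataJSON` (what the user agent
saw: type, challenge, origin) and `authenticatorData` (what the
authenticator signed: rpIdHash, flags, signature counter). Before the
RP verifies the signature it must check that the challenge is the one
it issued, the origin is its own, and the credential was scoped to its
RP ID (rpIdHash == SHA-256(rpId)). All sample bytes are constructed;
the public-key signature check itself is out of scope here.
"""
import base64
import hashlib
import json
import struct


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_authenticator_data(ad: bytes) -> dict:
    """Fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(ad) < 37:
        raise ValueError("authenticatorData too short")
    (sign_count,) = struct.unpack(">I", ad[33:37])
    flags = ad[32]
    return {
        "rpIdHash": ad[:32],
        "up": bool(flags & 0x01),    # user present
        "uv": bool(flags & 0x04),    # user verified (PIN/biometric)
        "at": bool(flags & 0x40),    # attested credential data follows
        "ed": bool(flags & 0x80),    # extensions follow
        "signCount": sign_count,
    }


def verify_client_data(client_data_json: bytes, *, challenge: bytes, origin: str, expected_type: str) -> dict:
    cd = json.loads(client_data_json.decode("utf-8"))
    if cd.get("type") != expected_type:
        raise ValueError(f"unexpected type {cd.get('type')!r}")
    if b64url_decode(cd.get("challenge", "")) != challenge:
        raise ValueError("challenge mismatch: replay or wrong session")
    if cd.get("origin") != origin:
        # A phishing page cannot forge this: the browser fills it in.
        raise ValueError(f"origin {cd.get('origin')!r} is not {origin!r}")
    return cd


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, *, challenge: bytes,
                     origin: str, rp_id: str, last_sign_count: int = 0, require_uv: bool = False) -> dict:
    """Return parsed data and the payload the authenticator signed, or raise."""
    verify_client_data(client_data_json, challenge=challenge, origin=origin, expected_type="webauthn.get")
    ad = parse_authenticator_data(authenticator_data)
    if ad["rpIdHash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: credential not scoped to this RP")
    if not ad["up"]:
        raise ValueError("user presence not asserted")
    if require_uv and not ad["uv"]:
        raise ValueError("user verification required but not performed")
    # Counter check is skipped only when both sides report 0 (authenticator has no counter).
    if (ad["signCount"] or last_sign_count) and ad["signCount"] <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    # What the signature covers: authenticatorData || SHA-256(clientDataJSON).
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {"authData": ad, "signedPayload": signed}


def make_sample_assertion(challenge: bytes, origin: str, rp_id: str, sign_count: int, flags: int = 0x05):
    """Constructed browser/authenticator output for a given challenge (no real key)."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return cdj, ad


if __name__ == "__main__":
    ch = bytes(range(32))                       # the RP's per-login challenge
    cdj, ad = make_sample_assertion(ch, "https://login.example.com", "login.example.com", 7)
    res = verify_assertion(cdj, ad, challenge=ch, origin="https://login.example.com",
                           rp_id="login.example.com", last_sign_count=6)
    print("ok, counter", res["authData"]["signCount"], "uv", res["authData"]["uv"])
```

The origin check is where the phishing resistance comes from: the browser, not the page, writes `origin` into `clientDataJSON`, and the authenticator scopes the key to the RP ID, so a look-alike domain gets neither a matching origin nor a matching `rpIdHash`.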
-Quantifying The Attacker’s First-Mover Advantage
- Use continuous vulnerability assessments to effectively improve the Time to Assess – but this by itself cannot fully mitigate the resulting exposure gap.
- Vulnerabilities and exploits are discovered and published incessantly, and attacks and threats evolve at a rapid pace and can strike at any time. The objective of an effective vulnerability management program must be to quickly adapt and react to these changing circumstances. A start-stop or cyclical model falls short in achieving this objective, requiring instead a vulnerability management approach based on a continuous integration and delivery (CI/CD) model.
- Align operational processes to support rapid response and ad hoc remediation and mitigation requests outside of regular maintenance and patch windows.
- Focus remediation and prioritization efforts on vulnerabilities with publicly available exploits and those actively being targeted by malware, exploit kits and ransomware. This necessitates up-to-date situational awareness and threat context.
-2018 Data Breach Investigations Report
53,308 security incidents, 2,216 data breaches, 65 countries, 67 contributors.
76% of breaches were financially motivated.
4% of people will click on any given phishing campaign.
Ransomware is the top variety of malicious software, found in 39% of cases where malware was identified.
You have 16 minutes until the first click on a phishing campaign. The first report from a savvy user will arrive after 28 minutes.
68% of breaches took months or longer to discover.
94% of security incidents and 90% of confirmed data breaches fall into our nine incident classification patterns across all years.
Tool of the week
-10 GitHub Security Best Practices
-A Practical Overview of Stack Based Buffer Overflow (with tools)
-InvisiMole Spyware: Sophisticated Tool for Targeted Cyber Espionage
-Encrypted Office Documents
Last I had to analyze a malicious, encrypted Excel document, with a twist.
When an OOXML file is encrypted, it is stored inside an OLE file. The EncryptedPackage stream contains the encrypted document.
The de-obfuscation is quite easy to perform. The most interesting part is in the array of hex-encoded strings.
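An added example of the first triage steps, not the author's tooling: an encrypted OOXML file is an OLE compound file rather than a ZIP, and compound-file directory entries store stream names in UTF-16LE, so a signature check plus a byte scan for EncryptedPackage and EncryptionInfo tells the two apart before a proper CFB parser is needed. The sample bytes and the hex-string array are constructed, and decoding the array as plain hex is an assumption about the post's de-obfuscation step:

```python
"""Triage of an encrypted Office document (added example, not the author's tools).

An encrypted OOXML file is not a ZIP any more: it is an OLE compound file
whose `EncryptedPackage` stream holds the ciphertext (and `EncryptionInfo`
the parameters). Compound-file directory entries store stream names as
UTF-16LE, so a byte scan finds them without a full parser; the real
analysis would use a CFB parser such as oletools' olefile. The sample
bytes and the hex-string array are constructed for illustration; the
de-obfuscation the post describes is assumed to be plain hex decoding.
"""
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound file header signature
ZIP_MAGIC = b"PK\x03\x04"                       # plain (unencrypted) OOXML is a ZIP


def classify_office_file(data: bytes) -> dict:
    """Cheap classification from container signature and stream names."""
    streams = {n: n.encode("utf-16-le") in data
               for n in ("EncryptedPackage", "EncryptionInfo", "WordDocument", "Workbook", "VBA")}
    is_ole = data[:8] == OLE_MAGIC
    return {
        "container": "ole" if is_ole else "zip" if data[:4] == ZIP_MAGIC else "unknown",
        "encrypted_ooxml": is_ole and streams["EncryptedPackage"] and streams["EncryptionInfo"],
        "streams_seen": sorted(n for n, seen in streams.items() if seen),
    }


_HEX_STR = re.compile(r'"((?:[0-9A-Fa-f]{2})+)"')


def decode_hex_string_array(script: str) -> list:
    """Decode every quoted hex string in an obfuscated script snippet."""
    return [bytes.fromhex(h).decode("latin-1") for h in _HEX_STR.findall(script)]


# Constructed sample: an OLE header, padding, and two directory-entry names.
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 120
              + "EncryptionInfo".encode("utf-16-le") + b"\x00" * 36
              + "EncryptedPackage".encode("utf-16-le") + b"\x00" * 32)

# Constructed sample of the kind of array the post mentions.
SAMPLE_SCRIPT = 'Dim a: a = Array("506F7765725368656C6C", "2D456E6320")'

if __name__ == "__main__":
    print(classify_office_file(SAMPLE_DOC))
    print(decode_hex_string_array(SAMPLE_SCRIPT))
```

A byte scan is only a triage shortcut: stream names can also appear inside unrelated data, so confirm with a real directory parse before drawing conclusions about the file.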
Other interesting articles
Prepare Yourself! The Security Token Tsunami Is About To Hit
My last piece on Security Tokens, “The Flippening Is Coming”, outlined the reasons why 2019 will see more issuance of Security Tokens than Utility Tokens. Since then, the Security Token future has come into greater focus, and it’s bigger than anyone thinks. Below are the 8 reasons why I’m all in.
- The Smartest People In Finance Are Quitting Wall Street & Devoting Their Life To Crypto
- People Want Liquidity
- The Security Token Rails Are Being Laid
- We’re Entering The Golden Age of Securities Innovation
- Security Token Regulations Have Been In Place For 85 Years
- I Want My MTV — Fractional Ownership Will Be Huge
- Enhanced Transparency Equals Enhanced Value
- The Security Token Meetup — It’s All About The Communities
NIST Rules for Contractor Data Handling
The National Institute of Standards and Technology (NIST) has released SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will allow companies seeking federal government contract work to determine if they are in compliance with requirements for handling data.
NIST provides a mapping of 800-171 to the NIST Cybersecurity Framework and EDUCAUSE has published a nice template (created by the Common Solutions Group) that includes mapping 800-171 to ISO 27002 and an older version of the Critical Security Controls:
library.educause.edu: NIST SP 800-171 Compliance Template
IT and “cyber security” have always been poor at articulating measurable service level agreements (SLA). We have often operated under an implicit SLA of “best efforts.” Our expectations of other parties will not be met until we learn to express them in such a way that both parties can know that they are met. In our space, this includes expressions of risk tolerance. Look to ITIL for both expectations and their expression.
The document could be more beneficial with some guidance on how an organization knows, or should know, which information needs protecting. In the absence of guidance, the default tends to be either all or none. Also, this document is clear that organizations have a lot of freedom to choose which measures they implement. With those two issues taken together, I am not sure it will be terribly useful.
Nation of shoplifters: the rise of supermarket self-checkout scams
You’re not a thief, are you? Perish the thought. But when it comes to self-checkout tills anyone can make a ‘mistake’
Analysing mouse-movement to see if you’re lying
The detection of faked identity using unexpected questions and mouse dynamics.
The detection of faked identities is a major problem in security. Current memory-detection techniques cannot be used as they require prior knowledge of the respondent’s true identity. Here, we report a novel technique for detecting faked identities based on the use of unexpected questions that may be used to check the respondent’s identity without any prior autobiographical information. While truth-tellers respond automatically to unexpected questions, liars have to “build” and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors. Responses to unexpected questions are compared to responses to expected and control questions (i.e., questions to which a liar also must respond truthfully). Parameters that encode mouse movement were analyzed using machine learning classifiers and the results indicate that the mouse trajectories and errors on unexpected questions efficiently distinguish liars from truth-tellers. Furthermore, we showed that liars may also be identified when they are responding truthfully. Unexpected questions combined with the analysis of mouse movement may efficiently spot participants with faked identities without the need for any prior information on the examinee.
Security Checklist for Full Stack Web Developers
And finally, Psychology and Security Resource Page
A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it’s easier to mislead people than to hack computers or hack through walls. Many systems also fail because of usability problems: the designers have different mental models of threats and protection mechanisms from users. Wrong assumptions about users can lead systems to discriminate against women, the less educated and the elderly. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they’re different. The gap gets ever wider, and ever more important.
At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The ‘Machiavellian Brain’ hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Conflict is also deeply tied up with social psychology and anthropology, while evolutionary explanations for the human religious impulse involve both trust and conflict. The dialogue between researchers in security and in psychology has thus been widening, bringing in people from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. We believe that this new discipline will increasingly become one of the active contact points between computing and psychology – an exchange that has hugely benefited both disciplines for over a generation
##HACKING, TOOLS and FUN – CHECK BELOW!