Security Stack Sheet #5

Word of the week “#2GOOD2BTRUE”


Escape to the sun this summer, but first get our last minute advice on holiday and ticket fraud for free

Link HERE Others HERE and HERE and HERE and HERE


Word of the week special “complexity is the worst enemy of security”

Links HERE and HERE and HERE




“Past Jeopardy” – thanks to Rob

A Jeopardy! champion and former Adrian College professor who hacked college email accounts pleaded guilty to unauthorized access to a computer, program or network, punishable by a maximum of five years in prison and a large fine



Crypto challenge of the week

-Create a Dice Roller

I love playing D&D with my friends, and my favourite part is creating character sheets (my DM is notorious for killing us all off by level 3 or so). One major part of making character sheets is rolling the character’s stats. Sadly, I have lost all my dice, so I’m asking for your help to make a dice roller for me to use!
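One way to answer the challenge, added here rather than taken from the challenge page: a dice roller built on the standard library's `secrets` module instead of `random`, so each roll is unpredictable even to someone who has watched earlier rolls (the property you want whenever a "dice roll" decides anything of value). The `4d6` notation parser and the 4d6-drop-lowest rule for ability scores are the usual tabletop conventions and are assumed here.

```python
"""Added example: a CSPRNG-backed dice roller for D&D stat generation.

Uses secrets.randbelow (os.urandom underneath, rejection sampling inside,
so no modulo bias) instead of random.randint, which is a Mersenne Twister
whose future output can be predicted after observing enough rolls.
"""
import re
import secrets

# NdS, NdS+M, NdS-M, or dS (count defaults to 1); case-insensitive 'd'
_NOTATION = re.compile(r"^(\d*)d(\d+)(?:([+-])(\d+))?$", re.IGNORECASE)


def roll_die(sides: int) -> int:
    """Return a uniformly distributed integer in 1..sides."""
    if sides < 1:
        raise ValueError("a die needs at least one side")
    return secrets.randbelow(sides) + 1


def parse_notation(text: str):
    """Parse dice notation into (count, sides, modifier)."""
    m = _NOTATION.match(text.strip())
    if not m:
        raise ValueError(f"bad dice notation: {text!r}")
    count = int(m.group(1) or 1)
    sides = int(m.group(2))
    modifier = int(m.group(4) or 0) * (-1 if m.group(3) == "-" else 1)
    if count < 1 or sides < 1:
        raise ValueError(f"bad dice notation: {text!r}")
    return count, sides, modifier


def roll(text: str):
    """Roll the given notation; returns (total, individual_rolls)."""
    count, sides, modifier = parse_notation(text)
    rolls = [roll_die(sides) for _ in range(count)]
    return sum(rolls) + modifier, rolls


def roll_stat(rolls=None) -> int:
    """4d6, drop the lowest die: the common way to roll one ability score.

    ``rolls`` may be passed in so the drop-lowest rule itself is testable.
    """
    if rolls is None:
        rolls = [roll_die(6) for _ in range(4)]
    if len(rolls) != 4 or not all(1 <= r <= 6 for r in rolls):
        raise ValueError("expected four d6 results")
    return sum(sorted(rolls)[1:])


def roll_character() -> dict:
    """Return the six ability scores in standard order."""
    return {name: roll_stat() for name in ("STR", "DEX", "CON", "INT", "WIS", "CHA")}


if __name__ == "__main__":
    print(roll("2d20+3"))
    print(roll_character())
```

Swapping `secrets.randbelow` for `random.randint` would make the roller "work" just as well at the table; the difference only shows up when someone has a reason to predict the next roll, which is exactly the case for a raffle, a game server or any token that a dice roller grows into.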




May 25: GDPR Live! See incidents section below

June 30: TLS 1.1 or higher mandatory for PCI DSS compliance (SSL and early TLS no longer acceptable)


Now: TLS1.2 mandatory for proper security

Jun 14: World Cup 2018 ongoing and Russia seems a safe place (!)


July and August – Holidays!!

March 29 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week



Some OWASP stuff first

-OWASP Dependency Track 3.1.1

Dependency-Track is an intelligent Software Composition Analysis (SCA) platform that allows organizations to identify and reduce risk from the use of third-party and open source components


-What does it take to be a cyber-security professional?

-We need to talk application security

Links HERE and HERE

-Ep. #17, Security Research with The Morning Paper’s Adrian Colyer

Thou Shalt Not Depend On Me – dependencies

Using Delegations to Protect Community Repos

When CSI Meets Public WiFi


Leave Your Phone at the Door

Re-coding Black Mirror

Game of Missuggestions

Securing Wireless Neurostimulators

Privacy Guide

The Curious Case of the PDF Converter That Likes Mozart

Trajectory Recovery From Ash


-OWASP Bristol meetup presentation – Red Team

Link HERE Video HERE

-BSides London 2018 presentations

Circumventing egress filtering by exploiting HTTP – Lorenzo Grespan

Profiling the attacker – using offender profiling in SOC environments – James Stevenson

How to get started in Cybersecurity – John Stoner

[Keynote] State of The Net – Mikko Hypponen

Travel with Underground Services: ecosystem exposed – Vladimir Kropotov

The Insider – Users – Neil Lines

Hacking the Drones – Aatif Khan

BotProbe – botnet traffic capture using IPFIX – Mark Graham

How I break into Casinos, Airports and CNI: The Basics of Social Engineering – Chris Pritchard

How to take over a production system in the cloud – Paul Schwarzenberger

Solving Threat Detection – Alex Davies

Random Problems in IoT – Mark Carney

Breaking into Embedded Devices and IoT Security – Andrew Costis


Link HERE Twitter HERE

-Don’t forget about

Conference Preview HERE



Incidents in the world last week

Other source HERE Find your country

Yet another cryptocurrency exchange is attacked

On Saturday, 9 June, Coinrail, a South Korean cryptocurrency exchange, announced that they had been the victim of a data breach, leading to the loss of an estimated $40 million in altcoins.

The ongoing costs of a ransomware attack

We have previously reported on the SamSam ransomware attack on the City of Atlanta (initial report and a follow-up report on the costs of recovery). Recent media reporting has revealed that video files containing police dashcam footage were encrypted during the attack and cannot be recovered

Prowli botnet infects over 40,000 networked devices

Over recent months, Guardicore researchers have identified a cyber crime group they have called “Prowli”, who have been conducting a wide-ranging campaign using an array of techniques to infect more than 40,000 machines at 9,000 companies globally



Global ALERT level

Incidents detail

Google Developer Discovers a Critical Bug in Modern Web Browsers


‘Wallchart’ Phishing Campaign Exploits World Cup Watchers

The details on a phishing attack designed to lure soccer fans with a subject line about the World Cup schedule and scoresheet


Processors should practice SafeSpec to overcome Spectre/Meltdown problems

Scientists have devised a way to defeat the Meltdown and Spectre security vulnerabilities caused by speculative execution in modern processors


Typeframe Trojan

The US Department of Homeland Security’s (DHS’s) US-CERT has issued a malware analysis report regarding a Trojan horse program known as Typeframe, which is believed to have been developed by a North Korean hacking group.
Unlike many malware samples that execute an svchost.exe using process hollowing, this malware creates a new service that runs in an existing svchost.exe service group, which highlights the importance of software inventories in discovering malware. Interestingly, most of the malware was compiled using Visual C++ 6.0, which was released in 1998. Little software today is actively developed on this platform, but malware authors like it because all modern versions of Windows already have its runtime installed; newer compiler versions may require a separate C++ runtime to be installed before the binary will run. The exception is the x64 modules, which were compiled with Visual C++ 8.0, probably because 6.0 does not support x64 targets
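The compiler observation above is something an inventory sweep can check cheaply: a PE built with Visual C++ 6.0 carries linker version 6.0 in its optional header, and Visual C++ 8.0 (Visual Studio 2005) writes 8.0. The following is an added example, not code from the US-CERT report, that reads the machine type and linker version from a PE header using the offsets from the PE/COFF specification; the sample headers are constructed by hand for the demo. Treat the linker version as a triage heuristic (other toolchains can write any value), not as proof of a particular compiler.

```python
"""Added example: triage a PE file's machine type and linker version.

Layout used (PE/COFF spec): 'MZ' at 0, e_lfanew (uint32) at 0x3C,
'PE\0\0' at e_lfanew, then the 20-byte COFF header, then the optional
header whose first bytes are Magic(2), MajorLinkerVersion(1), MinorLinkerVersion(1).
"""
import struct

KNOWN_LINKERS = {(6, 0): "Visual C++ 6.0", (8, 0): "Visual C++ 8.0 (VS 2005)"}
MACHINES = {0x014C: "x86", 0x8664: "x64"}


def pe_linker_version(data: bytes):
    """Return (machine_name, major, minor) or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    if len(data) < coff + 24:                 # COFF header + 4 bytes of optional header
        raise ValueError("truncated headers")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 4:
        raise ValueError("no optional header")
    magic, major, minor = struct.unpack_from("<HBB", data, coff + 20)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return MACHINES.get(machine, hex(machine)), major, minor


def describe(data: bytes) -> str:
    """Human-readable one-liner for an inventory report."""
    machine, major, minor = pe_linker_version(data)
    name = KNOWN_LINKERS.get((major, minor), "other/unknown linker")
    return f"{machine} binary, linker {major}.{minor}: {name}"


def fake_pe(machine: int, major: int, minor: int, pe32plus: bool = False) -> bytes:
    """Constructed test data: the smallest header that parses."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x0102)
    opt = struct.pack("<HBB", 0x20B if pe32plus else 0x10B, major, minor)
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    print(describe(fake_pe(0x14C, 6, 0)))
    print(describe(fake_pe(0x8664, 8, 0, pe32plus=True)))
```

Run it over `Path(...).read_bytes()` of every executable in a software inventory and the VC6 hits become a short review list; on a 2018 Windows estate that list should be nearly empty, which is what makes the check useful.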


Setting arbitrary request headers in Chromium via CRLF injection


Sonic and ultrasonic attacks damage hard drives and crash OSes

Sounds played over off-the-shelf or embedded speakers often require a reboot


Subverting your server through its BMC: the HPE iLO4 case

iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides the features a system administrator needs to manage a server remotely without having to physically reach it. iLO4 (used on the HP ProLiant Gen8 and Gen9 server families) runs on a dedicated ARM microprocessor embedded in the server, totally independent of the main processor. We performed an initial deep-dive security study of HP iLO4 and covered the following topics:

– Firmware unpacking and memory layout

– Embedded OS internals

– Vulnerability discovery and exploitation

– Full compromise of the host server operating system through DMA

One of the main outcomes of our study was the discovery of a critical vulnerability in the web server component allowing both an authentication bypass and remote code execution. Still, one question remains open: are iLO systems resilient against a long-term compromise at the firmware level? For this reason, we focus on the update mechanism and how a motivated attacker can achieve long-term persistence on the system

Link HERE Slides HERE

Popular Flight Tracker Flightradar24 Suffers Data Breach


Email Phishers Using A Simple Way to Bypass MS Office 365 Protection

Dubbed ZeroFont, the technique involves inserting hidden words with a font size of zero within the actual content of a phishing email, keeping its visual appearance the same while making the text look benign to email security scanners that read the raw HTML rather than what the recipient actually sees
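The fix on the scanner side is to strip zero-size text before keyword checks so the scanner and the reader see the same words. The following is an added example, not from the linked article, that does this with the standard library HTML parser and shows the naive "strip the tags" approach missing the phrase; the sample email fragment is constructed.

```python
"""Added example: recover the rendered text of an HTML email by dropping
everything inside an element styled font-size:0, then run keyword checks
on that instead of on the raw markup.
"""
import re
from html.parser import HTMLParser

# font-size: 0, 0px, 0.0em, ... followed by ';' or end of the style string
_ZERO = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)", re.I)


class VisibleText(HTMLParser):
    """Collect text, separating what renders from what is font-size:0."""

    def __init__(self):
        super().__init__()
        self.depth = 0                    # number of enclosing hidden elements
        self.stack = []                   # (tag, is_hidden) for open elements
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style") or ""
        is_hidden = bool(_ZERO.search(style))
        self.stack.append((tag, is_hidden))
        if is_hidden:
            self.depth += 1

    def handle_endtag(self, tag):
        if not any(t == tag for t, _ in self.stack):
            return                        # stray end tag, ignore
        while self.stack:                 # pop to the matching open tag
            t, hidden = self.stack.pop()
            if hidden:
                self.depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        (self.hidden if self.depth else self.visible).append(data)


def _norm(parts) -> str:
    return " ".join("".join(parts).split())   # inline spans add no spaces


def rendered_text(html: str):
    """Return (visible_text, hidden_text)."""
    p = VisibleText()
    p.feed(html)
    p.close()
    return _norm(p.visible), _norm(p.hidden)


def naive_text(html: str) -> str:
    """What a tag-stripping scanner sees: hidden characters stay inline."""
    return " ".join(re.sub(r"<[^>]+>", "", html).split())


def scan(html: str, keywords=("verify your account", "password", "office 365")) -> dict:
    visible, hidden = rendered_text(html)
    return {
        "visible": visible,
        "hidden": hidden,
        "hits": [k for k in keywords if k in visible.lower()],
        "zerofont_suspect": bool(hidden),   # any zero-size text is itself a signal
    }


# Constructed sample: the reader sees "verify your account", a raw-text
# scanner sees "verxify your accyount".
SAMPLE = ('<p>Please ver<span style="font-size:0">x</span>ify your acc'
          '<span style="FONT-SIZE: 0px">y</span>ount now.</p>')

if __name__ == "__main__":
    print(naive_text(SAMPLE))
    print(scan(SAMPLE))
```

The parser only handles inline `style` attributes, which is what the ZeroFont samples used; a production filter would also resolve `<style>` blocks and the other hiding tricks (`display:none`, colour-on-colour, off-screen positioning), but the principle is the same: classify the rendered text, and treat the presence of hidden text as a signal in its own right.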


Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives

Link HERE and one more Apple Boo Boo HERE plus Siri phishing HERE

GnuPG Flaw in Encryption Tools Lets Attackers Spoof Anyone’s Signature


Fake GOV.UK “HMRC Payment error” delivers Trickbot


17 Backdoored Docker Images Removed From Docker Hub



Research of the week

-Containers at-risk

A Review of 21,000 Cloud Environments

Securing your workloads in public clouds requires a different approach than that used for traditional data centers. The need to operate security at cloud speed, respond to continuous change, adapt at scale, and operate with a new operating model all require a dramatic shift in the type of security solution required by today’s operation. In a world where APIs drive the infrastructure and create ephemeral workloads, organizations can develop control over their cloud security posture through real-time visibility, anomaly detection, and deep understanding of the behaviours of users, resources, and connections

Link HERE Infographic HERE and Containerised Apps Checklist HERE

-Hashing in Action: Understanding bcrypt

The bcrypt hashing function allows us to build a password security platform that scales with computation power and always hashes every password with a salt

Links HERE and HERE
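The "scales with computation power" part is the cost factor, and it only helps if hashes stored at an older, lower cost get upgraded when users next log in. The following is an added example, not from the linked articles and not the bcrypt package's own API: it parses the modular-crypt string bcrypt produces (`$2b$<cost>$<22 salt chars><31 hash chars>`), decides whether a stored hash needs re-hashing under current policy, and picks a cost for a target runtime. The sample hash string is used only for its shape and is not a real hash of anything.

```python
"""Added example: bcrypt hash-string inspection and cost-factor policy.

Only the string format is handled here; computing or verifying the hash
itself still needs the bcrypt library (bcrypt.hashpw / bcrypt.checkpw).
"""
import math
import re

# $2a$ / $2b$ / $2x$ / $2y$, two-digit cost, 22-char salt and 31-char digest
# in bcrypt's own base64 alphabet (./A-Za-z0-9)
_BCRYPT = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored: str) -> dict:
    """Split a stored bcrypt string into its parts; raise ValueError if malformed."""
    m = _BCRYPT.match(stored)
    if not m:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} is outside bcrypt's 4..31 range")
    return {"variant": variant, "cost": cost, "salt": salt, "digest": digest}


def needs_rehash(stored: str, min_cost: int = 12, preferred_variant: str = "2b") -> bool:
    """True if a successful login should re-hash the password under current policy.

    Call this right after checkpw() succeeds: that is the only moment the
    plaintext is available to produce the stronger hash.
    """
    info = parse_bcrypt(stored)
    return info["cost"] < min_cost or info["variant"] != preferred_variant


def cost_for_target(seconds_per_hash: float, measured_at_cost: int, measured_seconds: float) -> int:
    """Choose a cost so one hash takes about ``seconds_per_hash`` on this hardware.

    Each +1 in cost doubles the work, so the answer is the measured cost plus
    floor(log2(target / measured)), clamped to bcrypt's legal range.
    """
    if measured_seconds <= 0 or seconds_per_hash <= 0:
        raise ValueError("timings must be positive")
    step = math.floor(math.log2(seconds_per_hash / measured_seconds))
    return max(4, min(31, measured_at_cost + step))


# Constructed sample (shape only): variant 2b, cost 10.
SAMPLE_LOW = "$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_LOW))
    print("rehash on next login:", needs_rehash(SAMPLE_LOW))
    print("cost for 250 ms given 50 ms at cost 10:", cost_for_target(0.25, 10, 0.05))
```

`cost_for_target` is the piece people skip: measure `bcrypt.hashpw` once at a known cost on the real login servers, feed the timing in, and re-run it after every hardware refresh, since "scales with computation power" is a property you have to exercise, not one you get for free.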

– Introduction to Web Authentication: The New W3C Spec

Learn about WebAuthn, a new standard for secure authentication on the web.

Web Authentication brings a stronger authentication mechanism to the masses by defining an API that both authenticators and web browsers can implement. With the release of Firefox 60 and Chrome 67, Web Authentication has become available to a large number of users. Authenticators, such as YubiKeys, already support the necessary protocols and work with current implementations

Link HERE and the MFA API HERE
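Every WebAuthn ceremony starts on the relying-party side with the same three checks on the `clientDataJSON` the browser hands back: the ceremony type, the challenge the server issued, and the origin. The following is an added example, not from the linked article and not any WebAuthn library's API, showing those checks with a single-use challenge store. Signature and attestation verification (COSE key parsing, authenticator data, counters) are deliberately out of scope. The relying-party origin is an assumed value and the browser response is constructed to look like what `navigator.credentials.get()` returns.

```python
"""Added example: relying-party checks on WebAuthn clientDataJSON.

The spec's verification procedure requires that type == "webauthn.get"
(or "webauthn.create" at registration), that the challenge equals the one
the server issued for this session, and that origin is the relying party.
"""
import base64
import json
import secrets

RP_ORIGIN = "https://login.example.com"   # assumed relying-party origin
_pending = {}                              # session id -> issued challenge (single use)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_challenge(session_id: str) -> str:
    """Server step: mint a fresh random challenge (spec: at least 16 bytes)."""
    challenge = b64url_encode(secrets.token_bytes(32))
    _pending[session_id] = challenge
    return challenge


def verify_client_data(session_id: str, client_data_json: bytes,
                       expected_type: str = "webauthn.get") -> dict:
    """Validate the clientDataJSON the browser returned; ValueError on any mismatch."""
    expected = _pending.pop(session_id, None)     # consume it even if the check fails
    if expected is None:
        raise ValueError("no outstanding challenge for this session")
    try:
        client = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("clientDataJSON is not valid JSON") from exc
    if client.get("type") != expected_type:
        raise ValueError(f"unexpected ceremony type {client.get('type')!r}")
    got = str(client.get("challenge", "")).encode()
    if not secrets.compare_digest(got, expected.encode()):
        raise ValueError("challenge mismatch (replay or wrong session)")
    if client.get("origin") != RP_ORIGIN:
        raise ValueError(f"origin {client.get('origin')!r} is not the relying party")
    if client.get("crossOrigin"):
        raise ValueError("cross-origin ceremonies are not allowed")
    return client


def browser_response(challenge: str, origin: str = RP_ORIGIN,
                     kind: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would produce."""
    return json.dumps({"type": kind, "challenge": challenge, "origin": origin}).encode()


if __name__ == "__main__":
    c = issue_challenge("session-1")
    print(verify_client_data("session-1", browser_response(c)))
```

The origin check is what makes WebAuthn phishing-resistant: a credential exercised on `https://login.example.com.evil.example` comes back with that origin in `clientDataJSON`, and the relying party rejects it before looking at the signature. Popping the challenge on first use is what stops a captured response from being replayed.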

-Quantifying The Attacker’s First-Mover Advantage


  • Use continuous vulnerability assessments to effectively improve the Time to Assess – but this by itself cannot fully mitigate the resulting exposure gap.
  • Vulnerabilities and exploits are discovered and published incessantly, and attacks and threats evolve at a rapid pace and can strike at any time. The objective of an effective vulnerability management program must be to quickly adapt and react to these changing circumstances. A start-stop or cyclical model falls short in achieving this objective, requiring instead a vulnerability management approach based on a continuous integration and delivery (CI/CD) model.
  • Align operational processes to support rapid response and ad hoc remediation and mitigation requests outside of regular maintenance and patch windows.
  • Focus remediation and prioritization efforts on vulnerabilities with publicly available exploits and those actively being targeted by malware, exploit kits and ransomware. This necessitates up-to-date situational awareness and threat context.


-2018 Data Breach Investigations Report

53,308 security incidents, 2,216 data breaches, 65 countries, 67 contributors.

76% of breaches were financially motivated.

4% of people will click on any given phishing campaign.

Ransomware is the top variety of malicious software, found in 39% of cases where malware was identified.

You have 16 minutes until the first click on a phishing campaign. The first report from a savvy user will arrive after 28 minutes.

68% of breaches took months or longer to discover.

94% of security incidents and 90% of confirmed data breaches fall into our nine incident classification patterns across all years.



Tool of the week

-10 GitHub Security Best Practices


-A Practical Overview of Stack Based Buffer Overflow (with tools)


-InvisiMole Spyware: Sophisticated Tool for Targeted Cyber Espionage


-Encrypted Office Documents

Last I had to analyze a malicious, encrypted Excel document, with a twist.

It was using the encrypted file format for OOXML files (.docx, .xlsx, …), I knew this because of oledump's report:

When an OOXML file is encrypted, it is stored inside an OLE file. Stream EncryptedPackage contains the encrypted document
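A first-pass triage that distinguishes the three cases a sample can fall into (plain OOXML zip, OLE container, OLE container holding an encrypted OOXML package), as an added example that is not oledump and not from the original post. It relies on OLE directory entries storing stream names as UTF-16LE, so a byte search for `EncryptedPackage` and `EncryptionInfo` finds the encrypted case without a full compound-file parser; use olefile/oledump for an actual walk of the directory. The three sample files are constructed stand-ins, not real documents.

```python
"""Added example: classify an Office file as OOXML zip, OLE, or OLE-wrapped
encrypted OOXML (MS-OFFCRYPTO: EncryptionInfo + EncryptedPackage streams).
"""
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Stream names are stored UTF-16LE in the OLE directory entries.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
ENCRYPTION_INFO = "EncryptionInfo".encode("utf-16-le")


def classify_office(data: bytes) -> str:
    """Return one of: ooxml-zip, ole-encrypted-ooxml, ole, unknown."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"                  # .docx/.xlsx/.pptx stored in the clear
    if data.startswith(OLE_MAGIC):
        if ENCRYPTED_PACKAGE in data and ENCRYPTION_INFO in data:
            return "ole-encrypted-ooxml"    # password needed before any content analysis
        return "ole"                        # legacy .doc/.xls or other OLE content
    return "unknown"


def fake_ole(*stream_names: str) -> bytes:
    """Constructed OLE-like blob: real magic, a padded header, fake directory names."""
    entries = b"".join(n.encode("utf-16-le") + b"\x00" * 8 for n in stream_names)
    return OLE_MAGIC + b"\x00" * 504 + entries


if __name__ == "__main__":
    print(classify_office(fake_ole("EncryptionInfo", "EncryptedPackage")))
```

The "twist" in the diary is exactly the second branch: an `.xlsx` that is not a zip at all, so tools that start with `zipfile` fail before they see anything. Once classified as encrypted, the only useful next steps are the password (from the lure email, or the default `VelvetSweatshop` that Excel tries silently) or dynamic analysis.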


-Malicious JavaScript Targeting Mobile Browsers

A reader reported a suspicious obfuscated piece of JavaScript code that was found on a website.

The de-obfuscation is quite easy to perform. The most interesting part is in the array of hex-encoded strings.
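Decoding that array is the part worth automating, since the same `var _0x....=["\x..",...]` pattern shows up in most commodity obfuscators. The following is an added example, not from the ISC diary and not the code it analysed: it finds such arrays, decodes the `\xNN` / `\uNNNN` escapes, and flags strings a mobile-redirect script typically needs (user-agent sniffing, device names, a remote URL). The snippet it runs on is constructed to mimic the pattern.

```python
"""Added example: pull the hex-encoded string array out of obfuscated
JavaScript and decode it so the real strings can be read and searched.
"""
import re

_ARRAY = re.compile(r"var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\]\s*;", re.S)
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.S)
_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")
_UNI = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_js_string(literal: str) -> str:
    """Decode the body of a JS string literal carrying \\xNN / \\uNNNN escapes."""
    s = _HEX.sub(lambda m: chr(int(m.group(1), 16)), literal)
    s = _UNI.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\/", "/").replace('\\"', '"').replace("\\'", "'")


def extract_string_arrays(js: str) -> dict:
    """Map each `var _0x... = [...]` array name to its decoded string list."""
    arrays = {}
    for name, body in _ARRAY.findall(js):
        arrays[name] = [decode_js_string(dq or sq) for dq, sq in _STRING.findall(body)]
    return arrays


def suspicious_strings(js: str, patterns=("userAgent", "Android", "iPhone", "mobile",
                                          "http://", "https://", "location", "eval")) -> list:
    """Decoded strings that match the usual mobile-redirect indicators."""
    hits = []
    for items in extract_string_arrays(js).values():
        hits.extend(s for s in items if any(p.lower() in s.lower() for p in patterns))
    return hits


# Constructed sample in the style of the obfuscator output: the three entries
# decode to "userAgent", "/Android|iPhone/" and "https://example.invalid/r".
SAMPLE_JS = (
    'var _0x3a1f=["\\x75\\x73\\x65\\x72\\x41\\x67\\x65\\x6E\\x74",'
    '"\\x2F\\x41\\x6E\\x64\\x72\\x6F\\x69\\x64\\x7C\\x69\\x50\\x68\\x6F\\x6E\\x65\\x2F",'
    '"\\x68\\x74\\x74\\x70\\x73\\x3A\\x2F\\x2F\\x65\\x78\\x61\\x6D\\x70\\x6C\\x65'
    '\\x2E\\x69\\x6E\\x76\\x61\\x6C\\x69\\x64\\x2F\\x72"];'
)

if __name__ == "__main__":
    for name, items in extract_string_arrays(SAMPLE_JS).items():
        print(name, items)
    print(suspicious_strings(SAMPLE_JS))
```

After decoding, the rest of the script is usually readable by hand: every `_0x3a1f[2]` becomes the literal it indexes, which is faster than stepping through it in a browser and keeps the redirect target from being fetched by accident.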



Other interesting articles

Prepare Yourself! The Security Token Tsunami Is About To Hit

My last piece on Security Tokens, “The Flippening Is Coming”, outlined the reasons why 2019 will see more issuance of Security Tokens than Utility Tokens. Since then, the Security Token future has come into greater focus, and it’s bigger than anyone thinks. Below are the 8 reasons why I’m all in.

  1. The Smartest People In Finance Are Quitting Wall Street & Devoting Their Life To Crypto
  2. People Want Liquidity
  3. The Security Token Rails Are Being Laid
  4. We’re Entering The Golden Age of Securities Innovation
  5. Security Token Regulations Have Been In Place For 85 Years
  6. I Want My MTV — Fractional Ownership Will Be Huge
  7. Enhanced Transparency Equals Enhanced Value
  8. The Security Token Meetup — It’s All About The Communities



NIST Rules for Contractor Data Handling

The National Institute of Standards and Technology (NIST) has released SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will allow companies seeking federal government contract work to determine if they are in compliance with requirements for handling data.

NIST provides a mapping of 800-171 to the NIST Cybersecurity Framework and EDUCAUSE has published a nice template (created by the Common Solutions Group) that includes mapping 800-171 to ISO 27002 and an older version of the Critical Security Controls: NIST SP 800-171 Compliance Template

IT and “cyber security” have always been poor at articulating measurable service level agreements (SLA). We have often operated under an implicit SLA of “best efforts.” Our expectations of other parties will not be met until we learn to express them in such a way that both parties can know that they are met. In our space, this includes expressions of risk tolerance. Look to ITIL for both expectations and their expression.

The document could be more beneficial with some guidance on how an organization knows, or should know, which information needs protecting. In the absence of guidance, the default tends to be either all or none. Also, this document is clear that organizations have a lot of freedom to choose which measures they implement. With those two issues taken together, I am not sure it will be terribly useful.



Nation of shoplifters: the rise of supermarket self-checkout scams

You’re not a thief, are you? Perish the thought. But when it comes to self-checkout tills anyone can make a ‘mistake’



Analysing mouse-movement to see if you’re lying

The detection of faked identity using unexpected questions and mouse dynamics.

The detection of faked identities is a major problem in security. Current memory-detection techniques cannot be used as they require prior knowledge of the respondent’s true identity. Here, we report a novel technique for detecting faked identities based on the use of unexpected questions that may be used to check the respondent identity without any prior autobiographical information. While truth-tellers respond automatically to unexpected questions, liars have to “build” and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors. Responses to unexpected questions are compared to responses to expected and control questions (i.e., questions to which a liar also must respond truthfully). Parameters that encode mouse movement were analyzed using machine learning classifiers and the results indicate that the mouse trajectories and errors on unexpected questions efficiently distinguish liars from truth-tellers. Furthermore, we showed that liars may be identified also when they are responding truthfully. Unexpected questions combined with the analysis of mouse movement may efficiently spot participants with faked identities without the need for any prior information on the examinee.



Security Checklist for Full Stack Web Developers



And finally, Psychology and Security Resource Page

A fascinating dialogue is developing between psychologists and security engineers. At the macro scale, societal overreactions to terrorism are founded on the misperception of risk and uncertainty, which has deep psychological roots. At the micro scale, more and more crimes involve deception; as security engineering gets better, it’s easier to mislead people than to hack computers or hack through walls. Many systems also fail because of usability problems: the designers have different mental models of threats and protection mechanisms from users. Wrong assumptions about users can lead systems to discriminate against women, the less educated and the elderly. And misperceptions cause security markets to fail: many users buy snake oil, while others distrust quite serviceable mechanisms. Security is both a feeling and a reality, and they’re different. The gap gets ever wider, and ever more important.

At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The `Machiavellian Brain’ hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting deception in others, left more descendants. Conflict is also deeply tied up with social psychology and anthropology, while evolutionary explanations for the human religious impulse involve both trust and conflict. The dialogue between researchers in security and in psychology has thus been widening, bringing in people from usability engineering, protocol design, privacy, and policy on the one hand, and from social psychology, evolutionary biology, and behavioral economics on the other. We believe that this new discipline will increasingly become one of the active contact points between computing and psychology – an exchange that has hugely benefited both disciplines for over a generation

Link HERE Good preso HERE



AppSec Ezine

Link HERE and credits to HERE
