Word of the week “Public by default”
Word of the week special “Why not HTTPS”
Great list of InfoSec people to follow on Twitter HERE
Crypto challenge of the week
-Reminder: the cryptopals crypto challenges
May 25: GDPR Live! See incidents section below – Worst breaches in 2018 so far HERE
June 30: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
July and August – Holidays!!
March 29 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-Top 10 Web Hacking Techniques of 2017 – Nominations Open
Every year, numerous security researchers choose to share their findings with the community through conference presentations, blog posts, whitepapers, videos, and even simple disclosures
-MyCrypto’s Security Guide For Dummies And Smart People Too
An in-depth guide on how to be safe in the crypto world and the online world in general
-OWASP Europe in London – Presentations coming soon!
Incidents in the world last week
Other source HERE Find your country
Are weak login credentials allowing criminals to bypass your security?
A study by cyber security firm McAfee has found that criminal marketplaces on the dark web are selling Remote Desktop Protocol (RDP) access for as little as $3 and, in some instances, offering up to 40,000 separate RDP connections. These RDP accesses are said to include government departments and the security system of a major international airport
Spanish telecoms provider Telefonica suffers security breach
According to media reports, Spanish telecoms provider Telefónica has suffered the largest data breach in Spanish telecommunications history
The threat from the inside
Several attempted data theft incidents in recent weeks have highlighted the significant insider threat to businesses developing high-value intellectual property. These incidents had the potential to cause a catastrophic financial and/or reputational impact on the company:
- A disgruntled Tesla employee reportedly stole a large volume of sensitive data from company servers and allegedly passed the details on to an unknown third party after being refused promotion within the company
- A former Apple employee was reportedly arrested after stealing data related to the company’s research and development of self-driving cars. Suspicious activity on the employee’s user accounts during the last few days of his employment sparked an investigation into his activities, revealing the theft of Apple trade secrets relating to autonomous vehicles
- Israeli security company, NSO, reportedly discovered an employee had stolen proprietary surveillance software from the company and offered it on the dark web. A potential buyer of the stolen surveillance software informed NSO of the theft
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
XSS on etherscan.io
Etherscan is ranked as the 1,379th site in the world according to Alexa, so they’re pretty big!
Starting today with the release of Chrome 68, Google Chrome prominently marks all non-HTTPS websites as ‘Not Secure’ in its years-long effort to make the web a more secure place for Internet users
Request for Packets: Port 15454
Starting 12-JUL-2018 the number of DShield participants reporting probes for port 15454 started to rise
Evading CSP with DOM-based dangling markup
Dangling markup is a technique to steal the contents of the page without script by using resources such as images to send the data to a remote location that an attacker controls. It is useful when reflected XSS doesn’t work or is blocked by Content Security Policy (CSP). The idea is you inject some partial HTML that is in an unfinished state such as a src attribute of an image tag, and the rest of the markup on the page closes the attribute but also sends the data in-between to the remote server
Attackers concealing malware in images uploaded to Google servers
Cybercriminals are putting a new spin on the old trick of hiding malware code in Exchangeable Image File Format (EXIF) data. Recently, attackers were observed using this technique in image files, rather than text files, and uploading them to googleusercontent.com servers
Titan Security Keys – Google launches its own USB-based FIDO U2F Keys
Open AWS S3 bucket at political robocall firm exposes 2,600 files
An open AWS S3 bucket at a political autodial company exposed nearly 2,600 files relating to a number of political campaigns in the U.S. and was indexed by GrayhatWarfare, a database of 48,623 open S3 buckets
.NET Process Injection
For a while now, I have been saying that PowerShell is dead in high security environments. Yes, it still works in environments where they haven’t figured out how to monitor PowerShell or at least process creation commands and arguments, but as soon as a defensive team implements visibility into this space, defense (the blue team) has all the advantages over an adversary playing in this space
New Bluetooth Hack Affects Millions of Devices from Major Vendors
The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware
Facebook has suspended data analytics firm Crimson Hexagon over concerns that the company has been misusing Facebook’s data
Spectre Returns! Speculation Attacks using the Return Stack Buffer
The recent Spectre attacks exploit speculative execution, a pervasively used feature of modern microprocessors, to allow the exfiltration of sensitive data across protection boundaries. In this paper, we introduce a new Spectre-class attack that we call SpectreRSB. In particular, rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses
Research of the week
-Hardware and firmware attacks: Defending, detecting, and responding – by Facebook
- The attack landscape for firmware is maturing and needs more attention from defense and detection communities. Recent examples of firmware attacks include the Equation Group’s attacks on drive firmware, Hacking Team’s commercialized EFI RAT, Flame, and Duqu.
- Simple tools like osquery give defenders important insights about what’s happening on their network so they can quickly detect a potential compromise. Facebook released osquery as an open source project in 2014.
- Facebook recently added hardware monitoring to osquery, which already aids security teams in vulnerability management, incident response, OS X attacks, and IT compliance
-ERP Applications Under Fire How cyberattackers target the crown jewels – thanks to Gustavo
- Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations.
- Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications.
- Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage.
- There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums.
- Attack vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days.
- Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.
- Leaked information by third parties and employees can expose internal ERP applications.
-Credential Spill Report 2018
Read the Conclusion!
-Developing the UK cyber security profession
-A Look at Java Cryptography
A discussion of some key concepts from the Java Cryptographic Architecture (JCA) API that developers can use to add encryption to their Java-based applications
-Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication
The design and implementation of cryptographic systems offer many subtle pitfalls. One such pitfall is that cryptography may create unique identifiers potentially usable to repeatedly and precisely re-identify and hence track users. This work investigates TLS Client Certificate Authentication (CCA), which currently transmits certificates in plain text. We demonstrate CCA’s impact on client traceability using Apple’s Apple Push Notification service (APNs) as an example. APNs is used by all Apple products, employs plain-text CCA, and aims to be constantly connected to its backend. Its novel combination of large device count, constant connections, device proximity to users and unique client certificates provides for precise client traceability. We show that passive eavesdropping allows one to precisely re-identify and track users and that only ten interception points are required to track more than 80 percent of APNs users due to global routing characteristics. We conduct our work under strong ethical guidelines, responsibly disclose our findings, and can confirm a working patch by Apple for the highlighted issue. We aim for this work to provide the necessary factual and quantified evidence about negative implications of plain-text CCA to boost deployment of encrypted CCA as in TLS 1.3
Tool of the week
-AddressSanitizer (or ASan)
-BYOB (Build Your Own Botnet) – thanks to Naz
BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats
-Gargoyle: Innovative solution for preventing insider attacks
Dubbed Gargoyle, the solution:
- Evaluates the trustworthiness of an access request context through a set of Network Context Attributes (NCAs) that are extracted from the network traffic
- Leverages the capabilities of Software-Defined Network (SDN) for both policy enforcement and implementation
- Takes advantage of the network controller for added protection/defense
- Avoids a binary approach when making authorizations. Instead, depending on the context, some functions (e.g., copy, email) may be disallowed for the data requester
-Two Factor Auth List – thanks to Neil
List of sites with Two Factor Auth support which includes SMS, email, phone calls, hardware, and software
-Updated: Amass – In-Depth DNS Enumeration written in Go
-Advanced for Pentesters: House: A Mobile Analysis Platform Built on Frida
House is an open source web application that simplifies the testing process with Frida. With House, security researchers can easily generate Frida scripts to perform various tasks including enumeration, function hooking and intercepting. It also provides an easy-to-use web UI for researchers to generate, customize, and manage their Frida scripts
-DOMPurify
DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks
Other interesting articles
Zero login: Fixing the flaws in authentication
The truth is clear. We are moving into a post-password zero-login age, with new biometric technologies and other PII innovations helping to secure a fast, easy, frictionless personalised experience for every single application we need to access on a daily basis
The Most Common Vulnerability Of All
Rethinking Email for Privacy and Security
5 ways to find and fix open source vulnerabilities
A recent discovery of surreptitious execution of cryptomining code by a sandboxed app, riding piggyback on the open source software (OSS) ecosystem, raises pertinent questions about the security of open source code and its dependencies
Data regulations and privacy discussions are still in the early stage
GDPR is just the starting point
Privacy by design
And finally, the Engineer’s guide to the future
Augmented Reality (AR), also known as Mixed Reality (MR) or even more trendily, Extended Reality (XR), is approaching blockchain levels of hype.
With the advent of ARKit and ARCore, augmented reality apps are now a lot easier to make. There are a lot of people trying to sell them as amazingly groundbreaking, with the ability to change retail, health, finance, whatever
If it can be automated to save money or make money, it will be automated.
Here’s some varied, and potentially crazy, thoughts on what else could happen to impact us:
- Quantum Computing — I could have spent more time on this, but don’t know enough about it yet to be knowledgeable. Basically, quantum computing could be capable of carrying out calculations heretofore impossible and also do things we may not like as much, such as breaking all known encryption algorithms. This field is likely to be huge, and focusing your efforts here would probably not be a bad career move.
- Driverless cars will replace most cars. And they won’t be called ‘cars’ (we don’t call cars horseless carriages, and we won’t call cars that move themselves, cars). See my post here ‘Your Grandkids won’t need to know how to drive’. These “cars” will be basically massive computers, with screens, voice interfaces and more, so there will be so much potential for engineers to get involved.
- Ageing could be extended dramatically, most likely for the super-rich. If you’re a billionaire right now, you’re most likely investing in a remote hideaway in case civilisation falls, or doing research into life-extending technology. More to read on this here and here.
- The population could explode as major illnesses like cancer and heart disease are prevented / cured, along with road-accidents being eliminated by those driverless cars.
- The population could be significantly reduced by a pandemic or other disaster.
- Clean, free energy could be created, either by Nuclear Fusion (read more here) or some new breakthrough. What changes would next-to-free electricity do for industry, and for consumers?
- The Space Industry could grow massively — think asteroid mining or tourist trips to the moon. Bored of programming APIs? Why not help program a probe to mine ore on asteroids?
- War at a scale not seen since the 20th Century.
- Nano-technology — micro-robotics that could be used for innumerable things — medicine, manufacturing, military, security and much more. And fighting crime
HACKING, TOOLS and FUN – CHECK BELOW!