Security Stack Sheet #11

Word of the week “Donkey Deception”

Zoo denies it painted a donkey to look like a zebra

A photo went viral from a zoo in Cairo where it appears donkeys have been disguised as zebras using paint

Links HERE and HERE


Word of the week special “Surgical penetration testing”

Links HERE and HERE Real thing HERE


Bonus

Link HERE

And reply…

Link HERE

Link HERE

No Link

Link HERE

“Bulkify your code”

Code that has been bulkified (structured to process many records in one call) runs correctly in every context it is invoked from. In particular, when you import data, a trigger or method that normally receives a single record as input will be handed a batch of records (a hundred or more) in one call; to run correctly in that context (and others) it must be written to handle multiple records.

Link HERE


Crypto challenge of the week

-NSA Puzzle Periodical Marble Math

Link HERE


Dates

May 25: GDPR Live! See incidents section below – Worst breaches in 2018 so far HERE

June 30: PCI DSS deadline to stop using SSL and early TLS (TLS 1.0). TLS 1.1 is the minimum that remains allowed; TLS 1.2 or higher is the recommended target. BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security
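What "TLS 1.2 mandatory" looks like on the client side, as an added example (not code from the newsletter or from the PCI council): a verifying context that refuses anything below TLS 1.2, a probe that reports what a server actually negotiates, and a compliance probe that asks whether the server will still complete a TLS 1.0/1.1 handshake. Nothing here hard-codes a server; the hostname on the command line is whatever you pass in.

```python
"""Client-side TLS floor: refuse TLS 1.0/1.1 and report what a server negotiates.

Added example, not from the newsletter or the PCI council. Needs Python 3.7+
(SSLContext.minimum_version). The probes talk to a real host only when you
call them with one.
"""
import socket
import ssl


def hardened_context():
    """Verifying client context that will not go below TLS 1.2.

    ssl.create_default_context() already checks certificates and hostnames;
    the version floor is the part older deployments forgot to set.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Pre-3.7 code spelled the same policy as option bits:
    #   ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return ctx


def hardened_floor():
    """Name of the lowest protocol version the hardened context accepts."""
    return hardened_context().minimum_version.name


def negotiated_version(host, port=443, timeout=5.0):
    """Handshake with host under the hardened policy; None if it cannot."""
    ctx = hardened_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()          # e.g. "TLSv1.2" or "TLSv1.3"
    except (ssl.SSLError, OSError):
        return None


def offers_legacy_tls(host, port=443, timeout=5.0):
    """Compliance probe: will the server still complete a TLS 1.0/1.1 handshake?

    Certificate checks are off because only the version matters here. The
    answer is only meaningful if the local OpenSSL is itself willing to speak
    those versions; a build that refuses shows up as False, not as proof.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let OpenSSL 1.1+/3 try
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() in ("TLSv1", "TLSv1.1")
    except (ssl.SSLError, OSError):
        return False


def unused_local_port():
    """A TCP port nothing listens on (exercises the failure path offline)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(target, "negotiated:", negotiated_version(target))
    print(target, "still offers TLS 1.0/1.1:", offers_legacy_tls(target))
```

Run it with a hostname to see the negotiated version; a None from negotiated_version against a host that works in a browser usually means the server only speaks TLS 1.0/1.1, which is exactly the June 30 problem.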

Now: HTTPS mandatory

HTTPS Is Easy!

Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare

Link HERE What Cloudflare says HERE and HERE

August – Holidays!!

July 27 – Mars approach and liquid water on Mars HERE

March 29 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first

-Security devolution with Troy Hunt – HTTPS + content security + CAA + WTF

Web security has come a long way in recent years, and these days there is a whole bunch of browser security features that can not only make your site more secure than ever but make your job as a developer even easier. Yet the features remain largely unused, with many developers not knowing of their existence nor how to properly leverage them. In this talk you’ll see the mechanics of a whole bunch of acronyms you’ve probably never heard of before, and witness first hand as they’re put into action. You’ll see the attacks they prevent, how to implement them and ultimately how they help better protect the apps you’re building.

Link HERE
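To put the talk’s acronyms to work, here is an added example (not code from Troy Hunt’s talk or from this newsletter) that audits a response’s HSTS, CSP and related headers and applies the CAA issuance rules to a DNS record set. The two header sets and the CAA records are constructed; cdn.example and example.org are placeholders, not real deployments.

```python
"""Audit HTTP security headers and CAA records the way the talk describes them.

Added example, not the talk's or the newsletter's code. WEAK_HEADERS,
HARDENED_HEADERS and CAA_RECORDS are constructed samples; cdn.example and
example.org are placeholders, not real deployments.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age the HSTS preload list expects

# Constructed: the kind of response a site serves before anyone looks at it
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}

# Constructed: the same site after HSTS, a real CSP and nosniff are added
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example; "
        "object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests"
    ),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed CAA record set in presentation format: only Let's Encrypt may
# issue, nobody may issue wildcards, violations are reported to the mailbox
CAA_RECORDS = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.org"',
]


def _header(headers, name):
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(value):
    """'default-src x; script-src y z' -> {'default-src': ['x'], ...}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers):
    """Return the findings for one HTTPS response; an empty list is a pass."""
    findings = []
    hsts = _header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = _csp_directives(csp)
        scripts = d.get("script-src", d.get("default-src", []))  # CSP fallback rule
        if "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
            findings.append("CSP allows inline or eval scripts")
        if any(s == "*" or s.startswith("http:") for s in scripts):
            findings.append("CSP script sources include * or plaintext origins")
        if "object-src" not in d and "'none'" not in d.get("default-src", []):
            findings.append("CSP does not block plugins (object-src)")
        if "frame-ancestors" not in d and _header(headers, "X-Frame-Options") is None:
            findings.append("no clickjacking protection")

    if (_header(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing")
    return findings


def caa_allows(records, ca_domain, wildcard=False):
    """May ca_domain issue for this name under these CAA records (RFC 8659)?

    No issue/issuewild property at all means no restriction. For wildcard
    names an issuewild set, if present, replaces the issue set. A value of
    ";" names no CA, so it forbids issuance outright.
    """
    parsed = []
    for record in records:
        _flags, tag, value = record.split(None, 2)
        issuer = value.strip('"').split(";")[0].strip()   # drop parameters
        parsed.append((tag.lower(), issuer.lower()))
    tags = {tag for tag, _ in parsed}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True
    return any(t == tag and issuer == ca_domain.lower() for t, issuer in parsed)
```

Feed audit_headers the header dict from any HTTPS client and caa_allows the CAA records from your resolver; the CAA check is the one to run before switching to a CDN or a new CA, since a record set that only names the old issuer silently breaks renewal.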

– Hacking Chrome to Look More Awesome!

I’ve been playing around with a few of the ‘hidden’ flags in the Chrome browser and I’ve come up with a selection of settings that I think really improve the current browsing experience. Here they are if you want to try them out!

Link HERE

-The OWASP ZAP HeadsUpDisplay – Usable Security Tooling

Link HERE Explanations HERE

-Safeguard your code: 17 tips to develop more-secure code

Secure programming tip No. 1: Test inputs rigorously

Secure programming tip No. 2: Store what you need, and not one bit more

Secure programming tip No. 3: Avoid trusting passwords more than necessary

Secure programming tip No. 4: Negotiate requirements

Secure programming tip No. 5: Add delays to your code

Secure programming tip No. 6: Use encryption more often than you think you should

Secure programming tip No. 7: Build walls

Secure programming tip No. 8: Tested libraries—use them

Secure programming tip No. 9: Use internal APIs

Secure programming tip No. 10: Bring in outside auditors to critique your code

Secure programming tip No. 11: Code analyzers are your friend

Secure programming tip No. 12: Limit privilege

Secure programming tip No. 13: Model your threat

Secure programming tip No. 14: Trust goes both ways

Secure programming tip No. 15: Keep apprised of the latest threats

Secure programming tip No. 16: Deep research can pay off

Secure programming tip No. 17: Educate yourself

Link HERE

-OWASP Europe London 2018 – Slides and videos

CISO

“Adding Privacy by Design”, by Sebastien Deleersnyder – Slides

“A View from Above”, by Chris Horn – Slides

“Current Research and Standards”, by Charles M Schmidt – Slides

“Deconstructing Threat Modeling”, by Ciaran Conliffe – Slides

“Development to Risk Management”, by Johanna Curiel – Slides

“Regular to Enterprise Ready”, by Ovidiu Cical – Slides

“Seconds out”, by Etienne Greeff – Slides

“Security is Everyone’s Job”, by Tanya Janca – Slides

“Threat Modeling for IOT”, by Dan Cornell – Slides

“Threat Perspectives”, by Jacky Fox and Gina Dollard – Slides

Developer

“A Methodology for Assessing”, by Pedro Fortuna – Slides

“Building Secure ASP NET”, by Niels Tanis – Slides

“Cross Application CSRF Protection”, by Egor Balyshev – Slides

“Injecting Security Controls”, by Katy Anton – Slides

“Oauth is DAC”, by Johan Peeters – Slides

“Patterns in Nodejs”, by Chetan Karande – Slides

“Remediate the Flag”, by Andrea Scaduto – Slides

“Secure Software Development”, by Damilare D. Fagbemi – Slides

“Unicode The Hero or Villain”, by Paweł Krawczyk – Slides

“Usable Security”, by Achim D. Brucker – Slides

DevOps

“Gamifying Education”, by Max Feldman and John Sonnenschein – Slides

“Building an AppSec Program”, by Chris Romeo – Slides

“Building a Valid Threat Library”, by Tony UcedaVélez – Slides

“Detecting and Preventing”, by Lieven Desmet – Slides

“Docker 201 Security”, by Dirk Wetter – Slides

“Gamifying Developer Education”, by Max Feldman and John Sonnenschein – Slides

“Jumpstarting Your DevSecOps”, by Jeff Williams – Slides

“Making Continuous Security”, by Matt Tesauro and Aaron Weaver – Slides

“Securing Containers”, by Jack Mannino and Abdullah Munawar – Slides

Hacker

“Exploiting Unknown Browsers”, by Gareth Heyes – Slides

“FIESTA”, by Jose Selvi – Slides

“Outsmarting Smart Contracts”, by Damian Rusinek – Slides

“Secure Messengers”, by Jeremy Matos and Laureline David – Slides

“The Last XSS”, by Jim Manico – Slides

“WAF Bypass Techniques”, by Soroush Dalili – Slides

Link HERE


Incidents

Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Singapore health system attacked – 1.5m records stolen

Singapore’s Ministry of Health and Ministry of Communications and Information have reported that 1.5 million personal data records, about a quarter of the country’s population, were stolen in a recent breach. The data included names, national identity card numbers, addresses, gender, race and dates of birth, with 160,000 of these also containing the records of dispensed medicines

The threat from Emotet dropper malware

The US Department of Homeland Security has warned of the threat to network systems from Emotet. Emotet is an advanced banking trojan that primarily functions as a downloader or dropper of other banking trojans. It is disseminated through malicious attachments or links in email, which often appear as quite convincing invoices, receipts and shipping notices using branding familiar to the recipient. Emotet has worm-like features that result in rapidly spreading network-wide infections; it can evade typical signature-based detection, is Virtual Machine aware and has several methods for maintaining persistence on a network. The US alert reports that Emotet infections on local government systems have cost up to $1 million per incident to remediate

Link HERE


Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

Reddit security incident

A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.

What happened?

On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.

Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.

Now that we’ve concluded our investigation sufficiently to understand the impact, we want to share what we know, how it may impact you, and what we’ve done to protect us and you from this kind of attack in the future

Link HERE
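Reddit’s advice is to move to token-based 2FA. The arithmetic behind the common app-based token, HOTP (RFC 4226) and TOTP (RFC 6238), as an added example that is not Reddit’s code and not from this newsletter, including the two checks a verifier tends to get wrong: a small clock-drift window, and refusing a replay of a code that has already been accepted. The secret is the RFC test-vector key, not a real one; the account and issuer names in the usage are made up.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP with the checks a verifier needs.

Added example (not Reddit's code). Standard library only. RFC_SECRET is the
key from the RFC test vectors, never a real secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890")
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password for a 64-bit counter (RFC 4226 §5.3)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based variant: the counter is the number of steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits, algo)


def verify_totp(secret, submitted, at=None, step=30, window=1, last_used=None):
    """Accept the current step and `window` steps either side of it.

    Returns the counter that matched, so the caller can persist it and pass
    it back as last_used: a counter is accepted once, which blocks replay of
    a code an attacker phished seconds ago. Comparison is constant-time.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if last_used is not None and c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI an authenticator app enrols from (usually as a QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Made-up account and issuer; enrol this URI, then compare the app's code
    print(provisioning_uri(RFC_SECRET, "alice@example.org", "Example"))
    print("current code:", totp(RFC_SECRET))
```

Keep the enrolled secret as carefully as a password hash (it is a shared key, not a hash) and store the accepted counter per user. Note the caveat: TOTP removes the SMS-intercept path Reddit describes but can still be relayed in real time by a phishing page; origin-bound hardware tokens (U2F/WebAuthn) close that gap too.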

Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software -> Font Packages Compromised with Cryptocurrency Miners

Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users’ computers.

The OS maker discovered the incident after its staff received alerts via Windows Defender ATP, Microsoft’s commercial endpoint detection and response service built on top of the Windows Defender antivirus.

Link HERE

Endgame Ends Document-Based Phishing Attacks With Machine Learning

Endgame, the first endpoint protection platform to deliver the stopping power of a world class SOC in a single agent, today announced that it has enhanced its platform to end the threat of document-based phishing attacks. MalwareScore, a host-based machine learning technology, now has the capability to identify and block known and never before seen malicious Microsoft Office documents pre-execution with 99 percent efficacy

Link HERE

NetSpectre: Read Arbitrary Memory over Network

Link HERE Attack HERE

Vehicle Cybersecurity: Mitigating the Threat of Connectedness

Earlier this year, authors David Morris, Garikayi Madzudzo and Alexeis Garcia-Perez released a report on threats to vehicle cybersecurity, noting that the systems in automobiles are as vulnerable as any other connected device

Link HERE

The Pentagon has been working on a “do not buy” list of software from Russia and China

Once a vendor is included on the list, their products will be boycotted by the Pentagon as a security risk

Link HERE

Popular electric scooter startups are collecting tons of location data on their riders

…but don’t have the security to protect that information

Link HERE


Research of the week

-Multi-Factor Authentication: Four Challenges Faced by Developers

Link HERE

-Quantum key distribution

This white paper describes our current position on quantum key distribution (QKD). QKD is an approach to key distribution that relies on the properties of quantum mechanics to provide security.

Executive summary

Specifically, this paper:

explores the limitations of QKD systems, including security concerns

makes the case for research into developing post-quantum public key cryptography as a more practical and cost-effective step towards defending real-world communications systems from the threat of a future quantum computer

Note: QKD is distinct from post-quantum public key cryptography, which is based on classical mathematical problems that are hard to solve even in the presence of quantum computers

Link HERE

-Malicious Word documents using DOSfuscation

For more than a week now, malicious Word documents using DOSfuscation (“DOS command obfuscation”) have been appearing.

These are classic maldocs with obfuscated VBA code that builds up a command and then executes it via a shell. The commands we are seeing now are executed through cmd.exe and heavily obfuscated with methods described in the DOSfuscation research. These cmd commands have one or more levels of DOS command obfuscation, and then execute a PowerShell command. This is an unobfuscated, classic downloader PowerShell script with several URLs.

Link HERE
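The chain above (obfuscated cmd.exe line wrapping a PowerShell downloader) is also a detection opportunity. An added example, not the diary’s code: it strips caret escapes, replays `set` variable assignments and `%var:~n,m%` substring expansions to rebuild the real command line, then scores what comes out. The three command lines are constructed to mimic the described behaviour, not real samples, and the base64 blob is a placeholder.

```python
"""Deobfuscate and score DOSfuscation-style cmd.exe command lines.

Added example for the diary entry above; not the diary's code. The three
command lines below are constructed to mimic the described maldoc chain
(cmd.exe obfuscation around a PowerShell downloader), not real samples.
"""
import re

SAMPLE_SET = (
    'cmd /c "set _a=pow&&set _b=ershell&&set _c=-nop -w hidden -e&&'
    'call %_a%%_b% %_c% SQBFAFgA"'
)
SAMPLE_CARET = "c^m^d /c p^o^w^e^r^s^h^e^l^l -^n^o^p -^e^n^c SQBFAFgA"
SAMPLE_BENIGN = "cmd /c dir C:\\Users && echo done"

SET_RE = re.compile(r"\bset\s+([A-Za-z_]\w*)=([^&]*)", re.IGNORECASE)
SUBSTR_RE = re.compile(r"%([A-Za-z_]\w*):~(-?\d+)(?:,(-?\d+))?%")
VAR_RE = re.compile(r"%([A-Za-z_]\w*)%")
ASSIGN_RE = re.compile(r"\bset\s+[A-Za-z_]\w*=[^&]*&&\s*", re.IGNORECASE)

# What the rebuilt command line should not contain in a benign document.
# -e/-ec/-enc/-encodedcommand are the usual spellings of the encoded switch.
INDICATORS = [
    ("powershell", re.compile(r"powershell", re.I)),
    ("encoded-command", re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?(?!\S)", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("downloader", re.compile(r"downloadstring|downloadfile|webclient|invoke-webrequest", re.I)),
]
OBFUSCATION = ("caret-escapes", "substring-expansion", "variable-reassembly")


def strip_carets(cmd):
    """cmd.exe treats ^ as an escape outside double quotes; drop it there only."""
    out, in_quotes = [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes:
            continue
        out.append(ch)
    return "".join(out)


def expand_variables(cmd):
    """Replay `set X=...` assignments into later %X% and %X:~n,m% references."""
    env = {name.upper(): value for name, value in SET_RE.findall(cmd)}

    def substring(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)                 # unknown variable: leave as-is
        start = int(m.group(2))
        if start < 0:                         # negative offsets count from the end
            start = max(len(value) + start, 0)
        if m.group(3) is None:
            return value[start:]
        length = int(m.group(3))
        end = start + length if length >= 0 else len(value) + length
        return value[start:end]

    def plain(m):
        return env.get(m.group(1).upper(), m.group(0))

    expanded = VAR_RE.sub(plain, SUBSTR_RE.sub(substring, cmd))
    return ASSIGN_RE.sub("", expanded)        # drop the now-redundant assignments


def analyze(cmd):
    """Return (rebuilt command line, list of findings) for one command line."""
    findings = []
    carets = cmd.count("^")
    if carets >= 3:
        findings.append(f"caret-escapes:{carets}")
    if SUBSTR_RE.search(cmd):
        findings.append("substring-expansion")
    assignments = SET_RE.findall(cmd)
    if len(assignments) >= 2 and VAR_RE.search(cmd):
        findings.append(f"variable-reassembly:{len(assignments)}")
    rebuilt = expand_variables(strip_carets(cmd))
    findings += [name for name, rx in INDICATORS if rx.search(rebuilt)]
    return rebuilt, findings


def is_suspicious(cmd):
    """Obfuscation plus a PowerShell payload is the combination worth an alert."""
    _, findings = analyze(cmd)
    obfuscated = any(f.split(":")[0] in OBFUSCATION for f in findings)
    return obfuscated and "powershell" in findings


if __name__ == "__main__":
    for sample in (SAMPLE_SET, SAMPLE_CARET, SAMPLE_BENIGN):
        rebuilt, findings = analyze(sample)
        print(is_suspicious(sample), findings, "->", rebuilt)
```

Run it over the command-line field of process-creation events (Sysmon event 1 or Windows 4688 with command-line auditing on) where the parent is winword.exe; the rebuilt line is what to hand to the PowerShell decoder next.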


Tool of the week

-Hack yourself first!

This website is provided by troyhunt.com as part of the Pluralsight course Hack Yourself First: How to go on the cyber-offence. It’s full of nasty app sec holes. No seriously, it’s terrible!

This course is designed to help web developers on all frameworks identify risks in their own websites before attackers do and it uses this site extensively to demonstrate risks. Feel free to browse through this site and go watch the course if you’d like to see both the risks and mitigations in action

Link HERE

-Integrating LDAP/AD Users to Kubernetes RBAC with the AWS-IAM-Authenticator Community Project

Link HERE

-CRAWLER.NINJA

Alexa top 1 million security analysis

Link HERE

-Have I Been Pwned Zapier integration

Connects the HIBP API to Zapier so that users can check email addresses against known breaches.

Link HERE

-Updated again!: DOMPurify

DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks

Why the last update HERE

Link HERE Preso – How to protect web apps using Javascript HERE


Other interesting articles

The Road to QUIC

QUIC (Quick UDP Internet Connections) is a new encrypted-by-default Internet transport protocol that provides a number of improvements designed to accelerate HTTP traffic as well as make it more secure, with the goal of eventually replacing TCP and TLS on the web. In this blog post we outline some of the key features of QUIC and how they benefit the web, and also some of the challenges of supporting this radical new protocol.

Link HERE


21 Security Pros Reveal The One Thing They’d Change About AWS Security

And one of them says:

“The biggest security risk with AWS…”

Especially for small companies, is the lack of understanding where security duties begin and end with the public cloud provider.

Link HERE


Your Security Just Might Kill Your Serverless

Let me start with an anecdote. In the midst of a fascinating discussion with the security person in a large company that has embraced serverless, I asked her how it came about that the security organization doesn’t own the security controls to the application. “How do you guys let the developers own the IAM roles and VPC decisions?” I asked. Her answer was astonishing but also enlightening: “We tried, but the developers threatened they would all leave.”

My instinct, and perhaps yours, was to think, “Oh my God, these developers have really taken over the world.” It’s easy to attribute this to some sort of megalomania and turn it into a story about how hard it is to find a good developer these days. But that would be entirely missing the point, and the point is important

Link HERE


Reminder: Cloudflare’s Lava Lamp Cryptography

Cloudflare uses data generated from images of 100 active lava lamps in the lobby of the company’s office in San Francisco in combination with other data – the movement of a pendulum in London and data from a Geiger counter in Singapore – to generate cryptographic keys.

[Pescatore]

Lava lamps were used by Silicon Graphics 20 years ago to seed random number generation. I don’t think in the intervening decades anyone has debunked the method, but the old joke was that the security team came through and put lens caps on the cameras monitoring the lamps…

Link HERE Tech details HERE


Bitcoin (BTC) and Crypto vs. Mastercard: Which Is More Secure?

Mastercard CEO Ajay Banga called cryptocurrency “junk” this week, right before a tweet apparently challenging the security of PayPass, a Mastercard product, surfaced on Twitter.

Link HERE


Secure Contexts Everywhere

Since Let’s Encrypt launched, secure contexts have become much more mature. We have witnessed the successful restriction of existing, as well as new features to secure contexts. The W3C TAG is about to drastically raise the bar to ship features on insecure contexts. All the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP

Links HERE and HERE


The age of cyberwar is here. We can’t keep citizens out of the debate

Unlike nuclear weapons, there is no clear protocol for when cyberwarfare should be used, or how to respond to an attack

Link HERE


And finally, Phone and internet use: Number of mobile calls drops for first time

Link HERE


HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Link HERE and credits to HERE
