Word of the week “Donkey Deception”
Zoo denies it painted a donkey to look like a zebra
A photo went viral from a zoo in Cairo where it appears donkeys have been disguised as zebras using paint
Word of the week special “Surgical penetration testing”
“Bulkify your code”
Code that has been bulkified (structured to process multiple records at once) will run properly in different contexts. In particular, if you import data, the trigger or method that ordinarily receives a single record as input will receive a hundred; to run correctly in this context (and others) it should be written to handle multiple records
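Added example (not code from the newsletter or from any platform vendor): the import scenario above modelled with Python and an in-memory SQLite table, both assumptions. A per-record handler is placed beside its bulkified form and the number of queries each needs for a 100-record batch is counted, which is where single-record code breaks when it suddenly receives a hundred records.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample data: three accounts and 100 contacts pointing at them.
ACCOUNTS = [(1, "Acme"), (2, "Globex"), (3, "Initech")]
CONTACTS = [(i, f"user{i}@example.test", (i % 3) + 1) for i in range(1, 101)]

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the platform database (assumption of this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, email TEXT, account_id INTEGER)")
    conn.executemany("INSERT INTO account VALUES (?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO contact VALUES (?, ?, ?)", CONTACTS)
    return conn

class QueryCounter:
    """Counts executed SQL statements, the way a platform query limit would."""
    def __init__(self, conn: sqlite3.Connection) -> None:
        self.count = 0
        conn.set_trace_callback(self._tick)
    def _tick(self, _stmt: str) -> None:
        self.count += 1

JOIN = "FROM contact c JOIN account a ON a.id = c.account_id"

def label_per_record(conn, contact_ids: List[int]) -> Dict[int, str]:
    """Single-record thinking: one query per contact, so 100 imported records cost 100 queries."""
    result = {}
    for cid in contact_ids:
        row = conn.execute(f"SELECT a.name {JOIN} WHERE c.id = ?", (cid,)).fetchone()
        result[cid] = row[0]
    return result

def label_bulk(conn, contact_ids: List[int]) -> Dict[int, str]:
    """Bulkified: one parameterised query for the whole batch, then a dictionary lookup."""
    placeholders = ",".join("?" * len(contact_ids))  # only '?' marks; values stay bound
    rows = conn.execute(f"SELECT c.id, a.name {JOIN} WHERE c.id IN ({placeholders})",
                        contact_ids).fetchall()
    return dict(rows)

def compare() -> Tuple[int, int, bool]:
    """Returns (queries used per record, queries used bulk, outputs identical?)."""
    ids = [c[0] for c in CONTACTS]
    conn = make_db()
    counter = QueryCounter(conn)
    per_record = label_per_record(conn, ids)
    n_per_record, counter.count = counter.count, 0
    bulk = label_bulk(conn, ids)
    return n_per_record, counter.count, per_record == bulk
```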
Crypto challenge of the week
-NSA Puzzle Periodical Marble Math
May 25: GDPR Live! See incidents section below – Worst breaches in 2018 so far HERE
June 30: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS Is Easy!
Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare
August – Holidays!!
March 29 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-Security devolution with Troy Hunt – HTTPS + content security + CAA + WTF
Web security has come a long way in recent years and these days there’s a whole bunch of browser security features that can not only make your site more secure than ever, but make your job as a developer even easier. But the features remain largely unused, with many developers not knowing of their existence nor how to properly leverage them. In this talk you’ll see the mechanics of a whole bunch of acronyms you’ve probably never heard of before, and witness first hand as they’re put into action. You’ll see the attacks they prevent, how to implement them and ultimately, how they help better protect the apps you’re building
– Hacking Chrome to Look More Awesome!
I’ve been playing around with a few of the ‘hidden’ flags in the Chrome browser and I’ve come up with a selection of settings that I think really improve the current browsing experience. Here they are if you want to try them out!
-The OWASP ZAP HeadsUpDisplay – Usable Security Tooling
-Safeguard your code: 17 tips to develop more-secure code
Secure programming tip No. 1: Test inputs rigorously
Secure programming tip No. 2: Store what you need, and not one bit more
Secure programming tip No. 3: Avoid trusting passwords more than necessary
Secure programming tip No. 4: Negotiate requirements
Secure programming tip No. 5: Add delays to your code
Secure programming tip No. 6: Use encryption more often than you think you should
Secure programming tip No. 7: Build walls
Secure programming tip No. 8: Tested libraries—use them
Secure programming tip No. 9: Use internal APIs
Secure programming tip No. 10: Bring in outside auditors to critique your code
Secure programming tip No. 11: Code analyzers are your friend
Secure programming tip No. 12: Limit privilege
Secure programming tip No. 13: Model your threat
Secure programming tip No. 14: Trust goes both ways
Secure programming tip No. 15: Keep apprised of the latest threats
Secure programming tip No. 16: Deep research can pay off
Secure programming tip No. 17: Educate yourself
-OWASP Europe London 2018 – Slides and videos
“Adding Privacy by Design”, by Sebastien Deleersnyder – Slides
“A View from Above”, by Chris Horn – Slides
“Current Research and Standards”, by Charles M Schmidt – Slides
“Deconstructing Threat Modeling”, by Ciaran Conliffe – Slides
“Development to Risk Management”, by Johanna Curiel – Slides
“Regular to Enterprise Ready”, by Ovidiu Cical – Slides
“Seconds out”, by Etienne Greeff – Slides
“Security is Everyone’s Job”, by Tanya Janca – Slides
“Threat Modeling for IOT”, by Dan Cornell – Slides
“Threat Perspectives”, by Jacky Fox and Gina Dollard – Slides
“A Methodology for Assessing”, by Pedro Fortuna – Slides
“Building Secure ASP NET”, by Niels Tanis – Slides
“Cross Application CSRF Protection”, by Egor Balyshev – Slides
“Injecting Security Controls”, by Katy Anton – Slides
“OAuth is DAC”, by Johan Peeters – Slides
“Patterns in Nodejs”, by Chetan Karande – Slides
“Remediate the Flag”, by Andrea Scaduto – Slides
“Secure Software Development”, by Damilare D. Fagbemi – Slides
“Unicode The Hero or Villain”, by Pawel Krawczyk – Slides
“Usable Security”, by Achim D. Brucker – Slides
“Gamifying Education”, by Max Feldman and John Sonnenschein – Slides
“Building an AppSec Program”, by Chris Romeo – Slides
“Building a Valid Threat Library”, by Tony Ucedavelez – Slides
“Detecting and Preventing”, by Lieven Desmet – Slides
“Docker 201 Security”, by Dirk Wetter – Slides
“Gamifying Developer Education”, by Max Feldman and John Sonnenschein – Slides
“Jumpstarting Your DevSecOps”, by Jeff Williams – Slides
“Making Continuous Security”, by Matt Tesauro and Aaron Weaver – Slides
“Securing Containers”, by Jack Mannino and Abdullah Munawar – Slides
“Exploiting Unknown Browsers”, by Gareth Heyes – Slides
“FIESTA”, by Jose Selvi – Slides
“Outsmarting Smart Contracts”, by Damian Rusinek – Slides
“Secure Messengers”, by Jeremy Matos and Laureline David – Slides
“The Last XSS”, by Jim Manico – Slides
“WAF Bypass Techniques”, by Soroush Dalili – Slides
Incidents in the world last week
Other source HERE: find your country
Singapore health system attacked – 1.5m records stolen
Singapore’s Ministry of Health and Ministry of Communications and Information have reported that 1.5 million personal data records, about a quarter of the country’s population, were stolen in a recent breach. The data included names, national identity card numbers, addresses, gender, race and dates of birth, with 160,000 of these also containing the records of dispensed medicines
The threat from Emotet dropper malware
The US Department of Homeland Security has warned of the threat to network systems from Emotet. Emotet is an advanced banking trojan that primarily functions as a downloader or dropper of other banking trojans. It is disseminated through malicious attachments or links in email, which often appear as quite convincing invoices, receipts and shipping notices using branding familiar to the recipient. Emotet has worm-like features that result in rapidly spreading network-wide infections; it can evade typical signature-based detection, is Virtual Machine aware and has several methods for maintaining persistence on a network. The US alert reports that Emotet infections on local government systems have cost up to $1 million per incident to remediate
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Reddit security incident
A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.
On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.
Now that we’ve concluded our investigation sufficiently to understand the impact, we want to share what we know, how it may impact you, and what we’ve done to protect us and you from this kind of attack in the future
Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software -> Font Packages Compromised with Cryptocurrency Miners
Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users’ computers.
The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus
Endgame Ends Document-Based Phishing Attacks With Machine Learning
Endgame, the first endpoint protection platform to deliver the stopping power of a world class SOC in a single agent, today announced that it has enhanced its platform to end the threat of document-based phishing attacks. MalwareScore, a host-based machine learning technology, now has the capability to identify and block known and never before seen malicious Microsoft Office documents pre-execution with 99 percent efficacy
NetSpectre: Read Arbitrary Memory over Network
Vehicle Cybersecurity: Mitigating the Threat of Connectedness
Earlier this year, authors David Morris, Garikayi Madzudzo and Alexeis Garcia-Perez released a report on threats to vehicle cybersecurity, noting that the systems in automobiles are as vulnerable as any other connected device
The Pentagon has been working on a “do not buy” list of software from Russia and China
Once a vendor is included on the list, their products will be boycotted by the Pentagon as a security risk
Popular electric scooter startups are collecting tons of location data on their riders
…but don’t have the security to protect that information
Research of the week
-Multi-Factor Authentication: Four Challenges Faced by Developers
-Quantum key distribution
This white paper describes our current position on quantum key distribution (QKD). QKD is an approach to key distribution that relies on the properties of quantum mechanics to provide security.
Specifically, this paper:
explores the limitations of QKD systems, including security concerns
makes the case for research into developing post-quantum public key cryptography as a more practical and cost-effective step towards defending real-world communications systems from the threat of a future quantum computer
Note: QKD is distinct from post-quantum public key cryptography, which is based on classical mathematical problems that are hard to solve even in the presence of quantum computers
-Malicious Word documents using DOSfuscation
For more than a week now, malicious Word documents using DOSfuscation (“DOS command obfuscation”) have been appearing.
These are classic maldocs with obfuscated VBA code that build up a command and then execute it via a shell. The commands we are seeing now are executed through cmd.exe and heavily obfuscated with methods described in the DOSfuscation research. These cmd commands have one or more levels of DOS command obfuscation and then execute a PowerShell command. This is an unobfuscated, classic downloader PowerShell script with several URLs
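Added example, not code from the diary above: a small scoring heuristic a defender could run over captured cmd.exe command lines to flag the layered DOS command obfuscation described there (caret insertion, environment-variable substring expansion, set/call assembly, for-loop reassembly) and the PowerShell launch that follows it. The indicator weights and the constructed sample lines, which carry only harmless payloads, are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample command lines with harmless payloads, used only to exercise the checks.
SAMPLES = {
    "plain":   'cmd /c echo hello',
    "carets":  'cmd /c p^o^w^e^r^s^h^e^l^l -nop -w hidden echo hello',
    "substr":  '%COMSPEC:~0,3% /c "set x=powershell&& call %x:~0,10% echo hello"',
    "forloop": 'cmd /c for /f "tokens=1 delims=#" %a in ("powershell#pad") do %a echo hello',
}

# One named regex per obfuscation layer the diary refers to.
CHECKS = [
    ("caret_escapes",    re.compile(r"\^")),                                   # ^ inserted inside tokens
    ("substring_expand", re.compile(r"%[^%\s]+:~\s*-?\d+(?:,\s*-?\d+)?%")),    # %VAR:~start,len%
    ("comspec_indirect", re.compile(r"%COMSPEC", re.IGNORECASE)),              # cmd.exe reached via a variable
    ("set_then_call",    re.compile(r"\bset\s+\w+=.*\bcall\b", re.IGNORECASE)),  # assemble, then call
    ("for_reassembly",   re.compile(r"\bfor\s+/f\b.*\b(?:tokens|delims)=", re.IGNORECASE)),
    ("quote_splitting",  re.compile(r'\w""\w')),                               # po""wershell style
]

def surface_clean(cmd: str) -> str:
    """Undo the cheapest tricks (carets, empty quote pairs) so plain keywords reappear."""
    return cmd.replace("^", "").replace('""', "")

def score(cmd: str) -> Dict[str, object]:
    """Weighted indicator count; the follow-on PowerShell launch the diary describes adds weight."""
    hits: List[str] = []
    points = 0
    for name, rx in CHECKS:
        n = len(rx.findall(cmd))
        if name == "caret_escapes":
            if n >= 3:  # one or two carets are ordinary escaping; a pile of them is not
                hits.append(name)
                points += 2
        elif n:
            hits.append(name)
            points += 3
    if "powershell" in surface_clean(cmd).lower():
        hits.append("launches_powershell")
        points += 2
    return {"score": points, "hits": hits, "suspicious": points >= 4}

def triage(samples: Dict[str, str] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether the heuristics flag it."""
    return {name: score(cmd)["suspicious"] for name, cmd in samples.items()}
```

The thresholds are deliberately conservative; in a real pipeline they would be tuned against the environment’s own baseline of legitimate batch scripts.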
Tool of the week
-Hack yourself first!
This website is provided by troyhunt.com as part of the Pluralsight course Hack Yourself First: How to go on the cyber-offence. It’s full of nasty app sec holes. No seriously, it’s terrible!
This course is designed to help web developers on all frameworks identify risks in their own websites before attackers do and it uses this site extensively to demonstrate risks. Feel free to browse through this site and go watch the course if you’d like to see both the risks and mitigations in action
-Integrating LDAP/AD Users to Kubernetes RBAC with the AWS-IAM-Authenticator Community Project
Alexa top 1 million security analysis
-Have I Been Pwned Zapier integration
Connects the HIBP API to Zapier so that users can check email addresses against known breaches
-Updated again!: DOMPurify
DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks
Why the last update HERE
Other interesting articles
The Road to QUIC
QUIC (Quick UDP Internet Connections) is a new encrypted-by-default Internet transport protocol that provides a number of improvements designed to accelerate HTTP traffic as well as make it more secure, with the intended goal of eventually replacing TCP and TLS on the web. In this blog post we are going to outline some of the key features of QUIC and how they benefit the web, and also some of the challenges of supporting this radical new protocol
21 Security Pros Reveal The One Thing They’d Change About AWS Security
And one of them says:
“The biggest security risk with AWS…”
Especially for small companies, is the lack of understanding where security duties begin and end with the public cloud provider.
Your Security Just Might Kill Your Serverless
Let me start with an anecdote. In the midst of a fascinating discussion with the security person in a large company that has embraced serverless, I asked her how it came about that the security organization doesn’t own the security controls to the application. “How do you guys let the developers own the IAM roles and VPC decisions?” I asked. Her answer was astonishing but also enlightening: “We tried, but the developers threatened they would all leave.”
My instinct, and perhaps yours, was to think, “Oh my God, these developers have really taken over the world.” It’s easy to attribute this to some sort of megalomania and turn it into a story about how hard it is to find a good developer these days. But that would be entirely missing the point, and the point is important
Reminder: Cloudflare’s Lava Lamp Cryptography
Cloudflare uses data generated from images of 100 active lava lamps in the lobby of the company’s office in San Francisco in combination with other data – the movement of a pendulum in London and data from a Geiger counter in Singapore – to generate cryptographic keys.
Lava lamps were used by Silicon Graphics 20 years ago to seed random number generation. I don’t think in the intervening decades anyone has debunked the method, but the old joke was that the security team came through and put lens caps on the cameras monitoring the lamps…
Bitcoin (BTC) and Crypto vs. Mastercard: Which Is More Secure?
Mastercard CEO Ajay Banga called cryptocurrency “junk” this week, right before a tweet apparently challenging the security of PayPass, a Mastercard product, surfaced on Twitter
Secure Contexts Everywhere
Since Let’s Encrypt launched, secure contexts have become much more mature. We have witnessed the successful restriction of existing, as well as new features to secure contexts. The W3C TAG is about to drastically raise the bar to ship features on insecure contexts. All the building blocks are now in place to quicken the adoption of HTTPS and secure contexts, and follow through on our intent to deprecate non-secure HTTP
The age of cyberwar is here. We can’t keep citizens out of the debate
Unlike nuclear weapons, there is no clear protocol for when cyberwarfare should be used, or how to respond to an attack
And finally, Phone and internet use: Number of mobile calls drops for first time
HACKING, TOOLS and FUN – CHECK BELOW!