Word of the week “Security booze” – thanks to Naz
Stress, bad workplace cultures are still driving security folk to drink
Self-medicating with booze is no answer, hackers warned at conference
Word of the week special
Is it right for Uber drivers to rate passengers? Do passengers know that?
What are Uber drivers actually rating?
Is it right for Uber to have access to that information? Who are they sharing it with?
Could one be denied a loan or a purchase because of their Uber passenger rating?
Crypto challenge of the week
May 25th: GDPR Live! See incidents section below – Worst breaches in 2018 so far HERE
June 30th: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS Is Easy!
Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare
Deploying TLS 1.3 at scale with Fizz, a performant open source TLS library
The opposite -> NeverSSL HERE :)
This website is for when you try to open Facebook, Google, Amazon, etc on a wifi network, and nothing happens. Type “http://neverssl.com” into your browser’s url bar, and you’ll be able to log on
August – Holidays!!
September 21st SEC Bitcoin ETF
March 29th 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-BlackHat and Defcon happening right now! More in the coming weeks!
Slides and presentations for BlackHat HERE
-Hacker Summer Camp GUIDE – Surviving Vegas – Part one
-New Pluralsight Course: Bug Bounties for Researchers
Earlier this year, I spent some time in San Fran with friend and Bugcrowd founder Casey Ellis where we recorded a Pluralsight “Play by Play” titled Bug Bounties for Companies. I wrote about that in the aforementioned post which went out in May and I mentioned back then that we’d also created a second course targeted directly at researchers. We had to pull together some additional material on that one but I’m please to now share the finished product with you: Bug Bounties for Researchers
-Course: The State of GDPR: Common Questions and Misperceptions
In this course, you’ll learn how to distinguish fact from misperception when it comes to the General Data Protection Regulation (GDPR) and get answers to many commonly asked GDPR questions
-Critical log review checklist for security incidents
-Cyber Security Body Of Knowledge
-Application Security Podcast – last episodes
- CRS and an Abstraction Layer (S04E02)
- Google Chrome and the Case of the Disappearing HTTP (S04E01)
- All the Pieces You Need for an #AppSec Program: Finale(S03 E21) – Application Security PodCast
- OWASP, Reach Out; We Are Known and Misunderstood (S03E20) – Application Security PodCast
- Bug Bounty with a Side of Empathy (S03E19) – Application Security PodCast
- Malicious User Stories (S03E18) – Application Security PodCast
- Neurodiversity in Security (S03E17) – Application Security PodCast
- AppSec and Hardware (S03E16) – Application Security PodCast
- #OWASP AppSensor (S03E15) – Application Security PodCast
- Third Party Software is not a Cathedral, It’s a Bazaar (S03E14) – Application Security PodCast
-Social engineer podcast – last one
-Network Monitoring Is Going Away…Now What? TLS, QUIC and Beyond
Protocol improvements to prevent pervasive monitoring, such as forward secrecy and metadata hiding, are being standardized and deployed in response to greater awareness of threats to network traffic. The changes impact monitoring
Incidents in the world last week
Other source HERE Find your country
Data breach suffered by Reddit
Reddit confirmed earlier this week that it had suffered a data breach back in June 2018 with all data created between 2005 and 2007 compromised.
This data included users’ protect passwords and email addresses as well as current usernames and corresponding email addresses which were obtained from the weekly email digests that roundup top Reddit posts
Used connected cars need disconnecting
Once upon a time you sold your car, handed over the keys, log book, MOT certificate and pocketed the cash or bought a new car and thought no more about it. No longer. In today’s connected world – you may have just sold a computer on wheels
Social engineering as a malware delivery mechanism: technical support fraud
We are all used to warnings about the need to keep security patches up-to-date in an effort to make our computers harder to exploit, but hackers have long been using social engineering alone as a means to exploit us and our computers. One type of scam – technical support fraud – seems to be on the rise again
Weekly Intelligence Summary from Digital Shadows
- In the spotlight this week: the reemergence of the “Kronos” banking trojan in three active campaigns targeting entities in Germany, Japan and Poland. The revival coincides with an increase in email phishing campaigns distributing banking trojans during the first quarter of 2018.
- Other highlights focus on: the detection of a multi-tiered supply-chain attack affecting a software vendor; the return of the extortionist threat actor(s) “thedarkoverlord”; and a Middle Eastern espionage group’s use of a custom backdoor variant.
- Looking ahead, cyber espionage activity in the Middle East is likely to continue as geopolitical tensions affect different nations’ interests in the region. Additional extortion activity attributed to thedarkoverlord will likely be reported; the general election in Zimbabwe could trigger cyber attacks; and a hacktivist response will likely follow PricewaterhouseCoopers’ negotiations with the Saudi Arabian military
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Capture NTLM Hashes using PDF (Bad-Pdf)
Today we are demonstrating stealing NTLM hashes through a pdf file. We have already discussed the various method to Capture NTLM Hashes in a Network in our previous article. Recently a new tool has launched “Bad-PDF” and in this article, we are sharing our experience
Security Patch Management — 7 Do’s and Don’ts
#1 Do: Come Prepared: Put a Security Patch Management Policy in Place
#2 Do: DevOps it Up: Automate Your Patch Management Strategy
#3 Do: SCA to the Rescue: Patch Management for Open Source Components
#4: Do: Test and Monitor Your Security Patches
#5: Don’t Take Your Time
#6: Don’t Get Too Attached to Your Patch Management Policy
#7: Don’t Patch and Run
Security Patch Management: It’s a Marathon, not a Sprint
Windows App Development Environment Bug
A flaw in the Minimalist GNU for Windows for 64-bit PCs (mingw-w64) compiling tool produces executable Windows files that are incompatible with Address Space Layout Randomization (ASLR) exploit mitigation technology. An advisory from CERT/CC suggests a workaround for the issue, but there are not presently any fixes. Vendors were notified about the issue in late July
The Gorgon Group: Slithering Between Nation State and Cybercrime
HP Releases Fix for InkJet Printer Flaws
HP has released a firmware update to address two flaws affecting its InkJet printers. The vulnerability affects at least 166 different models of HP InkJet printers. Malicious files sent to vulnerable devices could result in stack or static buffer overflows, which could allow remote code execution. In May, HP launched a bug bounty program, the first such program to address flaws in printers. The program is private; 34 researchers were invited to participate.
Part of the problem here is that there is too much gratuitous general-purpose computer function included in these printers and exposed to public networks. We should be building appliances with only the function necessary rather than including too much function which we then have to compensate for
New attack on WPA/WPA2 using PMKID
Security flaws let hackers hit in-flight and at sea WiFi
GitHub announces new account security and recovery practices
Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally
John McAfee’s ‘unhackable’ Bitcoin wallet (allegedly) got hacked
ASP.NET resource files (.RESX) and deserialisation issues
Research of the week
-Vulnerability research and responsible disclosure: Advice from an industry veteran
“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab
-Adopting a Zero Trust approach is the best strategy to control access
A new study conducted by Forrester Consulting found that organizations powering Zero Trust Security with next-gen access solutions reported twice the confidence to accelerate new business models and customer experiences
-Nine years of bugs & coordinated vulnerability disclosure: Trends, observations & recommendations for the future
-How to security harden your friend’s new Android phone
But Android is one of the top platforms for malware. And because Android isn’t quite as restrictive as iOS, consumers can be especially susceptible to mobile cyber attacks if they don’t know what they’re doing. My Android phone has reasonably good endpoint security, but then again I do know what I’m doing
-Burn Box Self-Revocable Encryption
Researchers from Cornell University, Cornell Tech, and the University if Illinois Champaign-Urbana have developed a form of self-revocable encryption, which would allow users to temporarily revoke access to selected files on their devices. The feature could be especially useful to journalists and human rights workers who want to prevent authorities from viewing sensitive information. The researchers plan to present their work at Usenix Security Symposium in Baltimore later this month.
When using such techniques, caution has to be taken to not appear to lying or otherwise obstructing law enforcement or border control officials which can lead to an extended scope inspection. The safest bet is not store sensitive data on the devices going through control points and log out of cloud services that can access the data
Tool of the week
-Bomgar releases free privileged account Discovery Tool
As the quantity and scope of cyber attacks continues to grow, organizations are focusing on the risk from privileged users such as insiders and third parties. The free Bomgar Discovery Tool provides key information on the scope of these privileged accounts to equip you with the information you need to proactively protect them
-OSS-Fuzz – continuous fuzzing of open source software
Currently OSS-Fuzz supports C and C++ code (other languages supported by LLVM may work too)
-How to Implement Spring Security With OAuth2
Spring Security provides comprehensive security services for J2EE-based enterprise software applications. It is powerful, flexible, and pluggable. It is not like a Proxy server, firewall, OS level Security, Intrusion Detection System, or JVM Security
Other interesting articles
Getting product security engineering right
Product security is an interesting animal: it is a uniquely cross-disciplinary endeavor that spans policy, consulting, process automation, in-depth software engineering, and cutting-edge vulnerability research. And in contrast to many other specializations in our field of expertise – say, incident response or network security – we have virtually no time-tested and coherent frameworks for setting it up within a company of any size
How to balance development goals with security and privacy
As a software security evaluator and a one-time engineer, I can confirm what the daily security breaches are telling us: software engineers and architects regularly fail at building in sufficient security and privacy. As someone who has been on both sides of this table, I’d like to share some of my own security-related engineering sins and provide some practical advice for both engineers and security officers on how best to balance development goals with privacy concerns
Let’s Encrypt Root Trusted By All Major Root Programs
As of the end of July 2018, the Let’s Encrypt root, ISRG Root X1, is directly trusted by Microsoft products. Our root is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry.
Let’s Encrypt is currently providing certificates for more than 115 million websites
Adventures in vulnerability reporting
At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since it is important to user security that software vendors fix reported vulnerabilities in a timely matter, and vendors need to actually receive the report for this to happen, we have decided to share some of our experiences. We hope to show that good practices by software vendors can avoid delays in vulnerability reporting
How Open Source Intelligence Could Save Your Network
Sites dedicated to compiling information about indicators from the atomic to the behavioral include:
- Team Cymru’s Community Services portal: This portal includes IP reputation lookup and malware hash analysis.
- Threatminer: Search by domains, hashes, user-agent strings and registry entries.
- Threatcrowd: Look for information on domains, IP addresses, emails and organizations.
- URLQuery: This site profiles URLs for web-based malware.
- InfoByIP: This site finds the domain, location, internet service provider (ISP) and autonomous system number (ASN) for IPs or domains — which is good for bulk queries.
- Cymon: Input IPs, domains or hashes and get activity and malware reports.
- Shodan: This site helps analysts determine which devices are publicly connected to the internet.
- ATT&ACK: This is MITRE’s collection of attack techniques and tactics
And finally, Google – you autocomplete me
At what point will Google’s predictive technology grow so powerful that we begin thinking of its personalized recommendations as our own?
I don’t like to say “hi.” I’m a “hey” person. But more and more, I find myself greeting friends and colleagues with a “hi” on email. Why? Because Google suggests that I do. In May, Gmail…
HACKING, TOOLS and FUN – CHECK BELOW!