Word of the week “Save your Company’s Bacon”
Do you know an individual or team that deserves recognition for going over and above the call of duty when it comes to protecting their organisations from cyber threats? Maybe they have saved the day from a cyber attack or malware infection or rescued the organisation from ransomware? Did they implement a cyber risk awareness campaign that made a difference to the office culture when it comes to phishing; or are they simply a great advocate when it comes to security best practices?
Nominate until the 24th of August!
- Fraud Fighter
- Captain Compliance
- Godfather/Godmother of Security
- Cyber Writer
- Security Avengers
- Best Security Awareness Campaign
- Security Leader/Mentor
- Apprentice/Rising Star
- Best Educator
- Best Ethical Hacker/Pen-Tester
- Data Guardian
- SecDevOps Trailblazer
- Best Cyber Security Sales Leader
- CISO Supremo
Word of the week special
Deterring Attackers by Making Software Buggier
Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead targets the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).
1337d00m – thanks to Daniel
1337d00m is a hacker’s version of the original DOOM
Name the most horrible part of this code.
Crypto challenge of the week
Kudelski Security’s 2018 pre-Black Hat crypto challenge
For this year’s crypto challenge we have 3 stages, but it’s on a server which is receiving a lot of empty UDP packets and it sometimes reboots without notice, very strange, but IT tells us they are working on it … Here is how you access the API to query the oracle, good luck!
All challenges can be queried on the API under https://cryptochall.ks.kgc.io (N.B. it refuses insecure connections). Any submitted characters not in [a-zA-Z0-9 ] will generate an error.
To solve the first 2 challenges, you must write a program that creates valid signatures, in order to send the /win endpoint the message specified in the /flag one. That signed message must be successfully verified by the verification service. Obviously, your program should not just copy a signature received from the signing service, and we’ve thus blacklisted the winning messages.
The 3rd and final challenge is won by decrypting the flag.
May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE
June 30th: TLS 1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS 1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS Is Easy!
Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare
HTTPS everywhere HERE
TLS 1.3 Standard is Official
The Transport Layer Security 1.3 (TLS 1.3) standard is now official. The revised standard was approved in March 2018; the Internet Engineering Task Force (IETF) calls it “a major revision designed for the modern Internet.” Its developers have worked hard to make TLS 1.3 easy to deploy.
August – Holidays!!
September 21st: SEC Bitcoin ETF
March 29th 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
- BlackHat and Defcon 2018!
Refresh from last week: Slides and presentations for BlackHat HERE
BlackHat keynote: Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes
- Application Security Podcast – last episode
Securing DevOps (S04E03)
- Social engineer podcast – ep. 108 Neil Fallon Is My Tech Support – Security through Education
- InSecurity Podcast: Katie Moussouris Breaks Down Bug Bounty Programs
- Top 10 Web Hacking Techniques of 2017 – Voting Open
- How I hacked hundreds of companies through their helpdesk
- Web Cache Deception Attack
- GitHub’s post-CSP journey
- Request encoding to bypass web application firewalls
- Binary Webshell Through OPcache in PHP 7
- A deep dive into AWS S3 access controls taking full control over your assets
- CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox
- HaXmas: The True Meaning(s) of Metasploit
- The Good, The Bad and The Ugly of Safari in Client-Side Attacks
- Modern Alchemy: Turning XSS into RCE
- My Sweet Innocence Exposed – Eleven Reasons why we will all miss you, e
- Don’t Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets
- From Markdown to RCE in Atom
- The Absurdly Underestimated Dangers of CSV Injection
- Rare ASP.NET request validation bypass using request encoding
- Password Not Provided – Compromising Any Flurry User’s Account
- $10k host header
- The .io Error – Taking Control of All .io Domains With a Targeted Registration
- Pivoting from blind SSRF to RCE with HashiCorp Consul
- Exploiting the unexploitable with lesser known browser tricks
- Why CSP Should be carefully crafted: Twitter XSS CSP Bypass
- Text/Plain Considered Harmful
- Autobinding vulns and Spring MVC
- Stealing Messenger.com Login Nonces
- Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token
- Cloudflare Reverse Proxies are Dumping Uninitialized Memory
- The Attack of the Alerts and the Zombie Script (IE)
- Shopware 5.3.3: PHP Object Instantiation to Blind XXE
- Assorted WordPress DB prepare exploits
- A New Era of SSRF – Exploiting URL Parser in Trending Programming Languages!
- Cure53 Browser Security Whitepaper
- Friday The 13th JSON Attacks
- X41 Browser Security Whitepaper
- How I used google dorks to find 0-days
- MITM Attacks on HTTPS: Another Perspective
- Google Maps XSS (by fiddling with Protobuf)
- Advanced Flash Vulnerabilities
- How the OWASP Top 10 can Secure your DevSecOps Initiative
As software becomes increasingly complex, the difficulty of achieving application security increases. With the rapid pace of modern software development processes, securing the software from the beginning can be challenging.
- How can developers write more secure applications?
- What are the security techniques they could use while writing their software?
Incidents in the world last week
Other source HERE Find your country
Social engineering to gain access: SIM swapping
SIM swapping (also known as ‘SIM splitting’) emerged several years ago but is on the increase as mobile phone numbers become more widely used as part of security checks. The scam sees attackers access victims’ texts, calls and other sensitive information, including security codes used as part of two-factor authentication (2FA).
To be successful, attackers first need personal information, gleaned through various forms of phishing, purchasing victims’ details from organised crime networks, or by conducting open-source research. Social media sites can also contain sufficient information for attackers to masquerade as genuine customers.
US payment processing services targeted by BGP hijacking attacks
Three United States payment processing companies were reportedly targeted by Border Gateway Protocol (BGP) hijacking attacks on their DNS servers in July.
Bitpaymer: Cyber attack against Alaskan local government
The Alaskan local government borough of Matanuska-Susitna (Mat-Su) has confirmed it suffered a large-scale, disruptive cyber attack in July, caused by a multi-faceted malware package containing Bitpaymer ransomware.
Malware targets cryptocurrency ATMs
Trend Micro have reported that malware specifically designed to target cryptocurrency ATMs is being sold on the DarkNet for $25,000 by an apparently established user who regularly sells ATM and other financially-related malware.
Increase in mobile phone-enabled fraud
Last week the social news aggregator Reddit reported a data breach that saw hackers able to access a backup system containing user data, including email addresses, and a 2007 database with usernames and hashed passwords. Several Reddit employees’ accounts connected to cloud and hosting providers were compromised.
The company employed an SMS-based two-factor authentication system where a one-time passcode was used to access systems, along with a password. The hack was accomplished by intercepting SMS messages, circumventing Reddit’s 2FA system. See the NCSC’s advice following the Reddit breach.
SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, exploitation and interception of legacy telephone signalling systems, or by directly intercepting and decrypting signals from cell towers.
Troy Hunt weekly update
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
FBI ATM Cashout Warning
A confidential FBI alert sent to banks last week warns that criminals are planning an ATM cashout, an attack in which there is a coordinated effort to empty ATMs of all the cash they contain using cloned cards. The scheme involves compromising the system at a bank or payment card processor and using information obtained there to program clones of legitimate cards. The FBI’s alert recommends that banks implement strong security measures, such as two-factor authentication using a physical or digital token, dual authentication procedures for withdrawals that exceed a certain threshold, and application whitelisting.
In the early days of ATMs we limited cash withdrawals to $200 per account per day. Over the decades banks have relaxed this limit. While banks would be reluctant to reinstitute it, it would be one way of addressing this risk. Note that the application of two-factor (card and PIN) authentication began with ATMs. It was very effective until the cost of cloning cards dropped. When the issuers stop using mag-stripe and use “chips,” the cost of cloning will go back up and the risk will go down.
This is a two-step exploit. First, controls are disabled at the financial institution, such as maximum withdrawal amount or maximum number of ATM transactions; then cloned cards are used to drain accounts. Implementing multi-factor authentication, whitelisting, active monitoring, separation of duties, and dual-person controls are key to protecting the back-end systems from exploitation. While the elimination of the mag-stripe on ATM cards makes the cloning activity very difficult, removing the mag-stripe will take a while. The US deadline for automated fuel pumps to convert to EMV has been pushed to October 2020, and even when all merchants are no longer using mag-stripe readers, card holders will still need to be issued cards without the enabled capability.
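The controls named above (a withdrawal threshold, dual-person approval for limit changes, and active monitoring) can be expressed as back-end rules that run over the processor's own logs. The following is an added illustration, not code from the FBI alert or from any bank: the transaction feed, the limit-change audit log, the field names and the thresholds are all constructed assumptions, chosen so that one card shows the cashout pattern (a limit raised with no second approver, then a burst of withdrawals from several countries within minutes) and one card shows ordinary use.

```python
"""Toy monitoring rules for the ATM cashout pattern (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorisation feed: one record per ATM withdrawal request.
# Timestamps are UTC ISO-8601, amounts in USD.
SAMPLE_TRANSACTIONS = [
    {"card": "4111-A", "time": "2018-08-11T01:02:00", "amount": 200, "country": "CA"},
    {"card": "4111-A", "time": "2018-08-11T01:03:30", "amount": 200, "country": "CA"},
    {"card": "4111-A", "time": "2018-08-11T01:05:10", "amount": 200, "country": "HK"},
    {"card": "4111-A", "time": "2018-08-11T01:06:00", "amount": 200, "country": "IN"},
    {"card": "4111-A", "time": "2018-08-11T01:07:00", "amount": 200, "country": "IN"},
    {"card": "4111-A", "time": "2018-08-11T01:08:00", "amount": 200, "country": "IN"},
    {"card": "9999-B", "time": "2018-08-11T09:00:00", "amount": 60, "country": "US"},
    {"card": "9999-B", "time": "2018-08-11T18:30:00", "amount": 100, "country": "US"},
]

# Constructed control-plane audit log: changes to per-card limits. A legitimate
# raise carries a second approver (dual-person control); the first step of a
# cashout is a raise that does not.
SAMPLE_LIMIT_CHANGES = [
    {"card": "4111-A", "time": "2018-08-11T00:40:00", "field": "daily_cap",
     "old": 500, "new": 50000, "operator": "ops1", "approver": None},
    {"card": "9999-B", "time": "2018-08-10T12:00:00", "field": "daily_cap",
     "old": 500, "new": 800, "operator": "ops2", "approver": "mgr1"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def unapproved_limit_raises(changes):
    """Cards whose limit was increased without a second approver."""
    return sorted({c["card"] for c in changes
                   if c["new"] > c["old"] and not c["approver"]})


def velocity_alerts(txns, window_minutes=10, max_txns=4):
    """Cards with more than max_txns requests inside any window_minutes span."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t["card"]].append(parse(t["time"]))
    flagged = []
    for card, times in by_card.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, ts in enumerate(times):
            while ts - times[start] > timedelta(minutes=window_minutes):
                start += 1
            if end - start + 1 > max_txns:
                flagged.append(card)
                break
    return sorted(flagged)


def multi_country_alerts(txns, window_minutes=30):
    """Cards 'present' in two or more countries within window_minutes."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t["card"]].append((parse(t["time"]), t["country"]))
    flagged = set()
    for card, events in by_card.items():
        events.sort()
        for i, (t1, c1) in enumerate(events):
            for t2, c2 in events[i + 1:]:
                if t2 - t1 > timedelta(minutes=window_minutes):
                    break
                if c1 != c2:
                    flagged.add(card)
                    break
    return sorted(flagged)


def daily_total_alerts(txns, cap=500):
    """Cards whose withdrawals on one calendar day exceed the hard cap,
    enforced here independently of whatever the per-card limit says."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t["card"], parse(t["time"]).date())] += t["amount"]
    return sorted({card for (card, _), total in totals.items() if total > cap})


def cashout_candidates(txns=SAMPLE_TRANSACTIONS, changes=SAMPLE_LIMIT_CHANGES):
    """Cards that show BOTH halves of the pattern: a tampered limit and
    anomalous ATM activity. Returns a sorted list of card identifiers."""
    tampered = set(unapproved_limit_raises(changes))
    active = set(velocity_alerts(txns)) | set(multi_country_alerts(txns)) \
        | set(daily_total_alerts(txns))
    return sorted(tampered & active)


if __name__ == "__main__":
    print("cashout candidates:", cashout_candidates())
```

The hard daily cap is deliberately checked against the raw feed rather than the per-card limit table, so that an attacker who edits the limit table (step one of the scheme) does not also silence the alert; in a real deployment the rule thresholds and the audit log of limit changes would come from the processor's own systems rather than these constructed samples.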
Update, Aug. 15, 11:11 a.m. ET: Several sources now confirm that the FBI alert was related to a breach of the Cosmos cooperative bank in India. According to multiple news sources, thieves using cloned cards executed some 12,000 transactions and stole roughly $13.5 million from Cosmos accounts via 25 ATMs located in Canada, Hong Kong and India.
Hack Can Turn Robotic Vacuum Into Creepy Rolling Surveillance Machine
Siri is listening to you, but she’s NOT spying, says Apple
Hashcat developer discovers simpler way to crack WPA2 wireless passwords
Only 8% of orgs have effective DevSecOps practices
Vulnerabilities in mPOS devices could lead to fraud and theft
Intel’s SGX blown wide open by, you guessed it, a speculative execution attack
Speculative execution attacks truly are the gift that keeps on giving
CGit clone objects bug
Description: There is a directory traversal vulnerability in CGit, a web frontend for Git repositories, identified as CVE-2018-14912. The vulnerability exists in the cgit_clone_objects function in CGit before version 1.2.1 when `enable-http-clone=1` is not turned off.
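The bug class here is a server joining a client-supplied object path onto the repository root without checking that the result stays inside it. The following is an added, generic illustration of that class and its containment fix; it is not CGit's code (CGit is written in C, and the page gives no details of the actual flaw), and the repository root and request paths are constructed.

```python
"""Directory traversal containment check (constructed illustration)."""
import posixpath

REPO_ROOT = "/srv/git/project.git"  # constructed repository root


def unsafe_object_path(root, requested):
    """'Before' form: trusts the client-supplied path. A request containing
    '..' components resolves to a file outside the repository root."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_object_path(root, requested):
    """Hardened form. Rejects absolute paths, backslashes and NUL bytes,
    rejects any '..' or empty path component, and finally verifies that the
    normalised result still lies strictly under root. Returns None when the
    request is rejected, otherwise the normalised path."""
    if not requested or requested.startswith("/"):
        return None
    if "\\" in requested or "\0" in requested:
        return None
    if any(part in ("..", "") for part in requested.split("/")):
        return None
    candidate = posixpath.normpath(posixpath.join(root, requested))
    prefix = root.rstrip("/") + "/"
    if not candidate.startswith(prefix):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("objects/ab/cdef", "info/refs", "../../../etc/passwd",
                "objects/../../x", "/etc/passwd"):
        print(f"{req!r:28} unsafe={unsafe_object_path(REPO_ROOT, req)!r:36} "
              f"safe={safe_object_path(REPO_ROOT, req)!r}")
```

The final prefix check is the part that matters: the component filter alone is a blacklist and is easy to get subtly wrong, whereas comparing the normalised result against the root catches anything the filter missed. On a real filesystem the same comparison should also be made on the `os.path.realpath` of the candidate, because a symbolic link inside the repository can point outside it even when the textual path looks contained.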
Vulnerabilities in election machines
Hackers at the Black Hat conference last week in Las Vegas were able to discover several new vulnerabilities in election machines used in the U.S. Conference attendees had physical access to the devices.
Windows 10 is getting a new disposable sandbox feature that will allow users to run suspicious apps in a virtualized environment
Snapchat source code leaked on GitHub – but no one knows why
The Pentagon has banned deployed soldiers from using wireless GPS systems, including fitness trackers, citing security concerns
FakesApp: A Vulnerability in WhatsApp
Applying Linkage Analysis to Cyber Crime Attribution
Case linkage, or linkage analysis, is a technique used by law enforcement to connect multiple crimes to a single individual. By examining behavioural fingerprints, law enforcement can draw conclusions that link seemingly unrelated cases. At DefCon last week, Matt Wixey presented efforts to apply the technique to digital crimes, using granular behaviour to identify hackers.
Comcast data loss
More than 26.5 million Comcast customers potentially had their personal information exposed due to a flaw on the cable and internet company’s login page.
Microsoft – Protecting the protector: Hardening machine learning defenses against adversarial attacks
Vulnerabilities Found in the Firmware of 25 Android Smartphone Models
GCHQ Director: New technologies are opening the door to cyber-rogues; you can help shut it
Research of the week
- DevSecOps Reference Architectures
Degrees of DevSecOps Automation
- NIST Working on Final Public Draft of Risk Management Framework 2.0
The National Institute of Standards and Technology (NIST) is hard at work on the next version of its Risk Management Framework, RMF 2.0. The final public draft of RMF 2.0 is expected to be available in September 2018, with final publication expected in November. RMF 2.0 will address supply chains, systems engineering, and privacy.
- Computer forensics equipment – ForensicMagiCube – thanks to Naz
Tool of the week
A curated list of cryptography resources and links – Theory, Tools, Frameworks and Libs and other resources
- WhiteSource Vulnerability Checker (free!)
Identify the Top Open Source Vulnerabilities
A free tool for automated discovery of targets’ social media accounts.
Social Mapper is an Open Source Intelligence tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets’ names and pictures to accurately detect and group a person’s presence, outputting the results into a report that a human operator can quickly review.
- Bluetooth Low Energy Swiss-army knife
Btlejack provides everything you need to sniff, jam and hijack Bluetooth Low Energy devices. It relies on one or more BBC micro:bit devices running a dedicated firmware.
Other interesting articles
5 Threats to Financial Services
5 Things to Know For a Successful Pen Testing
Penetration testing (AKA pen test) is an authorized, deliberate hacking of a corporate network and computer infrastructure to determine its vulnerability. The vulnerability report arising from a pen test is a valuable part of the system audit, which will enable the production of a credible mitigation plan while preserving the overall security and privacy of the system and its users. In penetration testing, a distribution of Linux is used. This is because the mainstream desktop OS, Windows, is inefficient for pen test purposes due to the artificial restrictions set by Microsoft. In Windows, the user does not fully control the OS; Microsoft maintains full authority and control of it.
Android 9 Pie Security
- Built-in support for DNS over TLS, automatically upgrading DNS queries to TLS if a network’s DNS server supports it.
- HTTPS by default. App developers who want HTTP traffic for specific domains will have to change their app’s network security config to allow those connections.
- A new hardware security module and stronger protection for private keys (API support for devices that provide key storage in tamper-resistant hardware with isolated CPU, RAM, and secure flash).
- Support for encrypting Android backups with a client-side secret (by default if the user has set a screen lock for their device that requires a PIN, pattern, or password to unlock).
- Compiler-level mitigations for detecting dangerous behaviour and integer overflow sanitizers for mitigating memory-corruption and information-disclosure vulnerabilities.
- A consistent UI for biometric authentication across apps and devices. Apps no longer need to build their own dialog to prompt the user for any supported type of biometric authentication (fingerprint, face, iris). They can use the BiometricPrompt API to show the standard system dialog instead.
- Android P now restricts access to the microphone, camera, and all SensorManager sensors by apps running in the background.
- “While your app’s UID is idle, the mic reports empty audio and sensors stop reporting events. Cameras used by your app are disconnected and will generate an error if the app tries to use them,” the company explained. Idle apps will also not receive events from sensors.
And finally, Is Humanity About To Accidentally Declare Interstellar War On Alien Civilizations?
If the Breakthrough Starshot initiative, promoted by Stephen Hawking, works exactly as planned, it could lead to disaster.
There are a great variety of stars with known exoplanets within 25 light years of the Sun, and missions like K2 and TESS will only find more. These are excellent targets for interstellar travel, but if we don’t do it carefully, our explorations could be mistaken for a malicious act of aggression. (NASA/GODDARD/ADLER/U. CHICAGO/WESLEYAN).
HACKING, TOOLS and FUN – CHECK BELOW!