Word of the week “Cyber-psychopathology”
Cyberchondria, cyberbullying, cybersuicide, cybersex: “new” psychopathologies for the 21st century?
The Internet and related technologies permeate our everyday functioning to the extent that it has become difficult to imagine life without them. As their penetrance increases, so does discussion of, and research into, new problematic behaviours and psychopathologies, especially “Internet addiction” and “online gaming addiction”.
However, cybertechnology is also reshaping “established” psychiatric disorders and phenomena, leading to symptoms and manifestations that are both familiar and novel, old and new. Of those, this paper will focus on health-related anxiety, bullying or stalking, suicide, and compulsive sexual behaviour. While far from unique, they illustrate the range of psychological functions that have been reconfigured by the digital revolution – and how simplistic a “big umbrella” approach that reduces the discussion to “technology addiction” is.
Word of the week special “Hardcoded secrets”
Crypto challenge of the week
NSA Crop Calculations
A farmer, known for his unusual aesthetics, planted five circular fields. Four of the circles have a one furlong radius and were arranged so their centers form a square and they are each tangent to two of the other three circles. The fifth field was planted in the area enclosed by the four circles such that it is tangent to all of them.
What is the total area of the unplanted land enclosed by the five circles?
In this image, the fields are shown in green. We are interested in measuring the red regions.
May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE
June 30th: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS Is Easy!
Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare
HTTPS everywhere HERE
August – Holidays!!
September 21st: SEC Bitcoin ETF
March 29th 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-OWASP London meetup next week
“From zero to hero: building security from scratch” – Anthi Gilligan
Breaches mean financial, regulatory, legal, and above all reputational repercussions. Organisations are quick to react; however, with security professionals in high demand and low supply, there has been an increase in individuals jumping on the “cybersecurity” bandwagon. In this talk, we discuss the pitfalls of the inadequately qualified “cybersecurity expert”, and examine the building blocks of a solid information security management system.
“Smart Contract Security” – Evangelos Deirmentzoglou
Dapps and many Initial Coin Offerings (ICOs) run on smart contracts and tend to process a substantial amount of funds. This makes them a target, and therefore they often undergo attacks. Combined with blockchain immutability, vulnerabilities undiscovered during development will exist forever in the blockchain. This talk will dive into the most common smart contract security vulnerabilities and provide in-depth knowledge on how these issues occur and their mitigation. Real-world examples will be discussed and vulnerabilities like re-entrancy, overflows, gas limit attacks etc. will be demonstrated.
-Badgelife: A Defcon 26 retrospective
-What happened in Vegas stayed in Vegas? DEFCON’s Caesar’s Palace controversy
“At noon-ish on Thursday (August 9th), I received a phone call from Las Vegas Police requesting to interview me, saying that they had an ‘anonymous tip from a third party’ about ‘some threats which were made.’ I agreed to meet them at the work event I was hosting. When they arrived, they had a printed-out copy of a single tweet I’d sent, which was part of a conversation with munin.
We had a brief chat and I explained that the tweet was talking about phone hacking/network hacking and not physically attacking people, and wasn’t intended to be a threat to anyone. The LVPD said that sounded reasonable and they found no reason to doubt my explanation. It took all of ten minutes to talk to them. They said don’t worry about it any further and thanks for chatting. I went from work to dinner, to an evening event, then back to Caesar’s around midnight.”
-Black Hat USA 2018: ransomware is still the star
-Finding the signal of community in all the noise at Black Hat
-BSides Manchester 2018
Good article HERE
-Application Security Podcast – last episode
Threat Modeling with a bit of #Startup (S04E04)
-Electron – abusing the lack of context isolation
Oldies but goodies:
-Scriptless Attacks – Stealing the Pie without touching the Sill
-In the DOM, no one will hear you scream
Incidents in the world last week
Other source HERE Find your country
Software secure? What about your hardware?
Researchers at the DEF CON 2018 cyber security convention revealed that they could access an internal network using legacy technology – a fax machine.
Data breaches fueling phishing scams
An ongoing email scam claims to have planted spyware on the victim’s computer or phone and to have recorded them visiting adult websites. $1,000 in Bitcoin is then demanded to prevent wider release of the video.
Troy Hunt weekly update
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning
Update, 8:10 p.m. ET: An earlier version of this story incorrectly stated that there were only 25 ATMs used in the cashout against Cosmos. The figure was meant to represent the number of countries with ATMs that were used in the heist, not ATMs, and that number is 28 at last count.
Australian schoolboy hacks into Apple’s network, steals files
Apple Says Customer Data Not Compromised in Breach
After an Australian teenager pleaded guilty to breaking into Apple’s main computer network, the company reassured customers that their data were not compromised. The teenager admitted to downloading 90 gigabytes of internal data and to accessing customer accounts.
Evolution of Android Security Updates
At Google I/O 2018, in our What’s New in Android Security session, we shared a brief update on the Android security updates program. With the official release of Android 9 Pie, we wanted to share a more comprehensive update on the state of security updates, including best practice guidance for manufacturers, how we’re making Android easier to update, and how we’re ensuring compliance to Android security update releases
London City police squad foils over EUR 27 mln of fraudulent online scams in six months
Philips cardiovascular software found to contain privilege escalation, code execution bugs
Man-in-the-Disk attacks leave Android users exposed to data manipulation
Check Point researchers discovered a new attack surface for Android applications that leverages external storage, dubbed Man-in-the-Disk attacks.
Gmail Confidential Mode
Gmail’s new Confidential Mode lets users send email messages that “self destruct” and cannot be printed or forwarded. Settings allow senders to choose an amount of time before the email expires (from one day to five years) and to revoke access to the message after it is sent. Senders can also choose to require a password to open the message. The email contains a link to the actual content of the message, which is hosted on Google servers. The Electronic Frontier Foundation (EFF) takes issue with Google’s claims of Confidential Mode’s security and privacy, pointing out that the messages are not encrypted end-to-end.
Back to the 90’s: FragmentSmack
Like last week’s SegmentSmack (CVE-2018-5390), which allowed remote DoS attacks via crafted TCP packets, a similar vulnerability has been reported this week in the handling of IP fragments.
Hacking any internal network through a poor printer or fax
The enemy is us: a look at insider threats
How’s that encryption coming, buddy? DNS requests routinely spied on, boffins claim
Uninvited middlemen may be messing with message
A severe PHP vulnerability has left thousands of WordPress websites open to attack
NPM – Three new features to help our users protect themselves
Booz Allen Hamilton wins $1 billion US cybersecurity contract
We thought that making a public list might make them care a bit more.
It might also cheer up sysadmins who are struggling to deploy a strict policy on a complex website to see that even some big players have botched CSP.
How Cloudflare protects customers from cache poisoning
A few days ago, Cloudflare — along with the rest of the world — learned of a “practical” cache poisoning attack. In this post I’ll walk through the attack and explain how Cloudflare mitigated it for our customers. While any web cache is vulnerable to this attack, Cloudflare is uniquely able to take proactive steps to defend millions of customers.
In addition to the steps we’ve taken, we strongly recommend that customers update their origin web servers to mitigate vulnerabilities. Some popular vendors have applied patches that can be installed right away, including Drupal, Symfony, and Zend.
Research of the week
-The DevOps Roadmap for Security
How Security can take on a new role in the DevOps movement by embracing modern principles, practices, and tooling
-File Operation Induced Unserialization via the “phar://” Stream Wrapper
The risk of unserializing attacker-controlled data in PHP has been well known since Stefan Esser first presented the issue in detail in 2009. This topic is closely associated with similar vulnerabilities in other languages (see CWE-502 and CWE-915). Recent years have also seen several vulnerabilities in the native code implementing unserialization (CVE-2017-12934, CVE-2017-12933, CVE-2017-12932 et al.), further demonstrating the risk of exposing unserialization to attacker-controlled data.
This paper will present a novel attack technique specific to PHP which can cause unserialization to occur in a variety of exploitation scenarios. The technique can be used when an XXE vulnerability occurs, as well as in circumstances that would typically be considered an SSRF vulnerability, and in a number of other scenarios where the vulnerability would previously have been considered an information disclosure issue.
-Encryption at rest: Not the panacea to data protection
-The Secure Socket API: TLS as an Operating System Service
SSL/TLS libraries are notoriously hard for developers to use, leaving system administrators at the mercy of buggy and vulnerable applications. We explore the use of the standard POSIX socket API as a vehicle for a simplified TLS API, while also giving administrators the ability to control applications and tailor TLS configuration to their needs. We first assess OpenSSL and its uses in open source software, recommending how this functionality should be accommodated within the POSIX API. We then propose the Secure Socket API (SSA), a minimalist TLS API built using existing network functions, and find that it can be employed by existing network applications through modifications requiring as little as one line of code. We next describe a prototype SSA implementation that leverages network system calls to provide privilege separation and support for other programming languages. We end with a discussion of the benefits and limitations of the SSA and our accompanying implementation, noting avenues for future work.
-TURNING (PAGE) TABLES
Bypassing advanced kernel mitigations using page tables manipulations
Tool of the week
-The Secure DevOps ToolChain
-dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
Other hash cracking:
-Pacu: The Open Source AWS Exploitation Framework
With the continued proliferation of Amazon Web Services (AWS), companies are continuing to move their technical assets to the cloud. With this paradigm shift comes new security challenges for both Sysadmin and DevOps teams. These aren’t just problems for the security-unaware, either. Even large enterprises – such as GoDaddy and Uber – have had major breaches from AWS configuration flaws.
This is where an authenticated AWS penetration test can help. By simulating a breach and providing an attacker with a set of ‘compromised’ AWS keys, the range of AWS services can be fully vetted.
Several tools exist to aid in the scanning of AWS vulnerabilities, but they focus on compliance requirements rather than exploit potential. The offensive security community has a glaring need for a tool that provides a structured, comprehensive approach to pentesting AWS.
BDD-Security is a security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications.
It tests web applications and APIs from an external point of view and does not require access to the target source code.
Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings.
-Reminder: Git Secret
There’s a known problem in server configuration and deployment: you have to store private data such as database passwords, application secret keys, OAuth secret keys and so on outside of the git repository. Even if the repository is private, it is a security risk to just publish them to the world wide web.
An API for accessing Public Key Credentials
Level 1 – Editor’s Draft, 22 August 2018
-Aqua Security Launches Open-Source Kube-Hunter Container Security Tool
Aqua Security has made its new Kube-hunter open-source tool generally available, enabling organizations to conduct penetration tests against Kubernetes container orchestration deployments.
Other interesting articles
The moment when you realize every server in the world is vulnerable
Hash tables. Dictionaries. Associative arrays. Whatever you like to call them, they are everywhere in software. They are core. And when someone finds a vulnerability in such a low-level data structure, almost all software is implicated.
This is a story of one of those core vulnerabilities, and how it took a decade to uncover and resolve. The story is pretty amazing. But for context, let’s review what hash tables are.
SipRound, the building block of SipHash
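Keyed hashes such as SipHash are the standard fix for hash-table flooding: without the key an attacker cannot precompute colliding inputs. As an added example (not code from the linked articles), here is SipHash-2-4 in Python built from the SipRound step, following the public specification; the test checks it against the test vectors from the SipHash paper.

```python
# Added example: SipHash-2-4 from its SipRound building block (per the public spec).
MASK64 = (1 << 64) - 1


def rotl64(x: int, b: int) -> int:
    """Rotate a 64-bit word left by b bits."""
    return ((x << b) | (x >> (64 - b))) & MASK64


def sipround(v0: int, v1: int, v2: int, v3: int):
    """One SipRound (add-rotate-xor), laid out as in the spec: 2 rounds per block, 4 at the end."""
    v0 = (v0 + v1) & MASK64; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = rotl64(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = rotl64(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32)
    return v0, v1, v2, v3


def siphash24(key: bytes, msg: bytes) -> int:
    """Keyed 64-bit hash of msg under a 16-byte key; returns an int."""
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:16], "little")
    # Initialise the four state words from the key and the fixed constants.
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573
    n = len(msg)
    full = n - (n % 8)
    # Absorb each complete 8-byte little-endian block with two SipRounds.
    for i in range(0, full, 8):
        m = int.from_bytes(msg[i:i + 8], "little")
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = sipround(v0, v1, v2, v3)
        v0 ^= m
    # Final block: leftover bytes, with the message length in the top byte.
    last = int.from_bytes(msg[full:], "little") | ((n & 0xFF) << 56)
    v3 ^= last
    for _ in range(2):
        v0, v1, v2, v3 = sipround(v0, v1, v2, v3)
    v0 ^= last
    # Finalisation: four more rounds, then fold the state to 64 bits.
    v2 ^= 0xFF
    for _ in range(4):
        v0, v1, v2, v3 = sipround(v0, v1, v2, v3)
    return v0 ^ v1 ^ v2 ^ v3
```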
From Dev to InfoSec Part 1 – The Journey Begins
Hacking is awesome! I can understand the appeal of those that are doing it for a living. The hunt for bugs and the fight to secure systems from bad guys sounds like an incredible challenge of both intellect and skill. It’s probably why I’ve been drawn into the world of cybersecurity. It’s an exciting field to be in for a professional or a hobbyist and one that I’m keen to explore more.
This is the first of many articles that will document my journey from my roots as a coder and a career as a developer advocate at Microsoft to the very personal exploration into the world of information security. The intention is to not only make sense of the overwhelming scope of the field and its varying disciplines but also offer brutally honest assessments of myself and the industry that I so much want to be a part of. Here goes everything!
Enabling reliable, secure collaboration on data science and machine learning projects
Machine learning researchers often prototype new ideas using Jupyter, Scala, or R Studio notebooks, which is a great way for individuals to experiment and share their results. But in an enterprise setting, individuals cannot work in isolation—many developers, perhaps from different departments, need to collaborate on projects simultaneously, and securely. I recently spoke with IBM’s Paul Taylor to find out how IBM Watson Studio is scaling machine learning to enterprise-level, collaborative projects.
How an uploaded image could take over your website, and how to stop it
Vulnerability hunter Tavis Ormandy just reported a series of security problems in an application called Ghostscript.
Ormandy works for Google’s Project Zero – he literally finds bugs for a living – and his work is both well-known and renowned…
…but who or what is Ghostscript, and why would someone as skilled as Ormandy feel the need to dig into it?
Well, for many people, Ghostscript is software they’ve never heard of, but probably use or rely upon regularly without even realising it.
Ghostscript is a free, open source implementation of Adobe PostScript, a programming language and ecosystem that powers many printers, and that is the technical underpinning of almost every PDF file out there.
And finally, Make Truth Great Again
HACKING, TOOLS and FUN – CHECK BELOW!