Security Stack Sheet #16

Word of the week “Cyberbully-gaslighting”

Gaslighting is a form of psychological manipulation that seeks to sow seeds of doubt in a targeted individual or in members of a targeted group, making them question their own memory, perception, and sanity. Using persistent denial, misdirection, contradiction, and lying, it attempts to destabilize the victim and delegitimize the victim’s belief

Wiki HERE Links HERE and HERE and HERE and HERE and HERE and books HERE and HERE

 

Word of the week special “Cyberbalkanisation”

Link HERE

 

Bonus

CEO Fraud / BEC

Cyber attackers continue to evolve an email attack called CEO Fraud, or Business Email Compromise (BEC). These are targeted email attacks that trick their victim into taking an action they should not take. In most cases, the bad guys are after money. What makes these attacks so dangerous is that cyber attackers research their victims before launching their attack.

Link HERE

Link HERE

Link HERE

Link HERE

Link HERE

 

Crypto challenge of the week

Nu-Vig Challenge

Link HERE Challenge HERE

 

Dates

May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE

June 30th: TLS1.1 mandatory for PCI-DSS compliance – BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS Is Easy!

Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare

Link HERE What Cloudflare says HERE and HERE Reasons to switch? HERE

HTTPS everywhere HERE

August – Holidays over!!

September 21st: SEC Bitcoin ETF

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory

 

Comic of the week

Link HERE

 

Some OWASP stuff first

-OWASP London meetup 

Event hosted by Facebook HERE – watch out for Live Facebook video HERE

From the last event: Slides HERE

-smart contract security is HARD

-security is a huge field, it will split into many specialisations

-OWASP ZAP in action with Selenium

Links HERE and HERE

-DevSecOps the Kubernetes Way @OWASP Bay Area

The Cloud as we know it is changing. Containers have taken the center stage as the preferred method of developing and deploying software into production. As security practitioners, we must adapt to the latest technologies or be left in the dust. This workshop is a mix of lecture and labs and focuses on the ins and outs of building a Kubernetes infrastructure capable of taking containers from a developer’s laptop to production, in a secure manner.

Link HERE

-OAuth 2.0 and OpenID Connect (in plain English)

Link HERE

-The Ten Most Critical Risks for Serverless Applications v1.0

The “Serverless architectures Security Top 10” document is meant to serve as a security awareness and education guide. The document is curated and maintained by top industry practitioners and security researchers with vast experience in application security, cloud and serverless architectures.

  • SAS-1: Function Event Data Injection
  • SAS-2: Broken Authentication
  • SAS-3: Insecure Serverless Deployment Configuration
  • SAS-4: Over-Privileged Function Permissions & Roles
  • SAS-5: Inadequate Function Monitoring and Logging
  • SAS-6: Insecure 3rd Party Dependencies
  • SAS-7: Insecure Application Secrets Storage
  • SAS-8: Denial of Service & Financial Resource Exhaustion
  • SAS-9: Serverless Function Execution Flow Manipulation
  • SAS-10: Improper Exception Handling and Verbose Error Messages

Link HERE

-Conference at high altitude in Nepal – ThreatCon (if you can afford it)

Link HERE

-Conferences to watch out for

AppSec Israel happens today – more news next week

DevSecCon London HERE

44Con London HERE

OWASP AppSec Bucharest HERE

OWASP events HERE

-Security list for fun and profit – Books, bounties, exploits, leaks, malware…

Link HERE

-Phil Young talks over the years

Mainframe Security: Hacking Hearts and Minds

Managing Enterprise Risk through Legacy System Testing

Gaps in Your Defense: Hacking the Mainframe

Security Weekly #431 – Interview with Phil Young and Chad Rikansrud

NorthSec 2015 – Philip Young – Why You Should (But Don’t) Care About Mainframe Security

DEF CON 23 – Young and Rikansrud – Security Necromancy : Further Adventures in Mainframe Hacking

How to Embrace Hacker Culture For z/OS | Phil Young at SHARE in Seattle

Philip Young – Smashing the Mainframe for Fun and Prison Time

DEF CON 22 – Philip “Soldier of Fortran” Young – From root to SPECIAL: Pwning IBM Mainframes

BG13 – We Hacked the Gibson, Now What? – Philip Young

Black Hat 2013 – Mainframes: The Past Will Come to Haunt You

Mainframed – The Secrets Inside that Black Box

Mainframed: The Secrets Inside that Black Box [Shmoocon 2013]

2.2.0 Phil Young Mainframed – The Forgotten Fortress

PG – Mainframed – The Forgotten Fortress

Link HERE

 

Incidents

Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Facebook removes VPN app due to privacy concerns

Following discussions with Apple, Facebook’s Onavo Mobile VPN app has been withdrawn from the iOS App Store, with reports alleging this is due to possible policy violations on personal data collection.

Guidance for Data Breaches

More high profile data breaches have come to light recently, affecting the UK’s Superdrug high street store and mobile phone provider T-Mobile.

Variant of the Mirai botnet returns

In 2016, a Mirai botnet DDoS attack crippled the French telecoms provider OVH. Internet access was slowed or prevented for parts of the USA when a service provider, Dyn, came under attack. One attack maxed out at 620Gbps, one of the largest the internet has ever witnessed. Mirai worked by enslaving IoT devices.

Link HERE

Troy Hunt weekly update

Link HERE

 

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

What is Cryptojacking and Why Is It a Cybersecurity Risk?

Link HERE

The Importance and Requirements of Privileged Access Management

Link HERE

Microchip ‘god mode’ flaw: Is it time to rethink security?

Link HERE

What happened when we hacked an expo?

Link HERE

Google Is Taking Down Tech Support Scammers

Link HERE

Neatly bypassing CSP

How to trick CSP into letting you run whatever you want

Link HERE

No D’oh! DNS-over-HTTPS passes Mozilla performance test

Privacy-protecting domain name system standard closer

Link HERE

Five Eyes Countries Want Tech Companies’ Help to Access Encrypted Communications

The countries known as the Five Eyes – the US, the UK, Canada, Australia, and New Zealand – have issued a joint statement suggesting that unless tech companies help law enforcement access communications protected by end-to-end encryption, they “may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”

Link HERE

Identifying and alerting on data loss using Cloudflare Workers

Link HERE

The State of Java Serialization

Link HERE

Google ‘Titan Security Key’ Is Now On Sale For $50

Link HERE

Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018

Link HERE

Yahoo continues to scan the emails its users receive

This is in an effort to sell that data to advertisers. This is a practice that others in the industry, such as Google, have stopped over the past few years.

Link HERE

Remote Mac Exploitation Via Custom URL Schemes

An offensive cyber-espionage campaign infects Macs with a novel infection mechanism.

Link HERE

Google wants to get rid of URLs but doesn’t know what to use instead

Link HERE

Reverse Engineering The Medium App (and making all stories in it free)

Link HERE

Pen Tester’s Diary: Episode 1

Link HERE

Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure

Link HERE

 

Research of the week

-Remember: API Security Checklist

Checklist of the most important security countermeasures when designing, testing, and releasing your API.

Link HERE

-The GDPR checklist – thanks to Arturo

Link HERE

-Remember: NIST Releases Version 1.1 of its Popular Cybersecurity Framework

Link HERE

-Open Source Network Security Tools for Beginners

Link HERE

 

Tool of the week

-Introducing the Tink cryptographic software library

At Google, many product teams use cryptographic techniques to protect user data. In cryptography, subtle mistakes can have serious consequences, and understanding how to implement cryptography correctly requires digesting decades’ worth of academic literature. Needless to say, many developers don’t have time for that.

To help our developers ship secure cryptographic code we’ve developed Tink—a multi-language, cross-platform cryptographic library. We believe in open source and want Tink to become a community project—thus Tink has been available on GitHub since the early days of the project, and it has already attracted several external contributors. At Google, Tink is already being used to secure data of many products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, etc. After nearly two years of development, today we’re excited to announce Tink 1.2.0, the first version that supports cloud, Android, iOS, and more!

Link HERE

-What you need to know: “snipr” credential stuffing tool

Link HERE

-PcapXray – GUI Network Forensics Tool To Analyze a Packet Capture Offline

Link HERE

-Analyzing Sharpshooter – Part 1

A look at Sharpshooter, an open source C# payload creation and delivery tool built by MDSec, and at how defenders can detect such activity.

Link HERE

-JWT Authentication Tutorial: An example using Spring Boot

Link HERE

 

Other interesting articles

29 Startups With The Potential To Transform Cybersecurity

Link HERE

 

How to Cultivate Security Champions at the Workplace

Good security engineers are hard to come by. What is a company to do? Not all companies can afford outrageous salaries to acquire one, much less a full team of security professionals. Even if those few companies can afford it today, how do they retain them?

The answer to this is not simple and is realistically beyond the scope of one simple article written by a SOC analyst. I do, however, have a suggestion to help.

Link HERE

 

Security Differences: Containers vs. Serverless vs. Virtual Machines

By knowing what type of computing environment you and your development teams are deploying applications on, you have the best chance to apply all security best practices. Ideally, each application in your portfolio can and will be assessed, and you’ll be encouraged to use the most appropriate and streamlined deployment option available. Moving more applications to containers, and going serverless where appropriate, enables production-like security practices to be enforced much earlier in the development cycle and ultimately improves your overall security profile.

Links HERE and HERE and HERE and Securing your container deployment with Open Source tools HERE

 

Silk Road: A Cautionary Tale about Online Anonymity

Are bitcoin and the Darkweb as anonymous as people think?

Link HERE

 

Anti-security :) – Tackling Front End Performance – Strategy, Tools, and Techniques

Link HERE

 

And finally, in a Future of Mind Uploading, Who Will Own the Data That is YOU?

In a future of mind-uploaded “immortals,” will we achieve unlimited freedom or simply become slaves to that which owns our data?

The year is 2050 and researchers have developed an advanced method of replacing 99% of your brain’s functions for digital software/hardware…

Link HERE

 

HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hawkinsecurity.com/2018/08/27/traversing-the-path-to-rce/

Description: Traversing the Path to RCE.

URL: https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/

Description: Remote Code Execution on a Facebook server.

Link HERE and credits to HERE
