Word of the week “Cyberbully-gaslighting”
Gaslighting is a form of psychological manipulation that seeks to sow seeds of doubt in a targeted individual or in members of a targeted group, making them question their own memory, perception, and sanity. Using persistent denial, misdirection, contradiction, and lying, it attempts to destabilize the victim and delegitimize the victim’s belief.
Word of the week special “Cyberbalkanisation”
CEO Fraud / BEC
Cyber attackers continue to evolve an email attack called CEO Fraud, or Business Email Compromise (BEC). These are targeted email attacks that trick the victim into taking an action they should not take. In most cases, the bad guys are after money. What makes these attacks so dangerous is that the attackers research their victims before launching the attack.
Crypto challenge of the week
May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE
June 30th: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS Is Easy!
Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare
HTTPS everywhere HERE
August – Holidays over!!
September 21st: SEC Bitcoin ETF
March 29th 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-OWASP London meetup
At the last event: slides HERE
-smart contract security is HARD
-security is a huge field, it will split in many specialisations
-OWASP ZAP in action with Selenium
-DevSecOps the Kubernetes Way @OWASP Bay Area
The Cloud as we know it is changing. Containers have taken the center stage as the preferred method of developing and deploying software into production. As security practitioners, we must adapt to the latest technologies or be left in the dust. This workshop is a mix of lecture and labs and focuses on the ins and outs of building a Kubernetes infrastructure capable of taking containers from a developer’s laptop to production, in a secure manner
-OAuth 2.0 and OpenID Connect (in plain English)
-The Ten Most Critical Risks for Serverless Applications v1.0
The “Serverless architectures Security Top 10” document is meant to serve as a security awareness and education guide. The document is curated and maintained by top industry practitioners and security researchers with vast experience in application security, cloud and serverless architectures.
- SAS-1: Function Event Data Injection
- SAS-2: Broken Authentication
- SAS-3: Insecure Serverless Deployment Configuration
- SAS-4: Over-Privileged Function Permissions & Roles
- SAS-5: Inadequate Function Monitoring and Logging
- SAS-6: Insecure 3rd Party Dependencies
- SAS-7: Insecure Application Secrets Storage
- SAS-8: Denial of Service & Financial Resource Exhaustion
- SAS-9: Serverless Function Execution Flow Manipulation
- SAS-10: Improper Exception Handling and Verbose Error Messages
-Conference at high altitude in Nepal – ThreatCon (if you can afford it)
-Conferences to watch out for
AppSec Israel happens today – more news next week
DevSecCon London HERE
44Con London HERE
OWASP AppSec Bucharest HERE
OWASP events HERE
-Security list for fun and profit – Books, bounties, exploits, leaks, malware…
-Phil Young talks over the years
Mainframe Security: Hacking Hearts and Minds
Managing Enterprise Risk through Legacy System Testing
Gaps in Your Defense: Hacking the Mainframe
Security Weekly #431 – Interview with Phil Young and Chad Rikansrud
NorthSec 2015 – Philip Young – Why You Should (But Don’t) Care About Mainframe Security
DEF CON 23 – Young and Rikansrud – Security Necromancy : Further Adventures in Mainframe Hacking
How to Embrace Hacker Culture For z/OS | Phil Young at SHARE in Seattle
Philip Young – Smashing the Mainframe for Fun and Prison Time
DEF CON 22 – Philip “Soldier of Fortran” Young – From root to SPECIAL: Pwning IBM Mainframes
bg13 – We Hacked the Gibson, Now What? – Philip Young
Black Hat 2013 – Mainframes: The Past Will Come to Haunt You
Mainframed – The Secrets Inside that Black Box
Mainframed: The Secrets Inside that Black Box [Shmoocon 2013]
2.2.0 Phil Young Mainframed – The Forgotten Fortress
PG – Mainframed – The Forgotten Fortress
Incidents in the world last week
Other source HERE – find your country
Facebook removes VPN app due to privacy concerns
Following discussions with Apple, Facebook’s Onavo mobile VPN app has been withdrawn from the iOS App Store, with reports alleging this is due to possible policy violations concerning personal data collection.
Guidance for Data Breaches
More high-profile data breaches have come to light recently, affecting the UK high street store Superdrug and the mobile phone provider T-Mobile.
Variant of the Mirai botnet returns
In 2016, a Mirai botnet DDoS attack crippled the French telecoms provider OVH. Internet access was slowed or prevented for parts of the USA when a service provider, Dyn, came under attack. One attack peaked at 620 Gbps, one of the largest the internet has ever witnessed. Mirai worked by enslaving IoT devices.
Troy Hunt weekly update
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
What is Cryptojacking and Why Is It a Cybersecurity Risk?
The Importance and Requirements of Privileged Access Management
Microchip ‘god mode’ flaw: Is it time to rethink security?
What happened when we hacked an expo?
Google Is Taking Down Tech Support Scammers
Neatly bypassing CSP
How to trick CSP in letting you run whatever you want
No D’oh! DNS-over-HTTPS passes Mozilla performance test
Privacy-protecting domain name system standard closer
Five Eyes Countries Want Tech Companies’ Help to Access Encrypted Communications
The countries known as the Five Eyes – the US, the UK, Canada, Australia, and New Zealand – have issued a joint statement suggesting that unless tech companies help law enforcement access communications protected by end-to-end encryption, they “may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
Identifying and alerting on data loss using Cloudflare Workers
The State of Java Serialization
Google ‘Titan Security Key’ Is Now On Sale For $50
Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018
Yahoo continues to scan the emails its users receive
This is in an effort to sell that data to advertisers, a practice that others in the industry, such as Google, have stopped over the past few years.
Remote Mac Exploitation Via Custom URL Schemes
An offensive cyber-espionage campaign infects Macs with a novel infection mechanism.
Google wants to get rid of URLs but doesn’t know what to use instead
Reverse Engineering The Medium App (and making all stories in it free)
Pen tester’s Diary : Episode 1
Research of the week
-Remember: API Security Checklist
Checklist of the most important security countermeasures when designing, testing, and releasing your API
-The GDPR checklist – thanks to Arturo
-Remember: NIST Releases Version 1.1 of its Popular Cybersecurity Framework
-Open Source Network Security Tools for Beginners
Tool of the week
-Introducing the Tink cryptographic software library
At Google, many product teams use cryptographic techniques to protect user data. In cryptography, subtle mistakes can have serious consequences, and understanding how to implement cryptography correctly requires digesting decades’ worth of academic literature. Needless to say, many developers don’t have time for that.
To help our developers ship secure cryptographic code we’ve developed Tink—a multi-language, cross-platform cryptographic library. We believe in open source and want Tink to become a community project—thus Tink has been available on GitHub since the early days of the project, and it has already attracted several external contributors. At Google, Tink is already being used to secure data of many products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, etc. After nearly two years of development, today we’re excited to announce Tink 1.2.0, the first version that supports cloud, Android, iOS, and more!
-What you need to know: “snipr” credential stuffing tool
-PcapXray – GUI Network Forensics Tool to Analyze a Packet Capture Offline
-Analyzing Sharpshooter – Part 1
An open source C# payload creation and delivery tool built by MDSec, and a look at how defenders can detect such activity.
-JWT Authentication Tutorial: An example using Spring Boot
Other interesting articles
29 Startups With The Potential To Transform Cybersecurity
How to Cultivate Security Champions at the Workplace
Good security engineers are hard to come by. What is a company to do? Not all companies can afford outrageous salaries to acquire one, much less a full team of security professionals. Even if those few companies can afford it today, how do they retain them?
The answer to this is not simple and is realistically beyond the scope of one simple article written by a SOC analyst. I do, however, have a suggestion to help
Security Differences: Containers vs. Serverless vs. Virtual Machines
By knowing what type of computing environment you and your development teams are deploying applications on, you have the best chance of applying all security best practices. Ideally, each application in your portfolio can and will be assessed, and you’ll be encouraged to use the most appropriate and streamlined deployment option available. Moving more applications to containers, and going serverless where appropriate, enables production-like security practices to be enforced much earlier in the development cycle and will ultimately improve your overall security profile.
Silk Road: A Cautionary Tale about Online Anonymity
Are bitcoin and the Darkweb as anonymous as people think?
Anti-security :) – Tackling Front End Performance — Strategy, Tools, and Techniques
And finally, in a Future of Mind Uploading, Who Will Own the Data That is YOU?
In a future of mind-uploaded “immortals,” will we achieve unlimited freedom or simply become slaves to that which owns our data?
The year is 2050 and researchers have developed an advanced method of replacing 99% of your brain’s functions with digital software/hardware…
HACKING, TOOLS and FUN – CHECK BELOW!
Description: Traversing the Path to RCE.
Description: Remote Code Execution on a Facebook server.