Word of the week “Paranoia Is Now a Best Practice”
Bust out the tinfoil—the data security crisis is worse than you ever imagined.
Online content manipulation contributed to a seventh consecutive year of overall decline in internet freedom, along with a rise in disruptions to mobile internet service and increases in physical and technical attacks on human rights defenders and independent media.
Nearly half of the 65 countries assessed in Freedom on the Net 2017 experienced declines during the coverage period, while just 13 made gains, most of them minor. Less than one-quarter of users reside in countries where the internet is designated Free, meaning there are no major obstacles to access, onerous restrictions on content, or serious violations of user rights in the form of unchecked surveillance or unjust repercussions for legitimate speech.
Word of the week special “QAppSec”
Why app sec and QA testing teams need to partner
“The Most Persuasive Word in the Dictionary is…BECAUSE”
“The Effectiveness of Publicly Shaming Bad Security”
Crypto challenge of the week
Perplexed by cryptic crosswords?
May 25th: GDPR Live! See incidents section below – 100 days of GDPR HERE
June 30th: PCI DSS deadline to stop using SSL and early TLS (TLS 1.0); TLS 1.1 is the minimum allowed, TLS 1.2 strongly recommended BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS Is Easy!
Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare
HTTPS everywhere HERE
August – Holidays over!!
September 21st: SEC Bitcoin ETF
March 29th 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-OWASP London meetup today (news next week) and next week again
Watch this one!! “Bug Hunting Beyond facebook.com” – Jack Whitton
Facebook’s Whitehat bug bounty program receives thousands of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook’s Whitehat program team handled over the past year, and some pro-tips for looking for bugs outside of “facebook.com”
Event last week hosted video HERE
-Conferences to watch out for
AppSec Israel happened last week:
Security is everybody’s job… Literally!
-AppSec Podcast: A Slice of the Razor with ASP.Net Core
-GrrCON 2018 Videos
DevSecCon London HERE
44Con London HERE – happening this week! More details next week.
OWASP AppSec Bucharest HERE
OWASP events HERE
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incidents in the world last week
Other source HERE Find your country
British Airways data breach
British Airways (BA) has reported a data breach that compromised customers’ names, email addresses and credit card details. BA suspects criminal activity and has notified the police and the relevant authorities.
The NCSC is working with partners to better understand the incident and how it has affected customers, and has published a statement. Up to 380,000 customers are reported to have been affected: those who made bookings on the BA website or app between August 21 and September 5, 2018. You can read BA’s latest information here
Mobile spyware hacks and breaches
Media sources have reported multiple hacks and a data breach affecting businesses that offer mobile spyware as a service. In the last week TheTruthSpy, Family Orbit and mSpy have all been compromised. The NCSC previously reported on a similar data breach of the TeenSafe app back in May
Domain abandonment and hijacking
Gabor Szathmari, an independent Australian cyber security researcher, has published a blog post highlighting the dangers of letting corporate domain names expire. Known as domain name abandonment, this happens when companies that have merged, been acquired, changed name or gone out of business drop a domain, which then becomes available for anyone to re-register. Whoever re-registers it receives the old domain’s email, and can therefore reset passwords for, and gain access to, online services and profession-specific portals that were registered with addresses on that domain
Printers need to be secured
A recent survey of 200 enterprises with over 1,000 employees in the UK, France, Germany and the US by business and IT analyst firm Quocirca revealed that 61% admitted suffering at least one data breach through insecure printers. Modern multi-function printers come with a host of features to print, copy, fax, scan and e-mail documents, making them, in effect, computers themselves and therefore potentially vulnerable to cyber attack
Troy Hunt weekly update
Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims
Only 22 lines of script victimized 380,000 people
Several apps on the Mac store were recently discovered to be stealing users’ data
Some of which is being sent to Chinese servers
Two VPN clients re-patched a vulnerability that was still exploitable after an initial fix was rolled out earlier this year
Apple is working on a new portal designed to help law enforcement agencies file official requests for customers’ information during investigations
Microsoft intercepting Firefox and Chrome installation on Windows 10
Report on Equifax breach is out
In short: no complete asset inventory, vulnerable infrastructure, and failures in SecOps. For example, vulnerability management never identified the vulnerable Apache Struts instance, and the certificate on the device inspecting encrypted traffic had been expired for about 10 months, so the attackers’ traffic was not being monitored.
Public IP Addresses of Tor Sites Exposed via SSL Certificates
Abandoning a domain name can come back to bite you, research shows
EICAR – The Most Common False Positive in the World
Open .git Directories Expose Site Source Code
Researcher Vladimir Smitka found nearly 400,000 web pages with open .git directories. These directories can expose database passwords, API keys, and other information that should never be, but often is, committed to the repository
This is a symptom of the larger problem of poorly audited permissions on directories accessible from the Internet. If you haven’t audited your website for forced browsing attacks, the time to do so is now. With the increased attention on .git directories, expect to see an increase in attackers scanning for forced browsing vulnerabilities of all types.
When deploying an application to your site, make sure the .git directory is not served. Even with directory listing disabled and no index file, well-known files can still be retrieved, such as the list of commits in /.git/logs/HEAD. Verify the contents are not retrievable by requesting <web-site>/.git/HEAD: a real checkout answers with a line like “ref: refs/heads/master”, and from there an attacker can pull .git/index and the object files and rebuild the whole repository
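The check described above, as an added example that is not from the article or from the researcher’s own tooling. It probes the well-known files that exist in every Git checkout (HEAD, config, logs/HEAD) and decides from the shape of the response body rather than the status code, because many servers return 200 with an HTML error page for unknown paths. The probe paths and the header name are the standard Git layout; the target URL is whatever you pass on the command line (defaults to a hypothetical local server).

```python
"""Check a site for an exposed .git directory (added example, not the article's code)."""
import re
import sys
import urllib.error
import urllib.request

# Files present in every .git directory, each with a recognisable content shape.
# HEAD is either a symbolic ref or a bare 40-hex commit id (detached HEAD).
GIT_PROBES = {
    "/.git/HEAD": re.compile(rb"^(ref: refs/|[0-9a-f]{40}\b)"),
    "/.git/config": re.compile(rb"^\[core\]", re.M),
    # reflog lines: <old sha> <new sha> <ident> <timestamp> <tz>\t<message>
    "/.git/logs/HEAD": re.compile(rb"^[0-9a-f]{40} [0-9a-f]{40} "),
}


def classify(path: str, body: bytes) -> bool:
    """True if body looks like the real Git file for this path, not an error page."""
    pattern = GIT_PROBES[path]
    return pattern.search(body.lstrip()) is not None


def fetch(base_url: str, path: str, timeout: float = 5.0):
    """GET base_url + path; return (status, body). (None, b'') on connection failure."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "git-exposure-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as e:
        # 403/404 still carry a body; classify() will reject the error page.
        return e.code, e.read(65536)
    except (urllib.error.URLError, OSError):
        return None, b""


def exposed_git_files(base_url: str) -> list:
    """Return the probe paths whose genuine Git content the site serves."""
    return [p for p in GIT_PROBES if classify(p, fetch(base_url, p)[1])]


if __name__ == "__main__":
    # Hypothetical default target; pass the real site as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8000"
    hits = exposed_git_files(target)
    if hits:
        print("EXPOSED:", ", ".join(hits))
        print("An attacker would now fetch .git/index and the objects and rebuild the repo.")
    else:
        print("No .git files recognised at", target)
```

If the check fires, the fix is at the web server, not in the application: deny the whole path prefix (for nginx a `location ~ /\.git` block that returns 404, for Apache a `RedirectMatch 404 /\.git` rule) and, better, stop deploying the checkout at all and ship a build artefact instead. Re-run the probe after the change; a deny rule that only covers `/.git/` but not `/.git` or a different case can still leave `logs/HEAD` reachable.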
Small businesses targeted by highly localized Ursnif campaign
A new Ursnif malware campaign targets home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive information from just under 200 targets
Developers are worth more to tech companies than cash
Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation
Tesla Will Reflash Car Firmware for Vulnerability Testers
Tesla has reiterated that researchers are permitted to hack its cars without voiding the vehicle’s warranty or facing legal liability. Tesla says it will restore the firmware and operating systems of cars that have been rendered inoperable by testing, with some conditions: the researcher and the vehicle must be registered and approved as part of Tesla’s vulnerability reporting program
Solid password practice on Capital One’s site? Don’t bank on it
What’s in your wallet? Definitely not a password manager
Windows Zero-Day: Advanced Local Procedure Call (ALPC)
An unpatched flaw in Windows Advanced Local Procedure Call (ALPC) is being actively exploited. The vulnerability was first disclosed on August 27, 2018. The issue is that the ALPC interface of the Task Scheduler does not properly check the caller’s permissions when operating on files in the Windows Tasks folder, which allows a local user to escalate to SYSTEM; it affects Windows OS versions later than Windows 7
How to nab a HTTPS cert for a stranger’s website: Step one, shatter those DNS queries…
Domain validation systems fooled by boffins
MEGA Chrome Extension Hacked – Detailed Timeline of Events
Research of the week
-DZone Research: The Future of Security
In this final installment of DZone security research, we dive into automation and its support by Artificial Intelligence (AI) and Machine Learning (ML)
-Fear the Reaper: Characterization and Fast Detection of Card Skimmers
Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices including point of sale terminals, gas pumps, and ATMs. Detecting such devices can be difficult, and while many experts offer advice in doing so, there exists no large-scale characterization of skimmer technology to support such defences. In this paper, we perform the first such study based on skimmers recovered by the NYPD’s Financial Crimes Task Force over a 16 month period. After systematizing these devices, we develop the Skim Reaper, a detector which takes advantage of the physical properties and constraints necessary for many skimmers to steal card data. Our analysis shows the Skim Reaper effectively detects 100% of devices supplied by the NYPD. In so doing, we provide the first robust and portable mechanism for detecting card skimmers
-Integer Factorization — Defining The Limits of RSA Cracking
Tool of the week
– Retire.JS, but for .Net
It checks your apps for known vulnerable dependencies
-Safety checks your installed dependencies for known security vulnerabilities for Python – thanks to Neil
-Search for vulnerabilities, their associated exploits and Metasploit modules – thanks to Naz
-Russian Security Researcher i_bo0om releases Sploitus
A search engine for exploits and tools
-7 open source tools for rugged DevOps
- Gauntlt: The ruggedization framework for DevOps
- Vault: Secrets management
- OWASP Dependency Check: Software dependency security
- ChaoSlingr: Chaos engineering
- InSpec: Secure configuration & compliance validation
- OpenControl and Compliance Masonry: Compliance as code
-OpenSSL 1.1.1 release
Major new features: TLS 1.3, side-channel hardening, new RNG, SHA-3, Ed25519 support
Other interesting articles
Netflix Cloud Security: Detecting Credential Compromise in AWS
Credential compromise is an important concern for anyone operating in the cloud. The problem becomes more obvious over time, as organizations continue to adopt cloud resources as part of their infrastructure without maintaining an accompanying capability to observe and react to these compromises. The associated impacts to these compromises vary widely as well. Attackers might use this for something as straightforward as stealing time and CPU on your instances to mine Bitcoin, but it could be a lot worse; credential compromise could lead to deletion of infrastructure and stolen data
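The detection the article is about, as an added example (not Netflix’s code). The idea is that temporary credentials issued to an EC2 instance through its instance role should only ever be used from addresses the account owns, so an API call made with such credentials from an unknown IP is a strong signal that the keys were exfiltrated from the instance. The CloudTrail records and the list of owned IPs below are constructed; in practice the IP inventory comes from ec2 DescribeInstances and DescribeNatGateways (an assumption about how you would build it, not something the article specifies), and the events from your CloudTrail delivery.

```python
"""Flag instance-role credentials used from outside the account (added example)."""
import ipaddress

# Constructed: public IPs the account owns (instance EIPs, NAT gateway EIPs).
KNOWN_EGRESS_IPS = {"52.0.0.10", "52.0.0.11", "3.3.3.3"}

# Constructed CloudTrail-shaped records, reduced to the fields the detector reads.
# For an instance profile, the assumed-role session name is the instance ID.
_ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/web-role/i-0a1b2c3d4e5f67890"
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "52.0.0.10",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE_ARN}},
    # Same credentials, but called from an address the account does not own.
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE_ARN}},
    # Service-to-service calls are logged with a DNS name, not an IP; skip them.
    {"eventName": "CreateStack", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": _ROLE_ARN}},
    # A human IAM user from an office IP needs a different baseline; ignored here.
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def session_name(event) -> str:
    """Last path component of the ARN; for instance profiles this is the instance ID."""
    return event["userIdentity"].get("arn", "").rsplit("/", 1)[-1]


def is_instance_role_session(event) -> bool:
    ident = event["userIdentity"]
    return ident.get("type") == "AssumedRole" and session_name(event).startswith("i-")


def is_aws_service_call(source: str) -> bool:
    """CloudTrail records calls made by AWS services on your behalf with a DNS name."""
    return source.endswith(".amazonaws.com")


def find_credential_misuse(events, known_ips):
    """Return (eventName, sourceIP, instanceId) for instance-role calls from unknown IPs."""
    known = {ipaddress.ip_address(ip) for ip in known_ips}
    hits = []
    for e in events:
        if not is_instance_role_session(e):
            continue
        src = e["sourceIPAddress"]
        if is_aws_service_call(src):
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            # Neither an IP nor a known service name: surface it rather than drop it.
            hits.append((e["eventName"], src, session_name(e)))
            continue
        if ip not in known:
            hits.append((e["eventName"], src, session_name(e)))
    return hits


if __name__ == "__main__":
    for name, src, instance in find_credential_misuse(SAMPLE_EVENTS, KNOWN_EGRESS_IPS):
        print(f"ALERT {name} by credentials of {instance} from {src}")
```

Two caveats a practitioner would add. First, the set of owned IPs changes constantly (autoscaling, EIP reassignments), so it has to be refreshed from the API rather than kept as a static list, and the comparison should tolerate the propagation delay between an instance launching and its IP appearing in the inventory. Second, this only catches credentials used from outside the account; an attacker who replays them from another host inside your VPC, or through your own NAT gateway, looks like legitimate traffic and needs a per-instance rather than per-account baseline.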
Deploy only what you trust: introducing Binary Authorization for Google Kubernetes Engine
“How do I trust what is running on my production infrastructure?” is one of the top questions we hear from those working in enterprise security and DevOps. To help you answer that question, we’re excited to introduce Binary Authorization in beta so you can be more confident that only trusted workloads are deployed to Google Kubernetes Engine. Integrated into the Kubernetes Engine deployment API, Binary Authorization is a container security feature that provides a policy enforcement chokepoint to ensure only signed and authorized images are deployed in your environment
A Clean Start: Finding Vulnerabilities in your Docker Base Images
Cybersecurity is Rapidly Changing
Working in Cyber Security: “Have fun with the work and don’t try to learn everything all at once”
What is it like to work in cyber security?
Have fun with the work and don’t try to learn everything all at once. Cyber security is such a big field and there are a lot of specializations, you can get overwhelmed if you don’t take things one step at a time
And finally, Sim Ethics
Say you could make a thousand digital replicas of yourself — should you? What happens when you want to get rid of them?
What Are Our Ethical Obligations to Future AI Simulations?
HACKING, TOOLS and FUN – CHECK BELOW!
URL: http://bit.ly/2MQEqzs (+)
Description: XSS using quirky implementations of ACME http-01.
Description: View Private Instagram Photos.
Description: Hacking The RPi Cam Web Interface.