Word of the week “Cyber Security Month”
Week 2: Oct. 8–12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
A key risk to our economy and security continues to be the shortage of cybersecurity professionals to safeguard our ever-expanding cyber ecosystem. Raising the next generation of interested and capable cybersecurity professionals is a starting point to building stronger defenses. There are limitless opportunities to educate students of all ages – from high school into higher education and beyond – on the field of cybersecurity as they consider their options. In addition, veterans and individuals who are looking for a new career or re-entering the workforce should explore the multitude of well-paying and rewarding jobs available. Week 2 will address ways to motivate parents, teachers and counselors to learn more about the field and how to best inspire students and others to seek highly fulfilling cybersecurity careers.
Word of the week special
“The Lucifer effect” in Cyber Security
Crypto challenge of the week
Embedded Security CTF Challenge
You’ll want to know a bit about memory corruption vulnerabilities. Feeling lost? Let’s see if we can’t clear that up in just a few sentences:
- Trick a device into consuming more input than it allocated memory for and you’ve caused a buffer overflow.
- Overflow a buffer that lives on the program stack and you’ve “smashed the stack”; look that up on Google if you like, but the exploit is simple: overwrite another stack variable, often the return address of the function you’re in, and use that to take control of the device, often by aiming the CPU at memory you control.
- Overflow a buffer that was created by an allocator and you’ve “corrupted the heap”: allocators keep metadata to track the memory they’re managing, and they trust that only the program can manipulate that metadata; corrupt it to trick the program into writing to arbitrary places in memory.
- Zero bottles of beer on the wall, zero bottles of beer; take one down, pass it around, 65535 bottles of beer on the wall.
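The bullets above describe the defender's side of the problem only implicitly, so here is an added example (not part of the CTF or the original text) showing what a length check has to get right before any copy into a fixed-size buffer. The two-byte length-prefixed message format, the BUF_SIZE of 64 and the sample messages are all assumptions constructed for this example; the 16-bit wrap is the one the last bullet jokes about.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* fixed-size destination, as on a small embedded device (assumed) */

/* The wrap the last bullet jokes about: a 16-bit counter "taking one down"
   from zero lands on 65535. Unsigned arithmetic never faults; it wraps. */
uint16_t bottles_after_taking_one(uint16_t bottles) {
    return (uint16_t)(bottles - 1);
}

/* Checked subtraction: refuses to wrap instead of silently producing a huge
   value that a later copy would trust as a length. */
bool sub_u16_checked(uint16_t a, uint16_t b, uint16_t *out) {
    if (b > a) return false;
    *out = (uint16_t)(a - b);
    return true;
}

/* Hardened reader for a hypothetical wire format used only in this example:
   two little-endian length bytes followed by the payload.
   Returns the payload length on success, -1 for malformed or oversized input.
   Every bound is validated in size_t arithmetic before a single byte moves. */
int read_record(const uint8_t *msg, size_t msg_len, uint8_t out[BUF_SIZE]) {
    if (msg == NULL || msg_len < 2)
        return -1;                                    /* header must be complete */
    uint16_t claimed = (uint16_t)(msg[0] | (msg[1] << 8));
    size_t available = msg_len - 2;                   /* cannot underflow: msg_len >= 2 */
    if (claimed > available)
        return -1;                                    /* length claims more than we received */
    if (claimed > BUF_SIZE)
        return -1;                                    /* would run past the stack buffer */
    memcpy(out, msg + 2, claimed);
    return (int)claimed;
}

/* Feeds three constructed messages through read_record and returns how many
   were rejected (two: the lying length and the honest-but-too-large one). */
int count_rejected_samples(void) {
    uint8_t out[BUF_SIZE];
    const uint8_t good[]  = {3, 0, 'a', 'b', 'c'};   /* honest length */
    const uint8_t lying[] = {0xFF, 0xFF};            /* claims 65535, carries 0 */
    uint8_t big[2 + 100];                            /* honest, but larger than BUF_SIZE */
    memset(big, 'x', sizeof big);
    big[0] = 100; big[1] = 0;
    int rejected = 0;
    if (read_record(good, sizeof good, out) < 0) rejected++;
    if (read_record(lying, sizeof lying, out) < 0) rejected++;
    if (read_record(big, sizeof big, out) < 0) rejected++;
    return rejected;
}

int main(void) {
    printf("0 bottles, take one down: %u\n", bottles_after_taking_one(0));
    printf("rejected samples: %d of 3\n", count_rejected_samples());
    return 0;
}
```

The order of the checks matters: the "claimed > available" test is what stops a header from talking the reader into copying memory that was never received, and the "claimed > BUF_SIZE" test is what keeps the copy inside the stack buffer regardless of how much input arrived. Both comparisons are done on values that cannot have wrapped, which is the property the naive `remaining -= len` pattern lacks.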
May 25th: GDPR Live! See incidents section below
June 30th: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS everywhere HERE
March 29th 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-Remember: The OWASP Code Pulse Project – version 2.5.0 has been out since August!
A tool that provides insight into the real-time code coverage of black box testing activities. It is a cross-platform desktop application that runs on most major platforms
-Red Team Telemetry
-OWASP Cloud-Native Application Security Top 10
-Docker Security Threat Modelling
-Application Security Podcast
Chaos Engineering and #AppSec (S04E11)
On this episode, Chris and Robert talk to Aaron Rinehart about how the security community can embrace chaos engineering
DevSecCon London HERE NEXT WEEK Thursday!
Use code for 20% reduction – devseccon20
OWASP AppSec Bucharest HERE
OWASP AppSec USA HERE
OWASP events HERE
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incidents in the world last week
Other source HERE Find your country
Microsoft Warns Fileless Malware on the Rise
Media reporting has highlighted a recent warning from Microsoft that so-called ‘fileless’ malware attacks are on the rise.
According to the report, the trend towards fileless malware is being driven by the increasing effectiveness of antivirus solutions, which can detect the installation of malicious files on a hard-drive.
Attribution of Russian close access and remote cyber operations
Dutch and UK authorities attributed a range of malicious cyber activity to Russian military intelligence (GRU) on Thursday 4 October.
LoJax – A new type of rootkit
Security researchers at anti-virus software company ESET have revealed a new type of malware that is capable of surviving reinstallation of the Windows operating system or even hard drive replacement.
This type of clandestine rootkit is designed to provide continued privileged access to a computer while actively hiding its presence. This is the first time this type of malware has been seen ‘in the wild’.
Last one HERE
Troy Hunt weekly update
GDPR vs Facebook Hack
That same Facebook hack could lead to the social media giant facing up to a $1.63 billion fine in the European Union under GDPR regulations
Chinese hackers may have installed tiny chips onto devices used in the U.S.
…that could be used to carry out cyber espionage. The companies named in the report, including Amazon and Apple, have so far denied that this happened
Google plans to shut down its Google+ social media platform after it tried to cover up a data breach
The company chose to not disclose that thousands of users could have had their information stolen over the past three years, according to a report in the Wall Street Journal, which led it to shut down the site
Bypassing Web Cache Poisoning Countermeasures
Many online services, such as Tinder and Pinterest, are still unsure how a recent data breach at Facebook may impact them
Intel Adds Spectre/Meltdown Mitigation to 9th Generation CPUs
Google released new regulations for extension developers, hoping to curtail the number of malicious apps that appear in the store for the Google Chrome web browser
Google PDFium information disclosure vulnerability
Google PDFium’s JBIG2 library contains a bug that could lead to an information leak, which could be used as part of a larger exploit. PDFium is a PDF reader used in Google’s Chrome and Chromium web browser. An attacker can exploit this flaw by convincing the user to open a malicious PDF
Trusting the delivery of Firefox Updates
Disclosure of Servers With Hardware Back-Doors
Brian Krebs places the Chinese technology manufacturing threat to the US supply chain in context. For example, it isn’t new: “More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.” And it will be extremely hard to counter: “ … it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today,” and “it’s quite time consuming and expensive to detect when products may have been intentionally compromised during some part of the manufacturing process. Your typical motherboard of the kind produced by a company like Supermicro can include hundreds of chips, but it only takes one hinky chip to subvert the security of the entire product.” He closes by offering five steps we need to take now to help mitigate the problem – from Bill Murray’s list
Credit reporting agency Experian’s website contained a flaw
…that exposed the credit freeze PINs of its users, which was patched in a matter of hours
Popping shells on Splunk
Auditing KRACKs in Wi-Fi
Preventing all attacks is hard in practice
Github Token Leaked publicly for https://github.sc-corp.net
California’s IoT Security Bill Will Require Devices to Ship With Unique Passwords
On September 28, 2018, the Information Privacy: Connected Devices bill was signed into law. Effective January 1, 2020, the law requires that Internet of Things (IoT) devices ship with unique passwords instead of a common default password.
Having users set up a strong password upon first use is a step in the right direction. Devices will also have to include password recovery mechanisms, which must have appropriate validation checks.
This is a step in the right direction for security, but will likely lead to greater implementation and troubleshooting issues. I’m betting that manufacturers will implement a factory reset password scheme that is algorithmically generated based on some data available without authentication (e.g. some unauthenticated endpoint that returns a device ID, which can be used to derive the password)
Research of the week
-Interactive Application Security Testing 101: How to Evaluate and Implement an IAST Solution
How can I benefit from IAST?
- Actionable findings for development teams
- Comprehensive vulnerability and security risk reporting earlier in the SDLC
- Low false-positive rates
- Seamless integration into automated development and testing environments
-7 Common Security Pitfalls to Avoid When Migrating to The Cloud
-The Hacker Powered Security Report 2018
-How Does an Intel Processor Boot?
When we switch on a computer, it goes through a series of steps before it is able to load the operating system. In this post we will see how a typical x86 processor boots. This is a very complex and involved process, and we will only present its basic overall structure. The path the processor actually takes to reach a state where it can load an OS also depends on the boot firmware; we will follow the example of coreboot, an open source boot firmware.
Tool of the week
-Remember: Leave your VPN and cURL secure APIs with Cloudflare Access
-Bellingcat’s Online Investigation Toolkit – thanks to Naz
-Security and convenience with biometrics and Windows Hello
A vulnerability consolidation and management tool that enhances scan results by merging different findings of the same weakness across multiple static and dynamic scans.
-Bypassing WAFs and cracking XOR with Hackvertor
-Token Binding specs are RFC: deploy NOW with mod_token_binding
Today the so-called Token Binding specifications have formally been promoted to Proposed Standard RFCs by the IETF. Essentially, those specs define how to securely bind tokens to the communication channel running between a client and a server. As simple as that sounds, it is an extremely important step forward in web security: tokens are used everywhere across the Internet today (e.g. for SSO, APIs and mobile apps), and the ubiquitous HTTP cookie also falls into the security token category.
-Simple HS256 JWT token brute force cracker
Other interesting articles
How to Enable Developers to Build Secure Software
“Having security professionals work with developers is a good process, but what is equally important is to provide security training to developers, so they can help themselves.”
Why You Shouldn’t Use Facebook to Log In to Other Sites
Facebook offered a convenient and secure way to sign up for online services. A major hack shows it failed at its one job.
I’m going to quit using Facebook to log in to apps and sites online. You should, too
Remember: The 2018 DevOps RoadMap
An illustrated guide to becoming a DevOps Engineer with links to relevant courses
And finally, Say It to My Face
Discussing the implications of face recognition technology with artist and researcher Adam Harvey.
Faces have evolved to convey information. Facial recognition was developed to replicate that human perceptual task. Then, in the last two years, researchers figured out a new way of seeing that isn’t human anymore. For example, by amplifying the green color channel in your forehead, I can extract your heart rate. The capabilities of computer vision broke away from the bottlenecks of our own built-in multimodal perceptual systems
HACKING, TOOLS and FUN – CHECK BELOW!
Description: Google Stored XSS in Payments.
URL: http://bit.ly/2OzZOsx (+)
Description: Applying a small bypass to steal Facebook Session tokens in Uber.