Word of the week
“In the underworld, reality itself has elastic properties and is capable of being stretched into different definitions of the truth.”
“Cybersecurity and Class M Planets”
Word of the week special
“Remember Remember the 5th of November”
From last year…
Crypto challenge of the week
From Russia with Love
Sarah and Igor are exchange students. Sarah lives in Moscow while Igor is in Berlin. Sarah learns Cyrillic. To keep their little secrets confidential, they encrypt their emails. They have exchanged the key in person. The key is formed from all 26 letters of the Latin alphabet; the key is 26 letters long.
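A key made of all 26 Latin letters, each used once, is a keyed monoalphabetic substitution: the letter at alphabet position i is replaced by key[i]. The following is an added example (not part of the newsletter or the challenge) implementing that cipher in Python; the demo key and sample message are constructed here, and the assumption that case and non-letters pass through unchanged is mine. The last helper ranks ciphertext letters by frequency, which is the property a solver relies on, since a substitution cipher preserves the plaintext's letter-frequency profile.

```python
"""Keyed monoalphabetic substitution cipher of the kind described in the challenge.

Added example (not from the newsletter or the challenge itself). Assumption:
the 26-letter key is a permutation of the Latin alphabet, and the plaintext
letter at alphabet position i is replaced by key[i]; letter case and any
non-letter characters (spaces, digits, punctuation) are left untouched.
"""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Constructed key for the demo: a permutation of all 26 Latin letters.
DEMO_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def validate_key(key: str) -> str:
    """Return the key upper-cased, or raise if it is not a 26-letter permutation."""
    key = key.upper()
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must contain each of the 26 Latin letters exactly once")
    return key


def encrypt(plaintext: str, key: str) -> str:
    """Map each Latin letter through the key; everything else passes through."""
    key = validate_key(key)
    table = str.maketrans(ALPHABET + ALPHABET.lower(), key + key.lower())
    return plaintext.translate(table)


def decrypt(ciphertext: str, key: str) -> str:
    """Invert encrypt(): map key letters back to their alphabet positions."""
    key = validate_key(key)
    table = str.maketrans(key + key.lower(), ALPHABET + ALPHABET.lower())
    return ciphertext.translate(table)


def most_common_letters(text: str, n: int = 3) -> list:
    """Rank ciphertext letters by frequency. A substitution cipher keeps the
    plaintext frequency profile, which is why such challenges fall to
    frequency analysis rather than to key search."""
    counts = Counter(c for c in text.upper() if c in ALPHABET)
    return [letter for letter, _ in counts.most_common(n)]


if __name__ == "__main__":
    msg = "Meet me in Berlin at 9."  # constructed sample plaintext
    ct = encrypt(msg, DEMO_KEY)
    print(ct)
    print(decrypt(ct, DEMO_KEY))
    print(most_common_letters(ct))
```

A 26-letter permutation key has 26! possible values, so the weakness is not the key size but the preserved letter statistics; that is the gap the frequency helper makes visible.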
Lisk Bug Bounty Program
“LOW — MEDIUM — HIGH — CRITICAL”
- LOW: €200
- MEDIUM: €1500
- HIGH: €2500–5000
- CRITICAL: Determined on a case-by-case basis
May 25th: GDPR Live! See incidents section below
June 30th: TLS 1.1 mandatory for PCI-DSS compliance. BEWARE!
Now: TLS 1.2 mandatory for proper security
TLS 1.0 and TLS 1.1 ARE GOING!!
Now: HTTPS mandatory
HTTPS everywhere HERE
March 29th 2019: Brexit
September 2019: PSD2 security mandatory
Near future? – Crypto BTC ETF
French business school accepts fees in bitcoin for blockchain technology courses. A quarter of the Financia Business School’s enrolment is foreign, with students having to bear complex and punitive money transfer costs. The acceptance of cryptocurrency for fees makes it easier for foreign students to cut the costs and transact with ease, said the Paris-based college.
Comic of the week
Some OWASP stuff first
- AWS Security Webinars
- BSidesRDU 2018 Videos
OWASP events HERE
BlackHat London HERE
All InfoSec events HERE
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incidents in the world last week
Other source HERE Find your country
Data breach statistics HERE
NO CHANGE SINCE LAST WEEK.
Cyber security of youth data
A Girl Scouts of America branch in Orange County, California, has suffered a security breach potentially exposing the sensitive personally identifiable information (PII) of thousands of minors.
Unidentified hackers were able to log into the email account used to coordinate travel for its members. Sensitive PII extended as far back as 2014 and included name, date of birth, email, address, driver licence, health history and insurance policy details.
Victims of an aggressive ransomware known as GandCrab can now find assistance in recovering their files from Europol’s No More Ransom website.
Developed by police in Romania, Bulgaria, France, Italy, Poland, the Netherlands, the United Kingdom, the United States and individual security companies, the comprehensive decryption tool is able to recover files from all versions of GandCrab apart from v1.4 and v5.
Troy Hunt weekly update
VirtualBox Zero-Day Vulnerability Details and Exploit Are Publicly Available
A Russian vulnerability researcher and exploit developer has published detailed information about a zero-day vulnerability in VirtualBox. His explanations include step-by-step instructions for exploiting the bug.
According to the initial details in the disclosure, the issue is present in a shared code base of the virtualization software, available on all supported operating systems.
CRLF Injection Into PHP’s cURL Options
PortSmash Side-Channel Vulnerability Affects CPUs
A newly-detected side-channel vulnerability in Intel x64 and other processors could be exploited to steal data. Researchers notified Intel of the flaw early last month. The flaw lies in the chips’ implementation of simultaneous multi-threading (SMT).
To exploit the flaw the code has to be executing on the same core of the same CPU as the victim process. Not all code is susceptible to this attack. For example, while OpenSSL 1.1.0h is, later versions are not, which, in combination with the exploit requirement, makes this a low-risk threat. While PortSmash can be mitigated by disabling SMT/Hyper-Threading in the BIOS, evaluate performance impacts before deploying that change across the enterprise.
Chalubo botnet launches denial-of-service attacks against internet-of-things devices
A botnet known as “Chalubo” is targeting IoT devices and launching distributed denial-of-service attacks against them. Once a device is infected, the attacker can download the three components: a downloader, the main bot and a Lua command script.
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Proof-of-concept exploit of the PortSmash microarchitecture attack
Radboud University researchers discover security flaws in widely used data storage devices
These flaws exist in the encryption mechanism of several types of solid state drives – listed below – of two major manufacturers, namely Samsung and Crucial. The vulnerabilities occur both in internal storage devices (in laptops, tablets and computers) and in external storage devices (connected via a USB cable). The storage devices affected include popular models that are currently widely available.
Google released a new version of reCAPTCHA that requires no user interaction
A December Google Chrome update will disable advertisements on websites that have a history of hosting malicious ads
Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets
Bluetooth Chip Bugs Affect Enterprise Wi-Fi, as Hackers Exploit Cisco 0-Day
Research of the week
- Remember: CyBOK – two new Knowledge Areas released for comment and review
- Denial of Service – by the numbers – by Akamai
- Web Security Stats Show XSS & Outdated Software Are Major Problems
XSS is way more common than SQL Injection
- ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field
- Android ecosystem security
Google is committed to protecting the privacy and security of over 2 billion Android users. This report provides transparency into our efforts to reduce Potentially Harmful Application (PHA) rates on devices and in Google Play.
Tool of the week
- Criminals are using these tools to “crack” your website
Custom-built “cracking” tools are making it easier than ever for criminals to automate credential stuffing. Credential stuffing is the act of testing large sets of stolen credentials against a targeted interface. Criminals load lists of breached credentials into these tools to test them at large scale against targeted web or mobile authentication interfaces.
- CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
- Masscan as a lesson in TCP/IP
When learning TCP/IP it may be helpful to look at the masscan port scanning program, because it contains its own network stack. This concept, “contains its own network stack”, is so unusual that it will help resolve some confusion you might have about networking.
- The Social Engineering Framework
- Configuring the Cloudflare WAF
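The credential-stuffing item above describes the attacker side; the defender's signature is the mirror image: one source failing against many distinct usernames in a short window, which a single-account brute-force does not produce. The following added example (not from the newsletter or the linked article) implements that rule in Python over a constructed log format. The line layout, the two-minute window and the threshold of five distinct usernames are assumptions chosen for the demo, not values from any product.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example, not from the newsletter or the article it links. Assumption:
one log line per login attempt, in the constructed format
    <ISO-8601 UTC timestamp> login_<failed|ok> user=<name> src=<ip>
Credential stuffing shows up as one source failing against MANY DISTINCT
usernames in a short window (unlike a brute-force on one account), so the
rule below keys on distinct usernames per source, and it records any
success from an already-flagged source, since that is the hit to escalate.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login_(?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: 203.0.113.7 sprays five accounts then logs in as a
# sixth; 198.51.100.3 retries a single account; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2018-11-05T09:00:00Z login_failed user=alice src=203.0.113.7
2018-11-05T09:00:03Z login_failed user=bob src=203.0.113.7
2018-11-05T09:00:05Z login_failed user=carol src=203.0.113.7
2018-11-05T09:00:08Z login_failed user=dave src=203.0.113.7
2018-11-05T09:00:10Z login_failed user=erin src=203.0.113.7
2018-11-05T09:00:12Z login_ok user=frank src=203.0.113.7
2018-11-05T09:01:00Z login_failed user=bob src=198.51.100.3
2018-11-05T09:01:10Z login_failed user=bob src=198.51.100.3
2018-11-05T09:01:20Z login_failed user=bob src=198.51.100.3
2018-11-05T09:05:00Z login_ok user=alice src=192.0.2.44
"""


def parse(line: str):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_stuffing(lines, window=timedelta(seconds=120), min_users=5) -> dict:
    """Return {src: {"distinct_users": n, "successes": [users]}} for every source
    that failed against at least `min_users` distinct usernames within `window`."""
    events = sorted(e for e in map(parse, lines) if e)
    recent = defaultdict(deque)  # src -> deque of (ts, user) failed attempts
    flagged = {}
    for ts, result, user, src in events:
        q = recent[src]
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "failed":
            q.append((ts, user))
            distinct = {u for _, u in q}
            if len(distinct) >= min_users:
                entry = flagged.setdefault(src, {"distinct_users": 0, "successes": []})
                entry["distinct_users"] = max(entry["distinct_users"], len(distinct))
        elif src in flagged:
            # A success from a flagged source is the event worth paging on.
            flagged[src]["successes"].append(user)
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The per-source window keeps memory bounded to the attempts inside the window; at scale the same rule is usually run keyed on source subnet or ASN as well, since stuffing tools rotate addresses.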
Other interesting articles
Password Constraints and Their Unintended Security Consequences
You’re probably familiar with some of the most common requirements for creating passwords. A mix of upper and lowercase letters is a simple example. These are known as password constraints. They’re rules for how you must construct a password. If your password must be at least eight characters long and contain lowercase, uppercase, numeric and symbol characters, then you have one length constraint and four character set constraints.
Password constraints eliminate a number of both good and bad passwords. I had never heard anyone ask “how many potential passwords, good and bad, are eliminated?” And so I began searching for the answer. The results were surprising. If you want to know the precise number of possible 8-character passwords there are if all of the character sets must be used, then the equation looks something like this
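The count the article is after is a standard inclusion-exclusion sum: start from every 8-character string over the full character set, subtract the strings missing at least one required class, add back those missing two, and so on. The following added example (not part of the article or the newsletter) computes that count in Python for any length and any set of character classes, and checks itself against brute-force enumeration on a small case. The symbol set is assumed to be Python's `string.punctuation` (32 characters); the article does not say which symbols it counted, so its figure may differ.

```python
"""Count passwords that satisfy "must contain every character class" rules.

Added example, not from the article or the newsletter. Assumption: the
symbol class is string.punctuation (32 characters); the article's exact
symbol set is not given, so its numbers may differ from these.
"""
from itertools import combinations, product
import string

# Constructed classes for the standard "lower + upper + digit + symbol" policy.
STANDARD_CLASSES = [
    string.ascii_lowercase,  # 26
    string.ascii_uppercase,  # 26
    string.digits,           # 10
    string.punctuation,      # 32 (assumption, see above)
]


def count_with_all_classes(length: int, class_sizes: list) -> int:
    """Number of strings of `length` over the union of the classes that use
    at least one character from EVERY class, by inclusion-exclusion:
        sum over subsets T of classes of (-1)^|T| * (N - |T|)^length
    where N is the total alphabet size and |T| the characters in T's classes."""
    n = sum(class_sizes)
    total = 0
    for k in range(len(class_sizes) + 1):
        for subset in combinations(class_sizes, k):
            total += (-1) ** k * (n - sum(subset)) ** length
    return total


def count_by_brute_force(length: int, classes: list) -> int:
    """Enumerate every string and test the rule directly; only for tiny inputs."""
    alphabet = "".join(classes)
    count = 0
    for pw in product(alphabet, repeat=length):
        if all(any(ch in cls for ch in pw) for cls in classes):
            count += 1
    return count


def eliminated_fraction(length: int, classes: list) -> float:
    """Share of all strings of `length` that the class constraints reject."""
    sizes = [len(c) for c in classes]
    total = sum(sizes) ** length
    allowed = count_with_all_classes(length, sizes)
    return (total - allowed) / total


if __name__ == "__main__":
    allowed = count_with_all_classes(8, [len(c) for c in STANDARD_CLASSES])
    print(f"8-char passwords using all four classes: {allowed:,}")
    print(f"fraction of 8-char strings eliminated: {eliminated_fraction(8, STANDARD_CLASSES):.3%}")
```

The brute-force checker exists only to validate the formula: with classes `["ab", "A", "1", "!"]` and length 4, both routes give 48 (4! orderings of one character per class, times 2 choices for the lowercase slot).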
DevSecOps changes security
There’s been an ongoing kerfuffle over whether we need to expand DevOps to explicitly bring in security. After all, the thinking goes, DevOps has always been something of a shorthand for a broad set of new practices, using new tools (often open source) and built on more collaborative cultures. Why not DevBizOps for better aligning with business needs? Or DevChatOps to emphasize better and faster communications?
- “Shift left”
- Manage dependencies
- Services vs. monoliths
Top 4 Questions to Ask About Compliance, Security, and Containers
Question 1: Are the Right Access Controls in Place?
Question 2: Are Containers Configured Properly?
Question 3: Is the Proper Security Orchestration in Place?
Question 4: Do the Infrastructure Solutions You’re Using Keep Your Industry’s Compliance Standards in Mind?
And finally, the tax you are paying for using Scrum
## HACKING, TOOLS and FUN – CHECK BELOW!
URL: http://bit.ly/2qnqbnO (+)
Description: Journey through Google referer leakage bugs (KISS).
URL: http://bit.ly/2QcNf46 (+)
Description: How I hacked Anda, the public transportation app of Porto (CVE-2018-13342).