Security Stack Sheet #25

Word of the week

“In the underworld, reality itself has elastic properties and is capable of being stretched into different definitions of the truth.”

Link HERE Book HERE

“Cybersecurity and Class M Planets”

Link HERE

 

Word of the week special

“Remember Remember the 5th of November”

Links HERE and HERE and HERE and Security treats for protection HERE

 

Bonus

Credential stuffing

Link HERE

From last year…

Link HERE

Link HERE

 

Crypto challenge of the week

From Russia with Love

Sarah and Igor are exchange students. Sarah lives in Moscow while Igor is in Berlin. Sarah learns Cyrillic. To keep their little secrets confidential, they encrypt their emails. They have exchanged the key in person. The key is formed from all 26 letters of the Latin alphabet and is 26 letters long.

Link HERE
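A 26-letter key drawn from the whole Latin alphabet is most naturally a permutation of A–Z used as a monoalphabetic substitution table. That reading is an assumption (the challenge text does not say how the key is applied), and the code below is an added example, not part of the challenge or its solution; the key and message are constructed. It shows the cipher both ways, validates that the key really is a permutation, and computes the letter frequencies an attacker starts from, because a substitution preserves plaintext letter statistics no matter how large the keyspace is.

```python
"""Monoalphabetic substitution with a 26-letter permutation key.

Added example for the 'From Russia with Love' challenge. Assumes the key is a
permutation of A-Z used as a substitution table (an assumption; the challenge
only says the key is 26 letters drawn from the whole Latin alphabet).
"""
import math
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def validate_key(key: str) -> str:
    """A valid key uses every Latin letter exactly once."""
    key = key.upper()
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 Latin letters")
    return key


def encrypt(plaintext: str, key: str) -> str:
    """Map plaintext letter i to key letter i; non-letters pass through."""
    key = validate_key(key)
    table = str.maketrans(ALPHABET + ALPHABET.lower(), key + key.lower())
    return plaintext.translate(table)


def decrypt(ciphertext: str, key: str) -> str:
    """Inverse table: key letter i back to alphabet letter i."""
    key = validate_key(key)
    table = str.maketrans(key + key.lower(), ALPHABET + ALPHABET.lower())
    return ciphertext.translate(table)


def letter_frequencies(text: str, top: int = 5) -> list:
    """Most common ciphertext letters: the attacker's first step, since a
    substitution leaves the plaintext letter distribution intact."""
    counts = Counter(c for c in text.upper() if c in ALPHABET)
    return counts.most_common(top)


def keyspace_bits() -> float:
    """26! possible keys, about 88 bits; large, yet irrelevant against
    frequency analysis because the key leaks through letter statistics."""
    return math.log2(math.factorial(26))


# Constructed sample key and message (not the challenge's own).
SAMPLE_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
SAMPLE_MESSAGE = "Meet me at the embassy at noon"

if __name__ == "__main__":
    ct = encrypt(SAMPLE_MESSAGE, SAMPLE_KEY)
    print(ct)
    print(decrypt(ct, SAMPLE_KEY))
    print(letter_frequencies(ct), f"{keyspace_bits():.1f} key bits")
```

The point for the challenge: the keyspace is huge, but the most frequent ciphertext letter in any English text of reasonable length is almost certainly E, and the rest of the table follows from digram patterns, so the ciphertext alone is enough to recover the key.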

Lisk Bug Bounty Program

“LOW — MEDIUM — HIGH — CRITICAL”

  • LOW: €200
  • MEDIUM: €1500
  • HIGH: €2500–5000
  • CRITICAL: Determined on a case-by-case basis

Link HERE

 

Dates

May 25th: GDPR Live! See incidents section below

June 30th: PCI DSS deadline to retire SSL and TLS 1.0; TLS 1.1 is the minimum allowed and TLS 1.2 is strongly recommended  BEWARE!

Link HERE

Now: TLS 1.2 is the minimum for proper security

TLS 1.0 and TLS 1.1 ARE GOING!!

Google HERE Firefox HERE Microsoft HERE
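What "TLS 1.0 and 1.1 are going" means in practice, as an added example (not from the vendor announcements linked above): pin TLS 1.2 as the floor in your own clients, and go looking for servers in your estate that still accept the retired versions. The scan records below are constructed; real ones come from probing each host with a client capped at one version at a time (for instance `openssl s_client -tls1 -connect host:443`), since what matters for compliance is the lowest version a server still accepts, not the highest it can negotiate.

```python
"""Enforce a TLS 1.2 floor and flag hosts that still accept retired versions.

Added example, not from the linked announcements. SAMPLE_SCAN is constructed.
"""
import ssl

# Retired by the browser vendors; TLS 1.0 is also banned by PCI DSS.
RETIRED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and keeps
    certificate verification on (create_default_context's defaults)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def classify_version(version: str) -> str:
    """'ok' or 'retired'; unknown labels are an error, not silently accepted."""
    if version in ACCEPTED:
        return "ok"
    if version in RETIRED:
        return "retired"
    raise ValueError(f"unknown protocol label: {version!r}")


def noncompliant_hosts(scan: dict) -> dict:
    """scan maps host -> set of versions the server was observed to accept.
    Returns only offending hosts, each with its sorted retired versions."""
    result = {}
    for host, versions in scan.items():
        bad = sorted(v for v in versions if classify_version(v) == "retired")
        if bad:
            result[host] = bad
    return result


# Constructed scan results, not real measurements.
SAMPLE_SCAN = {
    "shop.example": {"TLSv1.2", "TLSv1.3"},
    "legacy.example": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "api.example": {"TLSv1.3"},
    "old-portal.example": {"TLSv1.1", "TLSv1.2"},
}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("local floor:", ctx.minimum_version.name)
    for host, bad in noncompliant_hosts(SAMPLE_SCAN).items():
        print(f"{host}: still accepts {', '.join(bad)}")
```

A server that offers TLS 1.2 but still accepts TLS 1.0 remains exposed to downgrade by any client that can be coaxed into the older version; the fix is on the server side, not in the scanner.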

Now: HTTPS mandatory

HTTPS everywhere HERE

March 29th 2019: Brexit

September 2019: PSD2 security mandatory

Near future? – Crypto BTC ETF

French business school accepts fees in bitcoin for blockchain technology courses. A quarter of the Financia Business School’s enrolment is foreign, with students having to bear complex and punitive money transfer costs. The acceptance of cryptocurrency for fees makes it easier for foreign students to cut the costs and transact with ease, said the Paris-based college.

Link HERE

 

Comic of the week

 

Some OWASP stuff first

-AWS Security Webinars

Link HERE

Two Sides to a Bug Bounty: The Researcher and The Program (S04E15)

Link HERE

-BSidesRDU 2018 Videos

Link HERE

 

Events

OWASP events HERE

BlackHat London HERE

All InfoSec events HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

 

Incidents in the world last week

Other source HERE Find your country

Data breach statistics HERE

NO CHANGE SINCE LAST WEEK.

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Cyber security of youth data

A Girl Scouts of America branch in Orange County, California, has suffered a security breach potentially exposing the sensitive personally identifiable information (PII) of thousands of minors.

Unidentified hackers were able to log into the email account used to coordinate travel for its members. Sensitive PII extended as far back as 2014 and included name, date of birth, email, address, driver licence, health history and insurance policy details.

GandCrab

Victims of an aggressive ransomware known as GandCrab can now find assistance in recovering their files from Europol’s No More Ransom website.

Developed by police in Romania, Bulgaria, France, Italy, Poland, the Netherlands, the United Kingdom and the United States together with individual security companies, the comprehensive decryption tool is able to recover files from all versions of GandCrab apart from v1.4 and v5.

Link HERE

Troy Hunt weekly update

Link HERE

 

Incidents detail

VirtualBox Zero-Day Vulnerability Details and Exploit Are Publicly Available

A Russian vulnerability researcher and exploit developer has published detailed information about a zero-day vulnerability in VirtualBox. His explanations include step-by-step instructions for exploiting the bug.

According to the initial details in the disclosure, the issue is present in a shared code base of the virtualization software, available on all supported operating systems.

Link HERE Video HERE

CRLF Injection Into PHP’s cURL Options

Link HERE

PortSmash Side-Channel Vulnerability Affects CPUs

A newly-detected side-channel vulnerability in Intel x64 and other processors could be exploited to steal data. Researchers notified Intel of the flaw early last month. The flaw lies in the chips’ implementation of simultaneous multi-threading (SMT).
[Neely]
To exploit the flaw the code has to be executing on the same core of the same CPU as the victim process. Not all code is susceptible to this attack. For example, while OpenSSL 1.1.0h is, later versions are not, which, in combination with the exploit requirement, makes this a low risk threat. While PortSmash can be mitigated by disabling SMT/Hyper-Threading in the BIOS, evaluate performance impacts before deploying that change across the enterprise.

Link HERE

Chalubo botnet launches denial-of-service attacks against internet-of-things devices

A botnet known as “Chalubo” is targeting IoT devices and launching distributed denial-of-service attacks from them. Once a device is infected, the attacker can download the three components: a downloader, the main bot and a Lua command script.

Link HERE

Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data

Link HERE

Proof-of-concept exploit of the PortSmash microarchitecture attack

Link HERE

Radboud University researchers discover security flaws in widely used data storage devices

These flaws exist in the encryption mechanism of several types of solid state drives – listed below – of two major manufacturers, namely Samsung and Crucial. The vulnerabilities occur both in internal storage devices (in laptops, tablets and computers) and in external storage devices (connected via a USB cable). The storage devices affected include popular models that are currently widely available.

Link HERE

Google released a new version of reCAPTCHA that requires no user interaction

Links HERE and HERE

A December Google Chrome update will disable advertisements on websites that have a history of hosting malicious ads

Link HERE

Google logins: JavaScript now required

Google users: In news that may sound alarming, it is now a requirement for you to enable JavaScript.

Why? When your username and password are entered on Google’s sign-in page, Google runs a risk assessment and only allows the sign-in if nothing looks suspicious. Recently, Google went about improving this analysis and now requires JavaScript in order to run their assessment. Want to use some of those comprehensive security enhancements for your account? Then JavaScript must be enabled, or you won’t be able to log in. JavaScript is now your forever friend.

Link HERE

Attack uses malicious InPage document and outdated VLC media player to give attackers backdoor access to targets

Link HERE

Bluetooth Chip Bugs Affect Enterprise Wi-Fi, as Hackers Exploit Cisco 0-Day

Link HERE

 

Research of the week

-Remember: CyBOK – two new Knowledge Areas released for comment and review

Link HERE

-Denial of Service – by the numbers – by Akamai

Link HERE

-Web Security Stats Show XSS & Outdated Software Are Major Problems

XSS is way more common than SQL Injection

Link HERE

-ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Link HERE

-Android ecosystem security

Google is committed to protecting the privacy and security of over 2 billion Android users. This report provides transparency into our efforts to reduce Potentially Harmful Application (PHA) rates on devices and in Google Play.

Link HERE

 

Tool of the week

-Criminals are using these tools to “crack” your website

Custom-built “cracking” tools are making it easier than ever for criminals to automate credential stuffing. Credential stuffing is the act of testing large sets of stolen credentials against a targeted interface. Criminals load lists of breached credentials into these tools to test them at large scale against targeted web or mobile authentication interfaces.

Link HERE
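The defender's side of the same story, as an added example (not from the linked article): credential stuffing looks different from a brute force in the auth log. A brute force hammers one username from one source; stuffing tries many different usernames from one source, most of them failing, with the occasional success being the account that was actually reused. The detector below keys on that shape. The log format and every line in it are constructed; swap LINE_RE for your own auth log format.

```python
"""Credential-stuffing detector over authentication logs.

Added example, not from the linked article. The log format and SAMPLE_LOG are
constructed. Signal: one source trying many distinct usernames with a high
failure rate (stuffing) versus one username, many attempts (brute force).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one stuffing source, one brute-force source, one normal user,
# plus a malformed line the parser must tolerate.
SAMPLE_LOG = """\
2018-11-06T10:00:01Z src=198.51.100.9 user=alice result=FAIL
2018-11-06T10:00:02Z src=198.51.100.9 user=bob result=FAIL
2018-11-06T10:00:02Z src=198.51.100.9 user=carol result=OK
2018-11-06T10:00:03Z src=198.51.100.9 user=dave result=FAIL
2018-11-06T10:00:03Z src=198.51.100.9 user=erin result=FAIL
2018-11-06T10:00:04Z src=198.51.100.9 user=frank result=FAIL
2018-11-06T10:00:10Z src=203.0.113.7 user=bob result=FAIL
2018-11-06T10:00:11Z src=203.0.113.7 user=bob result=FAIL
2018-11-06T10:00:12Z src=203.0.113.7 user=bob result=FAIL
2018-11-06T10:00:13Z src=203.0.113.7 user=bob result=FAIL
2018-11-06T10:00:14Z src=203.0.113.7 user=bob result=FAIL
2018-11-06T10:00:20Z src=192.0.2.10 user=alice result=FAIL
2018-11-06T10:00:25Z src=192.0.2.10 user=alice result=OK
garbage line that must not crash the parser
"""


def parse(lines):
    """Yield parsed events; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def profile_sources(lines):
    """Per source IP: attempts, failures, distinct usernames, usernames that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
    for ev in parse(lines):
        s = stats[ev["src"]]
        s["attempts"] += 1
        s["failures"] += int(ev["result"] == "FAIL")
        s["users"].add(ev["user"])
        if ev["result"] == "OK":
            s["successes"].add(ev["user"])
    return stats


def classify(stats, min_attempts=5, min_distinct_users=5, min_failure_ratio=0.8):
    """Label each source: credential-stuffing, brute-force or normal.
    Thresholds are starting points; tune them against your own traffic."""
    verdicts = {}
    for src, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if s["attempts"] < min_attempts or ratio < min_failure_ratio:
            verdicts[src] = "normal"
        elif len(s["users"]) >= min_distinct_users:
            verdicts[src] = "credential-stuffing"
        elif len(s["users"]) == 1:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts


def compromised_accounts(lines):
    """Accounts that logged in successfully from a stuffing source: these are the
    reused passwords that worked, and they need a forced reset, not just a block."""
    stats = profile_sources(lines)
    verdicts = classify(stats)
    hit = set()
    for src, verdict in verdicts.items():
        if verdict == "credential-stuffing":
            hit |= stats[src]["successes"]
    return hit


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(classify(profile_sources(lines)))
    print("force reset:", compromised_accounts(lines))
```

Caveat: the per-source signal breaks down when the attacker spreads the list across a proxy botnet so that each IP tries only a handful of usernames. Aggregating by target account instead (many distinct sources failing against many distinct accounts in a short window) and comparing against your baseline failure rate catches that variant; blocking IPs alone does not.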

-CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains

Link HERE
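The technique behind CTFR, as an added example that is not CTFR's own code: every publicly trusted certificate is logged, so querying the logs (crt.sh is the usual front end) returns the names of hosts an organisation has ever obtained a certificate for, without touching the target. The sample response below is constructed in the shape crt.sh returns for a `?q=%25.<domain>&output=json` query: one record per certificate, with that certificate's names in `name_value`, newline-separated. The parser normalises case, unwraps wildcards to their base name, and drops lookalike names outside the target domain.

```python
"""Extract candidate subdomains from a crt.sh JSON response.

Added example, not CTFR's code. SAMPLE_CRTSH_JSON is constructed to match the
crt.sh JSON shape (name_value holds newline-separated names).
"""
import json


def crtsh_url(domain: str) -> str:
    """Query URL for every certificate whose name matches %.<domain>."""
    return f"https://crt.sh/?q=%25.{domain}&output=json"


def subdomains_from_crtsh(raw_json: str, domain: str) -> list:
    """Unique, lower-cased names under `domain` (or equal to it), sorted."""
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert still names its base domain
            # Suffix match, not substring: example.com.evil.test must not qualify.
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


# Constructed sample response (ids and names are made up).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\ndev.example.com"},
    {"id": 3, "common_name": "mail.example.com",
     "name_value": "MAIL.example.com\nwww.example.com"},
    {"id": 4, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])

if __name__ == "__main__":
    print(crtsh_url("example.com"))
    for name in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(name)
```

Two caveats for using this in an engagement: the logs tell you a name was certified, not that a host still answers on it, so resolve and probe the list separately; and the same data is available to attackers, which is the real lesson of the tool for defenders running internal-looking hostnames on public certificates.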

-Masscan as a lesson in TCP/IP

When learning TCP/IP it may be helpful to look at the masscan port scanning program, because it contains its own network stack. This concept, “contains its own network stack”, is so unusual that it will help resolve some confusion you might have about networking.

Link HERE

-The Social Engineering Framework

Link HERE

-Configuring the Cloudflare WAF

Links HERE and HERE For Drupal HERE

 

Other interesting articles

Password Constraints and Their Unintended Security Consequences

You’re probably familiar with some of the most common requirements for creating passwords. A mix of upper and lowercase letters is a simple example. These are known as password constraints. They’re rules for how you must construct a password. If your password must be at least eight characters long, contain lower case, uppercase, numbers and symbol characters, then you have one length, and four character set constraints.

Password constraints eliminate a number of both good and bad passwords. I had never heard anyone ask “how many potential passwords, good and bad, are eliminated?” And so I began searching for the answer. The results were surprising. If you want to know the precise number of possible 8-character passwords there are if all of the character sets must be used, then the equation looks something like this

Link HERE
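The article's equation is not reproduced on this page, so here is the standard way to count it, as an added example rather than the author's own formula: inclusion-exclusion over the character classes. Start from all passwords of the given length, subtract those missing at least one class, add back those missing two, and so on. The class sizes are an assumption (26 lower, 26 upper, 10 digits, 33 printable ASCII symbols with space, 95 in total; the article may count symbols differently), and the brute-force checker exists only to confirm the formula on cases small enough to enumerate.

```python
"""How many passwords survive a 'must use every character class' rule?

Added example; the article's own equation is not on the page, so this is the
standard inclusion-exclusion count, not necessarily the author's formula.
Class sizes are an assumption: 26 lower, 26 upper, 10 digits, 33 symbols.
"""
from itertools import product

CLASSES = [26, 26, 10, 33]  # lower, upper, digits, symbols (assumed sizes)


def count_using_every_class(length: int, classes=CLASSES) -> int:
    """Passwords of `length` over the union of the classes that contain at
    least one character from every class (inclusion-exclusion)."""
    n = len(classes)
    total = 0
    for mask in range(1 << n):  # each subset of classes to leave out
        excluded = [classes[i] for i in range(n) if mask >> i & 1]
        remaining = sum(classes) - sum(excluded)
        sign = -1 if len(excluded) % 2 else 1
        total += sign * remaining ** length
    return total


def fraction_eliminated(length: int, classes=CLASSES) -> float:
    """Share of all possible passwords the constraint rules out."""
    all_passwords = sum(classes) ** length
    return 1 - count_using_every_class(length, classes) / all_passwords


def brute_force_count(length: int, classes) -> int:
    """Enumerate every password for tiny alphabets to check the formula.
    Each symbol is tagged with its class index; size copies per class."""
    alphabet = [cls for cls, size in enumerate(classes) for _ in range(size)]
    return sum(1 for pw in product(alphabet, repeat=length)
               if len(set(pw)) == len(classes))


if __name__ == "__main__":
    n = count_using_every_class(8)
    print(f"8-char passwords using all four classes: {n:,}")
    print(f"out of {95 ** 8:,}; eliminated: {fraction_eliminated(8):.1%}")
```

The surprise the article points at is visible in the numbers: the rule throws away more than half of the 8-character keyspace, and because the survivors must contain a digit and a symbol, an attacker's mask search can assume so too.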

 

DevSecOps changes security

There’s been an ongoing kerfuffle over whether we need to expand DevOps to explicitly bring in security. After all, the thinking goes, DevOps has always been something of a shorthand for a broad set of new practices, using new tools (often open source) and built on more collaborative cultures. Why not DevBizOps for better aligning with business needs? Or DevChatOps to emphasize better and faster communications?

  • Automation
  • “Shift left”
  • Manage dependencies
  • Visibility
  • Services vs. monoliths

Link HERE DevSecOps in AWS HERE Azure HERE

 

Top 4 Questions to Ask About Compliance, Security, and Containers

Question 1: Are the Right Access Controls in Place?

Question 2: Are Containers Configured Properly?

Question 3: Is the Proper Security Orchestration in Place?

Question 4: Do the Infrastructure Solutions You’re Using Keep Your Industry’s Compliance Standards in Mind?

Link HERE Docker Best Practices HERE and HERE and HERE and HERE

 

And finally, the tax you are paying for using Scrum

Link HERE

 

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: http://bit.ly/2qnqbnO  (+)

Description: Journey through Google referer leakage bugs (KISS).

URL: http://bit.ly/2QcNf46  (+)

Description: How I hacked Anda, the public transportation app of Porto (CVE-2018-13342).

Link HERE and credits to HERE
