Word of the week
5 most important vulnerabilities every developer should be aware of
“Securing the future state”
Word of the week special “We are all Equifax” from OWASP London Stefania Chaplin
In March 2017 hackers took three days to identify and exploit a new vulnerability in Equifax’s web applications. In the post-Equifax world, moving new business requirements (e.g., a non-vulnerable version of Struts2) into production in under three days might just be your new normal. Find out what the analysis of 17,000 applications reveals about the quality and security of software built with open source components. DevSecOps teams are applying lessons from W. Edwards Deming (circa 1982), Malcolm Goldrath (circa 1984) and Gene Kim (circa 2013) to improve their ability to respond to new business requirements and cyber risks
Link to presentation HERE AND Beyond passwords: 2FA, U2F and Google Advanced Protection
The Wartime Spies Who Used Knitting as an Espionage Tool
Grandma was just making a sweater. Or was she?
2018 Hacker Kids Gift Guide – holiday gifts to for young hackers
Crypto challenge of the week
May 25th: GDPR Live! See incidents section below
June 30th: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
TLS 1.0 and TLS 1.1 ARE GOING!!
Now: HTTPS mandatory
HTTPS everywhere HERE
Why closing port 80 is bad for security
March 29th 2019: Brexit
September 2019: PSD2 security mandatory
Near future? – Crypto BTC ETF
Comic of the week
Some OWASP stuff first
-OWASP London event – 22 Nov – yesterday
- “We Are All Equifax: Data Behind DevSecOps” – Stefania Chaplin
Conclusion: The title says it all!
- “I know what you did last summer: New persistent tracking mechanisms used in the wild” – Dr. Alexios Mylonas
Conclusion: Everyone tracks you and if you want to make sure you have deleted that data from your browser do the following: Delete browser history, quit browser, kill browser process… format HDD and shut down computer, pull the plug from the wall.
-FROM THE OWASP TOP TEN(S) TO THE OWASP ASVS
-OWASP Serverless Top 10 – First Released
When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider such as AWS, Azure and Google Cloud. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers and the code is executed only when needed
-104: The world’s most evil phishing test, and cyborgs in the workplace
Does your employer want to turn you into a cyborg? Was this phishing test devised by an evil genius? And how did a cinema chain get scammed out of millions, time and time again…?
Oh, and the subject of erasable pens comes up again
-Security Culture Hacking: Disrupting the Security Status Quo – Chris Romeo
OWASP events HERE
BlackHat London HERE
All InfoSec events HERE
Remember: LocoMocoSec Conference in Hawaii 2018 – Presentations
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incidents in the world last week
Other source HERE Find your country
Data breach statistics HERE
NO CHANGE SINCE LAST WEEK.
Reported breaches in the first 9 months of 2018 exposed 3.6 billion records
Incidents by data type exposed
Smishing, the criminal’s data source in your pocket
According to recent reports, smishing, a technique similar to phishing, but using an SMS message rather than an email, is on the rise. The SMS message, which can be disguised to appear from an official source, will have a link which can download malware or redirect the victim to a malicious website to steal credentials or other personal data
Popular GDPR-related plugin compromised
According to media reporting, cyber criminals have recently found and exploited a vulnerability in the popular WordPress plugin WP GDPR Compliance. The vulnerability allowed the malicious actors to access WordPress sites and install backdoor scripts
African ISP inadvertently routes internet traffic via Russia and China
On Monday afternoon there was a widely reported outage of Google services in the US. This lasted for 74 minutes and was due to internet traffic being wrongly directed via Russia and China in a situation known as a “BGP Hijack”
UK Parliament Committee Report: Critical Infrastructure Cyber Security at Risk
According to a report from the UK Parliament’s Joint Committee on National Security Strategy, the UK’s national critical infrastructure is vulnerable to damaging cyber attacks. The report also says that while the risk of cyberattacks on the national critical infrastructure is growing, neither the government nor the private companies that operate elements of critical infrastructure are doing enough to adequately protect it. The report’s authors “are concerned that expectations of the [GCHQ’s] National Cyber Security Centre are outstripping the resources put at its disposal by the Government.” They go on to “urge the Government to appoint a single Cabinet Office Minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”
“This is a global story and would have been completely valid had “UK” been replaced with the name of many other countries.”
Troy Hunt weekly update
The next version of HTTP won’t be using TCP
HTTP is switching to a protocol layered on top of UDP
Most VPN Services are Terrible
Microsoft menaced with GDPR mega-fines in Europe for ‘large scale and covert’ gathering of people’s info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say
APT29, otherwise known as the Russian threat group “Cozy Bear” is likely behind a massive string of spear-phishing emails over the past few weeks
‘I’m Possibly Alive Because It Exists:’ Why Sleep Apnea Patients Rely on a CPAP Machine Hacker
An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on CPAP machines to create a free tool that lets patients modify their treatment
Six Reasons App Security Defence Doesn’t Belong at the Edge
Instagram patched a bug in its website that could allow an attacker to view the passwords of some of its users in plain text
BlackBerry plans to acquire cybersecurity firm Cylance for $1.4 billion
Major SMS security lapse is a reminder to use authenticator apps instead
26 million customer texts were exposed
GPU side channel attacks can enable spying on web activity, password stealing
Gmail Glitch Offers Stealthy Trick for Phishing Attacks
Moody’s Will Factor Risk of Cyber Attacks into Ratings
Moody’s plans to start including the impact a major cybersecurity incident would have on a company in its creditworthiness ratings. Moody’s may move to a separate cyber-risk rating apart from the entity’s credit ranking. According to its website. “Moody’s… provid[es] credit ratings, research, tools and analysis that contribute to transparent and integrated financial markets.”
The insurance agencies are working hard to assess cybersecurity incidents and risk, as are the SEC and other government regulators. Moody’s movement into this area seems to be a logical step. Companies’ values are based on many factors, including their intellectual property, their corporate strategies, and other differentiators. While loss of those assets can impact companies’ ability to compete and should be measured, the methodologies used to assess cybersecurity has typically been a challenge. Moody’s ability to make that assessment will require a lot of thought and calculation.
While this sounds like a good thing, in 2017 Moody’s paid nearly $1B in fines to settle government charges that it gave inflated ratings to risky mortgage investments that played major roles in causing the 2008 financial meltdown. If they weren’t trustworthy in their core business of financial risk rating, pretty sure they shouldn’t be at the top of list for cybersecurity risk ratings.
There is a pot of gold waiting for the first group to develop an actuarial table for cyber risk, though the reality is it is many tables. They started with utilities; it will be interesting to see how far they are able to get. The press release does show some good architecture with respect to compliance.
www.moodys.com: Research Announcement: Moody’s: As cyber threat intensifies for US utilities, government support remains key to credit profiles
Most ATMs can be hacked in under 20 minutes
Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking
Research of the week
-Security recommendations for hosting on AWS
All state of the art hosting services make the security of their infrastructure a number one priority. Regardless, many of their users still suffer from sensitive data exposure and data breaches. Does that imply that the efforts of the hosting service are insufficient? Surprisingly, it does not!
-Remember: Detect naughty devices on your network
Just last week I wrote about how I improved the security and privacy of all devices on my home network using a Raspberry Pi, Pi-Hole and the new 188.8.131.52 resolver from Cloudflare with DoH. Following deployment, the dashboards and metrics on the Pi-Hole really shone a light on some of the things that devices on my network were up to
-Digital Identity Guidelines – new Password Guidelines from NIST
Authentication and Lifecycle Management
-Hybrid cloud complexity pushes organisations to look for more security tools
-Gartner – Critical Capabilities for Cloud Access Security Brokers
- Gartner clients face critical challenges to deploy and manage native security offerings from multiple cloud service providers. This is because different services require separate management consoles, with different security capabilities that do not integrate or share policies.
- Some clients immediately base their vendor selection on CASB technical architecture, which usually leads to a suboptimal choice. Clients that start with a reasonably detailed listing of use cases that are specific to their exact needs, now and in the expected future, and engage vendors in proofs of concept report better success.
- CASB products provide the broadest set of security features across multiple cloud services that are managed through a single console. This agility is far outpacing the features being delivered by CSPs, as well as by other vendors that offer a subset of CASB features as an extension of their existing security technologies
-Oracle JRE and JDK Cryptographic Roadmap
Tool of the week
-See who is tracking you online: Mozilla Lightbeam
-Netflix Stethoscope – Personalized, user-focused recommendations for employee information security
-Introducing open source security runtime monitoring – Snyk
Snyk has now released the first capability in its application security runtime monitoring solution, allowing developers to monitor the actual behaviour of their open source components at runtime
-Beagle free visual analytics tool helps bring cybercriminals to justice
-Vulnerabilities’ CVSS scores soon to be assigned by AI
-Review: Specops Password Policy
Some 17 years ago Specops Software took on the challenge of developing authentication tools for the Microsoft ecosystem. This review focuses on Specops Password Policy, their flagship tool for preventing Active Directory users from choosing weak passwords
-FLARE VM Update
FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for analysing malware
Other interesting articles
Four steps to proper application security through its life span
- Verify the application composition comes from trusted sources.
2. Secure the code from vulnerabilities – as built, as deployed and throughout its life.
3. Govern what connects to the application and what it can connect to – esp. in its development phase.
4. Secure the application and the data it produces, as well as the data it accesses
Steganography: How Spies Rickroll Each Other
There is an image hidden inside this image!
“Steganography” comes from the Greek word steganos, meaning “covered” or “reticent.” Whereas cryptography concerns itself with hiding the contents of a message, steganography concerns itself with hiding the fact that’s there’s even a message at all, which discourages potential code-breakers from looking deeper.
This post is about a certain kind of steganography, termed Least Significant Bits (or LSB steganography)
YOU KNOW WHAT? GO AHEAD AND USE THE HOTEL WI-FI
AS YOU TRAVEL this holiday season, bouncing from airport to airplane to hotel, you’ll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it.
This advice comes with plenty of qualifiers. If you’re planning to commit crimes online at the Holiday Inn Express, or to visit websites that you’d rather people not know you frequented, you need to take precautionary steps that we’ll get to in a minute. Likewise, if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs. (Also, you’ve probably already been hacked some other way, sorry.)
##And finally, Are We Really Alone? Are we secure from Aliens? :)
With all the ways scientists look at space, what are the odds of finding life?
The sky seems so vast, and space beyond it. You leave the city, head out to the country, and discover the blanket of stars. You see the Hubble Deep Field, an image of a seemingly empty spot of sky, revealed to be full of galaxies, clustered like jewels. There’s a Hubble eXtreme Deep Field, too, which reveals even more.
So how could we be alone, with all this space? It seems impossible. It seems impossibly lonely, too
AND How many jobs are vulnerable to automation?
HACKING, TOOLS and FUN – CHECK BELOW!
Description: Clickjacking on Google MyAccount Worth 7,500$.
Description: Spoof All Domains Containing ‘d’ in Apple Products (CVE-2018-4277).
Description: OOB XXE in PrizmDoc (CVE-2018–15805).