Security Stack Sheet #27

Word of the week

5 most important vulnerabilities every developer should be aware of

Link HERE

“Securing the future state”

Link HERE and “The Paradox of Choice – How to thrive in an industry with too many possibilities” HERE

 

Word of the week special “We are all Equifax” from OWASP London Stefania Chaplin

In March 2017 hackers took three days to identify and exploit a new vulnerability (the Apache Struts2 flaw CVE-2017-5638) in Equifax’s web applications. In the post-Equifax world, moving a new business requirement (e.g., a non-vulnerable version of Struts2) into production in under three days might just be your new normal. Find out what the analysis of 17,000 applications reveals about the quality and security of software built with open source components. DevSecOps teams are applying lessons from W. Edwards Deming (circa 1982), Eliyahu Goldratt (circa 1984) and Gene Kim (circa 2013) to improve their ability to respond to new business requirements and cyber risks.

Links HERE, HERE and HERE. Presentation and video next week HERE. Video from other events HERE and HERE

 

Bonus

Link to presentation HERE

Beyond passwords: 2FA, U2F and Google Advanced Protection

Link HERE

The Wartime Spies Who Used Knitting as an Espionage Tool

Grandma was just making a sweater. Or was she?

Link HERE

Link HERE

Link HERE

2018 Hacker Kids Gift Guide – holiday gifts for young hackers

Link HERE

 

Crypto challenge of the week

Image noise

Links HERE and HERE

 

Dates

May 25th: GDPR Live! See incidents section below

June 30th: PCI DSS deadline to stop using SSL and early TLS (TLS 1.0); TLS 1.1 is the minimum allowed and TLS 1.2 is strongly recommended. BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

TLS 1.0 and TLS 1.1 ARE GOING!! Google, Mozilla and Microsoft have all announced that their browsers will drop both versions in 2020.

Google HERE Firefox HERE Microsoft HERE

Now: HTTPS mandatory

HTTPS everywhere HERE

Link HERE

BUT

Why closing port 80 is bad for security

Link HERE
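The three items above taken together (TLS 1.2 or newer only, HTTPS by default, but port 80 left open so that plain-HTTP visitors are redirected rather than dropped) as an nginx server configuration. This is an added example, not configuration from any of the linked articles; the host names, certificate and document-root paths and the cipher list are assumptions to be adapted.

```nginx
# Added example. Port 80 stays open, but serves nothing except a redirect:
# if it were closed, a user who types "example.com" would get a connection
# error instead of landing on HTTPS, and since HSTS is only learned over
# HTTPS the first visit would never reach the secure site at all.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;      # assumed host names

    # ACME HTTP-01 challenges (Let's Encrypt) also arrive on port 80.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;                      # assumed path
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # assumed path

    # Weak setting: still negotiates the TLS 1.0/1.1 that browsers are dropping.
    #   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Corrected: TLS 1.2 minimum. TLSv1.3 needs nginx >= 1.13.0 built against
    # OpenSSL 1.1.1; drop it from the line if your build is older.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Only once every subdomain works over HTTPS: browsers then go straight to
    # 443 on later visits, so the port-80 redirect is used exactly once.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        root /var/www/example.com;               # assumed path
    }
}
```

Check the file with `nginx -t`, then confirm from outside that `curl -I http://example.com/` answers with a 301 to the https URL, and that `openssl s_client -connect example.com:443 -tls1_1` fails the handshake while the same command with `-tls1_2` succeeds.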

March 29th 2019: Brexit

September 14th 2019: PSD2 strong customer authentication (the RTS on SCA) applies

Near future? – Crypto BTC ETF

 

Comic of the week

 

Some OWASP stuff first

-OWASP London event – 22 Nov – yesterday

  • “We Are All Equifax: Data Behind DevSecOps” – Stefania Chaplin

Conclusion: The title says it all!

  • “I know what you did last summer: New persistent tracking mechanisms used in the wild” – Dr. Alexios Mylonas

Conclusion: Everyone tracks you and if you want to make sure you have deleted that data from your browser do the following: Delete browser history, quit browser, kill browser process… format HDD and shut down computer, pull the plug from the wall.

Also see HERE: “Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you’re visiting”

Link HERE Recording of the event HERE

-FROM THE OWASP TOP TEN(S) TO THE OWASP ASVS

Link HERE

-OWASP Serverless Top 10 – First Released

When adopting serverless technology, we eliminate the need to develop a server to manage our application. By doing so, we also pass some of the security threats to the infrastructure provider, such as AWS, Azure and Google Cloud. In addition to the many advantages of serverless application development, such as cost and scalability, some security aspects are also handed to our service provider. Serverless services run code without provisioning or managing servers, and the code is executed only when needed. What does not move to the provider is the function itself: its code, its dependencies, how it handles the events that trigger it, and the permissions it runs with.

Link HERE

-104: The world’s most evil phishing test, and cyborgs in the workplace

Does your employer want to turn you into a cyborg? Was this phishing test devised by an evil genius? And how did a cinema chain get scammed out of millions, time and time again…?

Oh, and the subject of erasable pens comes up again

Link HERE

-Security Culture Hacking: Disrupting the Security Status Quo – Chris Romeo

Link HERE

 

Events

OWASP events HERE

BlackHat London HERE

All InfoSec events HERE

Remember: LocoMocoSec Conference in Hawaii 2018 – Presentations

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

 

Incidents in the world last week

Other source HERE Find your country

Data breach statistics HERE

NO CHANGE SINCE LAST WEEK.

Reported breaches in the first 9 months of 2018 exposed 3.6 billion records

Incidents by data type exposed

Link HERE

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Smishing, the criminal’s data source in your pocket

According to recent reports, smishing, a technique similar to phishing, but using an SMS message rather than an email, is on the rise. The SMS message, which can be disguised to appear from an official source, will have a link which can download malware or redirect the victim to a malicious website to steal credentials or other personal data

Popular GDPR-related plugin compromised

According to media reporting, cyber criminals have recently found and exploited a vulnerability in the popular WordPress plugin WP GDPR Compliance. The vulnerability allowed the malicious actors to access WordPress sites and install backdoor scripts

African ISP inadvertently routes internet traffic via Russia and China

On Monday afternoon there was a widely reported outage of Google services in the US. This lasted for 74 minutes and was due to internet traffic being wrongly directed via Russia and China, a BGP route leak widely reported as a “BGP hijack” (the ISP’s own account is that it was inadvertent)

Link HERE

UK Parliament Committee Report: Critical Infrastructure Cyber Security at Risk

According to a report from the UK Parliament’s Joint Committee on National Security Strategy, the UK’s national critical infrastructure is vulnerable to damaging cyber attacks. The report also says that while the risk of cyberattacks on the national critical infrastructure is growing, neither the government nor the private companies that operate elements of critical infrastructure are doing enough to adequately protect it. The report’s authors “are concerned that expectations of the [GCHQ’s] National Cyber Security Centre are outstripping the resources put at its disposal by the Government.” They go on to “urge the Government to appoint a single Cabinet Office Minister who is charged with delivering improved cyber resilience across the UK’s critical national infrastructure.”
“This is a global story and would have been completely valid had “UK” been replaced with the name of many other countries.”

Link HERE

Troy Hunt weekly update

Link HERE

 

Incidents detail

The next version of HTTP won’t be using TCP

HTTP/3 will run over QUIC, a transport protocol layered on top of UDP rather than TCP; the IETF HTTP working group has agreed to rename HTTP-over-QUIC to HTTP/3

Link HERE

Most VPN Services are Terrible

Link HERE

Link HERE

Microsoft menaced with GDPR mega-fines in Europe for ‘large scale and covert’ gathering of people’s info via Office

Telemetry data slurp broke the law, Dutch govt eggheads say

Link HERE

APT29, otherwise known as the Russian threat group “Cozy Bear”, is likely behind a massive string of spear-phishing emails over the past few weeks

Link HERE

‘I’m Possibly Alive Because It Exists:’ Why Sleep Apnea Patients Rely on a CPAP Machine Hacker

An Australian hacker has spent thousands of hours hacking the DRM that medical device manufacturers put on CPAP machines to create a free tool that lets patients modify their treatment

Links HERE and HERE

Six Reasons App Security Defence Doesn’t Belong at the Edge

Link HERE

Instagram patched a bug in its website that could allow an attacker to view the passwords of some of its users in plain text

Link HERE

BlackBerry plans to acquire cybersecurity firm Cylance for $1.4 billion
Link HERE

Major SMS security lapse is a reminder to use authenticator apps instead

26 million customer texts were exposed

Link HERE

GPU side channel attacks can enable spying on web activity, password stealing

Link HERE

Gmail Glitch Offers Stealthy Trick for Phishing Attacks

Link HERE

Moody’s Will Factor Risk of Cyber Attacks into Ratings

Moody’s plans to start including the impact a major cybersecurity incident would have on a company in its creditworthiness ratings. Moody’s may move to a separate cyber-risk rating apart from the entity’s credit ranking. According to its website, “Moody’s… provid[es] credit ratings, research, tools and analysis that contribute to transparent and integrated financial markets.”
[Henry]
The insurance agencies are working hard to assess cybersecurity incidents and risk, as are the SEC and other government regulators. Moody’s movement into this area seems to be a logical step. Companies’ values are based on many factors, including their intellectual property, their corporate strategies, and other differentiators. While loss of those assets can impact companies’ ability to compete and should be measured, the methodologies used to assess cybersecurity have typically been a challenge. Moody’s ability to make that assessment will require a lot of thought and calculation.
[Pescatore]
While this sounds like a good thing, in 2017 Moody’s paid nearly $1B in fines to settle government charges that it gave inflated ratings to risky mortgage investments that played major roles in causing the 2008 financial meltdown. If they weren’t trustworthy in their core business of financial risk rating, pretty sure they shouldn’t be at the top of list for cybersecurity risk ratings.
[Northcutt]
There is a pot of gold waiting for the first group to develop an actuarial table for cyber risk, though the reality is it is many tables. They started with utilities; it will be interesting to see how far they are able to get. The press release does show some good architecture with respect to compliance.
www.moodys.com: Research Announcement: Moody’s: As cyber threat intensifies for US utilities, government support remains key to credit profiles

Link HERE

Most ATMs can be hacked in under 20 minutes

Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking

Link HERE and Europol joins forces with ATM business Diebold Nixdorf HERE ATM vulnerabilities HERE

 

Research of the week

-Security recommendations for hosting on AWS

All state-of-the-art hosting services make the security of their infrastructure a number-one priority. Regardless, many of their users still suffer from sensitive data exposure and data breaches. Does that imply that the efforts of the hosting service are insufficient? Surprisingly, it does not! Under the shared-responsibility model the provider secures the platform; what the customer deploys on it, and how it is configured, stays the customer’s problem.

Link HERE

-Remember: Detect naughty devices on your network

Just last week I wrote about how I improved the security and privacy of all devices on my home network using a Raspberry Pi, Pi-Hole and the new 1.1.1.1 resolver from Cloudflare with DoH. Following deployment, the dashboards and metrics on the Pi-Hole really shone a light on some of the things that devices on my network were up to

Link HERE
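What “shone a light” on the devices was the per-client query log behind the Pi-hole dashboard. As an added example (not Troy Hunt’s code), the script below does the same thing offline: it parses dnsmasq-style query lines in the form Pi-hole writes to /var/log/pihole.log, counts what each client asked for, lists what was blocked, and flags single-purpose devices (a smart plug, say) that resolve names outside the vendor domains they are expected to talk to. The log lines are constructed for the example, not captured from a real network; the blocked-answer format is the Pi-hole 4.x gravity-list one and the allow-list is an assumption.

```python
import re
import sys
from collections import Counter, defaultdict
from typing import Dict, Iterable, Set

# dnsmasq query lines as Pi-hole logs them (log-queries on):
#   "Nov 22 20:14:03 dnsmasq[1234]: query[A] host.example from 192.168.1.25"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
# Blocked answers (Pi-hole 4.x gravity list): "/etc/pihole/gravity.list name is 0.0.0.0"
BLOCK_RE = re.compile(r"dnsmasq\[\d+\]: /etc/pihole/\S+ (?P<name>\S+) is (?:0\.0\.0\.0|::)$")

# Constructed sample, not a capture from a real network.
SAMPLE_LOG = """\
Nov 22 20:14:03 dnsmasq[1234]: query[A] clients4.google.com from 192.168.1.25
Nov 22 20:14:03 dnsmasq[1234]: forwarded clients4.google.com to 127.0.0.1#5053
Nov 22 20:14:05 dnsmasq[1234]: query[AAAA] api.smartplug-vendor.example from 192.168.1.40
Nov 22 20:14:05 dnsmasq[1234]: query[A] api.smartplug-vendor.example from 192.168.1.40
Nov 22 20:14:09 dnsmasq[1234]: query[A] telemetry.tracker.example from 192.168.1.40
Nov 22 20:14:09 dnsmasq[1234]: /etc/pihole/gravity.list telemetry.tracker.example is 0.0.0.0
Nov 22 20:14:12 dnsmasq[1234]: query[A] crypto-pool.example from 192.168.1.40
Nov 22 20:14:15 dnsmasq[1234]: query[A] www.bbc.co.uk from 192.168.1.25
Nov 22 20:14:15 dnsmasq[1234]: query[A] graph.facebook.com from 192.168.1.25
"""


def parse_queries(lines: Iterable[str]) -> Dict[str, Counter]:
    """Map each client IP to a Counter of the names it asked for."""
    per_client: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            per_client[m["client"]][m["name"].lower().rstrip(".")] += 1
    return per_client


def blocked_names(lines: Iterable[str]) -> Counter:
    """Names Pi-hole answered with a block (what the dashboard reports as 'blocked')."""
    hits: Counter = Counter()
    for line in lines:
        m = BLOCK_RE.search(line.strip())
        if m:
            hits[m["name"].lower()] += 1
    return hits


def _allowed(name: str, suffixes: Set[str]) -> bool:
    # Suffix match so "api.smartplug-vendor.example" is covered by "smartplug-vendor.example".
    return any(name == s or name.endswith("." + s) for s in suffixes)


def unexpected_queries(per_client: Dict[str, Counter],
                       allowlist: Dict[str, Set[str]]) -> Dict[str, Counter]:
    """For clients with a known purpose, return the names they queried that fall
    outside their allowed suffixes. Clients without an allow-list are not judged."""
    report: Dict[str, Counter] = {}
    for client, suffixes in allowlist.items():
        bad = Counter({n: c for n, c in per_client.get(client, Counter()).items()
                       if not _allowed(n, suffixes)})
        if bad:
            report[client] = bad
    return report


if __name__ == "__main__":
    # Pipe a real log in (python3 naughty.py < /var/log/pihole.log) or run on the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    queries = parse_queries(lines)
    for client, names in sorted(queries.items()):
        print(client, dict(names.most_common(5)))
    print("blocked:", dict(blocked_names(lines)))
    # Assumed allow-list: the plug on .40 should only ever talk to its vendor.
    print("unexpected:", unexpected_queries(queries, {"192.168.1.40": {"smartplug-vendor.example"}}))
```

The blocked name on .40 is the part the dashboard already shows; the unblocked query to a mining-pool-looking name is the part only a per-device baseline catches, which is why the allow-list is keyed by client rather than by domain.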

-Digital Identity Guidelines – new Password Guidelines from NIST

Authentication and Lifecycle Management

Link HERE
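The substance of the SP 800-63B “memorized secret” rules (section 5.1.1.2), as an added example rather than anything taken from the guideline’s text: at least 8 characters, allow at least 64, accept any printable character including spaces and Unicode, impose no composition rules and no periodic change, but reject values found in breach corpora, dictionary words, repetitive or sequential strings, and context-specific words such as the username or service name. The breached-password set and the dictionary below are tiny constructed stand-ins for the real lists a deployment would query.

```python
import unicodedata
from typing import Iterable, List

MIN_LEN = 8    # 800-63B: subscriber-chosen secrets SHALL be at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers SHOULD permit at least 64 characters

# Constructed stand-ins so the example runs offline. A real verifier checks a breach
# corpus (e.g. the Pwned Passwords k-anonymity API) and a full dictionary instead.
BREACHED = {"password", "123456", "qwerty123", "letmein", "iloveyou", "welcome1"}
DICTIONARY = {"password", "dragon", "monkey", "football", "sunshine"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def normalize(secret: str) -> str:
    """800-63B: apply Unicode normalization (NFKC or NFKD) before comparing or hashing."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(s: str) -> bool:
    """'aaaaaaaa' or 'abababab': the whole string is one short block repeated."""
    for k in range(1, len(s) // 2 + 1):
        if len(s) % k == 0 and s == s[:k] * (len(s) // k):
            return True
    return False


def is_sequential(s: str) -> bool:
    """'12345678', 'hgfedcba', or a keyboard-row walk such as 'qwertyui'."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps == {1} or steps == {-1}:
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def evaluate(secret: str, context: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate secret must be rejected; an empty list means accept.
    Deliberately absent: composition rules (mixed case, digits, symbols), hints and
    expiry, none of which 800-63B lets a verifier impose."""
    s = normalize(secret)
    low = s.lower()
    reasons: List[str] = []
    if len(s) < MIN_LEN:
        reasons.append(f"too short ({len(s)} < {MIN_LEN})")
    if len(s) > MAX_LEN:
        reasons.append(f"too long ({len(s)} > {MAX_LEN})")
    if any(unicodedata.category(c).startswith("C") for c in s):
        reasons.append("contains control characters")   # printable ASCII, space and Unicode are all fine
    if low in BREACHED:
        reasons.append("found in breached-password corpus")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    if is_repetitive(low):
        reasons.append("repetitive characters")
    if is_sequential(low):
        reasons.append("sequential characters")
    for word in context:   # username, service name, anything the attacker can read off the login page
        w = word.lower()
        if len(w) >= 4 and w in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "12345678", "alice-rocks-2018"]:
        print(f"{candidate!r}: {evaluate(candidate, context=['alice', 'acme-bank']) or 'accepted'}")
```

Note what the check does not do: a short-but-not-in-the-list value such as a leetspeak variant passes the toy sets here, which is exactly why the guideline puts the weight on a large breach corpus rather than on composition rules.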

-Hybrid cloud complexity pushes organisations to look for more security tools

Link HERE

-Gartner – Critical Capabilities for Cloud Access Security Brokers

Findings:

  • Gartner clients face critical challenges to deploy and manage native security offerings from multiple cloud service providers. This is because different services require separate management consoles, with different security capabilities that do not integrate or share policies.
  • Some clients immediately base their vendor selection on CASB technical architecture, which usually leads to a suboptimal choice. Clients that start with a reasonably detailed listing of use cases that are specific to their exact needs, now and in the expected future, and engage vendors in proofs of concept report better success.
  • CASB products provide the broadest set of security features across multiple cloud services that are managed through a single console. This agility is far outpacing the features being delivered by CSPs, as well as by other vendors that offer a subset of CASB features as an extension of their existing security technologies

Link HERE

-Oracle JRE and JDK Cryptographic Roadmap

Link HERE

 

Tool of the week

-See who is tracking you online: Mozilla Lightbeam

Link HERE

-Netflix Stethoscope – Personalized, user-focused recommendations for employee information security

Link HERE

-Introducing open source security runtime monitoring – Snyk

Snyk has now released the first capability in its application security runtime monitoring solution, allowing developers to monitor the actual behaviour of their open source components at runtime

Link HERE

-Beagle free visual analytics tool helps bring cybercriminals to justice

Link HERE

-Vulnerabilities’ CVSS scores soon to be assigned by AI

Link HERE

-Review: Specops Password Policy

Some 17 years ago Specops Software took on the challenge of developing authentication tools for the Microsoft ecosystem. This review focuses on Specops Password Policy, their flagship tool for preventing Active Directory users from choosing weak passwords

Link HERE

-FLARE VM Update

FLARE VM is the first-of-its-kind reverse engineering and malware analysis distribution on the Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for analysing malware

Link HERE

 

Other interesting articles

Four steps to proper application security through its life span

  1. Verify the application composition comes from trusted sources.
  2. Secure the code from vulnerabilities – as built, as deployed and throughout its life.
  3. Govern what connects to the application and what it can connect to – esp. in its development phase.
  4. Secure the application and the data it produces, as well as the data it accesses.

Link HERE

 

Steganography: How Spies Rickroll Each Other

There is an image hidden inside this image!

“Steganography” comes from the Greek steganos, meaning “covered” or “reticent.” Whereas cryptography concerns itself with hiding the contents of a message, steganography concerns itself with hiding the fact that there is a message at all, which discourages potential code-breakers from looking deeper.

This post is about one particular kind of steganography, Least Significant Bit (LSB) steganography: the bits of the message replace the lowest-order bit of successive pixel values, a change of at most one intensity level that the eye cannot see.

Link HERE
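LSB steganography in its simplest form, as an added example (not the code from the linked post): the message is written one bit at a time into the least-significant bit of successive pixel bytes, preceded by a 32-bit length so the decoder knows where to stop, and no byte changes by more than one. To stay dependency-free the “image” is a raw 8-bit RGB byte string rather than a PNG; with Pillow the same functions take `Image.open(path).convert("RGB").tobytes()` and the result goes back through `Image.frombytes("RGB", size, stego)`, saved as PNG (a lossy format such as JPEG would destroy the low bits). The cover pixels are a constructed gradient, not a real photo.

```python
import struct
from typing import Iterator


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(cover: bytes) -> int:
    """Message bytes that fit: one bit per cover byte, minus the 4-byte length prefix."""
    return len(cover) // 8 - 4


def lsb_encode(cover: bytes, message: bytes) -> bytes:
    """Overwrite the least-significant bit of successive cover bytes with a
    32-bit big-endian length followed by the message bytes."""
    if len(message) > capacity(cover):
        raise ValueError(f"message is {len(message)} bytes, cover holds {capacity(cover)}")
    payload = struct.pack(">I", len(message)) + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return bytes(stego)


def _read_bytes(carrier: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of carrier[start:]."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (carrier[start + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def lsb_decode(stego: bytes) -> bytes:
    """Recover the message: length from the first 32 LSBs, then that many bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if length > capacity(stego):
        raise ValueError("length prefix does not fit the carrier: not a payload from this encoder")
    return _read_bytes(stego, 32, length)


def max_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between cover and stego; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_plane(carrier: bytes) -> bytes:
    """The bit plane an analyst views to eyeball a suspect image: 0 or 255 per byte.
    Embedded ASCII shows up as structure where natural image noise looks random."""
    return bytes(255 if byte & 1 else 0 for byte in carrier)


# Constructed cover: a 64x64 RGB gradient (12288 bytes) standing in for a real image.
COVER = bytes((i * 7 + c * 31) % 256 for i in range(64 * 64) for c in range(3))

if __name__ == "__main__":
    secret = b"Never gonna give you up"
    stego = lsb_encode(COVER, secret)
    print("capacity:", capacity(COVER), "bytes; largest pixel change:", max_delta(COVER, stego))
    print("decoded:", lsb_decode(stego))
```

Decoding a carrier that never had anything embedded raises rather than returning garbage, because the 32-bit “length” read from its natural low bits is far larger than the carrier could hold; that sanity check is also the first thing to drop if you want the decoder to double as a crude detector.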

 

YOU KNOW WHAT? GO AHEAD AND USE THE HOTEL WI-FI

 

AS YOU TRAVEL this holiday season, bouncing from airport to airplane to hotel, you’ll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it.

This advice comes with plenty of qualifiers. If you’re planning to commit crimes online at the Holiday Inn Express, or to visit websites that you’d rather people not know you frequented, you need to take precautionary steps that we’ll get to in a minute. Likewise, if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs. (Also, you’ve probably already been hacked some other way, sorry.)

Link HERE Counter article from a random vendor HERE Protect yourself during the holiday season HERE

 

And finally, Are We Really Alone? Are we secure from Aliens? 🙂

With all the ways scientists look at space, what are the odds of finding life?

The sky seems so vast, and space beyond it. You leave the city, head out to the country, and discover the blanket of stars. You see the Hubble Deep Field, an image of a seemingly empty spot of sky, revealed to be full of galaxies, clustered like jewels. There’s a Hubble eXtreme Deep Field, too, which reveals even more.

So how could we be alone, with all this space? It seems impossible. It seems impossibly lonely, too

Link HERE

AND How many jobs are vulnerable to automation?

Link HERE

 

HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://apapedulimu.click/clickjacking-on-google-myaccount-worth-7500/

Description: Clickjacking on Google MyAccount Worth 7,500$.

URL: https://xlab.tencent.com/en/2018/11/13/cve-2018-4277/

Description: Spoof All Domains Containing ‘d’ in Apple Products (CVE-2018-4277).

URL: https://medium.com/@mrnikhilsri/oob-xxe-in-prizmdoc-cve-2018-15805-dfb1e474345c

Description: OOB XXE in PrizmDoc (CVE-2018-15805).

Link HERE and credits to HERE
