Security Stack Sheet #32

Word of the week “Cyber Karma”: Decade of the Data Breach

Link HERE

AND

“Data Breach Fatigue”

The U.K. alone was hit by 796 cyber-attacks in 457 days

Link HERE

 

Word of the week special “PewDiePie” printer hackers strike again

Hackers have taken control of printers around the world!

Link HERE

 

Bonus

Link HERE

Serious Security: When cryptographic certificates attack – thanks to Philippe

Link HERE


 

Crypto challenge of the week

HACKvent 2018 Challenge

Mondrian

Piet’er just opened his gallery to present his pieces to you, they’d make for a great present 🙂

Link HERE

 

Dates

May 25th: GDPR Live! See incidents section below

June 30th (2018): PCI DSS deadline to stop using SSL and early TLS; TLS 1.1 is the minimum accepted, TLS 1.2 or higher is what the Council recommends  BEWARE!

Link HERE

Now: TLS 1.2 is the baseline for proper security

TLS 1.0 and TLS 1.1 ARE GOING!! Chrome, Firefox and Microsoft’s browsers have all announced they will disable both by early 2020

Google HERE Firefox HERE Microsoft HERE

Now: HTTPS mandatory

HTTPS everywhere HERE

BUT

Why closing port 80 is bad for security

Link HERE

TLS 1.3 – Decryption Misconceptions – thanks to Teo

Link HERE

March 29th 2019: Brexit

September 14th 2019: PSD2 Strong Customer Authentication (SCA) requirements apply

November 3rd 2020: US presidential election
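A check that goes with the TLS deprecation notes above, added here as an example and not taken from any of the linked articles: the version a server actually agreed to is not always the one in the obvious field. A TLS 1.3 server still writes 0x0303 (TLS 1.2) into the record header and into the ServerHello legacy_version, and signals 1.3 only through the supported_versions extension, which is one reason naive middlebox "decryption" assumptions break. The script below builds constructed ServerHello records (not captures) for a TLS 1.0, 1.2 and 1.3 server and classifies each against a TLS 1.2 floor; the version-name table, the cipher suites chosen and the 1.2 floor are the example's own assumptions.

```python
import struct

# Version codes as carried in TLS records and handshake messages.
TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
MINIMUM_VERSION = 0x0303          # assumption: TLS 1.2 is the floor, anything below is a finding
EXT_SUPPORTED_VERSIONS = 43       # extension type from RFC 8446


def build_server_hello(legacy_version, cipher_suite, selected_version=None):
    """Build a TLS record carrying a minimal ServerHello.

    Constructed sample data for the demo, not a capture. A TLS 1.3 server
    sets legacy_version to 0x0303 and puts the real version into the
    supported_versions extension (selected_version).
    """
    body = struct.pack(">H", legacy_version)
    body += bytes(32)                               # server random (zeroed here)
    body += b"\x00"                                 # legacy_session_id: empty
    body += struct.pack(">H", cipher_suite)
    body += b"\x00"                                 # compression method: null
    extensions = b""
    if selected_version is not None:
        extensions += struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
    body += struct.pack(">H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # handshake type 2 = ServerHello
    return b"\x16" + struct.pack(">HH", legacy_version, len(handshake)) + handshake


def negotiated_version(record):
    """Return (version, cipher_suite) that a ServerHello record actually negotiated."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + record_len]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", body[0:2])[0]     # legacy_version, authoritative only below 1.3
    pos = 2 + 32                                    # skip the server random
    pos += 1 + body[pos]                            # skip legacy_session_id
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 1                                    # cipher suite + compression method
    if pos + 2 <= len(body):                        # extensions block is optional before 1.3
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                version = struct.unpack(">H", ext_data)[0]   # TLS 1.3 overrides legacy_version
    return version, cipher_suite


def check_server_hello(record, minimum=MINIMUM_VERSION):
    """Classify a ServerHello: returns (version name, acceptable against the floor)."""
    version, _ = negotiated_version(record)
    return TLS_VERSIONS.get(version, hex(version)), version >= minimum


if __name__ == "__main__":
    samples = {
        "legacy server": build_server_hello(0x0301, 0x002F),          # TLS 1.0, AES128-SHA
        "tls12 server": build_server_hello(0x0303, 0xC02F),           # ECDHE-RSA-AES128-GCM-SHA256
        "tls13 server": build_server_hello(0x0303, 0x1301, 0x0304),   # 1.3 signalled via supported_versions
    }
    for name, rec in samples.items():
        print(name, check_server_hello(rec))
```

Feed negotiated_version the first server-to-client handshake record from a real capture and it reports what was negotiated, not what the record header claims. For a live server the complementary check is a forced downgrade, for instance openssl s_client -tls1_1 against the host, which should fail once 1.0 and 1.1 are switched off.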

 

Comic of the week

Some OWASP stuff first

-AppSec Podcast – SecOps Makes Developers Lives Easier (S04E21)

Link HERE

-Jumpstarting Your DevSecOps Pipeline with IAST and RASP

DevSecOps is so much more than automating the scan button – it spans the entire stack and the full software lifecycle, including development *and* operation.

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

 

Incidents in the world last week

Other source for incident data HERE Find your country

Data breach statistics HERE – not being kept up-to-date

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

The problem with lapsing certificates

A report from the US Congress this week revealed that the 2017 Equifax breach went undetected for months because a certificate on the appliance that inspects encrypted network traffic for suspicious activity had expired.

With the certificate lapsed, the appliance was no longer inspecting that traffic, so the attackers’ activity went unseen until the certificate was renewed.

Confidential data loss in Denmark

Confidential data of 20,000 residents in Gladsaxe, Denmark has been lost following the theft of a computer from the town’s city hall between November 30th and December 3rd.

The data had been saved locally and included information such as civil registration numbers, ages and addresses. Details of social welfare payments and housing were also reported as affected.

Stay secure; keep on top of the latest security updates

WordPress has issued security release 5.0.1, which fixes several vulnerabilities, including one in which the activation screen for new users could be indexed by Google, exposing in some cases the newly generated password.

Detailed information on version 5.0.1 can be read on the WordPress news pages; crucially, the fix stops search engines from indexing those activation screens.

Link HERE

Troy Hunt weekly update

Link HERE

Transatlantic Cable podcast, episode 69 – by Kaspersky

2018 statistics and 2019 predictions

Link HERE and

Cyberthreats to financial institutions 2019: OVERVIEW AND PREDICTIONS

  • The emergence of new groups due to the fragmentation of Cobalt/Carbanak and FIN7: new groups and new geography
  • The first attacks through the theft and use of biometric data
  • The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, South-East Asia and Central Europe
  • Continuation of the supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world
  • Traditional cybercrime will focus on the easiest targets and bypass antifraud solutions: replacement of PoS attacks with attacks on systems accepting online payments
  • The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network
  • Attacks on mobile banking for business users
  • Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wires: result of data leaks

Link HERE

 

Incidents & events detail

Report: Facebook let major tech firms access private messages, friends lists

NYT: Bing could see nearly “all Facebook users’ friends without consent.”

Link HERE

APT review of the year

What the world’s advanced threat actors got up to in 2018

Link HERE

NASA got hacked

Link HERE

UNIVERSAL ANDROID SSL PINNING IN 10 MINUTES WITH FRIDA

Link HERE

A look at home routers, and a surprising bug in Linux/MIPS

We reviewed 28 popular home routers for basic hardening features. None performed well. Oh, and we found a bug in the Linux/MIPS architecture

Link HERE

From blind XXE to root-level file read access

Link HERE

Iranian phishers bypass 2FA protections offered by Yahoo Mail and Gmail

The group breaches SMS-protected accounts; it is still testing attacks against 2FA apps

Link HERE

Crowdstrike’s Cyber Intrusion Services Casebook 2018: One Compromised Laptop Gave Hackers Access to Corporate Network

According to CrowdStrike’s Cyber Intrusion Services Casebook 2018, a single laptop used at a coffee shop was compromised and then used to gain access to an unnamed company’s entire corporate network. The laptop user had followed a link in a phishing email to the website of a partner organization. The attackers then exploited a misconfiguration in the company’s Active Directory deployment that granted unnecessary privileges. The security software the company used detected threats only while the device was on the organization’s own network.

Link HERE

Amazon uses dummy parcels to catch thieves

Link HERE

What is going on with OAuth 2.0? And why you should not use it for authentication

Link HERE

Cloudflare Allegedly Counts Identified Terrorist Groups Among Clients

A Huffington Post report alleges that Cloudflare is providing cybersecurity services to seven groups that are under sanctions from the US Treasury Department; of those, six are identified as foreign terrorist groups by the US State Department.
[Pescatore]
All service providers have to deal with the “know your customer” issue and all the various sanctions that home country law places on doing business with blacklisted nations and countries. At any given time, many large service providers have compliance issues – the key is how quickly they deal with known or reported violations.

Link HERE

Android’s facial recognition technology on its smartphones can be tricked by a 3-D printed head

Link HERE

Facebook disclosed a bug that allowed app developers to view users’ photos that they uploaded to Facebook but never shared on their timeline

Links HERE and HERE and HERE

Signal Says It Cannot Include a Backdoor in its App

In a December 13 blog post, Signal developer Joshua Lund expresses the organization’s frustration with Australia’s new Assistance and Access bill, noting that “attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development.” Lund says that Signal cannot include a backdoor and that “the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us.”

Link HERE

 

Research of the week

-Kaspersky Security Bulletin 2018 STATISTICS

Link HERE

-20 Ways To Block Mobile Attacks

Link HERE

-eBook: Intrusion Detection Guide

Link HERE

-Software Architecture: Architect Your Application with AWS

Nowadays, cloud computing has become a central part of any tech company, which includes almost every company now, since most of them can be categorized as “Software as a Service” (SaaS). In this post, I will try to simplify the most important Amazon cloud/web services, known as AWS.

This post will help you understand the different services Amazon offers and their capabilities, and to discover the new opportunities that come with using cloud computing instead of self-managed infrastructure.

Link HERE

 

Tool of the week

-Open Source Network Security Tools for Beginners

Link HERE

-How To Build A Password Cracking Rig

Cracking On A “Budget”

Link HERE

-Static code analysis (SAST) tools in GitLab

Language / framework        Scan tool
C/C++                       Flawfinder
Python                      bandit
Ruby on Rails               brakeman
Groovy (Gradle & Grails)    find-sec-bugs
Java (Maven & Gradle)       find-sec-bugs
Scala (sbt)                 find-sec-bugs
Go                          Gosec
PHP                         phpcs-security-audit
.NET                        Security Code Scan
Node.js                     NodeJsScan

Link HERE Container scanning HERE and DAST HERE and Dependency Checking HERE Other SAST tools HERE
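To show how the table above fits into a pipeline, here is an added example .gitlab-ci.yml (not taken from the linked GitLab docs or any project) that wires in SAST together with the container scanning, DAST and dependency checking linked on the same line. It assumes a GitLab instance where the Security/* CI templates are available, a Dockerfile in the repository root, and a staging URL https://staging.example.com, which is a placeholder.

```yaml
# .gitlab-ci.yml (added example; assumes GitLab's Security/* templates are available)
stages:
  - build
  - test       # SAST, dependency and container scanning jobs from the templates run here
  - dast       # the DAST template's job runs in this stage

include:
  - template: Security/SAST.gitlab-ci.yml                 # picks bandit/gosec/brakeman/... by detected language
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # known-vulnerable third-party packages
  - template: Security/Container-Scanning.gitlab-ci.yml   # scans the image pushed by build_image below
  - template: Security/DAST.gitlab-ci.yml                 # black-box scan of the deployed app

variables:
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"   # keep test fixtures out of the SAST report
  DAST_WEBSITE: "https://staging.example.com"     # placeholder: the deployed staging instance to scan

# Container scanning expects an image tagged $CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA
build_image:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

The templates only add their jobs; they do not fail the pipeline on findings by default, so a gate (for example a merge-request approval rule on the security report, or a job that parses the gl-sast-report.json artifact) still has to be put in place if a high-severity finding is meant to block a merge.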

-iOS Pentesting Tools Part 1: App Decryption and class-dump

Link HERE Part 2 HERE Part 3 HERE and Frida workshop HERE

 

Other interesting articles

2019 Cybersecurity Predictions: Artificial Intelligence

Link HERE and Search for skills, the gap between C-suite and IT security, and flaws in critical infrastructure top 2019 CISO predictions HERE

 

The Blockchain Is a Reminder of the Internet’s Failure

The same utopian promises that bloomed during the Internet’s early days are back. Be afraid

Link HERE

 

OATH’S BIG YEAR OF BUG BOUNTIES CAPPED OFF WITH NYC LIVE HACKING EVENT

The past week capped off a record year of bug bounties for Oath, the media giant which boasts a slew of dynamic brands including Yahoo, AOL, Verizon Digital Media Services, and TechCrunch. In 2018, Oath has received over 1,900 valid vulnerabilities through its private bug bounty program, over 300 of which were high or critical severity. Big numbers mean big rewards — Oath has paid $5 million in bounties in 2018. That’s nearly five times the bounties paid in 2017 and nearly 10 times the bounties paid by Oath brands in 2016

Link HERE and GRAMMARLY’S BUG BOUNTY PROGRAM GOES PUBLIC: Q&A WITH VP OF ENGINEERING JOE XAVIER HERE

AND

When is a vulnerability not a vulnerability?

Recently, I was discussing the types of submissions that are often declined by bug bounty programs with Tomer Schwartz, who works as part of the Microsoft Security Response Center (MSRC). Unfortunately, sometimes he is the person who has to do the declining. He said, “Sometimes a vulnerability just isn’t a vulnerability”. You might think this sounds wrong, but let’s talk about what he meant

Link HERE

 

The unbelievable tale of a fake hitman, a kill list, a darknet vigilante… and a murder

Hitman-for-hire darknet sites are all scams. But some people turn up dead nonetheless

Link HERE

 

And finally, What If Reality Isn’t Real?

The rise of the simulation theory tells us a lot about how we live now

Link HERE

AND

The Future of Software Is No Code

Disrupting the disruptor

Link HERE

 

HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://www.honoki.net/2018/12/from-blind-xxe-to-root-level-file-read-access/

Description: From blind XXE to root-level file read access.

URL: https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html

Description: RCE in Hubspot with EL injection in HubL.

Link HERE and credits to HERE
