Word of the week “Cyber Karma”: Decade of the Data Breach
“Data Breach Fatigue”
The U.K. alone was hit by 796 cyber-attacks in 457 days
Word of the week special “PewDiePie” printer hackers strike again
Hackers have taken control of printers around the world!
Serious Security: When cryptographic certificates attack – thanks to Philippe
Crypto challenge of the week
HACKvent 2018 Challenge
Piet’er just opened his gallery to present his pieces to you; they’d make for a great present :)
May 25th: GDPR Live! See incidents section below
June 30th: PCI DSS deadline to drop SSL and TLS 1.0 (TLS 1.1 is the minimum, TLS 1.2 strongly recommended) BEWARE!
Now: TLS 1.2 mandatory for proper security
TLS 1.0 and TLS 1.1 ARE GOING!! (the major browser vendors have announced they will drop both in 2020)
Now: HTTPS mandatory
HTTPS everywhere HERE
Why closing port 80 is bad for security
TLS 1.3 – Decryption Misconceptions – thanks to Teo
March 29th 2019: Brexit
September 2019: PSD2 security mandatory
November 3rd 2020: US presidential election (a possible Trump second term)
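Two of the dates above are about TLS versions, and the TLS 1.3 item is about a common misreading of them, so here is a check to run against captured connections: which versions does a client actually offer? This is an added example written for this newsletter, not code from any of the linked articles. It parses the ClientHello that opens every TLS connection and classifies the client against a “TLS 1.2 or better” policy. The TLS 1.3 wrinkle: a 1.3 ClientHello carries legacy_version 0x0303 (TLS 1.2) and puts the real offer in the supported_versions extension, so neither the record header nor legacy_version tells you what will be negotiated. The sample hellos are constructed by build_client_hello() inside the script; they are not captured traffic.

```python
"""Which TLS versions does this client actually offer?

Added example, not from the newsletter or the linked articles.  Parses a TLS
ClientHello record and classifies the client against a "TLS 1.2 or better"
policy, honouring the TLS 1.3 supported_versions extension.  The hellos are
constructed by build_client_hello(); they are not captured traffic.
"""
import struct

TLS_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B
MIN_ACCEPTABLE = 0x0303          # policy floor: TLS 1.2


def build_client_hello(legacy_version, supported_versions=None,
                       cipher_suites=(0x1301, 0xC02F)) -> bytes:
    """Constructed ClientHello record for the demo (not captured traffic)."""
    body = struct.pack("!H", legacy_version)
    body += b"\x11" * 32                                   # client random (fixed filler)
    body += b"\x00"                                        # empty legacy_session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # compression_methods: null only
    exts = b""
    if supported_versions is not None:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record layer


def parse_client_hello(record: bytes) -> dict:
    """Extract legacy_version, cipher suites and supported_versions (None if absent)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    (legacy_version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                           # skip random
    pos += 1 + body[pos]                                   # skip legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression_methods
    supported = None
    if pos + 2 <= len(body):                               # extensions block is optional pre-1.3
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy_version, "cipher_suites": suites,
            "supported_versions": supported}


def classify(record: bytes) -> str:
    """'modern': every offered version >= TLS 1.2.  'offers-legacy': 1.0/1.1 listed
    in supported_versions.  'legacy-only': pre-1.3 client whose maximum is < 1.2.
    'no-floor': pre-1.3 client with maximum 1.2; how far it would downgrade is not
    signalled, so a server-side minimum version is the only real control."""
    info = parse_client_hello(record)
    sv = info["supported_versions"]
    if sv is not None:
        return "modern" if min(sv) >= MIN_ACCEPTABLE else "offers-legacy"
    if info["legacy_version"] < MIN_ACCEPTABLE:
        return "legacy-only"
    return "no-floor"


if __name__ == "__main__":
    samples = {                                            # constructed, not captured
        "tls13-client": build_client_hello(0x0303, [0x0304, 0x0303]),
        "tls12-with-fallback": build_client_hello(0x0303, [0x0304, 0x0303, 0x0302, 0x0301]),
        "tls12-pre13-client": build_client_hello(0x0303),
        "tls10-only": build_client_hello(0x0301, cipher_suites=(0x002F,)),
    }
    for name, rec in samples.items():
        info = parse_client_hello(rec)
        offered = info["supported_versions"] or [info["legacy_version"]]
        print("%-20s legacy_version=%s offered=%s -> %s" % (
            name, TLS_NAMES[info["legacy_version"]],
            [TLS_NAMES.get(v, hex(v)) for v in offered], classify(rec)))
```

Note what the third sample shows: a pre-1.3 client with legacy_version 0x0303 looks identical at the record layer to a TLS 1.3 client, and nothing in its hello says whether it would accept a 1.0 ServerHello. That is why the “TLS 1.2 mandatory” line above is a server-side setting, not something you can infer from the clients.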
Comic of the week
Some OWASP stuff first
-AppSec Podcast – SecOps Makes Developers Lives Easier (S04E21)
-Jumpstarting Your DevSecOps Pipeline with IAST and RASP
DevSecOps is so much more than automating the scan button – it spans the entire stack and the full software lifecycle, including development *and* operation.
OWASP events HERE
All InfoSec events HERE
First AWS Security Conference – AWS re:Inforce 2019
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incidents in the world last week
Other source for incident data HERE (find your country)
Data breach statistics HERE – not being kept up-to-date
The problem with lapsing certificates
A report from the US Congress this week revealed that the 2017 Equifax network breach went undetected for as long as it did partly because of an expired certificate.
The certificate belonged to the appliance that inspects encrypted network traffic for suspicious activity; while it was expired, that traffic was not being inspected, so the attackers’ activity was never spotted. The lesson: an expired certificate on security tooling is a monitoring outage, and certificates on inspection devices need the same inventory and expiry alerting as the ones on public websites.
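The practical check that the Equifax story calls for is an expiry job that runs over every certificate in the inventory, inspection appliances included, and shouts well before notAfter. Below is an added example written for this newsletter, not code from the congressional report or any vendor: a dependency-free DER walker that pulls the Validity field out of a certificate, plus the policy verdict a job would apply. The sample certificates are constructed with the same DER helpers so the script runs offline; they are structurally valid but unsigned stand-ins, not real certificates, and the host names in the inventory are invented.

```python
"""Alert on expiring or expired X.509 certificates.

Added example (not from the congressional report or the newsletter): a
dependency-free DER walker that extracts Validity from a certificate, plus
the expiry policy an inventory job would apply.  Sample certificates are
constructed with the same helpers (unsigned stand-ins, not real certs).
"""
from datetime import datetime, timedelta, timezone

SEQUENCE, INTEGER, BIT_STRING, UTCTIME, GENTIME, CTX0 = 0x30, 0x02, 0x03, 0x17, 0x18, 0xA0


def utc(*ymd_hms) -> datetime:
    """Shorthand for an aware UTC datetime, e.g. utc(2018, 12, 17)."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (tag, length, value)."""
    return bytes([tag]) + _encode_len(len(payload)) + payload


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(payload: bytes):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE payload."""
    pos = 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        yield tag, value


def parse_time(tag: int, value: bytes) -> datetime:
    """Decode an X.509 Time: UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == UTCTIME:                     # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    elif tag != GENTIME:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(cert_der: bytes):
    """Return (notBefore, notAfter) from a DER-encoded Certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tag != SEQUENCE or tbs_tag != SEQUENCE:
        raise ValueError("not a Certificate SEQUENCE")
    fields = list(children(tbs))
    if fields[0][0] == CTX0:               # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    val_tag, val = fields[3]               # serialNumber, signature, issuer, validity, ...
    if val_tag != SEQUENCE:
        raise ValueError("validity is not a SEQUENCE")
    (t1, nb), (t2, na) = list(children(val))[:2]
    return parse_time(t1, nb), parse_time(t2, na)


def check_expiry(cert_der: bytes, now: datetime, warn_days: int = 30) -> str:
    """Policy verdict: 'expired', 'expiring', 'not-yet-valid' or 'ok'."""
    not_before, not_after = validity(cert_der)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def sample_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed stand-in: correct Certificate/tbsCertificate framing with the
    fields around Validity left as empty placeholders.  Unsigned, not a real cert."""
    def t(d):
        return der(UTCTIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = der(SEQUENCE,
              der(CTX0, der(INTEGER, b"\x02"))          # version v3
              + der(INTEGER, b"\x01")                   # serialNumber
              + der(SEQUENCE, b"")                      # signature algorithm (placeholder)
              + der(SEQUENCE, b"")                      # issuer (placeholder)
              + der(SEQUENCE, t(not_before) + t(not_after))
              + der(SEQUENCE, b"")                      # subject (placeholder)
              + der(SEQUENCE, b""))                     # subjectPublicKeyInfo (placeholder)
    return der(SEQUENCE, tbs + der(SEQUENCE, b"") + der(BIT_STRING, b"\x00"))


if __name__ == "__main__":
    today = utc(2018, 12, 17)
    inventory = {                                       # constructed inventory, invented names
        "ssl-inspection-appliance": sample_cert(utc(2016, 1, 1), utc(2017, 11, 1)),
        "intranet-portal": sample_cert(utc(2018, 1, 10), utc(2019, 1, 10)),
        "public-api": sample_cert(utc(2018, 6, 1), utc(2020, 6, 1)),
    }
    for name, cert in inventory.items():
        print("%-26s %-13s notAfter=%s" % (name, check_expiry(cert, today), validity(cert)[1].date()))
```

On a real inventory you would feed validity() the DER bytes straight from the file or from ssl.get_server_certificate(), and treat “expired” on anything in the security tooling tier as a monitoring incident rather than a certificate chore.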
Confidential data loss in Denmark
Confidential data of 20,000 residents of Gladsaxe, Denmark, has been lost following the theft of a computer from the town’s city hall between November 30th and December 3rd.
The data had been saved locally on the machine and included civil registration numbers, ages and addresses; details of social welfare payments and housing were also reported as affected.
Stay secure; keep on top of the latest security updates
WordPress has issued security release 5.0.1, which fixes several vulnerabilities, including one that in rare cases led to Google indexing default generated user passwords.
Detailed information on version 5.0.1 is on the WordPress news pages, but crucially: in some uncommon configurations the activation screens for new users could be indexed by search engines, exposing email addresses and, in rare cases, the default generated password.
Troy Hunt weekly update
Transatlantic Cable podcast, episode 69 – by Kaspersky
2018 statistics and 2019 predictions
Link HERE, and Cyberthreats to financial institutions 2019: OVERVIEW AND PREDICTIONS
- The emergence of new groups due to the fragmentation of Cobalt/Carbanak and Fin7: new groups and new geography
- The first attacks through the theft and use of biometric data
- The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, South-East Asia and Central Europe
- Continuation of the supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world
- Traditional cybercrime will focus on the easiest targets and bypass antifraud solutions: replacement of PoS attacks with attacks on systems accepting online payments
- The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network
- Attacks on mobile banking for business users
- Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wires: result of data leaks
Incidents & events detail
Report: Facebook let major tech firms access private messages, friends lists
NYT: Bing could see nearly “all Facebook users’ friends without consent.”
APT review of the year
What the world’s advanced threat actors got up to in 2018
NASA got hacked
UNIVERSAL ANDROID SSL PINNING IN 10 MINUTES WITH FRIDA
A look at home routers, and a surprising bug in Linux/MIPS
We reviewed 28 popular home routers for basic hardening features. None performed well. Oh, and we found a bug in the Linux/MIPS architecture
From blind XXE to root-level file read access
Iranian phishers bypass 2FA protections offered by Yahoo Mail and Gmail
Group breaches SMS-protected accounts. It’s still testing attacks against 2FA apps
Crowdstrike’s Cyber Intrusion Services Casebook 2018: One Compromised Laptop Gave Hackers Access to Corporate Network
According to CrowdStrike’s Cyber Intrusion Services Casebook 2018, a single laptop used at a coffee shop was compromised and then used to reach an unnamed company’s entire corporate network. The laptop’s user had followed a phishing email to a partner organization’s website. From there, the attackers exploited a misconfiguration in the company’s Active Directory implementation that granted unnecessary privileges. The security software the company used only detected threats while a device was on the organization’s own network, so the off-site compromise went unnoticed.
Amazon uses dummy parcels to catch thieves
What is going on with OAuth 2.0? And why you should not use it for authentication
Cloudflare Allegedly Counts Identified Terrorist Groups Among Clients
A Huffington Post report alleges that Cloudflare is providing cybersecurity services to seven groups that are under sanctions from the US Treasury Department; of those, six are identified as foreign terrorist groups by the US State Department.
All service providers have to deal with the “know your customer” issue and the various sanctions that home-country law places on doing business with sanctioned entities and countries. At any given time, many large service providers have compliance issues – the key is how quickly they deal with known or reported violations
Facebook disclosed a bug that allowed app developers to view users’ photos that they uploaded to Facebook but never shared on their timeline
Signal Says It Cannot Include a Backdoor in its App
In a December 13 blog post, Signal developer Joshua Lund expresses the organization’s frustration with Australia’s new Assistance and Access bill, noting that “attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development.” Lund says that Signal cannot include a backdoor and that “the end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us.”
Research of the week
-Kaspersky Security Bulletin 2018 STATISTICS
-20 Ways To Block Mobile Attacks
-eBook: Intrusion Detection Guide
-Software Architecture: Architect Your Application with AWS
Nowadays, cloud computing has become a central part of any tech company, which now includes every company, since most of them can be categorized under “Software as a Service” (SaaS). In this post, I will try to simplify the most important Amazon cloud/web services, known as AWS.
This post will help you to understand the different services by Amazon and their different capabilities, and to discover the new opportunities that come with using cloud computing instead of self-managed infrastructures
Tool of the week
-Open Source Network Security Tools for Beginners
-How To Build A Password Cracking Rig
Cracking On A “Budget”
-Static code analysis (SAST) tools in GitLab
| Language / framework | Scan tool |
|---|---|
| Ruby on Rails | brakeman |
| Groovy (Gradle & Grails) | find-sec-bugs |
| Java (Maven & Gradle) | find-sec-bugs |
| .NET | Security Code Scan |
-iOS Pentesting Tools Part 1: App Decryption and class-dump
Other interesting articles
2019 Cybersecurity Predictions: Artificial Intelligence
The Blockchain Is a Reminder of the Internet’s Failure
The same utopian promises that bloomed during the Internet’s early days are back. Be afraid
OATH’S BIG YEAR OF BUG BOUNTIES CAPPED OFF WITH NYC LIVE HACKING EVENT
The past week capped off a record year of bug bounties for Oath, the media giant which boasts a slew of dynamic brands including Yahoo, AOL, Verizon Digital Media Services, and TechCrunch. In 2018, Oath received over 1,900 valid vulnerabilities through its private bug bounty program, over 300 of which were high or critical severity. Big numbers mean big rewards — Oath paid $5 million in bounties in 2018. That’s nearly five times the bounties paid in 2017 and nearly 10 times the bounties paid by Oath brands in 2016
When is a vulnerability not a vulnerability?
Recently, I was discussing the types of submissions that are often declined by bug bounty programs with Tomer Schwartz, who works as part of the Microsoft Security Response Center (MSRC). Unfortunately, sometimes he is the person who has to do the declining. He said, “Sometimes a vulnerability just isn’t a vulnerability”. You might think this sounds wrong, but let’s talk about what he meant
The unbelievable tale of a fake hitman, a kill list, a darknet vigilante… and a murder
Hitman-for-hire darknet sites are all scams. But some people turn up dead nonetheless
And finally, What If Reality Isn’t Real?
The rise of the simulation theory tells us a lot about how we live now
The Future of Software Is No Code
Disrupting the disruptor
HACKING, TOOLS and FUN – CHECK BELOW!
Description: From blind XXE to root-level file read access.
Description: RCE in Hubspot with EL injection in HubL.