Word of the week “Hot tub hack” reveals washed-up security protection
Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed.
Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights, via a laptop or smartphone.
“KringleCON” by SANS
Over the past three years during the SANS #HolidayHack challenge, vicious holiday super villains have conspired to destroy the entire holiday season and the North Pole itself. Santa has just declared, “Enough is enough! It’s time to bring security professionals, hobbyists, and hackers from around the world in a unique meeting of the minds this December, to help improve the state of cyber security world-wide!”
Word of the week special “Top 2018 Security and Privacy Stories”
- Cryptocurrency Mining Malware
It’s been a wild ride with the cryptocurrency boom and sort-of bust. The year started out with a steady onslaught of hackers shifting from extorting money from victims via ransomware to planting cryptojacking malware. The switch was to take advantage of sky-high valuations for cryptocurrencies such as Monero. In March, we learned that one cryptomining gang earned $7 million in six months. As of December, the price for virtual currency has dropped so low that ransomware has come back into vogue.
- DDoS Attacks
Compared to 2017, DDoS attacks grew five-fold. Not only did they become more popular, they also became bigger, smarter and more diverse. One of the most notable evolutions in the DDoS landscape over the past year was the growth of peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols. Making matters worse, 2018 also saw a record number of devices, such as routers, become infected with malware such as VPNFilter.
- Breach Fatigue
The year kicked off with the Department of Homeland Security announcing a breach that exposed the data of 240,000 employees. But, things were just getting started. In March, Under Armour reported a breach impacting 150 million MyFitnessPal accounts. And after that, breaches began to pile up from Ticketmaster, Girl Scouts, British Airways, Quora, Marriott and others.
- Meltdown and Spectre
Chip-makers were sent scrambling in January when teams of researchers revealed two major vulnerabilities hiding in microprocessors. Called Meltdown and Spectre, the flaws impacted Intel microprocessors and other modern CPUs. Both vulnerabilities affect how microprocessors isolate sensitive data in memory. This opened the door for an attacker to gain access to data such as passwords, encryption keys or potentially even data from adjacent virtual systems co-located on the same server.
- Facebook Privacy Fiasco
The story broke about Facebook and Cambridge Analytica in the early months of 2018. And Facebook hasn’t stopped saying sorry ever since. The revelations began with the news that Facebook partner Cambridge Analytica had harvested personal data of Facebook users without their consent via the app thisisyourdigitalife. Then came the apology tour with Facebook CEO Mark Zuckerberg making nearly a dozen stops before Congress and the Senate Judiciary Committee. But just when you thought Facebook might catch its breath, in October there were new revelations about a security issue involving access tokens that exposed 50 million users. Then in December more reveals: This time it was a bug that exposed private images of 6.8 million users and then revelations of a data-sharing agreement with 150 tech firms where some had access to private Facebook Direct Messages.
- End-to-End Encryption
The 2018 debate over the government’s authority to access private encrypted data on digital devices was kicked off in January when FBI Director Christopher Wray called unbreakable encryption an “urgent public safety issue.” The year will likely also be remembered for a controversial bill passed in Australia, which could give the government there access to data otherwise protected by end-to-end encryption. The year also saw challenges to end-to-end encryption by Russian authorities, who ordered secure messaging service Telegram to hand over the encryption keys of 9.5 million active Russian users.
- Advanced Persistent Threats
In 2018, activity among the usual Advanced Persistent Threat (APT) suspects has been a little quieter than usual, say researchers. That’s not to say that some – Sofacy, Turla and CozyBear, notably – didn’t make waves this year. According to a year-end analysis by Kaspersky Lab, Sofacy was the most active of the three. “One of the most high-profile incidents was abuse of Computrace LoJack by this actor in order to deploy its malware on victim machines, in what can be considered a UEFI-type rootkit,” Kaspersky researchers wrote. The year also made room for newcomers, including Middle East APTs LazyMeerkat, FruityArmor, DarkHydrus and DomesticKitten.
- Destructive Malware
Soon after the start of the Winter Olympics in Pyeongchang, there were reports of malware attacks on infrastructure related to the Games. What became known as Olympic Destroyer shut down display monitors used by Olympic organizers, zapped Wi-Fi networks and prevented visitors from printing tickets by crippling the official Olympics website. The activity was an attribution confusion bomb, so researchers simply call the APT behind it “Hades.” We also saw destructive malware in 2018 in the form of the SamSam ransomware, which is tied to crippling attacks on the cities of Atlanta and Newark, N.J. Data-wiping malware Shamoon reappeared in December, destroying drives at an Italian oil and gas company. And an incident in September forced an Indiana hospital to cancel elective surgeries and divert ambulances.
- GDPR Arrives
In late May, the European Union’s General Data Protection Regulation (GDPR) was signed into law. GDPR is considered the most comprehensive regulation on the protection of personal data in the world. It introduces a sweeping set of privacy requirements impacting everything from US consumer privacy and cybersecurity to the role of technology companies and the future of the transatlantic digital economy. Yet, while 2018 may have been a milestone for GDPR, there have been few fines and many are still trying to sort out compliance.
- Router Attacks
As criminals focused on stealing data and growing bot armies, routers became an attractive target for doing both. In May, Talos researchers reported that Russian-speaking threat actors, with links to the BlackEnergy APT group, were behind the VPNFilter malware that infected 500,000 routers. In August, Censys.io reported a massive cryptomining campaign targeting MikroTik routers, infecting 170,000 devices with the CoinHive malware. In March, we learned of a cyber-espionage threat, dubbed Slingshot, which targeted routers and used them as a springboard to attack computers within a network. And in November, 45,000 routers were reported compromised by a campaign designed to open networks to attacks by EternalBlue, according to Akamai.
Security Resolutions 2019 – for the regular individual
- Choose strong passwords and change them on a regular basis.
- Always secure my laptop and portable devices.
- Review my bank and credit card statements every month.
- Ensure software on my computer and other devices is up-to-date.
- Mentor a young person in safe computer use practices.
SOME 2019 PREDICTIONS (More in the coming weeks!)
- Increasing cloudiness—which is a good thing
- GDPR’s worldwide reach brings reach for security too
- Blockchain blowback
- DevSecOps rising
- Privacy a priority—really?
- Smart—and disconnected
Link HERE Read the whole thread!
Crypto challenge of the week
fake xmas balls
A rogue manufacturer is flooding the market with counterfeit yellow xmas balls. They are popping up everywhere!
Can you tell them apart from the real ones? Perhaps there is some useful information hidden in the fakes…
Concise Christmas Cryptography Challenges 2019 – from Cloudflare
Last year we published some crypto challenges to keep you momentarily occupied from the festivities. This year, we’re doing the same. Whether you’re bored or just want to learn a bit more about the technologies that encrypt the internet, feel free to give these short cryptography quizzes a go.
We’re withholding answers until the start of the new year, to give you a chance to solve them without spoilers. Before we reveal the answers, if you manage to solve them, we’ll be giving the first 5 people to get the answers right some Cloudflare swag. Fill out your answers and details using this form so we know where to send it.
May 25th: GDPR Live! See incidents section below
June 30th: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
TLS 1.0 and TLS 1.1 ARE GOING!!
Now: HTTPS mandatory
HTTPS everywhere HERE
Why closing port 80 is bad for security
March 29th 2019: Brexit
September 2019: PSD2 security mandatory
November 3rd 2020: Trump’s second term start
Comic of the week
Some OWASP stuff first
-ODVSA – a Damn Vulnerable #serverless Application
Lessons are available HERE
A serverless application demonstrating common serverless security flaws
With the increasing demand for cloud employees, AWS Educate provides an academic gateway for the next generation of IT and cloud professionals. AWS Educate is Amazon’s global initiative to provide students and educators with the resources needed to accelerate cloud-related learning.
-“Building Better Defences: Engineering for the Human Factor”
In this talk, Allison Miller will explore how today’s defenders are evolving from a relatively simple model — isolation- and perimeter-based — into a more dynamic and flexible form that enables interconnectivity and data flows across independent environments, in real time and at scale. Upleveling our game in defense requires a more sophisticated approach to deflecting exploits and vulns, but also means designing for the “human factor”: mapping out complex sets of incentives, designing for interdependencies, and inventing new approaches to thinking about security, risk, & trust. Allison will discuss ideas for the next wave of security engineers and practitioners, including lessons learned from applying big data plus ML/AI in developing real-time risk modeling & algorithmic defense, and how today’s defenders are rewriting the playbooks on protecting the end-user zone.
-Dependency Track 3.4
Continuous Component Analysis Platform
OWASP events HERE
All InfoSec events HERE
First AWS Security Conference – AWS re:Inforce 2019
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incidents in the world last week (UK)
Find your country HERE
Data breach statistics HERE – not being kept up-to-date
Cyber breaches abound in 2019
Map of Threat Actors HERE
Troy Hunt weekly update
Transatlantic Cable podcast, episode 71 – by Kaspersky
Holiday tech tips for visiting family
During the course of our chat, we will discuss 12 things that can help secure your relatives and offer some tips to make it a bit less painful, so you can get back to the festivities.
Some additional helpful links include:
Everyday Espionage Podcast
Work-life balance is real, but it’s not what you’ve been told. Real balance puts you on the edge of falling; the edge of failing. But it also puts you on the edge of success. The world has been sold the lie that less work equals more life. While ‘work-life balance’ has become a multi-million dollar catchphrase, Andrew explains that when life is in the balance, more work equals more life.
In this unprecedented TEDx-style podcast, former covert CIA intelligence officer Andrew Bustamante discusses real-world international espionage techniques that can be used in everyday life. From business to personal relationships, spies know how to control their environment, drive predictable behaviour, and gain unique advantages. Secrets once reserved for the world’s elite intelligence services are now brought to light.
Incidents & events detail
FACEBOOK’S IMAGETRAGICK STORY
I want to believe that all of you know about ImageMagick and its Tragick. This issue was found at the end of April 2016 and, because many processing plugins depend on the ImageMagick library, this issue had a huge impact. Since there was evidence that information about this issue was available not only to the researchers who discovered it and ImageMagick’s development team, but also to others, on the 3rd of May, 2016 the information (without PoC) was disclosed. Many researchers got this low-hanging fruit while discovering applications which were not updated in time. But for some unknowable reason I was not among them. But this was in May
The Clickjacking Bug that Facebook Won’t Fix
‘Serious’ Twitter flaw allows hackers to post on other people’s accounts
A vulnerability in Twitter allows hackers to send tweets, private messages, post images or videos, and turn off security features, says British security researcher
Common Phishing Attack Types
Click2Gov Breaches Show The Power Of Zero Days
Caribou Coffee notifies customers of data breach
Retailer said 265 stores were tied to a months-long theft of customer data.
DDoS for hire domains seized – thanks to Naz
Amazon inadvertently sent more than 1,700 voice recordings of random people to a man in Germany after he submitted a GDPR request to the company.
Earlier this year, Microsoft indicated that it was planning to release a Windows 10 feature called inPrivate Desktop for enterprise users; the feature has been renamed Windows Sandbox and is now available to Windows 10 Pro users as well. Windows Sandbox is “an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC,” according to Microsoft.
Users of Apple iOS have enjoyed such a safe execution environment for years. My PC is configured to resist running any untrusted software or interpreting downloaded data (a pain), and I do all browsing and e-mail on my iPad or iPhone. Software to automagically intercept and interpret all URLs in a virtual machine (“isolated, temporary,” and safe environment) has been available at a price for years. Provision of such an isolated environment by Microsoft is late but powerful. One hopes that it is on by default.
Research of the week
-The Layered Cyber Security Approach and Model
-Exploring Quantum Neural Networks – by Google
-Hack the Air Force 3.0 Results
The Hack the Air Force 3.0 bug bounty program took place between October 19 and November 22 of this year. Nearly 30 participants discovered more than 120 vulnerabilities in public-facing Air Force websites and services. This is the third bug bounty program for the Air Force and the seventh overall within the Department of Defense (DOD). The competition was open to participants from 191 countries; applicants were vetted by HackerOne, which facilitated the event along with the Department of Defense’s Defense Digital Service.
We have several years of data points showing well-managed bug bounty programs can be both effective and efficient at finding vulnerabilities in systems and software. But, the headlines we really, really need to see are something like “Bug Hunting Challenge Finds No Vulnerabilities in Production Systems Because Bug Hunting Challenge Prior to Production Release Found Them First.”
Tool of the week
-Nmap Cheat Sheet
-Teaching test-driven development and continuous integration with “Evil Fizz Buzz”
Fizz Buzz is the word game in which players in a circle count from 1 up, substituting multiples of three with “fizz” and multiples of five with “buzz” (“1, 2, Fizz, 4, Buzz, Fizz, 7, 8, Fizz, Buzz, 11, Fizz, 13, 14, Fizz Buzz, 16, 17, Fizz, 19, Buzz, Fizz, 22, 23, Fizz, Buzz, 26, Fizz, 28, 29, Fizz Buzz, 31, 32, Fizz, 34, Buzz, Fizz, …”).
-CLOUD NATIVE APPLICATION BUNDLE from Docker
Other interesting articles
How security features can save your product and make it a super star
Indonesia overturns ban on Tik Tok after video streaming service agrees to increase security controls
After years of data pollution, the perfect storm hits Facebook
Interop’s Labyrinth: Sharing Code Between Web & Electron Apps
Things aren’t always what they seem in this place, so you can’t take anything for granted
And finally, The 60 Dumbest Moments in Tech 2018
Maybe it would have been easier to list the things that happened that weren’t strange, embarrassing, and/or unfortunate.
HACKING, TOOLS and FUN – CHECK BELOW!
Description: Exploiting XXE with local DTD files.
Description: How I could have stolen your photos from Google.
Description: Linux privilege escalation via trusted $PATH in keybase-redirector.