Security Stack Sheet #34

Word of the week “Toxic Data”

Links HERE and HERE and HERE and HERE and HERE


Word of the week special “Robots as a Platform”

Robots are about to become a platform worthy of every developer’s time. After all, every single thing that a phone, desktop, or voice assistant can do, a robot can do. (And yes, like a phone, some robots can even fit in your pocket.)

Link HERE


Bonus

A junior, a mid and a senior dev walk into a bar

Link HERE

Links HERE and HERE

Link HERE

Link HERE and the definition of a Linux Desktop HERE

Link HERE

Link to the thread HERE


Crypto challenge of the week

35C3CTF

Eat, Sleep, Pwn, Repeat

Link HERE


Dates

May 25th: GDPR Live! See incidents section below

June 30th: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

TLS 1.0 and TLS 1.1 ARE GOING!!

Google HERE Firefox HERE Microsoft HERE

Now: HTTPS mandatory

The year in post-quantum crypto

Link HERE Slides HERE

HTTPS everywhere HERE

A Readable Specification of TLS 1.3

Link HERE

BUT

Why closing port 80 is bad for security

Link HERE

March 29th 2019: Brexit

Spike in Brexit-themed phishing attacks expected once withdrawal agreement is finalised

Russian-linked Fancy Bear among hackers that could target the UK with malware and disinformation

Link HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

Link HERE


Comic of the week

Some OWASP stuff first

-AppSec Podcast – OWASP IoT Top 10 (S04E22)

Link HERE

-OWASP Internet of Things Project

Link HERE

-The CIS Critical Security Controls for Effective Cyber Defence

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

CSC 4: Continuous Vulnerability Assessment and Remediation

CSC 5: Controlled Use of Administrative Privileges

CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs

CSC 7: Email and Web Browser Protections

CSC 8: Malware Defenses

CSC 9: Limitation and Control of Network Ports, Protocols, and Services

CSC 10: Data Recovery Capability

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

CSC 12: Boundary Defense

CSC 13: Data Protection

CSC 14: Controlled Access Based on the Need to Know

CSC 15: Wireless Access Control

CSC 16: Account Monitoring and Control

CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps

CSC 18: Application Software Security

CSC 19: Incident Response and Management

CSC 20: Penetration Tests and Red Team Exercises

Link HERE and CIS failures HERE


Events

OWASP events HERE

All InfoSec events HERE

AppSec California in January 22-25 2019 HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack Luxembourg presentations

Link HERE

List of Helpful Information Security Multimedia

Link HERE


Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents in the world last week

Incident data HERE Find your country

Data breach statistics HERE – not being kept up-to-date

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Troy Hunt weekly update

Link HERE

Transatlantic Cable podcast, episode 72 – by Kaspersky

New Year Episode – Cyber Security Resolutions

Link HERE


Incidents & events detail

Beware: There’s a fake Amazon Alexa ‘Setup’ app climbing App Store charts

There’s an app currently circulating on Apple’s App Store pretending to be the official set-up companion for Amazon’s Alexa, and it has fooled its way to the top of the download charts. At the time of this writing, the fake app sits at #60 overall in the general “Top Free” section, and at an even more concerning #6 in the Utilities section.

Link HERE

Hacker steals 10 years worth of data from San Diego school district

Officials said the hacker made off with the personal information of over 500,000 students and staff.

Link HERE

Cyber-attack disrupts printing of major US newspapers

Link HERE

EU to fund bug bounties for open source projects including PuTTY, Notepad++, KeePass, Filezilla and VLC

Up to $100,000 per bug

Link HERE

JungleSec Ransomware Infects Victims Through IPMI Remote Consoles

Link HERE

Privacy and Facebook…

These are mutually exclusive and should NOT be uttered in the same sentence…

Link HERE and top privacy resources HERE

Guardzilla Home Security System Has Hard-Coded Credentials

A vulnerability in the GZ501W Guardzilla home security device could be exploited to access stored video data. The device uses a shared Amazon S3 credential for storing video in the cloud. Guardzilla learned of the vulnerability on October 24.
[Neely]
The hard-coded credentials provide access to multiple Guardzilla S3 buckets, rather than a device-specific storage location. The additional buckets include free and premium storage as well as development and test buckets. The device firmware root account had an easily cracked DES-encoded password. The root password and AWS have been published. Mitigation is dependent on a firmware update from Guardzilla. Changing the firmware to use an intermediate system to limit devices to specific storage with end-user-supplied credentials, as well as resolving any vulnerabilities in supporting software, will be a significant change for Guardzilla, who is keeping tight-lipped about their response to the issue.

Link HERE

Breaking CAPTCHA Using Machine Learning in 0.05 Seconds

A machine learning model breaks the CAPTCHA systems of 33 highly visited websites; the approach is based on GANs.

Link HERE


Research of the week

-Tackling the Human Aspect of Cyber Security: THE PSYCHOLOGY OF A LAW FIRM

Link HERE

-AGILITÉ & SÉCURITÉ NUMÉRIQUES: Méthode et outils à l’usage des équipes projet (Digital Agility & Security: method and tools for project teams) – in French – thanks to Christophe

Link HERE

-Introducing BEC: The Great White Shark of Social Engineering

Link HERE

-Ebook initiative: The white hat hackers guide to hacking & pentesting for the common good – RELAUNCH

Link HERE


Tool of the week

-2018 Year in review – ReportURI

Link HERE

-How to get started with Metasploit Framework: Part One

Link HERE

-The complete list of Infosec related cheat sheets

Penetration testing and webapp cheat sheets

Password cracking cheat sheets

Forensics cheat sheets

CISO, blue team, Sysadmin and webadmin cheat sheets

Threat hunting

Privacy

Malware analysis and reverse engineering

Developers/Builders

OWASP cheat-sheets (still in draft/Beta stages)

Deep learning/AI/Machine learning

Link HERE

-Awesome Burp Extensions

A curated list of amazingly awesome Burp Extensions

Link HERE

-500 page PDF of Google Dorks

Submitted to Exploit Database

Link HERE


Other interesting articles

The Hotel Room Hacker

Link HERE


10 Personal Finance Lessons for Technology Professionals

Link HERE


And finally, A Better World in 2018

Link HERE


HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://leucosite.com/WebExtension-Security/

More: https://leucosite.com/WebExtension-Security-Part-2/

Description: WebExtension Security

URL: http://bit.ly/2SmvFf6 (+)

Description: How I accidentally found a clickjacking “feature” in Facebook.

Link HERE and credits to HERE
