Word of the week “Fake Hand”
Hackers Make a Fake Hand to Beat Vein Authentication
One attraction of a vein-based system over, say, a more traditional fingerprint system is that it is typically harder for an attacker to learn how a user’s veins are positioned under the skin than it is to lift a fingerprint from a held object or from a high-quality photograph, for example.
But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.
“It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them,” Krissler explained. In all, the pair took over 2,500 pictures over 30 days to perfect the process and find an image that worked.
They then used that image to make a wax model of their hands which included the vein detail.
Word of the week special “Disruption for Thee, But Not for Me”
The Silicon Valley gospel of “disruption” has descended into caricature, but, at its core, there are some sound tactics buried beneath the self-serving bullshit. A lot of our systems and institutions are corrupt, bloated, and infested with cream-skimming rentiers who add nothing and take so much.
Password Managers (read the thread)
GDPR Data Portability
Crypto challenge of the week
Pirating like in the 90ies
Ahoy, my name is Santa and I want to be a pirate!
Challenge link HERE
Write-up for all challenges HERE
May 25th 2018: GDPR Live! See incidents section below
June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
TLS 1.0 and TLS 1.1 ARE GONE!!
Now: HTTPS mandatory
The year in post-quantum crypto
HTTPS everywhere HERE
March 29th 2019: Brexit
September 2019: PSD2 security mandatory
November 3rd 2020: Trump’s second term start
Comic of the week
Some OWASP stuff first
- AppSec podcast – AppSec in Israel and Three Talks to watch from AppSec USA
- Collection of CSP bypasses
- Great people to follow on Twitter
- Version 2.9.0 of the OWASP Amass project for DNS enumeration and network mapping was released!
- Google Launches Opensource.dev as an Introduction to Open Source
OWASP events HERE
All InfoSec events HERE
AppSec California in January 22-25 2019 HERE
First AWS Security Conference – AWS re:Inforce 2019
Hack In Paris 2019 HERE
Popular cybersecurity conference DerbyCon says it is shutting down after this year, citing an inability to control attendees’ behaviour.
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Significant Cyber Incidents
Incidents in the world last week
Incident data HERE Find your country
Troy Hunt weekly update
Transatlantic Cable podcast, episode 74 – by Kaspersky
A talk about travel and cybersecurity: from top tips on what to do before travelling, including backing up your data and not using hotel Wi-Fi, right through to how best to keep your private data private when out and about.
Exclusive: How a Russian firm helped catch an alleged NSA data thief
Bill Gates’s blog – Lost and Found with “the Most Wondrous Map Ever Produced” – The Gene
Incidents & events detail
.gov security falters during U.S. shutdown – thanks to JuanMi
Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.
Unique phishing method to look out for: the full screen API
Using the browser API to fool you into giving up your details
PoC for Windows VCF zero-day published online
Microsoft said it would fix the vulnerability in Windows 19H1, in April.
Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs
Researcher shows how popular app ES File Explorer exposes Android device data
Remember: Cyber Security Skills Strategy
The UK Government has launched a Call for Views on its Initial National Cyber Security Skills Strategy
Security Vulnerabilities in Cell Phone Systems
Brand new USB security feature could change everything
Pass-the-Cache to Domain Compromise
Remember: Exposed JIRA server leaks NASA staff and project data
Fake Movie File Malware
Hackerone Live Hacking events
WindTail APT able to bypass traditional antivirus protections
New Attack Against Electrum Bitcoin Wallets
How the attack works:
- Attacker added tens of malicious servers to the Electrum wallet network.
- Users of legitimate Electrum wallets initiate a Bitcoin transaction.
- If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
- User clicks the link and downloads the malicious update.
- When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
- The malicious Electrum wallet uses the 2FA code to steal the user’s funds and transfer them to the attacker’s Bitcoin addresses.
The problem here is that Electrum servers are allowed to trigger popups with custom text inside users’ wallets.
HOW CHINA’S ELITE HACKERS STOLE THE WORLD’S MOST VALUABLE SECRETS
How I Hacked Play-with-Docker and Remotely Ran Code on the Host
Security researchers have found ways attackers could take over construction cranes as well as other large pieces of construction equipment
Research of the week
- Introduction to WebAuthn API
Learn what is FIDO2 and Webauthn, and how to use them to kill passwords
- PCI Software Security Standard new version
It will eventually replace PA-DSS.
PCI SSC has published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as part of a new PCI Software Security Framework. The framework is a collection of software security standards and associated validation and listing programs for the secure design, development and maintenance of modern payment software. In this post PCI SSC Chief Technology Officer Troy Leach highlights what stakeholders need to know about the new standards.
- Ball and Chain: A New Paradigm in Stored Password Security – thanks to Ben
- True2F: Backdoor-resistant authentication tokens
We present True2F, a system for second-factor authentication that provides the benefits of conventional authentication tokens in the face of phishing and software compromise, while also providing strong protection against token faults and backdoors. To do so, we develop new lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, and we implement new privacy defenses to prevent cross-origin token-fingerprinting attacks. To facilitate real-world deployment, our system is backwards-compatible with today’s U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes just 57ms to complete on the token, compared with 23ms for unprotected U2F.
- Machine Learning to Detect Software Vulnerabilities
Tool of the week
- Metasploit 5 released!
Simpleator (“Simple-ator”) is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called “Redstone 4”, with additional improvements that were made in Windows 10 October Update (1809), aka “Redstone 5”.
It is meant as a Proof-of-Concept of how simpler and faster sandboxed detonation environments could be built, as well as even more resource-limited containers that could run serverless workloads (AWS Lambdas / Azure Functions) without requiring a guest operating system.
Other interesting articles
Can you ever (safely) include credentials in a URL?
Recommendations for securely including credentials in a URL:
Always use a limited-scope token such as a capability token (key) or limited scope OAuth access token. Ideally the token should only provide access to the one resource named in the URL. Never ever ever put a username and password in a URL.
Set suitable Cache-Control and Referrer-Policy headers on resources protected with capability URLs.
Use HATEOAS and simple UX design principles to make use of capability URLs natural and secure.
Consider binding tokens to other contextual identifiers, such as session cookies or the TLS channel, but consider the usability implications of doing so.
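As an added example (not code from the linked post), here is a minimal capability-token scheme in Python that follows the recommendations above: the token is an HMAC over exactly one resource path and an expiry, optionally bound to a session identifier, and responses serving such resources carry the Cache-Control and Referrer-Policy headers named above. The secret, base URL, paths and lifetimes are constructed values; the `now` parameter exists only for deterministic testing.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed per-process secret; a real deployment loads this from a secret store.
SECRET = secrets.token_bytes(32)

# Headers for any response served from a capability URL, so the URL (and its
# token) is neither cached on disk nor leaked via the Referer header.
CAPABILITY_HEADERS = {
    "Cache-Control": "no-store",
    "Referrer-Policy": "no-referrer",
}


def mint_capability_token(resource: str, ttl: int, session_id: str = "", now=None) -> str:
    """Return a token valid only for `resource` until now+ttl, optionally bound to a session."""
    exp = int((time.time() if now is None else now) + ttl)
    msg = f"{resource}|{exp}|{session_id}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def capability_url(base: str, resource: str, ttl: int, session_id: str = "", now=None) -> str:
    """Build a URL whose token is scoped to the one resource path it names."""
    return f"{base}{resource}?token={mint_capability_token(resource, ttl, session_id, now)}"


def verify_capability_url(url: str, session_id: str = "", now=None) -> bool:
    """Accept the URL only if its token was minted for this exact path, is unexpired,
    and (if bound) matches the presenting session; reject on any parse failure."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("token", [""])[0]
    try:
        exp_s, mac = token.split(".", 1)
        exp = int(exp_s)
    except ValueError:
        return False
    if (time.time() if now is None else now) > exp:
        return False
    expected = hmac.new(
        SECRET, f"{parts.path}|{exp}|{session_id}".encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison
```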
Why You Shouldn’t be Using BCrypt and Scrypt
Learn and Catch Hackers
Hackers in Darkweb forums rely heavily on reputation. Previous postings, technical knowledge, possession of code samples, and on and on – are the currencies that allow them to manage and grow influence. The paradox, however, is that no hacker would ever consider exposing their identity to the group – regardless of any presumed anonymity controls. Participants in the Darkweb must therefore stake their positions some other way…
The Failure of Crypto Tribalism
Crypto has an ethics problem and it’s making a mockery of decentralization
All Software Licensing is theft…
Consider the Linux Foundation. This organisation oversees the development of many key parts of what we commonly call “Linux”, including the Linux kernel itself. The Linux Foundation does employ salaried staff, paid for out of the fees paid by its member organisations. These fees add up to around US$6 million a year — provided by companies such as Cisco, Microsoft, Fujitsu, HP, IBM, Intel, NEC, Oracle, Qualcomm, and Samsung. In total, more than 200 organisations contribute to the upkeep of the Foundation. Many of these companies also directly employ people on their own payroll to work on projects supported by the Linux Foundation. They, like Digium, understand that a free and non-scarce Linux boosts their ability to sell their own market offerings — computer or network hardware, mobile phones, etc.
And finally, World Economic Forum warns globe is ‘sleepwalking into a crisis’
The report, based on a survey of roughly 1,000 top business executives, politicians and experts, noted that the following five risks were considered the most likely to happen in 2019:
- Extreme weather events (such as floods and storms)
- Failure of climate-change mitigation and adaptation
- Major natural disasters (such as earthquakes and tsunamis)
- Massive incident of data fraud/theft
- Large-scale cyberattacks
HACKING, TOOLS and FUN – CHECK BELOW!
Description: XSS in Steam react chat client.
URL: http://bit.ly/2RoDTqv (+)
Description: Open redirects – The vuln class no one but attackers cares about.