Security Stack Sheet #36

Word of the week “Fake Hand”

Hackers Make a Fake Hand to Beat Vein Authentication

One attraction of a vein-based system over, say, a more traditional fingerprint system is that it is typically harder for an attacker to learn how a user’s veins are positioned under their skin than to lift a fingerprint from a handled object or a high-quality photograph, for example.

But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.

“It’s enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them,” Krissler explained. In all, the pair took over 2,500 pictures over 30 days to perfect the process and find an image that worked.

They then used that image to make a wax model of their hands which included the vein detail.

Link HERE

 

Word of the week special “Disruption for Thee, But Not for Me”

The Silicon Valley gospel of “disruption” has descended into caricature, but, at its core, there are some sound tactics buried beneath the self-serving bullshit. A lot of our systems and institutions are corrupt, bloated, and infested with cream-skimming rentiers who add nothing and take so much

Link HERE Disruptors HERE and HERE and HERE and HERE

 

Bonus

Password Managers (read the thread)

Link HERE

GDPR Data Portability

Link HERE

Link HERE

Link HERE Launch career in cyber HERE

 

Crypto challenge of the week

Pirating like in the 90ies

Ahoy, my name is Santa and I want to be a pirate!

Challenge link HERE

Write-up for all challenges HERE

Packet Challenge

Link HERE

 

Dates

May 25th 2018: GDPR Live! See incidents section below

June 30th 2018: TLS 1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

Now: TLS 1.2 mandatory for proper security

TLS 1.0 and TLS 1.1 ARE GONE!!

Google HERE Firefox HERE Microsoft HERE

Now: HTTPS mandatory

The year in post-quantum crypto

HTTPS everywhere HERE

March 29th 2019: Brexit

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

 

Comic of the week

Some OWASP stuff first

-AppSec podcast – AppSec in Israel and Three Talks to watch from AppSec USA

Link HERE

-Collection of CSP bypasses

Link HERE

-Great people to follow on Twitter

Link HERE

-Version 2.9.0 of the OWASP Amass project for DNS enumeration and network mapping was released!

Link HERE

-Google Launches Opensource.dev as an Introduction to Open Source

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

AppSec California in January 22-25 2019 HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

Popular cybersecurity conference DerbyCon says it is shutting down after this year, citing an inability to control attendees’ behaviour.

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Significant Cyber Incidents

Link HERE

Incidents in the world last week

Incident data HERE Find your country

Troy Hunt weekly update

Link HERE

Transatlantic Cable podcast, episode 74 – by Kaspersky

Talk about travel and cybersecurity. From top tips on what to do before travelling, including backing up your data and not using hotel Wi-Fi, right through to how best to keep your private data private when out and about.

Link HERE

AND

Exclusive: How a Russian firm helped catch an alleged NSA data thief

Link HERE

Bill Gates’s blog – Lost and Found with “the Most Wondrous Map Ever Produced” – The Gene

Link HERE

 

Incidents & events detail

.gov security falters during U.S. shutdown – thanks to JuanMi

Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.

Link HERE

Unique phishing method to look out for: the full screen API

Using the browser API to fool you into giving up your details

Link HERE

PoC for Windows VCF zero-day published online

Microsoft said it would fix the vulnerability in Windows 19H1, in April

Link HERE

Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs

Link HERE

Researcher shows how popular app ES File Explorer exposes Android device data

Link HERE

Remember: Cyber Security Skills Strategy

The UK Government has launched a Call for Views on its Initial National Cyber Security Skills Strategy

Link HERE

Security Vulnerabilities in Cell Phone Systems

Link HERE

Brand new USB security feature could change everything

Link HERE

Pass-the-Cache to Domain Compromise

Link HERE

Remember: Exposed JIRA server leaks NASA staff and project data

Link HERE

Fake Movie File Malware

Link HERE

Hackerone Live Hacking events

Link HERE

WindTail APT able to bypass traditional antivirus protections

Link HERE

New Attack Against Electrum Bitcoin Wallets

How the attack works:

  • Attacker added tens of malicious servers to the Electrum wallet network.
  • Users of legitimate Electrum wallets initiate a Bitcoin transaction.
  • If the transaction reaches one of the malicious servers, these servers reply with an error message that urges users to download a wallet app update from a malicious website (GitHub repo).
  • User clicks the link and downloads the malicious update.
  • When the user opens the malicious Electrum wallet, the app asks the user for a two-factor authentication (2FA) code. This is a red flag, as these 2FA codes are only requested before sending funds, and not at wallet startup.
  • The malicious Electrum wallet uses the 2FA code to steal the user’s funds and transfer them to the attacker’s Bitcoin addresses.

The problem here is that Electrum servers are allowed to trigger popups with custom text inside users’ wallets.

Link HERE

HOW CHINA’S ELITE HACKERS STOLE THE WORLD’S MOST VALUABLE SECRETS

Link HERE

How I Hacked Play-with-Docker and Remotely Ran Code on the Host

Link HERE

Security researchers have found ways attackers could take over construction cranes as well as other large pieces of construction equipment.

Link HERE

 

Research of the week

-Introduction to WebAuthn API

Learn what is FIDO2 and Webauthn, and how to use them to kill passwords

Link HERE

-PCI Software Security Standard new version

It will eventually replace PA-DSS.

PCI SSC has published the PCI Secure Software Standard and the PCI Secure Software Lifecycle (Secure SLC) Standard as part of a new PCI Software Security Framework. The framework is a collection of software security standards and associated validation and listing programs for the secure design, development and maintenance of modern payment software. In this post PCI SSC Chief Technology Officer Troy Leach highlights what stakeholders need to know about the new standards.

Link HERE

-Ball and Chain A New Paradigm in Stored Password Security – thanks to Ben

Link HERE

-True2F: Backdoor-resistant authentication tokens

We present True2F, a system for second-factor authentication that provides the benefits of conventional authentication tokens in the face of phishing and software compromise, while also providing strong protection against token faults and backdoors. To do so, we develop new lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, and we implement new privacy defenses to prevent cross-origin token-fingerprinting attacks. To facilitate real-world deployment, our system is backwards-compatible with today’s U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes just 57ms to complete on the token, compared with 23ms for unprotected U2F.

Link HERE

-Machine Learning to Detect Software Vulnerabilities

Link HERE

 

Tool of the week

-Metasploit 5 released!

Link HERE

-pwnhead

Link HERE BUT everyone is against it! HERE and HERE

-Simpleator

Simpleator (“Simple-ator”) is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called “Redstone 4”, with additional improvements that were made in Windows 10 October Update (1809), aka “Redstone 5”.

It is meant as a Proof-of-Concept of how simpler and faster sandboxed detonation environments could be built, as well as even more resource-limited containers that could run serverless workloads (AWS Lambdas / Azure Functions) without requiring a guest operating system.

Link HERE

 

Other interesting articles

Can you ever (safely) include credentials in a URL?

Recommendations for securely including credentials in a URL:

Always use a limited-scope token such as a capability token (key) or a limited-scope OAuth access token. Ideally the token should only provide access to the one resource named in the URL. Never ever ever put a username and password in a URL.

Prefer putting the unguessable token in the userinfo or fragment components of the URL, as these are least likely to be accidentally leaked. Use JavaScript to retrieve the token and submit it to the server in an Authorization header using the Bearer auth scheme.

Set suitable Cache-Control and Referrer-Policy headers on resources protected with capability URLs.

Use HATEOAS and simple UX design principles to make the use of capability URLs natural and secure.

Consider binding tokens to other contextual identifiers, such as session cookies or the TLS channel, but consider the usability implications of doing so.

Link HERE Are secret URLs truly secure? HERE

 

Why You Shouldn’t be Using BCrypt and Scrypt

Link HERE and reaction against this HERE and MD5 and SHA1 still used HERE

 

Learn and Catch Hackers

Hackers in Darkweb forums rely heavily on reputation. Previous postings, technical knowledge, possession of code samples, and on and on – are the currencies that allow them to manage and grow influence. The paradox, however, is that no hacker would ever consider exposing their identity to the group – regardless of any presumed anonymity controls. Participants in the Darkweb must therefore stake their positions some other way…

Link HERE AND Microsoft LAPS – Blue Team / Red Team HERE

 

The Failure of Crypto Tribalism

Crypto has an ethics problem and it’s making a mockery of decentralization

Link HERE

 

All Software Licensing is theft…

Consider the Linux Foundation. This organisation oversees the development of many key parts of what we commonly call “Linux”, including the Linux kernel itself. The Linux Foundation does employ salaried staff, paid for out of the fees paid by its member organisations. These fees add up to around US$6 million a year — provided by companies such as Cisco, Microsoft, Fujitsu, HP, IBM, Intel, NEC, Oracle, Qualcomm, and Samsung. In total, more than 200 organisations contribute to the upkeep of the Foundation. Many of these companies also directly employ people on their own payroll to work on projects supported by the Linux Foundation. They, like Digium, understand that a free and non-scarce Linux boosts their ability to sell their own market offerings — computer or network hardware, mobile phones, etc.

Link HERE

 

And finally, World Economic Forum warns globe is ‘sleepwalking into a crisis’

The report, based on a survey of roughly 1,000 top business executives, politicians and experts, noted that the following five risks were considered the most likely to happen in 2019:

  • Extreme weather events (such as floods and storms)
  • Failure of climate-change mitigation and adaptation
  • Major natural disasters (such as earthquakes and tsunami)
  • Massive incident of data fraud/theft
  • Large-scale cyberattacks

Link HERE

 

HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/409850

Description: XSS in Steam react chat client.

URL: http://bit.ly/2RoDTqv  (+)

Description: Open redirects – The vuln class no one but attackers cares about.

Link HERE and credits to HERE
