Security Stack Sheet #39

Word of the week “Safer Internet Day” – 5th of February

Safer Internet Day 2019 was celebrated globally with the theme “Together for a better internet”.

National Crime Agency

“I am delighted to support the ongoing work of the UK Safer Internet Centre and Safer Internet Day. Children and young people’s use of technology is constantly evolving and Safer Internet Day provides a great opportunity to promote safe and positive use of the internet. The National Crime Agency’s Child Exploitation and Online Protection Command will continue to work alongside the UK Safer Internet Centre and other key partners to ensure that children are protected and safeguarded online. The NCA is proud to support the day, which is helping professionals and parents/carers to make the internet a safer place.”

Links HERE and HERE and HERE

 

Word of the week special “Patronising Penetration For Women” by Eliza May Austin

When I first decided to join LinkedIn and join groups on here, Females in Cyber type groups, I thought these would be a place to learn/share techniques and methodologies, with like-minded women. Oh boy was I wrong. Instead, I’m noticing an increase in the amount of whinge articles about how women aren’t walking straight into CISO roles, or how men are conspiring against women in the security industry.

Links HERE and HERE

 

Bonus

Link HERE

Link HERE

Link HERE

Link HERE

Link HERE

OSI Layer Based Security Model

Link HERE

Link HERE

Link HERE

 

Crypto challenge of the week

Cooking for Hackers

No link – find it

How much do you understand about consent in a digital world?

Take our quiz now to find out…

Link HERE

 

Dates

May 25th 2018: GDPR Live! See incidents section below

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance – BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

WHAAT? Introducing Zombie POODLE and GOLDENDOODLE – why you should move to #TLS 1.3

The troublesome feature is that TLSv1.2 supports CBC mode cipher suites – Move to GCM!

Link HERE

TLS 1.0 and TLS 1.1 ARE GONE!!

Google HERE Firefox HERE Microsoft HERE

HTTPS everywhere HERE

March 29th 2019: Brexit

Link HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

 

Book on the month

Link HERE

 

Comic of the week

Some OWASP stuff first

-Mapping of On-premises Infrastructure Security Components to Cloud Security Services

Link HERE – thanks to Teo

-Pentest Best Practices Checklist

Link HERE

AND

-Pentesting Azure: Thoughts on Security in Cloud Computing

  1. Do not test the Azure Infrastructure. That is a violation of the user agreement for Azure and will get you into hot water with Microsoft. No one wants that.
  2. Be extremely careful to only test things that are IN SCOPE for your client.
  3. Is Azure Security Center turned on? If not, turn it on. I love ASC.
  4. Do all subscriptions/sub-subscriptions have it on? Do you have complete coverage? If not, definitely report it.
  5. Is there a policy set (settings that the org has chosen as “secure”, such as all storage must be encrypted at rest)? If so, what are the settings? Do they look good? Also, what level of compliance do they have? Everything that is not compliant should be reported.
  6. Is threat protection (storage and databases only), monitoring and auditing set up on every possible resource? If not, report it.
  7. Look at the network in the same way you would look at a traditional network, is anything out of place? Also, are they doing Zoning or Zero-trust or something else? Which network security model are they using? Make sure they are compliant with their own plan. Ask them what their plan is for their network to start. If they don’t have an answer, that’s another issue altogether.
  8. Do they have “just in time” (JIT) set up on all ports on all servers/VMs? Or are they using a JumpBox to access VMs from outside Azure? Or is that not allowed at all? They should use JIT and Network Security Groups (NSGs) for *everything*.
  9. Do they have app whitelisting enabled on VMs? It’s called Adaptive Application Controls, and it’s right underneath JIT in the security center (ASC) menu, under “Advanced Cloud Defense”. They should have that turned on for *all* servers.
  10. Are they using a SIEM (Security incident and event management system)? Are they using it well? Are they monitoring it? What kind of coverage is it getting? Does ASC feed into it? It should.
  11. Are they using a WAF (Web Application Firewall)? If so, test it. If they aren’t, mark it as advice for improvement.
  12. Any other 3rd party security tools (IPS/IDS/HIPS/Other)? If so, are those getting complete coverage of all assets that are covered by this test? And are they configured well?
  13. Look in the “Recommendations” tab of Azure Security Center and it will tell you all the problems (network issues, config errors, missing patches, more) that you haven’t spotted yet. Really, you could likely start here. This is a list of everything that is not compliant with your policy, in order of importance.
  14. If you are assessing web apps within Azure, APIs, and functions (serverless), that’s a whole other topic, but all of the regular security testing rules would apply, Azure or not.
  15. If your org is using Azure DevOps I suggest adding several security tests to your pipeline including Azure Secure DevOps Kit. It’s strict; you likely won’t pass the first few times around, so prepare your developers for a bit of disappointment. There are a TON of great security tools in the Azure Marketplace, add a few, one is not enough.
  16. Turn on VA for SQL databases as part of the Azure Threat Protection and kick off a scan right away to see if anything is happening. It will likely have a lot of advice for you.
  17. Look in the Threat Detection part of Security Centre, verify that there are no active attacks happening or recent ones, investigate accordingly.

Link HERE

AND

Link HERE

-OSHP (OWASP Secure Headers Project)

Link HERE

-KNOCK KNOCK, WHO’S THERE?

Link HERE

-AppSec Podcast – Rapid Threat Model Prototyping Process (S04E26)

Link HERE

-Sichere Softwareentwicklung (Secure Software Development, in German)

Ein praktischer Einstieg (A practical introduction)

Link HERE

-A Java library for programmatically calculating OWASP Risk Rating scores

Link HERE

-Some useful Appsec learning resources

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

AppSec California HERE – slides / presos not available yet

Write up HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019

Link HERE

Securing Cloud Native: 10 Tips for Better Container Security

February 19, 2019 | 10am – 11am PST

  • Tooling available to keep your cloud native environment secure
  • Best practices in secure Kubernetes development
  • How to identify various attacks on cloud native applications
  • How you can build more secure clusters

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incident data HERE Find your country

Iranian hackers believed to be targeting sensitive personal data

Security researchers at FireEye have reported that Iranian hackers are targeting businesses in the telecommunications and travel industries as part of an international surveillance campaign.

Whilst the group has primarily been active in the Middle East, individuals in nations such as the US, Australia, Norway and Spain are also known to have been targeted, according to FireEye. They have named the group APT39.

B&Q reportedly exposes details of suspected thieves 

B&Q reportedly exposed details of suspected store thieves to the internet without password protection, according to a security researcher.

The exposed records reportedly included 70,000 offender and incident logs, including full names, physical characteristics, vehicle details and the value of the goods stolen.

The data is believed to have been kept in an Internet-accessible data store that had not been set up to require user-ID authentication.

FaceTime privacy bug allows unauthorised eavesdropping 

Researchers identified a flaw in Apple’s FaceTime application affecting the camera and microphone of iPhones and Macs that could allow attackers to eavesdrop on another FaceTime user, even when the recipient doesn’t accept the call.

The flaw allows attackers to access the recipient’s front-facing camera and can also reportedly be exploited when the device is in “Do Not Disturb” mode.

Link HERE

Troy Hunt weekly update

Link HERE

Transatlantic Cable podcast, episode 77 – by Kaspersky

EU orders recall of children’s smartwatch over severe privacy concerns

NSA-branded webcam covers are see-through

Apple plans to limit accelerometer and gyroscope access in Safari for iOS

Scammer groups are exploiting Gmail “dot accounts” for online fraud

Police raids target “hundreds of UK web attackers”

Link HERE

 

Incidents & events detail

Clever Phishing Attack Enlists Google Translate to Spoof Login Page

A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.

UPDATE – Recently discovered phishing emails scoop up victims’ Facebook and Google credentials and hide their malicious landing page via a novel method – Google Translate.

Link HERE and How to spot a phishing email HERE

Metro Bank hit by cyber attack used to empty customer accounts

Link HERE

Crooks Continue to Exploit GoDaddy Hole

Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal.

Link HERE

Forget snowmageddon, it’s dropageddon in Azure SQL world: Microsoft accidentally deletes customer DBs

Five-minute gap in which transactions for some punters are toast

Link HERE

It’s possible to obtain users’ passwords from old and discarded smart lightbulbs

Link HERE

Many car models are at risk of keyless theft via relay attacks

Link HERE

Rising Threats in CyberSpace – Organizations Must be Prepared to Experience

Link HERE

Facebook Makes Big Move Towards The Blockchain

Link HERE and

How secure is Cardano?

Lately, 51% attacks on cryptocurrencies have been a hot topic. Particularly the recent attack on Ethereum Classic left communities of other cryptocurrencies wondering if their blockchains are actually secure. This long-read attempts to give a complete overview of the security model of Cardano’s settlement layer. The article first addresses Bitcoin’s security, 51% attacks and common problems in the security model of most Proof-of-Stake (PoS) cryptocurrencies on the market today. The article then continues by describing how Cardano’s PoS consensus mechanism (Ouroboros) works, the coins’ initial and current distribution, how stake pool distribution is incentivized and closes with some final thoughts.

Link HERE

Link HERE

Apps Installed On Millions Of Android Phones Tracked User Behaviour To Execute A Multimillion-Dollar Ad Fraud Scheme

Link HERE

How to set up a secure digital forensics lab

Link HERE

 

Research of the week

-Application development collection

Recommendations for the secure development, procurement and deployment of generic and platform-specific applications.

This guidance provides advice on how to minimise the loss of data from applications running on devices handling sensitive data. It is primarily for risk assessors and application developers, and contains recommendations for the secure development, procurement and deployment of generic and platform-specific applications.

Link HERE

-What Are Compression Side Channel Attacks?

A side-channel attack is any attack based on information gained from the implementation of a computer system, rather than weaknesses in the implemented algorithm itself (e.g. cryptanalysis and software bugs). Surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search despite HTTPS protection.

Compression side-channel attacks such as CRIME and BREACH recover secret data from nothing more than the size of the compressed output. To understand how they work, we must first have a fair understanding of compression algorithms.

Link HERE
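As an added illustration (not code from the linked article), the constructed Python below shows the CRIME/BREACH principle on a made-up page: a hidden token compresses to a different size depending on whether reflected input shares a prefix with it, and a per-response random mask of the kind used to protect CSRF tokens removes the stable target. The page body, token value and function names are all assumptions.

```python
import secrets
import zlib

# Constructed example values: a CSRF-style secret in a page that also
# reflects request-controlled input and is served with HTTP compression.
SECRET_TOKEN = b"a9f3c1e7b2d4"


def build_page(token_field: bytes, reflected: bytes) -> bytes:
    """Constructed HTML body: hidden token field plus reflected input."""
    return (b'<html><body><form><input type="hidden" name="csrf" value="'
            + token_field + b'"></form><p>Search results for: '
            + reflected + b'</p></body></html>')


def compressed_len(body: bytes) -> int:
    """Size of the DEFLATE-compressed body, i.e. what an observer sees."""
    return len(zlib.compress(body, 9))


def length_oracle(token_field: bytes, guess: bytes) -> int:
    """Response size when the reflected input repeats the token's context
    plus a guessed prefix. A correct prefix extends an LZ77 back-reference
    and compresses smaller than a wrong one: that is the side channel."""
    return compressed_len(build_page(token_field, b'value="' + guess))


def leak_present(token_field: bytes, secret: bytes, wrong: bytes) -> bool:
    """True if a correct 8-byte prefix is distinguishable by size alone."""
    return (length_oracle(token_field, secret[:8])
            < length_oracle(token_field, wrong))


def mask_token(token: bytes) -> bytes:
    """Mitigation (illustrative): send hex(mask || token XOR mask) with a
    fresh random mask per response, so the raw token never recurs on
    the wire and a guess has nothing stable to match against."""
    mask = secrets.token_bytes(len(token))
    return (mask + bytes(t ^ m for t, m in zip(token, mask))).hex().encode()


def unmask_token(field: bytes) -> bytes:
    """Server side: recover the original token from a masked field."""
    raw = bytes.fromhex(field.decode())
    half = len(raw) // 2
    return bytes(x ^ m for x, m in zip(raw[half:], raw[:half]))


if __name__ == "__main__":
    print("raw token leaks via size:",
          leak_present(SECRET_TOKEN, SECRET_TOKEN, b"q7w2e5r8"))
    masked = mask_token(SECRET_TOKEN)
    print("masked page contains raw token:",
          SECRET_TOKEN in build_page(masked, b""))
```

Disabling compression on responses that carry secrets next to user-controlled input, or moving the secret out of such responses altogether, are the other standard mitigations.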

-Maximizing the value of your data privacy investments

Data Privacy Benchmark Study by Cisco

Link HERE – thanks to Naz

-Happiness Report 2018

Top 30

Link HERE

-Cybersecurity in 2018: the bad, the worse and the downright nasty

If you compare cybersecurity to wine, 2018 was definitely a great vintage. Here’s my overview of this fine cybercrime grand cru.

Link HERE

 

Tool of the week

-Protect your accounts from data breaches with Password Checkup

Link HERE

-Search engines for hackers

https://censys.io/ 

https://www.shodan.io/ 

https://viz.greynoise.io/table 

https://www.zoomeye.org/ 

https://fofa.so/ 

https://www.onyphe.io/ 

https://app.binaryedge.io/ 

https://hunter.io/ 

https://wigle.net/ 

Link HERE

-Remember – Prowler

AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and DOZENS of additional checks including GDPR and HIPAA (+90). Official CIS for AWS guide: HERE

Link HERE

-Remember – Cloud Custodian

Rules engine for cloud security, cost optimization, and governance; a YAML DSL for policies to query, filter, and take actions on resources.

Link HERE

-Gitsniffer

An artisan command to check your code standards via a pre-commit git hook.

Link HERE

-Reconnoitre

A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.

Link HERE

-Security Engineering Resource list from Microsoft

Link HERE

-Virus scanning in the Cloud – thanks to David

Virus Scan File Uploads Using Multi-Container Web App

Creating an Azure AntiVirus Scanner – getting an antivirus service in a Docker container up and running locally (on Windows)

Links HERE and HERE

-List of open source tools for AWS security

Defensive, offensive, auditing, DFIR, etc.

Link HERE

 

Other interesting articles

Web Security for Single Page Applications: great impact with little effort

As the web keeps growing, so do the challenges that we need to undertake in order to maintain a high level of trust and security for our Web Applications. Recently browser vendors have been implementing great new features based on the W3C specs to provide better and more advanced tools to allow us, developers, to keep up with those challenges.

In this article, we are going to look at some of those tools and show you how much you can achieve with minimal effort. If you’re familiar with the Pareto principle (also known as the 80/20 rule), that’s exactly what I’m talking about.

Link HERE

 

Top 7 Myths of AppSec Automation

Is there anything keeping you back from implementing application security automation? Check out this post on the top seven AppSec automation myths.

  1. MYTH: DAST + SAST = Complete Automation. Nothing More.
  2. MYTH: Security Automation Will “Always” Delay my Build Timeframes
  3. MYTH: Quality Assurance (QA) and Security Are Mutually Exclusive
  4. MYTH: There Is no Change Needed in the Current Penetration Testing Process
  5. MYTH: Automation Replaces Manual Penetration Testing
  6. MYTH: Testers Need Not Have Coding Skills
  7. MYTH: AppSec Automation Kicks in 100 Percent From Day One of Implementation

Link HERE

 

Getting into Industry: expectations and realities

When I first started thinking about getting into computer security, it was the thrill and excitement that pulled me in. I would be surprised if you meet someone in industry that didn’t think the movie ‘Hacking’ was fun to watch and that it gave you that “oooh” feeling. I used to get chills when seeing the hero or villain use hacking or any form of super technical computing wizardry in movies and games. I wanted to do it and see it for myself.

Link HERE

 

INFOSEC SOAP OPERA / TELENOVELA at DerbyCon

One Person’s Trauma is Another Person’s Drama

Links HERE and HERE

 

And finally, What Does Big Tech Know About You? Basically Everything

The seemingly endless stream of Facebook privacy scandals of late—including the latest involving users as young as 13 years old—may have you questioning how much the social network and other tech giants actually know about you.

Here’s a hint: practically everything.

Link HERE and Becoming Virtually untraceable HERE

 

HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://www.ezequiel.tech/2019/01/75k-google-cloud-platform-organization.html

Description: $7.5k Google Cloud Platform organization issue.

URL: http://bit.ly/2Wxv50A  (+)

Description: How I abused 2FA to maintain persistence after a password change.

Link HERE and credits to HERE
