Word of the week “Safer Internet Day” – 5th of February
Safer Internet Day 2019 was celebrated globally with the theme: Together for a better internet
National Crime Agency
“I am delighted to support the ongoing work of the UK Safer Internet Centre and Safer Internet Day. Children and young people’s use of technology is constantly evolving and Safer Internet Day provides a great opportunity to promote safe and positive use of the internet. The National Crime Agency’s Child Exploitation and Online Protection Command will continue to work alongside the UK Safer Internet Centre and other key partners to ensure that children are protected and safeguarded online. The NCA is proud to support the day, which is helping professionals and parents/carers to make the internet a safer place.”
Word of the week special “Patronising Penetration For Women” by Eliza May Austin
When I first decided to join LinkedIn and join groups on here, 'Females in Cyber'-type groups, I thought these would be a place to learn/share techniques and methodologies with like-minded women. Oh boy, was I wrong. Instead, I'm noticing an increase in the amount of whinge articles about how women aren't walking straight into CISO roles, or how men are conspiring against women in the security industry.
OSI Layer Based Security Model
Crypto challenge of the week
Cooking for Hackers
No link – find it
How much do you understand about consent in a digital world?
Take our quiz now to find out…
May 25th 2018: GDPR Live! See incidents section below
June 30th 2018: PCI DSS deadline to drop SSL and early TLS – TLS 1.1 becomes the minimum. BEWARE!
Now: TLS 1.2 mandatory for proper security
WHAAT? Introducing Zombie POODLE and GOLDENDOODLE – why you should move to #TLS 1.3
The troublesome feature is that TLS 1.2 still supports CBC-mode cipher suites, which is exactly where these padding-oracle attacks live – move to AEAD suites (GCM or ChaCha20-Poly1305)!
TLS 1.0 and TLS 1.1 ARE ON THE WAY OUT – the major browsers have announced they will drop them in 2020!!
HTTPS everywhere HERE
March 29th 2019: Brexit
September 2019: PSD2 security mandatory
November 3rd 2020: US presidential election (Trump's shot at a second term)
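The TLS points in the timeline above, as an added example that is not part of the original newsletter: a client-side TLS policy in Python's `ssl` module that refuses TLS 1.0/1.1, drops every non-AEAD (CBC-capable) suite and switches off TLS-level compression, next to the permissive cipher list it replaces. It assumes CPython 3.7+ linked against OpenSSL 1.1 or later (for `TLSVersion` and the `aead` field in `get_ciphers()`); the cipher strings are my choices, not the page's.

```python
"""
Client-side TLS policy: no TLS 1.0/1.1, no CBC cipher suites, no compression.
Added example; assumes CPython 3.7+ built against OpenSSL 1.1+.
"""
import ssl


def is_aead(suite: dict) -> bool:
    """True for AEAD suites (GCM, CCM, ChaCha20-Poly1305), False for CBC/stream suites.
    `suite` is one entry of SSLContext.get_ciphers(); fall back to the OpenSSL
    description string if the 'aead' field is missing (older Python builds)."""
    if "aead" in suite:
        return bool(suite["aead"])
    desc = suite.get("description", "")
    return any(tag in desc for tag in ("GCM", "CCM", "CHACHA20", "POLY1305"))


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of the non-AEAD suites a context would still offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if not is_aead(c)]


def tls_floor(ctx: ssl.SSLContext) -> str:
    """Lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def permissive_context() -> ssl.SSLContext:
    """The 'before': a broad cipher list. HIGH still admits TLS 1.2 CBC suites such as
    ECDHE-RSA-AES256-SHA384, the suites Zombie POODLE / GOLDENDOODLE go after."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("HIGH:!aNULL:!MD5")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The 'after': TLS 1.2 floor, AEAD-only suites, TLS compression off (CRIME)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    # ECDHE for forward secrecy; only GCM and ChaCha20-Poly1305 bulk ciphers.
    # TLS 1.3 suites are not governed by set_ciphers() and are all AEAD anyway.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(f"{label}: floor={tls_floor(ctx)} non-AEAD suites={weak_suites(ctx)}")
```

`weak_suites()` is the check to run against any context you inherit from a library or framework: if it returns anything, a downgrade to a CBC suite is still possible on the wire.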
Book on the month
Comic of the week
Some OWASP stuff first
-Mapping of On-premises Infrastructure Security Components to Cloud Security Services
Link HERE – thanks to Teo
-Pentest Best Practices Checklist
-Pentesting Azure: Thoughts on Security in Cloud Computing
- Do not test the Azure Infrastructure. That is a violation of the user agreement for Azure and will get you into hot water with Microsoft. No one wants that.
- Be extremely careful to only test things that are IN SCOPE for your client.
- Is Azure Security Center turned on? If not, turn it on. I love ASC.
- Do all subscriptions/sub-subscriptions have it on? Do you have complete coverage? If not, definitely report it.
- Is there a policy set (settings that the org has chosen as “secure”, such as all storage must be encrypted at rest)? If so, what are the settings? Do they look good? Also, what level of compliance do they have? Everything that is not compliant should be reported.
- Is threat protection (storage and databases only), monitoring and auditing set up on every possible resource? If not, report it.
- Look at the network in the same way you would look at a traditional network, is anything out of place? Also, are they doing Zoning or Zero-trust or something else? Which network security model are they using? Make sure they are compliant with their own plan. Ask them what their plan is for their network to start. If they don’t have an answer, that’s another issue altogether.
- Do they have "just in time" (JIT) VM access set up on all management ports on all servers/VMs? Or are they using a JumpBox to access VMs from outside Azure? Or is that not allowed at all? They should use JIT and Network Security Groups (NSGs) for *everything*.
- Do they have app whitelisting enabled on VMs? It’s called Adaptive Application Controls, and it’s right underneath JIT in the security center (ASC) menu, under “Advanced Cloud Defense”. They should have that turned on for *all* servers.
- Are they using a SIEM (Security Information and Event Management system)? Are they using it well? Are they monitoring it? What kind of coverage is it getting? Does ASC feed into it? It should.
- Are they using a WAF (Web Application Firewall)? If so, test it. If they aren’t, mark it as advice for improvement.
- Any other 3rd party security tools (IPS/IDS/HIPS/Other)? If so, are those getting complete coverage of all assets that are covered by this test? And are they configured well?
- Look in “Recommendations” tab of Azure Security Center and it will tell you all the problems (network issues, config errors, missing patches, more) that you haven’t spotted yet. Really, you could likely start here. This is a list of everything that is not compliant with your policy, in order of importance.
- If you are assessing web apps within Azure, APIs, and functions (serverless), that’s a whole other topic, but all of the regular security testing rules would apply, Azure or not.
- If your org is using Azure DevOps I suggest adding several security tests to your pipeline including Azure Secure DevOps Kit. It’s strict; you likely won’t pass the first few times around, so prepare your developers for a bit of disappointment. There are a TON of great security tools in the Azure Marketplace, add a few, one is not enough.
- Turn on Vulnerability Assessment (VA) for SQL databases as part of Azure Threat Protection and kick off a scan right away to see if anything is happening. It will likely have a lot of advice for you.
- Look in the Threat Detection part of Security Center, verify that there are no active or recent attacks, and investigate accordingly.
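One item on that checklist, the "look at the network, is anything out of place / JIT and NSGs for everything" check, as an added example that is not from the original page or the checklist's author: a small Python audit that walks an NSG's inbound rules in priority order and reports management ports an Internet source can reach. It assumes the camelCase JSON shape returned by `az network nsg list -o json` (only the fields used below); the NSG embedded here is constructed for the demo.

```python
"""
Find management ports an Internet source can reach through an Azure NSG.
Added example. Input: camelCase JSON as produced by `az network nsg list -o json`
(only the fields used below are assumed). SAMPLE_NSG is constructed.
"""
import json

MGMT_PORTS = {22, 3389, 5985, 5986}                       # SSH, RDP, WinRM
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}  # prefixes/tags that admit the Internet


def rule_ports(rule: dict) -> set:
    """Expand destinationPortRange / destinationPortRanges ('443', '5985-5986', '*')."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        if r == "*":
            return set(range(65536))
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule_sources(rule: dict) -> list:
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return srcs


def admits_internet(rule: dict) -> bool:
    return any(s.lower() in INTERNET_SOURCES for s in rule_sources(rule))


def exposed_mgmt_ports(nsg: dict) -> dict:
    """
    {port: rule_name} for each management port that Internet traffic can reach.
    NSG semantics: inbound rules are evaluated lowest priority number first and the
    first match decides; the built-in DenyAllInBound sits last, so a port with no
    explicit Internet-facing Allow is closed. Rules whose source is narrower (a jump
    host IP, the VirtualNetwork tag) never match Internet traffic and are skipped.
    """
    inbound = sorted(
        (r for r in nsg.get("securityRules", []) if r.get("direction") == "Inbound"),
        key=lambda r: r["priority"],
    )
    exposed = {}
    for port in sorted(MGMT_PORTS):
        for r in inbound:
            if r.get("protocol", "*").lower() not in ("*", "tcp"):
                continue
            if port not in rule_ports(r) or not admits_internet(r):
                continue
            if r.get("access") == "Allow":
                exposed[port] = r["name"]
            break  # first matching rule decides, whether Allow or Deny
    return exposed


# Constructed sample: RDP wide open, SSH correctly restricted to a jump host,
# and WinRM quietly bundled into the "HTTPS" rule's port ranges.
SAMPLE_NSG = json.loads("""
{
  "name": "nsg-web-prod",
  "securityRules": [
    {"name": "AllowRdpFromAnywhere", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "DenySshInternet", "priority": 110, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "22"},
    {"name": "AllowSshJumpbox", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.4",
     "destinationPortRange": "22"},
    {"name": "AllowHttps", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["443", "5985-5986"]},
    {"name": "AllowAllOutbound", "priority": 300, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"}
  ]
}
""")

if __name__ == "__main__":
    findings = exposed_mgmt_ports(SAMPLE_NSG)
    for port, rule in findings.items():
        print(f"{SAMPLE_NSG['name']}: port {port} open to the Internet via rule '{rule}'")
    if not findings:
        print("no management ports exposed")
```

Run it over every NSG in every subscription in scope; the WinRM-inside-a-range case is the kind of thing that hides from a quick glance at the portal, and anything it reports is a candidate for JIT access instead of a standing Allow.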
-OSHP (OWASP Secure Headers Project)
-KNOCK KNOCK, WHO’S THERE?
-AppSec Podcast – Rapid Threat Model Prototyping Process (S04E26)
-Sichere Softwareentwicklung ("Secure Software Development", in German)
A practical introduction (Ein praktischer Einstieg)
-A Java library for programmatically calculating OWASP Risk Rating scores
-Some useful Appsec learning resources
OWASP events HERE
All InfoSec events HERE
AppSec California HERE – slides / presos not available yet
Write up HERE
First AWS Security Conference – AWS re:Inforce 2019
Hack In Paris 2019 HERE
AppSec Europe Tel-Aviv May 2019
Securing Cloud Native: 10 Tips for Better Container Security
February 19, 2019 | 10am – 11am PST
- Tooling available to keep your cloud native environment secure
- Best practices in secure Kubernetes development
- How to identify various attacks on cloud native applications
- How you can build more secure clusters
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
Iranian hackers believed to be targeting sensitive personal data
Security researchers at FireEye have reported that Iranian hackers are targeting businesses in the telecommunications and travel industries as part of an international surveillance campaign.
Whilst the group has primarily been active in the Middle East, individuals in nations such as the US, Australia, Norway and Spain are also known to have been targeted, according to FireEye. They have named the group APT39.
B&Q reportedly exposes details of suspected thieves
B&Q reportedly exposed details of suspected store thieves to the internet without password protection, according to a security researcher.
The exposed records reportedly included 70,000 offender and incident logs, including full names, physical characteristics, vehicle details and the value of the goods stolen.
The data is believed to have been kept in an Internet-accessible data store that had not been set up to require any authentication.
FaceTime privacy bug allows unauthorised eavesdropping
Researchers identified a flaw in Apple’s FaceTime application affecting the camera and microphone of iPhones and Macs that could allow attackers to eavesdrop on another FaceTime user, even when the recipient doesn’t accept the call.
The flaw allows attackers to access the recipient's front-facing camera and can also reportedly be exploited when the device is in "Do Not Disturb" mode.
Troy Hunt weekly update
Transatlantic Cable podcast, episode 77 – by Kaspersky
Incidents & events detail
Clever Phishing Attack Enlists Google Translate to Spoof Login Page
A tricky two-stage phishing scam is targeting Facebook and Google credentials using a landing page that hides behind Google’s translate feature.
UPDATE – Recently discovered phishing emails scoop up victims' Facebook and Google credentials and hide their malicious landing page via a novel method – Google Translate.
Metro Bank hit by cyber attack used to empty customer accounts
Crooks Continue to Exploit GoDaddy Hole
Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal
Forget snowmageddon, it’s dropageddon in Azure SQL world: Microsoft accidentally deletes customer DBs
Five-minute gap in which transactions for some punters are toast
It’s possible to obtain users’ passwords from old and discarded smart lightbulbs
Many car models are at risk of keyless theft via relay attacks
Rising Threats in CyberSpace – Organizations Must be Prepared to Experience
Facebook Makes Big Move Towards The Blockchain
Link HERE and
How secure is Cardano?
Lately, 51% attacks on cryptocurrencies have been a hot topic. In particular, the recent attack on Ethereum Classic left communities of other cryptocurrencies wondering whether their blockchains are actually secure. This long read attempts to give a complete overview of the security model of Cardano's settlement layer. The article first addresses Bitcoin's security, 51% attacks and common problems in the security model of most Proof-of-Stake (PoS) cryptocurrencies on the market today. It then describes how Cardano's PoS consensus mechanism (Ouroboros) works, the coin's initial and current distribution, and how stake pool distribution is incentivised, and closes with some final thoughts.
Apps Installed On Millions Of Android Phones Tracked User Behaviour To Execute A Multimillion-Dollar Ad Fraud Scheme
How to set up a secure digital forensics lab
Research of the week
-Application development collection
Recommendations for the secure development, procurement and deployment of generic and platform-specific applications.
This guidance provides advice on how to minimise the loss of data from applications running on devices handling sensitive data. It is primarily for risk assessors and application developers, and contains recommendations for the secure development, procurement and deployment of generic and platform-specific applications
-What Are Compression Side Channel Attacks?
A side-channel attack is any attack based on information gained from the implementation of a computer system rather than from weaknesses in the algorithm itself (contrast cryptanalysis or software bugs). Surprisingly detailed sensitive information leaks from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search despite HTTPS protection.
Compression side-channel attacks recover data from nothing more than the size of the compressed output, as in the CRIME and BREACH attacks. To understand how they work, we must have a fair understanding of compression algorithms.
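The mechanism above in miniature, as an added example that is not part of the article or the newsletter: an attacker who sees only the size of a compressed response and controls one reflected string recovers a CSRF token one byte at a time, because a correct guess lengthens an LZ77 back-reference while a wrong guess costs a literal. The compressor is my own greedy LZ77 model of DEFLATE's first stage with a fixed bit cost per token, so the oracle is deterministic; real zlib output is byte-aligned and Huffman-coded, which is why CRIME/BREACH in practice need many requests and statistical smoothing. The secret, the page template and the masking mitigation at the end are all constructed for the demo.

```python
"""
Compression side channel in miniature (the CRIME/BREACH mechanism). Added example.
Greedy LZ77 with fixed per-token costs stands in for DEFLATE; SECRET and the page
template are constructed.
"""
import os
from typing import List, Tuple

MIN_MATCH = 3
LITERAL_BITS = 9    # rough DEFLATE costs: a literal byte vs. a (length, distance) pair
MATCH_BITS = 20


def lz77_tokens(data: bytes) -> List[Tuple]:
    """Greedy LZ77: emit ('lit', byte) or ('match', length, distance)."""
    tokens, i, n = [], 0, len(data)
    while i < n:
        best_len = best_dist = 0
        for j in range(i):                          # whole buffer acts as the window
            k = 0
            while i + k < n and k < 258 and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_dist = k, i - j
        if best_len >= MIN_MATCH:
            tokens.append(("match", best_len, best_dist))
            i += best_len
        else:
            tokens.append(("lit", data[i]))
            i += 1
    return tokens


def compressed_bits(data: bytes) -> int:
    return sum(LITERAL_BITS if t[0] == "lit" else MATCH_BITS for t in lz77_tokens(data))


SECRET = "a7f3c9e1"   # constructed CSRF token the attacker is after


def render_page(reflected: str, token: str = SECRET) -> bytes:
    """Vulnerable pattern: secret and attacker-controlled input in one compressed body."""
    return (
        '<html><body><form method="post">'
        f'<input type="hidden" name="csrf" value="{token}">'
        f'</form><p>Search results for: {reflected}</p></body></html>'
    ).encode()


def length_oracle(reflected: str) -> int:
    """All a network attacker sees: the size of the compressed response."""
    return compressed_bits(render_page(reflected))


def recover_secret(oracle, alphabet: str = "0123456789abcdef", length: int = len(SECRET)) -> str:
    """Byte-at-a-time guessing: the right guess extends an LZ77 match, a wrong one costs a literal."""
    known = ""
    for _ in range(length):
        scores = {c: oracle('csrf" value="' + known + c) for c in alphabet}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            raise RuntimeError(f"ambiguous oracle at prefix {known!r}: {winners}")
        known += winners[0]
    return known


# Mitigation (BREACH-style token masking): a fresh random pad per response, sent as
# pad || (pad XOR token), so the byte string the attacker is guessing never repeats.
def mask_token(token: str, pad: bytes = None) -> str:
    raw = token.encode()
    pad = pad if pad is not None else os.urandom(len(raw))
    return (pad + bytes(a ^ b for a, b in zip(pad, raw))).hex()


def unmask_token(masked: str) -> str:
    blob = bytes.fromhex(masked)
    pad, body = blob[: len(blob) // 2], blob[len(blob) // 2:]
    return bytes(a ^ b for a, b in zip(pad, body)).decode()


if __name__ == "__main__":
    print("recovered:", recover_secret(length_oracle))
    print("masked token:", mask_token(SECRET), "-> unmasks to", unmask_token(mask_token(SECRET)))
```

The oracle never sees the secret, only the token count of each response; the other standard defences are to stop compressing responses that mix secrets with user input, or to keep secrets out of the compressed body altogether (a separate header or endpoint).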
-Maximizing the value of your data privacy investments
Data Privacy Benchmark Study by Cisco
Link HERE – thanks to Naz
-Happiness Report 2018
-Cybersecurity in 2018: the bad, the worse and the downright nasty
If you compare cybersecurity to wine, 2018 was definitely a great vintage. Here's my overview of this fine cybercrime grand cru.
Tool of the week
-Protect your accounts from data breaches with Password Checkup
-Search engines for hackers
-Remember – Prowler
AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows the guidelines of the CIS Amazon Web Services Foundations Benchmark plus DOZENS of additional checks, including GDPR and HIPAA (90+). Official CIS for AWS guide: HERE
-Remember – Cloud Custodian
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
An artisan command to check your code standards via pre-commit git hook
A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing
-Security Engineering Resource list from Microsoft
-Virus scanning in the Cloud – thanks to David
Virus Scan File Uploads Using Multi-Container Web App
Creating an Azure AntiVirus Scanner – Getting an antivirus service in a docker container up and running locally (on windows)
-List of open source tools for AWS security
Defensive, offensive, auditing, DFIR, etc.
Other interesting articles
Web Security for Single Page Applications: great impact with little effort
As the web keeps growing, so do the challenges that we need to undertake in order to maintain a high level of trust and security for our Web Applications. Recently browser vendors have been implementing great new features based on the W3C specs to provide better and more advanced tools to allow us, developers, to keep up with those challenges.
In this article, we are going to look at some of those tools and show you how much you can achieve with minimal effort. If you’re familiar with the Pareto principle (also known as the 80/20 rule), that’s exactly what I’m talking about
Top 7 Myths of AppSec Automation
Is there anything keeping you back from implementing application security automation? Check out this post on the top seven AppSec automation myths
- MYTH: DAST + SAST = Complete Automation. Nothing More.
- MYTH: Security Automation Will “Always” Delay my Build Timeframes
- MYTH: Quality Assurance (QA) and Security Are Mutually Exclusive
- MYTH: There Is no Change Needed in the Current Penetration Testing Process
- MYTH: Automation Replaces Manual Penetration Testing
- MYTH: Testers Need Not Have Coding Skills
- MYTH: AppSec Automation Kicks in 100 Percent From Day One of Implementation
Getting into Industry: expectations and realities
When I first started thinking about getting into computer security, it was the thrill and excitement that pulled me in. I would be surprised if you met someone in industry who didn't think the movie 'Hacking' was fun to watch and that it gave you that "oooh" feeling. I used to get chills when seeing the hero or villain use hacking or any form of super technical computing wizardry in movies and games. I wanted to do it and see it for myself.
INFOSEC SOAP OPERA / TELENOVELA at DerbyCon
One Person’s Trauma is Another Person’s Drama
And finally, What Does Big Tech Know About You? Basically Everything
The seemingly endless stream of Facebook privacy scandals of late—including the latest involving users as young as 13 years old—may have you questioning how much the social network and other tech giants actually know about you.
Here's a hint: practically everything.
HACKING, TOOLS and FUN – CHECK BELOW!
Description: $7.5k Google Cloud Platform organization issue.
URL: http://bit.ly/2Wxv50A (+)
Description: How I abused 2FA to maintain persistence after a password change.