Word of the week
“Table Stakes & Vegas Rules” from the Expedia AWS event in London April 2019
Herding Expedia Group Toward a Resilient Lodging Platform
Resilience: recovery from unknown and unexpected failures
Robustness: handling expected failures
Word of the week special
Defeating Pass the Hash HERE
Am I a “real” Software Engineer yet? A Developer’s Insecurities!
Crypto challenge of the week
Hacky Easter 2019! – started on the 16th of April!
Try this easy one: Sloppy Encryption
Facebook CTF 2019
Link HERE Join team Sagoldiers!
May 25th 2018: GDPR Live! See incidents section below
June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
HTTPS everywhere HERE
Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries
Repeat: Interview with Scott Helme: The Entire Web Should Be Encrypted
Why Every Privacy Activist Should Embrace* DNS-over-HTTPS
September 2019: PSD2 security mandatory
November 3rd 2020: Trump’s second term start
Book on the week/month
“The best book for learning about security concepts you’ll likely use in your work around AWS is Securing DevOps: Security in the Cloud by Julien Vehent, who manages Firefox Operations Security”
Comic of the week
Some OWASP stuff first
-Application Security Podcast – Command line threat modeling with pytm
Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as “a Pythonic framework for threat modeling”. The GitHub page goes on to say: “Define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, threats to your system.”
-Human Factor Security
Meadow is a hardware security dark witch with a keen eye and open heart to how normal users take what we, the security nerds, provide them with.
Meadow also specialises in automation for the purpose of removing humans from the equation and is a firm believer in security serving normal users, not the other way around
-CNCF: Onboarding OSS Projects (at Google)
Security indicators for open-source projects
-Container, Orchestration, and Microservice Security
-OWASP Cheat Sheet updates – check it out!
- New cheat sheet on managing vulnerable dependencies
- .NET Security, CSRF, TLS Cipher String and Docker cheat sheets updated
OWASP events HERE
All InfoSec events HERE
First AWS Security Conference – AWS re:Inforce 2019
Hack In Paris 2019 HERE
AppSec Europe Tel-Aviv May 2019
Expedia Group AWS event in London – presentations
Our journey with Squid Proxy
Presentations from LocoMoco Sec
Who Wants a Thousand Free Puppies
About the Locomocosec Conference – write-up
Slides from OPCDE
- Automated Reverse Engineering of Industrial Control Systems Binaries – Mihalis Maniatakos (@realmomalab)
- Using Symbolic Execution to Root Routers – Mathy Vanhoef (@vanhoefm)
- Evolving Attacker Techniques in Account Takeover – Philip Martin (@securityguyphil)
- Lions at the watering hole – Andrei Boz (@dekeneas)
- Next Gen IoT Botnets – owning 450.000 devices from a single vendor – Alex “Jay” Balan (@jaymzu)
- Danger of using fully homomorphic encryption, a look at Microsoft SEAL – Zhiniang Peng (@edwardzpeng)
- (SAP) Gateway to Heaven – Mathieu Geli & Dmitry Chastuhin (@gelim, @_chipik)
- NTLM Relay Is Dead, NO, this is impossible – sanr, Yang Zhang (@by_sanr, @izykw)
- Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software – Alex Matrosov (@matrosov)
- Practical Uses for Memory Visualization – Ulf Frisk (@UlfFrisk)
- Trade War: Shellcode’s Wielding of Imports and Exports – Willi Ballenthin (@williballenthin)
- WhatsApp Digger – Deemah A Alotaibi, Lamyaa S Alsaleem, Malak F Aldakheel, Sarah A Alqhtani (@_Saraque @Lamya_Alsleem @DeemaAlotaibi5 @Malakfsd)
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
Password risk list – have you strengthened your approach?
The list (which you can read in full here) shows the top 100,000 passwords that have been involved in global cyber breaches. We released this in collaboration with international web security expert Troy Hunt, as part of the Have I Been Pwned dataset. His website allows people to check if they have an account that has been compromised in a data breach
Customer data could have been lifted from online fitness and bodybuilding store
Bodybuilding.com, described as the internet’s biggest online store and forum for gym enthusiasts, has disclosed information of a cyber incident following unauthorised access to its systems which they became aware of in February
Troy Hunt weekly update
Transatlantic Cable podcast, episode 89 – by Kaspersky
- Facebook hoovered up 1.5 million users’ email contacts
- 10 tips to improve your Internet privacy
- Social media influencer plotted to take Internet domain at gunpoint
- OpenAI’s “Dota 2” team is crushing humans online, but players are not giving up
- The startup behind that deep-fake David Beckham video just raised $3M
Incidents & events detail
How I found 5 ReDOS Vulnerabilities in Mod Security CRS
PDF: The vehicle of choice for malware and fraud
There has been a substantial increase of fraudulent PDF files, according to a report by SonicWall Capture Labs threat researchers
Don’t leak sensitive data via security scanning tools
Mac OS X-Protect Now Covering Windows Malware
Millions using 123456 as password, security study finds
A hotspot finder app exposed 2 million Wi-Fi network passwords
Active Exploitation of Confluence Vulnerability CVE-2019-3396 Dropping Gandcrab Ransomware
Supply Chain Hackers Target Video Game Development Software
Researchers from two separate companies say that the same group of hackers that used the Asus software update mechanism to infect machines with malware has launched a similar supply chain attack against video game developers. The hackers managed to slip malware into the Microsoft Visual Studio development tool, which was then used by three separate video game companies.
Google bans logins from embedded browser frameworks to prevent MitM phishing
Palo Alto Networks and GoDaddy Take Down Scamming Subdomains
Palo Alto Networks and GoDaddy worked together to take down more than 15,000 subdomains that were being used in spam operations to sell purported weight loss drugs, brain enhancing supplements and other dodgy pharmaceutical products. The spammers compromised GoDaddy customer accounts and created subdomains that they used to send the spam
It’s Not Our Sandbox :: Auditing Foxit Reader’s PDF Printer For an Elevation of Privilege
Digital Moat for Pentagon
The US Defense Information Systems Agency (DISA) has awarded a pair of contracts to develop a cloud-based digital “moat” to isolate the Pentagon’s internal networks from the rest of the Internet, while still allowing Pentagon employees to access the Internet
End-to-end application layer security is preferable
Threat actors abuse GitHub service to host a variety of phishing kits
Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903
Research of the week
Gartner’s Magic Quadrant for Application Security Testing (AST)
The state of open source security – 2019
Snyk’s annual state of open source security report 2019.
This report is split into several posts:
- Maven Central packages double as a quarter of a million new packages indexed in npm in 2018
- 88% increase in application library vulnerabilities over two years
- 81% believe developers should own security, but they aren’t well-equipped
- Open source maintainers want to be secure, but 70% lack skills
- Top ten most popular docker images each contain at least 30 vulnerabilities
- ReDoS vulnerabilities in npm spikes by 143% and XSS continues to grow
- 78% of vulnerabilities are found in indirect dependencies, making remediation complex
- 56% of developers (often volunteers) of open source packages aim to respond to vulnerability reports within a day, and 84% within a week
The state of Code Review 2018
- Perceptions on Code Quality
- Approaches to Code Review
- Code Review Tools and Decision Making
- Actionable Recommendations for Your Team
Switching to Elasticsearch to Improve Cybersecurity for the World’s Fastest Supercomputer
Differential equations and exact solutions in the moving sofa problem
“Odd,” agreed Reg. “I’ve certainly never come across any irreversible mathematics involving sofas. Could be a new field. Have you spoken to any spatial geometricians?” —Douglas Adams, “Dirk Gently’s Holistic Detective Agency”
The moving sofa problem, posed by L. Moser in 1966, asks for the planar shape of maximal area that can move around a right-angled corner in a hallway of unit width, and is conjectured to have as its solution a complicated shape derived by Gerver in 1992. We extend Gerver’s techniques by deriving a family of six differential equations arising from the area-maximization property. We then use this result to derive a new shape that we propose as a possible solution to the ambidextrous moving sofa problem, a variant of the problem previously studied by Conway and others in which the shape is required to be able to negotiate a right-angle turn both to the left and to the right. Unlike Gerver’s construction, our new shape can be expressed in closed form, and its boundary is a piecewise algebraic curve. Its area is equal to $X + \arctan Y$, where $X$ and $Y$ are solutions to the cubic equations $x^2(x + 3) = 8$ and $x(4x^2 + 3) = 1$, respectively.
Tool of the week
Helps developers to reproduce issues discovered by pen testers. The pen tester produces a Replicator file which contains the findings in the report. Each finding includes a request, associated session rules or macros, and logic to detect presence of the vulnerability. The tester sends the Replicator file to the client alongside the report. Developers can then open the file within Burp and replicate the issues. When vulnerabilities have been fixed, Replicator provides confirmation that the attack vector used in the pen test is now blocked. A retest is still recommended, in case alternative attack vectors remain exploitable
Cerberus Phone Security (Antitheft)
Triple protection for your devices
Bcrypt for hashing
Falco – Container Native Runtime Security
Falco is an open source project for intrusion and abnormality detection for Cloud Native platforms such as Kubernetes, Mesosphere, and Cloud Foundry. Detect abnormal application behaviour. Alert via Slack, Fluentd, NATS, and more. Protect your platform by taking action through serverless (FaaS) frameworks, or other automation
Link HERE – thanks to Jocelyn and Andi
Other interesting articles
Using mutual TLS authentication in a Serverless world
Ultimately, with the broad adoption of public cloud services and, more specifically, serverless, there will need to be a shift in security architectures and in how underlying infrastructures are treated. Applying a perimeter-based approach is not sufficient, and is even flawed, in a serverless/services-based context. The fundamentals of Zero Trust Networking provide us with the guidance to implement more robust security, but this will require changes not only in the application and supporting software, but also in the handling of infrastructure and in how trust is determined over time (think Kairos, not Khronos).
Link HERE – thanks to Estevan
Everything Is Awesome In Banking And Design If We Ignore The Butt Naked Emperor
The Path to Code Provenance
The term “provenance” refers to a place of origin or history of ownership. For Uber’s application security team, code provenance is a strategy for ensuring we have a verifiable attestation of the origin of all code running in production
Microsoft knows password-expiration policies are useless
But it isn’t doing away with them across the board, yet.
Microsoft admitted today that password-expiration policies are a pointless security measure. Such requirements are “an ancient and obsolete mitigation of very low value,” the company wrote in a blog post on draft security baseline settings for Windows 10 v1903 and Windows Server v1903. Microsoft isn’t doing away with its password-expiration policies across the board, but the blog post makes the company’s stance clear: expiring passwords does little good
And finally, Gallup’s Positive Experience Index
Representing the views of citizens from more than 140 countries and areas, this study measures life’s intangibles — feelings and emotions — that traditional economic indicators such as GDP were never intended to capture.
Gallup’s Positive Experience Index questions are:
- Did you feel well-rested yesterday?
- Were you treated with respect all day yesterday?
- Did you smile or laugh a lot yesterday?
- Did you learn or do something interesting yesterday?
- Did you experience the following feelings during a lot of the day yesterday? How about enjoyment?
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: RCE in EA’s Origin Desktop Client.
Description: Attacking Cloud Containers Using SSRF (GitLab CI PoC).
URL: http://bit.ly/2KMwUF1 (+)
Description: Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice.