Security Stack Sheet #50

Word of the week

“Table Stakes & Vegas Rules” from the Expedia AWS event in London April 2019

Herding Expedia Group Toward a Resilient Lodging Platform

Resilience – recovery from unknown & unexpected failures

vs

Robustness – handling expected failures

Link HERE


Word of the week special

“Kerberoasting”

Links HERE and HERE and HERE and HERE – thanks to Ben

Defeating Pass the Hash HERE

Am I a “real” Software Engineer yet? A Developer’s Insecurities!

Link HERE


Bonus

Link HERE

Link HERE

Link HERE

Link HERE

Link HERE


Crypto challenge of the week

Hacky Easter 2019! – started on the 16th of April!

Link HERE

Try this easy one: Sloppy Encryption

Link HERE

Facebook CTF 2019

Link HERE Join team Sagoldiers!


Dates

May 25th 2018: GDPR Live! See incidents section below

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance – BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

Google HERE Firefox HERE Microsoft HERE

HTTPS everywhere HERE

BUT,

Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries

Link HERE

Repeat: Interview with Scott Helme: The Entire Web Should Be Encrypted

Link HERE

Why Every Privacy Activist Should Embrace* DNS-over-HTTPS

Link HERE

Halloween Brexit! Or later, or not, or bust. Brexit Fatigue HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start


Book on the week/month

Factfulness

Link HERE Summary HERE – thanks to Alvin

Securing DevOps

“The best book for learning about security concepts you’ll likely use in your work around AWS is Securing DevOps: Security in the Cloud by Julien Vehent, who manages Firefox Operations Security”

Link HERE


Comic of the week


Some OWASP stuff first

-Application Security Podcast – Command line threat modeling with pytm

Izar Tarandach is a threat modeling pioneer, seen as one of the movers and shakers in the threat modeling world. Izar leads a small team that develops the pytm tool, which is self-described as “a Pythonic framework for threat modeling”. The GitHub page goes on to say: define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, a list of threats to your system.

Link HERE

-Human Factor Security

Meadow is a hardware security dark witch with a keen eye and open heart to how normal users take what we, the security nerds, provide them with.

Meadow also specialises in automation for the purpose of removing humans from the equation and is a firm believer in security serving normal users, not the other way around.

Link HERE

-CNCF: Onboarding OSS Projects (at Google)

Security indicators for open-source projects

Link HERE

-Container, Orchestration, and Microservice Security

Link HERE

-OWASP Cheat Sheet updates – check it out!

  • New cheat sheet on managing vulnerable dependencies
  • .NET security, CSRF, TLS Cipher String and Docker cheat sheets updated

Link HERE


Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019

Link HERE

Expedia Group AWS event in London – presentations

Our journey with Squid Proxy

Link HERE

Presentations from LocoMoco Sec

Who Wants a Thousand Free Puppies

Link HERE

About the Locomocosec Conference – write-up

Link HERE

Link HERE

Link HERE

Link HERE Cookies, tokens and APIs HERE

Slides from OPCDE

  • Automated Reverse Engineering of Industrial Control Systems Binaries – Mihalis Maniatakos (@realmomalab)
  • Using Symbolic Execution to Root Routers – Mathy Vanhoef (@vanhoefm)
  • Evolving Attacker Techniques in Account Takeover – Philip Martin (@securityguyphil)
  • Lions at the watering hole – Andrei Boz (@dekeneas)
  • Next Gen IoT Botnets – owning 450.000 devices from a single vendor – Alex “Jay” Balan (@jaymzu)
  • Danger of using fully homomorphic encryption, a look at Microsoft SEAL – Zhiniang Peng (@edwardzpeng)
  • (SAP) Gateway to Heaven – Mathieu Geli & Dmitry Chastuhin (@gelim, @_chipik)
  • NTLM Relay Is Dead, NO, this is impossible – sanr, Yang Zhang (@by_sanr, @izykw)
  • Modern Secure Boot Attacks: Bypassing Hardware Root of Trust from Software – Alex Matrosov (@matrosov)
  • Practical Uses for Memory Visualization – Ulf Frisk (@UlfFrisk)
  • Trade War: Shellcode’s Wielding of Imports and Exports – Willi Ballenthin (@williballenthin)
  • WhatsApp Digger – Deemah A Alotaibi, Lamyaa S Alsaleem, Malak F Aldakheel, Sarah A Alqhtani (@_Saraque @Lamya_Alsleem @DeemaAlotaibi5 @Malakfsd)

Link HERE


Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incident data HERE Find your country

Link HERE

Password risk list – have you strengthened your approach?

The list (which you can read in full here) shows the top 100,000 passwords that have been involved in global cyber breaches. We released this in collaboration with international web security expert Troy Hunt, as part of the Have I Been Pwned dataset. His website allows people to check if they have an account that has been compromised in a data breach.

Customer data could have been lifted from online fitness and bodybuilding store

Bodybuilding.com, described as the internet’s biggest online store and forum for gym enthusiasts, has disclosed a cyber incident following unauthorised access to its systems, which it became aware of in February.

Link HERE

Troy Hunt weekly update

Link HERE

Transatlantic Cable podcast, episode 89 – by Kaspersky

Links HERE


Incidents & events detail

How I found 5 ReDOS Vulnerabilities in Mod Security CRS

Link HERE

PDF: The vehicle of choice for malware and fraud

There has been a substantial increase in fraudulent PDF files, according to a report by SonicWall Capture Labs threat researchers.

Link HERE

Don’t leak sensitive data via security scanning tools

Link HERE

Mac OS X-Protect Now Covering Windows Malware

Link HERE

Millions using 123456 as password, security study finds

Link HERE

A hotspot finder app exposed 2 million Wi-Fi network passwords

Link HERE

Active Exploitation of Confluence Vulnerability CVE-2019-3396 Dropping Gandcrab Ransomware

Link HERE

Supply Chain Hackers Target Video Game Development Software

Researchers from two separate companies say that the same group of hackers that used the Asus software update mechanism to infect machines with malware has launched a similar supply chain attack against video game developers. The hackers managed to slip malware into the Microsoft Visual Studio development tool, which was then used by three separate video game companies.

Link HERE

Google bans logins from embedded browser frameworks to prevent MitM phishing

Google previously banned logins initiated from browsers where JavaScript had been disabled.

Link HERE

Palo Alto Networks and GoDaddy Take Down Scamming Subdomains

Palo Alto Networks and GoDaddy worked together to take down more than 15,000 subdomains that were being used in spam operations to sell purported weight loss drugs, brain enhancing supplements and other dodgy pharmaceutical products. The spammers compromised GoDaddy customer accounts and created subdomains that they used to send the spam.

Link HERE

It’s Not Our Sandbox :: Auditing Foxit Reader’s PDF Printer For an Elevation of Privilege

Link HERE

Digital Moat for Pentagon

The US Defense Information Systems Agency (DISA) has awarded a pair of contracts to develop a cloud-based digital “moat” to isolate the Pentagon’s internal networks from the rest of the Internet, while still allowing Pentagon employees to access the Internet.

[Murray] End-to-end application layer security is preferable.

Link HERE

Threat actors abuse GitHub service to host a variety of phishing kits

Link HERE

Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903

Link HERE


Research of the week

Gartner’s Magic Quadrant for Application Security Testing (AST)

Link HERE

The state of open source security – 2019

Snyk’s annual state of open source security report 2019.
This report is split into several posts:

Link HERE

The state of Code Review 2018

  • Perceptions on Code Quality
  • Approaches to Code Review
  • Code Review Tools and Decision Making
  • Actionable Recommendations for Your Team

Link HERE

Switching to Elasticsearch to Improve Cybersecurity for the World’s Fastest Supercomputer

Link HERE

Differential equations and exact solutions in the moving sofa problem

“Odd,” agreed Reg. “I’ve certainly never come across any irreversible mathematics involving sofas. Could be a new field. Have you spoken to any spatial geometricians?” —Douglas Adams, “Dirk Gently’s Holistic Detective Agency”


The moving sofa problem, posed by L. Moser in 1966, asks for the planar shape of maximal area that can move around a right-angled corner in a hallway of unit width, and is conjectured to have as its solution a complicated shape derived by Gerver in 1992. We extend Gerver’s techniques by deriving a family of six differential equations arising from the area-maximization property. We then use this result to derive a new shape that we propose as a possible solution to the ambidextrous moving sofa problem, a variant of the problem previously studied by Conway and others in which the shape is required to be able to negotiate a right-angle turn both to the left and to the right. Unlike Gerver’s construction, our new shape can be expressed in closed form, and its boundary is a piecewise algebraic curve. Its area is equal to $X + \arctan Y$, where $X$ and $Y$ are solutions to the cubic equations $x^2(x + 3) = 8$ and $x(4x^2 + 3) = 1$, respectively.

Link HERE


Tool of the week

Replicator

Helps developers to reproduce issues discovered by pen testers. The pen tester produces a Replicator file which contains the findings in the report. Each finding includes a request, associated session rules or macros, and logic to detect the presence of the vulnerability. The tester sends the Replicator file to the client alongside the report. Developers can then open the file within Burp and replicate the issues. When vulnerabilities have been fixed, Replicator provides confirmation that the attack vector used in the pen test is now blocked. A retest is still recommended, in case alternative attack vectors remain exploitable.

Link HERE

Cerberus Phone Security (Antitheft)

Triple protection for your devices

Link HERE

Bcrypt for hashing

About it HERE Discussion on best usage HERE

Falco – Container Native Runtime Security

Falco is an open source project for intrusion and anomaly detection on Cloud Native platforms such as Kubernetes, Mesosphere, and Cloud Foundry. It detects abnormal application behaviour at runtime, alerts via Slack, Fluentd, NATS, and more, and lets you protect your platform by taking action through serverless (FaaS) frameworks or other automation.

Link HERE – thanks to Jocelyn and Andi


Other interesting articles

Using mutual TLS authentication in a Serverless world

Ultimately, with the broad adoption of public cloud services and, more specifically, serverless, there will need to be a shift in security architectures and in how underlying infrastructures are treated. Applying a perimeter-based approach is not sufficient, and is even flawed, in a serverless/services-based context. The fundamentals of Zero Trust Networking provide us with the guidance to implement more robust security, but this will require changes not only in the application and supporting software, but also in the handling of infrastructure and the determination of trust over time (think Kairos, not Khronos).

Link HERE – thanks to Estevan


Everything Is Awesome In Banking And Design If We Ignore The Butt Naked Emperor

Link HERE


The Path to Code Provenance

The term “provenance” refers to a place of origin or history of ownership. For Uber’s application security team, code provenance is a strategy for ensuring we have a verifiable attestation of the origin of all code running in production.

Link HERE and THE REAL REASON TECH STRUGGLES WITH ALGORITHMIC BIAS HERE


Microsoft knows password-expiration policies are useless

But it isn’t doing away with them across the board, yet.

Microsoft admitted today that password-expiration policies are a pointless security measure. Such requirements are “an ancient and obsolete mitigation of very low value,” the company wrote in a blog post on draft security baseline settings for Windows 10 v1903 and Windows Server v1903. Microsoft isn’t doing away with its password-expiration policies across the board, but the blog post makes the company’s stance clear: expiring passwords does little good.

Link HERE Blog post HERE


And finally, Gallup’s Positive Experience Index

Representing the views of citizens from more than 140 countries and areas, this study measures life’s intangibles — feelings and emotions — that traditional economic indicators such as GDP were never intended to capture.

Gallup’s Positive Experience Index questions are:

  • Did you feel well-rested yesterday?
  • Were you treated with respect all day yesterday?
  • Did you smile or laugh a lot yesterday?
  • Did you learn or do something interesting yesterday?
  • Did you experience the following feelings during a lot of the day yesterday? How about enjoyment?

Link HERE PDF HERE and Will Education be pointless 30 years from now? Link HERE


##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.underdogsecurity.com/rce_in_origin_client/

Description: RCE in EA’s Origin Desktop Client.

URL: https://hackerone.com/reports/369451

Blog: https://dylankatz.com/attacking-cloud-containers-using-ssrf/

Description: Attacking Cloud Containers Using SSRF (GitLab CI PoC).

URL: http://bit.ly/2KMwUF1 (+)

Description: Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice.

Link HERE and credits to HERE
