Word of the week
“Secrets… are the root of cool”
Word of the week special
When Art Director Jonathan Jacques-Belletête sat down to design the overarching look of Deus Ex: Human Revolution, he had two big criteria for his designs to meet. First, he wanted to choose “illustration over simulation” — rather than creating something exactly real, he wanted to make a game that had a definite style. And second, he adhered to the theory that “design distinction creates desire”.
Who is it?
Dockerfile Don’ts and Do’s – Secrets
Crypto challenge of the week
Hacky Easter 2019! – started on the 16th of April!
Try this easy one:
Don’t forget about: Facebook CTF 2019
Link HERE Join team Sagoldiers!
May 25th 2018: GDPR Live! See incidents section below
June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
HTTPS everywhere HERE
Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries
ITUNES DOESN’T ENCRYPT DOWNLOADS—ON PURPOSE
September 2019: PSD2 security mandatory
November 3rd 2020: Trump’s second term start
Book on the week/month
Comic of the week
Some OWASP stuff first
-Locomocosec CTF challenges
-AppSec Podcast – Omer Levi Hevroni — K8s can keep a secret?
Omer Levi Hevroni has written extensively on the topic of Kubernetes and secrets, and he’s a super dev. He’s the author of a tool for secrets management called Kamus. Kamus is an open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, and AES).
Link HERE See the tool Kamus in the tools section below
OWASP events HERE
All InfoSec events HERE
First AWS Security Conference – AWS re:Inforce 2019
Hack In Paris 2019 HERE
AppSec Europe Tel-Aviv May 2019
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
The latest DDoS attacks are mostly multi-vector and morph over time
Transatlantic Cable podcast, episode 90 – by Kaspersky
- Report shows cyber-enabled crimes and costs rose in 2018
- Weaponized USB devices as an attack vector
- Sorting out digital clutter in business
- Fraudster poses as Jason Statham to steal victim’s money
Incidents & events detail
Slack to investors: we might be the target of organized crime, nation-sponsored hackers
Exposed database holds sensitive data on over 80 million US households
Researchers develop new tool for safety-critical software testing
THREAT: FOX STEALER, THE RUSSIAN TELEGRAM SKID ARMY
Hackers Breached a Programming Tool – Docker Hub – Used By Big Tech and Stole Private Keys and Tokens
During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.
Attackers are weaponizing more vulnerabilities than ever before
New Oracle WebLogic zero-day discovered in the wild
Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again
INSIDE THE GITLAB PUBLIC BUG BOUNTY PROGRAM
Remote Code Execution on most Dell computers
Too fast, too insecure: Securing Mongo Express web administrative interfaces
Security Vulnerabilities of Neural Networks
What to do when your network thinks everything is an ostrich
Research of the week
2019 VULNERABILITY STATISTICS REPORT
How to debug memory leaks in a Node.js application on Heroku
Debugging memory leaks is rarely a piece of cake, especially when they only happen in production. The best way I’ve found to debug memory leaks in a Node.js application on Heroku is to analyse heap dumps.
Obtaining such heap dumps in production can be challenging, as it might be hard to connect remotely to a production instance with the debugger.
In this article, we will go through the steps needed to obtain and analyse heap dumps from a running Heroku dyno. This method will also work on other platforms as long as it is possible to perform similar operations.
An inside look at how credential stuffing operations work
The Mathematics of (Hacking) Passwords
The science and art of password setting and cracking continues to evolve, as does the war between password users and abusers.
Third-Party Risk to the Nth Degree
Managing the cyber risk of third-party vendors and their nth-party ecosystem.
The results of the survey reinforced the initial assumption that companies fail to recognize and make third-party risk management a priority, and nth-party risk even less so. Senior management is rightfully focused on business operations; however, evidence from the survey shows it could be detrimental not to apply greater consideration and resources to mitigate the potential impact a breach involving the company’s third- and nth-parties presents. Many organizations continue to feel that if their company has internal policies and controls in place, their data is safe. The fact that just under half of the companies surveyed experienced a breach due to a third party proves otherwise. As digital transformation and the rapid competitive environment continue to pressure expansion of third parties to achieve business objectives, potential risk, especially from nth parties, will continue to escalate. Increasing regulatory requirements and greater potential impact from violations, in combination with third-party expansion, is a recipe for escalating and uncontrollable risk. Readers of this report are encouraged to conduct a third-party risk assessment that not only identifies third and nth parties, but develops risk rankings based on potential business impact and regulatory ramifications.
Tool of the week
Introducing Chimera, a modern jailbreak for all devices on iOS 12 — 12.1.2
Regex Cheat Sheet
A browser API that aims to prevent DOM-Based Cross Site Scripting in modern web applications
An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS, Amazon Web Services KMS and AES). To learn more about Kamus, check out the blog post and slides.
Meet the new standard for network and security configuration monitoring
A guide for amateur pen testers and a collection of hacking tools, resources and references to practice ethical hacking, pen testing and web security.
Other interesting articles
AWS IAM EXPLOITATION
In AWS, authorization is governed by the Identity and Access Management (IAM) service. Unfortunately, as with most software configuration, there is ample opportunity for misconfigurations that result in security vulnerabilities. As it pertains to AWS IAM, this typically manifests as privilege escalation. However, in some cases, it can result in something as severe as unauthorized account access. In this blog post, I will cover general classes of IAM exploitation and privilege escalation techniques. Keep in mind that IAM exploitation requires some form of credentials in most cases. In other cases, some alternative information may be required, such as an account ID or an ARN.
“CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter
When it comes to bug bounty hunting and finding exciting areas to explore, it is vital to familiarise yourself with the technologies that vendors and companies rely on. One particularly interesting environment that caught our eye was the popular integrations used by various open-source projects, primarily as part of their development life cycle. Some prime examples of continuous-integration services (“CI services”), including Travis CI, Circle CI, and GitLab CI, turned out to be extremely rewarding for us as bug bounty hunters.
And finally, Amazon Could Soon Force You to Go on a Diet, According to One Futurist
Tech giants will overtake our homes — and once you’re locked into one ecosystem, you won’t be able to escape, says Amy Webb
HACKING, TOOLS and FUN – CHECK BELOW!
Description: OE Classic <= 2.8.0 RCE via stored XSS.
Description: DOMXSS on Embedded SDK (Shopify.API.setWindowLocation) abusing cookie stuffing.