Security Stack Sheet #52

Word of the week “Password Day”

  • NCSC’s first ‘UK Cyber Survey’ shows 42% of Brits expect to lose money to online fraud
  • Breach analysis finds 23.2 million victim accounts worldwide used 123456 as password
  • Global password risk list published to disclose passwords already known to hackers
  • NCSC urges using 3 random words as passwords on the eve of CYBERUK 2019 event
  • Only 15% say they know a great deal about how to protect themselves from harmful activity
  • The most regular concern is money being stolen – with 42% feeling it likely to happen by 2021
  • 89% use the internet to make online purchases – with 39% on a weekly basis
  • One in three rely to some extent on friends and family for help on cyber security
  • Young people more likely to be privacy conscious and careful of what details they share online
  • 61% of internet users check social media daily, but 21% report they never look at social media
  • 70% always use PINs and passwords for smart phones and tablets
  • Less than half do not always use a strong, separate password for their main email account

https://www.ncsc.gov.uk/static-assets/images/cyber%20survey%20q3.png

Link HERE

Word of the week special

“Repository for ransom”

Code ransomware on GitLab

Links HERE and HERE – thanks to Sylwester

Bonus 

Link HERE

Link HERE

Smart Threat Modelling

https://pbs.twimg.com/media/D566GOqUYAAHBio.png:large

Link HERE

Link HERE

Link HERE

Link HERE – thanks to Shamshir

Crypto challenge of the week

Hacky Easter 2019! – started on the 16th of April!

Link HERE

https://pbs.twimg.com/profile_images/708919573614039040/EwgmBsjU_400x400.jpg

Try this easy one:

rorriM rorriM

Mirror, mirror, on the wall, who’s the fairest of them all?

Challenge 09

Link HERE

Don’t forget about: Facebook CTF 2019

Link HERE Join team Sagoldiers!

Shitsco CTF Problem Walkthrough

Link HERE

Dates

May 25th 2018: GDPR Live! See incidents section below

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

Google HERE Firefox HERE Microsoft HERE

HTTPS everywhere HERE

Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers

Link HERE

Halloween Brexit! or later or not or bust Brexit Fatigue HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

Book on the week/month

Link HERE

Comic of the week

Three Problems With Spreadsheet - Dilbert by Scott Adams

##Some OWASP stuff first

-AppSec Podcast – Jon McCoy — Hacker outreach

Jon explains the idea of hacker outreach and breaks down what we can expect if we venture to the DefCon event in Las Vegas. Jon also remembered a cautionary tale of Robert’s Fitbit out at a DefCon event. Jon is someone we can all learn from about giving back to our community

Link HERE

-Remember: Common API security pitfalls

https://pragmaticwebsecurity.com/talks/commonAPIsecuritypitfalls.png

Link HERE

-Abuse cases Talk

Link HERE

-CyberFirst 2019

Student courses designed to introduce 14 to 17 year-olds to the exciting world of cyber security

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019

Link HERE

Tribe of Hackers Summit 2019

Link HERE

Adobe @Locomoco Sec 2019

Link HERE

Securing Web Apps with Modern Platform Features (Google I/O ’19)

Common vulnerabilities such as XSS, CSRF, and others have long plagued the web, accounting for most of the high-risk flaws reported under Google’s Vulnerability Reward Program. Learn about the latest web platform security mechanisms to protect your apps from injections and isolate them from dangerous sites. You’ll leave with a security checklist for defending your applications with new browser features based on Google Security Team’s experience in protecting the web’s most sensitive apps

Link HERE

Linux for Chromebooks: Secure Development (Google I/O ’19)

Learn how Linux for Chromebooks (Crostini) gives you a secure sandbox for development. Through a variety of demos, this talk will explain the architecture underlying Linux for Chromebooks and the design decisions that keep it easy to use

Link HERE

Other brilliant talks HERE

AWS Summit 2019 in London

Huge crowd

Good principles

AWS Security Hub

AWS Security Solutions

Threat Hunting

Link HERE Keynote HERE

How is AWS doing it?

Link HERE

AND Azure is catching up with AWS HERE

And some Drivers

https://cdn-images-1.medium.com/max/2400/1*YBnoZB2ufSukgcuZecc7hw.png

Cofense Submerge – thanks to Sylwester

Public File Transfer services used in phishing campaigns (% of seen and confirmed phishing campaigns)

Who’s the most phishable? The Technology Sector!

AND Vishing as a Service Link HERE and Ethics In Social Engineering HERE

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

Link HERE

NCSC Weekly Threat Report

Researchers recognise MegaCortex ransomware spike

Cyber security researchers at Sophos have reported a spike in a new ransomware named MegaCortex. The infection targets corporate networks and has reportedly affected customers worldwide, with victims in Italy, the United States, Canada, the Netherlands, Ireland, and France

Concern around computer skills decline in schools

A decline in students under the age 16 obtaining computing qualifications has caused concerns, according to a new report from the University of Roehampton

Link HERE

Transatlantic Cable podcast, episode 91 – by Kaspersky

Links HERE

Troy Hunt Weekly update 137

Link HERE

Incidents & events detail

Flaws in a popular GPS tracker leak real-time locations and can remotely activate its microphone

Link HERE

Cork Tech Summit gives stark demonstration on cybercrime vulnerability

Link HERE

Hackers are Ready to Exploit Zero-Day Flaws; Companies are Slow to Act

Link HERE

Why crypto exchanges keep getting hacked and how to protect yourself

Link HERE

You know how to safeguard your keys in the physical world – here’s how to do it in the online world

Link HERE

Improving privacy and security on the web – by Chromium

Links HERE and HERE

Hijacking Safari; by any means necessary

Link HERE

A MYSTERIOUS HACKER GROUP IS ON A SUPPLY CHAIN HIJACKING SPREE

Link HERE

EVE Online account security – Part 2 – Pwned Passwords details, CSP and HSTS

Link HERE

Security flaws in 100+ Jenkins plugins put enterprise networks at risk

NCC Group researcher finds security flaws impacting more than 100 Jenkins plugins

Link HERE

Avoiding XSS via Markdown in React

Link HERE

Ransomware: The key lesson Maersk learned from battling the NotPetya attack

Link HERE

From NA to $3000: Facebook’s URL spoofing vulnerability

Link HERE

Research of the week

Slow Loris — Rethinking DoS attacks

https://cdn-images-1.medium.com/max/1600/1*ENb5SaX575TAJ5OU4g7dlQ.jpeg

Link HERE

Behaviour-Driven Penetration Testing

We set out to minimize the time from anyone in the project thinking “What happens if…” to a flashing red light indicating a security issue. We discovered that it is important to create tooling that is accessible to a wide range of personas in the project, and that we can integrate the penetration testing infrastructure with our existing CI infrastructure. Making use of Behaviour-Driven Development we were able to adapt existing tools to suit our specific needs and found a development process that works very well for us. This way, we were able to address concrete issues in our software and encouraged developers with various technological backgrounds to participate in this endeavour to make the software we produce safer

Link HERE

NIST Privacy Framework draft

Link HERE

THE BEST, CRAWL, RUN APPROACH TO BUG BOUNTIES

Link HERE

What is CSRF Synchronizer Token Pattern?

Link HERE – thanks to Prash

The First Security Engineer’s 100-day Checklist

Link HERE

Tool of the week

The complete list of Infosec related cheat sheets

Link HERE

Guardrails not Blockers by DisruptOps

Link HERE

Amazon Macie

A machine learning-powered security service to discover, classify, and protect sensitive data

Link HERE and FUN AWS Deepracer HERE

Using the Sumo Logic App for Security Analytics

Link HERE

XSS-Auditor — the protector of unprotected

and the deceiver of protected

Links HERE and HERE

MISP – Malware Information Sharing Platform and Threat Sharing

Link HERE

Unpacking Redaman Malware & Basics of Self-Injection Packers – ft. OALabs

Link HERE

Other interesting articles

##How to avoid ruining lives (front-end security matters)

XSS and CSRF are only the tip of the iceberg when it comes to web security. They’re the two that are most likely to affect you as a front-end developer, but they’re by no means the whole picture. Even if the solutions aren’t always implemented on the front-end, don’t forget that each of us has a part to play, and we can only play that part if we’ve got the eyes to see and mind to understand. A safer web for our families, friends, and ourselves starts with each of us taking responsibility and working together!

Link HERE AND Reducing patient stress using secure code review HERE

##Why Required Password Changes Reduce Security

Link HERE

##Working in Cyber Security: “Be prepared to work hard and learn fast”

What is it like to work in cyber security? We ask some of the members of the team in Symantec. Today, we hear from John Dudman, Principal Service Manager for Symantec Managed Security Services (MSS)

Link HERE

##And finally, it’s not cyber war. Stop it.

Links HERE and HERE and HERE

AND

Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/210779

Description: Invalidating OAuth2 Bearer token makes TweetDeck unavailable.

URL: http://bit.ly/2VE8WQE  (+)

Description: The journey of Web Cache, Firewall Bypass to SSRF to AWS creds compromise!

Link HERE and credits to HERE
