Word of the week “Towards an Information Kill Chain”
Remember: FAKE NEWS
Word of the week special
“It’s not about just shifting left, but starting left,” Pieter Danhieux
MAKE APPSEC GREAT AGAIN
Starling random public security strategy
Link HERE – thanks to Shamshir
Crypto challenge of the week
Hacky Easter 2019! – started on the 16th of April!
Try this easy one:
Don’t forget about: Facebook CTF 2019
Facebook will host its first global Capture the Flag (#CTF) competition June 1-3, 2019. CTF participants will be tasked with solving various security challenges to earn points using skills like cryptography, reverse engineering, and web & binary exploitation.
Link HERE Join team Sagoldiers!
May 25th 2019: 1 year of GDPR Live! See incidents section below
“As a CISO, most important is to leave your ego at the door”
Ben Aung CISO Sage about GDPR 1 year later
June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
HTTPS everywhere HERE
Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers
September 2019: PSD2 security mandatory
November 3rd 2020: Trump’s second term start
Book on the week/month
Comic of the week
##Some OWASP stuff first
-AppSec Podcast – Matt Clapham — A perspective on appsec from the world of medical software
Matt Clapham is a product security person, as a developer, security engineer, advisor, and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you had better know how your company makes a secure product or solution!)
-The Secure Developer Sessions – all of them
Ep. #30, Improving Security Culture with Justin Somaini
The Three Faces of DevSecOps
Ep. #29, The State of Open Source & Docker Security
Insecure Transit – Microservice Security
Ep. #28, Developer Empathy with Jason Chan of Netflix
-OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound
-OWASP Mth3l3m3nt Framework
Mth3l3m3nt (Modular Threat Handling Element) Framework is a simple and portable set of utilities designed to make the life of a penetration tester easy.
OWASP events HERE
All InfoSec events HERE
First AWS Security Conference – AWS re:Inforce 2019
Hack In Paris 2019 HERE
AppSec Europe Tel-Aviv May 2019 – NEXT WEEK!
OWASP Summit London
AWS Summit 2019 in London – ALL PRESENTATIONS
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Millions of devices affected by Cisco bugs
WhatsApp vulnerability – update your devices
Organisations urged to patch Microsoft SharePoint
Fix released for Windows vulnerability discovered by NCSC
Transatlantic Cable podcast, episode 92 – by Kaspersky
Troy Hunt Weekly update 138
Incidents & events detail
End-to-End Encryption Isn’t as Safe as You Think – CVE-2019-3568
The WhatsApp hack shows how supposedly secure messaging apps have a basic vulnerability.
The Financial Times reported that there is a critical vulnerability in the popular WhatsApp messaging application and that it is actively being used to inject spyware into victims’ phones. According to the report, attackers only need to issue specially crafted VoIP calls to the victim in order to infect the device, with no user interaction required for the attack to succeed. As WhatsApp is used by 1.5bn people worldwide, both on Android phones and iPhones, the messaging and voice application is known to be a popular target for hackers and governments alike.
As the entire SRTCP module is pretty big, there could be additional patches that we’ve missed. In addition, judging by the nature of the fixed vulnerabilities and by the complexity of the mentioned module, it is also probable that there are still additional unknown parsing vulnerabilities in this module.
Microsoft Releases Patches For A Critical ‘Wormable Flaw’ and 78 Other Issues
0 day in the wild – Excel Sheet by Google
This spreadsheet is used to track cases of zero-day exploits that were detected “in the wild”. This means the vulnerability was detected in real attacks against users as a zero-day vulnerability (i.e. not known to the public or the vendor at the time of detection). This data is collected from a range of public sources. We include relevant links to third-party analysis and attribution, but we do this only for your information; their inclusion does not mean we endorse or validate the content there.
Project Zero’s team mission is to “make zero-day hard”, i.e. to make it more costly to discover and exploit security vulnerabilities
Vulnerability in French Government Tchap Chat App
0patch PRO – New Micropatch Program Launched for Windows Platform Zero-day Vulnerabilities
Some Ransomware Recovery Companies Have Been Paying the Ransom
At least two companies that advertise data recovery services for ransomware victims have actually been paying the ransom. The companies often charge their clients high fees in excess of the cost of the ransom. While there are companies that openly pay the ransom – often they help victims who are unfamiliar with dealing in cryptocurrency – it is not clear that other companies were forthright with their clients about their methods.
XSS on Amazon
Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys
A misconfiguration in the Bluetooth Low Energy version of Google’s Titan Security Key could be exploited to communicate with the key or with the device to which the key is paired. An attacker would need to be within 30 feet of the targeted device. Google will replace affected devices at no cost.
Member of Sophisticated China-Based Hacking Group Indicted for Series of Computer Intrusions, Including 2015 Data Breach of Health Insurer Anthem Inc. Affecting Over 78 Million People
Decrypting config.bin files for TP-Link WR841N, WA855RE, and probably more…
New Class of Flaws Affects Intel Chips
Intel has disclosed a new class of speculative execution side-channel attacks affecting its processors. The attacks differ from Meltdown and Spectre and their variants because they could leak data from CPU buffers. Intel calls the flaws Microarchitectural Data Sampling, or MDS. The flaws have been addressed at the hardware level in more recent releases of Intel products, and Intel has released microcode and hypervisor updates.
XSS without parentheses and semi-colons – from PortSwigger
San Francisco Bans Facial Recognition
The City of San Francisco, California’s Board of Supervisors has approved an ordinance that prohibits law enforcement and other city agencies from using facial recognition technology on city residents. The ordinance notes that “the propensity for facial recognition technology to endanger civil rights and civil liberties substantially outweighs its purported benefits.” The ordinance also requires that law enforcement disclose what kinds of surveillance they are using.
China Spying on Undersea Internet Cables
BOTS TAMPERING WITH TLS TO AVOID DETECTION
Researchers at Akamai observed attackers using a novel approach for evading detection. This new technique – which we call Cipher Stunting – has become a growing threat, with its roots tracing back to early 2018. By using advanced methods, attackers are randomizing SSL/TLS signatures in an attempt to evade detection attempts.
Research of the week
Data Security Report 2019 – Cyber Security Insiders
Post-Quantum Cryptography Standardization
NIST has initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. Currently, public-key cryptographic algorithms are specified in FIPS 186-4, Digital Signature Standard, as well as special publications SP 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, and SP 800-56B Revision 1, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography. However, these algorithms are vulnerable to attacks from large-scale quantum computers (see NISTIR 8105, Report on Post-Quantum Cryptography).
Link HERE – thanks to Alvin
The Cynefin Framework
The Cynefin Framework is central to Cognitive Edge methods and tools. It allows executives to see things from new viewpoints, assimilate complex concepts, and address real-world problems and opportunities. Using the Cynefin framework can help executives sense which context they are in so that they can not only make better decisions but also avoid the problems that arise when their preferred management style causes them to make mistakes. Cynefin, pronounced kuh-nev-in, is a Welsh word that signifies the multiple factors in our environment and our experience that influence us in ways we can never understand.
Cyber AI Response: Threat Report 2019
This report details seven case studies of attacks that were intercepted and neutralized by cyber defense AI, including insider threat, ransomware, and IoT attacks. While all threat scenarios were distinct, some fast-moving and others slow and stealthy, in all cases the subtle indicators of suspicious activity were only detectable using Darktrace AI, which learns what is normal for the business environment and autonomously responds to attacks – before damage is done.
THREAT HUNTING AT ITS BEST
One day, a recruiter phoned me about a possible opportunity in a US-based banking corporation to fill a position as a Cyber Threat Intelligence Analyst. He mentioned that this is an additional headcount to complement their Threat Hunting team.
I paused for a while, then asked him what task differentiates their Threat Hunting team from the Threat Intel team. I was curious, as I was covering both under the DFIR (digital forensics & incident response) and “Purple Teaming” role. Then he told me that the Threat Hunting team will “proactively” hunt for threats and hand them over to Incident Response and Threat Intel, along with the IOCs that they have gathered from the wild.
Wireless Attacks on Aircraft Instrument Landing Systems
Modern aircraft heavily rely on several wireless technologies for communications, control, and navigation. Researchers have demonstrated vulnerabilities in many aviation systems. However, the resilience of aircraft landing systems to adversarial wireless attacks has not yet been studied in the open literature, despite their criticality and the increasing availability of low-cost software-defined radio (SDR) platforms. In this paper, we investigate and demonstrate the vulnerability of aircraft instrument landing systems to wireless attacks. We analyze the instrument landing system (ILS) waveforms and show the feasibility of spoofing such radio signals using commercially available SDR, causing last-minute go-around decisions, and even missing the landing zone in low-visibility scenarios. We first show that it is possible to fully control, in fine-grained fashion, the course deviation indicator, as displayed by the ILS receiver, in real time, and demonstrate it on aviation-grade ILS receivers. We analyze the potential of both an overshadowing attack and a lower-power single-tone attack. In order to evaluate the complete attack, we develop a tightly controlled closed-loop ILS spoofer. It adjusts the adversary’s transmitted signals as a function of the aircraft GPS location, maintaining power and deviation consistent with the adversary’s target position, causing an undetected off-runway landing. We demonstrate the integrated attack on an FAA-certified flight simulator (X-Plane), incorporating a spoofing region detection mechanism that triggers the controlled spoofing on entering the landing zone to reduce detectability. We systematically evaluate the performance of the attack against X-Plane’s AI-based autoland feature, and demonstrate a systematic success rate with offset touchdowns of 18 meters to over 50 meters. Finally, we discuss approaches towards secure and efficient aircraft landing systems.
Tool of the week
12 Israeli Infosec Start-up Companies To Notice
Not a tool BUT
The Risk of Authenticated Vulnerability Scans
Iranian Cyberespionage Tools Leaked Online
DSSuite – A Docker Container with Didier’s Tools
Other interesting articles
##AWS Security Essentials
##Building Shopify’s Application Security Program
##Vulnerabilities Management — 5 Ways to Find and Fix Open Source Vulnerabilities + Tools
Open source components are usually safe when they have a large community of people reviewing the code. That said, publishing the source code or having multiple sets of eyes reviewing the source code does not always guarantee that all security issues will be identified and fixed. Therefore, it is vital to include industry-standard security policies in applications.
##Phishing and security keys
When it comes to online security, confusion about the risks can lead people to obsess over obscure threats while ignoring key innovations that could truly protect them. Even highly targeted users like politicians and activists don’t fully appreciate the scourge of phishing, and many aren’t familiar with an emerging form of two-factor authentication known as “Security Keys” that we hope can stop it in its tracks.
##And finally, We’re under attack! 23+ Node.js security best practices
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: Tale of a Wormable Twitter XSS.
Description: 1-click HackerOne account takeover on all Android devices (CVE-2019-5765).