Security Stack Sheet #53

Word of the week “Towards an Information Kill Chain”

cyber kill chain

Remember: FAKE NEWS

Seven Commandments of Fake News – New York Times exposes Kremlin’s methods

  • Step 1: Find the cracks in the fabric of society — the social, demographic, economic and ethnic divisions.
  • Step 2: Seed distortion by creating alternative narratives. In the 1980s, this was a single “big lie,” but today it is more about many contradictory alternative truths — a “firehose of falsehood” — that distorts the political debate.
  • Step 3: Wrap those narratives around kernels of truth. A core of fact helps the falsities spread.
  • Step 4: (This step is new.) Build audiences, either by directly controlling a platform (like RT) or by cultivating relationships with people who will be receptive to those narratives.
  • Step 5: Conceal your hand; make it seem as if the stories came from somewhere else.
  • Step 6: Cultivate “useful idiots” who believe and amplify the narratives. Encourage them to take positions even more extreme than they would otherwise.
  • Step 7: Deny involvement, even if the truth is obvious.
  • Step 8: Play the long game. Strive for long-term impact over immediate impact.

Links HERE and HERE and HERE and HERE and HERE and HERE

Word of the week special

“It’s not about just shifting left, but starting left,” Pieter Danhieux

MAKE APPSEC GREAT AGAIN

Shift-Left, Security by Design and DevSecOps

Links HERE and HERE and HERE and Posters! HERE

Bonus 


Starling random public security strategy


Expert reaction:


Link HERE – thanks to Shamshir


Link HERE


Link HERE

Crypto challenge of the week

Hacky Easter 2019! – started on the 16th of April!

Link HERE


Try this easy one:

Memeory 2.0

We improved Memeory 1.0 and added an insane serverside component. So, no more CSS-tricks. Muahahaha.

Flagbounty for everyone who can solve 10 successive rounds. Time per round is 30 seconds and only 3 misclicks are allowed.

Good game.

Meme

Link HERE

Don’t forget about: Facebook CTF 2019


Facebook will host its first global Capture the Flag (#CTF) competition June 1-3, 2019. CTF participants will be tasked with solving various security challenges to earn points using skills like cryptography, reverse engineering, and web & binary exploitation.

Link HERE Join team Sagoldiers!

Dates

May 25th 2019: 1 year of GDPR Live! See incidents section below

“As a CISO, most important is to leave your ego at the door”


Ben Aung CISO Sage about GDPR 1 year later

Link HERE

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance – BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers

Link HERE

Halloween Brexit! or later or not or bust Brexit Fatigue HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

Book on the week/month


Link HERE


Comic of the week

 - Dilbert by Scott Adams

##Some OWASP stuff first

-AppSec Podcast – Matt Clapham — A perspective on appsec from the world of medical software

Matt Clapham is a product security person, as a developer, security engineer, advisor, and manager. He began his career as a software tester, which led him down the path of figuring out how to break things. Matt lives in the medical software world and visited the Healthcare Information and Management Systems Society (HIMSS) conference. Matt shares his perspectives on application/cybersecurity through the eyes of the healthcare industry. There is much for us to understand by viewing how other segments approach security and privacy. Matt believes in stepping outside the echo chamber and experiencing how other industries see security, and he achieved that by visiting this non-security conference and sharing his experiences with us. (And if he visits your booth at an event, you had better know how your company makes a secure product or solution!)

Link HERE

-The Secure Developer Sessions – all of them

Including:


Ep. #30, Improving Security Culture with Justin Somaini

The Three Faces of DevSecOps

Ep. #29, The State of Open Source & Docker Security

Insecure Transit – Microservice Security

Ep. #28, Developer Empathy with Jason Chan of Netflix

Links HERE and HERE

-OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens

draft-ietf-oauth-mtls-14

Link HERE

-OWASP Mth3l3m3nt Framework

Mth3l3m3nt (Modular Threat Handling Element) Framework is a simple and portable set of utilities designed to make the life of a penetration tester easy.


Link HERE


Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019 – NEXT WEEK!

Link HERE

OWASP Summit London


Link HERE

AWS Summit 2019 in London – ALL PRESENTATIONS


Including:


Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country

Link HERE

NCSC Weekly Threat Report


Millions of devices affected by Cisco bugs

Two bugs affecting networks have been disclosed by Cisco this week. 

The first vulnerability is in the logic that handles access controls to one of the hardware components in Cisco’s proprietary Secure Boot implementation. The vulnerability could allow an authenticated local attacker to “write a modified firmware image to the component”. Cisco have confirmed that software updates will be released to address the vulnerability.  

The detail of how the vulnerability came to be and future updates can be found on the relevant Cisco advisory.

WhatsApp vulnerability – update your devices

Users of WhatsApp have been encouraged to download the latest update this week. 

A security advisory from Facebook, who run the messaging service, told users to update the app as a precaution.

The NCSC also published advice for users on Tuesday which outlined affected devices and gave some steps on how to ensure updates were triggered.

Organisations urged to patch Microsoft SharePoint

The Canadian Cyber Security Centre and Saudi Arabian National Cyber Security Centre have published advisories warning of the active exploitation of a vulnerability that grants remote code execution against Microsoft SharePoint.

Security researchers have reportedly identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors.

Fix released for Windows vulnerability discovered by NCSC

Microsoft has released a fix for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services – formerly known as Terminal Services – that affects some older versions of Windows.

Link HERE

Transatlantic Cable podcast, episode 92 – by Kaspersky

Links HERE

Troy Hunt Weekly update 138


Link HERE


Incidents & events detail

End-to-End Encryption Isn’t as Safe as You Think – CVE-2019-3568


The WhatsApp hack shows how supposedly secure messaging apps have a basic vulnerability.

The Financial Times published that there is a critical vulnerability in the popular WhatsApp messaging application and that it is actively being used to inject spyware into victims’ phones. According to the report, attackers only need to issue specially crafted VoIP calls to the victim in order to infect it, with no user interaction required for the attack to succeed. As WhatsApp is used by 1.5bn people worldwide, both on Android phones and iPhones, the messaging and voice application is known to be a popular target for hackers and governments alike.

As the entire SRTCP module is pretty big, there could be additional patches that we’ve missed. In addition, judging by the nature of the fixed vulnerabilities and by the complexity of the mentioned module, there is also a probable chance that there are still additional unknown parsing vulnerabilities in this module.


Link HERE Tech details HERE

Microsoft Releases Patches For A Critical ‘Wormable Flaw’ and 78 Other Issues


Link HERE

0 day in the wild – Excel Sheet by Google

This spreadsheet is used to track cases of zero-day exploits that were detected “in the wild”. This means the vulnerability was detected in real attacks against users as a zero-day vulnerability (i.e. not known to the public or the vendor at the time of detection). This data is collected from a range of public sources. We include relevant links to third-party analysis and attribution, but we do this only for your information; their inclusion does not mean we endorse or validate the content there.

Project Zero’s team mission is to “make zero-day hard”, i.e. to make it more costly to discover and exploit security vulnerabilities.

Link HERE and Article HERE

Vulnerability in French Government Tchap Chat App

Link HERE

0patch PRO – New Micropatch Program Launched for Windows Platform Zero-day Vulnerabilities

Link HERE

Some Ransomware Recovery Companies Have Been Paying the Ransom

At least two companies that advertise data recovery services for ransomware victims have actually been paying the ransom. The companies often charge their clients high fees in excess of the cost of the ransom. While there are companies that openly pay ransom – often they help victims who are unfamiliar with dealing in cryptocurrency – it is not clear that other companies were forthright with their clients about their methods.

Link HERE

XSS on Amazon

Link HERE

Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys

A misconfiguration in the Bluetooth Low Energy version of Google’s Titan Security Key could be exploited to communicate with the key or with the device to which the key is paired. An attacker would need to be within 30 feet of the targeted device. Google will replace affected devices at no cost.

Link HERE

Member of Sophisticated China-Based Hacking Group Indicted for Series of Computer Intrusions, Including 2015 Data Breach of Health Insurer Anthem Inc. Affecting Over 78 Million People

Link HERE

Decrypting config.bin files for TP-Link WR841N, WA855RE, and probably more…

Link HERE

New Class of Flaws Affects Intel Chips


Intel has disclosed a new class of speculative execution side-channel attacks affecting its processors. The attacks differ from Meltdown and Spectre and their variants because they could leak data from CPU buffers. Intel calls the flaws Microarchitectural Data Sampling, or MDS. The flaws have been addressed at the hardware level in more recent releases of Intel products, and Intel has released microcode and hypervisor updates.
[Neely]
As researchers assess other ways speculative execution can be abused, expect more MDS family types of flaws. These are currently low risk due to the degree of difficulty to exploit. Beware of attention-getting names, and accompanying icons, like ZombieLoad, that shift focus from the true risk to the headlines.

Links HERE and HERE

XSS without parentheses and semi-colons – from PortSwigger

Link HERE


Link HERE


Link HERE

San Francisco Bans Facial Recognition

The City of San Francisco, California’s Board of Supervisors has approved an ordinance that prohibits law enforcement and other city agencies from using facial recognition technology on city residents. The ordinance notes that “the propensity for facial recognition technology to endanger civil rights and civil liberties substantially outweighs its purported benefits.” The ordinance also requires that law enforcement disclose what kinds of surveillance they are using.

Links HERE and HERE

China Spying on Undersea Internet Cables

Link HERE

BOTS TAMPERING WITH TLS TO AVOID DETECTION

Researchers at Akamai observed attackers using a novel approach for evading detection. This new technique – which we call Cipher Stunting – has become a growing threat, with its roots tracing back to early 2018. By using advanced methods, attackers are randomizing SSL/TLS signatures in an attempt to evade detection attempts.

Attackers have continued to change the way they operate, adding complexity and sophistication to their evasion techniques as they target businesses like airlines, banking, and dating websites. Over the last few months, attackers have been tampering with SSL/TLS signatures at a scale never before seen by Akamai.

Link HERE

Research of the week

Data Security Report 2019 – Cyber Security Insiders



Link HERE

Post-Quantum Cryptography Standardization

NIST has initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. Currently, public-key cryptographic algorithms are specified in FIPS 186-4, Digital Signature Standard, as well as special publications SP 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography and SP 800-56B Revision 1, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography. However, these algorithms are vulnerable to attacks from large-scale quantum computers (see NISTIR 8105, Report on Post Quantum Cryptography).

Link HERE – thanks to Alvin

The Cynefin Framework

The Cynefin Framework is central to Cognitive Edge methods and tools. It allows executives to see things from new viewpoints, assimilate complex concepts, and address real-world problems and opportunities. Using the Cynefin framework can help executives sense which context they are in so that they can not only make better decisions but also avoid the problems that arise when their preferred management style causes them to make mistakes. Cynefin, pronounced kuh-nev-in, is a Welsh word that signifies the multiple factors in our environment and our experience that influence us in ways we can never understand.

Link HERE

Cyber AI Response: Threat Report 2019

This report details seven case studies of attacks that were intercepted and neutralized by cyber defense AI, including insider threat, ransomware, and IoT attacks. While all threat scenarios were distinct, some fast-moving and others slow and stealthy, in all cases the subtle indicators of suspicious activity were only detectable using Darktrace AI, which learns what is normal for the business environment and autonomously responds to attacks – before damage is done.


Link HERE

THREAT HUNTING AT ITS BEST

One day, a recruiter phoned me for a possible opportunity in a US-based banking corporation to fill a position as a Cyber Threat Intelligence Analyst. He mentioned that this is an additional headcount to complement their Threat Hunting team.

I paused for a while, then asked him what task differentiates their Threat Hunting team from the Threat Intel team. I was curious, as I was covering both under the DFIR (digital forensics & incident response) and “Purple Teaming” role. Then he told me that the Threat Hunting team will “proactively” hunt for threats and hand them over to Incident Response and Threat Intel for the IOCs that they have gathered from the wild.


Link HERE

Wireless Attacks on Aircraft Instrument Landing Systems

Modern aircraft heavily rely on several wireless technologies for communications, control, and navigation. Researchers have demonstrated vulnerabilities in many aviation systems. However, the resilience of aircraft landing systems to adversarial wireless attacks has not yet been studied in the open literature, despite their criticality and the increasing availability of low-cost software-defined radio (SDR) platforms. In this paper, we investigate and demonstrate the vulnerability of aircraft instrument landing systems to wireless attacks. We analyze the instrument landing system (ILS) waveforms and show the feasibility of spoofing such radio signals using commercially available SDR, causing last-minute go-around decisions, and even missing the landing zone in low-visibility scenarios. We first show that it is possible to fully and in fine grain control the course deviation indicator, as displayed by the ILS receiver, in real time, and demonstrate it on aviation-grade ILS receivers. We analyze the potential of both an overshadowing attack and a lower-power single-tone attack. In order to evaluate the complete attack, we develop a tightly controlled closed-loop ILS spoofer. It adjusts the adversary’s transmitted signals as a function of the aircraft GPS location, maintaining power and deviation consistent with the adversary’s target position, causing an undetected off-runway landing. We demonstrate the integrated attack on an FAA-certified flight simulator (X-Plane) incorporating a spoofing region detection mechanism that triggers the controlled spoofing on entering the landing zone to reduce detectability. We systematically evaluate the performance of the attack against X-Plane’s AI-based autoland feature, and demonstrate a systematic success rate with offset touchdowns of 18 meters to over 50 meters. Finally, we discuss approaches towards secure and efficient aircraft landing systems.

Links HERE

Tool of the week

12 Israeli Infosec Start-up Companies To Notice

  • GuardiCore
  • BioCatch
  • NeuraLegion
  • Perimeter 81
  • Cognigo
  • SecBi
  • Cymulate
  • SCADAfence
  • Sixgill
  • Cynerio
  • PlainID
  • Cyabra

Link HERE

Remember: Tink


Link HERE

Not a tool BUT

The Risk of Authenticated Vulnerability Scans

Link HERE

Iranian Cyberespionage Tools Leaked Online

Link HERE

DSSuite – A Docker Container with Didier’s Tools

Link HERE


Other interesting articles

##AWS Security Essentials


Checklist:

  1. All infrastructure is recorded as code (e.g. Terraform, CloudFormation, Ansible, etc.)
  2. All infrastructure changes are made by an automated tool
  3. Console logins are restricted (perhaps to a handful of admins)
  4. Teams are educated and empowered to make necessary changes with automation
  5. Any existing directory (e.g. Active Directory) is replicated into AWS and used as the system of record
  6. Root account usage is limited to the tasks that require the root account
  7. Root account has MFA enabled
  8. Root account has no access keys (if possible)
  9. Users have no permissions outside ability to use STS to assume roles (side effect: less console usage!)
  10. MFA is enabled for all human users
  11. MFA required to access privileged roles
  12. Users are trained and given tools to make role assumption seamless and easy
  13. Users have no inline IAM policies
  14. Everything is deployed inside a VPC
  15. Flow logs are enabled and monitored
  16. Everything has a security group attached
  17. Any security group that allows access from 0.0.0.0/0 (any host on the Internet) has a detailed description and justification (perhaps using tags)
  18. All master keys / key encryption keys are stored with KMS
  19. All KMS keys have the rotation option enabled
  20. All AWS services that store data should use KMS
  21. Data encryption keys are generated using KMS master keys and stored encrypted
  22. Configuration analysis is performed at least daily, if not for every change
  23. CloudTrail is enabled for all active regions (or for all regions!)
  24. CloudWatch metrics and alarms are implemented for major violation cases
  25. GuardDuty is enabled
  26. All infrastructure changes trigger configuration audits
  27. Critical issues found in CI trigger an immediate response
  28. Use the CI pipeline to create a sign-off process that allows teams to move faster
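Several of the items above (10, 13 and 17) can be checked mechanically from a configuration snapshot. The following is an added example, not code from the linked article: it runs over a constructed snapshot shaped like the boto3 `describe_security_groups` and `list_users` responses, and the `Justification` tag name is an assumed convention, not an AWS default.

```python
"""Offline audit for checklist items 10, 13 and 17 above (added example).
Input is a constructed snapshot shaped like the boto3 responses of
ec2.describe_security_groups() and iam.list_users() / list_user_policies() /
list_mfa_devices(); real data fetched with boto3 goes through the same functions."""
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
JUSTIFICATION_TAG = "Justification"  # assumed tag-name convention, not an AWS default


def _tags(resource: dict) -> Dict[str, str]:
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def audit_security_groups(groups: List[dict]) -> List[str]:
    """Item 17: world-open ingress must carry a description and a justification tag."""
    findings = []
    for sg in groups:
        open_rules = []
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if WORLD_CIDRS & set(cidrs):
                proto = perm.get("IpProtocol", "-1")  # "-1" means all protocols
                port = "all" if proto == "-1" else perm.get("FromPort", "all")
                open_rules.append(f"{proto}/{port}")
        if not open_rules:
            continue  # only internal exposure; item 17 does not apply
        missing = []
        if not sg.get("Description", "").strip():
            missing.append("description")
        if not _tags(sg).get(JUSTIFICATION_TAG, "").strip():
            missing.append(f"{JUSTIFICATION_TAG} tag")
        if missing:
            findings.append(f"{sg['GroupId']}: world-open ingress "
                            f"{', '.join(open_rules)} missing {' and '.join(missing)}")
    return findings


def audit_iam_users(users: List[dict]) -> List[str]:
    """Items 10 and 13: every human user has MFA and carries no inline policies."""
    findings = []
    for user in users:
        if not user.get("MFADevices"):
            findings.append(f"{user['UserName']}: no MFA device")
        for policy in user.get("InlinePolicyNames", []):
            findings.append(f"{user['UserName']}: inline policy {policy}")
    return findings


# Constructed sample snapshot; IDs, ARNs and names are made up.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "Description": "public ALB",
     "Tags": [{"Key": "Justification", "Value": "customer-facing HTTPS listener"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "Description": "", "Tags": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "Description": "internal only", "Tags": [],
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                        "Ipv6Ranges": []}]},
]
SAMPLE_USERS = [
    {"UserName": "alice", "MFADevices": ["arn:aws:iam::123456789012:mfa/alice"],
     "InlinePolicyNames": []},
    {"UserName": "bob", "MFADevices": [], "InlinePolicyNames": ["AdminEverything"]},
]

if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_SECURITY_GROUPS) + audit_iam_users(SAMPLE_USERS):
        print(line)
```

Only sg-0bbb and user bob produce findings: the justified HTTPS group and the internal-only group pass item 17, and alice passes items 10 and 13.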

Links HERE and HERE


##Building Shopify’s Application Security Program

  • Scaling Secure Applications
  • Scaling Security Teams
  • Scaling Security interactions

Link HERE


##Vulnerabilities Management — 5 Ways to Find and Fix Open Source Vulnerabilities + Tools

Open source components are usually safe when they have a large community of people reviewing the code. That said, publishing the source code or having multiple sets of eyes reviewing the source code does not always guarantee that all security issues will be identified and fixed. Therefore, it is vital to include industry standard security policies into applications.

Link HERE


##Phishing and security keys

When it comes to online security, confusion about the risks can lead people to obsess over obscure threats while ignoring key innovations that could truly protect them. Even highly-targeted users like politicians and activists don’t fully appreciate the scourge of phishing, and many aren’t familiar with an emerging form of two-factor authentication known as “Security Keys” that we hope can stop it in its tracks.


Link HERE


##And finally, we’re under attack! 23+ Node.js security best practices


Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://www.virtuesecurity.com/tale-of-a-wormable-twitter-xss/

Description: Tale of a Wormable Twitter XSS.

URL: https://hackerone.com/reports/563870

Description: 1-click HackerOne account takeover on all Android devices (CVE-2019-5765).

Link HERE and credits to HERE


