Security Stack Sheet #54

Word of the week “To Bounty or not to Bounty”

bug bounty programs

Links HERE and HERE and HERE and HERE

Word of the week special

“Threat Modelling Serverless”

Links HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE

Bonus 

Link HERE

Link HERE

Crypto challenge of the week

Hacky Easter 2019! – started on the 16th of April!

Link HERE

Try this easy one:

Call for Papers Challenge

Please read and review my CFP document, for the upcoming IAPLI Symposium.

I didn’t write it myself, but used some artificial intelligence.

What do you think about it?

Link HERE

Don’t forget about: Facebook CTF 2019

Facebook will host its first global Capture the Flag (#CTF) competition June 1-3, 2019. CTF participants will be tasked with solving various security challenges to earn points using skills like cryptography, reverse engineering, and web & binary exploitation.

Link HERE Join team Sagoldiers!

Dates

May 25th 2019: 1 year of GDPR Live! See incidents section below

Remember: GDPR Whiteboard

Reasons to love GDPR?!

Link HERE

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers

Link HERE

Halloween Brexit! or later or not or bust Brexit Fatigue HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

Book on the week/month

Cryptonomicon

Cryptonomicon zooms all over the world, careening conspiratorially back and forth between two time periods: World War II and the present. Our 1940s heroes are the brilliant mathematician Lawrence Waterhouse, cryptanalyst extraordinaire, and gung-ho, morphine-addicted marine Bobby Shaftoe. They’re part of Detachment 2702, an Allied group trying to break Axis communication codes while simultaneously preventing the enemy from figuring out that their codes have been broken.

Link HERE

Comic of the week

Cartoon: Post-GDPR World (TeachPrivacy GDPR Training)

Same today…

## Some OWASP stuff first

-AppSec Podcast – Nancy Gariché and Tanya Janca — DevSlop, the movement

Link HERE

-The Secure Developer Sessions – Using SS Octopus by Shraya Ramani

As BuzzFeed transitioned to microservices it needed to secure a growing number of internal tools. Our first solution was an open source auth service deployed in front of each app, but this approach had a number of scaling issues. The talk will discuss sso, our open-source, homegrown, centralized solution which elegantly solved this problem.

Links HERE

-Remember: Creating a graph-based security organisation – Dinis Cruz (Keynote at DevSecCon London 2017)

Link HERE

-ZAP 2.8.0 SOON!

Link HERE

-NorthSec CTF 2019 Part 1: DOOM

Last weekend I was in Montreal for the NorthSec conference and Capture The Flag (CTF). Briefly, the CTF is a 48-hour event where teams compete to solve security problems in order to earn points.
Each problem involves finding or otherwise earning a flag, some unique, hard-to-guess text like FLAG_{blah blah}, which you then submit to prove you’ve solved the problem. Flags can be in plain sight around the event site, they can be rewards for completing physical challenges, hidden in audio or image files, or they can be in a file or in memory on some system you need to crack.

Link HERE

-Browser Exploitation

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019 – is actually NEXT WEEK!

Link HERE

OWASP Summit London early June 2019

Remember you can join remotely for FREE!

Link HERE

The complete Security Events calendar – Peerlyst

Link HERE

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incident data HERE Find your country

Link HERE

NCSC Weekly Threat Report

TalkTalk customer details found online following 2015 data breach

The personal information of 4,545 TalkTalk customers, including bank details, has been found online following a data breach back in 2015.
Viewers had contacted BBC’s Watchdog Live to raise concerns; however, TalkTalk, which had failed to inform the affected customers, stressed that no new details have been compromised. The firm stated: “The customer data referred to by BBC Watchdog relates to the historical October 2015 data breach. It is not a new incident.”

Instagram data stored insecurely

Instagram is investigating how contact details of almost 50 million of its users were stored online in an insecure database.

Security researcher Anurag Sen discovered the database and alerted online publication TechCrunch in an effort to find the owner and get the database secured.

Hackers breach Stack Overflow Q&A site

Stack Overflow, a question and answer site for programmers, has suffered a breach in which hackers were able to exploit a bug to gain access.

The company’s latest update confirms that hackers were able to get access to user data but stressed it was for only a small number of users.

Link HERE

Transatlantic Cable podcast, episode 93 – by Kaspersky

Links HERE

Troy Hunt Weekly update 139

Link HERE

Incidents & events detail

Faulty database script brings Salesforce to its knees

Faulty production script gave users access to all their company’s Salesforce data

Link HERE

Rootpipe Reborn (Part I)

CVE-2019-8513 TimeMachine root command injection

Link HERE

Root account misconfigurations found in 20% of top 1,000 Docker containers

Issue similar to Alpine Linux’s CVE-2019-5021 impacts 194 other Docker images

Links HERE and Nearly 20% of the 1000 Most Popular Docker Containers Have No Root Password HERE

Microsoft Defender ATP for Mac now in open public preview

Link HERE

SHA-1 collision attacks are now actually practical and a looming danger

Research duo showcases chosen-prefix collision attack against SHA-1

Link HERE

Finding Candidates for Subdomain Takeovers

A subdomain takeover occurs when a subdomain (like example.jarv.is) points to a shared hosting account that is abandoned by its owner, leaving the endpoint available to claim for yourself.

Link HERE

Coverage available for critical vulnerability in Microsoft Remote Desktop Protocol

Microsoft continues to urge users to update to the latest version of the Remote Desktop Protocol to patch a wormable remote code execution bug. The vulnerability opens up victims to an attack where malware spreads from one machine to another once this bug is exploited only once. The company disclosed this vulnerability as CVE-2019-0708 last week as part of its monthly security update.

Links HERE and HERE

GOOGLE HAS STORED SOME PASSWORDS IN PLAINTEXT SINCE 2005

Link HERE

Link HERE

Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques

Link HERE

Cisco Starts Patching Firmware Bug; Millions of Devices Still Vulnerable

Link HERE

Online identification is getting more and more intrusive

Phones can now tell who is carrying them from their users’ gaits.

  • Used wisely, behavioural biometrics could be a boon. As Neil Costigan, the boss of BehavioSec, a behavioural-biometrics firm in San Francisco, observes, the software can toil quietly in the background, continuously authenticating account-holders without badgering them for additional passwords, their mother’s maiden name “and all that nonsense”. Unifyid and an unnamed car company are even developing a system that unlocks the doors of a vehicle once the gait of the driver, as measured by his phone, is recognised.
  • Used unwisely, however, the system could become yet another electronic spy on people’s privacy, permitting complete strangers to monitor your every action, from the moment you reach for your phone in the morning, to when you fling it on the floor at night.

Link HERE

The Most Expensive Lesson Of My Life: Details of SIM port hack

Link HERE

Database of 49 Million Instagram Influencers Leaked Online

Link HERE

Abusing jQuery for CSS powered timing attacks

Link HERE

Link HERE

Remote iPhone bug

Link HERE

Abusing Code Signing for Profit

Link HERE

Research of the week

Ponemon Institute Research: The State of Web Application Firewalls

This new research, sponsored by Cequence Security, reveals a concerning trend: WAFs are failing to provide effective protection against application-layer attacks.

Links HERE and HERE

Fun With Custom URI Schemes

Link HERE

Tool of the week

NCSC Exercise in a Box

An online tool which helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment.

Link HERE

10 of the most common tools used in Hacking

Featuring:

OpenVas

Open Vulnerability Assessment System (OpenVAS) is a full-featured vulnerability scanner that is developed and maintained by Greenbone Networks. It is very similar to Nessus, especially since it was originally forked from the last free version of Nessus and the plugins are still written in the Nessus NASL language.

Link HERE

Pentest/BugBounty progress control with scanning modules

It can launch

  • masscan
  • nmap
  • dirsearch
  • amass
  • patator

against the scope you work on and stores the data in a handy form.

Link HERE

The SaaS CTO Security Checklist

Security shouldn’t feel like a chore. This second edition of the SaaS CTO Security Checklist provides actionable security best practices for CTOs or developers.

Link HERE

Awesome-Cellular-Hacking

Link HERE

Crawler (Bot) searching for credential leaks on different paste sites

Link HERE

Using Shodan Monitoring

Link HERE

SensorID

Sensor Calibration Fingerprinting for Smartphones

Link HERE

Other interesting articles

## How to Upgrade Your XSS Bugs from Medium to Critical

Before you report an XSS, look for ways it can be leveraged to increase severity. Here’s my repo containing weaponised JavaScript payloads for popular platforms like WordPress and Drupal.

Link HERE

## From Grey to White — An Unspoken Ethical Journey in Cyber Security

I write this blog entry at the risk of tarnishing my personal and professional reputation. I do so in hopes that it will help others who are starting out in this industry or those who are still in the grey zone know that this is likely a familiar path for a lot of us “professionals” in this space. We don’t speak of it, often times because of the ethical oaths we’ve taken in order to obtain our professional certifications or positions in law enforcement, etc. It’s also something I think we’ve put behind us…

Link HERE

## And finally, AWS IoT Coffee Monitor – Part 1

If you’re a serial coffee drinker like me, 5 to 10 cups of coffee a day is normal, and if you’re also like me, there are times when you’re busy/in the zone/distracted and before you know it, that last sip was ice cold, eww.

Getting up to rewarm your coffee in the microwave is super annoying. Let’s say I drink best case (worst for some) 10 cups a day, and that 50% go cold while I am working. Then let’s say that I have at least started to sip on the coffee and that half is drunk. To heat half a cup takes about 30 seconds, so 5 cups takes about 2.5 minutes a day. That is 12.5 minutes a week, 50 minutes a month and 10 hours a year, give or take. This does not even factor in the trip to the microwave and back (+-20 seconds) or all of the distractions and coworkers along the way.

So I don’t know about you, but wasting +-10 hours a year on reheating coffee is not acceptable.

Link HERE Part 2 HERE

AND

## RealTalk: This Speech Synthesis Model Our Engineers Built Recreates a Human Voice Perfectly

Link HERE

## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/450365

Description: Remote Code Execution in epoch via epmd.

URL: https://zeropwn.github.io/2019-05-13-xss-to-rce/

Description: A Questionable Journey From XSS to RCE (CVE-2019-11354).

Link HERE and credits to HERE
