Security Stack Sheet #55

Word of the week

Links HERE and HERE and HERE and HERE and HERE and Node.js Application Security HERE and HERE and Angular 5 Security HERE

Magecart Supply-chain Frenzy Continues With AppLixir, RYVIU, OmniKick, eGain, AdMaxim, CloudCMS & Picreel

Link HERE

Word of the week special

“Internet of Shit”


Link HERE – thanks to Mike HERE

Other links HERE and HERE and HERE and HERE and HERE

Bonus 


Acquisitions


Link HERE


What page is this? Oh, yes..

“In a case like this, the name of the tab kind of explains what’s going on, but hey, at least the login prompt is still there!” Geoff G. writes.


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE

Crypto challenge of the week

Hacky Easter 2019! – started on the 16th of April!

Link HERE


Try this MEDIUM one:

Egg Storage

Challenge 18

Last year someone stole some eggs from Thumper.

This year he decided to use cutting edge technology to protect his eggs.

Link HERE

Don’t forget about: Facebook CTF 2019 starts this Saturday!


Facebook will host its first global Capture the Flag (#CTF) competition June 1-3, 2019. CTF participants will be tasked with solving various security challenges to earn points, using skills like cryptography, reverse engineering, and web & binary exploitation.

Link HERE Join team Sagoldiers!

Dates

May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR After One Year: Costs and Unintended Consequences


Link HERE

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance – BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers

Link HERE

Halloween Brexit! Or later, or not, or bust. Brexit Fatigue HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

Book on the week/month

Super Security Books Hacking 2.0 Bundles


Link HERE – thanks to Dave

Comic of the week

Counting Morons - Dilbert by Scott Adams

## Some OWASP stuff first

- AppSec Podcast – Björn Kimminich – The new JuiceShop, GSOC, and OWASP Summit

Link HERE

- Securing Web Apps with Modern Platform Features


Link HERE

- The Secure Developer – Ep. #31, Evangelizing Security with Tanya Janca of Microsoft

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019 HAPPENED THIS WEEK, more news next week!


OWASP Top 10 for Javascript Developers Link HERE

Event Link HERE

OWASP Summit London early June 2019

Remember you can join remotely for FREE!


Link HERE

The complete Security Events calendar – Peerlyst

Link HERE

LEVELUP 0X04 – June 1/2 Online Conference

LevelUp is a free series of online security conferences with content for the hacker and security researcher community.

LevelUp 0x04 features two days of content on all things Android hacking, penetration testing, collaborative hacking, OWASP, car hacking, and leveraging Frida for mobile.


Link HERE

2019 – Conference Survival Guide

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE – find your country

Link HERE

NCSC Weekly Threat Report


Online services suffer hacks exposing customer data

This week two popular online sites suffered hacks, exposing sensitive customer data.

Flipboard, a popular news aggregation app, confirmed that it had seen unauthorised access to databases containing some users’ account information, including full names, usernames, hashed passwords and email addresses.

Windows vulnerability still affecting nearly 1 million computers

A couple of weeks ago we wrote about a Remote Code Execution vulnerability (CVE-2019-0708) in our threat report, but to date almost a million computers are still vulnerable.

The vulnerability, which was privately reported to Microsoft by the NCSC, affects older versions of Windows and poses a serious threat. The NCSC works with vendors to help mitigate critical security issues before they cause real harm. We have a history of disclosing vulnerabilities to major software vendors, and the disclosure of CVE-2019-0708 to Microsoft is an example of that.

Link HERE

Transatlantic Cable podcast, episode 94 – by Kaspersky

Links HERE

Troy Hunt Weekly update 140


Link HERE

Incidents & events detail

Back to Firefox!!

Google to restrict modern ad blocking Chrome extensions to enterprise users

Link HERE

An estimated one million devices are still vulnerable to the wormable vulnerability that people are calling “BlueKeep,” which Microsoft disclosed earlier this month.

Link HERE

HTTP Strict Transport Security — Why you need it, five common mistakes and how to fix them


Link HERE

Exploiting two zero days in a Darktrace appliance (CVE-2019-9596 and CVE-2019-9597)

Link HERE

Increased Scanning for BlueKeep RDP Flaw

Over the weekend, a threat intelligence company detected increased scanning for Windows systems that have not patched the BlueKeep Remote Desktop Protocol (RDP) vulnerability. Microsoft released fixes for the flaw on Tuesday, May 14 as part of its monthly security update. In a nod to the severity of the issue, the company also released fixes for Windows XP, Vista, and other operating systems that are no longer actively supported. Users have been urged to upgrade as soon as possible, as the flaw is wormable and could be exploited by self-propagating malware.

Editor’s Note
[Neely]
While there are still no published exploits for this flaw, security companies have successfully developed exploits. Long story short: patch now and disable unneeded RDP.
[Murray]
As a rule, it is more important to patch thoroughly than urgently. There are exceptions.

Link HERE

Google data shows 2-factor authentication blocks 100% of automated bot hacks

Link HERE

A phony, malicious app on the Google Play store that steals users’ cryptocurrencies was downloaded more than 1,000 times before being removed recently.

Link HERE

NSA’s EternalBlue is Being Used in Ransomware Attacks

The ransomware attack that has crippled the city of Baltimore’s computer systems was fueled in part by a hacking tool developed by the National Security Agency (NSA). Dubbed EternalBlue by the NSA, the tool was stolen and leaked by a group known as Shadow Brokers in 2017. EternalBlue appears to have played a part in attacks against other cities’ IT systems, as well as systems at hospitals, airports, and other industries. Former NSA employees speaking anonymously said that prior to its theft, the agency considered EternalBlue such a useful tool that it did not consider telling Microsoft about the flaws it exploited until EternalBlue was leaked online.

Link HERE

Hackers claim to have stolen the personal data of millions of Australian graphic design startup Canva’s users

Link HERE

MacOS X GateKeeper Bypass

Link HERE

First American Mortgage Data Leak

First American Mortgage Corp., a real estate title insurance company, has acknowledged that 885 million files were inadvertently exposed due to a flaw in the company’s document transfer system. The affected documents date as far back as 2003 and contain bank account numbers, tax and mortgage records, and other sensitive information.
[Murray]
Save your CEO’s job. Ensure that you do not store privileges, capabilities, or sensitive data in the clear in URLs.

Link HERE

New research: How effective is basic account hygiene at preventing hijacking


Link HERE

Security Pitfalls with Multicloud Deployments

Link HERE

Snapchat pushed back on a report that some of its employees used privileged access to spy on some users.

Link HERE

Winnti malware now appears on Linux

A new variant of the Winnti malware has been spotted in the wild targeting Linux machines. The malware acts as a backdoor for attackers. It consists of two files: the main backdoor and a library that hides the malware’s activity. Winnti’s primary role is to handle communications with the command and control (C2) server and to deploy other modules fetched directly from it.

Link HERE

Research of the week

A glimpse into NATO’s Offensive Defence strategy


Link HERE – thanks to Naz

XML external entity (XXE) injection – explained by the creators of Burp


Link HERE

A Style-Based Generator Architecture for Generative Adversarial Networks

We propose an alternative generator architecture for generative adversarial networks, borrowing from style transfer literature. The new architecture leads to an automatically learned, unsupervised separation of high-level attributes (e.g., pose and identity when trained on human faces) and stochastic variation in the generated images (e.g., freckles, hair), and it enables intuitive, scale-specific control of the synthesis. The new generator improves the state-of-the-art in terms of traditional distribution quality metrics, leads to demonstrably better interpolation properties, and also better disentangles the latent factors of variation. To quantify interpolation quality and disentanglement, we propose two new, automated methods that are applicable to any generator architecture. Finally, we introduce a new, highly varied and high-quality dataset of human faces.


Link HERE

Counting Outdated Honeypots: Legal and Useful

Honeypots are intended to be covert, and so little is known about how many are deployed or who is using them. We used protocol deviations at the SSH transport layer to fingerprint Kippo and Cowrie, the two most popular medium-interaction SSH honeypots. Several Internet-wide scans over a one-year period revealed the presence of thousands of these honeypots. Sending specific commands revealed their patch status and showed that many systems were not up to date: a quarter or more were not fully updated, and by the time of our last scan 20% of honeypots were still running Kippo, which had last been updated several years earlier. However, our paper reporting these results was rejected from a major conference on the basis that our interactions with the honeypots were illegal and hence the research was unethical. We later published a much redacted account of our research which described the fingerprinting but omitted the results we had gained from issuing commands to check the patch status. In the present work we provide the missing results, but start with an extended ethical justification for our research and a detailed legal analysis to show why we did not infringe cybersecurity laws.

Link HERE


Link HERE

Tool of the week

Block ads at home using Pi-hole and a Raspberry Pi


Link HERE

Writing a Password Protected Bind Shell (Linux/x64)

Link HERE

Hands-on Penetration Testing with Metasploit 5

Link HERE

Continuous ThreatModeling methodology from Autodesk

Link HERE

Other interesting articles

## Provoking browser quirks with behavioural fuzzing

Fuzzing Firefox

In this post I’m going to walk you through how I used behavioural fuzzing to find multiple quirks in Firefox. Normally, when fuzzing, the goal is to find a crash indicating memory corruption, but my goal is different; I want to find interesting browser behaviour. That could be characters that open or close a tag that’s out of the ordinary, or maybe characters that are ignored by the JavaScript parser. Such unexpected behaviour can often be used to aid XSS attacks by bypassing security filters and escaping from JavaScript sandboxes.

Link HERE

## How to store/use sensitive information in Android development


Safely store sensitive information in the repository so that it can be shared with your colleagues and with CI/CD.

Link HERE

AND

Android vs iOS – which is more secure?


Link HERE

## Automate Your Initial Phase of Pentesting

Different automated and manual tools and techniques are used in pentesting. Depending on the target web application, the appropriate scanning is performed. Security researchers and pentesters always try to find vulnerabilities in the source code or in ports that are exposed. An ethical hacking researcher from the International Institute of Cyber Security, Delhi, India, recently demonstrated a critical vulnerability using a very basic…

Link HERE

## Facebook crypto to launch next year

Facebook wants to start testing its crypto-currency, known internally as “GlobalCoin”, by the end of this year, and launch in about a dozen countries in early 2020, according to reports. The social media giant intends to set up a digital system that allows for affordable and secure payment, even for users without bank accounts. The move could help Facebook diversify its revenue away from advertising. Regulators will likely keep a close eye, however, given recent criticism over the company’s handling of user data.


Link HERE

## And finally, The world of hackers


Link HERE

## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/341908

Description: XSS via Direct Message deeplinks.

URL: http://bit.ly/2WjQywF  (+)

Description: SVG XLink SSRF fingerprinting libraries version.

URL: https://medium.com/tenable-techblog/stealing-downloads-from-slack-users-be6829a55f63

Description: Stealing Downloads from Slack Users.

Link HERE and credits to HERE