Security Stack Sheet #56

Word of the week

As you would expect, it’s a “Huge Mistake to Memorize Your Passwords”

Here’s what to do instead — and which services you should use


Link HERE

Word of the week special

“Improbable to ransomware” & “Mission Improbable”


Links HERE and HERE and HERE and HERE

Bonus 


Links HERE and HERE


Link HERE


Link HERE (link is in English)


Link HERE and Apple adds ASWebAuthenticationSession to macOS 10.15 HERE


Link HERE

Crypto challenge of the week

Hacky Easter 2019! – started on the 16th of April!

Link HERE


Try this HARD one:

CoUmpact DiAsc

Today the new eggs for HackyEaster 2019 were delivered, but unfortunately the password was partly destroyed by water damage

symphony

Link HERE

Facebook CTF 2019 writeups!


Links HERE and HERE and HERE


Dates

May 25th 2019: 1 year of GDPR Live! See incidents section below

Documentary on Global Surveillance

Link HERE – thanks to Naz

June 30th 2018: PCI DSS deadline to retire SSL and early TLS (TLS 1.0); TLS 1.1 is the bare minimum still accepted, TLS 1.2 strongly recommended. BEWARE!

Link HERE

Now: TLS 1.2 (or 1.3) is the practical minimum for proper security

HTTPS everywhere HERE

Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers

Link HERE
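As an added illustration of the staged deprecation the linked post describes (example code written for this newsletter, not Cloudflare's own Worker), here is a Worker that reads the protocol the client negotiated with the edge from request.cf.tlsVersion and treats TLS 1.0/1.1 clients in phases: pass-through with a warning header before a cut-off date, a 426 Upgrade Required page after it, with a small allowlist of paths that keep working so legacy clients can still reach the upgrade notice. The cut-off date, the /legacy-tls-notice path and the X-Legacy-TLS-Deprecation header name are assumptions.

```javascript
// Example Cloudflare Worker written for this newsletter (not Cloudflare's code).
// Cloudflare exposes the protocol the client negotiated with the edge as
// request.cf.tlsVersion, e.g. "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3".

const LEGACY_TLS = new Set(['TLSv1', 'TLSv1.1']);

// Hypothetical cut-off: before it legacy clients get through with a warning
// header, after it they are refused.
const HARD_CUTOFF = new Date('2019-07-01T00:00:00Z');

// Hypothetical paths that stay reachable for legacy clients so they can read
// the upgrade notice (and crawlers keep getting robots.txt).
const GRACE_PATHS = new Set(['/legacy-tls-notice', '/robots.txt']);

// A missing or unknown version is treated as legacy: fail closed.
function isLegacyTls(tlsVersion) {
  return typeof tlsVersion !== 'string' || LEGACY_TLS.has(tlsVersion);
}

// Pure policy decision: 'allow' (pass to origin), 'warn' (pass to origin but
// flag the response) or 'block' (serve the upgrade page). Kept free of the
// Workers runtime so it can be unit tested outside Cloudflare.
function tlsPolicy(tlsVersion, pathname, now = new Date()) {
  if (!isLegacyTls(tlsVersion)) return 'allow';
  if (GRACE_PATHS.has(pathname)) return 'allow';
  return now < HARD_CUTOFF ? 'warn' : 'block';
}

const UPGRADE_PAGE =
  '<!doctype html><title>TLS upgrade required</title>' +
  '<p>This site no longer accepts TLS 1.0 or 1.1. Please update your browser or client.</p>';

async function handleRequest(request) {
  const url = new URL(request.url);
  const tlsVersion = request.cf && request.cf.tlsVersion;
  const decision = tlsPolicy(tlsVersion, url.pathname);

  if (decision === 'allow') return fetch(request);

  if (decision === 'warn') {
    const upstream = await fetch(request);
    // Headers of a fetched Response are immutable; copy it before editing.
    const resp = new Response(upstream.body, upstream);
    // Hypothetical header name; lets site owners spot legacy clients in logs.
    resp.headers.set('X-Legacy-TLS-Deprecation', `refused after ${HARD_CUTOFF.toISOString()}`);
    return resp;
  }

  // 426 Upgrade Required: the client must switch protocols to proceed.
  return new Response(UPGRADE_PAGE, {
    status: 426,
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store' },
  });
}

// Register the handler only inside the Workers runtime; addEventListener is
// not defined when this file is loaded under plain Node for testing.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handleRequest(event.request)));
}
```

request.cf is only populated at Cloudflare's edge, so the decision logic lives in tlsPolicy and is exercised directly in tests; handleRequest just maps the decision onto responses. Use 426 rather than 403 so the refusal is distinguishable from an authorisation problem in client logs.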

Halloween Brexit! or later or not or bust Brexit Fatigue HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start


Praise..


Link HERE

Book on the week/month

Super Security Books Hacking 2.0 Bundles – 3 days left!


Link HERE – thanks to Dave

Cipher Newsletter – Electronic Issue (EI) 149,  May 31, 2019

Link HERE


Comic of the week

Dilbert by Scott Adams

##Some OWASP stuff first

-The Secure Developer – Excellent Ways to Secure Your Spring Boot Application

Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more

Link HERE

-It’s the Little Things II – by Nahamsec

Exploiting Vulnerabilities Through Proper Reconnaissance


Tools:

Link HERE

-OWASP Cheat Sheets

Project updates:

  • CSRF, Session management, XSS and Password storage cheat sheets updated.
  • Typo fixes in several cheat sheets

Link HERE

-OWASP Amass 3.0

In-depth DNS Enumeration and Network Mapping

Link HERE


Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019 HAPPENED LAST WEEK!


Global AppSec 2019 – Tel Aviv – mini write-up – Link HERE (videos soon)

OWASP Summit London – this week

Github repo HERE

More news next week!

The complete Security Events calendar – Peerlyst

Link HERE

Application Protection and Performance Monitoring

Using Datadog + Signal Sciences

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE (find your country)

Link HERE

NCSC Weekly Threat Report


Not published yet at the time this was sent.

Last one link HERE

Transatlantic Cable podcast, episode 95 – by Kaspersky

Links HERE

Troy Hunt Weekly update 141


Link HERE


Incidents & events detail

Microsoft: Patch Windows BlueKeep Flaw Now!


The Microsoft Security Response Centre is strongly urging users affected by the Windows BlueKeep (CVE-2019-0708) bug to patch the flaw as soon as possible. The flaw, which lies in the Windows Remote Desktop Protocol (RDP), is pre-authentication, can be exploited without user interaction and could be used to spread self-replicating malware. More than 900,000 Internet-facing machines are not yet patched. Microsoft considered it serious enough to ship fixes for out-of-support Windows XP and Server 2003 as well. Enabling Network Level Authentication (NLA) is only a partial mitigation, since it forces an attacker to authenticate before the vulnerable code path is reached; disabling RDP where it is not needed and patching are the real fixes.
[Williams]
This is a “patch now” vulnerability! I personally know of multiple individuals with reliable, weaponized exploits for the vuln. The real number of unpatched machines likely remains in the tens of millions, but the 900,000 number reflected in media reporting is just what is publicly accessible from the Internet. So far there hasn’t been much attention paid to the restraint shown by researchers in this matter, but it’s been significant. There would ordinarily be a rush to publish once you’ve developed a working exploit, but I don’t know of anyone who has done so. This restraint won’t stop an eventual worm from emerging when bad actors get code working, but every extra patching day before one emerges is significant

Links HERE and HERE and HERE

NSA warns Microsoft Windows users of cyber-attack risk

Links HERE and HERE

Apple unveiled a new authentication system that will allow users to log into third-party sites with their Apple ID, which the company says will make it tougher for apps to track users
Link HERE


Link HERE

A new malware, which pulls together several open-source components, appears to have been used in several document-based attacks January through April of this year
Link HERE

Expression Injection Vulnerability in Qlik Products

Link HERE

Google is rolling out a series of new policies aimed to eliminate malicious plugins from the extensions store of its Chrome browser
Link HERE

Malvertising attack on Microsoft Games

There have been a number of reports of fake virus warnings when using Microsoft Games (and possibly other apps).


Link HERE

App Advertisement SDK Forces Apps to Open Scam Banner Ads

App developers say that some of their programs that are available through the Windows Store are opening tech support scam advertisement banner ads without any user interaction. The issue affects apps that use the Advertising Software Development Kit to display ads

Link HERE

How your Company was Hacked using Google Calendar

Be careful with those calendar settings…

Don’t get me wrong… Google Calendar is great! It has tons of features and lets you keep track of your schedule, share it with colleagues and plan meetings within the company. But having so many features means that a small misconfiguration on Google Calendar can mean big digital security concerns for a corporation. Today, we’re gonna talk about how employees’ Google Calendars can pose a security threat to the company, and how a company can mitigate these threats. Let’s go!

Link HERE

ANOTHER MAC BUG LETS HACKERS INVISIBLY CLICK SECURITY PROMPTS

Link HERE

GandCrab ransomware operation says it’s shutting down

GandCrab crew says it made enough money and plans to retire within a month.

The creators of the GandCrab ransomware announced yesterday they were shutting down their Ransomware-as-a-Service (RaaS) operation.

The GandCrab RaaS is an online portal where crooks sign up and pay to get access to custom builds of the GandCrab ransomware, which they then distribute via email spam, exploit kits, or other means.

Link HERE

Research of the week

Disclosing Tor users’ real IP address through 301 HTTP Redirect Cache Poisoning

This blog post describes a practical application of the “HTTP 301 cache poisoning” attack that a malicious Tor exit node can use to disclose the real IP address of chosen clients: the exit node answers a plaintext HTTP request with a permanent redirect to an attacker-controlled URL, the browser caches that 301, and any later visit to the same URL from a connection that does not go through Tor follows the cached redirect and hands the attacker the client's real address. Plaintext HTTP is the precondition; HTTPS with HSTS leaves the exit node no response to tamper with.

Link HERE

Chaining Multiple Vulnerabilities to Gain Admin Access

Link HERE

Security Monitoring Best Practices for Azure


Link HERE and Microsoft Azure Being Used to Host Malware and C2 Servers HERE

The cost of cybercrime – Bruce Schneier

Link HERE – thanks to Simon

Tool of the week

nginx njs Vulnerability exploit

Link HERE

Remember: Awesome Golang Security

Link HERE

PenTesters Framework (PTF) v2.3

“All the Tools” released. Adds 7 new tools including an RDP scanner, support for internal GitLab, support for customized installs of only certain tools, and more

Link HERE

GitHub token scanning

Link HERE


Other interesting articles

##The Unusual Case of Status Code 301 Redirection to AWS Security Credentials Compromise

This is about my recent hack, which I personally find one of the most curious and unusual hacks of my bug bounty journey, in which an open redirection led me to an AWS EC2 credentials compromise at India’s leading fintech company. Below I’ll explain how I was able to access AWS credentials by first finding an unusual redirection, then getting a kind of Remote File Inclusion (RFI), escalating it to Server Side Request Forgery (SSRF) and finally getting hold of the AWS EC2 credentials

Link HERE
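The chain above works because a server-side "fetch this URL" feature trusted the URL it was given and let its HTTP client follow the 301 on its own, straight into the EC2 instance metadata service at 169.254.169.254 where the instance's IAM credentials live. As an added example (written for this newsletter, not the researcher's or the affected company's code), here are the two controls that break the chain: validating the target against a host allowlist plus internal/link-local ranges, and re-validating every redirect hop instead of delegating redirects to the client. The allowlisted host names, the stub that plays the open redirector, and the hop limit are assumptions.

```javascript
// Example written for this newsletter (not the bug bounty author's code).
// Hypothetical allowlist of hosts a server-side URL fetcher may contact.
const ALLOWED_HOSTS = new Set(['cdn.example.com', 'api.example.com']);

// Ranges a server-side fetch should never reach: "this" network, RFC 1918,
// loopback, CGNAT and link-local, which includes the EC2 metadata service at
// 169.254.169.254 that holds the instance's IAM credentials.
function isBlockedIpv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return false;
  const [a, b] = parts.map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Decide whether a URL may be fetched. new URL() normalises the alternative
// spellings of an IPv4 address (decimal "2852039166", hex "0xa9fea9fe") to
// dotted form, so the range check sees the real target.
// Returns { ok: true, url } or { ok: false, reason }.
function validateTarget(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname;
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literals not allowed' };
  if (isBlockedIpv4(host)) return { ok: false, reason: `${host} is internal/link-local` };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: `${host} not in allowlist` };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  return { ok: true, url };
}

// Fetch with redirects handled by hand so every Location header is validated
// before it is requested. fetchImpl is injected (the real fetch in production,
// a stub in tests) and is always called with redirect: 'manual'.
async function fetchWithValidatedRedirects(raw, fetchImpl, maxHops = 3) {
  let current = raw;
  for (let hop = 0; hop <= maxHops; hop++) {
    const check = validateTarget(current);
    if (!check.ok) throw new Error(`refusing ${current}: ${check.reason}`);
    const res = await fetchImpl(check.url.toString(), { redirect: 'manual' });
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) throw new Error('redirect without Location header');
      // Resolve relative Locations against the URL that issued the redirect.
      current = new URL(location, check.url).toString();
      continue;
    }
    return res;
  }
  throw new Error('too many redirects');
}

// Constructed stub standing in for the chain in the article: an allowlisted
// host answers with an open redirect to the metadata service.
function fakeOpenRedirectFetch(url) {
  if (url.startsWith('https://cdn.example.com/')) {
    return Promise.resolve({
      status: 301,
      headers: new Map([['location', 'http://169.254.169.254/latest/meta-data/iam/security-credentials/']]),
    });
  }
  return Promise.resolve({ status: 200, headers: new Map(), body: `fetched ${url}` });
}
```

Two caveats a practitioner should keep in mind. A name-based allowlist says nothing about where the name resolves, so a hardened fetcher should also resolve the host itself, check the resolved address against the same ranges and pin it for the connection (DNS rebinding). And on the instance side, requiring AWS's token-based IMDSv2 with a hop limit of 1 stops a plain GET from a proxied request reaching the credentials endpoint at all.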


##Bypassing CSP with policy injection

Whilst testing PayPal looking for ways to bypass CSP and mixed content protection I found an interesting behaviour. PayPal was putting a GET parameter called token inside the report-uri directive of their CSP. I found that by changing the token parameter it was possible to inject directives into the policy. Most browsers simply skip over invalid CSP directives, but Edge behaves differently. If it encounters invalid syntax, Edge will drop the entire policy! I fuzzed Edge to find ways of breaking the CSP with as few characters as possible, and found you could simply use a semi-colon and an underscore

Link HERE
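To make the bug class concrete, here is an added example (written for this newsletter; not PayPal's code and not a browser's CSP engine) that builds the header the vulnerable way and the hardened way and then evaluates it under two parsing models: the spec behaviour, where an unknown directive is skipped, and the behaviour the post reports for Edge, where one invalid directive name discards the whole policy. The directive list, the parsing model and the sample token values are simplifications chosen for illustration.

```javascript
// Example written for this newsletter, modelling the CSP policy-injection
// pattern from the PortSwigger post; not PayPal's or any browser's code.

const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'object-src', 'base-uri', 'frame-ancestors', 'report-uri',
]);

// Vulnerable: a request-controlled token is concatenated into the header,
// so a ';' inside it starts a new directive.
function buildCspVulnerable(token) {
  return `default-src 'self'; script-src 'self'; report-uri /csp-report?token=${token}`;
}

// Hardened: accept only a tight character class, then percent-encode anyway
// so neither ';' nor whitespace can ever reach the header value.
function buildCspHardened(token) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(token)) {
    throw new Error('rejected CSP report token');
  }
  return `default-src 'self'; script-src 'self'; report-uri /csp-report?token=${encodeURIComponent(token)}`;
}

// Minimal CSP parser: directives are ';'-separated, each "name value value...".
function parseCsp(header) {
  return header
    .split(';')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => {
      const [name, ...values] = s.split(/\s+/);
      return { name: name.toLowerCase(), values };
    });
}

// CSP keeps only the first occurrence of a directive name; a later duplicate
// is ignored, so injecting "script-src *" after the real one changes nothing.
function firstOccurrenceWins(directives) {
  const seen = new Set();
  return directives.filter((d) => !seen.has(d.name) && seen.add(d.name));
}

// Spec behaviour: an unrecognised directive is dropped and the rest of the
// policy still applies.
function effectivePolicyLenient(header) {
  return firstOccurrenceWins(parseCsp(header)).filter((d) => KNOWN_DIRECTIVES.has(d.name));
}

// The behaviour the post reports for Edge: one unrecognised directive name
// (the "_" from the ";_" payload) and the whole policy is discarded, leaving
// the page with no CSP at all.
function effectivePolicyEdgeLike(header) {
  const directives = firstOccurrenceWins(parseCsp(header));
  return directives.every((d) => KNOWN_DIRECTIVES.has(d.name)) ? directives : [];
}
```

The lenient model shows why the injection is worth little in browsers that follow the spec: the attacker's extra directive is either unknown and skipped, or a duplicate of an existing one and ignored. The Edge-like model shows why two characters were enough there. The fix is in buildCspHardened, and the same rule applies to any header assembled from request data: validate against an allowlist of characters, and encode on output.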


##Stop writing code comments (Do you agree??)


Link HERE


##On Open Source Security – from Jemurai

We have lots of ideas for open tools. Some are harder than others. Some require more input or resources. A smattering:

  1. open static analysis (This seems to be hard)
  2. authorization testing framework
  3. security unit testing framework
  4. auto provisioning / sandboxing for cloud resources
  5. log config / review (cloudtrail)
  6. policies

We actually have a network scanner, a cloud scanner, a code review assist tool and a cloudtrail log analyzer that we built that we might open source

Link HERE


##And finally, Not Knowing Is OK (??) and Train yourself to be less naïve


Embrace ambiguity, investigate reality.

What do we trust? What can we believe—and what can’t we? What does it take to change people’s minds, at a moment when the truth itself is in doubt?

Links HERE and HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://ysamm.com/?p=272

Description: Disclose files content from Facebook internal CDNs.

URL: https://portswigger.net/blog/abusing-jquery-for-css-powered-timing-attacks

Description: Abusing jQuery for CSS powered timing attacks.

Link HERE and credits to HERE
