Word of the week
As you would expect, it’s a “Huge Mistake to Memorize Your Passwords”
Here’s what to do instead — and which services you should use
Word of the week special
“Improbable to ransomware” & “Mission Improbable”
Link HERE (link is in English)
Crypto challenge of the week
Hacky Easter 2019! – started on the 16th of April!
Try this HARD one:
Facebook CTF 2019 writeups!
May 25th 2019: 1 year of GDPR Live! See incidents section below
Documentary on Global Surveillance
Link HERE – thanks to Naz
June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
HTTPS everywhere HERE
Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers
September 2019: PSD2 security mandatory
November 3rd 2020: Trump’s second term start
Book on the week/month
Super Security Books Hacking 2.0 Bundles – 3 days left!
Link HERE – thanks to Dave
Cipher Newsletter – Electronic Issue (EI) 149, May 31, 2019
Comic of the week
##Some OWASP stuff first
-The Secure Developer – Excellent Ways to Secure Your Spring Boot Application
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more
-It’s the Little Things II – by Nahamsec
Exploiting Vulnerabilities Through Proper Reconnaissance
-OWASP Cheat Sheets
-OWASP Amass 3.0
In-depth DNS Enumeration and Network Mapping
OWASP events HERE
All InfoSec events HERE
First AWS Security Conference – AWS re:Inforce 2019
Hack In Paris 2019 HERE
AppSec Europe Tel-Aviv May 2019 – HAPPENED LAST WEEK!
Global AppSec 2019 – Tel Aviv – mini write-up – Link HERE (videos soon)
OWASP Summit London – this week
Github repo HERE
More news next week!
The complete Security Events calendar – Peerlyst
Application Protection and Performance Monitoring
Using Datadog + Signal Sciences
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Not published yet at the time this was sent.
Last one link HERE
Transatlantic Cable podcast, episode 95 – by Kaspersky
Troy Hunt Weekly update 141
Incidents & events detail
Microsoft: Patch Windows BlueKeep Flaw Now!
The Microsoft Security Response Centre is strongly urging users affected by the Windows BlueKeep (CVE-2019-0708) bug to patch the flaw as soon as possible. The flaw, which lies in the Windows Remote Desktop Protocol (RDP), can be exploited without user interaction and could be used to spread self-replicating malware. More than 900,000 machines are not yet patched.
NSA warns Microsoft Windows users of cyber-attack risk
Apple unveiled a new authentication system that will allow users to log into third-party sites with their Apple ID, which the company says will make it tougher for apps to track users
A new malware, which pulls together several open-source components, appears to have been used in several document-based attacks January through April of this year
Expression Injection Vulnerability in Qlik Products
Google is rolling out a series of new policies aimed to eliminate malicious plugins from the extensions store of its Chrome browser
Malvertising attack on Microsoft Games
There have been a number of reports of fake virus warnings when using Microsoft Games (and possibly other apps)
App Advertisement SDK Forces Apps to Open Scam Banner Ads
App developers say that some of their programs that are available through the Windows Store are opening tech support scam advertisement banner ads without any user interaction. The issue affects apps that use the Advertising Software Development Kit to display ads
How your Company was Hacked using Google Calendar
Be careful with those calendar settings…
Don’t get me wrong… Google Calendar is great! It has tons of features and lets you keep track of your schedule, share it with colleagues and plan meetings within the company. But having so many features means that a small misconfiguration on Google Calendar can mean big digital security concerns for a corporation. Today, we’re gonna talk about how employees’ Google Calendars can pose a security threat to the company, and how a company can mitigate these threats. Let’s go!
ANOTHER MAC BUG LETS HACKERS INVISIBLY CLICK SECURITY PROMPTS
GandCrab ransomware operation says it’s shutting down
GandCrab crew says it made enough money and plans to retire within a month.
The creators of the GandCrab ransomware announced yesterday they were shutting down their Ransomware-as-a-Service (RaaS) operation.
Research of the week
Disclosing Tor users’ real IP address through 301 HTTP Redirect Cache Poisoning
This blog post describes a practical application of the “HTTP 301 Cache Poisoning” attack that can be used by a malicious Tor exit node to disclose the real IP address of chosen clients
Chaining Multiple Vulnerabilities to Gain Admin Access
Security Monitoring Best Practices for Azure
The cost of cybercrime – Bruce Schneier
Link HERE – thanks to Simon
Tool of the week
nginx njs Vulnerability exploit
Remember: Awesome Golang Security
PenTesters Framework (PTF) v2.3
“All the Tools” released. Adds 7 new tools including rdp scanner, support for internal gitlab, support for customized installs of only certain tools, and more
GitHub token scanning
Other interesting articles
##The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise
This is about my recent hack and I personally find it one of the most curious and unusual hacks of my bug bounty journey, in which an open redirection led me to an AWS EC2 credentials compromise in India’s leading fintech company. Below I’ll explain how I was able to access AWS credentials by first finding an unusual redirection, then getting a kind of Remote File Inclusion (RFI), escalating it to Server Side Request Forgery (SSRF) and finally getting hold of the AWS EC2 credentials
##Bypassing CSP with policy injection
Whilst testing PayPal looking for ways to bypass CSP and mixed content protection I found an interesting behaviour. PayPal was putting a GET parameter called token inside the report-uri directive of their CSP. I found that by changing the token parameter it was possible to inject directives into the policy. Most browsers simply skip over invalid CSP directives, but Edge behaves differently. If it encounters invalid syntax, Edge will drop the entire policy! I fuzzed Edge to find ways of breaking the CSP with as few characters as possible, and found you could simply use a semi-colon and an underscore
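As an added illustration of the report-uri issue described above (example code, not from the original post or from PayPal), here is a defender-side sketch in Python: a naive header builder that concatenates the request token into the policy, a hardened builder that validates and percent-encodes it, and a check that flags directive names the application never set. The report endpoint URL and the token alphabet are assumptions.

```python
import re
from typing import List, Set
from urllib.parse import quote

# Constructed values: the reporting endpoint and the shape a legitimate token is assumed to have.
REPORT_ENDPOINT = "https://example.com/csp-report"
TOKEN_RE = re.compile(r"^[A-Za-z0-9-]{8,64}$")
EXPECTED_DIRECTIVES = {"default-src", "report-uri"}


def build_csp_naive(token: str) -> str:
    """Naive builder: the request parameter lands in the header unchanged.
    A ';' inside the token terminates report-uri and starts a new directive,
    which is the policy-injection behaviour described in the post."""
    return f"default-src 'self'; report-uri {REPORT_ENDPOINT}?token={token}"


def build_csp_hardened(token: str) -> str:
    """Hardened builder: reject tokens outside the expected alphabet, then
    percent-encode so ';' and whitespace can never act as policy syntax."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("report-uri token rejected")
    return f"default-src 'self'; report-uri {REPORT_ENDPOINT}?token={quote(token, safe='')}"


def directive_names(policy: str) -> List[str]:
    """Split a serialized policy on ';' and return the directive names, as a browser parser would."""
    return [part.strip().split()[0] for part in policy.split(";") if part.strip()]


def injected_directives(policy: str, expected: Set[str] = EXPECTED_DIRECTIVES) -> List[str]:
    """Detection helper: names present in the emitted header that the application never set.
    Run over outgoing responses (or a log of them) to spot a policy that was broken open."""
    return [name for name in directive_names(policy) if name not in expected]


if __name__ == "__main__":
    # Constructed tokens: a legitimate one and the ';_' variant the post reports breaking Edge.
    print(injected_directives(build_csp_naive("abcd1234-token")))  # []
    print(injected_directives(build_csp_naive("abcd1234;_")))      # ['_']
```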
##Stop writing code comments (Do you agree??)
##On Open Source Security – from Jemurai
We have lots of ideas for open tools. Some are harder than others. Some require more input or resources. A smattering:
We actually have a network scanner, a cloud scanner, a code review assist tool and a cloudtrail log analyzer that we built that we might open source
##And finally, Not Knowing Is OK (??) and Train yourself to be less naïve
Embrace ambiguity, investigate reality.
What do we trust? What can we believe—and what can’t we? What does it take to change people’s minds, at a moment when the truth itself is in doubt?
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: Disclose files content from Facebook internal CDNs.
Description: Abusing jQuery for CSS powered timing attacks.