Security Stack Sheet #58

Word of the week: “Protection from Deception”

New Chrome Protections from Deception


And the Tech


And deception based security


Links HERE and other deceptive articles HERE and HERE and HERE and HERE and Deception Tech companies HERE

Word of the week special

“Password length mis-management” – part 2


Oldie goldie 🙂


Link HERE

Bonus



Link HERE – thanks to Mike


Link HERE


Link HERE


Link HERE and faulty (?) Report HERE

Crypto challenge of the week

Hacky Easter 2019

Link HERE


Try this MEDIUM one

Symphony in HEX

A lost symphony of the genius has reappeared.


Hint: count quavers, read semibreves

Link HERE

Full write up

Link HERE

Dates

May 25th 2019: 1 year of GDPR live! See the incidents section below

June 30th 2018: TLS 1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

Now: TLS 1.2 mandatory for proper security

HTTPS everywhere HERE

Deprecating TLSv1.0 and TLSv1.1 gracefully with Cloudflare Workers

Link HERE

Halloween Brexit! Or later, or not, or bust. Brexit Fatigue HERE

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start

Book of the week/month

Remember: AWS Well-Architected Framework

The framework is based on five pillars:

  1. Operational Excellence
  2. Security
  3. Reliability
  4. Performance Efficiency
  5. Cost Optimization

Design Principles (Security pillar)

  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Keep people away from data
  • Prepare for security events

Link HERE – thanks to Alvin

EMV Secure Remote Commerce (SRC)

A set of specifications developed by EMVCo that enables the creation of a ‘virtual payment terminal’. It provides a foundation for industry solutions that process e-commerce transactions in a consistent, streamlined fashion across a variety of remote-checkout environments and consumer devices, including smartphones, tablets, PCs and other connected devices.

Link HERE

Sustainable Web Manifesto

“If the Internet was a country, it would be the 6th largest polluter”

Link HERE AND Principles of Chaos Engineering HERE

Comic of the week

Dilbert by Scott Adams

## Some OWASP stuff first

- Remember: RSA 2019 – Cheaper by the Dozen: Application Security on a Limited Budget – Security Champions

Everyone wants to improve application security, but what if your company does not have one million dollars to spend? Learn which open source projects fit together to solve application security problems and receive advice on how to get started. Explore OWASP projects, including purpose, usage, risk rating and human resources. Reap enormous benefits and change organizational application security forever. Learning Objectives:

1: Identify which open source projects fit together to solve your application security problems.

2: Locate the right projects to match organizational application security needs.

3: Recognize per-project advice on how to use application security improvements for great success.

Link HERE

- SecureDeveloper: The New Ways of DevSecOps

DevOps, and the subsequent move to bring security in under the umbrella of DevSecOps, has created a new ethos for security. This is good; however, moving security and DevOps closer together in many organizations leaves us with questions of how this merge works in practice. What happens to security? To developers? And where does chaos engineering fit in? This talk highlights security’s place in DevOps and how topics ranging from empathy to chaos to system safety fit in organizations today. The hope is to uncover a new playbook for devs, ops, and security to work together.

Link HERE

- AppSec Podcast – Bill Sempf – Growing AppSec People and KidzMash

Robert meets up with Bill Sempf at the CodeMash conference and discusses how to grow AppSec people. Developers can transform into application security people. They also cover how to inspire the next generation of cybersecurity people (kids) through the example of KidzMash.

Link HERE

- Manicode Security Training June 2019 Update

Link HERE

- Snake Oilers 9 part 1: The best Snake Oilers edition we’ve ever run

Linux security, sensible SOC augmentation PLUS vulnerability management made easier…

Link HERE

- Android App Reverse Engineering 101

Link HERE

- GREP Cheat Sheet

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019

Link HERE

Hack In Paris 2019 was HERE


Some slides HERE

More coming!

AppSec Europe Tel-Aviv May 2019

Slides & presentations soon!

The complete Security Events calendar – Peerlyst

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incident data HERE – find your country

NCSC Weekly Threat Report


FTSE 250 companies missing cyber security basics

Security researchers at Rapid7 have found that 88% of FTSE 250+ organisations have insufficient anti-phishing defences (i.e. DMARC) in the public email configuration of their primary email domains.

The finding is part of their third Industry Cyber-Exposure Report (ICER), which examines the overall exposure of the companies listed in the FTSE 250 index.

FBI warns users to be wary of phishing sites abusing HTTPS

This week the FBI issued a warning that too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a guarantee that a site is trustworthy.

Microsoft warns of email campaign exploiting an old bug

Microsoft’s Security Intelligence team has warned of an active malware campaign that uses emails in European languages to distribute RTF files carrying the CVE-2017-11882 exploit.

Link HERE

Troy Hunt Weekly update 143


Link HERE

Incidents & events detail

How I Hacked the Microsoft Outlook Android App and Found CVE-2019-1105


That grey box—it shouldn’t have been there. When I looked closer, it was clear the JavaScript probably contained HTML code for an iframe that would render normally outside of the mobile application.

Links HERE and HERE

Linux and FreeBSD Kernel: Multiple TCP-based remote denial of service vulnerabilities

Link HERE – thanks to Estevan

Microsoft: 70 percent of all security bugs are memory safety issues

The percentage of memory safety issues has been hovering at 70 percent for the past 12 years.

Link HERE

Desjardins Breach

Desjardins, Canada’s largest credit union, says that it has suffered a data security breach. An employee, who has since been fired, stole customer information from a Desjardins database and shared it with people outside the financial institution. The breach affected information belonging to 2.9 million members. The compromised data include names, social insurance numbers, email addresses, and details of banking habits. Desjardins has changed the procedure for authenticating customers’ identities so that the stolen information cannot be used for that purpose.
[Neely]
Insider threat is the most difficult to prevent. The most common mitigations include two-person rules, in addition to digital surveillance; regular review of access permissions, including separation of duties to ensure no one employee can exceed their authority.

Link HERE

NIST Updates SP 800-171 to Help Defend Sensitive Information from Cyberattack 

New Companion Pub Offers ‘Enhanced Security’ for Information Stored in Critical Programs and Assets

Link HERE

Learning from cryptocurrency breaches

Analysing two years and 62 entries in the Blockchain Graveyard


Link HERE

AND

Wave of SIM swapping attacks hit US cryptocurrency users

Link HERE – thanks to Simon

AND

The Most Expensive Lesson of My Life: Details of SIM Port Hack

Link HERE – thanks to Simon

AND

Is there a weak link in blockchain security?

Link HERE

New Linux malware believed to use code from past Chinese malware

A new malware known as “HiddenWasp” has been spotted in the wild targeting Linux machines. HiddenWasp contains several methods to avoid detection by antivirus solutions, and the attackers are still actively deploying it. Researchers discovered that the malware contains code copied and pasted from other, past attacks by Chinese actors.

Link HERE

New user keystroke impersonation attack uses AI to evade detection

Link HERE

Security Advisory 2019-06-13 – Reduced initial randomness on FIPS keys


Link HERE

Mozilla patches Firefox zero-day abused in the wild


Mozilla releases Firefox 67.0.3 to fix actively exploited zero-day

Link HERE

Researchers use Rowhammer bit flips to steal 2048-bit crypto key

RAMBleed side-channel attack works even when DRAM is protected by error-correcting code

Link HERE

LaLiga’s app listened in on fans to catch bars illegally streaming soccer

Link HERE

Attack on Tesla Autopilot highlights Bigger Risk of Insecure Sensors

Link HERE – thanks to Alvin

A new backdoor called “HAWKBALL” is targeting government agencies in Central Asia via Microsoft Office vulnerabilities

Link HERE

Nation-sponsored hackers likely carried out hostile takeover of rival group’s servers

Like an episode of Spy vs. Spy, Russian-speaking Turla appears to hijack OilRig’s network

Link HERE

Recent Instagram data leak reveals ‘backdoor’ feature exposes kids’ phone # and email in plain sight to 1B users


Link HERE

Attackers redirect users to the RIG exploit kit, which downloads ransomware

A new malvertising campaign in the wild attempts to trick users into clicking on malicious ads, then sends them to a web page containing the RIG exploit kit. Once the machine is infected, the kit downloads the Buran ransomware. Buran is a fairly straightforward ransomware, running its encryption process and then displaying a ransom note to the victim.

Link HERE

A free Argo Tunnel for your next project

Link HERE

MongoDB’s Field Level Encryption

The MongoDB development team has been working for two years to improve its encryption to reduce breaches, and they have done it by moving from server-side encryption to client-side encryption. The feature, called Field Level Encryption, shows encrypted fields only as ciphertext on the server; viewing the actual data requires access through the client application with the necessary keys.
[Murray]
“Field level encryptions,” or any small object encryption, is harder than it looks. Think about how you might encrypt a single bit. Adding it to an existing database is even harder. Lotus Notes has done it well, but as part of the original design.

Link HERE

Several malicious apps on the Google Play store are able to bypass two-factor authentication systems to steal users’ Bitcoin

Link HERE

IT’S TIME TO SWITCH TO A PRIVACY BROWSER

Link HERE

Chaining Three Bugs to Get RCE in Microsoft AttackSurfaceAnalyzer

Link HERE

Bitdefender Releases GandCrab Decryptor

Link HERE

Security researchers and U.S. power regulators are warning that some of the world’s most powerful hacking groups have zeroed in on attacking U.S. power suppliers

Link HERE

LoudMiner: Cross-platform mining in cracked VST software

The story of a Linux miner bundled with pirated copies of VST (Virtual Studio Technology) software for Windows and macOS.

Link HERE

Research of the week

Featured:

Azure API Management, Key Vault and Managed Identities

This post will provide an example of how to integrate Azure API Management, Key Vault and Managed Identities to securely retrieve and use a secret within an API.

GitHub repository HERE


Link HERE

Next-Gen Application Security

Launch Effective Agile Security for Agile Development


Link HERE

Cloud Security Report 2019


Link HERE

MATURING A THREAT INTELLIGENCE PROGRAM


Discover the state of your current threat intelligence program and uncover a roadmap to getting ahead of today’s threats.

Link HERE

Tool of the week

Jscrambler launches Self-Healing JavaScript to prevent code tampering

Jscrambler, a technology company specializing in JavaScript application security and web page monitoring solutions, has announced Self-Healing JavaScript – a world first for JavaScript application security.

The latest statistics point out that 97% of modern web sites are running JavaScript, and every single Fortune 500 company uses it to build highly competitive web apps; JavaScript keeps growing as the powerhouse of the Web.

However, because JavaScript code can’t be encrypted, it remains exposed so that anyone can access and modify it. This allows malicious actors to reverse-engineer JavaScript code to uncover a company’s proprietary algorithms or bypass licensing agreements. Once again, Jscrambler is tackling this issue head-on with new proprietary technology: Self-Healing JavaScript.

Link HERE

GoBuster

Directory/File, DNS and VHost busting tool written in Go

Link HERE

jadx – Dex to Java decompiler

Command line and GUI tools to produce Java source code from Android Dex and Apk files

Link HERE

The challenge source code and solutions for Facebook CTF 2019

Link HERE

Libra from Facebook – Fakesbook news


“Move” is a new programming language for implementing custom transaction logic and “smart contracts” on the Libra Blockchain. Because of Libra’s goal to one day serve billions of people, Move is designed with safety and security as the highest priorities. Move takes insights from security incidents that have happened with smart contracts to date and creates a language that makes it inherently easier to write code that fulfils the author’s intent, thereby lessening the risk of unintended bugs or security incidents. Specifically, Move is designed to prevent assets from being cloned. It enables “resource types” that constrain digital assets to the same properties as physical assets: a resource has a single owner, it can only be spent once, and the creation of new resources is restricted. The Move language also facilitates automatic proofs that transactions satisfy certain properties, such as payment transactions only changing the account balances of the payer and receiver. By prioritizing these features, Move will help keep the Libra Blockchain secure.

Thanks to Mithun

Link HERE, Whitepaper HERE

Security Products Training Plan Guide – from and for Micro Focus products

Link HERE

PrivX Free

Multi-cloud PAM software – for free

Gain lean and fast access management to your critical assets – without opening your wallet.

Quickly deploy our agentless, credential-less solution that integrates with your existing identity management tools, and start benefitting from secure authorized access to your hybrid and multi-cloud servers and applications.

Link HERE

Google Releases Encrypted Multi-Party Computation Tool

Google has rolled out its open-source Private Join and Compute (PJC) secure multi-party computation tool. PJC can be used in studies that require data sets containing sensitive information from two separate parties. PJC allows two sets of data to be used in computations without exposing the data each set contains. The data are encrypted during the computation; all parties can see the result.

Link HERE

New infosec products of the week: June 14, 2019 and June 21, 2019

Highlight:

Threat Stack Application Security Monitoring HERE

Orca Security Full Cloud Security Visibility HERE Orca Book HERE

Links HERE and HERE

Other interesting articles

## Antivirus Evasion with Python

In this article we will present a very straightforward tutorial on how to evade antivirus software on fully patched and updated Windows environments using a Python payload.

Keep in mind that bypassing antivirus is a cat and mouse game. Whenever a new evasion technique gets popular, antivirus vendors will eventually learn about it, update their signature databases and block it. Then new evasion techniques will rise, which vendors will in turn add to their signature databases, and so on and so forth.

Link HERE

## Bypassing SSRF Protection

Link HERE

## Chenxi Wang polishes her 2019 crystal ball

Dr. Chenxi Wang, founder of Rain Capital, shares some of her 2019 cyber security predictions about the cloud, GDPR, blockchain, DevSecOps, privacy, and ICS:

1. Increasing cloudiness—which is a good thing

2. GDPR’s worldwide reach brings reach for security too

3. Blockchain blowback

4. DevSecOps rising

5. Privacy a priority—really?

6. Smart—and disconnected

Link HERE

## And finally, Burger King’s Instagram Is Full of Giant P***s Drawings

A San Francisco artist used penis pictures as creative “revenge” after the brand allegedly ripped off his art.

Click link for photo

Links HERE and HERE

AND

A Year Later, U.S. Government Websites Are Still Redirecting to H4rdc0re P0rn

Link HERE – thanks to Alvin

AND unrelated to the previous 2 but cool

Thunder from the Cloud: 40,000 Cores Running in Concert on AWS


Link HERE

## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/

Description: MyBB <= 1.8.20: From Stored XSS to RCE.

URL: https://appio.dev/vulns/googleplex-com-blind-xss/

Description: XSSing Google Employees — Blind XSS on googleplex.com.

Link HERE and credits to HERE

 
