Security Stack Sheet #59

Word of the week

“Ransomware: To Pay or Not to Pay?”


In a recent report, Forrester Research analysts argue that organizations should “recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that [they]’re making the best decision for [their] organization.” In a separate story, the Editorial Board of the Washington Post argues that “taxpayer money should not be used to reward criminal enterprises,” and proposes making it illegal to pay ransomware demands.
[Pescatore]
Forget ransomware for a second and think about the older form of ransom when a business executive is kidnapped, which was happening long before ransomware started. Many companies have Kidnapping/Ransom/Extortion insurance to cover that scenario. I doubt any state governments do and I’m pretty sure the policy language for those may exclude ransomware attempts. But the question about what to do about extortion is a business question, not a security question. That said, part of the business question is “can we self-insure?” – that is the essential question CEOs and boards ask about cybersecurity, too.
[Murray]
I agree with John Pescatore that this is a business decision. So is the decision as to whether to accept the risk or to reduce it by implementing strong authentication, “least privilege” access control, end-to-end application layer security, Privileged Access Management (PAM), and secure backup with fast recovery. The cost of prevention, while optional, is efficient; it is almost always cheaper than the mandatory cost of remediation. That is why we call it “security.”

[Neely]
I agree with John & Bill. The question of whether we can self-insure, as well as whether our practices are commensurate with current mitigations (including strong authentication, incremental secure backups that can be restored readily, and communication and service restoration plans), needs an honest assessment, including validation, prior to making a decision. Additionally, don’t assume payment will result in full data recovery.


Links HERE and HERE and HERE and HERE and HERE and HERE and HERE – thanks to SANS

Word of the week special

“Private Internet connection”

Why VPNs Are Suddenly Everywhere, and How to Pick the Best One


Is a ‘private’ internet connection really worth it?

Here are the most important factors to check:

  1. Who owns the VPN service, and is it the only product they offer? If it isn’t immediately apparent who’s running the service, that’s a red flag.
  2. Where are the VPN service’s servers hosted? This is an important question, because you’ll probably want options for connecting to specific countries.
  3. Does the VPN service log any data, and for how long? A paid VPN service that cares about privacy should log as little information as possible, so that you aren’t exposed retroactively should they suffer a security breach in the future. Setting this up correctly is quite difficult, so the company should have a clear policy about what it logs, why it does so, and for how long.
  4. What country is the VPN service founded in? Is that country a part of the Five Eyes, Nine Eyes, or 14 Eyes spying agreements, where countries — led by U.S. authorities — work together to collect data on internet users in secret?
  5. Is this VPN service using modern encryption technology that will actually hide your traffic? This might include things like SSH tunnels, which mask your habits.


Link HERE and Evaluator of VPNs HERE

AND Becoming virtually untraceable


Link HERE

Bonus 


Security people will always have a job!

Links HERE and HERE and HERE and HERE and HERE and HERE

Crypto challenge of the week

Hacky Easter 2019

Link HERE


Try this HARD one

Scrambled Egg

This Easter egg image is a little distorted…

Can you restore it?


Link HERE

Full write up

Link HERE

AND

The CEO Cyber Security Challenge


Link HERE


Dates

May 25th 2019: 1 year of GDPR Live! See incidents section below

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

Halloween Brexit! Or later, or not, or bust. Brexit Fatigue HERE

Boris Johnson and GDPR

Might there have been a breach of data protection law in the recording, apparently by neighbours, of incidents at Boris Johnson’s home, and the passing of the recording to the media and the police? Almost certainly not.

Link HERE

September 2019: PSD2 security mandatory

Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2

Link HERE – thanks to Marius

November 3rd 2020: Trump’s second term start

The Rise (and Rise) of the Imbecile

Why the West is Drowning in a Tidal Wave of Ignorance, Demagoguery, and Self-Inflicted Catastrophe

Link HERE

Book on the week/month

Security Engineering — Third Edition

I’m writing a third edition of Security Engineering, and hope to have it finished in early 2020 so it can be in bookstores by Academic Year 2020-1.


Link HERE

Unlocking the Cloud Operating Model – by Hashicorp


Link HERE


Comic of the week

Lawyer Can't Be Too Careful - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP Cheat Sheet on Server Side Request Forgery (SSRF) attack


Link HERE and SSRF Lab solutions from Portswigger HERE

-SwigCast, Episode 2: ENCRYPTION

In the second episode of SwigCast, we talk all things encryption with guest Bruce Schneier


Link HERE

-ModSecurity: OWASP Core Rule Set update addresses denial-of-service vulnerability


Links HERE and HERE

-Content Security Policy: A successful mess between hardening and mitigation – Spagnuolo/Weichselbaum


Link HERE

-Fridamania in Security


Using Frida as an Attacker

Link HERE

-Kali Linux sets out its roadmap for 2019/20

Link HERE


Events

OWASP events HERE

All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019 in Boston US


Security Deep Dive

The Foundation

Governance, Risk & Compliance

Security Pioneers

Wrap up and Links HERE


Link HERE

Hack In Paris 2019 was HERE


Some slides HERE

More coming!

AppSec Europe Tel-Aviv May 2019

Slides & presentations soon!

The complete Security Events calendar – Peerlyst

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country


NCSC Weekly Threat Report


Florida towns pay out more than $1m to hackers

This week it was reported that two towns in Florida had paid $1.1 million to hackers after suffering ransomware attacks.

Officials in Lake City and Riviera Beach voted to make payments after computer systems were downed, locking municipal staff out of important files, affecting emergency response systems and stopping the public from making online payments.

Link HERE

Firefox’s random password generator

Following Google’s move – roughly a year later – Mozilla is adding a random password generator to Firefox.

Infosec reporters say the add-on is expected to be rolled out for all Firefox users when Firefox 69 is released later this year and will work alongside the browser’s built-in password manager.

Troy Hunt Weekly update 145


Link HERE

Welcome to Crypto Week 2019 @Cloudflare


Link HERE


Incidents & events detail

How A Small ISP in Pennsylvania Tanked a Big Chunk of the Web on Monday

And how Verizon apparently made it much worse.


The outage was an abrupt reminder that the internet is a fragile place where one little error—in this case, by a small company in Pennsylvania—can cause swaths of the web to break with little warning. In Monday’s case, it was because the internet’s map got broken.

Link HERE and Cloudflare status HERE and write-up HERE

Excel Power Query Feature Can Be Exploited to Infect Systems with Malware

Researchers have developed proof-of-concept code that exploits a legitimate feature in Microsoft Office’s Excel to place malware on systems remotely. The Power Query feature allows users to embed external data sources in Excel spreadsheets. The exploit launches a Dynamic Data Exchange (DDE) attack.
[Murray]
Escape mechanisms in applications have been problematic for generations, best illustrated by the “debug” feature in sendmail. Both Microsoft and IBM have done a good job of providing controls over their use. However, many are enabled by default.

Link HERE

Social Engineering Forum Hacked, Data Shared on Leak Sites

Link HERE

An Australian worker won a landmark privacy case against his employer after he was fired for refusing to use a fingerprint scanner

Link HERE

OPERATION SOFT CELL: A WORLDWIDE CAMPAIGN AGAINST TELECOMMUNICATIONS PROVIDERS

Link HERE and Hackers are stealing years of call records from hacked cell networks Link HERE

WeTransfer sends user file links to wrong people

Link HERE

Inside the West’s failed fight against China’s ‘Cloud Hopper’ hackers

Link HERE

NASA hacked! An unauthorized Raspberry Pi connected to its network was the entry point

Link HERE

ProtonMail voluntarily offers Assistance for Real-Time Surveillance

Link HERE

Docker Snafu Leads to Millions of Downloads of Vulnerable JDK

Millions of developers mistakenly downloaded bug- and CVE-vulnerability-ridden versions of 8u212 and 11.0.3, thinking they were the real thing.

Link HERE

Google Play Store Security Fails As Malware Invades (Fake News?)

Link HERE

Security Flaw in Pre-Installed Dell Support Software Affects Million of Computers

Link HERE

Botnet Uses SSH and ADB to Create Android Cryptomining Army

Link HERE

PILLAGING THE JENKINS TREASURE CHEST

Jenkins is a popular target for penetration testers, mainly because certain server configurations expose the Groovy Script Editor which, given the proper payload, can lead to remote code execution on the server. Increasingly, though, this technique no longer works.


During a pentest, we found a Jenkins server with hundreds of “builds”, each containing a handy button on the left side called “Console Output”.

Link HERE

The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types

Link HERE

Research of the week

NIST Publication on IoT Security
The US National Institute of Standards and Technology (NIST) has published a paper that aims “to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles.” The paper, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, is the foundational publication for what will be a series of publications that offer more specific aspects of managing IoT security.
[Neely]
This document identifies areas of concern for IoT security, the challenges, and how the relevant controls in the RMF would need adjustment for these devices. While there are many issues, the paper groups them for relevance and understanding to support a risk-based approach for securing IoT. The appendix of desired privacy and cybersecurity capabilities and examples will be released as a separate publication.

Link HERE

Site Isolation: Process Separation for Web Sites within the Browser

Current production web browsers are multi-process but place different web sites in the same renderer process, which is not sufficient to mitigate threats present on the web today. With the prevalence of private user data stored on web sites, the risk posed by compromised renderer processes, and the advent of transient execution attacks like Spectre and Meltdown that can leak data via microarchitectural state, it is no longer safe to render documents from different web sites in the same process. In this paper, we describe our successful deployment of the Site Isolation architecture to all desktop users of Google Chrome as a mitigation for process-wide attacks. Site Isolation locks each renderer process to documents from a single site and filters certain cross-site data from each process. We overcame performance and compatibility challenges to adapt a production browser to this new architecture. We find that this architecture offers the best path to protection against compromised renderer processes and same-process transient execution attacks, despite current limitations. Our performance results indicate it is practical to deploy this level of isolation while sufficiently preserving compatibility with existing web content. Finally, we discuss future directions and how the current limitations of Site Isolation might be addressed.

Link HERE

New AI programming language goes beyond deep learning

General-purpose language works for computer vision, robotics, statistics, and more.

In a paper presented at the Programming Language Design and Implementation conference this week, the researchers describe a novel probabilistic-programming system named “Gen.” Users write models and algorithms from multiple fields where AI techniques are applied — such as computer vision, robotics, and statistics — without having to deal with equations or manually write high-performance code. Gen also lets expert researchers write sophisticated models and inference algorithms — used for prediction tasks — that were previously infeasible.

Users feed Gen relatively short code defining a target task, and the system automatically generates the results.

Link HERE

Electronic Code Book (ECB) and Cipher Block Chaining (CBC)

Block encryption normally works by splitting the text into blocks and applying a key to each block to produce cipher blocks. Typical block sizes are 128 or 256 bytes. Unfortunately, when each block is encrypted independently, identical input blocks always produce identical cipher blocks, so an intruder who sees repeated cipher blocks can infer repeated plaintext and try to guess the cipher text. This mode is known as Electronic Code Book (ECB).


Link HERE
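To make the ECB leak visible, here is an added example that is not code from the linked article. It builds a toy 16-byte (128-bit) block cipher as a 4-round Feistel network with SHA-256 as the round function (constructed purely so the script runs offline with the standard library, as a stand-in for AES), then implements ECB and CBC on top of it with PKCS#7 padding. Encrypting a constructed plaintext made of the same 16-byte record four times shows the difference: ECB emits the same cipher block four times, while CBC, which XORs each plaintext block with the previous cipher block (the IV for the first) before encryption, emits all-distinct blocks. Both modes are decrypted to confirm the round trip.

```python
"""ECB vs CBC on a toy block cipher: identical plaintext blocks leak under ECB.

Added example, not code from the linked article. The block cipher is a
constructed 4-round Feistel network with a SHA-256 round function; it stands
in for AES only so this runs offline. Block size is 16 bytes (128 bits).
"""
import hashlib

BLOCK = 16          # bytes per block (128 bits)
HALF = BLOCK // 2   # Feistel half-block
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function (toy PRF): hash of key, round number and half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one block. A Feistel network is a permutation for any round
    function, so equal inputs give equal outputs and distinct inputs differ."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7: always append 1..16 bytes, each equal to the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block encrypted independently, so plaintext repeats become
    # ciphertext repeats.
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous cipher block (IV first),
    # so equal plaintext blocks enter the cipher as different values.
    out, prev = [], iv
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def duplicate_blocks(ciphertext: bytes) -> int:
    """Number of cipher blocks that repeat an earlier cipher block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def demo() -> dict:
    key = b"constructed-demo-key"        # constructed, not a real secret
    iv = bytes(range(BLOCK))             # constructed IV for the demo
    record = b"ACCOUNT:0000001;"         # exactly one 16-byte block
    plaintext = record * 4               # constructed: same record four times
    ecb = ecb_encrypt(key, plaintext)    # 5 blocks: 4 records + padding block
    cbc = cbc_encrypt(key, iv, plaintext)
    return {
        "ecb_duplicates": duplicate_blocks(ecb),   # 3: the four records collide
        "cbc_duplicates": duplicate_blocks(cbc),   # 0: chaining breaks repeats
        "ecb_roundtrip": ecb_decrypt(key, ecb) == plaintext,
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == plaintext,
    }


if __name__ == "__main__":
    print(demo())
```

The count of duplicate cipher blocks is the detection signal a reviewer would look for when auditing ciphertext produced by an unknown mode: three repeats out of five blocks says ECB; zero repeats is what CBC (or any chained or counter mode) produces. Because the toy cipher is a permutation, the ECB result is exact rather than probabilistic; with a real cipher such as AES the same check gives the same answer.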


Tool of the week

Featuring:

SURVEILLANCE SELF-DEFENSE

Home

TIPS, TOOLS AND HOW-TOS FOR SAFER ONLINE COMMUNICATIONS

Link HERE – thanks to Alvin

Proving security at scale with automated reasoning


Customers often ask me how AWS maintains security at scale as we continue to grow so rapidly. They want to make sure that their data is secure in the AWS Cloud, and they want to understand how to better secure themselves as they grow.

We have a Shared Responsibility Model at AWS, in which we are responsible for security of the cloud, and you are responsible for security in the cloud. This enables you to focus on strategic efforts while AWS oversees operational tasks.

Link HERE

CloudGoat 2: The New & Improved “Vulnerable by Design” AWS Deployment Tool


Link HERE

AWS – VPC Traffic Mirroring – Capture & Inspect Network Traffic

This is a new feature that you can use with your existing Virtual Private Clouds (VPCs) to capture and inspect network traffic at scale. This will allow you to:

  • Detect Network & Security Anomalies – You can extract traffic of interest from any workload in a VPC and route it to the detection tools of your choice. You can detect and respond to attacks more quickly than is possible with traditional log-based tools.
  • Gain Operational Insights – You can use VPC Traffic Mirroring to get the network visibility and control that will let you make security decisions that are better informed.
  • Implement Compliance & Security Controls – You can meet regulatory & compliance requirements that mandate monitoring, logging, and so forth.
  • Troubleshoot Issues – You can mirror application traffic internally for testing and troubleshooting. You can analyze traffic patterns and proactively locate choke points that will impair the performance of your applications.

Link HERE

Introducing Elastic SIEM


Link HERE

Microsoft unveils public preview for Azure Bastion

Microsoft has lifted the lid on its managed platform as a service (PaaS) product that seeks to protect exposed virtual machines (VMs) from outside threats. The firm says it has worked with hundreds of cloud customers across a wide range of industries to launch a preview of the service, which sits between the Azure portal and the virtual machines’ network interfaces. It is said to guarantee a degree of safety when accessing VMs that have no public internet exposure, by providing seamless remote desktop protocol (RDP) and secure shell (SSH) connectivity over the secure sockets layer (SSL).

Link HERE

TrackThis Demonstrates How Advertisers Track You


Link HERE

VulnerableContainers.org

Link HERE

Intentionally Vulnerable Systems for Penetration Testing Practice, CTFs and a few Games

Link HERE

Top Digital Forensics Incident Response Tools – 2019 edition


Link HERE

BURP Enterprise Edition 1.1

Link HERE

How to host and manage an entire private certificate infrastructure in AWS

Link HERE


Other interesting articles

##From last week – Cyber Deception Vendors


Link HERE


##Do I really have to say it? Stop resisting multifactor authentication


Link HERE


##Remember: FTPS (FTP over SSL) vs. SFTP (SSH File Transfer Protocol)


Links HERE and HERE

##And finally, the United States of Crypto

Celebrating Independence Day and Ideals such as Life, Liberty, and the Pursuit of Economic Freedom


  • Currently, 58 percent of Americans say they’ve heard of Bitcoin.
  • Over the past year, more people searched on Google for Bitcoin than the “royal wedding” or “election results.”
  • To date, more than 70 percent of US States have enacted legislation that addresses cryptocurrency or blockchain.
  • Crypto is becoming an increasingly important aspect of local economies. The top 10 US States for percentage of the population that owns crypto are: California, New Jersey, Washington, New York, Colorado, Utah, Florida, Alaska, Nevada, and Massachusetts.

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://medium.com/@mr_hacker/a-5000-idor-f4268fffcd2e

Description: A $5000 IDOR…

URL: http://bit.ly/2ZzYurC (+)

Description: Chaining Three Bugs to Get RCE in Microsoft AttackSurfaceAnalyzer.

Link HERE and credits to HERE
