Security Stack Sheet #60

Word of the week

“Internet Villain”

https://pbs.twimg.com/media/D-n8WlvX4AAnWIW.jpg

  • Mozilla – for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK
  • Article 13 Copyright Directive – for threatening freedom of expression online by requiring ‘content recognition technologies’ across platforms
  • President Donald Trump – for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security

Link HERE and Mozilla anti-tracking policy HERE

Word of the week special

“QR Code Phishing”

QR codes used as a phishing tactic

https://cofense.com/wp-content/uploads/2019/06/Picture1-6-480x358.jpg

Link HERE

Bonus

Link HERE

Link HERE

Link HERE

Crypto challenge of the week

Top Secret puzzle

Link HERE – thanks to Alvin

Hacky Easter 2019

Full write up

Link HERE

Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below
  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance – BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

  • Halloween Brexit! (or later, or not, or bust) – Brexit Fatigue HERE
  • September 2019: PSD2 security mandatory
  • November 3rd 2020: Trump’s second term start

Trump officials weigh encryption crackdown

Link HERE

Book on the week/month

The Rules of Security: Staying Safe in a Risky World by Paul Martin

Link HERE – thanks to Naz

Comic of the week

When Wally Is Busy - Dilbert by Scott Adams

##Some OWASP stuff first

-“Security Learns to Sprint: DevSecOps” – Tanya Janca

Link HERE

-Zoe Braiterman — AI, ML, AppSec, and a dose of data protection

Zoe Braiterman is an Innovation Intelligence Strategist focused on both the machine and the human side, and also the OWASP WIA Chair. We explore the intersection of application security with artificial intelligence and machine learning, and end up discussing data protection. Zoe approaches AppSec from a different angle, and her perspectives get us thinking about the importance of AppSec in the future of autonomous everything.

Link HERE

-Security Vulnerabilities Decomposition: Another way to look at Vulnerabilities – Katy Anton

In most companies security is driven by compliance regulations. The policies are designed to cover the CWEs each company is interested in complying with. The result of this approach is that a high number of insecure applications are still produced, and injection is still King. Is there another way to secure software in a more developer-friendly manner? This presentation looks at security vulnerabilities from a different angle: we decompose the vulnerabilities into the security controls that prevent them and that developers are already familiar with. We flip security from focusing on vulnerabilities (measured at the end) to focusing on the security controls developers can apply from the beginning of the software development cycle. Recommended to all developers looking to integrate security into their software applications.

Link HERE

-!!Con 2019 – Tail Call Optimization: The Musical!! by Anjana Vakil & Natalia Margolis

Link HERE

-Remember: OWASP SecureHeaders Project – OSHP

Link HERE

-Crazy blind SSRF exploitation technique using Windows Defender – WCTF2019: Gyotaku The Flag

Link HERE

-How to HackTheBox – Arctic Machine Writeup

Link HERE and

Google CTF Quals 2019: GLotto Writeup

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

AppSec Europe Tel-Aviv May 2019

44 (!!) Videos

Link HERE

InfoSec Girls Videos

Link HERE

CyberSecurity/InfoSec/AppSec Conferences/Meetups/Events in London

Link HERE

The complete Security Events calendar – Peerlyst

Link HERE

Exploring the Most Exploited Vulnerabilities of 2019 (So Far) – Webinar – 16th of July

Link HERE

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incident data HERE – find your country

NCSC Weekly Threat Report

Cyber incident reports from UK finance sector spiked by 1,000% in 2018

New data obtained by RSM under a freedom of information request has revealed that financial services firms reported 819 cyber incidents to the Financial Conduct Authority (FCA) in 2018, a significant increase on the 69 incidents reported in 2017.

Sodinokibi ransomware exploits Windows vulnerability

A ransomware strain named Sodinokibi (also Sodin or REvil) is exploiting a vulnerability patched by Windows last year.

Microsoft issued a patch for the vulnerability, a privilege escalation flaw known as CVE-2018-8453, back in October 2018.

Cirque du Soleil app reported to be vulnerable

An application for the Cirque du Soleil show, Toruk – The First Flight, is reportedly vulnerable due to a lack of focus on security according to a blog post from researchers at ESET.

The show, which had its final night in London on June 30th, encouraged users to download the app so they could enhance their evening with content such as backstage videos and images.

Link HERE

Troy Hunt Weekly update 146

Link HERE

Incidents & events detail

CLOUDFLARE OUTAGE

Truth

ALSO

“I’ve seen a bunch of speculation that today’s @Cloudflare outage was caused by a DDoS from China, Iran, North Korea, etc. etc. It was not an attack by anyone from anywhere.”

Links HERE and HERE

Maryland Department Of Labour Database Breached, 78K Customers May Have Had Personal Information Taken

Link HERE

Hillary Clinton Withdraws From Cybersecurity Conference Speaking Gig, Citing ‘Unforeseen Circumstance’

Link HERE

UK’s largest police forensics lab Eurofins pays ransom to hackers

Link HERE

YouTube mystery ban on hacking videos has content creators puzzled

Recent policy remains unclear about what’s disallowed

https://www.malwaretech.com/wp-content/uploads/2019/07/NewPolicy.png

Links HERE and HERE

AND

Bulgarian IT Expert Arrested After Posting Software Vulnerability Demo on Facebook

Authorities in Bulgaria have arrested an individual after he demonstrated a vulnerability in software used in local government web portals. In a video that he posted to Facebook, the man demonstrated the vulnerability by downloading personally identifiable information belonging to more than 235,000 people who live in the province of Stara Zagora. The software in question is used to allow residents to register their children for kindergarten. Stara Zagora officials have taken down the software on that province’s portal, but the same software is used by other local governments in Bulgaria.
[Neely]
Having permission to find and disclose vulnerabilities is a good first step when researching systems. Responsible disclosure includes making sure you won’t get arrested or sued for releasing the information. Publicly disclosing the vulnerability, exploit code, and a how-to video is going to be unwelcome in almost any context.

Link HERE

Cisco put Huawei X.509 certificates and keys into its own switches

How did cryptographic certificates and keys issued to Huawei end up in Cisco gear?

Link HERE

DirtySecurity Podcast: Rob Bathurst on the Challenge of Securing Connected Medical Devices

Link HERE

Squirrel Exploit Leaves Microsoft Teams Vulnerable to Privilege Escalation

Link HERE

Research of the week

2019 State of the Software Supply Chain

The 2019 State of the Software Supply Chain Report blends a broad set of public and proprietary data with survey results, expert research, and analysis to reveal the following:

  • 75% growth in supply of open source component releases over the past two years (Chapter 1)
  • 68% year over year growth in download requests from the Central Repository to 146 billion (Chapter 2)
  • 18x faster median time to update dependencies for exemplary open source components (Chapter 3)
  • 55% reduction in the use of vulnerable open source component releases within managed software supply chains (Chapter 4)
  • 71% increase in confirmed or suspected open source related breaches since 2014 (Chapter 5)

Link HERE

Top 20 Public Bug Bounty Programs

The biggest, fastest, and most lucrative bounty programs on the HackerOne platform

Link HERE

Diffprivlib: The IBM Differential Privacy Library

Since its conception in 2006, differential privacy has emerged as the de-facto standard in data privacy, owing to its robust mathematical guarantees, generalised applicability and rich body of literature. Over the years, researchers have studied differential privacy and its applicability to an ever-widening field of topics. Mechanisms have been created to optimise the process of achieving differential privacy, for various data types and scenarios. Until this work, however, all previous work on differential privacy has been conducted on an ad-hoc basis, without a single, unifying codebase to implement results.
In this work, we present the IBM Differential Privacy Library, a general purpose, open source library for investigating, experimenting and developing differential privacy applications in the Python programming language. The library includes a host of mechanisms, the building blocks of differential privacy, alongside a number of applications to machine learning and other data analytics tasks. Simplicity and accessibility have been prioritised in developing the library, making it suitable to a wide audience of users, from those using the library for their first investigations in data privacy, to the privacy experts looking to contribute their own models and mechanisms for others to use.

Link HERE

Advanced Data Structures courses at MIT

Link HERE

Tool of the week

Security Operations Center (SOC) Service Level Agreement (SLA) – Template

Link HERE

How I use the Harvester for Recon – KALI Linux

Link HERE

npm audit

The --production flag is now available in npm v6.10.0 – audit only your production JavaScript dependencies, skipping devDependencies

Link HERE

Mozilla revamps SSL Configuration Generator tool

Link HERE

Puresec – RASP for serverless – Comparison with traditional appsec products

Link HERE and Secure Serverless CI/CD with Codeship, PureSec, and AWS Lambda HERE and HERE

Google’s robots.txt Parser is Now Open Source

Link HERE

Lynis: Security Auditing Tool for Unix/Linux Systems

Link HERE

Other interesting articles

##One-Two Punch: Using AppSec to Up Your Pentests and Phishing Gigs

https://cdn-images-1.medium.com/max/1600/0*gkcC22N_n1khQCgb.jpg

Link HERE

##What is Cross-Site Scripting

https://cdn-images-1.medium.com/max/1600/1*xfi1xm-5tsGmxhLF-Z5scQ.jpeg

Link HERE

##And finally, the Future Of Work Will Be Told In Pictures

Nordstrom Innovation Lab: Design Thinking, Lean Startup, and Agile Execution

Link HERE – thanks to Andre

AND

Fully Automated Luxury Communism Isn’t Our Future

A new fantasy from the far left holds that, far from taking our jobs, automation could liberate us. But it’s a false hope.

https://cdn-images-1.medium.com/focal/1600/480/50/29/1*s6xlNT2ksoJIHMWe6TnhTw.jpeg

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackademic.co.in/youtube-bug/

Description: How I could have hijacked a victim’s YouTube notifications!

URL: https://www.cyberark.com/threat-research-blog/outlook-for-android-xss/

Description: Outlook for Android XSS (CVE-2019-1105).

Link HERE and credits to HERE
