Word of the week
“Shift Left? Shift it right, too?”
Cost of course
Shift left in cloud?
Word of the week special
“Zero Trust Architecture”
Defense Innovation Board Pushing Zero Trust Architecture for Military
The Pentagon’s Defense Innovation Board (DIB) has approved a white paper that calls on the Department of Defense (DOD) to implement zero trust architecture (ZTA) for network access. The paper notes DOD’s current reliance on perimeter-based cybersecurity and says that “Zero Trust Architecture (ZTA) can significantly offset vulnerabilities and threats across DoD networks by creating discrete, granular access rules for specific applications and services within a network.”
Crypto challenge of the week
Cyber Security Challenge Australia 2018
CySCA 2018 In-a-box
Challenge 2019 will be available on 8-9 Oct 2019!
FTC REPORTEDLY HITS FACEBOOK WITH RECORD $5 BILLION SETTLEMENT
The Federal Trade Commission fined Facebook a record-setting $5 billion on Friday for privacy violations, according to multiple reports. The penalty comes after an investigation that lasted over a year, and marks the largest in the agency’s history by an order of magnitude.
AND the British Airways BREACH is worth £183m
The airline, owned by IAG, says it is “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO).
At the time, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website.
– thanks to Christophe
Now: TLS 1.2 mandatory for proper security
HTTPS everywhere HERE
Real Job Ad from LinkedIn
Book on the week/month
Les As du Web : cahier de vacances spécial Cybersécurité pour les 7/11 ans… et les parents ! – in French
Comic of the week
## Some OWASP stuff first
- OWASP: Application Security’s Best Friend
OWASP is vitally important to the application security and development community. All OWASP tools are free and are continually being improved and updated strictly by volunteers who are passionate about application security. The vast amount of tools, resources, and guidance that OWASP offers to assist in secure development and testing is an asset to the information security community. OWASP has been and will continue to be the go-to resource for application security professionals and developers. Hopefully this article has outlined many of the great resources that OWASP provides and highlighted the importance of this special community.
- Adam Shostack — Threat modeling layer 8 and conflict modelling – AppSec podcast
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8 or human beings, and explore the concept of conflict modeling.
- Smart cities, data protection and security implications
- Turning Your Weapons Against You. – Andrew Blane – Bsides London 2019
My talk is about using security tools set up by an organisation against itself. Specifically vulnerability scanners and NAC solutions. Generally organisations will scan hosts on a network without thinking about the consequences of doing this. Often security solutions will blindly attempt to authenticate to a host during the scanning process, which can be abused by an attacker to capture credentials used by the tool to authenticate to a large number of hosts within the enterprise. The talk will include information on general misconfigurations in these solutions and demos of how to exploit them. There will also be a remediation section at the end.
- AWS AND HACKERONE: FROM VILLAINS TO HEROES: THE HACKING EVOLUTION
- Nahamsec on Bounties
OWASP events HERE
All InfoSec events HERE
OWASP LONDON next week
Revolut has grown to over 5 million customers. This presentation will give an overview of the lessons we have learnt in scaling security that quickly, when security fundamentally represents customer trust.
Have you ever wanted to learn more about how payments work? Do you want to know how criminals bypass security mechanisms on Point of Sale terminals, ATMs and digital wallets? Payment technologies are a transparent part of our lives. They enable us to pay for everything from a coffee to a car. In the first part of this talk we take a look at payment technologies past, present and future. Learn how payments have evolved and what transactions look like today. Next we’ll dive into the different attacks that are possible with each transaction type and discuss which areas security teams should be focused on now, and in the future. Learn how hackers gain access to banking endpoints, bypass fraud detection mechanisms, and how they ultimately cash out.
Bots are generally seen as a bit of a nuisance and widely regarded as the weapon of choice for DDoS attacks. However, modern bots are capable of much more and are claimed to be behind three quarters of all attacks that hit web sites and APIs. Techniques such as rate limiting, IP blacklisting and even CAPTCHAs often do little to prevent the attacks as they evolve, evading controls which try to differentiate between bots and humans. In this session we’re going to look at what bots are and how they’re created, what they’re now capable of, which industries are most affected by them and how they are evolving to avoid our current defences.
HACK in Paris 2019
The complete Security Events calendar – Peerlyst
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
ICO issues notice of major fines for BA and Marriott
British Airways (BA) and US hotel group Marriott are facing significant fines, following high profile data breaches reported in 2018.
Zoom fixes video-on vulnerability
Troy Hunt Weekly update 146
Incidents & events detail
HACK BRIEF: A CARD-SKIMMING HACKER GROUP HIT 17K DOMAINS—AND COUNTING
Leaked Palantir ‘Gotham’ user manual shows how fast police and government can grab your info
Google’s Leaked Recordings Violate Data Security Policies
A report, based on findings by the Belgium-based broadcaster VRT NWS, revealed that Google employees routinely listened to audio files recorded by Google Home smart speakers and the Google Assistant on smartphones.
More than 1,000 Google Assistant recordings leaked
Serious Zoom security flaw could let websites hijack Mac cameras
Certificate Poisoning Threatens GnuPG
OpenPGP installations can break and fail to verify the authenticity of downloaded packages, as the key server network has been flooded with thousands of spam signatures attesting ownership of a certificate.
Did a hacked smart TV upload footage of couple having sofa s*x to a p*rn website?
UK watchdog plans to fine Marriott £99m
The penalty relates to a data breach that resulted in about 339 million guests having had their personal details exposed.
The incident is thought to date back to 2014 but was only discovered in 2018.
It comes a day after the Information Commissioner’s Office (ICO) said it planned to fine British Airways £183m over a separate breach.
The size of both penalties reflects the fact that the watchdog has greater powers as a result of the EU’s General Data Protection Regulation (GDPR), which came into force last year.
The Marriott data breach included 30 million guest records belonging to Europeans. It occurred within Starwood – a rival hotel group that Marriott acquired three years ago. The compromised guest reservation system has since been phased out.
7-Eleven Japan’s weak app security led to a $500,000 customer loss
The 7pay app was deactivated after just a couple of days
Facebook’s crypto presents a massive privacy problem
Research of the week
Smartcard Systems Redesigned
We successfully delivered the first centralized smartcard signing solution about a year ago. From this week, Windows legacy applications can use smart cards in the cloud.
State of Application Security at S&P Global World’s 100 Largest Banks
How to take over a Ruby gem and what to do with it / RubyKaigi 2019 presentation
leHACK 2019: Analyzing CVE-2018-8453: An interesting tale of UAF and Double Free in Windows Kernel
Tool of the week
33 Kubernetes security tools
Kubernetes image scanning and static analysis
Kubernetes runtime security
Kubernetes network security
Image distribution and secrets management
Kubernetes security audit
End-to-end Kubernetes security commercial products
Announcing the public preview of Azure AD support for FIDO2-based passwordless sign-in
A Java library for calculating CVSSv2 and CVSSv3 scores and vectors
EU Cyber Sanctions: A Welcome Tool, or Vapid Posturing?
Remember: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Other interesting articles
## The Economics of Penetration Testing for Web Application Security
The true cost of a pen test that nobody tells you about
## And finally, Google Photos is making your photos semi-public and you probably don’t realise
Whenever you share a photo with a specific person or account on Google Photos, it creates a link that will allow anyone in the world to view those photos, forever, until you go and manually deactivate that link in an obscure part of the interface.
Facial Recognition Tech Is Growing Stronger, Thanks to Your Face
## HACKING, TOOLS and FUN – CHECK BELOW!
Description: RCE through Deserialization Attack in OwnBackup app.
Description: Intro to Chrome’s (g)old features.