Security Stack Sheet #61

Word of the week

“Shift Left? Shift it right, too?”

https://blogs.bmc.com/wp-content/uploads/2017/07/GettyImages-103332502-copy.jpg

Cost of course

https://blogs.bmc.com/wp-content/uploads/2017/07/Per-IBM-Security-1024x288.jpg

Shift left in cloud?

Shift-Left-Unit-Integration-Tests

Links HERE and HERE and HERE and HERE and HERE

Word of the week special

“Zero Trust Architecture”

Defense Innovation Board Pushing Zero Trust Architecture for Military

The Pentagon’s Defense Innovation Board (DIB) has approved a white paper that calls on the Department of Defense (DoD) to implement zero trust architecture (ZTA) for network access. The paper notes DoD’s current reliance on perimeter-based cybersecurity and says that “Zero Trust Architecture (ZTA) can significantly offset vulnerabilities and threats across DoD networks by creating discrete, granular access rules for specific applications and services within a network.”
[Murray]
Current architectures and policies have been proven to be too vulnerable in the face of the increasingly hostile environment. “Zero trust” must go beyond structured networks or end-to-end application layer encryption to include strong authentication, least privilege access control, privileged access management (PAM), and continuous monitoring and measurement.


Links HERE and HERE

Bonus 


Link HERE


Link HERE


Link HERE


Link HERE

Crypto challenge of the week

Cyber Security Challenge Australia 2018

Cyber challenge Australia logo

CySCA 2018 In-a-box

Challenge 2019 will be available on 8-9 Oct 2019!

Link HERE Write-ups for 2018 HERE

 

Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

FTC REPORTEDLY HITS FACEBOOK WITH RECORD $5 BILLION SETTLEMENT

The Federal Trade Commission fined Facebook a record-setting $5 billion on Friday for privacy violations, according to multiple reports. The penalty comes after an investigation that lasted over a year and marks the largest in the agency’s history by an order of magnitude.


Link HERE

AND the British Airways BREACH draws a proposed £183m fine


The airline, owned by IAG, says it is “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO).

At the time, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website

Link HERE and remember the hack HERE

Breaches:

(breach chart – thanks to Christophe)

  • June 30th 2018: PCI DSS deadline to retire SSL and early TLS (TLS 1.0); TLS 1.1 was the bare minimum still allowed  BEWARE!

Link HERE

Now: TLS 1.2 (or 1.3) is the minimum for proper security; TLS 1.0 and 1.1 are deprecated and should be disabled

HTTPS everywhere HERE

  • Halloween Brexit! or later or not or bust Brexit Fatigue HERE
  • September 2019: PSD2 security mandatory
  • November 3rd 2020: Trump’s second term start
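Added example (not from the newsletter or any of the linked pages): a small Python probe that attempts a handshake with each TLS version pinned, then grades the result against the PCI DSS deadline and the TLS 1.2 minimum noted in the dates above. The target hostname is an assumption; point it at your own hosts. Newer OpenSSL builds increasingly refuse to speak TLS 1.0/1.1 at all, so a version reported as None means the probing machine could not test it, not that the server rejected it.

```python
"""Probe which TLS protocol versions a server still accepts.

Added example (not from the newsletter): a version-by-version handshake
probe using only the Python standard library, plus a pure function that
grades the result (SSL/early TLS no longer allowed by PCI DSS since
2018-06-30; TLS 1.2 the practical minimum).
"""
import socket
import ssl

# Oldest to newest. SSLv3 is omitted: modern OpenSSL cannot speak it.
PROBE_ORDER = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def _context_for(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # We are testing protocol support, not certificate validity.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL >= 1.1.1 refuses TLS 1.0/1.1 at the default security level;
    # lower it so the probe reflects the server's policy, not ours.
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Return {version_name: True|False|None}: accepted, rejected, or untestable."""
    results = {}
    for version in PROBE_ORDER:
        try:
            ctx = _context_for(version)
        except (ValueError, ssl.SSLError):
            results[version.name] = None  # our own TLS stack cannot speak it
            continue
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[version.name] = None  # network problem, not a verdict
            continue
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[version.name] = False  # handshake refused by the server
        finally:
            sock.close()
    return results


def grade(results):
    """Grade a probe result against the deadlines in the newsletter."""
    accepted = {name for name, ok in results.items() if ok}
    if "TLSv1" in accepted or "SSLv3" in accepted:
        return "FAIL: SSL/TLS 1.0 still accepted (not PCI DSS compliant since 2018-06-30)"
    if "TLSv1_1" in accepted:
        return "WARN: TLS 1.1 accepted (PCI minimum, but deprecated; disable it)"
    if accepted & {"TLSv1_2", "TLSv1_3"}:
        return "OK: only TLS 1.2+ accepted"
    return "UNKNOWN: no TLS version could be negotiated or tested"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target
    res = probe_versions(target)
    for name in [v.name for v in PROBE_ORDER]:
        print(f"{name:8s} {res.get(name)}")
    print(grade(res))
```

Run it as `python tls_probe.py your.host.example`. The grade deliberately treats an untestable version as not accepted: a FAIL needs positive evidence of a legacy handshake, which avoids false alarms from a probing host whose own OpenSSL cannot do TLS 1.0 any more.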


Real Job Ad from LinkedIn

Book on the week/month

Les As du Web : cahier de vacances spécial Cybersécurité pour les 7/11 ans… et les parents ! (“Web Aces: a cybersecurity holiday workbook for 7 to 11 year-olds… and their parents!”) – in French

Les As du Web

Link HERE Workbook HERE

 

Comic of the week

Finding A Scapegoat - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP: Application Security’s Best Friend

OWASP is vitally important to the application security and development community. All OWASP tools are free and are continually being improved and updated strictly by volunteers who are passionate about application security. The vast amount of tools, resources, and guidance that OWASP offers to assist in secure development and testing is an asset to the information security community. OWASP has been and will continue to be the go-to resource for application security professionals and developers. Hopefully this article has outlined many of the great resources that OWASP provides and highlights the importance of this special community

Link HERE

-Adam Shostack — Threat modeling layer 8 and conflict modelling – AppSec podcast

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He’s a member of the Black Hat Review Board and helped create CVE, among many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups. Adam is known for his work with threat modeling. In this episode, we take threat modeling to a whole new level as we explore the idea of threat modeling layer 8, or human beings, and explore the concept of conflict modeling.

You’ll find Adam’s conflict modeling work on GitHub HERE

Link HERE

-Smart cities, data protection and security implications

https://gdpr.report/wp-content/uploads/2019/07/Joe-Dignan-635x360.png

Link HERE

-Turning Your Weapons Against You. – Andrew Blane – Bsides London 2019

My talk is about using security tools set up by an organisation against itself, specifically vulnerability scanners and NAC solutions. Generally organisations will scan hosts on a network without thinking about the consequences of doing this. Often security solutions will blindly attempt to authenticate to a host during the scanning process, which can be abused by an attacker to capture the credentials used by the tool to authenticate to a large number of hosts within the enterprise. The talk will include information on general misconfigurations in these solutions and demos of how to exploit them. There will also be a remediation section at the end.

Link HERE
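On the remediation side, an added example (not from the talk or the newsletter): an authenticated scanner presents the same credentials to every host it touches, so a rogue host that captures them can replay them anywhere. A cheap detective control is to alert whenever the scanner’s service account authenticates from a source address that is not one of the scanner appliances. The sshd-style log lines, account names and addresses below are constructed for the example.

```python
"""Spot a vulnerability scanner's credentials being replayed from elsewhere.

Added example, not part of the talk: the scanner service account should
only ever authenticate from the scanner appliances. Any other source
address means the credential has leaked (or someone is guessing it).
Log lines, account names and addresses are constructed/assumed.
"""
import ipaddress
import re
from collections import Counter

# Assumed inventory: the only addresses allowed to use the scanner accounts.
SCANNER_ACCOUNTS = {"svc-nessus", "svc-qualys"}
SCANNER_SOURCES = [ipaddress.ip_network("10.20.0.10/32"),
                   ipaddress.ip_network("10.20.0.11/32")]

# Matches OpenSSH "Accepted ..." and "Failed ..." lines for any auth method.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+|[0-9a-fA-F:]+) port \d+"
)

# Constructed sample: two legitimate scans, one replay of the scanner
# password from a workstation VLAN, one failed attempt from the same box,
# and an unrelated login that must not be flagged.
SAMPLE_LOG = """\
Jul 12 09:00:01 web01 sshd[2201]: Accepted publickey for svc-nessus from 10.20.0.10 port 51022 ssh2: RSA SHA256:abc
Jul 12 09:00:07 db01 sshd[1187]: Accepted password for svc-nessus from 10.20.0.11 port 51030 ssh2
Jul 12 09:14:33 db01 sshd[1190]: Accepted password for svc-nessus from 10.77.3.45 port 40211 ssh2
Jul 12 09:15:02 db01 sshd[1191]: Failed password for svc-nessus from 10.77.3.45 port 40212 ssh2
Jul 12 09:16:10 web01 sshd[2210]: Accepted publickey for deploy from 10.77.3.45 port 40300 ssh2: ED25519 SHA256:def
"""


def parse_auth(line):
    """Return a dict of fields for an sshd auth line, or None if it is not one."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None


def is_scanner_source(addr):
    """True if the address belongs to a known scanner appliance."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SCANNER_SOURCES)


def find_replayed_scanner_logins(log_text):
    """Events where a scanner account authenticated (or tried to) from a non-scanner IP."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth(line)
        if ev is None or ev["user"] not in SCANNER_ACCOUNTS:
            continue
        if not is_scanner_source(ev["src"]):
            alerts.append({
                "time": ev["ts"], "host": ev["host"], "user": ev["user"],
                "src": ev["src"], "result": ev["result"], "method": ev["method"],
            })
    return alerts


def summarize(alerts):
    """Count alerts per offending source: one stolen credential, many targets."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    hits = find_replayed_scanner_logins(SAMPLE_LOG)
    for a in hits:
        print(f"{a['time']} {a['host']}: {a['result']} {a['method']} for "
              f"{a['user']} from non-scanner address {a['src']}")
    print(summarize(hits))
```

Failed attempts are reported as well as successes: a burst of failures for the scanner account from an unexpected address is an early sign that someone has the username and is working on the password. The same rule translates directly into a SIEM query keyed on the scanner account and a source allow-list.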

-AWS AND HACKERONE: FROM VILLAINS TO HEROES: THE HACKING EVOLUTION

Link HERE

-Nahamsec on Bounties


Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

OWASP LONDON next week


  • Lightning Talk – “Scaling Security – Move fast and make things” – Paul Heffernan

Revolut has grown to over 5 million customers. This presentation will give an overview of the lessons we have learnt about scaling security that quickly, when security fundamentally represents customer trust.

  • “Hack In, Cash Out: Hacking and Securing Payment Technologies” – Tim Yunusov

Have you ever wanted to learn more about how payments work? Do you want to know how criminals bypass security mechanisms on Point of Sale terminals, ATMs and digital wallets? Payment technologies are a transparent part of our lives. They enable us to pay for everything from a coffee to a car. In the first part of this talk we take a look at payment technologies past, present and future. Learn how payments have evolved and what transactions look like today. Next we’ll dive into the different attacks that are possible with each transaction type and discuss which areas security teams should be focused on now, and in the future. Learn how hackers gain access to banking endpoints, bypass fraud detection mechanisms, and how they ultimately cash out.

  • “Advanced Bots and Security Evasion Techniques” – David Warburton

Bots are generally seen as a bit of a nuisance and widely regarded as the weapon of choice for DDoS attacks. However, modern bots are capable of much more and are claimed to be behind three quarters of all attacks that hit web sites and APIs. Techniques such as rate limiting, IP blacklisting and even CAPTCHAs often do little to prevent the attacks as they evolve, evading controls which try to differentiate between bots and humans. In this session we’re going to look at what bots are and how they’re created, what they’re now capable of, which industries are most affected by them and how they are evolving to avoid our current defences.

Link HERE

HACK in Paris 2019

https://yt3.ggpht.com/a/AGF-l7-MlQm_bk2c1zig7jAaasug0HbsK49K2wKAHw=s288-mo-c-c0xffffffff-rj-k-no

Slides and videos HERE and HERE

The complete Security Events calendar – Peerlyst

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


ICO issues notice of major fines for BA and Marriott

British Airways (BA) and US hotel group Marriott are facing significant fines, following high profile data breaches reported in 2018.

The Information Commissioner’s Office (ICO) has issued notices of intent to fine BA a record £183m, whilst Marriott faces a £92.2m penalty. You can read the ICO’s statements on their website

Zoom fixes video-on vulnerability

Following widespread media coverage on what was considered a “low-risk” vulnerability, Zoom has pushed out a patch to fix a zero-day vulnerability for Mac users who have the Zoom app installed.

It was reported that the vulnerability could allow hackers to access Mac webcams, forcing users to launch a video chat

Link HERE

Troy Hunt Weekly update 146


Link HERE

 

Incidents & events detail

HACK BRIEF: A CARD-SKIMMING HACKER GROUP HIT 17K DOMAINS—AND COUNTING


Link HERE

Leaked Palantir ‘Gotham’ user manual shows how fast police and government can grab your info

Link HERE

Google’s Leaked Recordings Violate Data Security Policies

A report by the Belgian broadcaster VRT NWS revealed that Google employees routinely listened to audio files recorded by Google Home smart speakers and by the Google Assistant on smartphones.

Link HERE

AND

More than 1,000 Google Assistant recordings leaked

Link HERE

Serious Zoom security flaw could let websites hijack Mac cameras


Links HERE and HERE

Certificate Poisoning Threatens GnuPG

OpenPGP installations can break and fail to verify the authenticity of downloaded packages, as the key server network has been flooded with thousands of spam signatures attesting ownership of a certificate.

Link HERE
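Practical mitigation, added here and not taken from the linked article: GnuPG 2.2.17 (released July 2019) changed keyserver imports to drop third-party key signatures by default, which is what makes a poisoned certificate unusable. The gpg.conf fragment below applies the same settings explicitly and switches the keyserver to keys.openpgp.org, which does not distribute third-party signatures at all. It assumes GnuPG 2.2.17 or later (the `self-sigs-only` option does not exist in earlier releases).

```conf
# gpg.conf: defend against certificates poisoned with spam signatures
# (assumes GnuPG >= 2.2.17, where these are already the defaults)

# Fetch from a keyserver that never serves third-party signatures
keyserver hkps://keys.openpgp.org

# When importing from any keyserver, keep only the key's own self-signatures
# and strip anything that cannot be verified with keys in the keyring
keyserver-options self-sigs-only,import-clean
```

A certificate that was already imported in its poisoned state should be deleted with `gpg --delete-keys <fingerprint>` and re-fetched under these options rather than cleaned in place, since the slow part is parsing the tens of thousands of bogus signatures in the first place.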

Did a hacked smart TV upload footage of couple having sofa s*x to a p*rn website?

Link HERE

UK watchdog plans to fine Marriott £99m

The penalty relates to a data breach that resulted in about 339 million guests having had their personal details exposed.

The incident is thought to date back to 2014 but was only discovered in 2018.

It comes a day after the Information Commissioner’s Office (ICO) said it planned to fine British Airways £183m over a separate breach.

The size of both penalties reflects the fact that the watchdog has greater powers as a result of the EU’s General Data Protection Regulation (GDPR), which came into force last year.

The Marriott data breach included 30 million guest records belonging to Europeans. It occurred within Starwood – a rival hotel group that Marriott acquired three years ago. The compromised guest reservation system has since been phased out

Link HERE

7-Eleven Japan’s weak app security led to a $500,000 customer loss

The 7pay app was deactivated after just a couple of days

Link HERE

Facebook’s crypto presents a massive privacy problem

Link HERE

Research of the week

Smartcard Systems Redesigned

We have successfully delivered the first centralized smartcard signing solution about a year ago. From this week, Windows legacy applications can use smart cards in the cloud.

At the beginning, there was a hardware platform that made smartcards available via TCP/IP. We used it extensively as a local hardware crypto provider – it is amazing to have a few hundred encryption engines with FIPS 140-2 security certification in a 1U server enclosure.

https://magicofsecurity.com/wp-content/uploads/2019/07/CloudFoxy_eIDAS_PDF_signing-1-1024x766.png

Link HERE

State of Application Security at S&P Global World’s 100 Largest Banks

KEY FINDINGS

Compliance:

– 85 e-banking web applications failed GDPR compliance test

– 49 e-banking web applications failed PCI DSS compliance test

– 25 e-banking web applications are not protected by a Web Application Firewall

Security Vulnerabilities:

– 7 e-banking web applications contain known and exploitable vulnerabilities

– The oldest unpatched vulnerability is known and publicly disclosed since 2011

– 92% of mobile banking applications contain at least 1 medium-risk security vulnerability

– 100% of the banks have security vulnerabilities or issues related to forgotten subdomains

Link HERE

How to take over a Ruby gem and what to do with it / RubyKaigi 2019 presentation

Link HERE

leHACK 2019: Analyzing CVE-2018-8453: An interesting tale of UAF and Double Free in Windows Kernel

Link HERE

 

Tool of the week

33 Kubernetes security tools

Kubernetes image scanning and static analysis

Kubernetes runtime security

Kubernetes network security

Image distribution and secrets management

Kubernetes security audit

End-to-end Kubernetes security commercial products

Link HERE

Announcing the public preview of Azure AD support for FIDO2-based passwordless sign-in

Link HERE AND Your Pa$$word doesn’t matter HERE

CVSS Calculator

A Java library for calculating CVSSv2 and CVSSv3 scores and vectors

Link HERE

EU Cyber Sanctions: A Welcome Tool, or Vapid Posturing?

Link HERE

Remember: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Link HERE

 

Other interesting articles

##The Economics of Penetration Testing for Web Application Security

The true cost of a pen test that nobody tells you about


Link HERE

##And finally, Google Photos is making your photos semi-public and you probably don’t realise

Whenever you share a photo with a specific person or account on Google Photos, it creates a link that will allow anyone in the world to view those photos, forever, until you go and manually deactivate that link in an obscure part of the interface.


Link HERE

AND

Facial Recognition Tech Is Growing Stronger, Thanks to Your Face

The Brainwash database, created by Stanford University researchers, contained more than 10,000 images and nearly 82,000 annotated heads.

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/562335

Description: RCE through Deserialization Attack in OwnBackup app.

URL: https://shhnjk.blogspot.com/2019/07/intro-to-chromes-gold-features.html

Description: Intro to Chrome’s (g)old features.

Link HERE and credits to HERE

 

 

 

 
