## Word of the week: “Ambient Privacy”

Bruce Schneier – For the purposes of this essay, I’ll call it “ambient privacy” — the understanding that there is value in having our everyday interactions with one another remain outside the reach of monitoring, and that the small details of our daily lives should pass by unremembered. What we do at home, work, church, school, or in our leisure time does not belong in a permanent record. Not every conversation needs to be a deposition.

Until recently, ambient privacy was a simple fact of life. Recording something for posterity required making special arrangements, and most of our shared experience of the past was filtered through the attenuating haze of human memory. Even police states like East Germany, where one in seven citizens was an informer, were not able to keep tabs on their entire population. Today computers have given us that power. Authoritarian states like China and Saudi Arabia are using this newfound capacity as a tool of social control. Here in the United States, we’re using it to show ads. But the infrastructure of total surveillance is everywhere the same, and everywhere being deployed at scale.

Ambient privacy is not a property of people, or of their data, but of the world around us. Just like you can’t drop out of the oil economy by refusing to drive a car, you can’t opt out of the surveillance economy by forswearing technology (and for many people, that choice is not an option). While there may be worthy reasons to take your life off the grid, the infrastructure will go up around you whether you use it or not.

Because our laws frame privacy as an individual right, we don’t have a mechanism for deciding whether we want to live in a surveillance society. Congress has remained silent on the matter, with both parties content to watch Silicon Valley make up its own rules. The large tech companies point to our willing use of their services as proof that people don’t really care about their privacy. But this is like arguing that inmates are happy to be in jail because they use the prison library. Confronted with the reality of a monitored world, people make the rational decision to make the best of it. That is not consent.

Links HERE and HERE, and Ambient Threat – thanks to Paddy
## Word of the week special: “Security Architecture Anti-patterns” – from NCSC

Link HERE – thanks to Richard / Other links HERE and HERE and HERE and HERE, and JEDI Cloud from the Pentagon, Link HERE

## “Harry Potter techniques in cyber security”

Authentication At Hogwarts: Lessons in Security Usability From the Wizarding World of Harry Potter. Security usability is a complex topic of critical importance to any computer user which, these days, can be almost anyone. Examples illustrating security usability concepts from a well-known and well-loved literary source like Harry Potter enhance both recognition and retention. Traditionally people have learned life lessons from fables, fairy tales, parables and even urban legends. The ubiquity and popularity of the wizarding world of Harry Potter makes it a highly accessible source to mine for security usability education. Link HERE – thanks to Paddy
Bonus: Kerberos Infographic. Link HERE, Link HERE, Link HERE
## Crypto challenge of the week

I speak without a mouth and hear without ears. I have no body, but I come alive with wind. What am I?
## Dates

GDPR Enforcement Tracker. Link HERE – thanks to Marius. Link HERE

Privacy Periodic Table. Link HERE
Link HERE

Now: TLS 1.2 mandatory for proper security

The privacy of the TLS 1.3 protocol

TLS (Transport Layer Security) is a widely deployed protocol that plays a vital role in securing Internet traffic. Given the numerous known attacks for TLS 1.2, it was imperative to change and even redesign the protocol in order to address them. In August 2018, a new version of the protocol, TLS 1.3, was standardized by the IETF (Internet Engineering Task Force). TLS 1.3 not only benefits from stronger security guarantees, but aims to protect the identities of the server and client by encrypting messages as soon as possible during the authentication. In this paper, we model the privacy guarantees of TLS 1.3 when parties execute a full handshake or use a session resumption, covering all the handshake modes of TLS. We build our privacy models on top of the one defined by Hermans et al. for RFIDs (Radio Frequency Identification Devices) that mostly targets authentication protocols. The enhanced models share similarities to the Bellare-Rogaway AKE (Authenticated Key Exchange) security model and consider adversaries that can compromise both types of participants in the protocol. In particular, modelling session resumption is non-trivial, given that session resumption tickets are essentially a state transmitted from one session to another and such a link reveals information on the parties. On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and against more powerful ones. Link HERE

HTTPS everywhere HERE
## Book of the week/month

8 Books to choose from for your holidays. Link HERE

Enumeration Guide for your OSCP journey. Link HERE, plus Prep guide HERE
## Comic of the week
## Some OWASP stuff first

- NEW OWASP CHEATSHEETS WEBSITE. The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. Link HERE
- OWASP Container Security Verification Standard (CSVS). The Container Security Verification Standard (CSVS) is a community effort to establish a framework of security requirements and controls that focus on normalizing the functional and non-functional security controls required when designing, developing and testing container-based solutions, with a focus on Docker. Link HERE, Link HERE, Link HERE
- What is Parameter Tampering? Parameter manipulation involves tampering with URL parameters to retrieve information that would otherwise be unavailable to the user. Risks from exploitation depend upon what parameter is being modified, and the method by which it is submitted to the web application server. Parameter manipulation attacks can be used to achieve a number of objectives, including disclosure of files above the web root, extraction of information from a database and execution of arbitrary operating-system level commands. Recommendations include adopting secure programming techniques to ensure that only expected data is accepted by an application. Link HERE
- Tommy Ross — The BSA Framework for Secure Software. Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software. This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within. If you’d like to comment or collaborate on this document, it is available in the review form at HERE. The PDF is available on the BSA website HERE. Link HERE
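As an added illustration of the parameter tampering recommendation above (example code written for this digest, not taken from OWASP or the linked article), here is a record lookup that trusts a URL parameter beside one that accepts only expected, well-formed values and checks ownership server-side. The invoice table, user names and request dictionaries are constructed sample data.

```python
"""Parameter tampering: a vulnerable lookup beside its hardened form.

Added example; the INVOICES table, user names and request dicts are
constructed sample data, not anything from the linked article.
"""
import re

# Constructed sample data: invoice id -> (owner, amount)
INVOICES = {
    "1001": ("alice", 120.00),
    "1002": ("bob", 980.50),
}

# Allowlist: the only parameter this endpoint expects, and its exact shape.
EXPECTED_PARAMS = {"invoice_id": re.compile(r"^[0-9]{4}$")}


def vulnerable_get_invoice(params, session_user):
    """Trusts the URL parameter: anyone who sends ?invoice_id=1002 gets it."""
    return INVOICES.get(params.get("invoice_id"))


def hardened_get_invoice(params, session_user):
    """Accept only expected, well-formed parameters, then enforce ownership."""
    # 1. Reject parameters the endpoint did not ask for (e.g. ?admin=true).
    unexpected = set(params) - set(EXPECTED_PARAMS)
    if unexpected:
        raise ValueError(f"unexpected parameter(s): {sorted(unexpected)}")
    # 2. Validate the shape of every value before it reaches a lookup, file
    #    path or query; "../../etc/passwd" fails here, never reaching step 3.
    for name, pattern in EXPECTED_PARAMS.items():
        value = params.get(name)
        if value is None or not pattern.fullmatch(value):
            raise ValueError(f"malformed parameter: {name}")
    # 3. Authorize on the server: the record must belong to the session user,
    #    regardless of which id the client chose to send.
    record = INVOICES.get(params["invoice_id"])
    if record is None or record[0] != session_user:
        raise PermissionError("invoice not found or not owned by caller")
    return record


if __name__ == "__main__":
    tampered = {"invoice_id": "1002"}  # bob's invoice, requested by alice
    print(vulnerable_get_invoice(tampered, "alice"))  # ('bob', 980.5): leaked
    try:
        hardened_get_invoice(tampered, "alice")
    except PermissionError as exc:
        print("hardened:", exc)
```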
## Events

OWASP events HERE. All InfoSec events HERE.

OWASP LONDON event at Revolut. Presentation HERE

Ps: Revolut offices are equipped with a free no-name payment card dispenser! Handy! Link HERE

Remember AppSec TelAviv: 23 hours of sec. Link to playlist HERE

The complete Security Events calendar – Peerlyst. Link HERE

Webcast – A BEAST and a POODLE celebrating SWEET32. In the last couple of years we have witnessed many SSL/TLS vulnerabilities with various acronyms: POODLE, BEAST, BREACH, CRIME, DROWN, FREAK and SWEET32 – to name some. Almost every time, a snazzy logo and a lot of panic around the vulnerability made us believe that this is the end of secure communication on the Internet. However, we are yet to see any real hacks that actually exploited one of the above mentioned vulnerabilities. This presentation will explain how these vulnerabilities work and will comment on their viability for web, mobile and fat client applications. Link HERE
## Incidents

Global ALERT level BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. Incident data HERE. Find your country.

NCSC Weekly Threat Report

Scale of Magecart attacks growing. The scale of the Magecart web skimming malware, a scam which attempts to harvest payment information via malicious JavaScript, is ‘much larger than previously reported’ according to a new RiskIQ study. Magecart is targeting unprotected AWS S3 buckets, used to store uploaded data including card details. It has reportedly compromised over 17,000 websites since April.

TrickBot malware develops new email infection capacity. A recent report from cyber security company Deep Instinct has revealed that the Trickbot malware has returned with a new variant, ‘TrickBooster’, which attacks individuals’ email accounts. TrickBot, a piece of malware circulating since 2016, was designed to access online accounts with the goal of obtaining Personally Identifiable Information (PII) which can be used to facilitate identity fraud.

2019 ACD report highlights progress in protecting UK cyberspace. The 2019 Active Cyber Defence (ACD) report was released earlier this week showing real progress protecting UK citizens and dissuading criminals. The report, published by the NCSC and its Technical Director Ian Levy, shared impressive figures for 2018 including:

Link HERE

Troy Hunt Weekly update 148. Link HERE
## Incidents & events detail

- Hacked UK forensic firm pays ransom after malware attack. Largest private provider Eurofins hands over undisclosed fee to regain control of systems. Link HERE
- UK Met Police hacked with bizarre tweets and emails posted. Link HERE
- Fieldwork Software database leak exposed sensitive SMB records, customer credit card details. vpnMentor cybersecurity researchers said 26GB of data was exposed in the breach. The leak was found as part of vpnMentor’s web scanning project, in which ports are checked and analysed for open databases and the accidental public disclosure of sensitive, corporate data. Link HERE
- Defending an Iconic Brand – Wimbledon – Cyber Security in a Distributed Hybrid Cloud Environment. Link HERE
- The app everyone is using to make them look old now warns you it’s uploading your picture. Link HERE
- Remember this one: Backdoor found in Ruby library for checking for strong passwords. Cookie-accepting, eval-running backdoor found in popular Ruby library. Link HERE
- Google deprecates XSS Auditor for Chrome. Link HERE
- Data of ‘nearly all adults’ in Bulgaria stolen. Link HERE
- New EvilGnome Backdoor Spies on Linux Users, Steals Their Files. Link HERE
- Logitech wireless USB dongles vulnerable to new hijacking flaws. Vulnerabilities found in Logitech’s proprietary Unifying USB dongle technology. Link HERE and tool HERE – thanks to Sylwester
- Researchers Easily Trick Cylance’s AI-Based Antivirus Into Thinking Malware Is ‘Goodware’. By taking strings from an online gaming program and appending them to malicious files, researchers were able to trick Cylance’s AI-based antivirus engine into thinking programs like WannaCry and other malware are benign. Link HERE
- Lenovo Confirms 36TB Data Leak Security Vulnerability. Link HERE
- How it works: Visa’s artificial intelligence (A.I.) for payment authorization and fraud detection. Link HERE – thanks to Naz
## Research of the week

Featuring – The end of passwords. Adopt modern authentication technologies to provide ease of use without the risk of passwords. Link HERE. Another link HERE and another HERE. Risks of password managers HERE

AUTOMATING LOCAL DTD DISCOVERY FOR XXE EXPLOITATION. Last month, we presented at Hack In Paris (France) an XML External Entities (XXE) exploitation workshop. It showcased methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files. Link HERE

Investigating sources of PII used in Facebook’s targeted advertising. In this paper, we focus on Facebook and investigate the sources of PII used for its PII-based targeted advertising feature. We develop a novel technique that uses Facebook’s advertiser interface to check whether a given piece of PII can be used to target some Facebook user, and use this technique to study how Facebook’s advertising service obtains users’ PII. We investigate a range of potential sources of PII, finding that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor authentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends’ uploaded contact databases are all used by Facebook to allow advertisers to target users. These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings. Overall, our paper highlights the need for the careful design of usable privacy controls for, and detailed disclosure about, the use of sensitive PII in targeted advertising. Link HERE
## Tool of the week

- DEXCALIBUR – Automate your Android app reverse, or hooking for dummies
- Advanced Blind XSS payloads. Link HERE
- BinaryNinja – Cloud Open Beta Is Live. Link HERE – thanks to TK
- Commando VM: The First of Its Kind Windows Offensive Distribution. Link HERE
- Kali NetHunter App Store – Public Beta. Link HERE
- OWASP ZAP chart for Kubernetes. Link HERE
## Other interesting articles

## A proactive approach to more secure code

What if we could eliminate an entire class of vulnerabilities before they ever happened? Link HERE
## Hacking macOS: How to Dump 1Password, KeePassX & LastPass Passwords in Plaintext

Password managers rely on the operating system’s clipboard. An attacker can dump the clipboard contents and exfiltrate passwords. Link HERE
## TALE OF A WORMABLE TWITTER XSS

In mid-2018, I found a stored XSS on Twitter in the least likely place you could think of. Yes, right in the tweet! But what makes this XSS so special is that it had the potential to be turned into a fully-fledged XSS worm. Link HERE
## And finally, understanding Random Forest

How the Algorithm Works and Why it Is So Effective. Random forests are a personal favourite of mine. Coming from the world of finance and investments, the holy grail was always to build a bunch of uncorrelated models, each with a positive expected return, and then put them together in a portfolio to earn massive alpha (alpha = market beating returns). Much easier said than done! Random forest is the data science equivalent of that. Let’s review one last time. What’s a random forest classifier? The random forest is a classification algorithm consisting of many decision trees. It uses bagging and feature randomness when building each individual tree to try to create an uncorrelated forest of trees whose prediction by committee is more accurate than that of any individual tree. What do we need in order for our random forest to make accurate class predictions? Link HERE

AND HOW OUR BRAINS DECIDE WHEN TO TRUST. Trust is the enabler of global business — without it, most market transactions would be impossible. It is also a hallmark of high-performing organizations. Employees in high-trust companies are more productive, are more satisfied with their jobs, put in greater discretionary effort, are less likely to search for new jobs, and even are healthier than those working in low-trust companies. Businesses that build trust among their customers are rewarded with greater loyalty and higher sales. And negotiators who build trust with each other are more likely to find value-creating deals. Despite the primacy of trust in commerce, its neurobiological underpinnings were not well understood until recently. Over the past 20 years, research has revealed why we trust strangers, which leadership behaviors lead to the breakdown of trust, and how insights from neuroscience can help colleagues build trust with each other — and help boost a company’s bottom line. Link HERE
## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine – Must see

- URL: https://hackerone.com/reports/403417
  Description: RCE via ImageTragick on SEMrush (Triage WTF!).
- URL: http://bit.ly/32mecsz (+)
  Description: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
- URL: https://blog.rakeshmane.com/2019/07/u-xss-in-operamini-for-ios-browser-0-day.html
  Description: U-XSS in OperaMini for iOS Browser.
Love watching sunset!