Word of the week “Ambient Privacy”
Bruce Schneier – For the purposes of this essay, I’ll call it “ambient privacy” — the understanding that there is value in having our everyday interactions with one another remain outside the reach of monitoring, and that the small details of our daily lives should pass by unremembered. What we do at home, work, church, school, or in our leisure time does not belong in a permanent record. Not every conversation needs to be a deposition.
Until recently, ambient privacy was a simple fact of life. Recording something for posterity required making special arrangements, and most of our shared experience of the past was filtered through the attenuating haze of human memory. Even police states like East Germany, where one in seven citizens was an informer, were not able to keep tabs on their entire population. Today computers have given us that power. Authoritarian states like China and Saudi Arabia are using this newfound capacity as a tool of social control. Here in the United States, we’re using it to show ads. But the infrastructure of total surveillance is everywhere the same, and everywhere being deployed at scale.
Ambient privacy is not a property of people, or of their data, but of the world around us. Just like you can’t drop out of the oil economy by refusing to drive a car, you can’t opt out of the surveillance economy by forswearing technology (and for many people, that choice is not an option). While there may be worthy reasons to take your life off the grid, the infrastructure will go up around you whether you use it or not.
Because our laws frame privacy as an individual right, we don’t have a mechanism for deciding whether we want to live in a surveillance society. Congress has remained silent on the matter, with both parties content to watch Silicon Valley make up its own rules. The large tech companies point to our willing use of their services as proof that people don’t really care about their privacy. But this is like arguing that inmates are happy to be in jail because they use the prison library. Confronted with the reality of a monitored world, people make the rational decision to make the best of it.
That is not consent.
Word of the week special
“Security Architecture Anti-patterns” – from NCSC
JEDI Cloud from the Pentagon
“Harry Potter techniques in cyber security”
Authentication At Hogwarts: Lessons in Security Usability From the Wizarding World of Harry Potter.
Security usability is a complex topic of critical importance to any computer user, which, these days, can be almost anyone. Examples illustrating security usability concepts from a well-known and well-loved literary source like Harry Potter enhance both recognition and retention. Traditionally, people have learned life lessons from fables, fairy tales, parables and even urban legends. The ubiquity and popularity of the wizarding world of Harry Potter makes it a highly accessible source to mine for security usability education.
Link HERE – thanks to Paddy
Crypto challenge of the week
I speak without a mouth and hear without ears. I have no body, but I come alive with wind. What am I?
GDPR Enforcement Tracker
Link HERE – thanks to Marius
Privacy Periodic Table
Now: TLS 1.2 mandatory for proper security
The privacy of the TLS 1.3 protocol
TLS (Transport Layer Security) is a widely deployed protocol that plays a vital role in securing Internet traffic. Given the numerous known attacks on TLS 1.2, it was imperative to change and even redesign the protocol in order to address them. In August 2018, a new version of the protocol, TLS 1.3, was standardized by the IETF (Internet Engineering Task Force). TLS 1.3 not only benefits from stronger security guarantees, but aims to protect the identities of the server and client by encrypting messages as soon as possible during the authentication. In this paper, we model the privacy guarantees of TLS 1.3 when parties execute a full handshake or use session resumption, covering all the handshake modes of TLS. We build our privacy models on top of the one defined by Hermans et al. for RFIDs (Radio Frequency Identification Devices), which mostly targets authentication protocols. The enhanced models share similarities with the Bellare-Rogaway AKE (Authenticated Key Exchange) security model and consider adversaries that can compromise both types of participants in the protocol. In particular, modelling session resumption is non-trivial, given that session resumption tickets are essentially a state transmitted from one session to another, and such a link reveals information on the parties. On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and against more powerful ones.
HTTPS everywhere HERE
Book on the week/month
8 Books to choose from for your holidays
Enumeration Guide for your OSCP journey
Comic of the week
## Some OWASP stuff first
- NEW OWASP CHEATSHEETS WEBSITE
The OWASP Cheat Sheet Series was created to provide a concise collection of high-value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics.
- OWASP Container Security Verification Standard (CSVS)
The Container Security Verification Standard (CSVS) is a community effort to establish a framework of security requirements and controls that focuses on normalizing the functional and non-functional security controls required when designing, developing and testing container-based solutions, with a focus on Docker.
- What is Parameter Tampering
Parameter manipulation involves tampering with URL parameters to retrieve information that would otherwise be unavailable to the user. Risks from exploitation depend upon which parameter is being modified and the method by which it is submitted to the web application server. Parameter manipulation attacks can be used to achieve a number of objectives, including disclosure of files above the web root, extraction of information from a database and execution of arbitrary operating-system-level commands. Recommendations include adopting secure programming techniques to ensure that only expected data is accepted by an application.
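As an added illustration of the "only expected data" recommendation (example code written for this digest, not taken from OWASP or the linked article), the snippet below shows a file parameter handled the vulnerable way beside its hardened form, plus a record lookup that authorises the parsed id against the current user. `WEB_ROOT` and `RECORDS` are constructed sample values.

```python
import posixpath
import re

# Hypothetical deployment path, used only for this example.
WEB_ROOT = "/var/www/app/public"
# "Expected data" for a file parameter: a bare name, no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

def resolve_unsafe(web_root: str, filename: str) -> str:
    """The 'before' form: the parameter is joined to the root exactly as submitted,
    so '../' sequences walk above the web root."""
    return posixpath.normpath(posixpath.join(web_root, filename))

def resolve_safe(web_root: str, filename: str) -> str:
    """Hardened form: accept only the expected shape, then verify containment."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("unexpected file parameter")
    root = posixpath.normpath(web_root)
    target = posixpath.normpath(posixpath.join(root, filename))
    # Defence in depth: the resolved path must still sit under the web root.
    # (Against a real filesystem, also resolve symlinks, e.g. with os.path.realpath.)
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("path escapes web root")
    return target

# Constructed sample records, each owned by one user.
RECORDS = {
    101: {"owner": "alice", "body": "alice's invoice"},
    102: {"owner": "bob", "body": "bob's invoice"},
}

def fetch_record(current_user: str, record_param: str) -> str:
    """Parse the id as the expected type, then authorise against the owner,
    so editing the id in the URL cannot expose another user's record."""
    if not record_param.isdigit():
        raise ValueError("record id must be a positive integer")
    record = RECORDS.get(int(record_param))
    # Missing and foreign records get the same answer, so ids cannot be probed.
    if record is None or record["owner"] != current_user:
        raise PermissionError("no such record")
    return record["body"]
```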
- Tommy Ross — The BSA Framework for Secure Software
Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software. This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within.
The PDF is available on the BSA website HERE
OWASP events HERE
All InfoSec events HERE
OWASP LONDON event at Revolut
PS: Revolut offices are equipped with a free no-name payment card dispenser! Handy!
Remember AppSec TelAviv 23 hours of sec
Link to playlist HERE
The complete Security Events calendar – Peerlyst
Webcast – A BEAST and a POODLE celebrating SWEET32
In the last couple of years we have witnessed many SSL/TLS vulnerabilities with various acronyms: POODLE, BEAST, BREACH, CRIME, DROWN, FREAK and SWEET32, to name some. Almost every time, a snazzy logo and a lot of panic around the vulnerability made us believe that this is the end of secure communication on the Internet.
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
Scale of Magecart attacks growing
TrickBot malware develops new email infection capacity
2019 ACD report highlights progress in protecting UK cyberspace
Troy Hunt Weekly update 148
Incidents & events detail
Hacked UK forensic firm pays ransom after malware attack
Largest private provider Eurofins hands over undisclosed fee to regain control of systems
UK Met Police hacked with bizarre tweets and emails posted
Fieldwork Software database leak exposed sensitive SMB records, customer credit card details
vpnMentor cybersecurity researchers said 26GB of data was exposed in the breach. The leak was found as part of vpnMentor's web scanning project, in which ports are checked and analysed for open databases and the accidental public disclosure of sensitive corporate data.
Defending an Iconic Brand – Wimbledon – Cyber Security in a Distributed Hybrid Cloud Environment
The app everyone is using to make them look old now warns you it’s uploading your picture
Remember this one:
Backdoor found in Ruby library for checking for strong passwords
Cookie-accepting, eval-running backdoor found in popular Ruby library
Google deprecates XSS Auditor for Chrome
Data of ‘nearly all adults’ in Bulgaria stolen
New EvilGnome Backdoor Spies on Linux Users, Steals Their Files
Logitech wireless USB dongles vulnerable to new hijacking flaws
Vulnerabilities found in Logitech’s proprietary Unifying USB dongle technology
Researchers Easily Trick Cylance’s AI-Based Antivirus Into Thinking Malware Is ‘Goodware’
By taking strings from an online gaming program and appending them to malicious files, researchers were able to trick Cylance's AI-based antivirus engine into thinking programs like WannaCry and other malware are benign.
Lenovo Confirms 36TB Data Leak Security Vulnerability
How it works: Visa’s artificial intelligence (A.I.) for payment authorization and fraud detection
Link HERE – thanks to Naz
Research of the week
Featuring – The end of passwords
Adopt modern authentication technologies to provide ease of use without the risk of passwords
AUTOMATING LOCAL DTD DISCOVERY FOR XXE EXPLOITATION
Last month, we presented an XML External Entities (XXE) exploitation workshop at Hack In Paris (France). It showcased methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.
Investigating sources of PII used in Facebook’s targeted advertising
In this paper, we focus on Facebook and investigate the sources of PII used for its PII-based targeted advertising feature. We develop a novel technique that uses Facebook's advertiser interface to check whether a given piece of PII can be used to target some Facebook user, and use this technique to study how Facebook's advertising service obtains users' PII. We investigate a range of potential sources of PII, finding that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor authentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends' uploaded contact databases are all used by Facebook to allow advertisers to target users. These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings. Overall, our paper highlights the need for the careful design of usable privacy controls for, and detailed disclosure about, the use of sensitive PII in targeted advertising.
Tool of the week
AUTOMATE YOUR ANDROID APP REVERSE
Or hooking for dummies
Advanced Blind XSS payloads
BinaryNinja – Cloud Open Beta Is Live
Link HERE – thanks to TK
Commando VM: The First of Its Kind Windows Offensive Distribution
Kali NetHunter App Store – Public Beta
OWASP Zap chart for Kubernetes
Other interesting articles
## A proactive approach to more secure code
What if we could eliminate an entire class of vulnerabilities before they ever happened?
## Hacking macOS: How to Dump 1Password, KeePassX & LastPass Passwords in Plaintext
Password managers rely on the operating system's clipboard. An attacker can dump the clipboard contents and exfiltrate passwords.
## TALE OF A WORMABLE TWITTER XSS
In mid-2018, I found a stored XSS on Twitter in the least likely place you could think of. Yes, right in the tweet! But what makes this XSS so special is that it had the potential to be turned into a fully-fledged XSS worm.
## And finally, understanding Random Forest
How the Algorithm Works and Why it Is So Effective
Random forests are a personal favourite of mine. Coming from the world of finance and investments, the holy grail was always to build a bunch of uncorrelated models, each with a positive expected return, and then put them together in a portfolio to earn massive alpha (alpha = market beating returns). Much easier said than done!
Random forest is the data science equivalent of that. Let’s review one last time. What’s a random forest classifier?
The random forest is a classification algorithm consisting of many decision trees. It uses bagging and feature randomness when building each individual tree to try to create an uncorrelated forest of trees whose prediction by committee is more accurate than that of any individual tree.
What do we need in order for our random forest to make accurate class predictions?
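To make the three ingredients named above concrete (bagging, feature randomness at each split, and prediction by committee), here is a minimal pure-Python random forest classifier written for this digest; it is not the article's code and uses no ML library. The dataset is constructed: two informative features and one noise feature, with the label set by whether the two informative features sum above 10.

```python
import random
from collections import Counter

def make_data(n=120, seed=1):
    """Constructed toy data: features 0 and 1 decide the label, feature 2 is noise."""
    rng = random.Random(seed)
    rows = [[rng.uniform(0, 10) for _ in range(3)] for _ in range(n)]
    return [(x, int(x[0] + x[1] > 10)) for x in rows]
def gini(labels):
    return 1.0 - sum((c / len(labels)) ** 2 for c in Counter(labels).values())

def best_split(rows, features):
    # Lowest weighted Gini over a handful of candidate thresholds per feature.
    best = None
    for f in features:
        vals = sorted(x[f] for x, _ in rows)
        for t in vals[::max(1, len(vals) // 8)]:
            left = [y for x, y in rows if x[f] <= t]
            right = [y for x, y in rows if x[f] > t]
            if left and right:
                score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
                if best is None or score < best[0]:
                    best = (score, f, t)
    return best

def build_tree(rows, n_features, rng, depth=0, max_depth=4):
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if depth == max_depth or len(set(labels)) == 1:
        return majority  # leaf: predict the majority label
    # Feature randomness: each split only considers a random subset of the features.
    split = best_split(rows, rng.sample(range(len(rows[0][0])), n_features))
    if split is None: return majority
    _, f, t = split
    return (f, t, build_tree([r for r in rows if r[0][f] <= t], n_features, rng, depth + 1, max_depth),
            build_tree([r for r in rows if r[0][f] > t], n_features, rng, depth + 1, max_depth))
def predict_tree(tree, x):
    while isinstance(tree, tuple):  # descend until a leaf label is reached
        f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree

def train_forest(rows, n_trees=25, n_features=2, seed=0):
    rng = random.Random(seed)
    # Bagging: each tree is grown on its own bootstrap sample, drawn with replacement.
    return [build_tree([rng.choice(rows) for _ in rows], n_features, rng) for _ in range(n_trees)]
def predict_forest(forest, x):
    # Prediction by committee: the trees' majority vote.
    return Counter(predict_tree(t, x) for t in forest).most_common(1)[0][0]
def accuracy(forest, rows):
    return sum(predict_forest(forest, x) == y for x, y in rows) / len(rows)
```

Because the boundary is diagonal while each split is axis-aligned, no single shallow tree fits it well, which is exactly the situation where the committee vote pays off.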
HOW OUR BRAINS DECIDE WHEN TO TRUST
Trust is the enabler of global business — without it, most market transactions would be impossible. It is also a hallmark of high-performing organizations. Employees in high-trust companies are more productive, are more satisfied with their jobs, put in greater discretionary effort, are less likely to search for new jobs, and even are healthier than those working in low-trust companies. Businesses that build trust among their customers are rewarded with greater loyalty and higher sales. And negotiators who build trust with each other are more likely to find value-creating deals.
Despite the primacy of trust in commerce, its neurobiological underpinnings were not well understood until recently. Over the past 20 years, research has revealed why we trust strangers, which leadership behaviors lead to the breakdown of trust, and how insights from neuroscience can help colleagues build trust with each other — and help boost a company's bottom line.
## HACKING, TOOLS and FUN – CHECK BELOW!
Description: RCE via ImageTragick on SEMrush (Triage WTF!).
URL: http://bit.ly/32mecsz (+)
Description: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
Description: U-XSS in OperaMini for iOS Browser.