Security Stack Sheet #64

Word of the week

“Doxxing” and “getting doxxed”

Doxxing is research-based work in which the doxxer uses different mediums to collect personal information about a target, mostly from online sources. A lot of data about each person is stored on the internet, including what they share on social media platforms and the sites they visit frequently.


Links HERE and HERE and HERE

Bonus 



Link HERE


Link HERE


Link HERE – thanks to Mike

AntiVirus Recommendations for Marriage


Link HERE

Crypto challenge of the week

https://simonsingh.net/wp-content/uploads/2010/11/267.jpg

Link HERE


Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Link HERE – thanks to Marius

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective


Link HERE

  • June 30th 2018: PCI DSS deadline to migrate off SSL and early TLS (TLS 1.0); TLS 1.1 or higher has been the minimum since then  BEWARE!

Link HERE

Now: TLS 1.2 (or TLS 1.3) should be the minimum for proper security; TLS 1.1 only satisfies the letter of the requirement

HTTPS everywhere HERE


  • Halloween Brexit! or later or not or bust Brexit Fatigue HERE
  • September 2019: PSD2 security mandatory
  • November 3rd 2020: US presidential election (a Trump second term would start January 20th 2021)
  • 2022 – First trip to Mars according to Elon Musk

Book on the week/month

Collection of links to security stuff

The books are HERE

Selection

The Circle

Synopsis: a Facebook-like company tries to record, store and make public all information, both public and private, “for the greater good”. But how good is a world in which a single company has a monopoly on all information?

Link HERE and Other useful AppSec learning resources HERE


Comic of the week

When Can You Meet - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP Threat Model Cookbook

Currently the landscape of threat modeling is limited to a few books and methodologies that are widely accessible and in some cases open source. However, there is a lack of openly available content that goes beyond blanket examples for existing methodologies. For instance, you could read a timeless, excellent book, but the few complete examples it provides are outdated, because technology changes rapidly while threat model methodologies change at a slower pace.

This project is scoped so that its only outcomes are examples. You could infer your own methodology, using the examples as components for your own toolbox of techniques. You could also simply follow a prescriptive, well-defined method and refer to this project's deliverables for examples of similar techniques.

Link HERE

-Introduction to AppSec Slides


Link HERE

-Angular and the OWASP Top 10 by Philippe De Ryck

The OWASP Top 10 is one of the most influential security documents of all time. A couple of years ago, these 10 security issues impacted almost every web application. Today, however, the web application landscape has fragmented: monoliths have become frontends, backends and third-party APIs. As a result it has become harder to figure out which security measures belong where, and security overall has become a lot more complicated. In this talk we explore the relationship between the OWASP Top 10 and Angular applications. We will see that some issues are barely relevant in an Angular world, that Angular addresses some issues out of the box, and which issues require the most attention in an Angular application.

Link HERE


Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE


Link HERE

BlackHat USA 2019 – 3-8 August


See this one: HTTP Desync Attacks: Smashing into the Cell Next Door

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


NCSC Weekly Threat Report


Google highlights vulnerabilities found in iMessage

Five flaws in Apple’s iMessage software could make devices vulnerable to attack according to bug-hunters at Google.

In one example, the researchers commented that the only way to rescue a targeted iPhone would be to delete all the data from it, whilst another highlighted issue could see files being copied from a device without the owner doing anything to aid the hack.

Apple released fixes last week that protect devices from these flaws. A device already hit by the first of them can only be recovered by wiping all its data.

A sixth flaw was also reported to Apple by the bug-hunters which, at the time of writing, has not yet been rectified.

Symantec report a revival in extortion scam emails

Symantec has revealed that they blocked almost 300 million extortion scam emails in the first five months of 2019, with a visible peak in a two-week period in February.

The surge was not associated with one particular scam, although sextortion emails are seen frequently by the company. Other variations include: 

  • English language: Plaintext, no URL in body
  • Bomb threat theme
  • Using PNG and JPEG images: Email has a PNG or JPEG attachment, which contains the Bitcoin wallet address
  • Using PDF attachment: Coin wallet address present in the PDF
  • Use of SegWit Bitcoin address
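Every variant in the list above has one thing in common: somewhere in the message there is a Bitcoin wallet address for the victim to pay. The following is an added example, not Symantec's code, of a mail-filter check that pulls addresses out of a message body and validates their checksums, so that a legacy (base58check) address and a SegWit (bech32) address are both recognised while look-alike strings are ignored; it also accepts the later bech32m checksum, which goes slightly beyond the SegWit addresses the report mentions. The sample messages are constructed; the two valid addresses are the Bitcoin genesis-block address and the BIP173 reference P2WPKH address.

```python
"""Added example (not Symantec's code): find Bitcoin payment addresses in
e-mail text, validating legacy (base58check) and SegWit (bech32) forms, and
flag messages that pair an address with extortion wording."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Candidate shapes; every hit is confirmed by its checksum before it is reported.
LEGACY_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
BECH32_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{6,87}|BC1[AC-HJ-NP-Z02-9]{6,87})\b")

# Wording seen in sextortion and bomb-threat variants (constructed list).
EXTORTION_CUES = ("bitcoin", "btc", "webcam", "your password", "video of you",
                  "hours", "bomb", "explosive")


def valid_base58check(addr):
    """P2PKH/P2SH address: 25 bytes = version || hash160 || 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    leading_ones = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
    raw = b"\x00" * leading_ones + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def valid_bech32(addr):
    """SegWit address per BIP173 (checksum constant 1); the BIP350 bech32m
    constant 0x2BC830A3 used by later taproot addresses is accepted as well."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid by definition
    addr = addr.lower()
    pos = addr.rfind("1")  # separator between human-readable part and data
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(ch not in BECH32_CHARSET for ch in data):
        return False
    values = ([ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
              + [BECH32_CHARSET.index(c) for c in data])
    return _bech32_polymod(values) in (1, 0x2BC830A3)


def find_btc_addresses(text):
    found = [m.group() for m in LEGACY_RE.finditer(text) if valid_base58check(m.group())]
    found += [m.group() for m in BECH32_RE.finditer(text) if valid_bech32(m.group())]
    return found


def classify(message):
    """Return (is_probable_extortion, addresses). Only the body text is inspected:
    an address carried in a PNG, JPEG or PDF attachment has to be extracted or
    OCR'd first, otherwise this check sees nothing."""
    addresses = find_btc_addresses(message)
    lowered = message.lower()
    cues = [cue for cue in EXTORTION_CUES if cue in lowered]
    return bool(addresses) and bool(cues), addresses


SAMPLE_MESSAGES = [  # constructed samples
    "I recorded you through your webcam. Send 700 USD in bitcoin to "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or the video of you goes out.",
    "There is an explosive in your building. Pay 20000 USD in BTC to "
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 to stop it.",
    "Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb within 24 hours.",  # bad checksum, not an address
    "Our bitcoin meetup is on Thursday, see you there.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify(msg))
```

The checksum step matters: a bare regex for "starts with 1, 3 or bc1" fires on order numbers and session identifiers, while a string that passes base58check or bech32 validation is almost certainly a real address. The variants that put the address in an image or PDF are exactly the ones this text-only check misses, which is why the scammers use them.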

Celebrity Twitter accounts compromised

The past week has seen two high profile Twitter accounts ‘hacked’ in order to send out offensive and extreme content.

Actress Jessica Alba’s account was used to send out anti-Semitic and homophobic content, and comedy stuntman Steve-O’s Twitter account sent racist and other offensive tweets. They both join the list of celebrities, politicians and organisations who have had their social media accounts compromised.

Link HERE


Incidents & events detail

Massive data breach hits Capital One, affecting more than 100 million customers

[Neely]
If the suspect had not reached out on social media it is unlikely she’d have been apprehended. While waiting for a perpetrator to make a mistake is an investigative option, it is better to ensure your active defence and detection mechanisms are performing. Regularly verify you can not only detect unauthorized accesses, often referred to as purple team exercises, but also that your boundary protection settings are as intended.


According to a source with direct knowledge of the breach investigation, the problem stemmed in part from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services (AWS).

Known as “ModSecurity,” this WAF is deployed along with the open-source Apache Web server to provide protections against several classes of vulnerabilities that attackers most commonly use to compromise the security of Web-based applications.

The misconfiguration of the WAF allowed the intruder to trick the firewall into relaying requests to a key back-end resource on the AWS platform: the EC2 instance “metadata” service, reachable from inside the instance at the link-local address 169.254.169.254. This service hands out information about the instance, including the temporary credentials for the IAM role attached to it, and those credentials grant whatever access that role has.

In AWS, exactly what those credentials can be used for hinges on the permissions of the IAM role attached to the instance requesting them. In Capital One’s case, the role behind the misconfigured WAF was for whatever reason assigned far more permissions than a WAF needs: it was allowed to list the objects in the S3 buckets and to read the contents of each of those objects.

The vulnerability class exploited by the intruder in the Capital One hack is the well-known “Server Side Request Forgery” (SSRF), in which a server (in this case CapOne’s WAF) is induced to make HTTP requests to a destination of the attacker’s choosing, including internal endpoints it should never have relayed to, such as the metadata service.

Links HERE and HERE and HERE and HERE
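The chain above is an SSRF that ends at the instance metadata service. Below is an added example, not Capital One's code and not a ModSecurity rule, of the target check that an outbound proxy or WAF should run before it relays any request built from user input: it resolves the host, normalises the encodings attackers use to dodge string matches (decimal and hex IP forms, bracketed IPv6), and refuses link-local, loopback and private destinations, the metadata endpoints among them. FAKE_DNS and fake_resolve are a constructed stand-in for DNS so the example runs offline; in production pass the real resolver (the default) and connect to the IP you validated, not to the name again.

```python
"""Added example: destination allow-list for server-side fetches, blocking the
SSRF path to the AWS instance metadata service. Illustrative code only, not
Capital One's configuration or a ModSecurity rule."""
import ipaddress
import socket
from urllib.parse import urlparse

# 169.254.169.254 is the instance metadata endpoint on AWS (and other clouds);
# fd00:ec2::254 is its IPv6 equivalent on EC2. Both are caught by the
# link-local/private checks below as well, but are named here for clarity.
METADATA_ENDPOINTS = {"169.254.169.254", "fd00:ec2::254"}

# Constructed stand-in for DNS so the example runs offline. The second entry
# mimics an attacker-controlled name that points at the metadata address.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "metadata.attacker.test": "169.254.169.254",
}


def fake_resolve(host):
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")


def host_to_ip(host, resolve):
    """Turn the host part of a URL into an ip_address, covering the encodings
    that slip past naive string filters such as 'deny 169.254.169.254'."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)  # dotted quad or IPv6 literal
    except ValueError:
        pass
    try:
        # inet_aton accepts shorthand such as "2852039166" or "0xa9fea9fe",
        # which HTTP clients also accept and which both mean 169.254.169.254.
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        pass
    return ipaddress.ip_address(resolve(host))  # an ordinary hostname


def check_fetch_target(url, resolve=socket.gethostbyname):
    """Return (allowed, reason). Run this before every outbound request made
    on a user's behalf, and again on every redirect hop."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "no host in URL"
    try:
        ip = host_to_ip(parts.hostname, resolve)
    except (OSError, ValueError) as exc:
        return False, f"could not resolve host: {exc}"
    if str(ip) in METADATA_ENDPOINTS:
        return False, f"{ip} is the instance metadata service"
    if (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False, f"{ip} is not a public address"
    return True, f"{ip} ok"


if __name__ == "__main__":
    for candidate in (
        "http://example.com/health",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://2852039166/latest/meta-data/",
        "http://metadata.attacker.test/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_fetch_target(candidate, fake_resolve))
```

Two caveats a practitioner will want. First, the check is only the first layer: the IAM role on the instance must be scoped to what the WAF actually needs, so that a leaked credential cannot list and read every bucket; and AWS's later IMDSv2, which requires a session token obtained with a PUT request and a hop limit of 1, stops most simple SSRF relays from reaching the credentials at all. Second, resolve once and connect to the validated IP; validating the name and then letting the HTTP client resolve it again reopens the hole through DNS rebinding.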

Google reveals fistful of flaws in Apple’s iMessage app

A team of bug-hunters at Google have shared details of five flaws in Apple’s iMessage software that could make its devices vulnerable to attack. In one case, the researchers said the vulnerability was so severe that the only way to rescue a targeted iPhone would be to delete all the data off it. Another example, they said, could be used to copy files off a device without requiring the owner to do anything to aid the hack

Link HERE

How to get your Equifax money and stay safe doing it

Link HERE

Cybersecurity: Malware lingers in SMBs for an average of 800 days before discovery

Link HERE

How to Lock Down Your iPhone

Inside the Nitty Gritty iOS Preferences Everyone Should Know

Link HERE

Kubernetes Pod Escape Using Log Mounts

Link HERE

Remember: XSS Filter Evasion

Link HERE

WARNING: Pre-Auth Takeover of OXID eShops

RIPS detected a highly critical vulnerability in the OXID eShop software that allows unauthenticated attackers to take over an eShop remotely in less than a few seconds, all on default configurations. A second vulnerability in the administration panel can then be exploited to gain remote code execution on the server. We highly recommend updating to the latest version.

Link HERE

Cisco Agrees to $8.6 Million Settlement After Selling Agencies Insecure Tech

The company’s video surveillance manager, which was used by the Pentagon, DHS, NASA and others, contained vulnerabilities that would let hackers view, modify and disable video feeds at government facilities

Link HERE

GitHub Restricting Access For Developers In US Sanctioned Countries

GitHub has confirmed that it has begun blocking developers in countries that are under US trade sanctions from accessing private repositories and GitHub Marketplace. Developers are finding that their access to their GitHub accounts has been “restricted.” One developer in Crimea found that he was prevented from accessing his GitHub hosted site, existing private repositories and from creating new private repositories. GitHub is imposing the restrictions based on users’ IP addresses and payment histories. Countries facing US trade sanctions include the Crimea region of Ukraine, Cuba, Iran, North Korea, and Syria

Link HERE

Remotely Stole Files Through iMessage on iOS 12.3.1 (CVE-2019-8646 by natashenka) – VIDEO

Link HERE

Hackers can bypass £30 limit on Visa contactless cards, study finds

Design flaws discovered in Visa’s payments system for contactless cards could allow criminals to steal hundreds in a single tap


Links HERE and HERE

Australia Has A Serious Crypto Problem

Link HERE

Research of the week

Featuring – How SAML 2.0 Authentication Works


Link HERE

2018 Application Security Statistics Report

The Evolution of the Secure Software Lifecycle


Link HERE


Link HERE

Understanding Docker container escapes

Link HERE

BEGINNER’S GUIDE to Ransomware Detection and Prevention

More than 4,000 ransomware attacks have occurred every day since the beginning of 2016


Link HERE and Cyber Security Statistics 2019 HERE


Tool of the week


Link HERE

Security Testing Plugin for Maven & Gradle

Link HERE

WRITE JS WITH ONLY 5 DIFFERENT CHARACTERS: $+=[]

Link HERE


Other interesting articles

##Threat Modelling for Web Developers

https://continuumsecurity.net/wp-content/uploads/2019/07/Threat-modeling.png

Link HERE


##5 TIPS FOR AN EFFECTIVE APPSEC TESTING STRATEGY

1. Inform and Shape Your Security Testing with Threat Modeling

2. Automate with a Grain of Salt

3. Invest in Manual Testing

4. Vulnerability Management is Essential

5. Develop Metrics

  • Mean Time to Detection – How long does it take to discover vulnerabilities in your software?
  • Mean Time to Resolve – How long does it take to fix the vulnerabilities you discover?
  • Asset coverage – What assets do you have? How many are covered thoroughly through automated and manual testing processes?
  • Number of high/critical vulnerabilities open – How many major vulnerabilities are currently not fixed? This metric can be grouped based on business unit or application to discover possible areas of focus.
  • Vulnerability acceptance – How many vulnerabilities are not being fixed, and why? This number should be as low as possible and should be revisited often (at least once per year) to make sure the vulnerability still can’t be fixed.

Link HERE


##Underscoring the “private” in private key

Link HERE


##Open source security: 4 metrics that matter to app sec teams

1. Indicators of good project management

2. Mean time to update the project

3. Mean time to remediate in your organization

4. Measuring secure coding ability

Link HERE


##And finally, Secrets Management in a Cloud Agnostic World
Stop us if you’ve heard this one before. Secrets management is hard and, in the days of tools like Trufflehog, finding secrets in public repositories is easy: just point and click. So it was a day-1 initiative of Cruise’s Security team to ensure we have secrets management as a primary consideration for application and service owners during our software development lifecycle. Before we examine the specifics of what that looks like, we should take a moment to consider some of the challenges that every organization and individual faces when storing secrets.

Link HERE
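“Point and click” works because leaked credentials look different from code. As an added example, not Trufflehog's own implementation or anything from Cruise, here are the two checks that family of scanners runs over each line of a repository: a regex for key formats with a known shape, and a Shannon-entropy test for opaque high-entropy strings. SAMPLE_FILE is a constructed settings file; the AWS key values in it are the placeholder examples from AWS's own documentation and the hex value is SHA-256("test").

```python
"""Added example (not Trufflehog's code): pattern and entropy checks that a
secrets scanner runs over every line, applied to a constructed settings file."""
import math
import re

# Key formats with a fixed shape. AWS access key IDs are "AKIA" + 16 upper-case alphanumerics.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Opaque tokens worth putting through the entropy test.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
# Thresholds in bits per character: uniformly random base64 approaches 6,
# random hex approaches 4, English words and identifiers sit around 3 to 3.5.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text):
    """Return [(line_no, finding_type, token)] for everything worth a human look."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()  # avoid reporting the same token under two headings
        for name, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, name, m.group()))
                seen.add(m.group())
        # Hex first: a hex string also matches the base64 shape, and would
        # otherwise be judged by the wrong threshold.
        for pattern, kind, threshold in (
            (HEX_TOKEN, "high_entropy_hex", HEX_THRESHOLD),
            (BASE64_TOKEN, "high_entropy_base64", BASE64_THRESHOLD),
        ):
            for m in pattern.finditer(line):
                token = m.group()
                if token in seen:
                    continue
                if shannon_entropy(token) >= threshold:
                    findings.append((line_no, kind, token))
                    seen.add(token)
    return findings


SAMPLE_FILE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
WEBHOOK_SIGNING_SECRET = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SESSION_COOKIE_NAME = "applicationsessionidentifier"
LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILE):
        print(finding)
```

Note how the two checks complement each other: the access key ID has low entropy (it is mostly letters, 3.7 bits per character) and is caught only by its AKIA shape, while the secret access key has no recognisable prefix and is caught only by its entropy; the long lowercase cookie name is left alone by both. Real scanners also walk git history, since a secret committed and then removed is still in the repository.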

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://thezerohack.com/hack-any-instagram

Description: How I Could Have Hacked Any Instagram Account.

URL: https://medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f

Description: Remote Code Execution (RCE) in Jira (CVE-2019–11581).

Link HERE and credits to HERE
