Security Stack Sheet #65

Word of the week

“Car Hacking is Real”

84% of automotive engineers worry their systems aren’t keeping pace with advancing threats

Links HERE and HERE and HERE

Bonus 

Link HERE

Link HERE

WOW

Link HERE

Link HERE

The world's worst BOTNET countries

Link HERE

Crypto challenge of the week

Link HERE

Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Link HERE – thanks to Marius

Talk about unintended consequences: GDPR is an identity thief’s dream ticket to Europeans’ data

Revenge plan morphs into data leak discovery

Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective

Link HERE

  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

Link HERE and HTTP is plain text HERE

AND

Verifying SSL/TLS configuration by SANS

Link HERE

  • Halloween Brexit! or later or not or bust Brexit Fatigue HERE

Kenya’s Homa Bay: Fart pushes Speaker to suspend debate

A heated debate about market stalls was disrupted by a foul smell and furious finger-pointing at a Kenyan regional assembly on Wednesday, local reports say.

“Honourable Speaker, one of us has polluted the air and I know who it is,” Julius Gaya reportedly told Homa Bay county assembly.

But the member he accused of farting is said to have replied:

“I am not the one. I cannot do such a thing in front of my colleagues.”

Link HERE

  • September 2019: PSD2 security mandatory
  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book on the month

Paged Out!

Is a new experimental (one article == one page) free magazine about programming (especially programming tricks!), hacking/security hacking, retro computers, modern computers, electronics, demoscene, and other similar topics.

It’s made by the community for the community – the project is led by Gynvael Coldwind with multiple folks helping. And it’s not-for-profit (though in time we hope it will be self-sustained) – this means that the issues will always be free to download, share and print.

Links HERE and HERE

Comic of the week

Working From Home - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP Threat Modeling and Online Dating presentation @DianaInitiative2019

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

BlackHat USA 2019 – 3-8 August

Keynote: Every Security Team is a Software Team Now by Dino Dai Zovi

Link HERE

Remember:

Other shots – thanks to Marek

Link to schedule and presentations HERE

DEFCON 27 – more on this next week

Link HERE

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report

University students at risk of phishing attacks

University students are at risk from phishing scams because many top universities are not following best practices to block fraudulent emails, according to research by Proofpoint.

The security firm found that 65% of the UK’s top 20 universities were not using any form of an industry-recommended email authentication tool. Whilst 35% had published a DMARC record, only one university in the top 20 was using the recommended level of DMARC protection.
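The survey above distinguishes between universities with no DMARC record, those with a record, and the single one at the recommended protection level. The following added example (not part of the NCSC report or Proofpoint's research) shows how a defender would make that classification from a DMARC TXT record: it parses the tag=value list, reads the `p=` policy, and downgrades the assessment when `pct=` is below 100 or the subdomain policy `sp=` is weaker than the organisational policy. The sample records and domains are constructed, and "recommended level" is assumed here to mean a `p=reject` policy applied to 100% of failing mail.

```python
"""Classify the enforcement level of DMARC TXT records (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records; not real universities' DNS data.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "uni-a.example": None,  # no DMARC record published at all
    "uni-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@uni-b.example",
    "uni-c.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "uni-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@uni-d.example; adkim=s; aspf=s",
    "uni-e.example": "v=spf1 include:_spf.example.com -all",  # SPF record, not DMARC
}


@dataclass
class DmarcAssessment:
    domain: str
    published: bool
    policy: Optional[str]
    level: str  # "none", "monitor", "partial" or "enforced"
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Rate how much protection a domain's DMARC record actually gives."""
    if record is None:
        return DmarcAssessment(domain, False, None, "none", ["no DMARC record published"])
    tags = parse_dmarc(record)
    # A DMARC record must start with v=DMARC1; anything else is some other TXT record.
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(domain, False, None, "none", ["TXT record is not a DMARC record"])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(domain, True, policy or None, "none", ["missing or invalid p= tag"])

    notes: List[str] = []
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("invalid pct= value, treated as 100")

    if policy == "none":
        level = "monitor"  # receivers only report; nothing is blocked
    elif pct < 100:
        level = "partial"
        notes.append(f"only {pct}% of failing mail is subject to p={policy}")
    else:
        level = "enforced"

    # sp= defaults to p=; an explicit weaker sp= leaves subdomains open to spoofing.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != policy:
        notes.append(f"subdomain policy sp={sub_policy} differs from p={policy}")
    if "rua" not in tags:
        notes.append("no rua= aggregate reporting address; failures go unobserved")
    return DmarcAssessment(domain, True, policy, level, notes)


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per level, the kind of figure the survey above reports."""
    counts = {"none": 0, "monitor": 0, "partial": 0, "enforced": 0}
    for domain, record in records.items():
        counts[assess(domain, record).level] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess(domain, record)
        print(f"{domain}: {result.level:9s} p={result.policy} {'; '.join(result.notes)}")
    print(summarize(SAMPLE_RECORDS))
```

In practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`; the lookup is left out so the block runs offline. A `p=none` record is the common first step, but it only produces reports, which is why a survey counts it separately from an enforced policy.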

Companies overlooking the importance of cloud security

Cyber security firm Symantec has published its first Cloud Security Threat Report. The report suggests that many companies are not focused on the fastest growing threats when it comes to cloud computing security.

The company polled 1,250 IT decision-makers in 11 countries. Key findings include: 

  • 73% of firms had cloud incidents due to immature security
  • 63% of security incidents have occurred in the cloud in the past 12 months
  • 69% of survey respondents think their data is likely already on the dark web for sale

Link HERE

Incidents & events detail

Researchers Find 23 Million Stolen Cards For Sale

Researchers have found over 23 million stolen credit and debit cards up for sale on the dark web, with US consumers by far the biggest hit.

Nearly two out of every three stolen cards on the sites trawled by Sixgill were issued in the US, amounting to more than 15 million. The next biggest hit country was the UK, which accounted for over 7%

Link HERE

Capital One’s breach was inevitable, because we did nothing after Equifax

https://miro.medium.com/max/1400/1*xsvNodLvodsjeOxKf5Eppw.jpeg

Tech details

https://miro.medium.com/max/1400/1*7N6TAJwT2FhhPIHtjc-3mg.png

Links HERE and HERE and HERE

AND

What I learned at Capital One

This post is long overdue and may not have ever been written had it not been for the recent news on the Capital One breach. I’ve had so many inbounds on being part of the security team and everyone wanting to know what happened. I had to sit down and write this up

Link HERE

Escaping the Chrome Sandbox via an IndexedDB Race Condition

Exploitation of a race condition in the IndexedDB implementation of Chrome, demonstrating a full sandbox escape

Link HERE

Facebook Libra Might Never Launch, Company Concedes in SEC Disclosure

Link HERE

Link HERE

Steam Windows Client Local Privilege Escalation 0day

Link HERE

Canon DSLR Camera Infected with Ransomware Over the Air

Link HERE – thanks to Mithun

What do Uber, Volkswagen and Zenefits have in common? They all used hidden code to break the law

Link HERE

Link HERE

Group s** app leaks locations, pics and personal details. Identifies users in White House and Supreme Court

https://www.pentestpartners.com/content/uploads/2019/08/nofun-app.png?x38147

Where are they?

https://www.pentestpartners.com/content/uploads/2017/07/hello-300x191.png?x38147

Link HERE

Responding to Firefox 0-days in the wild

Link HERE – thanks to TK

Cisco ‘Knowingly’ Sold Hackable Video Surveillance System to U.S. Government

Link HERE – thanks to Christophe and “why it’s important to listen to people who would like to report vulnerabilities in your services / software / products”

Galaxy Leapfrogging: Pwning the Galaxy S8

Link HERE

Apple Confirms $1 Million Reward For Anyone Who Can Hack An iPhone

$1 million for an iPhone hack

The full $1 million will go to researchers who can find a hack of the kernel—the core of iOS—with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a “network attack requiring no user interaction.” There’s also a 50% bonus for hackers who can find weaknesses in software before it’s released

Link HERE

WhatsApp Hack Attack Can Change Your Messages

During a briefing at the annual Black Hat security conference in Las Vegas on August 7, researchers from Israeli security company Check Point revealed how Facebook-owned WhatsApp could be hacked to change the text of a message and the identity of the sender. If that sounds worrying enough, these vulnerabilities were revealed to WhatsApp last year but remain exploitable today

Links HERE and HERE

Microsoft Confirms New Windows CPU Attack Vulnerability, Advises All Users To Update Now

Link HERE

Remember:

Monero security flaw could’ve seen XMR stolen from cryptocurrency exchanges

https://cdn0.tnwcdn.com/wp-content/blogs.dir/1/files/2019/07/Screenshot-2019-07-04-at-19.49.42.png

Links HERE and disclosed HackerOne report HERE AND related KYC issue in Binance HERE

Research of the week

Featuring – How to Get Infected With Malware

Computers these days work so smoothly, using them can be plain boring. Want some excitement? Throw off the shackles of your security software and get your system infected with malware! Our tongue-in-cheek guide can show you how

Link HERE and the purpose of Ransomware HERE

The Fully Remote Attack Surface of the iPhone

While there have been several rumours and reports of fully remote vulnerabilities affecting the iPhone being used by attackers in the last couple of years, limited information is available about the technical details of these vulnerabilities, as well as the underlying attack surface they occur in. I investigated the remote, interaction-less attack surface of the iPhone, and found several serious vulnerabilities.

Vulnerabilities are considered ‘remote’ when the attacker does not require any physical or network proximity to the target to be able to use the vulnerability. Remote vulnerabilities are described as ‘fully remote’, ‘interaction-less’ or ‘zero click’ when they do not require any physical interaction from the target to be exploited, and work in real time. I focused on the attack surfaces of the iPhone that can be reached remotely, do not require any user interaction and immediately process input.

There are several attack surfaces of the iPhone that have these qualities, including SMS, MMS, VVM, Email and iMessage

Link HERE and Video HERE and How Secure is iMessage HERE

The Six Pillars of DevSecOps

Achieving Reflexive Security Through Integration of Security, Development and Operations

  • Pillar 1 Collective Responsibility
  • Pillar 2 Collaboration and Integration
  • Pillar 3 Pragmatic Implementation
  • Pillar 4 Bridging Compliance and Development
  • Pillar 5 Automation
  • Pillar 6 Measure, Monitor, Report and Action

Link HERE – thanks to Naz

VULNERABILITY FOCUS: JAVA

Attention, fellow AppSec comrades! This blog post shines a spotlight on open source vulnerabilities in the Java universe. In particular, it has come to our awareness that the jackson-databind serialisation library, which parses Java objects to JSON and vice versa, has taken big hits over the past few weeks. To better enlighten our readers, we took an in-depth look into the origins of its (de)serialisation flaws.

  • CVE-2019-12384 A flaw in the serialisation process of FasterXML jackson-databind 2.x before 2.9.9.1 could lead to remote code execution. Read why
  • CVE-2019-14379 Hackers could exploit an invalid object-class for pre-2.9.9.2 versions of jackson-databind to gain remote access and control Read why

Link HERE

Link HERE

NoLimitSecu - MENSPSIT - 512

Link HERE – in French

Tool of the week

Cwtch

Privacy Preserving Infrastructure for Asynchronous, Decentralized, Multi-Party, and Metadata Resistant Applications

https://openprivacy.ca/images/cwtch-logo-back.png

Cwtch (a Welsh word roughly translating to “a hug that creates a safe place”) is a decentralized, privacy-preserving, asynchronous multi-party messaging protocol that can be used to build metadata resistant applications

Link HERE

Credential Scanner (CredScan)

https://secdevtools.azurewebsites.net/img/ms.jpg

A tool developed and maintained by Microsoft to identify credential leaks such as those in source code and configuration files. Some of the commonly found types of credentials are default passwords, SQL connection strings and Certificates with private keys.

The CredScan build task is included in the Microsoft Security Code Analysis Extension. This page has the steps needed to configure & run the build task as part of your build definition

Link HERE

WhiteSource Bolt for GitHub

A FREE app, which continuously scans all your repos, detects vulnerabilities in open source components and provides fixes. It supports both private and public repositories

Link HERE

Microsoft Security Risk Detection

Security Risk Detection is Microsoft’s unique fuzz testing service for finding security critical bugs in software. Security Risk Detection helps customers quickly adopt practices and technology battle-tested over the last 15 years at Microsoft

Link HERE

Remember: Secure DevOps Kit for Azure

https://devopskitwebsiteep.azureedge.net/media/CarouselImages/CarouselImage01.jpg

Link HERE

The service worker hiding in your browser

New tool easily backdoors vulnerable websites

https://portswigger.net/cms/images/8d/3a/940f3dad0d5f-article-190807-ghost-browser-body.jpg

Link HERE

BURP HTTP Request Smuggling

https://4.bp.blogspot.com/-Rt09IFXZ8fk/XUFt_mHiy7I/AAAAAAAAAtM/V8s8zWrMO38p1ZPB3roCswHz8ZJ1gZ5uACK4BGAYYCw/s1600/HTTP%2Brequest%2Bsmuggling%2Bvulnerability.png

https://portswigger.net/cms/images/f4/b3/753498a08488-article-request-smuggling-article.png

Link HERE and blog post HERE

Open Sourcing the Kubernetes Security Audit

Link HERE

Other interesting articles

##Is Your Serverless Application Secure?

In the past few months, I’ve hosted several sessions on serverless security for serverless developers and DevOps folks. What I’ve realized during these sessions is that there are quite a few inaccurate assumptions that developers are making

Link HERE

##A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response

Earlier this year, I reached out to Check Point researcher Eyal Itkin, who had published multiple flaws in several Remote Desktop Protocol (RDP) clients, including a vulnerability in mstsc.exe, the built-in RDP client application in Windows. While there were no active exploits detected in the wild, it was important for me and my team at Microsoft to analyze the vulnerability, do further variant analysis and investigations, and build defenses, including cloud-based post-breach detection in addition to the operating system fix.

The cross-company collaboration that followed was especially critical in this case, because the attack technique is quite tricky to detect. The vulnerability exists in the shared clipboard mechanism. Unlike other RDP vulnerabilities that could allow an attacker to connect to target machines using the RDP protocol, in this case, an attacker would wait for a user to connect to a compromised machine, and then start the attack through the vulnerability. RDP anomaly detection wouldn’t be useful, because exploit behavior doesn’t stand out as unusual.

The vulnerability, called Poisoned RDP vulnerability and designated as CVE-2019-0887, has been fixed, but it serves as a good case study for industry collaboration leading to better and speedier response to security issues. In this blog, we’ll share an overview of the vulnerability and how we worked with Check Point to build the defenses using Windows telemetry

Link HERE

##Common application security challenges & how to overcome them

Application security challenges lie not only in the threats and application vulnerabilities themselves, but also in the processes and approaches taken within the organization to manage application security. A closer look at some of the top application security challenges from both a threat standpoint and a business management view can help you avoid some of the most common pitfalls.

As more organizations take an agile approach to application development, new versions of apps are released quickly, making security not only more important, but also more challenging. It should come as no surprise then that spending on application security solutions is expected to reach $7.1 billion by 2023, as compared to $2.8 billion in 2017. 

Make sure you get the maximum benefit out of the money you invest in AppSec security by arming yourself with knowledge of the most common threats and internal missteps

Link HERE and World Class AppSec HERE

##And finally, how the US, EU and China compete to set industry standards

There is a first-mover advantage for whoever writes the new rules for the digital economy

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://ardern.io/2019/06/20/payload-bxss/

Description: Advanced Blind XSS Payloads.

URL: http://bit.ly/2GtDPyi  (+)

Description: Pwning child company to get access to ParentCompany’s Slack Team.

Link HERE and credits to HERE
