Word of the week
Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
Once an organization has a clear view of both sanctioned and unsanctioned east-west traffic in its data center and cloud infrastructure, it can use this information to take active steps to stop lateral movement. An optimal approach includes a mix of both proactive and reactive lateral movement security techniques.
Word of the week special
Sean Ellis, the person who coined the term ‘Growth Hacking’, states: ‘A growth hacker is a person whose true north is growth’. A growth hacker’s primary job entails examining how everything is going to impact the growth of a company.
Crypto challenge of the week
Remember: 310BTC Challenge
This is a challenge in which 310 BTC is hidden in the picture shown above. Whoever finds the key to the coins may keep the Bitcoins. This is my first experiment and I will probably launch a few more challenges in the future.
GDPR Enforcement Tracker
Link HERE – thanks to Marius
UK’s ICO Publishes New Guidance on Cookies
Now: TLS 1.2 mandatory for proper security
HTTPS everywhere HERE
European payment services providers are in full gear to meet the September 2019 effective date for the PSD2 technical standards, which include the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication.
PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the PSD2 Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) include new requirements for:
NEARLY HALF OF DONALD TRUMP’S TWITTER FOLLOWERS ARE FAKE ACCOUNTS AND BOTS
Book of the month
Security Engage magazine from Microfocus – August 2019
Comic of the week
## Some OWASP stuff first
- OWASP DevSlop on Azure Storage
The team hosted a live Twitter Chat about how to secure web apps hosted in Azure Storage, with guests Burke Holland and Cecil Phillip!
OWASP events HERE
All InfoSec events HERE
The complete Security Events calendar – Peerlyst
Black Hat and Def Con 2019 thoughts – by Marek B.
Link HERE – thanks to Marek
Must see – The Inevitable Marriage of DevOps & Security
Cybersecurity conference attendees possibly exposed to IRL virus
Hackers and cybersecurity researchers who attended this year’s annual Black Hat information security conference in Las Vegas found themselves on the receiving end of the wrong kind of security notification. On Thursday, the Southern Nevada Health District issued a warning stating that individuals in Vegas over the course of the conference may have been exposed to measles.
44Con London – 11-13 September 2019
CyberThreat 2019 by NCSC
Link HERE – thanks to Ben
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
Bluetooth vulnerability spotted and patched
A vulnerability in the Bluetooth wireless standard has been discovered by researchers which could allow attackers to intercept keystrokes, address books, and other sensitive data.
Using Python 2? It’s time to move on
Troy Hunt newsletter
Incidents & events detail
An In-Depth Look at the Capital One Data Breach
Open Source Ransomware Targets Fortnite Users
The global gaming phenomenon Fortnite has a huge global user base – last reported in March at 250 million gamers – and the just-concluded Fortnite World Cup, with its $30 million prize pool and an online viewing audience of over two million, has certainly only added to its allure. Over 40 million Fortnite gamers competed in qualifying rounds to get one of the 100 coveted spots in the World Cup and a guaranteed $50,000 payout, plus a shot at the $3 million top prize (won by a 16-year-old!). Given the size of the global player pool and the evident motivation to up one’s game, it comes as no surprise that cybercriminals are now targeting Fortnite users by leveraging their competitive zeal.
A new ransomware, self-named “Syrk” and built with tools available on the internet, has been found masquerading as a game hack tool for Fortnite: basically a cheat which promises to give players an edge in aiming accurately (an aimbot) and in knowing the locations of other players (ESP, in gamer parlance). We expect it to be distributed via an upload to a sharing site, with the link posted in Fortnite user forums.
Netflix Discovers Severe Kubernetes HTTP/2 Vulnerabilities
Apple will soon treat online web tracking the same as a security vulnerability
German Chocolate, Frozen Margaritas, the Super Bowl and AppSec
Facebook to stop stalking you off-site – but only if asked
Sqreen recently blocked a major ATO attack against ourselves. Here’s how we did it
During the night of June 28th, at 2:40am CET, Sqreen started generating ATO alerts on our Slack instance. The cause of the alerts was one of our Sqreen Playbooks blocking IPs that were attempting (unsuccessfully) to log in to many user accounts.
Bypassing IP Based Blocking with AWS API Gateway
Jenkins RCE PoC or simple pre-auth remote code execution on the Server
Beating the Adversary at Their Own Game!
QEMU VM Escape
This post will describe how I exploited CVE-2019-14378, which is a pointer miscalculation in the network backend of QEMU. The bug is triggered when large IPv4 fragmented packets are reassembled for processing. It was found by code auditing.
VLC vulnerabilities discovered by the Semmle security research team
Sonoma Valley Hospital Website, Email Addresses Hijacked
Hackers hijacked the California provider’s coveted three-letter domain name, forcing Sonoma Hospital to change its URL; ransomware, a new AMCA breach victim, and an email hack complete this week’s breach roundup
Removing Coordinated Inauthentic Behavior From China – by Facebook and Twitter
Backstabbing, Disinformation, and Bad Journalism: The State of the VPN Industry
Top 10 security best practices for MongoDB
The Case for 2FA, Post Rest-client Gem CVE
Beginner’s guide to Zero Days, and why responsible disclosure matters
Research of the week
Featuring – Why Software Remains Insecure
How the benefits of quickly building bad software have so far outweighed the downsides
There are myriad theories as to why software remains insecure after we’ve spent decades trying to solve the problem. Common reasons include:
Balancing Security and Performance with Web Application Firewalls
DejaBlue: Analyzing a RDP Heap Overflow
In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182, affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same bug. The vulnerable code exists in both the RDP client and server, making it possible to exploit in either direction.
How Secure is your Android Keystore Authentication?
Privileged malware or an attacker with physical access to an Android device is a difficult attack vector to protect against. How would your application maintain security in such a scenario?
This blog post will discuss the Android keystore mechanisms and the difficulties encountered when attempting to implement secure local authentication. By providing an introduction to the AndroidKeystore, its API and its usage, it will allow you to understand the common vulnerabilities associated with the keystore as they are discussed. The core of this article will highlight the developed tools which can be used to audit an application’s local authentication. It concludes with general guidance on secure implementations and presents an application which can be used as a reference.
Hacking Containers and Kubernetes. Exploiting and protecting containers with a few lines of scripting
State of Cybersecurity 2019 Report – focus Australia
Tool of the week
DevOps by Google – tools & solutions
Shifting Security to the Left HERE AND
The Secure DevOps Edge HERE AND
Tough love HERE
2FA bypass tool highlights top business security vulnerabilities
A continuous security DevSecOps tool which helps enable security in the CI/CD pipeline. It supports coverage for multiple programming languages.
Threat Intelligence Hunter
An open-source project for threat hunting and information gathering.
Large-Scale-Exploit of GitHub Repository Metadata and Preventive Measures
We suggest multiple preventive measures that should be implemented as soon as possible. We also consider it the duty of both companies like GitHub and well-informed software engineers to inform fellow developers about the risk of exposing private email addresses in Git commits published publicly.
KeePass Cross-Platform Community Edition
Other interesting articles
## Extended Validation Certificates are (Really, Really) Dead
Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren’t displaying it on mobile clients). The only proponents of EV seemed to be those selling it or those who didn’t understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place.
## Why you need static and dynamic application security testing in your development workflows
Bolster your code quality with static and dynamic application security testing
## The Real Reason I Don’t Have a Security Camera
Security expert Max Eddy doesn’t want creepers spying on him (or his dog) through insecure hardware, but that’s not why he doesn’t have internet-connected cameras in his home.
## And finally, company sues Black Hat conference after getting laughed off stage
## HACKING, TOOLS and FUN – CHECK BELOW!
Description: Clickjacking DOM XSS on Google.org.
Description: Meteor Blind NoSQL Injection.
Description: Detecting incognito mode in Chrome 76 with a timing attack.