Security Stack Sheet #67

Word of the week

“Lateral movement”

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find the target and subsequently gaining access to it. Reaching that objective often involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement, or use legitimate credentials with native network and operating system tools, which may be stealthier.


Once an organization has a clear view of both sanctioned and unsanctioned east-west traffic in its data center and cloud infrastructure, it can use this information to take active steps to stop lateral movement. An optimal approach includes a mix of both proactive and reactive lateral movement security techniques.

Micro-segmentation provides both the visibility into east-west traffic and the enforcement point needed to prevent lateral movement.
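As an added example (not from the newsletter or from any segmentation vendor), here is the kind of check the paragraph above implies: a default-deny micro-segmentation policy applied to east-west flow records, separating sanctioned flows from unsanctioned ones. The zone map, the allow-list and the flow lines are all constructed for this example; real input would be VPC flow logs or firewall telemetry reduced to the same four fields. Note that intra-zone peer traffic (SMB, RDP, SSH between workloads in the same tier) is treated as unsanctioned by design, since that is the classic lateral-movement path.

```python
import ipaddress
from collections import Counter

# Constructed zone map and allow-list (assumption: a default-deny policy in which
# only the listed zone-to-zone flows are sanctioned).
ZONES = {
    "web":  ipaddress.ip_network("10.0.1.0/24"),
    "app":  ipaddress.ip_network("10.0.2.0/24"),
    "db":   ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}
ALLOW = {
    ("web",  "app", "tcp", 8080),
    ("app",  "db",  "tcp", 5432),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "db",  "tcp", 22),
}

# Constructed flow records reduced to "src dst proto dport".
SAMPLE_FLOWS = """\
10.0.1.15 10.0.2.20 tcp 8080
10.0.2.20 10.0.3.7 tcp 5432
10.0.1.15 10.0.3.7 tcp 5432
10.0.1.15 10.0.1.22 tcp 445
10.0.2.20 10.0.2.21 tcp 3389
10.0.9.5 10.0.3.7 tcp 22
10.0.2.20 10.0.9.5 tcp 22
"""


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def audit(flow_text):
    """Split flows into sanctioned and unsanctioned.

    Returns (sanctioned, unsanctioned); each unsanctioned entry carries a reason.
    """
    sanctioned, unsanctioned = [], []
    for line in flow_text.strip().splitlines():
        src, dst, proto, dport = parse_flow(line)
        key = (zone_of(src), zone_of(dst), proto, dport)
        if key[0] == key[1]:
            # Workload-to-workload traffic inside one zone is the classic
            # lateral-movement path and is never sanctioned by this policy.
            unsanctioned.append(key + ("intra-zone",))
        elif key in ALLOW:
            sanctioned.append(key)
        else:
            unsanctioned.append(key + ("no policy",))
    return sanctioned, unsanctioned


def summarise(unsanctioned):
    """Count unsanctioned flows per (src zone, dst zone) pair for triage."""
    return Counter((u[0], u[1]) for u in unsanctioned)


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_FLOWS)
    print(f"{len(ok)} sanctioned, {len(bad)} unsanctioned flows")
    for src_zone, dst_zone, proto, dport, reason in bad:
        print(f"  {src_zone:>4} -> {dst_zone:<4} {proto}/{dport}  ({reason})")
    print(summarise(bad))
```

The "proactive" half of the approach is the allow-list itself (enforced at the host firewall or segmentation layer); the "reactive" half is running this audit continuously and alerting on the unsanctioned list, where the web-to-db and intra-zone flows in the sample are exactly what a pivot looks like.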


Word of the week special

“Growth hacker”

Sean Ellis, the person who coined the term ‘Growth Hacking’ states, ‘A growth hacker is a person whose true north is growth’. A growth hacker’s primary job entails examining how everything is going to impact the growth of a company


Bonus 

Extended validation certificate screenshots (images not preserved in this copy)

Crypto challenge of the week

Remember: 310BTC Challenge

This is a challenge in which 310 BTC is hidden in the picture shown above. Whoever finds the key to the coins may keep the Bitcoins. This is my first experiment and I will probably launch a few more challenges in the future.

Have fun cracking the code!


Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Thanks to Marius.

UK’s ICO Publishes New Guidance on Cookies


  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective


  • June 30th 2018: PCI DSS deadline to stop using SSL and early TLS (TLS 1.0); TLS 1.1 is the minimum allowed and TLS 1.2 or higher is strongly recommended  BEWARE!


Now: TLS 1.2 or higher should be the minimum for proper security, and HTTPS everywhere.

  • Halloween Brexit! or later or not or bust Brexit Fatigue HERE


  • September 2019: PSD2 security mandatory

European payment services providers are in full gear to meet the September 2019 effective date for the PSD2 technical standards, which include the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication.

PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the PSD2 Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) include new requirements for:

  • strong customer authentication (SCA) for electronic payment transactions;
  • secure communication by the payment service providers.


  • November 3rd 2020: US presidential election

NEARLY HALF OF DONALD TRUMP’S TWITTER FOLLOWERS ARE FAKE ACCOUNTS AND BOTS

Donald Trump


  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book on the month

Security Engage magazine from Microfocus – August 2019


Comic of the week

 - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP DevSlop on Azure Storage

The team hosted a live Twitter Chat about how to secure web apps hosted in Azure Storage, with guests Burke Holland and Cecil Phillip!


Events

OWASP events, all InfoSec events, and the complete Security Events calendar on Peerlyst

Black Hat and Def Con 2019 thoughts – by Marek B.

Thanks to Marek.

Must see – The Inevitable Marriage of DevOps & Security


AND

Cybersecurity conference attendees possibly exposed to IRL virus

Hackers and cybersecurity researchers who attended this year’s annual Black Hat information security conference in Las Vegas found themselves on the receiving end of the wrong kind of security notification. On Thursday, the Southern Nevada Health District issued a warning stating that individuals in Vegas over the course of the conference may have been exposed to measles


44Con London – 11-13 September 2019


CyberThreat 2019 by NCSC

Thanks to Ben.

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data is broken down by country.

NCSC Weekly Threat Report


Bluetooth vulnerability spotted and patched

A vulnerability in the Bluetooth BR/EDR wireless standard has been discovered by researchers which could allow attackers to intercept keystrokes, address books and other sensitive data.

The vulnerability, named ‘Key Negotiation of Bluetooth’ (KNOB), stems from the encryption key size being negotiated between devices without integrity protection: an attacker in the middle can force the negotiated key down to a single byte of entropy, which is then brute-forced in moments, making fraudulent access to connected devices much easier.
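To make the KNOB mechanism concrete, here is an added simulation (not from the NCSC report or the researchers' code) of the key-size negotiation and what an attacker gains from driving it to one byte. The negotiation rule (each side proposes a maximum, the smaller wins, and the exchange is not integrity-protected) follows the Bluetooth BR/EDR behaviour the attack relies on; the key reduction, the stream cipher and the link key are simplified stand-ins labelled as such in the code, because the point is the size of the key space, not the exact primitives.

```python
import hashlib

# Bluetooth BR/EDR lets the two controllers negotiate an encryption key size of
# 1..16 bytes; after KNOB the SIG's guidance is to refuse anything below 7.
SPEC_MIN, SPEC_MAX = 1, 16
RECOMMENDED_MIN = 7

# Constructed 16-byte link key (a real one comes from pairing).
LINK_KEY = bytes.fromhex("a31f7709c4d25e80139b6ae7420cf5d9")


def negotiate(initiator_proposal, responder_max, attacker=None):
    """LMP-style key-size negotiation: each side states the largest size it
    accepts and the outcome is the smaller of the two. The exchange is not
    integrity-protected, so `attacker` (a man-in-the-middle) may rewrite the
    initiator's proposal in transit; that is the whole KNOB trick."""
    if attacker is not None:
        initiator_proposal = attacker(initiator_proposal)
    size = min(initiator_proposal, responder_max)
    if not SPEC_MIN <= size <= SPEC_MAX:
        raise ValueError("key size outside spec range")
    return size


def reduce_key(link_key, size):
    """Stand-in for the spec's key-size reduction (assumption: real controllers
    use a polynomial encoding, but the surviving entropy is still `size` bytes)."""
    return link_key[:size]


def keystream(key, length):
    """Toy stream cipher keyed by the reduced key (stand-in for E0/AES-CCM)."""
    return hashlib.sha256(b"toy-stream|" + key).digest()[:length]


def encrypt(key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force(ciphertext, size, known_plaintext_prefix):
    """Exhaust every `size`-byte key and return the one that decrypts the start
    of the traffic to bytes the attacker knows or can guess (protocol headers)."""
    if size > 2:  # 2^16 keys is fine for a demo; refuse anything larger
        raise RuntimeError("key space too large for an exhaustive search here")
    n = len(known_plaintext_prefix)
    for candidate in range(256 ** size):
        key = candidate.to_bytes(size, "big")
        if encrypt(key, ciphertext[:n]) == known_plaintext_prefix:
            return key
    return None


def accept_key_size(size, minimum=RECOMMENDED_MIN):
    """Host-side check a hardened stack applies before enabling encryption."""
    return size >= minimum


def demo(forced_size=1):
    """Return (honest size, size after MITM, whether the session key was recovered)."""
    honest = negotiate(16, 16)                                   # both want 16
    forced = negotiate(16, 16, attacker=lambda _: forced_size)   # MITM says 1
    session_key = reduce_key(LINK_KEY, forced)
    frame = b"\x0c\x00\x01\x00" + b"keystroke"    # constructed L2CAP-like frame
    ct = encrypt(session_key, frame)
    recovered = brute_force(ct, forced, frame[:8])  # header bytes are predictable
    return honest, forced, recovered == session_key


if __name__ == "__main__":
    honest, forced, cracked = demo()
    print(f"negotiated {honest} bytes, MITM forced {forced}, key recovered: {cracked}")
    print("hardened stack accepts forced size:", accept_key_size(forced))
```

Both honest devices ask for 16 bytes and still end up with a 1-byte key, and 256 trial decryptions recover it. The fix the patches implement is the `accept_key_size` step: the host refuses to bring up encryption below the minimum, rather than trusting whatever the controllers negotiated.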

Using Python 2? It’s time to move on

Developers using Python 2 should begin to plan ahead and switch to Python 3 with the former losing its support from 1st January 2020.

As we step into 2020 Python 2 will be left firmly in the past with no more security updates and bug fixes. Continuing to use it would only heighten the risk of vulnerabilities and the NCSC’s advice is to port your code to Python 3 as soon as possible


Troy Hunt newsletter

Also covers Vegas BSides, Black Hat and DEF CON.

Incidents & events detail

An In-Depth Look at the Capital One Data Breach


Open Source Ransomware Targets Fortnite Users

The global gaming phenomenon Fortnite has a huge global user base – last reported in March at 250 million gamers – and the just-concluded Fortnite World Cup with its $30 million prize pool and an online viewing audience of over two million has certainly only added to its allure. Over 40 million Fortnite gamers competed in qualifying rounds to get one of the 100 coveted spots in the World Cup and a guaranteed $50,000 payout, plus a shot at the $3 million top prize (won by a 16-year old!). Given the size of the global player pool and the evident motivation to up one’s game, it comes as no surprise that cybercriminals are now targeting Fortnite users by leveraging their competitive zeal.

A new ransomware auto-denominated “Syrk,” built with tools available on the internet, has been found to be masquerading as a game hack tool for Fortnite, basically a cheat which promises to give players an edge in aiming accurately (an aimbot) and knowing the locations of other players (ESP, in the gamer parlance). We expect it to possibly be distributed via an upload to a sharing site, with the link posted in Fortnite user forums.


Netflix Discovers Severe Kubernetes HTTP/2 Vulnerabilities


Apple will soon treat online web tracking the same as a security vulnerability


German Chocolate, Frozen Margaritas, the Super Bowl and AppSec


Facebook to stop stalking you off-site – but only if asked


Sqreen recently blocked a major ATO attack against ourselves. Here’s how we did it

During the night of June 28th, at 2:40am CET, Sqreen started generating ATO alerts on our Slack instance. The cause of the alerts was one of our Sqreen Playbooks blocking IPs that were attempting (unsuccessfully) to login to many user accounts.

This specific Playbook had a fairly permissive failed login cap, in order to ensure that we didn’t block legitimate users that had forgotten their password. So before triggering the blocking threshold of this Playbook, the attacker(s) had time to try many login attempts.

Once we started getting alerts about the attack, we immediately lowered this threshold to a very aggressive value for the duration of the attack, preferring to block a potential poorly timed forgetful user rather than allowing the attack to continue.

The attacker was sophisticated, and adapted quickly


Bypassing IP Based Blocking with AWS API Gateway

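The two items above belong together: a per-IP failed-login cap is the rule Sqreen tuned during the attack, and rotating the source address (for instance by relaying requests through an API gateway or a proxy pool) is precisely how an adapting attacker gets around it. The following added example (not Sqreen's Playbook logic, and not from the API Gateway write-up) runs both a per-IP cap and an IP-independent rule over constructed login events. The second rule counts how many distinct accounts are failing in a sliding window, whatever the source, and records the shared client fingerprint; the log format, addresses and thresholds are all assumptions made here.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
PER_IP_CAP = 10             # permissive, so a forgetful user is not blocked
DISTINCT_ACCOUNT_CAP = 20   # many different accounts failing in one window


def build_sample_log():
    """Constructed login events: '<iso-time> <ip> <user> <FAIL|OK> <user-agent>'.
    Phase 1 hammers from a single IP; phase 2 rotates the source address on
    every request, as a proxy pool or API-gateway relay would."""
    base = datetime(2019, 6, 28, 2, 40, 0)
    bot_ua = "python-requests/2.22 stuffer"
    lines, t = [], 0
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()} 198.51.100.7 user{i:02d} FAIL {bot_ua}")
        t += 2
    lines.append(f"{(base + timedelta(seconds=t)).isoformat()} 10.1.2.3 alice OK Mozilla/5.0 (X11; Linux) Firefox/68.0")
    t += 2
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=t)).isoformat()} 203.0.113.{i + 1} user{12 + i:02d} FAIL {bot_ua}")
        t += 2
    return lines


def parse(line):
    ts, ip, user, result, ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), ip, user, result == "OK", ua


class AtoDetector:
    def __init__(self, per_ip_cap=PER_IP_CAP, account_cap=DISTINCT_ACCOUNT_CAP, window=WINDOW):
        self.per_ip_cap, self.account_cap, self.window = per_ip_cap, account_cap, window
        self.fail_by_ip = defaultdict(deque)   # ip -> failure timestamps in window
        self.failures = deque()                # (ts, user, ip, ua) in window
        self.blocked = set()
        self.alerts = []
        self._distributed_alerted = False

    def _expire(self, now):
        cutoff = now - self.window
        while self.failures and self.failures[0][0] < cutoff:
            self.failures.popleft()
        for ip in list(self.fail_by_ip):
            q = self.fail_by_ip[ip]
            while q and q[0] < cutoff:
                q.popleft()
            if not q:
                del self.fail_by_ip[ip]

    def observe(self, ts, ip, user, ok, ua):
        self._expire(ts)
        if ok:
            return
        self.fail_by_ip[ip].append(ts)
        self.failures.append((ts, user, ip, ua))
        # Rule 1: per-source-IP cap. Cheap, but blind to IP rotation.
        if len(self.fail_by_ip[ip]) > self.per_ip_cap and ip not in self.blocked:
            self.blocked.add(ip)
            self.alerts.append(("block_ip", ip))
        # Rule 2: distinct accounts failing in the window, whatever the source.
        accounts = {f[1] for f in self.failures}
        if len(accounts) > self.account_cap and not self._distributed_alerted:
            self._distributed_alerted = True
            ips = {f[2] for f in self.failures}
            top_ua = Counter(f[3] for f in self.failures).most_common(1)[0][0]
            self.alerts.append(("distributed_attack", len(accounts), len(ips), top_ua))


def run(lines, **caps):
    det = AtoDetector(**caps)
    for line in lines:
        det.observe(*parse(line))
    return det


if __name__ == "__main__":
    det = run(build_sample_log())
    for alert in det.alerts:
        print(alert)
    print("blocked IPs:", sorted(det.blocked))
```

Rule 1 blocks the single noisy address after its eleventh failure and never fires again, because each rotated address fails exactly once. Rule 2 still trips once 21 distinct accounts have failed, and its alert carries the count of source addresses and the user agent they share, which is the evidence you need to switch from IP blocking to an account-side response (step-up authentication or a challenge on the affected logins). `per_ip_cap` is the knob Sqreen lowered during the attack.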

Jenkins RCE PoC or simple pre-auth remote code execution on the Server


Beating the Adversary at Their Own Game!


QEMU VM Escape

This post will describe how I exploited CVE-2019-14378, which is a pointer miscalculation in network backend of QEMU. The bug is triggered when large IPv4 fragmented packets are reassembled for processing. It was found by code auditing


VLC vulnerabilities discovered by the Semmle security research team


Sonoma Valley Hospital Website, Email Addresses Hijacked

Hackers hijacked the California provider’s coveted three-letter domain name, forcing Sonoma Hospital to change its URL; ransomware, a new AMCA breach victim, and an email hack complete this week’s breach roundup


Removing Coordinated Inauthentic Behavior From China – by Facebook and Twitter


Backstabbing, Disinformation, and Bad Journalism: The State of the VPN Industry


Top 10 security best practices for MongoDB


The Case for 2FA, Post Rest-client Gem CVE


Beginner’s guide to Zero Days, and why responsible disclosure matters


Research of the week

Featuring – Why Software Remains Insecure

How the benefits of quickly building bad software have so far outweighed the downsides


There are myriad theories as to why software remains insecure after we’ve spent decades trying to solve the problem. Common reasons include:

  • the lack of will to secure things
  • the lack of vendor liability
  • the use of insecure languages
  • insufficient developer training
  • not enough security products
  • not enough security professionals
  • etc…


Balancing Security and Performance with Web Application Firewalls

  • Security is important, but so is performance.
  • More than half (57%) of organizations use web application firewalls to protect apps in the cloud and on-premises (State of Application Delivery 2018)
  • Scanning an outbound response is one of the last opportunities to detect a breach in progress – and stop it.
  • You can have “too much of a good thing.” Carefully consider how to balance security with performance to optimise both
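The third bullet, that scanning outbound responses is one of the last chances to catch a breach in progress, and the fourth, that you can overspend on it, are easiest to see side by side in code. The following is an added example (not from the F5 report or any WAF product) of a minimal outbound filter: it looks for card numbers, validating candidates with the Luhn check so that arbitrary 16-digit reference numbers do not raise false positives, and for PEM private-key blocks, but only within a fixed byte budget per response. The regexes, the budget and the sample bodies are constructed here.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a
# longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
PRIVATE_KEY_MARKER = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

DEFAULT_BUDGET = 256 * 1024  # bytes of body inspected per response


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_response(body, budget=DEFAULT_BUDGET):
    """Return findings for one outbound body. Only the first `budget` bytes are
    inspected, which is the explicit security/latency trade-off: a leak further
    down a large response is missed unless the budget is raised."""
    text = body[:budget].decode("utf-8", errors="ignore")
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    if PRIVATE_KEY_MARKER.search(text):
        findings.append(("private_key", "PEM block"))
    return findings


# Constructed responses: a JSON export leaking two card numbers (the third
# candidate fails Luhn) and a large body whose leak sits past the default budget.
LEAKY_JSON = (b'{"customers":[{"card":"4111 1111 1111 1111"},'
              b'{"card":"5500-0000-0000-0004"},{"ref":"1234567812345678"}]}')
BIG_BODY = b"A" * (300 * 1024) + b"\ncard=4111111111111111\n"


if __name__ == "__main__":
    print(scan_response(LEAKY_JSON))
    print("within default budget:", scan_response(BIG_BODY))
    print("with a bigger budget:", scan_response(BIG_BODY, budget=400 * 1024))
```

Running it on the big body with the default budget finds nothing, while a larger budget finds the card number at the cost of scanning 300 KiB more per response; that is the balance the bullets describe, and it is worth deciding it per content type (scan JSON and HTML fully, cap or skip binaries) rather than globally.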


DejaBlue: Analyzing a RDP Heap Overflow

In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182, affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same bug. The vulnerable code exists in both the RDP client and server, making it possible to exploit in either direction.


How Secure is your Android Keystore Authentication?

Privileged malware or an attacker with physical access to an Android device is a difficult attack vector to protect against. How would your application maintain security in such a scenario?

This blog post will discuss the Android keystore mechanisms and the difficulties encountered when attempting to implement secure local authentication. By providing an introduction to the AndroidKeystore, its API and usage, you will be able to understand the common vulnerabilities associated with the keystore as they are discussed. The core of this article will highlight the developed tools which can be used to audit an application’s local authentication. It concludes with general guidance on secure implementations and presents an application which can be used as a reference.


Hacking Containers and Kubernetes. Exploiting and protecting containers with a few lines of scripting


State of Cybersecurity 2019 Report – focus Australia


Tool of the week

DevOps by Google – tools & solutions

Related reads: State of DevOps 2019, Shifting Security to the Left, The Secure DevOps Edge, and Tough love.

2FA bypass tool highlights top business security vulnerabilities

“Modlishka” tool


Reapsaw

A continuous-security DevSecOps tool that helps embed security checks into the CI/CD pipeline. It supports multiple programming languages.


Threat Intelligence Hunter

An open-source project for threat hunting and information gathering.


Large-Scale-Exploit of GitHub Repository Metadata and Preventive Measures

We suggest multiple preventive measures that should be implemented as soon as possible. We also consider it the duty of both companies like GitHub and well informed software engineers to inform fellow developers about the risk of exposing private email addresses in Git commits published publicly
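One of the preventive measures a developer can apply locally is to audit their own history for the addresses they have already published. The script below is an added example (not from the paper) that reads `git log --format='%H %ae %ce'` output and reports every author or committer address that is not a GitHub noreply alias, flagging consumer-mail domains as likely personal. The sample log, its hashes and the provider list are constructed here; `git_log()` runs the real command on a local checkout.

```python
import re
import subprocess

# GitHub's own privacy addresses: the per-user noreply alias and the web-flow
# committer identity. Anything else is a real mailbox.
GITHUB_NOREPLY = re.compile(r"(^noreply@github\.com$)|(@users\.noreply\.github\.com$)", re.I)
# Consumer mail providers are a strong hint that the address is personal
# (assumption: list chosen for the example, extend as needed).
PERSONAL_HINT = re.compile(r"@(gmail|googlemail|yahoo|hotmail|outlook|live|icloud|protonmail)\.", re.I)

# Constructed `git log --format='%H %ae %ce'` output (hashes are placeholders).
SAMPLE_LOG = """\
9fceb02d0ae598e95dc970b74767f19372d61af8 12345+octo@users.noreply.github.com 12345+octo@users.noreply.github.com
e83c5163316f89bfbde7d9ab23ca2e25604af290 jane.doe@gmail.com jane.doe@gmail.com
a9b1c2d3e4f5061728394a5b6c7d8e9f00112233 dev@example.org noreply@github.com
"""


def classify(email):
    if GITHUB_NOREPLY.search(email):
        return "noreply"
    if PERSONAL_HINT.search(email):
        return "personal"
    return "other"


def scan(log_text):
    """Return (short sha, role, email, kind) for every author/committer address
    that is not a GitHub noreply alias."""
    findings = []
    for line in log_text.strip().splitlines():
        sha, author, committer = line.split()
        for role, email in (("author", author), ("committer", committer)):
            kind = classify(email)
            if kind != "noreply":
                findings.append((sha[:12], role, email, kind))
    return findings


def git_log(repo="."):
    """Collect the same three fields from a real repository."""
    proc = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H %ae %ce"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    for sha, role, email, kind in scan(SAMPLE_LOG):
        print(f"{sha} {role:<9} {email:<40} {kind}")
```

For new commits the fix is `git config --global user.email "<ID>+<username>@users.noreply.github.com"` together with GitHub's option to block command-line pushes that expose the address. For history already pushed, rewriting it (for example with `git filter-repo --mailmap`) and force-pushing removes the address from your copy only; forks, clones and third-party archives keep the original commits, which is the paper's point about scale.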


KeePassXC

KeePass Cross-Platform Community Edition


Other interesting articles

##Extended Validation Certificates are (Really, Really) Dead


Almost one year ago now, I declared extended validation certificates dead. The entity name had just been removed from Safari on iOS, it was about to be removed from Safari on Mojave and there were indications that Chrome would remove it from the desktop in the future (they already weren’t displaying it on mobile clients). The only proponents of EV seemed to be those selling it or those who didn’t understand how reliance on the absence of a positive visual indicator was simply never a good idea in the first place


##Why you need static and dynamic application security testing in your development workflows

Bolster your code quality with static and dynamic application security testing


##The Real Reason I Don’t Have a Security Camera

Security expert Max Eddy doesn’t want creepers spying on him (or his dog) through insecure hardware, but that’s not why he doesn’t have internet-connected cameras in his home


##And finally, company sues Black Hat conference after getting laughed off stage


https://timeai.io/ (thanks to Mithun)

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://appio.dev/vulns/clickjacking-xss-on-google-org/

Description: Clickjacking DOM XSS on Google.org.

URL: https://medium.com/rangeforce/meteor-blind-nosql-injection-29211775cd01

Description: Meteor Blind NoSQL Injection.

URL: https://blog.jse.li/posts/chrome-76-incognito-filesystem-timing/

Description: Detecting incognito mode in Chrome 76 with a timing attack.
