Security Stack Sheet #68

Word of the week

Remember: “Freedom within a Framework”


Links HERE and HERE and HERE

Word of the week special

“Persistent engagement”

The head of the National Security Agency, Army Gen. Paul Nakasone, has a catchphrase: “persistent engagement.”

This covers a broad spectrum of cyber activities at the nation’s largest spy agency. But at its core, it means relentlessly tracking adversaries and, increasingly, taking offensive action against them.


Links HERE and HERE

“Being in equilibrium and being stable” in relation to cyber risk – Paddy McGuinness

Do you know the difference?

No link.

Bonus 


Link HERE

Link HERE

Link HERE


Link HERE


Link HERE

Crypto challenge of the week

CIA invites public to decode its cryptic first picture on Instagram


Link HERE

 

Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Link HERE – thanks to Marius

GDPR Compliance Has Benefits, But It Doesn’t Ensure Cybersecurity

Link HERE

Top 10 data breaches of 2019 (so far)

Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective


Link HERE

  • June 30th 2018: PCI DSS deadline for dropping SSL and TLS 1.0; TLS 1.1 became the minimum acceptable version  BEWARE!

Link HERE

Now: TLS 1.2 (or 1.3) should be the minimum for proper security

HTTPS everywhere HERE

Security Without TLS

Link HERE

  • October 31st 2019: Halloween Brexit (or later, or not, or bust). Brexit fatigue HERE
  • September 2019: PSD2 security mandatory

European payment services providers are in full gear to meet the September 2019 effective date for PSD2 technical standards

Which includes the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication.

PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the PSD2 Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) include new requirements for:

  • strong customer authentication (SCA) for electronic payment transactions.
  • secure communication by the payment service providers

Link HERE

  • November 3rd 2020: US presidential election (start of Trump’s second term, if re-elected)
  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Master

Link HERE

Software Architecture Guide

Link HERE

Comic of the week


Thanks to Gustavo

##Some OWASP stuff first

-Introduction to Application Security


Link HERE

-Steve Springett — An insider’s checklist for Software Composition Analysis

Link HERE

Link HERE

-How To Prevent DOM-based Cross-site Scripting

DOM-based Cross-site Scripting (DOM XSS) is a particular type of Cross-site Scripting vulnerability. It lives in the Document Object Model (DOM), the browser’s hierarchical representation of the HTML page. As with all other Cross-site Scripting (XSS) vulnerabilities, it relies on insecure handling of user input, but here the flaw sits in client-side JavaScript: attacker-influenced sources such as document.baseURI, document.URL or location.hash are read and written, without sanitization, into sinks such as innerHTML, document.write() or eval(). Because the payload can travel in the URL fragment, which the browser never sends to the server, server-side filters and logs may never see it.

This type of attack is explained in detail in the following article: DOM XSS: An Explanation of DOM-based Cross-site Scripting. For more information on other types of XSS attacks: reflected XSS and stored XSS, see the following article: Types of XSS: Stored XSS, Reflected XSS, and DOM-based XSS

Link HERE
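Added example, in JavaScript, of the source-to-sink flow described above; it is not code from the linked article or from OWASP. The in-memory element stand-in, the `name` parameter and the greeting markup are assumptions made for the walk-through; the stand-in’s textContent setter models the browser rule that text nodes are serialised with &, < and > escaped.

```javascript
// Added example (not code from the linked article): one DOM XSS source-to-sink
// flow, the vulnerable version beside two fixed ones. A tiny in-memory element
// stands in for the DOM so this runs under Node; its textContent setter models
// the browser behaviour that text nodes are serialised with &, < and > escaped.
function makeElement() {
  let html = "";
  return {
    get innerHTML() { return html; },
    set innerHTML(v) { html = String(v); },                 // markup sink: parsed as HTML
    set textContent(v) {                                     // text sink: never parsed
      html = String(v).replace(/[&<>]/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
    },
  };
}

// SOURCE. In a real page this is window.location.hash; passing it in keeps the
// functions testable. decodeURIComponent matters: the payload arrives encoded.
function nameFromHash(hash) {
  const m = /[#&]name=([^&]*)/.exec(hash);
  return m ? decodeURIComponent(m[1]) : "guest";
}

// VULNERABLE: attacker text is concatenated into markup and written via innerHTML.
function greetUnsafe(el, hash) {
  el.innerHTML = "<h1>Welcome, " + nameFromHash(hash) + "</h1>";
  return el.innerHTML;
}

// FIX 1: keep untrusted data out of markup entirely; textContent is a text sink.
function greetSafe(el, hash) {
  el.textContent = "Welcome, " + nameFromHash(hash);
  return el.innerHTML;
}

// FIX 2: when surrounding markup is needed, HTML-encode the value for a text
// context before concatenation (& < > " ' is the usual minimum set).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function greetEncoded(el, hash) {
  el.innerHTML = "<h1>Welcome, " + escapeHtml(nameFromHash(hash)) + "</h1>";
  return el.innerHTML;
}

// Crude check a test or scanner can apply to rendered markup: an element or an
// inline event handler the page never wrote is evidence the sink was reached.
function hasInjectedMarkup(html) {
  return /<\s*(script|img|svg|iframe|object)\b/i.test(html) ||
         /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payload: the classic onerror handler, URL-encoded as it would sit in a fragment.
const SAMPLE_PAYLOAD = "#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

module.exports = { makeElement, nameFromHash, greetUnsafe, greetSafe, greetEncoded, escapeHtml, hasInjectedMarkup, SAMPLE_PAYLOAD };
```

Fix 1 is the one to reach for first: it removes the markup context altogether. Encoding (Fix 2) is context-specific, so a value dropped into an attribute, a URL or a script block needs the encoder for that context, not this one; and none of this is visible to a server-side WAF because the fragment never leaves the browser.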

-Let’s talk about XSS and React – by Jim Manico

Link HERE

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

Hotels.com public talks compilation

Link HERE

Bsides Manchester 2019


Gavin Johnson-Lynn’s presentation and others coming soon


Hack the Zone

17-18 October, 2019, in Bucharest

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country


Incident trends report (October 2018 – April 2019)

Cyber incident trends in the UK with guidance on how to defend against, and recover from them

Link HERE


NCSC Weekly Threat Report


Popular VPNs targeted by password stealing hackers

Hackers are actively attempting to steal passwords by taking advantage of servers that have failed to patch two virtual private network (VPN) products.

Users of Fortigate SSL VPN and Pulse Secure are being warned that hackers are attempting to steal passwords, as well as encryption keys and other sensitive data. 

Researchers at the Black Hat security conference in Las Vegas explained that the vulnerabilities could be exploited by sending unpatched servers web requests containing a special sequence of characters.

Apple release a patch to fix jailbreak flaw

Apple has released an update (12.4.1) to fix a jailbreaking vulnerability – one which had previously been fixed back in iOS 12.3.

Jailbreaking allows the user to take more control over their device so, with an iPhone, it could be possible to install apps and access functionality that Apple has not approved.

Link HERE

Troy Hunt newsletter


Link HERE  

Incidents & events detail

A very deep dive into iOS Exploit chains found in the wild

Security researchers at Google have found evidence of a “sustained effort” to hack iPhones over a period of at least two years.

The attack was said to be carried out using websites which would discreetly implant malicious software to gather contacts, images and other data.

Google’s analysis suggested the booby-trapped websites were visited thousands of times per week.

…I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1’th potential future dissident. I shan’t get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time

Links HERE and HERE and Emergency PATCH HERE

Twitter C.E.O. Jack Dorsey’s Account Hacked


Links HERE and HERE

‘Is Instagram ready?’ Facebook’s former security chief raises concerns with photo app ahead of 2020

Link HERE

Cybersecurity Firm Imperva Discloses Breach

Earlier today, Imperva told customers that it learned on Aug. 20 about a security incident that exposed sensitive information for some users of Incapsula, the company’s cloud-based Web Application Firewall (WAF) product

Link HERE

New Dragonblood vulnerabilities found in WiFi WPA3 standard

Two new Dragonblood bugs allow attackers to recover passwords from WPA3 WiFi networks

Link HERE

Over 11,092 Newly-Disclosed Vulnerabilities Aggregated and Analyzed by RBS

Link HERE

City of London Hit by One Million Cyber-Attacks Per Month

Link HERE

Phishers are Angling for Your Cloud Providers

Link HERE

How to Keep Law Enforcement Out of Your Face ID & Touch ID Devices

If you’re ever faced with a situation of handing over your iPhone to law enforcement, make sure your personal data is protected

Link HERE

BitDefender Confirms Security Flaw In Free Windows Antivirus 2020, Millions At Risk

Link HERE

Two states admit bulk interception practices: why does it matter?


Link HERE

Pa$$word Problems

Our collection of dangerous password habits

Link HERE

UK cybersecurity agency warns devs to drop Python 2 due to looming EOL & security risks

NCSC likens companies continuing to use Python 2 past its EOL to tempting another WannaCry or Equifax incident

Link HERE

Research of the week

Featuring – Stuxnet Malware Analysis


Link HERE

The Need For Strong Encryption

Why encryption must be unbreakable by everyone, including governments.

***There Currently Is No Solution***

Banning encryption will cause problems, leaving it as it is will cause problems, and a measure in between will also result in problems. There is a legitimate purpose for the government being able to access encrypted data, but there is also a legitimate purpose for hiding information from all entities (e.g. journalists in authoritarian regimes), including the government. As more and more information gets encrypted with ever stronger methods, a time may come when encryption must be regulated. But, I don’t think that time has come just yet

Link HERE

An Attack on the Encryption Scheme of the Moscow Internet Voting System

The next Moscow City Duma elections will be held on September 8th with an option of Internet voting. Some source code of the voting system is posted online for public testing. Pierrick Gaudry recently showed that due to the relatively small length of the key, the encryption scheme could be easily broken. This issue has been fixed in the current version of the voting system. In this note we show that the new implementation of the ElGamal encryption system is not semantically secure. We also demonstrate how this newly found security vulnerability can be potentially used for counting the number of votes cast for a candidate


Link HERE
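Added example (JavaScript; not the paper’s code and not the voting system’s) of the textbook reason ElGamal over the whole multiplicative group Z_p^* is not semantically secure, which is the class of weakness the note above describes: the Legendre symbol of a ciphertext leaks the Legendre symbol of the plaintext, and when candidate encodings fall into different residue classes that one bit per ballot is a full tally. The prime, generator, candidate encodings and toy RNG are all assumptions chosen so the arithmetic fits in plain Numbers; nothing here reproduces the real system’s parameters.

```javascript
// Added example, not code from the paper or the voting system. Toy parameters:
// a small safe prime p = 2q+1 and g = 2, which generates all of Z_p^* because
// 2 is a quadratic non-residue mod 1019 (1019 ≡ 3 mod 8). Real deployments use
// ~2048-bit moduli; the algebra below is the same at any size.
const P = 1019;
const G = 2;

function modPow(b, e, m) {
  let r = 1; b %= m;
  while (e > 0) { if (e & 1) r = (r * b) % m; b = (b * b) % m; e >>= 1; }
  return r;
}

// Legendre symbol (a/p) by Euler's criterion: 1 for a quadratic residue, -1 otherwise.
function legendre(a, p) {
  const r = modPow(((a % p) + p) % p, (p - 1) / 2, p);
  return r === p - 1 ? -1 : r;
}

// Deterministic toy RNG so the walk-through is reproducible; never use for real keys.
function lcg(seed) {
  let s = seed >>> 0;
  return () => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return s; };
}
function randRange(next, lo, hi) { return lo + (next() % (hi - lo)); }

function keygen(next, p = P, g = G) {
  const x = randRange(next, 2, p - 1);            // private key
  return { x, y: modPow(g, x, p) };               // public key y = g^x
}
function encrypt(y, m, next, p = P, g = G) {      // textbook ElGamal: (g^k, m * y^k)
  const k = randRange(next, 2, p - 1);
  return { c1: modPow(g, k, p), c2: (m * modPow(y, k, p)) % p };
}
function decrypt(x, ct, p = P) {                   // c2 * (c1^x)^-1, inverse via Fermat
  return (ct.c2 * modPow(ct.c1, p - 1 - x, p)) % p;
}

// The leak: (c2/p) = (m/p)*(y/p)^k and (c1/p) = (g/p)^k. With g a non-residue,
// (c1/p) reveals k mod 2, hence (y/p)^k, hence (m/p), all from public values.
function leakLegendre(y, ct, p = P) {
  const kOdd = legendre(ct.c1, p) === -1 ? 1 : 0;  // valid because (g/p) = -1
  const yk = kOdd ? legendre(y, p) : 1;
  return legendre(ct.c2, p) * yk;
}

// Tally without the private key. Only works when each candidate's encoding sits
// in a different residue class, which is exactly the situation the attack needs.
function countVotes(y, ballots, candidates, p = P) {
  const byClass = {};
  for (const [name, m] of Object.entries(candidates)) {
    const cls = legendre(m, p);
    if (byClass[cls]) throw new Error("two candidates share a residue class; the oracle cannot separate them");
    byClass[cls] = name;
  }
  const tally = Object.fromEntries(Object.keys(candidates).map(n => [n, 0]));
  for (const ct of ballots) {
    const name = byClass[leakLegendre(y, ct, p)];
    if (name === undefined) throw new Error("ballot outside every candidate's class");
    tally[name]++;
  }
  return tally;
}

// Fix: only ever encrypt elements of the prime-order subgroup (the quadratic
// residues), e.g. by squaring the encoding; every ballot then has (m/p) = 1.
function encodeSafely(m, p = P) { return (m * m) % p; }

// Constructed election: 10 ballots, candidate ids 3 (a residue mod 1019) and 2 (not).
function demo(seed = 7) {
  const next = lcg(seed);
  const { x, y } = keygen(next);
  const candidates = { alice: 3, bob: 2 };
  const votes = ["alice", "alice", "bob", "alice", "bob", "alice", "alice", "bob", "bob", "alice"];
  const ballots = votes.map(v => encrypt(y, candidates[v], next));
  const consistent = ballots.every((ct, i) =>
    decrypt(x, ct) === candidates[votes[i]] &&
    leakLegendre(y, ct) === legendre(candidates[votes[i]], P));
  const leakOnSquared = leakLegendre(y, encrypt(y, encodeSafely(2), next));
  return { consistent, tally: countVotes(y, ballots, candidates), leakOnSquared };
}

module.exports = { P, G, modPow, legendre, keygen, encrypt, decrypt, leakLegendre, countVotes, encodeSafely, demo };
```

The fix in encodeSafely is the standard one: work in the order-q subgroup (a DDH group), either by squaring encodings and taking the canonical square root on decryption, or by generating a subgroup generator and rejecting any plaintext outside it. Checking subgroup membership of incoming ciphertext components is the companion check a reviewer should look for.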

Reverse Taint Analysis Using Binary Ninja

Link HERE – thanks to TK

SSRF in the Wild

A totally unscientific analysis of those SSRFs found in the wild

Link HERE

Building a more private web – by Google

Link HERE

Tool of the week

Facebook Launches Tool to Let Users Control Data Flow

The new tool gives users access to their so-called “off-Facebook activity” — data fed back to Facebook by other apps and sites with the aim of targeting advertisements — and the option of deleting it

Link HERE


Link HERE

[Mastering Kali Linux] Chapter 8: Social Engineering

Link HERE

Free IT Security Tools
Test Your Users and Your Network – from KnowBe4

Link HERE

Using Github Pull Request Templates and Checks to Implement Security Checklists

Link HERE

Getting started with IDA Pro

Link HERE

Writing a File Integrity Monitor from scratch

File Integrity Monitoring is an important control that can be implemented to enhance your enterprise’s/asset’s security posture in terms of detective capability. The end goal is for analysts/admins to receive alerts when critical/sensitive files are changed on systems. These can range from application configuration files to operating system configuration files to even source code if necessary. FIMs are also a key control in certain compliance standards and best practices frameworks

Link HERE

Web Application Formal Exploiter

A formal and automated approach to exploit multiple vulnerabilities of web applications

Link HERE

 

Other interesting articles

##Day-1 Skills That Cybersecurity Hiring Managers Are Looking For

A collection of typical tasks and assignments given to information security professionals as part of their job role

Link HERE – thanks to Ben

 

##Open Security: The path to securing Open Source Software


Link HERE

 

##Attack Work Effort: Transparent Accounting for Software in Modern Companies

Software is famously ‘eating the world’, i.e. modern companies are increasingly software-driven. 20th century accounting concepts have not kept up

Link HERE

 

##The Myth of Consumer Security

Link HERE

##And finally, the Funniest Hacker Stock Photos 4.0: The Future of Hacking


Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: http://bit.ly/2KM6v8c  (+)

Description: Attacks on Applications of K-Anonymity — For the Rest of Us.

URL: https://hackerone.com/reports/637194

Description: Bypass of Android biometrics security functionality in Shopify.

Link HERE and credits to HERE

 

 

 

 
