Word of the week
“WAF-on much better than WAF-off”
Thanks to JuanMi
Report: Most Organizations Are Dissatisfied With Their Web Application Firewalls (WAFs) HERE
Intro to WAFs HERE
WAF Market – Key Drivers HERE
Word of the week special
“We’re just asking – what’s the world coming to?”
Google bans family cafe for “offensive content” for posting photo of British dish, faggots and peas
Crypto challenge of the week
GDPR Enforcement Tracker
Link HERE – thanks to Marius
HTTPS everywhere HERE
Surely no one uses SSL v2.0 on their web site? Yes … millions still do!
PSD2 legislation will not come fully into force in every European country in September 2019
- France has just postponed the application to 2022 (here from Banque de France, with approval there from the European Banking Authority); it’s not crystal clear but is also seen in the French financial press
- UK has done the same but with an 18-month delay (here from the Financial Conduct Authority)
- Germany is in a similar situation; no source available.
Thanks to Christophe.
European payment services providers are in full gear to meet the September 2019 effective date for the PSD2 technical standards, which include the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication.
PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the PSD2 Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) include new requirements for:
Book of the month
Security books and courses
Comic of the week
## Some OWASP stuff first
- OWASP API Security Project
- 145: Apple and Google willy wave while home assistants spy – DoH!
Apple is furious with Google over iPhone hacking attacks against Uyghur Muslims in China, DNS-over-HTTPS is good for privacy but makes ISPs angry, and concern over digital assistants listening to our private moments continues to rise.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by web security journalist John Leyden.
- AppSec DC 2019 Presentation of OWASP ASVS
OWASP events HERE
All InfoSec events HERE
The complete Security Events calendar – Peerlyst
OWASP London event 19th of September
Hack the Zone
17-18 October, 2019, in Bucharest
BSidesManchester 2019 videos
BSidesMCR 2019: From Builder To Breaker – Gavin Johnson-Lynn
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
Wikipedia suffers intermittent issues following DoS attack
More than a million IoT radio devices affected by backdoor vulnerability
Troy Hunt newsletter
Incidents & events detail
Simjacker – Next Generation Spying Over Mobile
Today we are announcing the existence of the vulnerability and associated exploits that we call Simjacker. We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance. Other than the impact on its victims, from our analysis, Simjacker and its associated exploits are a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. It represents a considerable escalation in the skillset and abilities of attackers seeking to exploit mobile networks.
NY Payroll Company Vanishes With $35 Million
MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.
Link HERE – thanks to Alvin
Google to Experiment ‘DNS over HTTPS’ (DoH) Feature in Chrome 78
‘Ban all watches from exams to stop cheating’
Remember: Researchers Bypass Apple FaceID Using Biometrics ‘Achilles Heel’
California passes law that bans default passwords in connected devices
September 2019 Patch Tuesday: Microsoft plugs two actively exploited zero-days
CVE-2019-1214 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver. CVE-2019-1215 is an elevation of privilege vulnerability in the Winsock IFS Driver (ws2ifsl.sys).
“Both flaws exist due to improper handling of objects in memory by the respective drivers,” says Satnam Narang, senior research engineer at Tenable, and points out that attackers must first gain access to a system before taking advantage of them.
The spy in your wallet: Credit cards have a privacy problem
In a privacy experiment, we bought one banana with the new Apple Card — and another with the Amazon Prime Rewards Visa from Chase. Here’s who tracked, mined and shared our data.
Google collects face data now. Here’s what it means and how to opt out
The new Face Match technology isn’t everywhere yet, but it’s always looking. Find out what’s happening with your face data and what you can do to stop it.
Researchers Created AI That Hides Your Emotions From Other AI
As smart speaker makers such as Amazon improve emotion-detecting AI, researchers are coming up with ways to protect our privacy.
Research of the week
Featuring Chaos Engineering
New Approaches To Security
Link HERE – thanks to TK
PAPER: Does insurance have a future in governing cybersecurity?
Cyber insurance could achieve public policy goals for cybersecurity with private-sector means. Insurers assess organizational security postures, prescribe security procedures and controls, and provide post-incident services. We evaluate how such mechanisms impact security, identify market dynamics restricting their effectiveness, and sketch out possible futures for cyber insurance as governance.
Moving the Encryption Policy Conversation Forward Encryption Working Group
There will be no single approach for requests for lawful access that can be applied to every technology or means of communication. More work is necessary, such as that initiated in this paper, to separate the debate into its component parts, examine risks and benefits in greater granularity, and seek better data to inform the debate. Based on our attempt to do this for one particular area, the working group believes that some forms of access to encrypted information, such as access to data at rest on mobile phones, should be further discussed. If we cannot have a constructive dialogue in that easiest of cases, then there is likely none to be had with respect to any of the other areas. Other forms of access to encrypted information, including encrypted data-in-motion, may not offer an achievable balance of risk vs. benefit, and as such are not worth pursuing and should not be the subject of policy changes, at least for now. We believe that to be productive, any approach must separate the issue into its component parts.
Link HERE – thanks to Naz
“Billion Laughs” — An example of chaining XXE (XML External Entity) to DoS (Denial of Service) and SSRF (Server-Side Request Forgery)
Kernel Panic: Inside the World’s Worst Cyberattacks
The misuse of technology is the digital age’s darkest danger. Bad actors, emboldened by our inability to properly secure crucial systems and networks, are launching increasingly sophisticated attacks. No system is safe.
Tool of the week
This Smartphone App Can Quickly Detect Invisible Gas Pump Card Skimmers
Other interesting articles
## Capture the Flag events and eSports
Looking at what is popular with smaller niche crowds can give greater insight into the “next thing”. This natural selection of attention can inspire an evolution of methods and practices. Capture the Flag Events (CTFs) and electronic Sports (eSports) are good examples of a relatively new trend. I’ve had the chance to be front row with each in the past years and can say they both have vivid partisans. Spoiler alert! My conclusion is that CTFs are intrinsically an eSport with the attribute of having a strong educational value.
## How Visiting a Trusted Site Could Infect Your Employees
The Artful and Dangerous Dynamics of Watering Hole Attacks
## The Secret Hacker Code
## And finally, How the world will change as computers spread into everyday objects
Predicting the consequences of any technology is hard—especially one as universal as computing. The advent of the consumer internet, 25 years ago, was met with starry-eyed optimism. These days it is the internet’s defects, from monopoly power to corporate snooping and online radicalisation, that dominate the headlines. The trick with the IOT, as with anything, will be to maximise the benefits while minimising the harms. That will not be easy. But the people thinking about how to do it have the advantage of having lived through the first internet revolution—which should give them some idea of what to expect.
## HACKING, TOOLS and FUN – CHECK BELOW!
Description: Password theft on login.newrelic.com via Request Smuggling.
Description: HTML to PDF converter bug leads to RCE in Facebook server.
Description: GitLab’s GitHub integration is vulnerable to SSRF.