Security Stack Sheet #70

Word of the week

“WAF-on much better than WAF-off”

Thanks to JuanMi

Report: Most Organizations Are Dissatisfied With Their Web Application Firewalls (WAFs) HERE


Intro to WAFs HERE


Trends for WAFs HERE and the Cost of Web Attacks HERE


WAF Market – Key Drivers HERE

Word of the week special

“We’re just asking – what’s the world coming to?”

Google bans family cafe for “offensive content” for posting photo of British dish, faggots and peas

Link HERE

Bonus


Link HERE


Link HERE


Link HERE


Link HERE


Links HERE and HERE


Link HERE


Link HERE

Crypto challenge of the week


Link HERE. Prepare yourself from HERE.


Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Link HERE – thanks to Marius

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective


Link HERE

  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!

Link HERE

  • Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

Surely No-one Uses SSL v2.0 on their Web site? Yes … millions still do!

Link HERE

  • Halloween Brexit! Or later, or not, or bust. Brexit Fatigue HERE
  • September 2019: PSD2 security mandatory

PSD2 legislation will not come into full gear in every European country in September 2019:

  • France has just postponed the application to 2022 (here from Banque de France, with approval there from the European Banking Authority); it’s not crystal clear but also seen in the French Financial press
  • UK has done the same but with an 18-month delay (here from the Financial Conduct Authority)
  • Germany similar situation… No source available.

Thanks to Christophe.


European payment services providers are in full gear to meet the September 2019 effective date for PSD2 technical standards, which include the use of Qualified TLS and eSeal signing certificates for secure online authentication and communication.

PSD2 covers many facets of the electronic payments market, but notably introduces enhanced privacy and online security measures to be implemented by all Payment Service Providers (PSPs), including banks. Coming into effect in September 2019, the PSD2 Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) include new requirements for:

  • strong customer authentication (SCA) for electronic payment transactions
  • secure communication by the payment service providers

Link HERE

  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Security books and courses

Link HERE

Comic of the week

Spelling Crypto Wrong - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP API Security Project


Link HERE

-145: Apple and Google willy wave while home assistants spy – DoH!


Apple is furious with Google over iPhone hacking attacks against Uyghur Muslims in China, DNS-over-HTTPS is good for privacy but makes ISPs angry, and concern over digital assistants listening to our private moments continues to rise.

All this and much, much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by web security journalist John Leyden.

Link HERE

-AppSec DC 2019 Presentation of OWASP ASVS

Link HERE


Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

OWASP London event 19th of September

  • “Hack the World & Galaxy with OSINT” – Chris Kubecka
  • Lightning Talk – “Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions” – Dinis Cruz
  • “Common API Security Pitfalls” – Philippe De Ryck

Link HERE

Hack the Zone

17-18 October, 2019, in Bucharest

Link HERE


Link HERE

BSidesManchester 2019 videos


Link HERE

AND

BSidesMCR 2019: From Builder To Breaker – Gavin Johnson-Lynn

Link HERE


Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE. Find your country.

NCSC Weekly Threat Report


Wikipedia suffers intermittent issues following DoS attack

Wikipedia was sporadically inaccessible in Europe and the Middle East last weekend following a suspected denial of service (DoS) attack.

The reference site experienced intermittent issues in the early hours of Saturday morning (7th September), which would have made it unavailable for many users.

Wikimedia, the parent company of Wikipedia, confirmed that the site had been hit by a “malicious attack that has taken it offline in several countries for intermittent periods.”

More than a million IoT radio devices affected by backdoor vulnerability

Vulnerabilities have been uncovered in Telestar Digital GmbH Internet of Things (IoT) radio devices that could allow attackers to hijack systems remotely.

The vulnerabilities were found by researcher Benjamin Kunz, of Vulnerability Lab, when an anomaly was spotted on a private server.

The first (CVE-2019-13473) covers a weak password vulnerability within an undocumented telnet service presented by the device. This is vulnerable to brute force attacks, which could give the attacker root access to the device’s underlying Linux operating system.

Link HERE

Troy Hunt newsletter


Link HERE

Incidents & events detail

Simjacker – Next Generation Spying Over Mobile


Today we are announcing the existence of the vulnerability and associated exploits that we call Simjacker. We believe this vulnerability has been exploited for at least the last 2 years by a highly sophisticated threat actor in multiple countries, primarily for the purposes of surveillance. Other than the impact on its victims, from our analysis, Simjacker and its associated exploits are a huge jump in complexity and sophistication compared to attacks previously seen over mobile core networks. It represents a considerable escalation in the skillset and abilities of attackers seeking to exploit mobile networks.

Link HERE


Link HERE


Link HERE

NY Payroll Company Vanishes With $35 Million

MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company’s CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.

Link HERE – thanks to Alvin

Google to Experiment ‘DNS over HTTPS’ (DoH) Feature in Chrome 78

Link HERE

‘Ban all watches from exams to stop cheating’

Link HERE

Remember: Researchers Bypass Apple FaceID Using Biometrics ‘Achilles Heel’

Link HERE

California passes law that bans default passwords in connected devices

Link HERE

September 2019 Patch Tuesday: Microsoft plugs two actively exploited zero-days

CVE-2019-1214 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver. CVE-2019-1215 is an elevation of privilege vulnerability in the Winsock IFS Driver (ws2ifsl.sys).

“Both flaws exist due to improper handling of objects in memory by the respective drivers,” says Satnam Narang, senior research engineer at Tenable, and points out that attackers must first gain access to a system before taking advantage of them.

Link HERE

The spy in your wallet: Credit cards have a privacy problem

In a privacy experiment, we bought one banana with the new Apple Card — and another with the Amazon Prime Rewards Visa from Chase. Here’s who tracked, mined and shared our data.

Link HERE

Google collects face data now. Here’s what it means and how to opt out

The new Face Match technology isn’t everywhere yet, but it’s always looking. Find out what’s happening with your face data and what you can do to stop it.

Link HERE

Researchers Created AI That Hides Your Emotions From Other AI

As smart speaker makers such as Amazon improve emotion-detecting AI, researchers are coming up with ways to protect our privacy.

Link HERE

Research of the week

Featuring Chaos Engineering

New Approaches To Security


Link HERE – thanks to TK

PAPER: Does insurance have a future in governing cybersecurity?

Cyber insurance could achieve public policy goals for cybersecurity with private-sector means. Insurers assess organizational security postures, prescribe security procedures and controls, and provide post-incident services. We evaluate how such mechanisms impact security, identify market dynamics restricting their effectiveness, and sketch out possible futures for cyber insurance as governance.

Link HERE

Moving the Encryption Policy Conversation Forward Encryption Working Group

There will be no single approach for requests for lawful access that can be applied to every technology or means of communication. More work is necessary, such as that initiated in this paper, to separate the debate into its component parts, examine risks and benefits in greater granularity, and seek better data to inform the debate. Based on our attempt to do this for one particular area, the working group believes that some forms of access to encrypted information, such as access to data at rest on mobile phones, should be further discussed. If we cannot have a constructive dialogue in that easiest of cases, then there is likely none to be had with respect to any of the other areas. Other forms of access to encrypted information, including encrypted data-in-motion, may not offer an achievable balance of risk vs. benefit, and as such are not worth pursuing and should not be the subject of policy changes, at least for now. We believe that to be productive, any approach must separate the issue into its component parts.

Link HERE – thanks to Naz

“Billion Laughs” — An example of chaining XXE (XML External Entity) to DoS (Denial of Service) and SSRF (Server-Side Request Forgery)

Link HERE and what is CSRF HERE

Kernel Panic: Inside the World’s Worst Cyberattacks

The misuse of technology is the digital age’s darkest danger. Bad actors, emboldened by our inability to properly secure crucial systems and networks, are launching increasingly sophisticated attacks. No system is safe.

In the new original video series Kernel Panic, Mashable and PCMag dive deep into the worst cybersecurity breaches of all time. The premiere episode, embedded above, takes viewers back to the very beginning: the groundbreaking malware known as the Morris Worm.

Link HERE

Tool of the week

This Smartphone App Can Quickly Detect Invisible Gas Pump Card Skimmers

Link HERE


Other interesting articles

##Capture the Flag events and eSports

Looking at what is popular with smaller niche crowds can give greater insight into the “next thing”. This natural selection of attention can inspire an evolution of methods and practices. Capture the Flag events (CTFs) and electronic sports (eSports) are good examples of a relatively new trend. I’ve had the chance to be front row with each in the past years and can say they both have vivid partisans. Spoiler alert! My conclusion is that CTFs are intrinsically an eSport with the attribute of having a strong educational value.

Link HERE


##How Visiting a Trusted Site Could Infect Your Employees

The Artful and Dangerous Dynamics of Watering Hole Attacks

A group of researchers recently published findings of an exploitation of multiple iPhone vulnerabilities using websites to infect final targets. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others, and it’s defined as a watering hole attack.

Link HERE


##The Secret Hacker Code

Link HERE

##And finally, How the world will change as computers spread into everyday objects

Predicting the consequences of any technology is hard—especially one as universal as computing. The advent of the consumer internet, 25 years ago, was met with starry-eyed optimism. These days it is the internet’s defects, from monopoly power to corporate snooping and online radicalisation, that dominate the headlines. The trick with the IoT, as with anything, will be to maximise the benefits while minimising the harms. That will not be easy. But the people thinking about how to do it have the advantage of having lived through the first internet revolution—which should give them some idea of what to expect.

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/498052

Description: Password theft login.newrelic.com via Request Smuggling.

URL: https://ysamm.com/?p=280

Description: HTML to PDF converter bug leads to RCE in Facebook server.

URL: https://hackerone.com/reports/446593

Description: GitLab’s GitHub integration is vulnerable to SSRF vulnerability.

Link HERE and credits to HERE
