Security Stack Sheet #72

Word of the week

“Cyber Security Month – October 2019”

Link HERE

Word of the week special

“If HttpOnly You Could Still CSRF… Of CORS you can!”

Before we get into the meat and potatoes of this post, we need to look at a couple of appsec concepts. The first is Cross-Origin Resource Sharing (CORS), a complex security mechanism built into all modern browsers. If you are not familiar with what it is and how it works, you should read this very good article on it. The second is HttpOnly cookies; if unfamiliar, you can read up on that here.

Links HERE and HERE and HERE and HERE

Bonus

Link HERE

Awareness from Europol

Link HERE – thanks to Butisec

Link HERE

Link HERE

Link HERE

Power over Ethernet

Link HERE

Crypto challenge of the week

European Cyber Security Challenge 2019 – starts 9th of October!

Link HERE

 

Dates

  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Link HERE – thanks to Marius

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective

Link HERE

  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance  BEWARE!

Link HERE

  • Now: TLS1.2 mandatory for proper security

HTTPS everywhere HERE

  • Halloween Brexit! or later or not or bust

  • September 2019: PSD2 security Link HERE
  • November 3rd 2020: Trump’s second term start

  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

52 Influential Cyber Security Bloggers and Speakers

Link HERE Book HERE

Comic of the week

Link HERE

##Some OWASP stuff first

-How to secure app pipelines in AWS – 26th September 2019

Link HERE

-The All Things Auth Podcast – Grading How Companies (In)Securely Store Passwords

  • Michal launched Password Storage at BSides Las Vegas in 2016. You can see the slides from his talk here.
  • Bruce K. Marshall is a researcher and consultant dedicated to improving the application of authentication technologies, products, and good practices. He founded PasswordResearch.com to better share the password information he was collecting.
  • You can find Bruce on Twitter @PwdRsch.
  • Michal wrote an article titled “Upgrading existing password hashes” that explains how to gracefully migrate passwords hashed with a legacy algorithm to a secure and modern algorithm.
  • To get your website listed in the Password Storage project, check out the FAQ

Link HERE

-Security programs big and small – AppSec Podcast

Ronnie Flathers is a security guy, a pentester, and a researcher. In this conversation, we explore his experiences in building application security programs. He has had the opportunity to build programs inside companies big and small.

Link HERE

-Manual JavaScript Analysis Is A Bug

When performing security assessments or participating in bug bounties, there is generally a methodology you follow when assessing source code or performing dynamic analysis. This involves using tools, reviewing results and understanding what you should be testing for. Reviewing modern web applications can be quite challenging, and this talk will go into details on how we can automate the boring (but necessary) parts and how to set a roadmap of what should be focused on when dealing with modern JavaScript applications.

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

OWASP Amsterdam 2019

Link HERE

Malware Analysis for BEGINNERS at BSIDES Sao Paulo 2019

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

And an Any Run sample HERE

Incident data HERE Find your country

Link HERE

NCSC Weekly Threat Report

Emergency patch issued for Internet Explorer

Microsoft has issued an emergency patch which users should utilise as soon as possible to fix a bug on the Internet Explorer browser.

The vulnerability could allow the browser to be hijacked by attackers with Microsoft confirming that versions 9 to 11 were vulnerable. Users still using Internet Explorer should download and apply the patch as soon as possible.

In one scenario described by Microsoft, an attacker could host a website designed to exploit the vulnerability through Internet Explorer and convince users to visit it via an email. The attacker could then feasibly install malware, alter data or set up brand new accounts with full user rights.

New REvil ransomware attributed to GandCrab Developers

Back in May this year, the developers behind GandCrab Ransomware as a Service (RaaS) announced their “retirement”, after claims they profited more than $2bn since January 2018.

But this week, security researchers at Secureworks say they have discovered links between the thought-to-be-disbanded group and a strain of ransomware dubbed REvil, or Sodinokibi.

Link HERE

API Security Issue 51: Gartner releases full report on API security

Link HERE

Incidents & events detail

Link HERE

Logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up

AND

Just a GIF Image Could Have Hacked Your Android Phone Using WhatsApp

Links HERE and HERE

Managing Public Domain Names – by the NCSC

Good practices for the management of public domain names owned by your organisation.

Link HERE

AG Barr, Officials to Facebook: Don’t Encrypt Messaging

U.S. Attorney General William Barr is among government officials asking Facebook CEO Mark Zuckerberg to halt or at least delay a plan to add end-to-end encryption to its messaging services in an effort to bolster consumer privacy.

Link HERE

Attackers exploit 0-day vulnerability that gives full control of Android phones

Vulnerable phones include 4 Pixel models, devices from Samsung, Motorola, and others

Link HERE

Smart Contract Security Verification Standard

Link HERE

FBI urges hacked orgs to ignore attackers’ ransomware demands

Paying up only encourages them, it claims

Link HERE

Cloudflare, Google Chrome, and Firefox add HTTP/3 support

Next iteration of the HTTP protocol starts making its way into production systems

Link HERE – thanks to Mithun

If your org hasn’t had a security incident in the last year: Good for you, you’re in the minority

C-suite bods quietly ‘fess up to oopsies in survey

Link HERE

Security Firm Comodo Hacked, as vBulletin Exploit Spawns

Link HERE

Link HERE

Same-Site Cookies By Default

The Chrome team is embarking on a clever and bold plan to change the recipe for cookies. It’s one of the most consequential changes to the web platform in almost a decade, but with any luck, users won’t notice anything has changed.

But if you’re a web developer, you should start testing your sites and services now to help ensure a smooth transition

Link HERE

Remote Code Execution in Firefox beyond memory corruptions

Browsers are complicated enough to have attack surface beyond memory safety issues. This talk will look into injection flaws in the user interface of Mozilla Firefox, which is implemented in JS, HTML, and an XML dialect called XUL. With a Cross-Site Scripting (XSS) in the user interface, attackers can execute arbitrary code in the context of the main browser application process. This allows for cross-platform exploits of high reliability. The talk discusses past vulnerabilities and will also suggest mitigations that benefit Single Page Applications and other platforms that may suffer from DOM-based XSS, like Electron.

Link HERE

Thousands of Cloud Computing Servers Could Be Owned With ‘Very Simple’ Attack, Researchers Say

Researchers at Skylight Cyber found a vulnerability in OnApp’s cloud computing management platform that could potentially have given attackers root access to thousands of servers.

Link HERE

How Paddy Power Betfair Secures 1000+ CI/CD Deployments Daily

Link HERE

Research of the week

Featuring The Product We Deserve

Link HERE

Zero Trust Architecture: Draft NIST SP 800-207 Available for Comment

NIST has released Draft Special Publication (SP) 800-207, Zero Trust Architecture. Public comments are due by November 22, 2019

Link HERE and check Good design: force multiplier for Hackers? HERE

Rusty Joomla RCE

During one of our research activities, we discovered an undisclosed PHP Object Injection in Joomla CMS from release 3.0.0 to 3.4.6 (releases from 2012 to December 2015) that leads to Remote Code Execution.
A PHP Object Injection was discovered in the wild and patched in version 3.4.5 (CVE-2015-8562); however, that vulnerability also depends heavily on the installed PHP release, so it cannot be relied upon in all environments.

Link HERE

Do We Need Baseline Security for all SQL Data Stores? Nearly 7-in-10 SMBs Do Not Encrypt Their Data At-Rest

Link HERE

Multi-Factor Authentication (MFA)

A light, beginner’s guide to multi-factor authentication

Link HERE

Google claims to have reached quantum supremacy

Link HERE

Tool of the week

New Gartner Magic Quadrant for WAFs

Magic Quadrant for Web Application Firewalls

Link HERE

Hacking AWS with Pacu

Learning from the recent Capital One incident

Link HERE

Polyglot Files: a Hacker’s best friend

And how to hide PHP code in JPEG files.

To an image processor, the file is a JPEG image because it contains all the signatures of a valid JPEG file: a Start of Image marker, headers, and an End of Image marker. Most image processors will stop processing the file at this point and will not look beyond the JPEG.

But when used with the Phar stream wrapper phar://, the file seems like something entirely different: it looks like a file with a valid stub section, a valid manifest and some files in the contents section. Therefore, when operating on the file, PHP still performs an unserialize() operation on the Phar file’s metadata. The attacker thus achieves RCE through a successful PHP object injection.
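As an added illustration of the two checks a defender wants around this (example code written for this digest, not from the linked article and not PHP’s own code): a small Python scanner that walks the JPEG marker structure to find where an image processor would stop, reports whether any bytes follow the End of Image marker and whether the Phar stub terminator `__HALT_COMPILER();` appears anywhere in the upload, plus a helper that rejects user-supplied paths carrying a stream wrapper scheme such as `phar://`. The sample bytes are constructed (not a real image or a real Phar archive), and the function names `find_jpeg_eoi`, `analyse_upload` and `has_stream_wrapper` are my own.

```python
import re
import struct

# Phar archives end their stub with this token; PHP locates the manifest right after it.
PHAR_STUB_TERMINATOR = b"__HALT_COMPILER();"
SOI = b"\xff\xd8"   # JPEG Start of Image marker
EOI = b"\xff\xd9"   # JPEG End of Image marker


def find_jpeg_eoi(data: bytes):
    """Walk the JPEG marker structure and return the offset just past the EOI
    marker, or None when the bytes are not a structurally valid JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: image processors stop here
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # stand-alone markers carry no length field
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: entropy-coded scan data follows
            # Skip until a real marker: 0xFF00 is byte stuffing, 0xFFD0-D7 are restart markers.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def analyse_upload(data: bytes) -> dict:
    """Classify an uploaded 'image': is it a JPEG, is anything appended after EOI,
    and does a Phar stub terminator appear anywhere in the bytes?"""
    end = find_jpeg_eoi(data)
    result = {
        "valid_jpeg": end is not None,
        "trailing_bytes": len(data) - end if end is not None else 0,
        "phar_stub": PHAR_STUB_TERMINATOR in data,
    }
    # A file that satisfies the image parser *and* carries a Phar stub is a polyglot.
    result["polyglot_phar"] = result["valid_jpeg"] and result["phar_stub"]
    return result


_WRAPPER_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*://")


def has_stream_wrapper(path: str) -> bool:
    """True when a user-supplied path starts with a stream wrapper scheme
    (phar://, data://, ...). Handing such a path to PHP file functions is what
    lets the Phar metadata reach unserialize(), so reject it server-side."""
    return _WRAPPER_RE.match(path) is not None


# --- constructed sample input: not a real image, just enough structure to parse ---
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


CLEAN_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0 header
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS header
    + b"\x12\x34\xff\x00\x56"                                          # scan data with a stuffed 0xFF00
    + EOI
)
# Same image bytes followed by a fake Phar stub terminator and a dummy 16-byte "manifest".
POLYGLOT = CLEAN_JPEG + PHAR_STUB_TERMINATOR + b" ?>\r\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN_JPEG), ("polyglot.jpg", POLYGLOT)):
        print(name, analyse_upload(blob))
    print("wrapper in path:", has_stream_wrapper("phar:///var/www/uploads/polyglot.jpg"))
```

The point of the scanner is that a content-type sniff alone is not enough: both files above are "valid JPEGs" to the marker walk, and only the trailing-byte count and the stub search separate them. On the PHP side, the path check matters just as much, because the object injection only triggers when a `phar://` path reaches a file function.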

Link HERE

Link HERE

TL-BOTS

This collection contains source files, tools, and other components of a vast array of botnet families. The families covered here range from 2014/2015 to the present day.

Link HERE

MOBEXLER – a Mobile Application Penetration Testing Platform

Link HERE

USB armory Mk II by F-Secure Foundry – Invest

A tiny, open source USB computer for security applications.

“Can be used… as a Tor Bridge, VPN router, Hardware Security Module (HSM), OpenSSH client and agent for untrusted hosts, portable penetration testing platform, automatically encrypted mass storage device, password manager, digital wallet…”

Link HERE

One XSS cheatsheet to rule them all

Link HERE

PLUS

Link HERE and XSS magic tricks HERE

 

Other interesting articles

##Cybersecurity for Developers: Cheat Sheet

Software security is conceptually different from, and therefore less intuitive than, the general functional requirements we care about foremost. Nevertheless, security is a crucial property of software, especially when it comes to software-controlled machines that can affect the life and health of customers, or systems that process personal data.

While the desired program behaviour is usually treated as the primary goal, the main concern of security, in contrast, is what a program should not do; in other words, preventing undesired behaviour.

Link HERE

 

##Is Your Boss Spying on You?

Link HERE and related

Former Yahoo employee admits he hacked 6000 users’ accounts, stole nude photos and videos HERE

 

##How To Align Your Company’s Security Practices With The Human Brain

Link HERE

 

##And finally, How Much Is Your Child’s Personal Data Worth?

$10 Is the Answer, According to Hackers on the Dark Web

Link HERE

AND

Being ‘Indistractable’ Will Be the Skill of the Future

How the difference between traction and distraction could transform your productivity

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.ripstech.com/2019/bitbucket-path-traversal-to-rce/

Description: Bitbucket 6.1.1 Path Traversal to RCE (CVE-2019-3397).

URL: https://iwantmore.pizza/posts/cve-2019-10392.html

Description: Yet Another 2k19 Authenticated RCE in Jenkins (CVE-2019-10392).

URL: http://bit.ly/2lWASis  (+)

Description: How two dead accounts allowed REMOTE CRASH of any Instagram Android user.

Link HERE and credits to HERE

 

 

 
