Security Stack Sheet #73

Word of the week

“Security Super Heroes”

  • Your C-Suite is a key point of vulnerability, protect it
  • An executive assistant is a privileged user
  • Your ‘super users’ may not be senior staff

Links HERE and HERE and HERE (this article costs – a lot)

“Cyber Security Month – October 2019”

Links HERE and HERE

Word of the week special

“If only you could see what I’ve seen through your eyes…”

Stalker attacks Japanese pop singer – after tracking her down using reflection in her eyes

Link HERE

“Copycat software” – BEWARE!

Copycat coders create ‘vulnerable’ apps

Link HERE

Comment! Andrew Yang proposes that your digital data be considered personal property

Link HERE

Bonus

Link HERE and recent Ransomware attacks HERE

Thanks to Andi

Link HERE

Link HERE

Link HERE

Link HERE

Link HERE

Crypto challenge of the week

Link HERE

Dates

  • May 25th 2019: 1 year of GDPR live! See the incidents section below; GDPR Enforcement Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective. Link HERE
  • June 30th 2018: TLS 1.1 mandatory for PCI-DSS compliance. BEWARE! Link HERE
  • Now: TLS 1.2 mandatory for proper security; HTTPS everywhere HERE
  • Halloween Brexit! or later or not or bust

  • September 2019: PSD2 security Link HERE
  • November 3rd 2020: Trump’s second term start

  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

I write essays because I enjoy it. It’s fun, and I’m good at it. I like the exposure. Having an essay published in a popular and influential newspaper or magazine is a good way to get new readers. And having to explain something to a general audience in 1,200 words is a good way for me to crystallize my own thinking. That’s not all: I also write because it’s important. I consider myself a technologist. Technology is complicated. It requires expertise to understand. Technological systems are full of nonlinear effects, emergent properties, and wicked problems. In the broader context of how we use technology, they are complex socio-technical systems. These socio-technical systems are also full of even-more-complex nonlinear effects, emergent properties, and wicked problems. Understanding all this is hard: it requires understanding both the underlying technology and the broader social context. Explaining any of this to a popular audience is even harder. But it’s something that technologists need to do. We need to do it because understanding it matters.

Link HERE

Permanent Record by Edward Snowden

Link HERE

Comic of the week

Oldie, but still a frequent occurrence today!

AND

Some OWASP stuff first

  • Prototype Pollution in Kibana @OWASP Poland Day

Link HERE

Link HERE

  • Angular and the OWASP top 10 | Philippe De Ryck

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

Link HERE

Keynote: A DevSecOps Tale of Business, Engineering, and People – James Wickett

Link HERE

OWASP London event 24th of October 2019

  • “The Good, The Bad and The Ugly of Responsible Disclosure” – Chrissy Morgan

So what do a jQuery bug that affected thousands of websites (one of the highest-starred GitHub repos, with 7,800 forks), a domain name registrar vulnerability which allowed full access to domain owner details (post GDPR) and data protection flaws within Microsoft’s Office 365 all have in common? … Answer: responsible disclosure. This talk will feature disclosure on each of these bugs and others, and the circumstances around reporting them, to highlight the problems security researchers face today when trying to do the right thing and to raise awareness of the security flaws so we are better protected.

  • “Making Fact-Based Security & Risk Decisions (using OWASP Security bot & Data Science)” – Dinis Cruz

The way to create a modern and empowering security organisation, one that both protects and empowers/enables the business, is to view the entire company and security ecosystem as a graph (where nodes are the multiple players and edges are the hyperlinked connections between them). This presentation will show real-world examples of how to use tools such as Jira, Slack, Jupyter notebooks, Lambda functions, Wardley Maps and OSBot to map and automate vulnerability and incident management workflows and ultimately empower the decision-makers by providing fact-based risk matrices and dashboards. This is the full version of the lightning talk presented at the September 19th OWASP London meetup.

Link HERE

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incident data HERE – find your country

Link HERE

NCSC Weekly Threat Report

Twitter apologises following misuse of user details

The ‘unintentional’ use of user email addresses and phone numbers for targeted advertising has prompted an apology from Twitter.

Twitter has confirmed that third-party advertisers could have targeted certain users using these details, which had been provided for security purposes, without the users’ permission. A statement from Twitter revealed they could not determine how many users had been affected.

Thousands of retailers affected by hack

Retailers, including the official Sesame Street store, have been targeted by a hack that can steal credit card details.

Malicious code known as JavaScript Cookie has been found in e-commerce software provided by Volusion. The code is designed to copy customers’ credit card details, which can then be used by cyber criminals. This method, also known as ‘web skimming’, can be hard to spot, but a researcher at security firm Check Point noticed the issue when browsing the Sesame Street online store.

Links HERE and HERE

API Security Issue 52 – NIST Zero Trust Architecture Guidelines

This week, the Kubernetes API server was found vulnerable to the Billion Laughs attack, NIST has opened its Zero Trust Architecture guidelines for comment, and the VS Code OpenAPI extension got an update with API Contract Security Audit built in.

Link HERE

Incidents & events detail

Sudo Flaw Lets Linux Users Run Commands As Root Even When They’re Restricted

Sudo versions prior to 1.8.28 are affected.

How is the bug exploited? Just run sudo with user ID -1 or 4294967295.

Links HERE and HERE
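A defender-side check for the item above, added here and not part of the original newsletter: a POSIX shell function that decides whether a sudo version string is older than 1.8.28 (the fixed release named above), plus a wrapper around `sudo --version` that reports on the installed binary. The parsing of the `Sudo version X.Y.Z` output line is my assumption about the command's output format.

```shell
#!/bin/sh
# Added example, not from the original page: flag sudo builds older than
# 1.8.28, the first release that rejects the uid -1 / 4294967295 bypass.

# Return 0 (true) when $1 is an affected version (< 1.8.28), 1 otherwise.
sudo_version_affected() {
    v="$1"
    # Drop a patch-level suffix such as "p1" so 1.8.27p1 compares as 1.8.27
    v="${v%%p*}"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    # A two-component version ("1.8") has no third field: treat it as .0
    if [ "$rest" = "$minor" ]; then patch=0; fi
    # Compare numerically, component by component, against 1.8.28
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    [ "$patch" -lt 28 ]
}

# Read the first line of `sudo --version` (assumed format: "Sudo version 1.8.27p1"),
# extract the third field and report. Returns 2 when sudo is not installed.
check_installed_sudo() {
    command -v sudo >/dev/null 2>&1 || return 2
    line=$(sudo --version 2>/dev/null | head -n 1)
    ver=$(printf '%s\n' "$line" | awk '{print $3}')
    if sudo_version_affected "$ver"; then
        echo "sudo $ver is affected by the uid -1 bypass: upgrade to 1.8.28 or later"
        return 0
    fi
    echo "sudo $ver is not affected"
    return 1
}
```

Run `check_installed_sudo` on a host to get a one-line verdict; the exit status (0 affected, 1 not affected, 2 no sudo) makes it usable from a fleet-wide inventory script.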

Critical Unpatched Zero-day Vulnerability found in Android OS

Attacks targeting smartphones are rising along with the number of vulnerabilities in mobile operating systems such as Android. Maddie Stone, a member of Google’s Project Zero team, has discovered a critical unpatched ‘zero-day vulnerability’ (tracked as CVE-2019-2215) affecting the Android operating system.

Link HERE

COMpfun successor Reductor infects files on the fly to compromise TLS traffic – by Kaspersky

Link HERE

WordPress sites hacked through defunct Rich Reviews plugin

An estimated 16,000 websites are believed to be running a vulnerable and no-longer-maintained WordPress plugin that can be exploited to display pop-up ads and redirect visitors to webpages containing porn, scams and, worst of all, malware designed to infect users’ computers.

Link HERE

A perverted Yahoo employee hacked 6,000 accounts using an internal system

Link HERE

Link HERE

We asked a hacker to try and steal a CNN tech reporter’s data. Here’s what happened

Link HERE

European Airport Systems Infected With Monero-Mining Malware

More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018.

The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying their security solution, whose behavioral engine subsequently detected suspicious activity on some airport systems.

Link HERE

The FBI Warns That Multifactor Authentication Is Not as Secure as You Think

Hackers are getting smarter! – no Turkish delight!

Link HERE

Link HERE

Muhstik Ransomware Victim Hacks Back, Releases Decryption Keys

A victim of the Muhstik Ransomware has hacked back against his attackers and released close to 3,000 decryption keys for victims, along with a free decryptor to get their files back.

Link HERE

An AI App That ‘Undressed’ Women Shows How Deepfakes Harm the Most Vulnerable

DeepNude has now been taken offline, but it won’t be the last time such technology is used to target vulnerable populations.

Link HERE

Kubernetes ‘Billion Laughs’ Vulnerability Is No Laughing Matter

Link HERE

Vulnerability Spotlight: Multiple remote code execution bugs in NitroPDF

Link HERE

Darknet hosting provider in underground NATO bunker busted

Link HERE

The most common types of Account Takeover (ATO) attacks

Link HERE

China’s New Cybersecurity Program: NO Place to Hide

Link HERE

New Microsoft NTLM Flaws May Allow Full Domain Compromise

Link HERE

Deliveroo customers keep getting hacked using the same old trick

Want to stuff your face? Don’t get caught out by credential stuffing

Link HERE

Research of the week

Featuring Insider Threat Report

Key findings include:

  • 73% of organizations confirm insider attacks are becoming more frequent
  • 68% feel extremely to moderately vulnerable to insider attacks
  • 39% identified cloud storage and file sharing apps as the most vulnerable to insider attacks
  • 54% see insider attacks as harder to detect compared to external cyber attacks
  • 56% believe detecting insider attacks has become significantly to somewhat harder since migrating to the cloud

Link HERE

Reminder: Container, Orchestration, and Microservice Security

Link HERE – Thanks to Prash

Risk Management for Agile & Ecosystems

Link HERE

Evaluating Fuzz Testing

Fuzz testing has enjoyed great success at discovering security-critical bugs in real software. Recently, researchers have devoted significant effort to devising new fuzzing techniques, strategies, and algorithms. Such new ideas are primarily evaluated experimentally, so an important question is: what experimental setup is needed to produce trustworthy results? We surveyed the recent research literature and assessed the experimental evaluations carried out by 32 fuzzing papers. We found problems in every evaluation we considered. We then performed our own extensive experimental evaluation using an existing fuzzer. Our results showed that the general problems we found in existing experimental evaluations can indeed translate to actual wrong or misleading assessments. We conclude with some guidelines that we hope will help improve experimental evaluations of fuzz testing algorithms, making reported results more robust.

Link HERE

How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits

We significantly reduce the cost of factoring integers and computing discrete logarithms over finite fields on a quantum computer by combining techniques from Griffiths-Niu 1996, Zalka 2006, Fowler 2012, Ekerå-Håstad 2017, Ekerå 2017, Ekerå 2018, Gidney-Fowler 2019, Gidney 2019. We estimate the approximate cost of our construction using plausible physical assumptions for large-scale superconducting qubit platforms: a planar grid of qubits with nearest-neighbor connectivity, a characteristic physical gate error rate of 10⁻³, a surface code cycle time of 1 microsecond, and a reaction time of 10 microseconds. We account for factors that are normally ignored such as noise, the need to make repeated attempts, and the spacetime layout of the computation. When factoring 2048-bit RSA integers, our construction’s spacetime volume is a hundredfold less than comparable estimates from earlier works (Fowler et al. 2012, Gheorghiu et al. 2019). In the abstract circuit model (which ignores overheads from distillation, routing, and error correction) our construction uses 3n + 0.002n·lg n logical qubits, 0.3n³ + 0.0005n³·lg n Toffolis, and 500n² + n²·lg n measurement depth to factor n-bit RSA integers. We quantify the cryptographic implications of our work, both for RSA and for schemes based on the DLP in finite fields.

Links HERE and HERE

Tool of the week

Best practice rules for Amazon Web Services

Link HERE

XSS Cheat Sheet from the creators of Burp

This XSS cheat sheet contains many vectors that can help you test whether WAFs and filters can be bypassed. You can select vectors by event, tag or browser, and a proof of concept is included for every vector.

Link HERE

AND XS-Leak: Leaking IDs using focus

Link HERE

Link HERE

Where does Chrome store passwords?

Link HERE

Alexa-style Chatbot Could Let People ‘Talk’ to Dead Relatives

Link HERE

Uh oh! Convolutional neural network for analyzing pentest screenshots

Eyeballer is meant for large-scope network penetration tests where you need to find “interesting” targets from a huge set of web-based hosts. Go ahead and use your favourite screenshotting tool like normal (EyeWitness or GoWitness) and then run the screenshots through Eyeballer to tell you what’s likely to contain vulnerabilities, and what isn’t.

Link HERE

Other interesting articles

Why to choose Rust as your next programming language

Microsoft’s decision to investigate Rust (and other languages) began with the finding that roughly 70% of Common Vulnerabilities and Exposures (CVEs) in Microsoft products were related to memory safety issues in C and C++. When it was discovered that most of the affected codebases could not be effectively rewritten in C# because of performance concerns, the search began. Rust was viewed as the only possible candidate to replace C++. It was similar enough that not everything had to be reworked, but it has a differentiator that makes it measurably better than the current alternative: being able to eliminate nearly 70% of Microsoft’s most serious security vulnerabilities.

Link HERE

Autonomy and the death of CVEs?

Is the manual process of reporting bugs holding back the advent of automated tools?

Link HERE

Cracking My First Password

My daughter’s employer emailed her a tax form as an encrypted PDF file. The email read, “The password to open this document is your date of birth in this format MMDDYYYY and the last 4 digits of your SS number.” I opened the document and entered the password as indicated.

But it didn’t work.

Link HERE and Cracking RSA HERE

AND Ken Thompson’s Unix password

Link HERE

AND Lxd Privilege Escalation

Link HERE

A rejoinder to a rejoinder

I am back to square one, as the emerging geo-strategic taxonomy relies on THIS VERY delineation.

Cyber operations, offensive toolchains and exploitation are three different things. Geo-strategy lives in the first, mechanised warfare in the second, and the political economy of proliferation in the third.

Link HERE

And finally, The Cheating Scandal Rocking the Poker World

How a Twitch-streamed no-limit hold’em player found himself at the heart of one of the most fascinating gambling controversies in years.

Link HERE

HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://nathandavison.com/blog/haproxy-http-request-smuggling

Description: HAProxy HTTP request smuggling.

URL: https://frederik-braun.com/firefox-ui-xss-leading-to-rce.html

Description: Remote Code Execution in Firefox beyond memory corruptions.

Links HERE and HERE and credits to HERE
