Security Stack Sheet #75

Word of the week

“Halloween Big Data”

Cartoon: Halloween in the Age of Big Data (TeachPrivacy)

Link HERE

KDnuggets Cartoon: Halloween costume for Big Data and its companion

and HERE and HERE and HERE


and HERE

Word of the week special

Cloud Security, or as I like to call it: “Pay us to store your files online, we promise to store them securely!”

Employing Obscurity as an Enhancement to Security


Link HERE

AND


Link HERE

Bonus


Link HERE


Link HERE

Which team are you?


Link HERE


Link HERE


Link HERE

The Illustrated Children’s Guide to Kubernetes


Link HERE – thanks to Alvin

Reimagining visuals for cybersecurity

Links HERE and HERE and HERE


Link HERE


Link HERE

Crypto challenge of the week

ELF x86 – CrackPass

Can you bypass the algorithm?

Link HERE Cool solution HERE

Dates

  • May 25th 2019: +1 year of GDPR Live! See incidents section below GDPR Enforcement Tracker Link HERE – thanks to Marius

Leakproof by law: Previewing the 2020 data protection landscape


Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • June 30th 2018: TLS 1.1 mandatory for PCI-DSS compliance. BEWARE! Link HERE
  • Now: TLS 1.2 mandatory for proper security. HTTPS everywhere HERE, Qualys will downgrade your rating HERE
  • 31st of January 2020 – New Year Brexit! Or sooner or later?


  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

“Inferno”

In September 2016, Anchor Books released a movie-tie-in edition of Dan Brown’s 2013 best-seller “Inferno,” to accompany Ron Howard’s adaptation of the novel, which came out in theatres last weekend. “Inferno,” the movie, grossed just fifteen million dollars in its first three days, falling below Tyler Perry’s “Boo! A Madea Halloween,” which was in its second weekend, and earning its place as Howard’s fourth consecutive domestic flop. “Inferno,” the book, is the fourth of Brown’s novels featuring Robert Langdon, a professor of “symbology” (an imaginary discipline) and a general charisma vacuum who solves vast historical conspiracies by declaiming his way through the art and history of Western Europe.

Link HERE

Comic of the week


Thanks to Mithun

##Some OWASP stuff first

-Why OWASP’s Threat Dragon will change the game on threat modeling


Link HERE

-OWASP API Security Top 10: Get your dev team up to speed


Link HERE

-Kawaiicon 2019 – Liar, Liar: a first-timer “red-teaming” under unusual restrictions

Link HERE

-Race Condition in Web Applications


Link HERE

-10 Methods to Bypass Cross Site Request Forgery (CSRF)

Link HERE


Links HERE and HERE

-EP04: All About OWASP with Sam Stepanyan

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

14-15 November 2019 DevSecCon London

Link HERE

2-5 December 2019 BlackHat London

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incident data HERE Find your country


Link HERE

NCSC Weekly Threat Report


Esports tournaments at risk from cyber security threats

Cyber security researchers have warned of the increasing threat to the Esports industry.

This week Trend Micro issued a report, Cheats, Hacks and Cyber attacks, looking at the threats posed to professional online games, tournaments and game companies.

Facebook accepts ICO fine

An agreement has been reached this week between Facebook and the Information Commissioner’s Office (ICO), related to the Cambridge Analytica scandal.

The penalty of £500,000 has been paid by the social media giant, although under the agreement Facebook accepts no liability relating to the penalty notice. This conclusion follows an appeal by Facebook against the ICO and then a further appeal from the ICO itself after a tribunal in June.

NCSA report highlights breach risk to small business

A report issued by the National Cyber Security Alliance (NCSA) in the US has highlighted the risk to small businesses.

The survey worked with more than 1,000 SMEs and reports that 10% went out of business, 25% suffered bankruptcy and a further 37% experienced financial losses. Almost half of those surveyed believe they are a likely target for cyber criminals.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 55 – Vulnerabilities in eIDAS and Cisco routers, Instagram API program locked down

Link HERE

Troy Hunt Newsletter 163

Link HERE

Incidents & events detail

NordVPN and TorGuard VPN Breaches: What You Need to Know

NordVPN and TorGuard VPN have suffered security breaches. Here’s what happened and what it means for you.

Link HERE

Windows BlueKeep RDP Attacks Are Here, Infecting with Miners

Link HERE

New Google Chrome Security Alert: Update Your Browsers As ‘High Severity’ Zero-Day Exploit Confirmed

Link HERE

Big game hunting: How Ryuk ransomware takes down its imposing targets

Link HERE

Mark Zuckerberg claimed Facebook was founded with political expression in mind. A former Facebook exec called that ‘pretty obviously incorrect.’


Link HERE

AND

How Facebook helps an abusive ex-partner find out your new identity, even after you’ve blocked them

Link HERE

Coalfire CEO Tom McAndrew statement on

“the two Coalfire employees at the center of the Dallas County Courthouse incident on September 11, 2019, have been reduced from felony accusations of Burglary in the third-degree and possession of burglary tools to criminal trespass”

Link HERE – thanks to Gustavo


Link HERE

Johannesburg’s network shut down after second attack in 3 months

Attackers claim to have full control of network and demand $32,000 to give it back

Link HERE

Trojan malware infecting 17 apps on the iOS App store

Link HERE

Five months after returning rental car, man still has remote control

Man can still track vehicle, lock and unlock it, and start and stop its engine


Link HERE

Research of the week

Featuring – The Curious Case of a Kibana Compromise

The sun rose, coffee was guzzled, and fingers clicked away at keys, making it a typical day at Capsule8 HQ – until it wasn’t. As the Capsule8 team deployed one of our toy target instances (one with exploitable software on it for demo purposes), we noticed alerts firing from components which weren’t part of our normal demo. 

With a penchant for the paranoid (many of us are former black hats, after all), our suspicions flared at this irregularity. Was there exploitable software on this instance beyond that which we pre-installed? Indeed, dear reader, there was.

Link HERE

What NIST recommends for cybersecurity and applications


Link HERE

World Quality Report 2019-2020: Quality drives business growth – Challenges encountered in developing applications

Link HERE

The state of JavaScript frameworks security report 2019


Link HERE

Tool of the week

Practical Approaches for Testing and Breaking JWT Authentication

What to Do?

Penetration Testers and Security Researchers

Test your organization’s JWT implementation via jwt-pwn, and report any weaknesses identified.

Developers and Defenders

  • Make sure you’re enforcing the algorithm used in the JWT validator.
  • Disallow unused algorithms (use an allow-list of the algorithms you actually accept).
  • Always verify the JWT header, and verify the JWT “alg” key in the JWT header.
  • Never trust the “none” algorithm for signing.
  • Use long secret keys that are extremely difficult to recover. If the secret key is identified, the entire authentication will be broken.
  • Rotate your signing keys periodically.
  • Don’t expose important client data in a JWT; it can be decoded. If there is sensitive data shared in the payload, any party that obtains the token will be able to see it.
  • Add an “Expiration” (exp) claim to overcome the non-expiration issue in the stateless protocol.

Link HERE and tool HERE
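The checklist above maps almost one-to-one onto the validation steps a JWT verifier has to perform. The following is an added example written for this sheet (it is not code from the jwt-pwn project or the linked article) of a minimal HS256 verifier that enforces an algorithm allow-list, rejects `alg: none`, refuses short keys, verifies the signature in constant time and requires an unexpired `exp` claim. The key, the claims and the tokens in the self-check are constructed sample values; it uses only the Python standard library.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Allow-list of accepted algorithms. "none" and anything not listed is rejected
# outright, whatever the token's header claims.
ALLOWED_ALGS = {"HS256"}
# RFC 7518 s3.2: an HS256 key must be at least as long as the hash output (32 bytes).
MIN_HS256_KEY_BYTES = 32


class JWTError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_decode(text: str) -> bytes:
    # JWT uses unpadded base64url; restore padding before decoding.
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue an HS256 token. Callers must always include an 'exp' claim."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise JWTError("HS256 key is too short")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, key: bytes, expected_alg: str = "HS256", now: float = None) -> dict:
    """Return the verified claims, or raise JWTError. 'now' is injectable for testing."""
    if expected_alg not in ALLOWED_ALGS:
        raise JWTError("verifier misconfigured: algorithm not on allow-list")
    if len(key) < MIN_HS256_KEY_BYTES:
        raise JWTError("HS256 key is too short")
    parts = token.split(".")
    if len(parts) != 3:
        raise JWTError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, binascii.Error) as exc:
        raise JWTError("undecodable header or signature") from exc
    # Step 1: the header's "alg" must be exactly the algorithm we configured.
    # This is what closes the "none" and algorithm-confusion holes.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise JWTError(f"algorithm {header.get('alg') if isinstance(header, dict) else None!r} not allowed")
    # Step 2: recompute the MAC over header.payload and compare in constant time.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JWTError("signature mismatch")
    # Step 3: only now is the payload trustworthy enough to parse and check claims.
    try:
        payload = json.loads(_b64url_decode(p_b64))
    except (ValueError, binascii.Error) as exc:
        raise JWTError("undecodable payload") from exc
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), (int, float)):
        raise JWTError("missing or invalid exp claim")
    current = time.time() if now is None else now
    if current >= payload["exp"]:
        raise JWTError("token expired")
    return payload


def peek_payload(token: str) -> dict:
    """Decode the payload WITHOUT verifying: anyone holding the token can do this,
    which is why secrets must never be placed in the claims."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def self_check(now: float = 1_700_000_000) -> dict:
    """Exercise the verifier on constructed tokens; returns which cases were rejected."""
    key = b"constructed-demo-key-0123456789abcdef"  # 37 bytes, sample only
    good = sign_hs256({"sub": "alice", "exp": now + 600}, key)
    expired = sign_hs256({"sub": "alice", "exp": now - 1}, key)
    h, p, _ = good.split(".")
    tampered = f"{h}.{_b64url_encode(json.dumps({'sub': 'admin', 'exp': now + 600}).encode())}.{good.split('.')[2]}"
    none_hdr = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    unsigned = f"{none_hdr}.{p}."  # negative test case a validator must reject

    def rejected(tok: str) -> bool:
        try:
            verify_jwt(tok, key, now=now)
            return False
        except JWTError:
            return True

    return {
        "valid_accepted": verify_jwt(good, key, now=now)["sub"] == "alice",
        "expired_rejected": rejected(expired),
        "tampered_rejected": rejected(tampered),
        "alg_none_rejected": rejected(unsigned),
        "payload_readable_without_key": peek_payload(good)["sub"] == "alice",
    }


if __name__ == "__main__":
    print(self_check())
```

`verify_jwt` takes the expected algorithm from the server's configuration, not from the token, and compares the MAC before it parses the payload, so an attacker-controlled claim set is never interpreted unless the signature already checks out. `peek_payload` exists only to make the "don't put sensitive data in the payload" bullet concrete: the claims are readable by anyone without the key.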

Exploit Prediction Scoring System Calculator

EPSS is the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented without specialized tools or software. Below you will find a simple-to-use calculator.

Link HERE

More on DNS Archeology (with PowerShell)

Link HERE

Other interesting articles

##How a double-free bug in WhatsApp turns to RCE

In this blog post, I’m going to share a double-free vulnerability that I discovered in WhatsApp for Android, and how I turned it into an RCE. I reported this to Facebook. Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. Facebook reserved CVE-2019-11932 for this issue.

WhatsApp users, please do update to the latest WhatsApp version (2.19.244 or above) to stay safe from this bug.

Link HERE and another link HERE

##Untitled Goose Game Vulnerability Allows Hackers to Sow Chaos Only a Goose Could Love


Link HERE

##And finally, How they hacked NASA?

The traditional way of hacking continues even against the biggest giants in the world, such as NASA. Many hacker groups work together for money, reputation and revenge to breach NASA, damage its reputation and take its data. The following narration shows how the group called An0nSec performed the attack phases and achieved their goal in 2015/2016, and what lessons we can learn from this hack after analysing the document released by An0nSec.

Hack on NASA claimed by AnonSec

Links HERE and HERE and HERE and HERE and HERE

AND
##Invest in Cyber security and space based services – ESA


Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/

Description: A Tale of Exploitation in Spreadsheet File Conversions.

URL: https://www.shielder.it/blog/exploiting-an-old-novnc-xss-cve-2017-18635-in-openstack/

Description: Exploiting an old noVNC XSS (CVE-2017-18635) in OpenStack.

Links HERE and credits to HERE
