Security Stack Sheet #77

Word of the week

“You build it, you run it, and you secure it”

To truly empower developers to own the security of their own applications, CSOs and CIOs should think about this in a broader sense.

Increasing use of containers and cloud-native tools for enterprise applications introduces disruption to existing security models, in four main ways:

  • Breaking an application down into microservices means there is less central control over the content and update frequency of each part;
  • Packaging into a container happens within the developer workflow;
  • Providing developers with access to native APIs for tools such as Kubernetes increases the blast radius of any action; and
  • Using containers inherently introduces much more third-party (open source) code into a company’s proprietary codebase

Link HERE

AND

The Big Game — but Bob and Alice just don’t trust each other or, in fact, anyone: The Mental Poker Problem

We have created an Internet where trust is required, but it is currently failing as no-one really can be trusted on the Internet. With PKI we have trusted certificate authorities, but can we really trust Verisign to vouch for every single entity that it has signed for? Also, what if Verisign was to have their private key stolen? Whom do we trust then? The method I’ve outlined assumes that you cannot trust anyone.

Link HERE

Word of the week special

“Managing Secrets” by Monzo

1. Secrets are encrypted wherever they’re stored

2. It’s impossible to read all the secrets at once, but easy to let services read specific secrets

3. It’s easy to add brand new secrets, and hard to overwrite existing ones.

4. It’s easy to let specific applications read secrets, without a chicken and egg problem.

5. It’s auditable.

6. It’s inspectable.

Link HERE

AND “Deserialize My Shorts”

Now for both Java and .NET

Links HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE

 

Bonus

Types of attacks

Link HERE

Link HERE – read the reaction!

Link HERE

Thanks to Mithun

Link HERE

Link HERE

Link HERE

Crypto challenge of the week

Swiss Hacking Challenge

Link HERE

 

Dates

  • May 25th 2019: +1 year of GDPR Live! See the incidents section below. GDPR Enforcement Tracker Link HERE – thanks to Marius

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE

Equifax breach facts

Link HERE

  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance – BEWARE! Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • 31st of January 2020 – New Year Brexit! Or sooner or later?

Link HERE

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • November 3rd 2020: Trump’s second term start

Link HERE

“People have over pivoted on the Democratic side pushing against this. I actually think in the end limiting the power of political ads is going to hurt Donald Trump’s challenger,”

Says ex-CISO Facebook HERE

  • 2022 – First trip to Mars according to Elon Musk

SpaceX’s Starman resting at his Tesla Cybertruck on Mars, by Indian space artist Eashan Misra. More of his art here. According to Elon Musk, the CEO of both Tesla and SpaceX, the pressurized edition of Cybertruck will be capable of driving on Mars.

  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Simplified Secure Application Development Guideline

Link HERE

Comic of the week

##Some OWASP stuff first

-OWASP Juice Shop CTF v7

Link HERE

-Securing Cascading Style Sheets (CSS) Cheat Sheet

Link HERE

-Building Secure React Applications

Cross-Site Scripting (or client-side JavaScript injection) and other client-side risks are well-known technical challenges that web application developers have faced for many years. While frameworks like React provide some automatic defences against Cross-Site Scripting, React developers still require specialized knowledge to build secure React applications. This presentation will review some of the necessary general-purpose Cross-Site Scripting defence recommendations, as well as present specialized techniques that all React developers who wish to build secure React applications will benefit from.

Link HERE

-OWASP Security Shepherd- Session Management Challenge One – Solution – LSB

Link HERE

-Breaking Down the OWASP API Security Top 10 (Part 1)

As a result of a broadening threat landscape and the ever-increasing usage of APIs, the OWASP API Security Top 10 Project was launched. From the start, the project was designed to help organizations, developers, and application security teams become more aware of the risks associated with APIs. This past September, the OWASP API Security Top 10 release candidate (RC) was finalized and published on OWASP.

Link HERE

-A Practical Introduction to the Code Analysis Platform Joern

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

How to Build a Threat Hunting Capability in AWS – Webcast – recorded

Link HERE

GitHub Security Lab – Day 2 Keynote – GitHub Universe 2019

Video HERE

BlueHat Seattle 2019 || Keynote, Alex Stamos

Link HERE

BlueHat Seattle 2019 || The cake is a lie! Secret world of malware | cheats in video games Link HERE

Playlist with all 24 talks HERE

Red Team Operations with Cobalt Strike (2019)

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

Link HERE

NCSC Weekly Threat Report

Disney+ accounts hijacked within days of launch

Thousands of subscribers to the recently launched Disney+ online streaming platform have had their accounts hijacked, according to an investigation by cyber security researchers.

Subscribers reported that hackers accessed their accounts and changed the email address and password details, locking them out. Thousands of subscribers’ accounts have been put up for sale on the dark web

Data breach exposes thousands of gamers

A US gaming company has inadvertently leaked the personal information of thousands of online players.

Wizards of the Coast, which publishes games based on science fiction themes, emailed users informing them about the breach. It is thought that names, email addresses and passwords were exposed. Users have been advised to change their passwords

Flaw revealed in Android camera app

Google has acknowledged a now-patched security flaw (CVE-2019-2234) in Android phones that enabled third-party apps to bypass the camera permissions by using storage permissions.

Security researchers were able to design and implement an app which exploited the flaw. The researchers proved that basic storage permissions could be used by attackers to access the users’ camera and video, remotely record calls, and use the location data within photos to locate the phone. This could be done even when the phone was locked with the screen turned off.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 58 – Broken Object Level Authorization explained, plus practical tips on API security

Link HERE

Unsupervised Learning: No. 203

danielmiessler

Link HERE

Incidents & events detail

How Attackers Could Hijack Your Android Camera to Spy on You

Link HERE

Google addressed an XSS vulnerability in Gmail; Google’s own staff described the vulnerability as “awesome.”

“DOM Clobbering is a legacy feature of web browsers that just keeps causing trouble in many applications. Basically, when you create an element in HTML (for instance `<input id="username">`) and then you wish to reference it from JavaScript, you would usually use a function like document.getElementById(‘username’) or document.querySelector(‘#username’),” the expert wrote. “But these are not the only ways! The legacy way is to just access it via a property of the global window object. So window.username is in this case exactly the same as document.getElementById(‘username’)! This behaviour (which is known as DOM Clobbering) can lead to interesting vulnerabilities if the application makes decisions based on the existence of certain global variables (imagine: if (window.isAdmin) { … }).”

Links HERE and HERE
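The mechanism in the quote, shown as an added example that is not code from the original post, from Google, or from the researcher quoted: a Node.js model of named access on window, with the `if (window.isAdmin)` style check beside a hardened equivalent and a small check that reports globals which have been clobbered by markup. `Element`, `loadPage`, `makeSession` and `findClobberedGlobals` are constructed for this example and are not browser or application APIs; the page model is a simplification of real browser behaviour.

```javascript
// Added example: a Node.js model of DOM Clobbering, not a real DOM.
// Element and loadPage() are constructed here to imitate the browser rule that
// every element with an id becomes a property of the global window object.

class Element {
  constructor(tagName, id) {
    this.tagName = tagName.toUpperCase();
    this.id = id;
  }
}

// Build a fake window/document pair for a list of elements. As in a browser,
// an element's id becomes a property of window unless window already has a
// property of that name (named access never shadows window's own properties).
function loadPage(elements) {
  const win = {};
  const byId = new Map(elements.map((el) => [el.id, el]));
  win.document = {
    getElementById: (id) => byId.get(id) || null,
  };
  for (const el of elements) {
    if (el.id && !(el.id in win)) win[el.id] = el; // the clobbering step
  }
  return win;
}

// Vulnerable pattern from the quote: authorisation decided by the truthiness
// of a global. Any element whose id is "isAdmin" satisfies this check.
function isAdminVulnerable(win) {
  return Boolean(win.isAdmin);
}

// Hardened pattern: keep authorisation state in an explicit, frozen object
// that is never resolved through window, and compare strictly against true.
function makeSession(claims) {
  return Object.freeze({ isAdmin: claims.isAdmin === true });
}
function isAdminHardened(session) {
  return session.isAdmin === true;
}

// Defensive check: names the application expects to be primitives or
// undefined, but which actually resolve to DOM elements, have been clobbered.
function findClobberedGlobals(win, expectedGlobals) {
  return expectedGlobals.filter((name) => win[name] instanceof Element);
}

// Demonstration on a constructed page: a legitimate <input id="username">
// plus an injected <div id="isAdmin">, the case the quote warns about.
function demo() {
  const win = loadPage([new Element('input', 'username'), new Element('div', 'isAdmin')]);
  return {
    // window.username and document.getElementById('username') are the same object
    legacyLookupMatches: win.username === win.document.getElementById('username'),
    vulnerableSaysAdmin: isAdminVulnerable(win),          // true: fooled by markup
    hardenedSaysAdmin: isAdminHardened(makeSession({})),  // false: state is explicit
    clobbered: findClobberedGlobals(win, ['isAdmin', 'username', 'config']),
  };
}

console.log(demo());
```

The hardened check is deliberately boring: the fix for this class of bug is to stop deriving security decisions from whether a global happens to exist, and `findClobberedGlobals` is the kind of assertion worth running in a page's startup code or a test suite to catch an unexpected element shadowing a name the application relies on.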

Personal And Social Information Of 1.2 Billion People Discovered In Massive Data Leak

Link HERE

The Gift Of “Post Data Breach Optics”

As cyber professionals, our job is to think about preventing breaches. We have controls that we have put in place. We measure the efficacy of those controls. And we have a backlog of work that remains to be done.

But how often do you think about what happens post-breach after the exhausted response team has gone home?  By this, I mean the regulators. Depending on your industry and location, you’ll likely have state and/or federal regulators knocking on your door

Link HERE

New JavaScript Skimmer Found on E-Commerce Sites

Visa Security Researchers Say ‘Pipka’ Is Good at Avoiding Detection

Link HERE

Facebook Fizz integer overflow vulnerability (CVE-2019-3560)

Fizz contained a remotely triggerable infinite loop. For more details about the bug, see this blog post. A proof-of-concept exploit is available HERE.

Link HERE

Automated Sensitive Data Leak Detection

Link HERE

New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices

Link HERE

WhatsApp’s Case Against NSO Group Hinges on a Tricky Legal Argument

The Facebook-owned messaging company is taking on a notorious malware vendor in what could be an uphill battle. WhatsApp just took a hard new line against the malware industry, suing notorious Israeli surveillance contractor NSO Group for attacks on more than a thousand of its users

Link HERE

Link HERE

XML Signature Validation Bypass in simpleSAMLphp and xmlseclibs

Link HERE

The best signature move: Detecting ransomware without any signatures at all

Link HERE

Disney+ security and service issues: Here’s what we know so far

Link HERE

Docker Patched the Most Severe Copy Vulnerability to Date With CVE-2019-14271

Link HERE

Research of the week

Featuring – NCSC Zero Trust Architecture

Principles to help you design and deploy a zero trust architecture

1. Know your architecture

In the zero trust network model it’s more important than ever to know about your assets.

2. Create a single strong user identity

Your organisation should use a single user directory and create accounts that are linked to individuals.

3. Create a strong device identity

Each device owned by your organisation should be uniquely identifiable in a single device directory.

4. Authenticate everywhere

In a zero trust architecture assume the network is hostile, authenticate all connections.

5. Know the health of your devices and services

The health of devices and services is one of the most important signals used to gain confidence in them.

6. Focus your monitoring on devices and services

Given that devices and services are more exposed to network attack than in traditional architectures it’s important that comprehensive monitoring for attacks is carried out.

7. Set policies according to the value of services or data

The power of a zero trust architecture comes from the access policies you define.

8. Control access to your services and data

Each request to a service should be authorised against a policy.

9. Don’t trust the network, including the local network

In order to remove trust from the network you need to build trust into the devices and services.

10. Choose services designed for zero trust

Prefer services with built-in support for zero trust network architectures.

Link HERE. Can zero trust prevent breaches? Maybe; see HERE

My Struggle with Websockets Testing

Until a few months ago, I had only dealt with HTTP(S) endpoints. Then there was an application I was testing which I couldn’t figure out how it communicated with the server, even though I am always logging every request with Burp Suite. This has happened to me in the past, where I would just move on from the target. But this application is owned by a target I have a good relationship with, so no running from this one.

Link HERE

The Wizardry of Elliptic Curve Cryptography

Link HERE

Tool of the week

JSLinux

Run Linux or other Operating Systems in your browser!

Link HERE – thanks to Mithun

Introducing Flan Scan: Cloudflare’s Lightweight Network Vulnerability Scanner

Link HERE

RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients

Link HERE

Jamf Protect

Shows the future for Mac security and everyone should use it

Link HERE

1.1.1.1: Faster & Safer Internet from Cloudflare?

Link HERE

Link HERE

Jupyter Notebooks for BloodHound Analytics and Alternative Visualizations

Link HERE

Best Encryption Protected Messaging Apps

Our lives are closely linked through messaging apps. Therefore, the concern of finding a program which is the safest is a genuine one…

Link HERE

HUBOT (note: it’s pronounced hew-bot)

A CUSTOMIZABLE, LIFE EMBETTERMENT ROBOT

Link HERE

Other interesting articles

##Three approaches to offensive security and how we choose between them by Mike Goodwin @Sage

In most aspects of life, prevention is better than cure. In application security, this means finding potential security problems — known as vulnerabilities — before they are found by attackers. To do this we invest in security at all stages of the Software Development Lifecycle (SDLC), from security training for engineers, through design-time activities like application threat modelling, to checking of code using Static Application Security Testing (SAST), amongst other things. All these activities are intended to catch vulnerabilities as early as possible — shifting security to the left, as the industry jargon puts it — and are carried out by builders.

Link HERE

 

##An Application Security Program Is More Than Scanning

Link HERE

 

##DevOps Security Is As Disruptive As It Is Uncomfortable

Security is a growing concern among businesses of all sizes, from small outlets to large enterprise organizations. In looking at how DevOps can make an impact in this area, it’s important to keep in mind what DevOps “is” and what it “isn’t.” DevOps security can be an important focus, but it has to be done the right way.

Link HERE

 

##And finally, the missing chief security officer

The most important C-suite position doesn’t even exist at most companies. Here’s why it should

Link HERE and the AppSec CISO HERE and art of Cyber Security HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://fletchto99.dev/2019/november/slack-vulnerability/

Description: Keylogging users via Slack themes.

URL: https://blog.teddykatz.com/2019/11/12/github-actions-dos.html

Description: How I accidentally took down GitHub Actions.

URL: https://terjanq.github.io/Bug-Bounty/Google/cache-attack-06jd2d2mz2r0/index.html

Blog: bit.ly/34U0rSq (+)

Description: Mass XS-Search using Cache Attack.

Links HERE and credits to HERE

 

 
