Security Stack Sheet #78

Word of the week

“The Holiday Phish”: 39% of Employees Gave Away Their Passwords to This Simulated Phishing Email

Link HERE

Word of the week special

“Crypto Can Be Cracked … Through Walls”

Watch out for those side channels.

The cracking of encryption keys has often involved brute-force methods or targeting flaws in the implementation. There is, though, increasing interest in physical side-channel attacks, where cryptographic information leaks unintentionally through electromagnetic radiation, power consumption, voltage fluctuations, and even sound and thermal variations. Few companies currently protect their devices against side-channel attacks, especially as doing so is costly and requires extensive testing with complex equipment.

Devices, too, are becoming faster, and as they do they are likely to emit increasing amounts of radio-frequency and electromagnetic (EM) radiation. A 2GHz processor, for example, runs at a similar frequency to our Wi-Fi signals (2.4 GHz), and the chips are often not shielded against emitting radio waves, which are a natural by-product of the device's fast operation. At these high frequencies it is difficult to stop EM emissions, and to stop them coupling into nearby wires and other circuits.

Links HERE and HERE and HERE and HERE and HERE

“Digital Footprints and Shadows”

Like it or not, everything we do in the virtual world we loosely call “The Internet” leaves a trace and no matter how hard we try, we cannot truly remove all evidence of our actions. Definitions vary, but a footprint (or Digital Footprint) is essentially the trace we leave as a result of our direct actions – browsing websites, downloading apps, streaming videos, subscribing to content, and using cloud email services such as Gmail

Link HERE

Bonus

Connection to the CLOUD

Really simple, done! – thanks to Jinshu

Link HERE

Not sure what to study for in 2020? Here you go!

Link HERE – thanks to Naz

Link HERE

State of the art security for a pentest labs website

Link HERE – thanks to Prash

Link HERE

Crypto challenge of the week

CTF Challenges – try the challenges!

Link HERE – thanks to Venkat

GitHub Security Lab CTF 3: XSS-unsafe jQuery plugins

Do you want to challenge your vulnerability hunting skills and to quickly learn Semmle CodeQL?

Your mission, should you choose to accept it, is to find variants of jQuery plugins that expose their clients to undocumented XSS (cross-site scripting) vulnerabilities. You will do this by utilizing CodeQL, our simple, yet expressive, code query language. To capture the flag, you’ll need to write a query that finds the unsafely implemented jQuery plugins in Bootstrap, using this step by step guide

Link HERE

HackingLab Christmas Advent Challenge

I got this little image, but it looks like the best part got censored on the way. Even the tiny preview icon looks clearer than this! Maybe they missed something that would let you restore the original content?

Link HERE

Dates

  • May 25th 2019: +1 year of GDPR Live! See incidents section below GDPR Enforcement Tracker Link HERE – thanks to Marius

EU countries fail to agree on privacy rules governing WhatsApp, Skype

Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance – BEWARE! Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • 31st of January 2020 – New Year Brexit! Or sooner or later?

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • November 3rd 2020: Trump’s second term start

“It looks like amateur satellite trackers found the secret satellite that Trump tweeted the picture from. It’s evidently an NRO HK-11 model, with what’s essentially a Hubble Telescope pointed towards the Earth”

Link HERE and HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

The Secure Development Handbook

Link HERE

Peerlyst Community eBook: 32 Influential Malware Research Professionals

Link HERE

Comic of the week

Morning Meetings - Dilbert by Scott Adams

##Some OWASP stuff first

-Android App Reverse Engineering 101

Link HERE

-When clean code intended to help security can do the opposite

Link HERE

-Research shows reliance on open source components can be risky

Link HERE

-How does Static Code Analysis work – the Fortify flavour

Link HERE

-A Microsoft DevSecOps Static Application Security Testing (SAST) Exercise

Static Application Security Testing (SAST) is a critical DevSecOps practice. As engineering organizations accelerate continuous delivery to impressive levels, it’s important to ensure that continuous security validation keeps up. To do so most effectively requires a multi-dimensional application of static analysis tools. The more customizable the tool, the better you can shape it to your actual security risk

Link HERE

-An Introduction to Buffer Overflow Vulnerability

The art of memory exploitation

Link HERE

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

AWS re:Invent presentations

AWS re:Invent 2019 – Keynote with Dr. Werner Vogels

Link HERE

AWS re:Invent 2019: Why you need a ledger database: BMW, DVLA, & Sage discuss use cases

Link HERE

AWS re:Invent 2019: Top 5 container and Kubernetes best practices

Link HERE

AWS re:Invent 2019: Remote desktop and application streaming with NICE DCV

Link HERE

AWS re:Invent 2019: Application configuration as code

Link HERE

AWS re:Invent 2019: Strong security made simple: Putting all the pieces together

Link HERE

AWS re:Invent 2019: [REPEAT 1] Vulnerability disclosure and response with AWS security

Link HERE

AWS re:Invent 2019: It’s always day zero: Working on open source and security

Link HERE

AWS re:Invent 2019: Prepare for & respond to security incidents in your AWS environment

Link HERE

AWS re:Invent 2019: [REPEAT] Detect network and security anomalies with Traffic Mirroring

Link HERE

AWS re:Invent 2019: Leadership session: AWS security

Link HERE

AWS re:Invent 2019: Life hacks for automating DevSecOps security tasks

Link HERE

AWS re:Invent 2019: [REPEAT] Master your security in the cloud

Link HERE

AWS re:Invent 2019: Protecting you from you: Misconfiguration-caused breaches

Link HERE

AWS re:Invent 2019: Speculation & leakage: Timing side channels & multi-tenant computing

Link HERE

DevSecCon 2019

DevSecCon London 2019 Day 2 Siren Hofvander – Progress, Not Just Motion Security, the Hero’s Journey

Link HERE

All presentations are HERE

Blackhat London 2019

Keynote: Blue to Red: Traversing the Spectrum by Amanda Rousseau

Link HERE More next week

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

Link HERE

NCSC Weekly Threat Report

Consumers prepare for Black Friday & Cyber Monday

The Black Friday and Cyber Monday sales are now upon us with consumers set to be tempted with bargains this weekend and beyond.

However, with the promise of ‘unmissable’ deals there is also an important message for consumers to consider. Ensuring your online accounts are as secure as possible before making the most of those offers is crucial and will help to defend against cyber criminals

T-Mobile breach affects more than a million customers

Over a million T-Mobile customers have been affected following a data breach conducted by a cyber criminal.

The telecoms company confirmed last weekend that the malicious actor had obtained personal data, although financial data and passwords were not stolen.

In its disclosure notice, T-Mobile confirmed it had discovered and shut down the unauthorised access and had reported the incident to authorities

Link HERE – Report Vulns to NCSC HERE

API Security Issue 60 – Microsoft Azure OAuth2 Vulnerability, 5G Threat Landscape, Webinars

Link HERE

Link HERE

Incidents & events detail

The StrandHogg vulnerability

Promon security researchers have found proof of a dangerous Android vulnerability, dubbed ‘StrandHogg’, that allows real-life malware to pose as legitimate apps, with users unaware they are being targeted

Link HERE

Cyber criminal charged with stealing £76m while working for Russian intelligence

Hackers calling themselves ‘Evil Corp’ have been sanctioned by the US Treasury as a criminal indictment against them is unsealed

Link HERE

Evil Corp. Hacking Group Indictments 

US federal prosecutors have indicted Maksim Yakubets and Igor Turashev, who are allegedly members of the hacking group known as Evil Corp. The pair allegedly “led one of the most sophisticated transnational cybercrime syndicates in the world,” according to a US Department of Justice press release

Links HERE and HERE

Man-in-the-Middle Attack Used to Steal Venture Capital Investment

Hackers used a complex man-in-the-middle attack to steal approximately US $1 million from a Chinese venture capital firm that was supposed to be going to a start-up company in Israel. The hackers set up phony domains and spoofed emails between the companies, even going so far as to cancel a scheduled in-person meeting.
[Neely]
Verify the log retention period and access requirements for your email and related systems prior to an incident, making sure that there are not only at least six months of information but also that sufficient information is captured and your staff will be able to access it when needed. Always use an out-of-band verification process with wire transfers to ensure they are going to the intended recipient

Link HERE

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter

Exposed private cert key may also be an issue for IBM Aspera.

Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM’s Aspera software.

Link HERE

New Linux Vulnerability Lets Attackers Hijack VPN Connections

Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams.

They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard

Link HERE

The Evolution of Russia’s Dark Web

Link HERE

Smart refrigerator hack exposes Gmail login credentials

A bonus feature on a smart home product becomes a security liability

Link HERE

French officials say they are still considering a response to a cyber attack on a public hospital, including a possible “hack back.”

Link HERE

A popular website among hackers that sold spying tools was taken down after an international investigation

The British government says the site sold these tools to more than 14,500 people

Link HERE

Popular spyware company Hacking Team is making a comeback under new ownership

With the aim of ensuring their tools aren’t being abused

Link HERE

Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters’ Online Forum

A distributed denial-of-service (DDoS) tool known as the Great Cannon has reportedly been used against the LIHKG social media platform used by protesters in Hong Kong. China’s Great Cannon was first described by Citizen Lab in April 2015

Link HERE

Netflix ‘reactivated’ users without permission

Link HERE

BlackDirect: Microsoft Azure Account Takeover

Over the last few weeks, my team and I have been working on research associated with Microsoft Azure and Microsoft OAuth 2.0. Over the course of that time, we found a vulnerability that allows for the takeover of Microsoft Azure Accounts. Affecting specific Microsoft’s OAuth 2.0 applications, this particular vulnerability allows the creation of tokens with the victim’s permissions. This could let a malicious attacker access and control a victim’s account and take actions on their behalf

Link HERE

Custom Malware Development (Establishing A Shell Through the Target’s Browser) – Repurposing @beefproject & AutoIt

Links HERE and HERE

Research of the week

Featuring – Outrageous predictions

Looking into the future is something of a fool’s game, but it remains a useful exercise — helping prepare for what lies ahead by considering the full possible range of economic and political outcomes. This is where Saxo’s annual Outrageous Predictions fit in: not as a forecast for what 2020 will bring, but as an exercise in considering the full extent of what is possible, even if not necessarily probable. Inevitably the outcomes that prove the most disruptive (and therefore outrageous) are those that are a surprise to consensus

Link HERE – thanks to Naz

Formal Reasoning About the Security of Amazon Web Services

We report on the development and use of formal verification tools within Amazon Web Services (AWS) to increase the security assurance of its cloud infrastructure and to help customers secure themselves. We also discuss some remaining challenges that could inspire future research in the community

Link HERE – thanks to Alvin

Runtime Application Self-Protection (RASP), Investigation of the Effectiveness of a RASP Solution in Protecting Known Vulnerable Target Applications

Year after year, attackers target application-level vulnerabilities. To address these vulnerabilities, application security teams have increasingly focused on shifting left – identifying and fixing vulnerabilities earlier in the software development life cycle. However, at the same time, development and operations teams have been accelerating the pace of software release, moving towards continuous delivery. As software is released more frequently, gaps remain in test coverage leading to the introduction of vulnerabilities in production. To prevent these vulnerabilities from being exploited, it is necessary that applications become self-defending. RASP is a means to quickly make both new and legacy applications self-defending. However, because most applications are custom-coded and therefore unique, RASP is not one-size-fits-all – it must be trialled to ensure that it meets performance and attack protection goals. In addition, RASP integrates with critical applications, whose stakeholders typically span the entire organization. To convince these varied stakeholders, it is necessary to both prove the benefits and show that RASP does not adversely affect application performance or stability. This paper helps organizations that may be evaluating a RASP solution by outlining activities that measure the effectiveness and performance of a RASP solution against a given application portfolio

Link HERE

CertiKOS: A breakthrough toward hacker-resistant operating systems

A team of Yale researchers has unveiled CertiKOS, the world’s first operating system that runs on multi-core processors and shields against cyber attacks, a milestone that the scientists say could lead to a new generation of reliable and secure systems software.

Led by Zhong Shao, professor of computer science at Yale, the researchers developed an operating system that incorporates formal verification to ensure that a program performs precisely as its designers intended — a safeguard that could prevent the hacking of anything from home appliances and Internet of Things (IoT) devices to self-driving cars and digital currency

Links HERE and HERE and HERE

The Frugal Hacker: Hacking on a Shoestring Budget

“Being frugal pretty much comes with the territory as hackers”

Link HERE

Import Address Table (IAT) Hooking

A Windows portable executable (PE) contains a structure called the Import Address Table (IAT).

The IAT contains pointers to information that is critical for the executable to do its job:

  • a list of DLLs it depends on to provide the expected functionality
  • a list of function names and their addresses from those DLLs that the binary may call at some point

It is possible to hook the function pointers in the IAT by overwriting a target function’s address with the address of a rogue function, which can optionally go on to call the originally intended function.

Link HERE

Tool of the week

AWS Fraud Detector

Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts. Fraud Detector uses machine learning (ML) and 20 years of fraud detection expertise from AWS and Amazon.com to automatically identify potentially fraudulent activity so you can catch more fraud faster

Link HERE

AWS Detective

Amazon Detective is a new service in Preview that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

Amazon Detective can analyse trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time. With this unified view, you can visualize all the details and context in one place to identify the underlying reasons for the findings, drill down into relevant historical activities, and quickly determine the root cause

Link HERE

AWS CodeGuru

Amazon CodeGuru is a new machine learning service for development teams who want to automate code reviews, identify the most expensive lines of code in their applications, and receive intelligent recommendations on how to fix or improve their code

Link HERE

DNS covert channel implant for Red Teams

WEASEL is a small in-memory implant using Python 3 with no dependencies. The beacon client sends a small amount of identifying information about its host to a DNS zone you control. WEASEL server can task clients to execute pre-baked or arbitrary commands.

WEASEL is a stage 1 payload, meant to be difficult to detect and useful for regaining access when your noisy full-featured stages are caught

Link HERE

Other interesting articles

##Misconceptions: Unrestricted Release of Offensive Security Tools

Uncontrolled distribution of Offensive Security Tools is an unnecessary contribution to real threat actor’s criminal and intelligence network operations

Link HERE

##World Quality Report: Shift your focus to QA for an app sec win

The fight to educate developers is far from over, but the majority of application security specialists believe that their companies and developers now have the policy chops and awareness to secure their software. Unfortunately, most development teams’ security tools and controls are failing to meet the need.

As developers look toward 2020, the picture for secure development is one of continued—albeit, slow—progress. The slightest majority—51%—of respondents in the World Quality Report 2019-20 no longer have concerns that there is a “lack of secure data policy guidelines and awareness.” Yet only 41% of application security specialists have the proper controls in place to produce software programs and systems that adequately protect data

Link HERE

##Why We Need to Care About AI Sensitivity

Technology reflects, not erases, our biases.

It’s a truth that always bears repeating: computers only know what we program them to know. This basic fact has enabled the false idea that the value-neutral language of code erases the all-too-human qualities of prejudice from the equation. After all, we think of humans as fallible thinkers, prone to unfair judgments and biased decision-making. Machines should, in theory, be better — shouldn’t they?

Link HERE

##The Unbelievable Demand for Cybersecurity Workers

By 2021, there will be roughly 3.5 million unfilled cybersecurity jobs across the globe

“If someone has six months to a year of work and when they came in for an interview, they didn’t pee on the rug, they’re going to make in the neighborhood of $85,000.”

Link HERE

##And finally, THE FUTURE

No time was wasted. What was destined to be computed has been computed. The future is deterministic in the eye of itself. As a wise antique dealer would tell you, your life might as well have taken the most optimised path in a non-deterministic Turing machine of all life possibilities. In terms of what is the path most optimised? That is the gate to all mystery. Those who seek mystery are forever lost, and so are those who seek the future.

Perchance I am now back on track again to attempt another intersection with something great. With my dear sister this time. All the right pieces are gradually falling into place as they rapidly hot-swap in unfathomable ways. We are as confident we are going to inspire people and positively impact the world as we are skeptical if any of this makes sense. When the fascination for what shall arise has attached itself firmly to the precautionary tales of what shan’t, the prophecies collapse and the Tao remains undefined and truthful to its ontological amusement.

Hence it is said that the future can’t be distinguished from the past

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Description: XSS in GMail’s AMP4Email via DOM Clobbering.

URL: https://ysamm.com/?p=343

Description: Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge.

Links HERE and credits to HERE
