Security Stack Sheet #79

Word of the week “Security Absolutism”

Last month, Disney launched their new streaming service Disney+; “The best stories in the world, all in one place”, apparently. The service was obviously rather popular because within days the tech (and mainstream) headlines were proclaiming that thousands of hacked Disney+ accounts were already for sale on hacking forums. This is becoming an alarmingly regular pattern with online services, the cause of which was soon confirmed by Disney:

Disney says that there is “no indication” of a security breach on Disney+, and that the source of the problem might be a so-called “credential stuffing” attack, in which hackers obtain passwords and usernames from Dark Web databases, and then use a brute force method to see if those passwords and usernames will work on new sites as well.


Link HERE
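Credential stuffing, as the Disney statement above describes it, looks different in authentication logs from a user mistyping their own password: one source tries many distinct accounts in a short time, and most of those attempts fail. The script below is an added example (not part of this newsletter, and nothing to do with Disney’s systems) that runs that heuristic over a few constructed log lines in an assumed `timestamp ip username LOGIN_OK|LOGIN_FAIL` format, flags the sources that match, and lists the accounts that were successfully logged into from a flagged source, which is the set a defender would force-reset and notify.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from Security Stack Sheet #79 or from any vendor.
The log format is an assumption made for this example:
    <ISO-8601 timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: alice mistypes her password twice (normal), while
# 203.0.113.7 walks through eight different accounts in seven seconds and
# gets one hit (dave reused a leaked password).
SAMPLE_LOG = """\
2019-12-01T10:00:00 10.0.0.5 alice LOGIN_FAIL
2019-12-01T10:00:08 10.0.0.5 alice LOGIN_FAIL
2019-12-01T10:00:20 10.0.0.5 alice LOGIN_OK
2019-12-01T10:01:00 203.0.113.7 bob LOGIN_FAIL
2019-12-01T10:01:01 203.0.113.7 carol LOGIN_FAIL
2019-12-01T10:01:02 203.0.113.7 dave LOGIN_OK
2019-12-01T10:01:03 203.0.113.7 erin LOGIN_FAIL
2019-12-01T10:01:04 203.0.113.7 frank LOGIN_FAIL
2019-12-01T10:01:05 203.0.113.7 grace LOGIN_FAIL
2019-12-01T10:01:06 203.0.113.7 heidi LOGIN_FAIL
2019-12-01T10:01:07 203.0.113.7 ivan LOGIN_FAIL
2019-12-01T10:05:00 10.0.0.9 judy LOGIN_OK
""".splitlines()


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one log line of the assumed format into an AuthEvent."""
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK")


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_users=5, max_success_rate=0.3):
    """Return {ip: (distinct_users, attempts, successes)} for every source
    that, within some `window`, tried at least `min_users` different
    accounts with a success rate no higher than `max_success_rate`.
    For each source the widest matching window is reported."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so it spans at most `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            if len(users) < min_users:
                continue
            successes = sum(e.ok for e in win)
            if successes / len(win) <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), len(win), successes)
    return flagged


def compromised_accounts(lines, **kwargs):
    """Accounts that had a successful login from a flagged source: these
    credentials are known-good to the attacker and need a forced reset."""
    flagged = detect_stuffing(lines, **kwargs)
    return {e.user for e in map(parse_line, lines) if e.ok and e.ip in flagged}


if __name__ == "__main__":
    for ip, (users, attempts, ok) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {ok} successes")
    print("reset + notify:", sorted(compromised_accounts(SAMPLE_LOG)))
```

The thresholds are deliberately parameters: an office NAT gateway legitimately produces many distinct usernames from one IP, so in production the success-rate condition and a per-environment `min_users` matter more than the raw count, and a distributed attack that spreads attempts over thousands of IPs needs the same logic keyed on username or on a password-hash prefix rather than on source address.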

Word of the week special “CHRISTMAS SECURITY PREDICTIONS”


FUJITSU REVEALS 12 DAYS OF CHRISTMAS SECURITY PREDICTIONS

1.     A united front for cyber security talent development 

The shortage of cyber security talent will only get worse in 2020 – if we allow it to.

2.     Cloud adoption expands the unknown threat landscape

It will take time for organisations to understand their risk posture as the adoption of cloud services grows.

3.     The Brexit effect

Brexit will have far-reaching cyber security implications for many organisations, in many countries.

4.     SOAR revolution

Security Orchestration, Automation and Response (SOAR) is a real game-changer for cyber security and early adopters will see the benefits in 2020 as the threat landscape continues to expand.

5.     Further market fragmentation will frustrate CISOs 

The number of vendors in the cyber security market has been rapidly growing and that will continue in 2020, but this is leading to confusion for organisations.

6.     Artificial Intelligence (AI) will need real security

2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems.

7.     Organisations will need to understand how to make better use of security tools and controls at their disposal

Customers will need to take better advantage of the security measures that they already have available. 

8.     Do you Wannacry again?

The end of support for Windows Server 2008 and Windows 7 will open the door for well-prepared attackers.

9.     Raising the standard for managing identities and access

Federated Authentication, Single Sign-On and Adaptive Multi-Factor will become standard, if not required, practices in 2020.

10.  Extortion phishing on the rise

Taboo lures, enhanced phishing and social engineering techniques will prey on user privacy.

11.  Passwords become a thing of the past

We will see increasing adoption of end-to-end password-less access, especially in scenarios where Privileged Access Management (PAM) is required.

12.  Ransomware not so random

As more organisations employ negotiators to work with threat actors, ransomware is likely to decrease next year.

Link HERE

AND

Security for the 2020s: Addressing the Management Problem

Link HERE

 

Bonus


Link HERE


Link HERE


Link HERE

Do you need containers?


Thanks to Alvin


Link HERE

Crypto challenge of the week

HackingLab Christmas Advent Challenge

To handle the huge load of parcels, Santa introduced a parcel tracking system this year. He didn’t like the black and white barcode, so he invented a more solemn one. Unfortunately, the common barcode readers can’t read it anymore; it only works with the pimped models Santa owns. Can you read the barcode?

Link HERE

 

Dates

  • May 25th 2019: +1 year of GDPR Live! See incidents section below GDPR Enforcement Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance BEWARE! Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • 31st of January 2020 – New Year Brexit! Or sooner or later?


Link HERE

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

For your holidays


Link HERE – thanks to Alvin


Comic of the week

 - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP API Security Top 10: Get your dev team up to speed

Link HERE

-BeerSecOps #04: All About OWASP with Sam Stepanyan (OWASP London Chapter Leader)

Link HERE

-Develop and Publish a Vulnerability Disclosure Policy by U.S. Department of Homeland Security

Link HERE

-Remember: 2019 CWE Top 25 Most Dangerous Software Errors


Link HERE

-Remember: A security practitioner’s guide to software obsolescence

Link HERE

-Gitlab public bug bounty program

Link HERE

-Rarely Discussed Real Life Application Security Decisions

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

The complete Security Events calendar – Peerlyst

Link HERE

GOTO 2018 – Crossing the River by Feeling the Stones – Simon Wardley

Link HERE

BlackHat 2019 Reverse Engineering WhatsApp Encryption for Chat Manipulation and More

We managed to reverse engineer WhatsApp web source code and successfully decrypted WhatsApp traffic. During the process we translated all WhatsApp web functions to Python and created a Burp Suite extension that you can use to investigate WhatsApp traffic and extend in order to find vulnerabilities.

Link HERE

Evolving for Today’s Security First Mindset

Link HERE

Guarding Against Physical Attacks: The Xbox One Story — Tony Chen, Microsoft

Link HERE

Join a Security group


Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


Link HERE

NCSC Weekly Threat Report


UK government warns charities of cyber security risk

The government has issued a cyber security alert to charities warning them of a spike in the number of criminals trying to access and change the private information of staff.

The Charity Commission has received several reports from charities that have been targeted by fraudsters impersonating HR staff members, specifically attempting to change employees’ bank details. In all cases, the request was made through an email.

Concerns about smart toys published by Which?

With Christmas shopping well underway, this week consumer association Which? revealed it had found “serious security flaws” in some children’s smart toys.

Working with cyber security specialists, Which? raised concerns about some connected toys sold by major retailers, claiming that they lacked basic cyber security measures and were vulnerable to attack.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 61 – Exposed patient records, vulnerabilities at Airtel and Kaspersky

Link HERE


Link HERE

Incidents & events detail

FaceApp may pose ‘counterintelligence threat’ says FBI

Link HERE

Two Computer Programmers Plead Guilty in Connection with Operating Two of the Biggest Illegal Movie and Television Show Streaming Services in the United States

Link HERE

Stolen hard drives had payroll data for 29,000 Facebook workers

Link HERE

CVE-2019-12750: Symantec Endpoint Protection Local Privilege Escalation – Part 2

Link HERE

Think of data as the new uranium rather than the new oil – and treat it like it’s toxic

Link HERE

Sprint contractor exposed a ton of cell phone bills stored in Amazon’s cloud

Another leaky bucket data breach…

Link HERE

The world increasingly relies on open source — here’s how to control its risks

Link HERE

1&1 Telecom GmbH hit by almost €10 million GDPR fine over poor security at call centre

Link HERE

Gartner Says the Future of Network Security Lies with SASE

Network Security SASE (secure access service edge)

Link HERE

Scientists create quantum states in everyday electronics

Link HERE


Link HERE

Facebook’s political ad problem, explained by an expert

“I think Facebook is the most afraid”: an interview with former Facebook security executive Alex Stamos

Link HERE

HackerOne breach lets outside hacker read customers’ private bug reports

Link HERE

SPILLING LOCAL FILES VIA XXE WHEN HTTP OOB FAILS

Link HERE

Research of the week

Featuring – Cybersecurity Reference Architecture: Security for a Hybrid Enterprise from Microsoft

The Microsoft Cybersecurity Reference Architecture (aka.ms/MCRA) describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures and capabilities. 

We have seen this document used for several purposes by our customers and internal teams (beyond a geeky wall decoration to shock and impress your cubicle neighbours :-)


Links HERE and HERE

Whoopsie-daisy: Chaining accidental features of Ubuntu’s crash reporter to get LPE

This post is an overview of five vulnerabilities that I found in Ubuntu’s crash reporting system: CVE-2019-7307, CVE-2019-11476, CVE-2019-11481, CVE-2019-11484 and CVE-2019-15790. Two of those vulnerabilities, CVE-2019-11476 and CVE-2019-11481, are low-severity local denial-of-service vulnerabilities, but the remaining three are significantly more serious. When chained together, these vulnerabilities allow a local unprivileged attacker to read arbitrary files on the system.

Link HERE

Control mapping of the NIST SP 800-53 R4 blueprint sample

The following article details how the Azure Blueprints NIST SP 800-53 R4 blueprint sample maps to the NIST SP 800-53 R4 controls

Link HERE

2019 Global Threat Report – via CrowdStrike


Link HERE

SockPuppet: A Walkthrough of a Kernel Exploit for iOS 12.4

I have a somewhat unique opportunity in this writeup to highlight my experience as an iOS research newcomer. Many high quality iOS kernel exploitation writeups have been published, but those often feature weaker initial primitives combined with lots of cleverness, so it’s hard to tell which iOS internals were specific to the exploit and which are generic techniques.

In this post, we’ll look at CVE-2019-8605, a vulnerability in the iOS kernel and macOS for five years, and how to exploit it to achieve arbitrary kernel read/write. This issue affected XNU as early as 2013, and was reported by me to Apple in March 2019. It was then patched in iOS 12.3 in May 2019 and I released the complete details, including the exploit for iOS for analysis, named “SockPuppet,” in July 2019. It was then discovered that this issue regressed in iOS 12.4 and was later patched in iOS 12.4.1 in late August 2019.

Link HERE

AND

Calling Local Windows RPC Servers from .NET

Link HERE

Tool of the week

Turbo Intruder: Embracing the billion-request attack

Turbo Intruder

Automated web application attacks are terminally limited by the number of HTTP requests they can send. It’s impossible to know how many hacks have gone off the rails because you didn’t quite manage to bruteforce a password, missed a race condition, or failed to find a crucial folder.

In this presentation I introduce, demo and distribute Turbo Intruder – a research grade open source Burp Suite extension built from scratch with speed in mind. I also discuss the underlying HTTP abuse that enables it to go so fast, so you can attain similar speeds in any tools you happen to write.

Link HERE

Security Game – ThreatGEN: Red vs. Blue


Link HERE – thanks to Naz

Trivy

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

Link HERE


Link HERE

CORStest – A Simple CORS Misconfiguration Scanner

Link HERE

Other interesting articles

##How can you save money on running your HTTP(S) API on Amazon Web Services (AWS)

The data collection API is fairly simple in principle: games send events to us as JSON objects through HTTP POST requests, and we send a short response and take the event from there. Clients either use one of our SDKs or invoke our REST API directly.

Link HERE

 

##Remember: The VPN Industry Is on the Cusp of a Major Breakthrough

The WireGuard protocol is intended to be the future of VPNs, promising better speeds and security. We tested NordVPN’s implementation, and WireGuard appears set to deliver on its promises.

Links HERE and HERE

AND

The VPN is dying, long live zero trust

The traditional VPN is being replaced by a smarter, safer approach to network security that treats everyone as equally untrusted

Link HERE

 

##What to expect at the ISO certification audit: What the auditor can and cannot do


Link HERE

 

##And finally, Fantastic Security Breaches and Where to Find and Defend against Them

Of Worms and Vulnerabilities. Three notable cherry-picks in 10 minutes.


Links HERE and HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hipotermia.pw/bb/http-desync-idor

Description: HTTP Request Smuggling or HTTP Desync + IDOR.

URL: https://amonitoring.ru/article/origin_lpe_disclosure/

Description: Local EoP in EA Windows Origin Client (CVE-2019-19247 & CVE-2019-19248).

Links HERE and credits to HERE

 
