Security Stack Sheet #80

Word of the week

“Security Predictions for 2020”


Complex (these are only small excerpts):

Attackers will outpace incomplete and hurried patches.

Cybercriminals will turn to blockchain platforms for their transactions in the underground.

Banking systems will be in the crosshairs with open banking and ATM malware.

Deepfakes will be the next frontier for enterprise fraud.

Exposed:

Cybercriminals will home in on IoT devices for espionage and extortion.

Critical infrastructures will be plagued by more attacks and production downtimes.

Misconfigured:

Vulnerabilities in container components will be top security concerns for DevOps teams.

Serverless platforms will introduce an attack surface for misconfiguration and vulnerable codes.

User misconfigurations and unsecure third-party involvement will compound risks in cloud platforms.

Defensible:

Predictive and behavioral detection will be crucial against persistent and fileless threats.

Threat intelligence will need to be augmented with security analytics expertise for protection across security layers.


Links HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and perfect stack HERE

Cross-Site Scripting (XSS) Makes Nearly 40% of All Cyber Attacks in 2019

Link HERE

Word of the week special

“Starbucks schmucks”

Starbucks Devs Leave API Key in GitHub Public Repo


Link HERE

“Could you be hacked by your printer?”

Link HERE

 

Bonus

Amazon Takes a Swipe at PayPal’s $4 Billion Acquisition


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE

Crypto challenge of the week

HackingLab Challenge – Bacon and eggs


Francis Bacon was an English philosopher and statesman who served as Attorney General and as Lord Chancellor of England. His works are credited with developing the scientific method and remained influential through the scientific revolution. Bacon has been called the father of empiricism.

His works argued for the possibility of scientific knowledge based only upon inductive reasoning and careful observation of events in nature. Most importantly, he argued science could be achieved by use of a sceptical and methodical approach whereby scientists aim to avoid misleading themselves. Although his practical ideas about such a method, the Baconian method, did not have a long-lasting influence, the general idea of the importance and possibility of a sceptical methodology makes Bacon the father of the scientific method. This method was a new rhetorical and theoretical framework for science, the practical details of which are still central in debates about science and methodology.

Link HERE

GitHub Security Lab CTF 3: XSS-unsafe jQuery plugins

Link HERE

 

Dates

  • May 25th 2019: +1 year of GDPR Live! See incidents section below GDPR Enforcement Tracker Link HERE – thanks to Marius

CAN THE US-UK CLOUD ACT AGREEMENT BE FIXED?

Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE

California’s Tough New Privacy Law and Its Biggest Challenges

Link HERE

  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance BEWARE! Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • 31st of January 2020 – New Year Brexit! Or sooner or later?
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • November 3rd 2020: Trump’s second term start


Link HERE

How to Track President Trump

Link HERE

Iran’s ‘Critical’ Cyberattack Threat: This Is What Is Really Happening Right Now

Link HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Universal Radio Hacker: Investigate Wireless Protocols like a Boss

The Universal Radio Hacker (URH) is a tool for analyzing unknown wireless protocols. With the rise of Internet of Things (IoT) such protocols often appear in the wild. Many IoT devices operate on frequencies like 433.92 MHz or 868.3 MHz and use proprietary protocols for communication. Reverse-engineering such protocols can be fascinating (»What does my fridge talk about?«) and reveal serious security leaks, e.g. when bypassing smart alarm systems and door locks.

So how can we join this game? Software Defined Radios (SDR) are the answer for this. Such devices allow sending and receiving on nearly arbitrary frequencies.

Link HERE

Comic of the week

Inefficiency - Dilbert by Scott Adams

## Some OWASP stuff first

-OWASP API Security Top 10 2019 is out!


Links HERE and HERE

-Secure SDLC

The secure SDLC sits on top of the regular Software Development Lifecycle. A popular one is Microsoft’s SDL (Security Development Lifecycle). According to M$, “The Security Development Lifecycle (SDL) consists of a set of practices that support security assurance and compliance requirements. The SDL helps developers build more secure software by reducing the number and severity of vulnerabilities in software, while reducing development cost.”

Link HERE

-Using ATT&CK for Cyber Threat Intelligence Training

  • What ATT&CK is and why it’s useful for cyber threat intelligence (CTI)
  • How to map to ATT&CK from both finished reporting and raw data
  • Why it’s challenging to store ATT&CK-mapped data and what you should consider when doing that
  • How to perform CTI analysis using ATT&CK-mapped data
  • How to make defensive recommendations based on CTI analysis

Link HERE

AND

Utilizing OSINT in Threat Analytics & Incident Response

Link HERE

-Top Ten Application Security Podcast Episodes of 2019

Link HERE

-The Path Less Traveled: Abusing Kubernetes Defaults

In this live demonstration-filled talk presented at Black Hat USA 2019, Ian Coldwater and Duffie Cooley walk through the Kubernetes control plane before using sigs.k8s.io/kind to show some of the attack surface exposed by a default configuration of Kubernetes. There will be multiple exploits, including cluster takeovers and host escapes.

Link HERE and manifests HERE

-Automated security tests with OWASP ZAP

Link HERE

-Code Review 101

How to perform source code review to find vulnerabilities in web applications

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE


Link HERE

Top INFOSEC journalists YOU should follow in 2020

Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


Link HERE

NCSC Weekly Threat Report


Travelex New Year’s Eve incident

There has been prominent media coverage this week after foreign exchange company Travelex suffered a ransomware attack on New Year’s Eve.
The company has taken all of its systems offline in a move they said will prevent the spread of the virus further across the network. Travelex have said there had been no evidence customer data had been compromised.

Security issues in Citrix products reported by researchers

Positive Technologies have reported a security issue that affects Citrix products. The flaw could give attackers an opportunity to search for weaknesses on the internet.

Honeypots run by security researchers have shown potential attackers scanning the internet for potentially vulnerable instances. This may put organisations that are exposing them to the open world at risk of being attacked and compromised.

TikTok fix flaws following vulnerability report

TikTok, a video-sharing platform, has acted upon security flaws which were highlighted by researchers at the security firm, Check Point.

A number of issues were spotted by researchers which included the potential to allow hackers access to change privacy settings, steal personal data and add or delete videos. Before the fix, it would have been theoretically possible for hackers to access private personal information that is required to set up an account on the service, such as mobile phone numbers.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 65 – Vulnerabilities at Siemens, Cisco, D-Link, OWASP API Security Top 10 2019 out

Link HERE

Link HERE

Troy Hunt weekly update – 173

Link HERE and Article on the last decade HERE

Incidents & events detail

KUBERNETES FAILURE STORIES


Links HERE and HERE

Critical Remote Code-Execution Bugs Threaten Global Power Plants

Link HERE

Some Thoughts About the Critical Citrix ADC/Gateway Vulnerability (CVE-2019-19781)

Link HERE

Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty

Link HERE

Attackers Terrify Homeowners After Hacking Ring Devices

Link HERE

Dixons Carphone fined £500,000 over serious data breach

The company behind Currys PC World and Carphone Warehouse identified a breach in 2018, originally estimating little over a million people had their personal data compromised.

But the Information Commissioner’s Office (ICO) investigation revealed a ‘point of sale’ computer system was compromised as a result of the cyber-attack, exposing the full names, postcodes and email addresses of at least 14 million people.

It found that an attacker installed malware on 5,390 tills at Currys PC World and Dixons Travel stores between July 2017 and April 2018. Personal data was being collected over this nine-month period.

Link HERE

Mozilla Patches Critical Vulnerability

Link HERE

Ubuntu whoopsie integer overflow vulnerability (CVE-2019-11484)

Link HERE

“Planned maintenance”? Travelex’s masterclass in how not to respond to a cyberattack


Link HERE

New Year Honours: UK Government apologises after addresses published

Link HERE

Russia ‘successfully tests’ its unplugged internet

Link HERE

Microsoft Edge (Chromium) – EoP via XSS to Potential RCE

Link HERE

New Orleans declares state of emergency following ransomware attack

Link HERE – thanks to Prash

Hacking the Same-Origin Policy

How attackers bypass the fundamental Internet safeguard to read confidential data

Link HERE

Mass Surveillance, is an (un)Complicated Business

Triaging a massively popular iOS application, with a dark side


“It Seemed Like a Popular App. It’s Secretly a Spy Tool”

Link HERE

Why GOV.UK content should be published in HTML and not PDF

Link HERE

Apple opens public bug bounty program, publishes official rules

Apple opens its previously-closed bug bounty program to all security researchers

Link HERE

Twelve Million Phones, One Dataset, Zero Privacy

EVERY MINUTE OF EVERY DAY, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles.

Link HERE

Bearded man robs bank, gifts money, then yells ‘Merry Christmas’


Link HERE

Operating Systems Can be Detected Using Ping Command

Link HERE

Research of the week

Featuring – Security Report: Reverse Engineering of A Breach


Link HERE and Awesome reverse engineering tools HERE

Monitoring Maturity Model


Link HERE

How to detect the SACK Panic vulnerability with Wireshark

The security team at Pentest-Tools.com has recently performed an in-depth analysis of the SACK Panic vulnerability (which was first disclosed in June 2019) to find out its exploitability against Linux machines.

Throughout this research, we’ve identified a new method to detect vulnerable servers using Wireshark, the popular network traffic analyser.

Link HERE

Exploiting Wi-Fi Stack on Tesla Model S

This article reveals the details of two vulnerabilities and introduces how to exploit these vulnerabilities, which proves that these vulnerabilities can be used by an attacker to hack into the Tesla Model S in-vehicle system remotely through the Wi-Fi.

Link HERE

Tool of the week

Burp Suite extension to view and extract data from JSON responses

Link HERE and Top Ten tools HERE

Reminder: Pyre – from Facebook

A performant type-checker for Python 3

Link HERE

The TIDoS Framework – The Offensive Manual Web Application Penetration Testing Framework

Link HERE

CyberScan: Hackers Favourite ToolKit

Link HERE

SQL Injection Payload List

Link HERE

Dagon- advanced hash cracking and manipulation system

Link HERE

Automating Mapping to ATT&CK: The Threat Report ATT&CK Mapper (TRAM) Tool

Link HERE

BUG BOUNTY CHECK LIST BY C1

Link HERE

Other interesting articles

## AWS vs. Azure vs. Google – What’s the Difference from a Cloud Security Standpoint?


Links HERE and HERE

 

## What broke the bank

A disastrous IT migration corrupted 1.3 billion customer records. The culprit was insufficient testing.

Link HERE

AND

Cross-Site Scripting on a big bank’s Payment Gateway

Link HERE

 

## Why Running a Privileged Container in Docker Is a Bad Idea

Link HERE

 

## ’I am going to say quiet words in your face just like I did with Trump’: a conversation with the Zuckerbot

Facebook’s Mark Zuckerberg won’t talk to the Guardian. So we fed everything he says into an algorithm, built a Zuckerbot, and interviewed it.


Link HERE

## How to Find Hidden Cameras in Your Airbnb, and Anywhere Else

Sharpen your vigilance — or paranoia — with these tricks and tools


Links HERE and HERE

 

## FckdEx

In the next 24 months, FedEx will either be acquired or lose an additional 40%+ in value. The likely acquirer is Walmart. The gangster move: a merger with Shopify.

In July 2017 we predicted, “If Bezos tomorrow said, ‘We see overnight delivery as a huge opportunity,’ the $150 billion of market cap of DHL, FedEx, and UPS would begin leaking to Amazon.”


Link HERE

 

## And finally, “The Art of Dying”: a valuable message from Bruce Lee about our ego

In his constant search for self-knowledge, Bruce Lee produced a lot of valuable messages that apply not only to martial arts, but to life itself as a whole.


Link HERE

## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://alephsecurity.com/2019/12/29/revised-homograph-attacks/

Description: Revised Homograph Attacks.

URL: http://bit.ly/2tnUn78  (+)

Description: Using WebRTC ICE Servers for Port Scanning in Chrome.

Links HERE and credits to HERE
