Word of the week
“Master password” & “2FA or not 2FA, that is the question”
According to the 2017 Verizon Data Breach Investigations Report, 81% of hacking-related breaches involved stolen or weak passwords. So creating strong passwords is essential (?)
Word of the week special
“The Dr Jekyll and Mr Hyde of Cybersecurity”
“Artificial Personas and Public Discourse”
Presidential campaign season is officially, officially, upon us now, which means it’s time to confront the weird and insidious ways in which technology is warping politics. One of the biggest threats on the horizon: artificial personas are coming, and they’re poised to take over political debate. The risk arises from two separate threads coming together: artificial intelligence-driven text generation and social media chatbots. These computer-generated “people” will drown out actual human discussions on the Internet.
Text-generation software is already good enough to fool most people most of the time. It’s writing news stories, particularly in sports and finance. It’s talking with customers on merchant websites. It’s writing convincing op-eds on topics in the news (though there are limitations). And it’s being used to bulk up “pink-slime journalism” — websites meant to appear like legitimate local news outlets but that publish propaganda instead.
“No code development security”
Google acquires AppSheet to bring no-code development to Google Cloud
Thanks to Mithun
Crypto challenge of the week
HackingLab Challenge – SmileNcryptor 4.0
You hacked into the system of very-secure-shopping.com and found a SQL dump with $$-credit card numbers. As a good hacker you inform the company from which you got the dump. The managers tell you that they don’t worry, because the data is encrypted.
Analyse the “encryption” method and try to decrypt the flag.
Hints: the CC numbers are valid ones; cyber-managers often don’t know the difference between encoding and encryption.
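A worked check for the first hint, added here as an example (it is not part of the HackingLab challenge or of its solution): because payment card numbers carry a Luhn checksum, a correct decoding of a dump field can be told apart from garbage automatically, which turns the second hint into a loop of "try an encoding, keep what passes Luhn". The sample dump fields below are constructed from well-known test numbers, and the two decoders tried (base64 and hex) are assumptions about the kind of "encryption" the hint alludes to.

```python
import base64


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Decoders to try against each dump field. These are assumptions about what a
# "cyber-manager" might call encryption; add others (rot13, URL-encoding, ...) as needed.
DECODERS = [
    ("base64", lambda t: base64.b64decode(t, validate=True)),
    ("hex", bytes.fromhex),
]


def recover_cards(tokens):
    """Return (number, encoding) for every token that decodes to a Luhn-valid digit string."""
    hits = []
    for token in tokens:
        for name, decode in DECODERS:
            try:
                text = decode(token).decode("ascii")
            except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
                continue
            if text.isdigit() and luhn_valid(text):
                hits.append((text, name))
    return hits


# Constructed sample "SQL dump" fields (standard test numbers, not real cards):
SAMPLE_DUMP = [
    base64.b64encode(b"4111111111111111").decode(),   # base64 of a Luhn-valid test number
    b"4111111111111112".hex(),                         # hex of a number that fails Luhn
    "not-a-card",                                      # decodes under neither encoding
]

if __name__ == "__main__":
    for number, encoding in recover_cards(SAMPLE_DUMP):
        print(f"{encoding}: {number}")
```

Only the first field survives: the hex field decodes cleanly but fails the checksum, so the loop rejects it rather than reporting a near miss. The same filter is useful in the other direction when reviewing a real dump: a column that decodes to Luhn-valid digits under a reversible transform was encoded, not encrypted.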
PenTest magazine CTF
jQuery CTF Challenge answers
Book of the month
S**t I Can’t Remember: An Organizer for All Your Passwords and S**t
Comic of the week
##Some OWASP stuff first
-Password Storage Cheat Sheet
-Authentication Cheat Sheet
-Detecting Citrix CVE-2019-19781 with OWASP Nettacker
OWASP events HERE
All InfoSec events HERE
Protecting your Cloud Native & Kubernetes environments from exposure and breach with Cisco Stealthwatch Cloud
Wednesday, January 22nd, 2020 at 1:00 PM EST (18:00:00 UTC)
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Microsoft ends support for Windows 7
Microsoft resolve vulnerability following NSA report
Threat of cyber attacks keeping business leaders up at night
NCSC on the Citrix vulnerability CVE-2019-19781
API Security Issue 66 – Vulnerabilities in TikTok and InfiniteWP Client, AppSecCali 2020
Unsupervised Learning: No. 211
Incidents & events detail
Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781
A Facebook Bug Exposed Anonymous Admins of Pages
A critical vulnerability has been found in cable modems from various manufacturers across the world. It enables remote attackers to execute arbitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network, so Cable Haunt might be exploited to intercept private messages, redirect traffic, or enlist the modem in botnets.
The vulnerable endpoint is exposed to the local network, but can be reached remotely due to improper WebSocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem. A technical report is available for download.
P&N Bank Discloses Breach
Australia’s P&N Bank has disclosed a breach that compromised customer data, including names, account numbers, and account balances. The incident occurred around the second week of December 2019 during a server upgrade. P&N believes that the intruders gained entry through a third-party hosting provider.
WordPress Plugin Flaws Affect 320,000 Sites
Critical flaws in two WordPress plugins could be exploited to access websites’ administrator accounts without a password. The affected plugins, InfiniteWP Client and WP Time Capsule, run on 300,000 and 20,000 websites respectively. The developers of both plugins have addressed the issues in updates.
Remember: Chinese hacker group caught bypassing 2FA
Chinese state-sponsored group APT20 has been busy hacking government entities and managed service providers
Microsoft Patch Tuesday crypt32.dll Vulnerability Overview
As part of today’s “Patch Tuesday”, Microsoft addressed a critical flaw in the Windows 10 and Windows Server 2016 version of crypt32.dll. Crypt32.dll implements the Windows CryptoAPI, which provides various cryptographic features used by software to verify digital signatures. This flaw was originally discovered by the NSA, but has not been used in attacks yet.
Cryptic Rumblings Ahead of First 2020 Patch Tuesday
Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.
According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates
Proof-of-Concept Exploit Code Released for Critical Cryptographic Flaw in Windows 10
The US National Security Agency (NSA) has deemed a cryptographic flaw it found in Windows 10 so critical that it took the unusual step of disclosing the flaw itself. The flaw could be exploited to spoof code signing certificates. The issue also affects Windows Server 2016 and 2019 and “applications that rely on Windows for trust functionality.” The Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the issue by January 29. Proof-of-concept exploit code for the vulnerability has been released.
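The crypt32.dll flaw (tracked as CVE-2020-0601) lay in how CryptoAPI validated ECC certificates that carry explicit curve parameters instead of a named-curve OID, which is why the NSA advisory suggested hunting for certificates of that shape. The following is an added example and not Microsoft’s, the NSA’s or the proof-of-concept’s code: a minimal DER walk that classifies the parameters field of an EC SubjectPublicKeyInfo. The three SPKIs it checks are constructed in the block with zeroed placeholder key and curve values, not real keys.

```python
"""Classify the curve parameters of an EC SubjectPublicKeyInfo (DER)."""

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_RSA = "1.2.840.113549.1.1.1"
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}


# --- minimal DER helpers (definite lengths only, which is what certificates use) ---

def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, position after the element) for the element at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length of the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def classify_ec_parameters(spki: bytes) -> str:
    """'named:<curve>', 'explicit', 'implicit' or 'not-ec' for a DER SubjectPublicKeyInfo."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, _ = _read_tlv(body, 0)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg_id, 0)
    if tag != 0x06 or _decode_oid(alg_oid) != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg_id):
        return "implicit"                          # parameters absent
    tag, params, _ = _read_tlv(alg_id, pos)
    if tag == 0x06:                                # namedCurve OID: the normal case
        oid = _decode_oid(params)
        return "named:" + NAMED_CURVES.get(oid, oid)
    if tag == 0x30:                                # specifiedCurve: explicit ECParameters SEQUENCE
        return "explicit"
    if tag == 0x05:                                # implicitlyCA NULL
        return "implicit"
    return "unknown"


# --- constructed samples (placeholder key material, not real keys) ---

def _spki(alg_oid: str, parameters: bytes, key_bits: bytes) -> bytes:
    alg_id = _tlv(0x30, _encode_oid(alg_oid) + parameters)
    return _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + key_bits))


EC_POINT = b"\x04" + bytes(64)                     # uncompressed P-256 point shape, zeroed placeholder

NAMED_SPKI = _spki(OID_EC_PUBLIC_KEY, _encode_oid("1.2.840.10045.3.1.7"), EC_POINT)

# ECParameters ::= SEQUENCE { version, fieldID, curve, base, order, cofactor }, placeholder values
_explicit_params = _tlv(0x30,
    _tlv(0x02, b"\x01")                                                          # version ecpVer1
    + _tlv(0x30, _encode_oid("1.2.840.10045.1.1") + _tlv(0x02, b"\x00" + b"\xff" * 32))  # prime-field, p
    + _tlv(0x30, _tlv(0x04, bytes(32)) + _tlv(0x04, bytes(32)))                  # curve a, b
    + _tlv(0x04, EC_POINT)                                                        # base point G
    + _tlv(0x02, b"\x00" + b"\xff" * 32)                                          # order n
    + _tlv(0x02, b"\x01"))                                                        # cofactor
EXPLICIT_SPKI = _spki(OID_EC_PUBLIC_KEY, _explicit_params, EC_POINT)

RSA_SPKI = _spki(OID_RSA, _tlv(0x05, b""), bytes(4))   # RSA with NULL parameters, placeholder key

if __name__ == "__main__":
    for label, spki in (("named", NAMED_SPKI), ("explicit", EXPLICIT_SPKI), ("rsa", RSA_SPKI)):
        print(label, "->", classify_ec_parameters(spki))
```

To run this over a real certificate, extract the subjectPublicKeyInfo from the DER TBSCertificate (it follows version, serial number, signature algorithm, issuer, validity and subject) or use a library that exposes the raw SPKI bytes. An "explicit" result is not malicious by itself, since the encoding is legal, but legitimate leaf certificates almost never use it, so it is a cheap filter for TLS proxy logs and code-signing inventories on hosts that had not yet taken the January 2020 update.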
New Iranian data wiper malware hits Bapco, Bahrain’s national oil company
Saudi Arabia’s cyber-security agency spots new Dustman data-wiping malware
Apple Denies FBI Request to Unlock Shooter’s iPhone—Again
Ring says it has fired four employees for abusing access to user video
The company said so in a letter to senators
Research of the week
Featuring – Android Mobile App Data Sharing is “Out of Control”
A report from the Norwegian Consumer Council says that the sharing of sensitive information by Android apps is “out of control.” According to analysis of 10 popular Android apps conducted by Mnemonic, the apps share sensitive user data with numerous third-parties. Mnemonic conducted its analyses between June and November 2019. In all, the 10 examined apps sent user data to a total of 135 separate third-party entities that all engage in advertising or behavioral marketing.
Uploading web.config for Fun and Profit 2
This is the second part of my Uploading web.config For Fun and Profit! I wrote the original blog post back in 2014, in which I described a method to run ASP classic code as well as to perform stored XSS attacks only by uploading a web.config file.
In this blog post, as well as focusing on running the web.config file itself, I have covered other techniques that can come in handy when uploading a web.config in an application on IIS. My main goal is to execute code or commands on the server using a web.config file and have added more techniques for stored XSS as well.
The techniques described here have been divided into two major groups depending on whether a web.config file can be uploaded in an application root or in a subfolder/virtual directory. Please see the linked reference if you are not familiar with the virtual directory and application terms in IIS. Another blog post of mine can also be helpful to identify a virtual directory or an application during a blackbox assessment.
Remember: SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust
The SHA-1 hash function was designed in 1995 and has been widely used for two decades. A theoretical collision attack was first proposed in 2004 [WYY05], but due to its high complexity it was only implemented in practice in 2017, using a large GPU cluster [SBK+17]. More recently, an almost practical chosen-prefix collision attack against SHA-1 has been proposed [LP19]. This more powerful attack allows building colliding messages with two arbitrary prefixes, which is much more threatening for real protocols. In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collision attacks against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 2^61.2 rather than 2^64.7, and chosen-prefix collisions with a complexity of 2^63.4 rather than 2^67.1. When renting cheap GPUs, this translates to a cost of 11k US$ for a collision, and 45k US$ for a chosen-prefix collision, within the means of academic researchers. Our actual attack required two months of computations using 900 Nvidia GTX 1060 GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time preparing the attack). Therefore, the same attacks that have been practical on MD5 since 2009 are now practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes and handshake security in secure channel protocols (TLS, SSH). We strongly advise to remove SHA-1 from those types of applications as soon as possible. We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can therefore be transferred to the second key, leading to a forgery. This proves that SHA-1 signatures now offer virtually no security in practice.
The legacy branch of GnuPG still uses SHA-1 by default for identity certifications, but after notifying the authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as CVE-2019-14855).
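Since the modern GnuPG branch now rejects SHA-1 signatures, the practical follow-up is to find which certifications on your own keys still use it. The following is an added example, not code from the paper’s authors or from GnuPG: it walks the packets of an exported OpenPGP key and reports the hash algorithm of every signature packet (RFC 4880 algorithm IDs, where MD5 is 1 and SHA-1 is 2). The key blob it runs on is constructed inline with placeholder key material, so the packets have the right framing and field layout but are not a real key.

```python
"""Report the hash algorithm of every signature packet in an OpenPGP key blob."""

HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}
SIGNATURE_TAG = 2


def iter_packets(blob: bytes):
    """Yield (tag, body) for each packet (RFC 4880 section 4.2, old and new header formats)."""
    pos = 0
    while pos < len(blob):
        first = blob[pos]
        if not first & 0x80:
            raise ValueError(f"not a packet header at offset {pos}")
        if first & 0x40:                                   # new format
            tag = first & 0x3F
            b1 = blob[pos + 1]
            if b1 < 192:
                length, pos = b1, pos + 2
            elif b1 < 224:
                length, pos = ((b1 - 192) << 8) + blob[pos + 2] + 192, pos + 3
            elif b1 == 255:
                length, pos = int.from_bytes(blob[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                              # old format
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(blob[pos + 1:pos + 1 + n], "big")
            pos += 1 + n
        yield tag, blob[pos:pos + length]
        pos += length


def signature_fields(body: bytes):
    """(signature type, public-key algorithm, hash algorithm) from a v3 or v4 signature body."""
    version = body[0]
    if version == 4:
        return body[1], body[2], body[3]
    if version == 3:                                       # v3: len(5), type, time(4), key id(8), pk algo, hash algo
        return body[2], body[15], body[16]
    raise ValueError(f"unsupported signature version {version}")


def audit_signatures(blob: bytes):
    """List one dict per signature packet, flagging MD5/SHA-1 as weak."""
    report = []
    for index, (tag, body) in enumerate(iter_packets(blob)):
        if tag != SIGNATURE_TAG:
            continue
        sig_type, _pk_algo, hash_algo = signature_fields(body)
        report.append({
            "packet": index,
            "sig_type": sig_type,
            "hash": HASH_ALGOS.get(hash_algo, f"algo {hash_algo}"),
            "weak": hash_algo in WEAK_HASHES,
        })
    return report


# --- constructed key blob: real packet framing, placeholder contents ---

def _old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a one-octet length, as gpg --export emits for short packets."""
    assert len(body) < 256
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _v4_signature(sig_type: int, hash_algo: int) -> bytes:
    hashed = b"\x05\x02\x5e\x1e\x0b\x00"                   # one subpacket: signature creation time (type 2)
    mpi = b"\x01\x00" + b"\x80" + bytes(31)                # placeholder 256-bit MPI
    return (bytes([4, sig_type, 1, hash_algo])            # version 4, type, RSA (1), hash algorithm
            + len(hashed).to_bytes(2, "big") + hashed
            + b"\x00\x00"                                   # no unhashed subpackets
            + b"\xab\xcd"                                   # left 16 bits of the hash
            + mpi)


_RSA_N = b"\x01\x00" + b"\x80" + bytes(31)                 # placeholder 256-bit modulus MPI
_RSA_E = b"\x00\x11\x01\x00\x01"                           # 17-bit exponent MPI (65537)
SAMPLE_KEY = (
    _old_packet(6, bytes([4, 0x5e, 0x1e, 0x0b, 0x00, 1]) + _RSA_N + _RSA_E)   # v4 public key, RSA
    + _old_packet(13, b"Alice <alice@example.org>")                           # user ID
    + _old_packet(2, _v4_signature(0x13, 2))                                  # positive certification, SHA-1
    + _old_packet(2, _v4_signature(0x13, 8))                                  # the same, SHA-256
)

if __name__ == "__main__":
    for entry in audit_signatures(SAMPLE_KEY):
        flag = "WEAK" if entry["weak"] else "ok"
        print(f"packet {entry['packet']}: sigclass 0x{entry['sig_type']:02x} {entry['hash']} {flag}")
```

On a real key, `gpg --export KEYID` writes the same packet stream to stdout; feed those bytes to audit_signatures. The packet indices line up with `gpg --list-packets`, which prints the same field as "digest algo", so the two can be cross-checked. Third-party certifications on your user IDs that come back as SHA1 are the ones a current GnuPG will no longer honour and the ones worth asking the signer to re-issue.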
SIM swapping is easy
An Empirical Study of Wireless Carrier Authentication for SIM Swaps
Tool of the week
Citrix ADC (NetScaler) vulnerability tool
We are only disclosing this due to others publishing the exploit code first
Best new gadgets from CES 2020
Other interesting articles
##Coding Education Should Be Integrated into K-8 Curriculum
An educational technology specialist said that coding education should be integrated across the K-8 school curriculum rather than taught as a standalone subject. Students are likely to develop better problem-solving and design skills if they have an application for coding outside of the computer science lab.
##Securing open source: How Google supports the new Kubernetes bug bounty
At Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the Cloud-Native Computing Foundation (CNCF) announced a new bug bounty program for Kubernetes that we helped create and get up and running. Here’s a brief overview of the program, other ways we help secure open-source projects, and information on how you can get involved.
##And finally, What’s the best security-inspired haiku you can come up with?
It’s a Monday (tomorrow). Need something lighter to think about? Share your security-inspired haiku
What bypassed my firewall?
Spear-phishing the CEO.
##HACKING, TOOLS and FUN – CHECK BELOW!
URL: http://bit.ly/2FBDJUC (+)
Description: The Bug That Exposed Your PayPal Password.
URL: http://bit.ly/2tGKrG0 (+)
Description: Bypass SameSite Cookies Default to Lax and GET CSRF.