Security Stack Sheet #81

Word of the week

“Master password” & “2FA or not 2FA, that is the question”

According to the 2017 Verizon Data Breach Report, 81% of breaches are caused by weak or reused passwords. So creating strong passwords is essential (?)


Links HERE and HERE and HERE and HERE and HERE and HERE and alternatives to passwords HERE and Secure Remember Me (?) HERE

Push notifications are the future of multi-factor authentication (?) HERE Pros and cons HERE Most secure (?) HERE Exploited? HERE

Word of the week special

“The Dr Jekyll and Mr Hyde of Cybersecurity”



“Artificial Personas and Public Discourse”

Presidential campaign season is officially, officially, upon us now, which means it’s time to confront the weird and insidious ways in which technology is warping politics. One of the biggest threats on the horizon: artificial personas are coming, and they’re poised to take over political debate. The risk arises from two separate threads coming together: artificial intelligence-driven text generation and social media chatbots. These computer-generated “people” will drown out actual human discussions on the Internet.

Text-generation software is already good enough to fool most people most of the time. It’s writing news stories, particularly in sports and finance. It’s talking with customers on merchant websites. It’s writing convincing op-eds on topics in the news (though there are limitations). And it’s being used to bulk up “pink-slime journalism” — websites meant to appear like legitimate local news outlets but that publish propaganda instead.


“No code development security”

Google acquires AppSheet to bring no-code development to Google Cloud

Links HERE and HERE and Security HERE






Thanks to Mithun



Crypto challenge of the week

HackingLab Challenge – SmileNcryptor 4.0

You hacked into the system of and you found a SQL-Dump with $$-creditcards numbers. As a good hacker you inform the company from which you got the dump. The managers tell you that they don’t worry, because the data is encrypted.

Analyse the “Encryption”-method and try to decrypt the flag.


Hints: the CC numbers are valid ones; cyber-managers often don’t know the difference between encoding and encryption.
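The hint above is the whole point of the challenge: encoding needs no key, so a "protected" field that is merely encoded is still cleartext cardholder data for anyone holding the dump. The following is an added example, not part of the HackingLab challenge or its solution: a defender's check for a SQL dump that recognises base64-wrapped card numbers by their Luhn checksum (the property the hint says every card number in the dump has) and shows PCI-style truncation as the storage form that does not need a key at all. The sample value is constructed from the standard Visa test PAN 4111111111111111, not a real account.

```python
import base64
from typing import Optional

# Constructed sample: the well-known Visa *test* PAN, base64-encoded the way a
# dump field might look when someone calls encoding "encryption".
SAMPLE_PAN = "4111111111111111"
SAMPLE_DUMP_VALUE = base64.b64encode(SAMPLE_PAN.encode()).decode()


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and passes the Luhn checksum."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def recover_if_merely_encoded(value: str) -> Optional[str]:
    """Return the card number if `value` is only base64 around a Luhn-valid
    digit string, i.e. reversible by anyone without any secret.
    Returns None when the field is not trivially decodable (which does NOT
    prove it is properly encrypted, only that this check cannot tell)."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return decoded if luhn_valid(decoded) else None


def mask_pan(pan: str) -> str:
    """PCI-style truncation: only the last four digits survive, so there is
    nothing to decrypt or decode later."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    leaked = recover_if_merely_encoded(SAMPLE_DUMP_VALUE)
    print("dump field:", SAMPLE_DUMP_VALUE)
    print("recoverable without a key:", leaked)
    print("what should have been stored:", mask_pan(SAMPLE_PAN))
```

Real encryption is the opposite of this check: without the key, `recover_if_merely_encoded` (or any other keyless transform) must return nothing useful, and the key must live somewhere the dumped table does not.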


PenTest magazine CTF



jQuery CTF Challenge answers




  • May 25th 2018: Almost 2 years of GDPR Live! See incidents section below GDPR Enforce Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance  BEWARE! Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • 31st of January 2020 – New Year Brexit! Or sooner or later?
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • November 3rd 2020: Trump’s second term start


  • 2022 – First trip to Mars according to Elon Musk
  • 2024 – Back to the Moon according to Trump and NASA


Book of the month

S**t I Can’t Remember: An Organizer for All Your Passwords and S**t


Comic of the week

 - Dilbert by Scott Adams

##Some OWASP stuff first

-Password Storage Cheat Sheet


-Authentication Cheat Sheet


-Detecting Citrix CVE-2019-19781 with OWASP Nettacker

Link HERE and more tech detail HERE and HERE Video explaining the issue HERE




All InfoSec events HERE

Protecting your Cloud Native & Kubernetes environments from exposure and breach with Cisco Stealthwatch Cloud

Wednesday, January 22nd, 2020 at 1:00 PM EST (18:00:00 UTC)




Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


Microsoft ends support for Windows 7

Support for Windows 7 ended this week which means that security or software updates will no longer be provided by Microsoft.

Windows 7 will continue to run, but it will become more vulnerable to viruses and malware. The best way to remain secure is to use the latest operating system available.

Microsoft resolves vulnerability following NSA report

The US National Security Agency (NSA) identified a vulnerability in Windows 10 this week which could have been exploited by hackers.

The flaw, which was reported to Microsoft by the NSA, existed in a core component of Windows known as crypt32.dll and could allow an attacker to undermine how the program verifies cryptographic trust and enable remote code execution.

Threat of cyber attacks keeping business leaders up at night

The threat of hackers and cyber attacks has moved to the top of business leaders’ worry lists, as revealed by a new survey from Allianz Global Corporate & Specialty (AGCS).

The survey of 2,718 executives across 102 countries highlighted that cyber incidents have topped the poll for the first time ever. It was listed by 39% of respondents as their biggest concern. Just seven years ago, cyber incidents ranked 15th on the list, with 6% choosing it.

NCSC on the Citrix vulnerability CVE-2019-19781


Link HERE – Report Vulns to NCSC HERE

API Security Issue 66 – Vulnerabilities in TikTok and InfiniteWP Client, AppSecCali 2020


Unsupervised Learning: No. 211


Incidents & events detail

Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

Link HERE Activity HERE

A Facebook Bug Exposed Anonymous Admins of Pages

A bad code update allowed anyone to easily reveal which accounts posted to Facebook Pages—including celebrities and politicians—for several hours.


Cable Haunt


A critical vulnerability found in cable modems from various manufacturers across the world. The vulnerability enables remote attackers to execute arbitrary code on your modem, indirectly through an endpoint on the modem. Your cable modem is in charge of the internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participate in botnets.

The vulnerable endpoint is exposed to the local network, but can be reached remotely due to improper WebSocket usage. Through malicious communication with this endpoint, a buffer overflow can be exploited to gain control of the modem. The technical report can be downloaded below.
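The "reached remotely due to improper WebSocket usage" part is the detail worth dwelling on: a WebSocket endpoint that is only supposed to serve the device's own web UI becomes reachable from anywhere if it accepts upgrade requests regardless of where the browser was sent from. The following is an added example and not code from the Cable Haunt researchers or any modem vendor; it shows the general mitigation for a local management WebSocket, which is to validate the Host and Origin headers of the upgrade request against the device's own addresses. The addresses, header sets and the assumption that the endpoint is only ever used from a browser on the device's own UI are constructed for the example.

```python
from typing import Dict
from urllib.parse import urlsplit

# Constructed: the addresses under which the device's own web UI is served.
ALLOWED_HOSTS = {"192.168.100.1", "modem.local"}


def _hostname(authority: str):
    """Hostname part of a Host header or URL authority (strips any port)."""
    return urlsplit("//" + authority).hostname


def handshake_allowed(headers: Dict[str, str]) -> bool:
    """Accept a WebSocket upgrade only from the device's own web UI.

    Host must name the device itself (a request that reached us under some
    other name was not addressed to our UI) and Origin, which browsers always
    send on WebSocket upgrades, must point at one of our addresses too.
    Requests without Origin are rejected: this endpoint is browser-only."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False
    if _hostname(h.get("host", "")) not in ALLOWED_HOSTS:
        return False
    origin = h.get("origin")
    if origin is None:
        return False
    parsed = urlsplit(origin)
    if parsed.scheme not in ("http", "https"):
        return False
    return parsed.hostname in ALLOWED_HOSTS


# Constructed upgrade requests: one from the device's own UI, one where a
# browser elsewhere was pointed at the same endpoint by a third-party page.
LOCAL_UI_REQUEST = {
    "Host": "192.168.100.1:8080",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Origin": "http://192.168.100.1:8080",
}
CROSS_ORIGIN_REQUEST = {
    "Host": "device-lookalike.example",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Origin": "http://third-party.example",
}

if __name__ == "__main__":
    print("own UI:", handshake_allowed(LOCAL_UI_REQUEST))           # True
    print("cross-origin:", handshake_allowed(CROSS_ORIGIN_REQUEST))  # False
```

The Host check alone already rejects requests that arrive under a name the device does not own; the Origin check additionally rejects a browser on the LAN that was steered to the right address by a page served from elsewhere. Neither replaces fixing the buffer overflow behind the endpoint; they only take it off the remote attack surface.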


P&N Bank Discloses Breach

Australia’s P&N Bank has disclosed a breach that compromised customer data, including names, account numbers, and account balances. The incident occurred around the second week of December 2019 during a server upgrade. P&N believes that the intruders gained entry through a third-party hosting provider.


WordPress Plugin Flaws Affect 320,000 Sites

Critical flaws in two WordPress plugins could be exploited to access websites’ administrator accounts without a password. The affected plugins – InfiniteWP Client and WP Time Capsule, run on 300,000 and 20,000 websites, respectively. The developers of both plugins have addressed the issues in updates.
WordPress just can’t get its act together. There are two ways to run WordPress: Either you run it at and pay, or you don’t run it. WordPress’s business model is based on the fact that the only way to run its product securely is if you let them manage it for you.
Automating plugin updates for CMS systems prevents more problems than it creates. Coupled with incremental backups which permit easy roll-back, the risks are largely mitigated. Reviewing and removing unused plugins regularly is also prudent.


Remember: Chinese hacker group caught bypassing 2FA

Chinese state-sponsored group APT20 has been busy hacking government entities and managed service providers


Microsoft Patch Tuesday crypt32.dll Vulnerability Overview

As part of today’s “Patch Tuesday”, Microsoft addressed a critical flaw in the Windows 10 and Windows Server 2016 version of crypt32.dll. Crypt32.dll implements the Windows CryptoAPI, which provides various cryptographic features used by software to verify digital signatures. This flaw was originally discovered by the NSA, but has not been used in attacks yet.

In this webcast, you will learn more about the nature of the vulnerability, how it could be exploited, and current recommendations to implement the patches as efficiently as possible.



Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates



Proof-of-Concept Exploit Code Released for Critical Cryptographic Flaw in Windows 10

The US National Security Agency (NSA) has deemed a cryptographic flaw it found in Windows 10 so critical that it took the unusual step of disclosing the flaw itself. The flaw could be exploited to spoof code signing certificates. The issue also affects Windows Server 2016 and 2019 and “applications that rely on Windows for trust functionality.” The Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the issue by January 29. Proof-of-concept exploit code for the vulnerability has been released.
SANS created a test site at The site also offers a benign executable that was signed with an exploit signature. Use it to test your defenses. Many endpoint protection products and even Chrome have added rules to detect bad signatures, possibly protecting you even if you are not yet patched.

Links HERE and HERE and HERE

New Iranian data wiper malware hits Bapco, Bahrain’s national oil company

Saudi Arabia’s cyber-security agency spots new Dustman data-wiping malware


Apple Denies FBI Request to Unlock Shooter’s iPhone—Again


Ring says it has fired four employees for abusing access to user video

The company said so in a letter to senators


Research of the week

Featuring – Android Mobile App Data Sharing is “Out of Control”

A report from the Norwegian Consumer Council says that the sharing of sensitive information by Android apps is “out of control.” According to analysis of 10 popular Android apps conducted by Mnemonic, the apps share sensitive user data with numerous third-parties. Mnemonic conducted its analyses between June and November 2019. In all, the 10 examined apps sent user data to a total of 135 separate third-party entities that all engage in advertising or behavioral marketing.
At the same time, users are complaining that the latest iOS release from Apple is “too noisy” with its location tracking alerts. In the end, many people just want things to work and don’t care who they are sharing what information with.
For many applications, enabling access to sensitive data is needed for desired functionality. Even so, in current Android operating systems, you can now review application privileges and ensure that you’ve not granted extra permissions in the heat of installing a new app. While reading the privacy/data sharing agreements is a good way to find out where a given application will share data, providers need to make sure they are short, easy to understand, and quick to read so users will look at the


Uploading web.config for Fun and Profit 2

This is the second part of my Uploading web.config For Fun and Profit! I wrote the original blog post back in 2014 [1] in which I had described a method to run ASP classic code as well as performing stored XSS attacks only by uploading a web.config file.

In this blog post, as well as focusing on running the web.config file itself, I have covered other techniques that can come in handy when uploading a web.config in an application on IIS. My main goal is to execute code or commands on the server using a web.config file and have added more techniques for stored XSS as well.

The techniques described here have been divided into two major groups depending on whether a web.config file can be uploaded in an application root or in a subfolder/virtual directory. Please see [2] if you are not familiar with virtual directory and application terms in IIS. Another blog post of mine can also be helpful to identify a virtual directory or an application during a blackbox assessment [3].


Remember: SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust

The SHA-1 hash function was designed in 1995 and has been widely used for two decades. A theoretical collision attack was first proposed in 2004 [WYY05], but due to its high complexity it was only implemented in practice in 2017, using a large GPU cluster [SBK+17]. More recently, an almost practical chosen-prefix collision attack against SHA-1 has been proposed [LP19]. This more powerful attack allows building colliding messages with two arbitrary prefixes, which is much more threatening for real protocols. In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collision attacks against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 2^61.2 rather than 2^64.7, and chosen-prefix collisions with a complexity of 2^63.4 rather than 2^67.1. When renting cheap GPUs, this translates to a cost of 11k US$ for a collision, and 45k US$ for a chosen-prefix collision, within the means of academic researchers. Our actual attack required two months of computations using 900 Nvidia GTX 1060 GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time preparing the attack). Therefore, the same attacks that have been practical on MD5 since 2009 are now practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes and handshake security in secure channel protocols (TLS, SSH). We strongly advise to remove SHA-1 from those types of applications as soon as possible. We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can therefore be transferred to the second key, leading to a forgery. This proves that SHA-1 signatures now offer virtually no security in practice.
The legacy branch of GnuPG still uses SHA-1 by default for identity certifications, but after notifying the authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as CVE-2019-14855).
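Why a chosen-prefix collision turns into a forged certification deserves one concrete illustration: a signature is computed over the digest of the certified data, so two key packets with chosen, different identities and the same digest share every signature ever made on either of them. The following is an added example, not code from the paper's authors or from GnuPG. It replaces SHA-1 with a deliberately weak 16-bit toy digest so that a chosen-prefix collision can be found in milliseconds by a birthday search, and stands in for the certifier's signature with an HMAC under a secret key (the transfer property depends only on "sign the digest", not on the signature algorithm). Identities, prefixes and the key are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

Digest = Callable[[bytes], bytes]


def toy_digest(msg: bytes) -> bytes:
    """Deliberately weak: first two bytes of SHA-256, i.e. a 16-bit digest.
    Stands in for a hash whose collisions have become affordable."""
    return hashlib.sha256(msg).digest()[:2]


def strong_digest(msg: bytes) -> bytes:
    """Full SHA-256, the comparison case."""
    return hashlib.sha256(msg).digest()


def find_chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes,
                                 digest: Digest = toy_digest) -> Tuple[bytes, bytes]:
    """Birthday search: two messages, each starting with its own chosen
    prefix, with equal digests. Feasible here only because the toy digest
    is 16 bits; the paper's result is that this is now affordable for SHA-1."""
    seen: Dict[bytes, bytes] = {}
    counter = 0
    while True:
        m_a = prefix_a + str(counter).encode()
        seen[digest(m_a)] = m_a
        m_b = prefix_b + str(counter).encode()
        d = digest(m_b)
        if d in seen:
            return seen[d], m_b
        counter += 1


# Constructed secret of the certifying party (plays the role of a signing key).
CERTIFIER_KEY = os.urandom(32)


def certify(key_packet: bytes, digest: Digest) -> bytes:
    """'Signature' over digest(key_packet): an HMAC stands in for RSA/EdDSA
    because only the sign-the-digest structure matters for the demonstration."""
    return hmac.new(CERTIFIER_KEY, digest(key_packet), hashlib.sha256).digest()


def verify(key_packet: bytes, signature: bytes, digest: Digest) -> bool:
    return hmac.compare_digest(certify(key_packet, digest), signature)


def demonstrate_transfer() -> Tuple[bool, bool]:
    """Returns (forgery verifies under the weak digest,
                forgery verifies under the strong digest)."""
    honest_prefix = b"uid=alice@example.test;key="     # identity that gets certified
    impostor_prefix = b"uid=mallory@example.test;key="  # identity that wants the certification
    honest, impostor = find_chosen_prefix_collision(honest_prefix, impostor_prefix)
    sig = certify(honest, toy_digest)                   # certifier only ever signs Alice's packet
    transferred = verify(impostor, sig, toy_digest)     # ...yet it validates Mallory's
    with_strong_hash = verify(impostor, certify(honest, strong_digest), strong_digest)
    return transferred, with_strong_hash


if __name__ == "__main__":
    weak, strong = demonstrate_transfer()
    print("certification transfers under the weak digest:", weak)      # True
    print("certification transfers under SHA-256:", strong)            # False
```

The search is symmetric in the two prefixes, so the impostor's packet can carry any identity; that is exactly what makes a chosen-prefix collision worse than an identical-prefix one. The practical lesson from the paper is the last line of the program: the same two packets are harmless under a digest without affordable collisions, which is why the fix is to stop certifying with SHA-1 rather than to scrutinise the certified identities.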

Links HERE and HERE

SIM swapping is easy

An Empirical Study of Wireless Carrier Authentication for SIM Swaps


Tool of the week

Citrix ADC (NetScaler) vulnerability tool

We are only disclosing this due to others publishing the exploit code first


Best new gadgets from CES 2020



Other interesting articles 

##Coding Education Should Be Integrated into K-8 Curriculum

An educational technology specialist said that coding education should be integrated across the K-8 school curriculum rather than taught as a standalone subject. Students are likely to develop better problem-solving and design skills if they have an application for coding outside of the computer science lab.
While it is good for people to know how to code, our problem is not a shortage of coders but one of quality code. Currently we have too much porous code written by amateurs.



##Securing open source: How Google supports the new Kubernetes bug bounty

At Google, we care deeply about the security of open-source projects, as they’re such a critical part of our infrastructure—and indeed everyone’s. Today, the Cloud-Native Computing Foundation (CNCF) announced a new bug bounty program for Kubernetes that we helped create and get up and running. Here’s a brief overview of the program, other ways we help secure open-source projects and information on how you can get involved.



##And finally, What’s the best security-inspired haiku you can come up with?

It’s a Monday (tomorrow). Need something lighter to think about? Share your security-inspired haiku

Cryptowall invades.

What bypassed my firewall?

Spear-phishing the CEO.




AppSec Ezine

Must see

URL: (+)

Description: The Bug That Exposed Your PayPal Password.

URL: (+)

Description: Bypass SameSite Cookies Default to Lax and GET CSRF.

Links HERE and credits to HERE




