Security Stack Sheet #82

Word of the week

“Code obfuscation”

Don Yang's obfuscated C source code spells his name

Links HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and tool HERE and in OWASP top 10 mobile HERE and HackerOne finding HERE

Word of the week special

“DevSecOps Trenches” – Lessons learned

Though the security teams may have different names at different companies (e.g. AppSec vs ProdSec), they tend to have the same core responsibilities: developer security training, threat modelling and architecture reviews, triaging bug bounty reports, internal pen testing, and building security-relevant services, infrastructure, and secure-by-default libraries


Link HERE and State of the Union HERE

AND

“Data Driven Bug Bounty”

The core health metrics of an effective bug bounty program are: the time it takes to first respond to a researcher, time to triage, time to bounty, and time to resolution. Time to response and time to bounty are overall the most important

Link HERE and Automating bug finding in practice HERE

 

Bonus


Link HERE


Link HERE

Word of 2020 – “Awakening”

Link HERE – thanks to Mithun


Link HERE


Link HERE


Page from the book – the Phoenix Project – thanks to Prash

Crypto challenge of the week

Bet you can’t solve this Google interview question

Breaking tough problems into small pieces


Link HERE

Try Hack Me – Binex and Daily Bugle!

Link HERE

 

Dates

  • New Year 2020

Security Concerns for 2020 — Some Dude Says

Link HERE

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective. Link HERE
  • June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance. BEWARE! Link HERE
  • Now: TLS1.2 mandatory for proper security. HTTPS everywhere HERE
  • 31st of January 2020 – New Year Brexit! Or sooner or later?
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will downgrade you HERE
  • November 3rd 2020: Trump’s second term start

“Meghan Markle will run for US President” predicts PR expert

Link HERE

  • 2022 – First trip to Mars according to Elon Musk


Link HERE

  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Serverless Security: Protect Functions Using the CLAD Security Model

Link HERE – thanks to Alvin

Comic of the week

Master Engineer - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP wiki – Our Website Migration Journey


Link HERE

-OWASP Threat Model Cookbook Project

This project is about creating and publishing threat model examples

Links HERE and HERE

-The security phoenix – from the ashes of DEV-OPS Appsec California 2020

Link HERE

-OWASP Nettacker by Sam Stepanyan

Link HERE

-Top 10 Python security best practices

Link HERE

-Finding Your First Bug: Cross-Site Request Forgery (CSRF)

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE

S4x20: A write-up

This year, I attended the S4 conference in Miami South Beach for the second time. It is a great event, one of the very few cybersecurity events focused on ICS.

Link HERE

What I Learned Watching All 44 AppSec Cali 2019 Talks

Link HERE

Search for security in videos

Link HERE

Designing a Secure Microservices Architecture

Tuesday, January 28th, 2020 at 3:30 PM EST (20:30:00 UTC)

Link HERE

Hardening Kubernetes clusters – playlist

Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country

NCSC Weekly Threat Report


Citrix roll out new patches for ADC and Gateway vulnerability

Last week we issued an alert detailing the exploitation of a critical vulnerability, CVE-2019-19781, in the Citrix Application Delivery Controller (ADC) and Citrix Gateway.

Citrix initially issued mitigation advice and is due to roll out patches for the vulnerability, which you will find on their website. When they are live we will also link directly to them from here in the Threat Report.

Time spent recovering from ransomware attacks on the increase

A recent report into ransomware by cyber security company Coveware suggests that the average length of time organisations spend recovering from a ransomware attack has increased from 12 to 16 days.

Attackers are also increasing the amount they demand: the report notes that the average payment has doubled in the last 6 months.

Zero-day vulnerability warning from Microsoft

Microsoft has confirmed that a zero-day vulnerability affecting Internet Explorer is being exploited by attackers.

Zero-day refers to recently discovered vulnerabilities (or bugs), not yet known to vendors or antivirus companies, that attackers can exploit.

The security advisory (ADV200001) issued by Microsoft confirms the vulnerability is found in the scripting engine of Internet Explorer across all versions of Windows. If exploited, it could give an attacker the same rights as the user and allow them to take control of the system.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 67: RFC for OAuth 2.0 Token Exchange, JWT Webinar

Link HERE

Troy Hunt Blog – Issue 175

Link HERE

Incidents & events detail

Rogers’ internal passwords and source code found open on GitHub

Link HERE

Top takes: A Facebook drama in three acts

An exclusive report, in collaboration with Der Spiegel, reveals a network of fake accounts building fake lifetimes in fake ways

Link HERE

Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear

It’s got a name and logo so it’s serious, you guys

Links HERE and HERE

Hackers target unpatched Citrix servers to deploy ransomware

REvil ransomware gang has been spotted abusing Citrix bug to infect victims

Link HERE and HERE and fixes HERE

FBI Seizes Website Suspected Of Selling Access To Billions Of Pieces Of Stolen Data

Link HERE

Equifax Settles Class-Action Breach Lawsuit for $380.5M

Link HERE

NSA: Microsoft Releases Patch to Fix Latest Windows 10 Vulnerability

Link HERE

LastPass stores passwords so securely, not even its users can access them

Login management service sulks in days-long TITSUP* for some

Link HERE

Call to Reform UK’s Computer Misuse Act

The CLRNN has published a report calling for the UK government to update the Computer Misuse Act (CMA) which was enacted in 1990. CLRNN says that the law’s vague definition of “unauthorized access” does not go far enough to protect the activity of legitimate security researchers. Furthermore, the law’s definition of “computer” does not take into account the growth of the Internet of Things and mobile devices. CLRNN has also proposed changes that would bring the law up to date.
[Neely]
The CMA was enacted to fill gaps in existing legislation rather than be a comprehensive computer crime law and was based on relevant issues from 1990. While the computer crime legislation and supporting policy, such as the CMA, are designed to be technology-independent for long term relevance and applicability, they need to include a plan for review and update as technology, risks and tactics evolve.
[Murray]
We have both of these problems in our own Computer Fraud and Abuse Act. Both laws were passed when most computer systems were private and most “authorized” use was by insiders. We have known about these problems in these laws for a decade. While drafting the necessary changes is difficult, it is, nonetheless, about time.

Link HERE

Saudi Arabia denies hacking Jeff Bezos’ phone

Link HERE

EFS Ransomware

Link HERE

Cyber-security salaries soar as firms scrabble to lock up data

Link HERE

Research of the week

Featuring – Remote code execution, cross-site scripting, and denial of service vulnerabilities account for 2/3 of known vulnerabilities in .NET ecosystem

This report is split into three posts:

Link HERE

Facebook’s Coordinated Inauthentic Behavior – An OSINT Analysis

Key Takeaways

  • A lot of the information shared by social media companies is still incomplete or missing.
  • Further transparency on processes and data is required to increase visibility and awareness of campaigns.
  • Elections have been a key focus of CIB campaigns.
  • CIBs are also currently used in conflict-affected & politically vulnerable countries (e.g. Northern & Eastern Africa), although under-reported by media outlets.
  • The data collected on Facebook’s CIBs is available on GitHub.
  • A similar study for Twitter is on its way

Link HERE

GOOD PRACTICES FOR PROFESSIONALS ON THE MOVE (French)

AND

DIGITAL AGILITY AND SECURITY: METHOD AND TOOLS FOR PROJECT TEAMS (French)

Passport - 9 good practices

Links HERE and HERE and doc HERE and HERE

NIST PRIVACY FRAMEWORK: A TOOL FOR IMPROVING PRIVACY THROUGH ENTERPRISE RISK MANAGEMENT

Following a transparent, consensus-based process including both private and public stakeholders to produce this voluntary tool, the National Institute of Standards and Technology (NIST) is publishing this Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework), to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy. The Privacy Framework can support organizations in:

-Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole

-Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment

-Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators

Link HERE

Tool of the week

Remember: Exploit Prediction Scoring System (EPSS)

Links HERE and HERE and the tool HERE

Tool Release – Enumerating Docker Registries with go-pillage-registries

Link HERE

A Beginner’s Guide to OSINT Investigation with Maltego

Link HERE

Remember: Awesome hacking

A collection of awesome lists for hackers, pentesters & security researchers

Link HERE

Microsoft Security Code Analysis – a tool that seamlessly empowers customers to enable security controls in your CI/CD pipeline

Link HERE

Azure Services Overview

Overview of Azure services by categories

Link HERE

TOP 20 tools every Blue Teamer should have in 2020

Link HERE

DeepBlueCLI

PowerShell Module for Threat Hunting via Windows Event Logs

Link HERE

Other interesting articles 

##Real-World Threat Modelling – by Mike Goodwin

5 Pragmatic Tips from Someone Who Has Experienced the Pain and the Pleasure of Threat Modelling

Link HERE

 

##A Risky Future?

I am a certified AWS Developer, AWS Systems Architect, Agile Project Manager, Trainer, and lifelong business consultant. This provides me with a broad view and a specific ability to build enterprise systems on a range of platforms. My recent focus has been Python, Javascript / Node.js where there are lots of vulnerabilities. This is about where we are now and the changes we can see coming

Link HERE

 

##The state we’re in


Link HERE – thanks to Ben

 

##(in)Secure Development – Why some product teams are great and others aren’t…

Hero's Journey

Fun fact: many of the most popular stories have the same structure, ranging from ancient Greek texts to most fantasy books to movies like The Matrix

Link HERE

 

##And finally, The Secretive Company That Might End Privacy as We Know It

A little-known start-up helps law enforcement match photos of unknown people to their online images — and “might lead to a dystopian future or something,” a backer says.

Until recently, Hoan Ton-That’s greatest hits included an obscure iPhone game and an app that let people put Donald Trump’s distinctive yellow hair on their own photos.

Then Mr. Ton-That — an Australian techie and onetime model — did something momentous: He invented a tool that could end your ability to walk down the street anonymously, and provided it to hundreds of law enforcement agencies, ranging from local cops in Florida to the F.B.I. and the Department of Homeland Security.

His tiny company, Clearview AI, devised a groundbreaking facial recognition app

Links HERE and HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.isec.pl/all-is-xss-that-comes-to-the-net/

Description: All is XSS that comes to the .NET.

URL: http://bit.ly/2FRi1fo  (+)

Description: Busting Cisco’s Beans :: Hardcoding Your Way to Hell.

Links HERE and credits to HERE
