Security Stack Sheet #84

Word of the Week

“Coronavirus Cybersecurity Preparedness”

The recent Coronavirus (2019-nCoV) outbreak has moved the topic of an epidemic or pandemic impacting businesses from the hypothetical to the possible. With 25,000 infections and counting, now is a good time to consider the business and cyber impacts of an illness such as this. The primary risks fall into two categories: (1) fraud and other ways criminals take advantage of situations like this, such as fake donation sites, malware and fake news, and (2) business continuity preparedness measures such as reviewing remote access capacity, understanding the limitations of biometric authentication, supply chain considerations, an emergency communication plan, and plans for business shutdown if appropriate.
[Ullrich]
Fraud and malware related to the Coronavirus are currently seen in Asia. Catastrophic events tend to be used for fraud as news focuses on them, and in the US, impeachment and primaries have dominated the news. Expect more virus-related fraud as news media pay more attention to it. And please let us know if you see anything via our contact form: isc.sans.edu/contact.html

[Neely]
The Coronavirus introduces an illness which does not yet have a cure, and is resulting in sometimes unexpected quarantine and other restrictions which can have a direct business impact. Johannes Ullrich does an excellent job of summarizing things to consider and revisit in your DR plans in the ISC diary entry.

Links HERE and HERE and HERE and HERE and HERE

Word of the Week Special

“JavaScript Libraries Are Almost Never Updated Once Installed” & “Defensive Javascript”

AND


Links HERE and HERE and a Tool JScrambler HERE

 

Bonus


Link HERE


Link HERE


Link HERE

Link HERE


Link HERE


Link HERE


Link HERE


Slot Machines vs Election Software

Link HERE


Link HERE


Link HERE


Thanks to Alvin

Crypto challenge of the week

2020 Alan Turing Cryptography Competition open

The University of Manchester

Link HERE

 

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below – GDPR Enforcement Tracker Link HERE – thanks to Marius

CNIL publishes a GDPR guide for developers (in French)

Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE

CCPA Questions and Answers

Link HERE

  • Now: TLS 1.2 is the minimum for proper security – HTTPS everywhere HERE
  • DO NOT DELAY the TLS 1.2 migration PAST JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSL Labs now caps any server that still supports TLS 1.0 at a B grade – Qualys will downgrade you HERE – DONE

Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.

  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • November 3rd 2020: US presidential election


Link HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Link HERE – thanks to Naz

Comic of the week

Vendor Not Performing - Dilbert by Scott Adams

##Some OWASP stuff first

-Why can’t we build secure software?


Link HERE

-AppSec in a Minute – Why AppSec is Getting so Much Attention

Link HERE

-Application-Security-Engineer-Interview-Questions

Link HERE

-DOM-based vulnerabilities

Fundamentally, DOM-based vulnerabilities arise when a website passes data from a source (such as the URL) to a sink, which then handles the data in an unsafe way in the context of the client's session.

Link HERE
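The source-to-sink flow described above, as an added example that is not code from the linked article. It is modelled outside a browser so it runs under Node: `FakeElement` stands in for a DOM node (in a real page the sinks are `element.innerHTML` and `location.href`), the payload and the page origin `https://app.example` are constructed for the example, and the vulnerable and fixed renderers differ only in the sink they write to.

```javascript
// Added example, not code from the linked article. FakeElement stands in for a
// DOM node so the flow runs under Node; in a browser the sinks are
// element.innerHTML and location.href. All inputs below are constructed.
class FakeElement {
  constructor() {
    this.innerHTML = '';    // parsed as markup by a real browser
    this.textContent = '';  // never parsed as markup
  }
}

// Source: the URL fragment. It is attacker-controlled and never reaches the
// server, so no server-side filter ever sees it.
function nameFromFragment(hash) {
  return decodeURIComponent(hash.startsWith('#') ? hash.slice(1) : hash);
}

// Vulnerable: the untrusted value flows straight into the innerHTML sink.
function renderGreetingVulnerable(hash, el) {
  el.innerHTML = 'Welcome, ' + nameFromFragment(hash);
  return el.innerHTML;
}

// Fixed: same source, different sink. textContent treats the value as text.
function renderGreetingSafe(hash, el) {
  el.textContent = 'Welcome, ' + nameFromFragment(hash);
  return el.textContent;
}

// Rough check used only to show that the vulnerable sink received something a
// browser would parse as a tag.
function containsMarkup(s) {
  return /<[a-zA-Z!/]/.test(s);
}

// Second sink: a redirect target taken from a query parameter (DOM-based open
// redirect). Resolving against the page origin and checking origin and scheme
// rejects protocol-relative URLs (//evil.example/...) and javascript: URLs,
// whose origin is the string "null".
function safeRedirectTarget(candidate, pageOrigin) {
  let target;
  try {
    target = new URL(candidate, pageOrigin);
  } catch (e) {
    return null;
  }
  if (target.origin !== pageOrigin) return null;
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  return target.href;
}

// Walk-through with a constructed payload in the fragment.
const payload = '#<img src=x onerror=alert(1)>';
const vulnerableOut = renderGreetingVulnerable(payload, new FakeElement());
const safeOut = renderGreetingSafe(payload, new FakeElement());
console.log('innerHTML sink received markup:', containsMarkup(vulnerableOut)); // true
console.log('textContent sink holds plain text:', safeOut);
console.log(safeRedirectTarget('/account', 'https://app.example'));             // https://app.example/account
console.log(safeRedirectTarget('//evil.example/phish', 'https://app.example')); // null
console.log(safeRedirectTarget('javascript:alert(1)', 'https://app.example'));  // null
```

The point to take from the two renderers is that the data is identical in both; only the sink decides whether it is markup or text. The redirect check deliberately resolves the candidate against the page origin rather than pattern-matching the string, because string checks miss `//host` and `javascript:` forms that the URL parser handles correctly.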

-The Secure Developer podcast – Ep. #43, Combatting Security Burnout with Stu Hirst of Just Eat

Link HERE

-0Days for Dummies


Link HERE

-Remember: The OWASP top 10 Proactive Controls


Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE – the best Conferences in 2020 HERE

Link HERE

AppSec Cali Welcome Address, Opening Note and Closing Note

Links HERE and HERE and HERE

Live Webinar | Application Security for Modern Dev

Link HERE

Webinar – Detecting and Defending Against Server-Side Request Forgery

Link HERE

The State of Software Security

Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE – find your country


NCSC Weekly Threat Report


Report claims human error is major cause of UK breaches

Showing just how tempting it can be to think that complex problems have a single, ‘simple’ cause: Cybsafe announced that 90% of data breaches in the UK are caused by human error.

The report analysed data from breaches reported to the Information Commissioner's Office (ICO) in 2019. Its findings report that nine out of ten of the 2,376 breaches reported to the ICO were due to "mistakes by users". Phishing was named as the main cause of breaches, at 45% of all the reports to the ICO.

Code repository used to host and distribute malware

It is being reported that the code repository platform, Bitbucket, is being used by cyber criminals to host and distribute malware in a number of campaigns.

Criminals have been delivering an “unprecedented number of malware” via Bitbucket according to a report by Cybereason researchers. The malicious repositories mentioned in the linked blog post were deactivated within a few hours following communication between the researchers and Bitbucket.

Cybereason report that attackers create and cycle different accounts, which are then frequently updated to avoid detection.

Users that have downloaded cracked versions of commercial software like Microsoft Office and Adobe Photoshop may have been affected.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 69: Vulnerabilities in Azure Stack and Cisco TelePresence, API fuzzing

Link HERE

Troy Hunt Blog – Issue 177

Link HERE

Unsupervised Learning 214

London Facial Recognition, Coalfire Freedom, NYT Reporter Spyware, Avast Sells Customer Data, Google’s Bounty Program, Kali 2020, Harvard Chemist Espionage, Technology News, Human News, Ideas Trends & Analysis, Discovery, Recommendations, and the Weekly Aphorism…

Link HERE

Incidents & events detail

TeamViewer security fail!


Link HERE – thanks to Marius

TrickBot Now Steals Windows Active Directory Credentials

Link HERE

Facebook’s Twitter account compromised, hacker group claims credit

Link HERE

Apple fined for slowing down old iPhones

Link HERE

CVE-2019-12180 – ReadyAPI & SoapUI command execution via malicious project file

Link HERE

Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root

Link HERE

Teens have figured out how to mess with Instagram’s tracking algorithm

Teenagers are using group accounts to flood Instagram with random user data that can’t be tied to a single person

Link HERE

Twitter security hole allowed state-sponsored hackers to match phone numbers to usernames

Link HERE

Huawei-owned company injects backdoor into their chips activated by TCP commands

Link HERE

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

A pair of security workers at a prominent cybersecurity company were contracted by the state of Iowa to conduct "penetration tests" of certain municipal buildings in September, particularly courthouses.

They were arrested in the course of doing their jobs. The charges initially were not dropped, despite admissions by the state of a miscommunication with county authorities.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts to test voting facilities in advance of the 2020 presidential election may put security professionals at risk

Links HERE and Charges dropped HERE – thanks to Naz

This WhatsApp Bug Could Have Let Attackers Access Files On Your PCs

Link HERE

I Opened My Connection To SSH Attacks, And These Were The Requests I Saw

Link HERE

Research of the week

Featuring – How to play the Elevation of Privilege threat modelling card game?

Mark and Adam demonstrate how to play the game with worked examples. We loved how this part of their talk drew on their years of experience of putting games to work. They showed how games can resolve problems in scenarios where other kinds of collaboration don't work as effectively.

Link HERE

Top Attacks Against Service Providers 2017-2019

Brute force attacks against service providers, as reported to the F5 SIRT from 2017 through 2019.

Link HERE

State of the ransomware threat, by ANSSI (in French)

2018 saw a multiplication of ransomware attacks affecting companies and institutions across the world, and they now outnumber those affecting individuals. This malicious code currently represents the most serious IT threat to companies and institutions, by the number of daily attacks and their potential impact on business continuity. Of the very many attacks of this type in France, ANSSI handled 69 incidents in 2019 within its remit.


Link HERE

Introduction to mobile network intrusions from a mobile phone

With the introduction of the packet service, mobile user equipment (UE) is able to use the IP protocol. Without the right routing and filtering of UE communications, some sensitive assets on the operator's infrastructure could be exposed, such as core network services.

Mobile operators are generally aware of this kind of attack vector and apply the right mechanisms to avoid any risk from the subscriber context. Nevertheless, those mechanisms differ from one operator to another and their effectiveness varies.

Link HERE

All the Ways Google Tracks You—And How to Stop It

Google knows more about you than you might think. Here’s how to keep it from tracking your location, web browsing, and more


Link HERE and Google Maps HACK – A guy carted 99 phones around to create traffic jams on Google Maps HERE

Tool of the week

Bots on Twitter – tool


Link HERE

Collection of information from honeypots


Link HERE

and Slides HERE

Emotet detection tool for Windows OS

Link HERE – thanks to Marius

A guide for amateur pen testers and a collection of hacking tools, resources and references to practice ethical hacking, pen testing and web security

Link HERE

Fortify on Demand Container scanning

Link HERE

Other interesting articles 

##Simple Remote Code Execution Vulnerability Examples for Beginners

Especially when I talk with newbie security researchers/bug bounty hunters, they always make me feel that they do not think themselves capable of finding Remote Code Execution vulnerabilities because they are super-complex. Because of this misconception, these people are actually not trying to find any of them, or stop looking after some time. I think maybe the reason behind it is that most of the examples/write-ups are really super-complex bugs leading to RCE from several different root causes, chained one to another. While I am always impressed by these well-written write-ups & new ways of exploitation, I still continue to look for the easy ones too when hunting. Because of this, I decided to share some of the real-world examples that I found on Synack targets for a while, which were actually low-hanging fruit and could be found/exploited by anyone. Just a few different tricks may actually exploit a vulnerability which seems not exploitable at first.

Link HERE

 

##Skeletons In The Closet: $2 Billion Cybersecurity Firm Darktrace Haunted By Characters From HP’s Failed Autonomy Deal

Former Darktrace board member Sushovan Hussain (above) is appealing a five-year prison sentence for his role in the disastrous HP Autonomy deal

Link HERE

 

##Software supply chain risk and SCA — part one

Developers no longer write every single line of code that goes into your applications or products. Software is produced using building blocks: existing open-source and third-party components, built upon to create something new. This approach enables organizations to build software quickly by reusing components that already exist.

The software supply chain is relatively new, evolving into a “thing” in the last five to seven years. The general idea of the supply chain has existed since the beginning of modern manufacturing. Think about a car; a car has a very diverse supply chain. Some parts come from the tire manufacturer, and others from a spark plug manufacturer. The automaker assembles all these component pieces to produce a car

Link HERE
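What an SCA tool actually does with those building blocks, as an added example that is not code from the linked post or from any SCA product: flatten a lockfile-style dependency tree into an inventory of every component, direct and transitive, then match each one against an advisory feed by version range. The lockfile, the package names, the versions and the `EX-2020-…` advisory identifiers below are all constructed for the example and refer to no real packages or advisories; the semver comparator handles only the `<`, `<=`, `>`, `>=` and exact clauses the constructed advisories use.

```javascript
// Added example, not code from the linked post or any SCA product. The lockfile
// and advisories are constructed; names, versions and EX-2020-* IDs are made up.
const lockfile = {
  name: 'example-app',
  dependencies: {
    'web-framework': { version: '2.4.1', dependencies: {
      'template-engine': { version: '1.0.3' },
      'query-parser': { version: '5.1.0' },
    } },
    'log-shipper': { version: '0.9.2', dependencies: {
      'query-parser': { version: '4.2.7' },   // older copy pulled in transitively
    } },
  },
};

const advisories = [
  { id: 'EX-2020-0001', pkg: 'query-parser',    vulnerable: '<5.0.0', fixed: '5.0.0' },
  { id: 'EX-2020-0002', pkg: 'template-engine', vulnerable: '>=1.0.0 <1.1.0', fixed: '1.1.0' },
];

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A range is a whitespace-separated list of clauses that must all hold.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error('unsupported range clause: ' + clause);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<':  return cmp < 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '>=': return cmp >= 0;
      default:   return cmp === 0;
    }
  });
}

// Walk the tree and record the path to each component, so a finding can be
// traced back to the direct dependency that pulled it in (that is the thing
// you actually have to update or replace).
function inventory(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    out.push({ name, version: info.version, path: here });
    inventory(info.dependencies, here, out);
  }
  return out;
}

// Match every inventoried component against every advisory for its name.
function findings(lock, advs) {
  const results = [];
  for (const comp of inventory(lock.dependencies)) {
    for (const adv of advs) {
      if (adv.pkg === comp.name && satisfies(comp.version, adv.vulnerable)) {
        results.push({
          id: adv.id,
          component: `${comp.name}@${comp.version}`,
          via: comp.path.join(' > '),
          fixed: adv.fixed,
        });
      }
    }
  }
  return results;
}

console.log(JSON.stringify(findings(lockfile, advisories), null, 2));
```

Note that `query-parser` appears twice in the constructed tree at different versions and only the older transitive copy is flagged; this is the common real-world case where the direct dependency is current but something it depends on still pins a vulnerable release, and the `via` path tells you which direct dependency to chase.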

AND

48% see security as a major constraint on the ability to deliver software quickly

Link HERE – thanks to Mithun

##And finally, How can we harness human bias to have a more positive impact on cybersecurity awareness?

It’s been encouraging to see, in recent years, that more and more CISOs and security teams understand that security can’t be solved with technology alone. I understand the tendency to want to “fix” security with a piece of shiny kit, because if that worked it would be simple and very comforting. Unfortunately, security is not simply about technology, it’s about how people engage with technology, and for this we need to focus on people at least as much as we focus on tech.


Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: http://bit.ly/2SmJ7Rn  (+)

Description: Hijacking shared report links in Google Data Studio.

URL: https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/

Description: WhatsApp Desktop Platform Multiple Vulnerabilities (CVE-2019-18426).

URL: https://techblog.mediaservice.net/2020/01/ok-google-bypass-the-authentication/

Description: OK Google – Bypass the authentication!

Links HERE and credits to HERE

 

 

 

 
