Word of the Week
Modern and Medieval Mass Surveillance – “Identify, Correlate, Discriminate”
Word of the Week Special
Governments are the frenemies of society on hacking.
Smart, unscrupulous players are exploiting the vulnerabilities of our digital devices
UK police deny responsibility for poster urging parents to report kids for using Kali Linux
Updated: Using Discord, too, is apparently a warning sign that your child is turning into a naughty hacker
Link HERE – thanks to Mithun
Translation not needed
Crypto challenge of the week
This Sculpture Holds a Decades-Old C.I.A. Mystery. And Now, Another Clue
[Browsers, Office365, Cisco and many others]
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.
Pentagon requests $15.4B for Space Force
Book of the month
Comic of the week
## Some OWASP stuff first
OpenSource Application Security Management
The leading application vulnerability management tool built for DevOps and continuous security integration.
- Thick Client Penetration Testing Methodology
Thick client pentesting involves both local and server-side processing and often uses proprietary protocols for communication.
- How to Use OWASP Amass: An Extensive Tutorial
OWASP events HERE
How to leverage endpoint detection and response (EDR) in AWS investigations
NDC London 2020 – Write-up
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Ransomware attack brings down college IT
A college in Scotland fell victim to an apparent ransomware attack last week with the incident bringing down its IT systems.
Attackers using the Coronavirus as a phishing trap
API Security Issue 70: Vulnerabilities in Twitter, Likud, Iowa caucus apps, two API security talks
Troy Hunt Blog – Issue 178
Incidents & events detail
The intelligence coup of the century
For decades, the CIA read the encrypted communications.
The Swiss cryptography firm Crypto AG sold equipment to governments and militaries around the world for decades after World War II. They were owned by the CIA:
But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.
This isn’t really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans. What is new is the formerly classified documents describing the details:
The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.
The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations’ gullibility for years, taking their money and stealing their secrets.
The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history.
Exfiltrating Data from Air-Gapped Computers Using Screen Brightness
PayPal fraud scam cost UK users £1 million in last quarter
Compensation confidentiality in tech… or not?
Checkmarx Research: SoundCloud API Security Advisory
Recently, the Checkmarx Security Research team investigated the online music platform SoundCloud. According to their website, “As the world’s largest music and audio platform, SoundCloud lets people discover and enjoy the greatest selection of music from the most diverse creator community on earth.”
Intel Discovers Security Flaw in CSME Firmware
The flaw means vulnerability to privilege escalation, denial of service and information disclosure
500 Chrome Extensions Caught Stealing Private Data of 1.7 Million Users
Malware Threats on Macs Outpace Windows For First Time Ever
Average tenure of a CISO is just 26 months due to high stress and burnout
Report: The vast majority of interviewed CISO executives (88%) report high levels of stress, a third report stress-caused physical health issues, and half report mental health issues.
440M records found online in unprotected database belonging to Estée Lauder
Internet’s safe-keepers forced to postpone crucial DNSSEC root key signing ceremony – no, not a hacker attack, but because they can’t open a safe
Online security process stalled by offline security screw-up
Research of the week
Featuring – Forging SWIFT MT Payment Messages for fun and pr… research!
With a bit of research and support we were able to demonstrate a proof of concept for introducing a fraudulent payment message to move £0.5M from one account to another, by manually forging a raw SWIFT MT103 message, and leveraging specific system trust relationships to do the hard work for us!
Escaping the Chrome Sandbox with RIDL
Vulnerabilities that leak cross process memory can be exploited to escape the Chrome sandbox. An attacker is still required to compromise the renderer prior to mounting this attack. To protect against attacks on affected CPUs make sure your microcode is up to date and disable hyper-threading (HT).
Blind SSRF exploitation
Mitigations are attack surface, too
This blog post discusses a bug leading to memory corruption in Samsung’s Android kernel (specifically the kernel of the Galaxy A50, A505FN – I haven’t looked at Samsung’s kernels for other devices). I will describe the bug and how I wrote a (very unreliable) exploit for it. I will also describe how a second vulnerability, which had long been fixed in the upstream kernel, the upstream stable releases, and the Android common kernel, but not in Samsung’s kernel, aided in its exploitation.
Reanimating Kernel Protectors
Until recently, to compromise an entire system during runtime, attackers found and exploited kernel vulnerabilities. This allowed them to perform a variety of actions: executing malicious code in the context of the kernel, modifying kernel data structures to elevate privileges, accessing protected data, etc. Various mitigations have been introduced to protect against such actions, and hypervisors have also been utilized, apart from their traditional usage for virtualization support, towards this goal. In the Android ecosystem this has been facilitated by ARM virtualization extensions, which allowed vendors/OEMs to implement their own protection functionalities/logic.
Link HERE – thanks to Alvin
Ghost in the shell: Investigating web shell attacks
Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.
DART’s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.
Principled Artificial Intelligence
Mapping Consensus in Ethical and Rights-based Approaches to Principles for AI
Dopamine and temporal difference learning: A fruitful relationship between neuroscience and AI
Attacking Driverless Cars with Projected Images
The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars from validating their virtual perception of the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. Since the application of these attacks comes with a cost (exposure of the attacker’s identity), the delicate exposure vs. application balance has held, and attacks of this kind have not yet been encountered in the wild. In this paper, we investigate a new perceptual challenge that causes the ADASs and autopilots of semi/fully autonomous cars to consider depthless objects (phantoms) as real. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. We show that the car industry has not considered this type of attack by demonstrating the attack on today’s most advanced ADAS and autopilot technologies: Mobileye 630 PRO and the Tesla Model X, HW 2.5; our experiments show that when presented with various phantoms, a car’s ADAS or autopilot considers the phantoms as real objects, causing these systems to trigger the brakes, steer into the lane of oncoming traffic, and issue notifications about fake road signs. In order to mitigate this attack, we present a model that analyzes a detected object’s context, surface, and reflected light, which is capable of detecting phantoms with 0.99 AUC. Finally, we explain why the deployment of vehicular communication systems might reduce attackers’ opportunities to apply phantom attacks but won’t eliminate them.
Tool of the week
Nray – Distributed Port Scanner
Pytm – A Pythonic Framework For Threat Modelling
Hashcracker – Python Hash Cracker
Supported hashing algorithms: SHA512, SHA256, SHA384, SHA1, MD5
Polymorphic Linux? What does it fix?
Even when expanded out to all vulnerabilities, memory-based vulnerabilities still represent approximately half of all vulnerabilities since 1999.
Planning to become OSCP Certified? Check this: OSCPRepo
Find domains and subdomains related to a given domain
Link HERE – thanks to Kane
Analyzing WhatsApp Calls with Wireshark, radare2 and Frida
A dashboard showing live data and statistics from the ZMQ feeds of one or more MISP instances. The dashboard can be used as a real-time situational awareness tool to gather threat intelligence information. The misp-dashboard includes a gamification tool to show the contributions of each organisation and how they are ranked over time. The dashboard can be used for SOCs (Security Operation Centers), security teams or during cyber exercises to keep track of what is being processed on your various MISP instances.
Other interesting articles
## These 20 ‘Hackers’ Helped Shape The Cybersecurity Landscape Forever
Best Hackers in the World
## Deep Dive into Real-World Kubernetes Threats
On Saturday, February 1st, I gave my talk titled “Command and KubeCTL: Real-World Kubernetes Security for Pentesters” at Shmoocon 2020. I’m following up with this post that goes into more details than I could cover in 50 minutes. This will re-iterate the points I attempted to make, walk through the demo, and provide resources for more information.
## Top Ten New Open Source Security Vulnerabilities in 2019 – Have you patched against these?
## And finally, BBC ideas…
What exactly is Déjà vu?
NYC Parks Are Using a Designer’s ‘Tree Font’ to Plant Secret Messages with Real Trees
## HACKING, TOOLS and FUN – CHECK BELOW!
URL: http://bit.ly/2vy4YxC (+)
Description: CSS data exfiltration in Firefox via a single injection point.
Description: Exploiting Netgear’s Routerlogin.com.