Security Stack Sheet #86

Word of the Week

“Secrets in code”

Sensitive data on GitHub

Links HERE and HERE and HERE and HERE and HERE and HERE

Secrets in code tools

An enterprise-friendly way of detecting and preventing secrets in code

Link HERE

Repo Supervisor

Scan your code for security misconfiguration, search for passwords and secrets

Link HERE

Other tools


HERE and HERE and HERE and HERE and HERE and HERE and HERE and HERE and evaluation HERE

Word of the Week Special

“DevSecOps Reference Architecture”


Link HERE


Bonus


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE

Crypto challenge of the week

KubeCon NA 2019 CTF

We’ll help you create your own Kubernetes environment so you can follow along as we take on the role of two attacking personas looking to make some money and one defending persona working hard to keep the cluster safe and healthy.

Link HERE

Avalanche 2 CTF

Avalanche 2 CTF – Pentest

Link HERE

Dates

  • May 25th 2018: almost 2 years of GDPR live! See the incidents section below. GDPR Enforce Tracker link HERE – thanks to Marius


Thanks to Naz

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective. Link HERE
  • Now: TLS 1.2 is mandatory for proper security; HTTPS everywhere HERE


  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE DONE

Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.

  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Becoming the Hacker

Becoming the Hacker ($31.99 Value) FREE for a Limited Time

Becoming the Hacker will teach you how to approach web penetration testing with an attacker’s mindset. While testing web applications for performance is common, the ever-changing threat landscape makes security testing much more difficult for the defender.

There are many web application tools that claim to provide a complete survey and defence against potential threats, but they must be analysed in line with the security needs of each web application or service. We must understand how an attacker approaches a web application and the implications of breaching its defences

Link HERE

HUMBLE BOOK BUNDLE: CYBERSECURITY 2020 BY WILEY

Link HERE – thanks to Alvin

Shodan Pentesting Guide

Link HERE

Comic of the week


##Some OWASP stuff first

-WAF Bypassing with Unicode Compatibility

Unicode compatibility is a form of Unicode equivalence which ensures that characters or sequences of characters with distinct visual appearances or behaviours are treated as the same abstract character. For example, 𝕃 is normalized to L. This behaviour can be abused against weak implementations that perform compatibility normalization after the input has been sanitized.

Link HERE
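The ordering bug described above, as an added example that is not code from the linked post: the weak implementation sanitizes first and normalizes afterwards, the hardened one normalizes first, and a small check flags inputs that change under normalization. NFKC is assumed as the compatibility form and the sample input is constructed.

```python
import html
import unicodedata

# NFKC is assumed here as the compatibility normalization form; the post only
# says "Unicode compatibility", and NFKC/NFKD are the forms that fold
# compatibility characters (fullwidth, mathematical, ...) to base characters.
FORM = "NFKC"

# Constructed input: fullwidth '<' (U+FF1C) and '>' (U+FF1E) around a harmless
# tag. Neither character is touched by html.escape().
SAMPLE = "\uFF1Cb\uFF1Ebold\uFF1C/b\uFF1E"


def normalize(s):
    """Compatibility-normalize a string, e.g. U+1D543 (mathematical double-struck L) becomes 'L'."""
    return unicodedata.normalize(FORM, s)


def sanitize_then_normalize(s):
    """Weak order from the post: sanitize first, normalize after.
    Escaping sees no '<' or '>', so nothing is encoded; normalization then
    folds the fullwidth brackets into real markup delimiters."""
    return normalize(html.escape(s))


def normalize_then_sanitize(s):
    """Hardened order: normalize first so the sanitizer sees the same text the
    downstream consumer will, then escape."""
    return html.escape(normalize(s))


def compatibility_chars(s):
    """Defender check: characters whose normalized form differs from the input.
    A non-empty result on a field expected to be plain ASCII is a cheap signal
    worth logging at the WAF or application layer."""
    return [c for c in s if normalize(c) != c]


if __name__ == "__main__":
    print(normalize("\U0001D543"))            # L
    print(sanitize_then_normalize(SAMPLE))    # <b>bold</b>  (markup survives)
    print(normalize_then_sanitize(SAMPLE))    # &lt;b&gt;bold&lt;/b&gt;
    print(compatibility_chars(SAMPLE))        # ['＜', '＞', '＜', '＞']
```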

-AppSec Podcast – Niels Tanis — 3rd Party Risk in a .NET World

Niels Tanis has a background in .NET development, pen-testing, and security consultancy. He has experience breaking, defending and building secure applications. Niels joins us to continue our .NET conversation from last year. This time around we focus on the 3rd party risk we pull into our applications by using third party libraries in a .NET world.

Link HERE

-Rate Limiting for Cyber Protection – Is it working (in your org)?

Important questions to ask when thinking about rate limiting:

Has it been implemented across all layers of your defences?

Have you adopted the right criteria to define the rate-limiting rule set?

Does your solution support complex rate-limiting algorithms and rule sets?

Link HERE

-Cloud Security Monitoring at Auth0

Links HERE and HERE

-An Introduction to Lateral Movement across networks

Link HERE


Events

OWASP events HERE

All InfoSec events HERE – the best Conferences in 2020 HERE

Small Is Beautiful: How to Improve Security by Maintaining Less Code

Link HERE

Securing a Multi-tenant Kubernetes Cluster

Link HERE

Real-World Examples of FaaS

We think there’s a revolution thing going on, which we’re going to refer to as network-based serverless or network-based Functions as a Service, but the idea is you start to forget about where the code runs. You have it all over the world near where end users are, and it just magically gets distributed and executed and scaled without you thinking about it. So Cloudflare is, if you’ve not heard of Cloudflare, we started out as a very large caching/CDN and security service. We’ve built out a very large infrastructure around the world, and we’ve built a platform for running functions written initially in JavaScript, and then any arbitrary language that supports web assembly, so in particular Rust, because that’s got the best web assembly support at the moment, and it runs across our entire network globally.

Link HERE

Next one? March 2-6 2020

AppSec California 2020 – ALL VIDEOS

Link HERE

Passwords are NOT what they are CRACKED up to be

Thu, Mar 19, 2020 3:00 PM – 4:00 PM GMT

Link HERE

Zero Trust Principles by NCSC

Network architecture is changing. More services are moving to the cloud, there is a surge in the use of Software as a Service, and users are embracing flexible working on multiple devices in a variety of locations. The traditional network perimeter is disappearing and with it, the value of traditional defences.

In a zero trust architecture, inherent trust is removed from the network. Just because you’re connected to a network doesn’t mean you should be able to access everything on that network. This is commonly seen in breaches; an attacker gains a foothold in a network and is able to move laterally because everything on the network is trusted. In a zero trust architecture, the network is treated as hostile.

However, in order to remove trust from the network, you need to instead gain confidence in the authentication, verification and authorization of users and services. This is achieved by building trust into the user’s identity, their devices, and the services they access

Link HERE

Webinar: Cloud security controls best practice

Tuesday 3 March – 10.00 AM PST

Link HERE

RSA 2020 is coming!

Preview: RSA Keynote Panel on the Most Dangerous New Attack Vectors

If you are coming to RSA, you can see the SANS “Most Dangerous Attacks” keynote (Ed Skoudis, Heather Mahalik, Johannes Ullrich) live on Thursday, February 27, or after the conference on RSA’s website.
* New threats in command and control of compromised systems
* Social engineering SOC analysts through artifacts
* Deep persistence with malware on the USB wire and supply chain attacks
* Mobile: exploits in the chip
* Enterprise perimeters: devastating vulnerabilities in enterprise perimeter security devices from major vendors.
* Localhost API attacks

Link HERE

AND

Coronavirus: IBM Says No to RSA, Facebook Cancels Marketing Meeting, Black Hat Asia Postponed

IBM said it will not attend the RSA Conference in San Francisco next week due to concerns about the coronavirus. RSA Conference executives say the event will go on as planned, from February 23-28. In related stories, Facebook has cancelled a marketing summit that was to have taken place in San Francisco in early March, and the organizers of Black Hat Asia have postponed a conference that was scheduled to be held in late March in Singapore

Link HERE


Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report


Instagram phishing campaign promises presidential money

Russian Instagram users are reportedly being targeted by a phishing campaign under the guise of a non-existent presidential decree.

Cyber criminals are using fake advertisements on Instagram accounts impersonating those of state TV channels. The adverts are crafted to look legitimate and promise upwards of 100,000 rubles (£1,210) to all citizens looking to start up a business

Amazon’s Ring makes authentication step mandatory

Ring, the home security company owned by Amazon, has updated its log in process, adding a verification code step and making it the default setting for all its products.

The change means that users will now have to enter their password and unique six-digit code when they first log in to the app, or haven’t logged in for 30 days

Link HERE – Report Vulns to NCSC HERE

API Security Issue 71 – Vulnerabilities in SoundCloud and Lime e-scooters, NIST Microservices security strategies

Link HERE

Troy Hunt Blog – Issue 179

Link HERE

Incidents & events detail

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I

Link HERE

Criminals target APIs to attack financial services systems

Link HERE

Hackers exploit zero-day in WordPress plugin to create rogue admin accounts

Attacks detected targeting sites running the ThemeREX Addons plugin

Link HERE

CVE-2019-10779: Cross-site scripting in GCHQ Stroom

Link HERE

Fox Kitten – Widespread Iranian Espionage-Offensive Campaign

Link HERE

2,000 UK Government Mobile Devices Reported Missing in Span of One Year
Over the past year, more than 2,000 UK government mobile devices, including smartphones, laptops, and external storage devices, have been reported missing. More than 1,800 of the devices are believed to be encrypted, but even one unencrypted device in the hands of the wrong individual could expose sensitive data. At least eight UK government departments say they have never been audited by the Information Commissioner’s Office (ICO); others reported that their last audit was several years ago.
[Pescatore]
There are about 3M UK central government employees; let’s just assume an average of 1 phone/laptop/storage device per employee, which is probably low. 2,000 lost out of 3M is under .1% – a very low number. I think typical average rates for mobile phone losses per year are in the 4% range. 90% of the lost devices having encryption turned on is strong progress from previous years where this same type of report came out in the UK. Enterprises: how do your loss rates and encrypted device percentages compare to the UK government?
[Neely]
Current guidance for protecting mobile devices: Both iOS and Android (version 6+) support encryption of the device and can be managed by your MDM (mobile device management software). That will require a passcode to access the device; otherwise it is transparent to the user. Make sure the device passcode strength/option is commensurate with the data protected. Additionally, options exist to sandbox applications with further encryption, but investigate the trade-off between security and usability before rolling them out. Include sending a device wipe in your lost-device reporting processes, along with a good definition of what lost means, including duration.

Link HERE

Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users

Link HERE

Redcar cyber-attack: Council using pen and paper

Link HERE – thanks to Dave

A group of ex-NSA and Amazon engineers are building a ‘GitHub for data’

Six months ago or thereabouts, a group of engineers and developers with backgrounds from the National Security Agency, Google and Amazon Web Services had an idea.

Data is valuable for helping developers and engineers to build new features and better innovate. But that data is often highly sensitive and out of reach, kept under lock and key by red tape and compliance, which can take weeks to get approval. So, the engineers started Gretel, an early-stage start-up that aims to help developers safely share and collaborate with sensitive data in real time

Link HERE

Citrix Says Hackers Had Access to its Networks for Five Months

Hackers maintained an “intermittent” presence inside Citrix networks for five months, according to a February 10, 2020, letter the company sent to users affected by the breach. Between October 13, 2018 and March 8, 2019, the hackers stole data belonging to employees, contractors, interns, and job candidates. Citrix first learned of the breach in March 2019, when the FBI notified the company that hackers had likely accessed the company’s internal network. The FBI told Citrix that the intruders may have used “password spraying” attacks to gain access.
[Neely]
As Citrix is often deployed at the perimeter to provide a virtual desktop on the corporate network, like VPN servers, it is a prime target of attack, and warrants similar monitoring and security oversight. Be sure to apply Citrix’s recently released patch for CVE-2019-19781.
[Pescatore]
I guess whoever wrote the Citrix letter has never tried to sell a house where the real estate listing said “Termites had intermittent access to the structure…”

Link HERE

Extra Layers of Security and Control – Ring introduces 2FA

Link HERE

CVE-2020-0618: RCE in SQL Server Reporting Services (SSRS)

Link HERE

Research of the week

Featuring – The three most effective and dangerous cyberattacks to Azure and countermeasures

Part 1 – attack all the public and private IP addresses in Azure

Link HERE

Bypass Windows 10 User Group Policy (and more) with this One Weird Trick

I’m going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting things).

Link HERE

What DNS encryption means for enterprise threat hunters

The dawn of the DNS over HTTPS era is putting business security and SOC teams to the challenge.

In one way, the proliferation of domain name service (DNS) attacks throughout the world has helped to raise awareness about a deep problem in the “plumbing” of the internet. The infrastructure behind the DNS suffers from a lack of built-in security that is putting internet users at risk.

Decades of work on the Domain Name System Security Extensions (DNSSEC) specifications have been ongoing in a concerted effort to find a better way of securing the DNS while keeping it flexible enough for upscaling into enterprise, and even larger, networks. DNSSEC uptake, however, has been sluggish in most countries. Perhaps out of impatience for the incremental successes of DNSSEC, some have begun turning to new methods to secure DNS traffic, such as DNS over TLS (DoT), DNSCrypt, DNSCurve and, most recently, DNS over HTTPS (DoH).

Link HERE

Exploiting WebSocket [Application Wide XSS / CSRF]

Link HERE

Storing obfuscated secret keys in your iOS app

Link HERE

Protect against technical espionage and prevent your information and premises from compromise, with the assurance that comes from using the world-leading UK NACE

The increasing sophistication of physical, electronic and cyber-attacks can put even the most protected security operations under threat. The highly-trained and globally experienced professionals at UK NACE provide the highest standards of security protection against the threats of physical penetration and technical espionage

Link HERE – thanks to Ben

Analysing ZeroCleare’s Behavior Using a Malware Sandbox

Link HERE

Tool of the week

Top 10 Operating Systems for Ethical Hackers and Penetration Testers (2020 List)

Link HERE

Red Hawk Suite

Link HERE

Needle iOS Application Security Framework

Link HERE

XSLEAKS

A collection of browser-based side channel attack vectors

Link HERE

How to escape from the fuzz

Powerful, open-source fuzzing tools like AFL and libFuzzer make it easy to find bugs automatically. In some cases it’s as simple as pointing an off-the-shelf fuzzer at some software that hasn’t been fuzzed before and it starts emitting ready-made PoCs which you can attach to GitHub issues. This creates a new burden for volunteer-run open source projects, who now find themselves on the receiving end of a seemingly never-ending stream of security vulnerability reports…

Link HERE

How to simulate phishing attacks with the HTTP Request Logger

Link HERE

OSINT Bibliography

OSINT Bibliography, created by Reuser’s Information Services in 2019: the very first edition of what is to become an OSINT bibliography. All documents found in OSINF.

Link HERE

Other interesting articles 

##PERILOUS PERIPHERALS: THE HIDDEN DANGERS INSIDE WINDOWS & LINUX COMPUTERS

Unsigned Firmware Creates Perilous Peripherals

In new research, Eclypsium found unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers. We then demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers. Once firmware on any of these components is infected using the issues we describe, the malware stays undetected by any software security controls. Despite previous in-the-wild attacks, peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware

Link HERE


##Finding Python ReDoS bugs at scale using Dlint and r2c

Automating regular expression denial-of-service detection

Link HERE


##Powerful antibiotic discovered using machine learning for first time

Team at MIT says halicin kills some of the world’s most dangerous strains

Link HERE

##And finally, Work the Least for It

Happy people don’t have to work as hard.

The quality of our decisions is paramount in the modern age, because we’re all leveraged. You can be leveraged through code, community, media, capital, labour and other ways. If you’re smart, you leverage every decision you make. 

If Warren Buffett makes the right decision 85% of the time and his competitors get it right 70% of the time, Buffett will win everything. That’s a source of his strength: good decision making. He makes one or two decisions a year. Most of the time he’s sitting around reading books, thinking, reading S-1s, playing bridge, traveling and golfing.

Obviously, hard work is not the solution. Good decision making and high leverage is the solution.

AND

Being Unhappy Is Very Inefficient

A peaceful mind makes better decisions

Links HERE and HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html

Description: WAF Bypassing with Unicode Compatibility.

URL: http://bit.ly/39IdzMS  (+)

Description: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell.

Links HERE and credits to HERE
