Word of the Week
Hacks Siri, Google with ultrasonic waves
Researchers use ultrasound waves vibrating through tables to access cell phones
Word of the Week Special
Attack Bypasses Firewall Security Measures
In the course of investigating a malware infection of cloud infrastructure servers hosted in the Amazon Web Services (AWS) cloud, SophosLabs discovered a sophisticated attack that employed a unique combination of techniques to evade detection and that permits the malware to communicate freely with its command and control (C2) servers through a firewall that should, under normal circumstances, prevent precisely that kind of communication from reaching the infected server.
We have published an in-depth report on the attack, which we have named Cloud Snooper.
Though we discovered the technique in use on AWS, the problem is not an AWS problem per se. It represents a method of piggybacking C2 traffic on legitimate traffic, such as normal web traffic, in a way that can bypass many, if not most, firewalls.
The complexity of the attack and the use of a bespoke APT (Advanced Persistent Threat) toolset give us reason to believe that the malware and its operators were an advanced threat actor, possibly nation-state sponsored.
The compromised systems were running both Linux and Windows EC2 instances.
Hilarious Signs Spotted at Work
The Cyber Warrior Wisdom of Master OTW
Hacking is the new martial art of the 21st century. To become a master hacker, you must think strategically and analytically. Master OTW offers some of his strategic wisdom for the novice hacker that every hacker should be armed with before doing battle:
Crypto challenge of the week
You need to find the correct password
I Know Where Your Cat Lives
Data experiment that visualizes a sample of 1 million public pics of cats on a world map, locating them by the latitude and longitude coordinates embedded in their metadata
Link HERE – thanks to David
[Browsers, Office365, Cisco and many others]
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.
Elon Musk destroys his phone regularly due to Data Security Fears
Book of the month
2020 MSSP Buyer’s Guide for SOAR Solutions
An unbiased guide to assessing Security Orchestration, Automation and Response (SOAR) solutions for MSSPs
Comic of the week
##Some OWASP stuff first
-Basics on commands/tools/info on how to assess the security of mobile applications – Android and iOS
-Remember: “Developers – The Lucrative Target for Social Engineers” – Stuart Peck (@cybersecstu)
Developers are a lucrative target for attackers, especially those with public profiles, active on social media, and working on either high-profile applications or open source projects. The recent attack against an NPM package with malicious code that targeted a popular Bitcoin wallet, where the attacker was able to trick the maintainer into handing over ownership through social engineering, is one of the many examples that this is an ever-increasing vector. This talk looks to explore how exposed some developers are and the impacts this can have, either through the supply chain and/or directly to organisations. During this talk we will demonstrate and discuss:
Open Source Intelligence recon techniques;
Profiling targets, repos, developer backgrounds, coding style, digital footprint;
Pretext creation – building trust and establishing legitimacy;
Example Vishing calls, phishing emails, and case studies;
What developers can do to challenge and reduce the impact of Social Engineering
-Jeremy Long — It’s dependency check, not checker
Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project, a software composition analysis tool that identifies known vulnerable third-party libraries. Jeremy joins us to share the origin story of dependency-check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.
-4 Reasons to Automate Security Testing with AppSec Instrumentation
While the idea of “automation” may seem like a modern concept, it dates back to around 762 B.C. when the concept was first introduced in Homer’s epic battle poem The Iliad.
Fast forward to life in 2020, where we’re battling against different enemies who wield ones and zeros; binary artillery that can bring the strongest fortress to its knees with one crippling onslaught.
-A Beginners Guide To DOM Manipulation
OWASP events HERE
Link HERE – thanks to TK
The Linux Foundation and Harvard’s Lab for Innovation Science Release Census for Open Source Software Security
Crypto panel HERE
Dell sold its RSA security business, including the popular RSA conference, to a private equity firm for $2 billion
How to prioritize security controls for situational awareness in AWS
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – Find your country
NCSC Weekly Threat Report
Council confirms ransomware attack
Rise in the number of Office 365 phishing scams
API Security Issue 72 – Vulnerabilities in WordPress ThemeREX Addons and Voatz, Facebook postmortem, JWT talks, OpenAPI Specification 3.0.3
Troy Hunt Blog – Issue 179
Incidents & events detail
Facebook OAuth Framework Vulnerability
Attackers probing for vulnerable Microsoft Exchange Servers, is yours one of them?
CVE-2020-0688, a remote code execution bug in Microsoft Exchange Server that Microsoft squashed in early February, is ripe for exploitation and could become a vector for ransomware groups in coming months.
If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it.
IMP4GT: IMPersonation Attacks in 4G NeTworks
5 Ways Coronavirus Remote Work Can Compromise Your Security
The KidsGuard surveillance app exfiltrated data from targeted devices to an unprotected cloud storage bucket
Chrome Update Addresses 0-day and Other Vulnerabilities
Google’s latest update for the Chrome browser includes fixes for three security issues, one of which is already being actively exploited. All three flaws have been rated high severity. Chrome 80.0.3987.122 is available for Windows, macOS, and Linux.
Israeli Marketing Company Exposes Contacts Database
Data includes Names, Addresses, Email Addresses, Phone Numbers
Let’s Encrypt Has Issued a Billion Certificates
We issued our billionth certificate on February 27, 2020. We’re going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event. In particular, we want to talk about what has happened since the last time we talked about a big round number of certificates – one hundred million.
One thing that’s different now is that the Web is much more encrypted than it was. In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody.
PayPal via Google Pay: Gap in virtual credit cards allows unauthorized debits
For debiting PayPal via Google Pay, criminals may have misused a hole that PayPal has known about for a year.
GAO: Critical Infrastructure Must Adopt NIST Cyber Framework
The adversaries behind the DoppelPaymer ransomware launched a new site that they say will be used to publish the information and stolen data of victims who do not pay the requested extortion payment.
Research of the week
Featuring – Phishing – still a problem, despite all the work
Free NCSC webinar explains how to protect your organisation from scam email campaigns
Phishing is a threat that most people know about. Emails designed to trick you into clicking a malicious link or divulge passwords and other credentials have become an everyday occurrence. Despite this familiarity, and the multitude of tools and techniques which purport to stop it, phishing remains the number one initial attack vector affecting organisations and individuals.
The top four Office 365 security pain points
Detecting Lateral Movement with WinSCP
RDP is a common way for an attacker to move laterally within an environment. Forensically, when an attacker uses RDP we can use artefacts such as shell bags, link files and jump lists on the remote system to see what was accessed while the attacker was RDPed into the system.
Web Browser Privacy: What Do Browsers Say When They Phone Home?
We measure the connections to backend servers made by six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser, during normal web browsing. Our aim is to assess the privacy risks associated with this back-end data exchange. We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari, and in the third (least private) group lie Edge and Yandex.
Tool of the week
Mimesis – Fake Data Generator
Analysing WhatsApp Calls with Wireshark, radare2 and Frida
Red Team’s SIEM
A tool for Red Teams, used for tracking and alerting on Blue Team activities, and for better usability in long-term operations.
Kubernetes Security Mindmap
Other interesting articles
##Securing Firefox with WebAssembly
Protecting the security and privacy of individuals is a central tenet of Mozilla’s mission, and so we constantly endeavor to make our users safer online. With a complex and highly-optimized system like Firefox, memory safety is one of the biggest security challenges. Firefox is mostly written in C and C++. These languages are notoriously difficult to use safely, since any mistake can lead to complete compromise of the program. We work hard to find and eliminate memory hazards, but we’re also evolving the Firefox codebase to address these attack vectors at a deeper level. Thus far, we’ve focused primarily on two techniques:
Good frontend development is hard. Scaling frontend development so that many teams can work simultaneously on a large and complex product is even harder. In this article we’ll describe a recent trend of breaking up frontend monoliths into many smaller, more manageable pieces, and how this architecture can increase the effectiveness and efficiency of teams working on frontend code. As well as talking about the various benefits and costs, we’ll cover some of the implementation options that are available, and we’ll dive deep into a full example application that demonstrates the technique.
##Coronavirus will delay China’s digital currency
A Chinese government mouthpiece says that the development of the DC/EP, China’s blockchain project, has been delayed.
##And finally, Murdering reality: the spurious spies of fiction
Hollywood lacks the wit and the will to convey the complexities of the secret world.
I recently watched the second season of Amazon’s series Jack Ryan. To be accurate: I managed only the first few episodes. As a career CIA officer, I found the disconnect between my experience running espionage operations and the Hollywood portrayal too fanciful to stomach.
The screen version of the intelligence world displays a perplexing interest in getting a few, small details right while otherwise throwing common sense to the wind. Why hire some ex-intelligence officer to assure that Ryan’s badge looks real and the file folders are the right colour, if the basic story has no connection with reality whatsoever? The handful of people who know what a real burn bag for classified papers looks like will also be those most critical of the show’s other failings.
##HACKING, TOOLS and FUN – CHECK BELOW!
URL: http://bit.ly/2uwX4Ei (+)
Description: AWS Document Signing Security Control Bypass.
URL: http://bit.ly/3abVdnO (+)
Description: RCE on MS Exchange Server Through Fixed Cryptographic Keys (CVE-2020-0688).