Security Stack Sheet #87

Word of the Week

“Surfing attack”

Hacks Siri, Google with ultrasonic waves

Researchers use ultrasound waves vibrating through tables to access cell phones


Link HERE and paper HERE

Word of the Week Special

“Cloud Snooper”

Attack Bypasses Firewall Security Measures

In the course of investigating a malware infection of cloud infrastructure servers hosted in the Amazon Web Services (AWS) cloud, SophosLabs discovered a sophisticated attack that employed a unique combination of techniques to evade detection and that permits the malware to communicate freely with its command and control (C2) servers through a firewall that should, under normal circumstances, prevent precisely that kind of communication from reaching the infected server.

We have published an in-depth report on the attack, which we have named Cloud Snooper.

Though we discovered the technique in use on AWS, the problem is not an AWS problem per se. It represents a method of piggybacking C2 traffic on legitimate traffic, such as normal web traffic, in a way that can bypass many, if not most, firewalls.

The complexity of the attack and the use of a bespoke APT (Advanced Persistent Threat) toolset give us reason to believe that the malware and its operators were an advanced threat actor, possibly nation-state sponsored.

The compromised systems were running both Linux and Windows EC2 instances.

Link HERE
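As an added illustration (not from the Sophos report or the original page): one cheap hunting query for the kind of piggybacking described above. Traffic the attacker wants steered to the backdoor has to be distinguishable from the legitimate traffic it hides in, and a fixed, non-ephemeral client source port is one plausible marker; that this is how a given implant signals is an assumption here, not something the summary states. The script parses default-format (version 2) AWS VPC Flow Log records and reports client addresses that repeatedly reach an allowed port with the same low source port. The flow log lines, addresses and port numbers are constructed.

```python
"""Heuristic: spot C2 piggybacking on an allowed port in VPC Flow Logs.

Assumption (not from the page): the implant recognises its own traffic by a
fixed client source port. Normal clients draw a fresh ephemeral source port
(>= 32768 on Linux, >= 49152 on Windows) per connection, so many ACCEPTed
flows from one address to 80/443 that all reuse one low source port are
worth a look. NAT gateways and very old Windows clients (1025-5000) can
trigger this too, so treat hits as leads, not verdicts.
"""
from collections import defaultdict

ALLOWED_DST_PORTS = {80, 443}   # ports the firewall lets through
EPHEMERAL_START = 32768         # Linux ip_local_port_range lower bound
MIN_FLOWS = 3                   # repeats before a (src, sport) pair is reported


def parse_vpc_flow_line(line):
    """Parse one default-format (version 2) VPC Flow Log record.
    Returns None for malformed lines and for NODATA/SKIPDATA records."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        return None
    try:
        return {
            "srcaddr": f[3], "dstaddr": f[4],
            "srcport": int(f[5]), "dstport": int(f[6]),
            "protocol": int(f[7]), "action": f[12],
        }
    except ValueError:      # '-' fields in NODATA / SKIPDATA records
        return None


def pinned_source_ports(lines, min_flows=MIN_FLOWS):
    """Return {(srcaddr, srcport): flow_count} for accepted TCP flows to an
    allowed port whose client source port is below the ephemeral range,
    keeping only (address, port) pairs seen at least min_flows times."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_vpc_flow_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["protocol"] != 6:
            continue
        if rec["dstport"] in ALLOWED_DST_PORTS and rec["srcport"] < EPHEMERAL_START:
            counts[(rec["srcaddr"], rec["srcport"])] += 1
    return {k: v for k, v in counts.items() if v >= min_flows}


# Constructed sample: one client hitting 443 from source port 1010 three times,
# one normal client with ephemeral ports, one rejected probe, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 1010 443 6 12 2960 1583000000 1583000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 1010 443 6 9 2210 1583000120 1583000180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 1010 443 6 15 3880 1583000240 1583000300 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51324 443 6 20 5120 1583000000 1583000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51330 443 6 18 4700 1583000100 1583000160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 51341 80 6 6 1100 1583000200 1583000260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 1010 22 6 3 200 1583000300 1583000320 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1583000300 1583000320 - NODATA
"""

if __name__ == "__main__":
    for (src, sport), n in pinned_source_ports(SAMPLE_LOG.splitlines()).items():
        print(f"{src} reused source port {sport} on {n} accepted flows to an allowed port")
```

On real data, feed the query the flow logs for the instance's ENI over a day or more; a handful of flows is noise, a steady pattern from one address is where to start pulling packet captures and checking the host for a kernel module or netfilter hook that rewrites destination ports.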

 

Bonus

Links HERE and HERE

Hilarious Signs Spotted at Work

Links HERE, HERE, HERE, HERE, HERE and HERE

The Cyber Warrior Wisdom of Master OTW

Hacking is the new martial art of the 21st century. To become a master hacker, you must think strategically and analytically. Master OTW offers some of his strategic wisdom for the novice hacker that every hacker should be armed with before doing battle:

Links HERE, HERE and HERE

Crypto challenge of the week

EXTORY’s EXTORY

You need to find the correct password

Link HERE and solutions HERE

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius

I Know Where Your Cat Lives

Data experiment that visualizes a sample of 1 million public pics of cats on a world map, locating them by the latitude and longitude coordinates embedded in their metadata.

Link HERE – thanks to David

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE

CCPA whiteboard (TeachPrivacy CCPA training) HERE

  • Now: TLS 1.2 is the minimum for proper security – HTTPS everywhere HERE

Link HERE

  • DO NOT DELAY the TLS 1.2 migration beyond JUNE 2020, or a few things WILL STOP WORKING! [Browsers, Office 365, Cisco and many others]

  • January 2020 – Qualys SSL Labs caps servers that still accept TLS 1.0 or 1.1 at grade B – Qualys announcement HERE – DONE

Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.

  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • November 3rd 2020: US presidential election
  • 2022 – First trip to Mars according to Elon Musk

Elon Musk destroys his phone regularly due to Data Security Fears

Link HERE

  • 2023 – 3DES is deprecated for all new applications, and its use is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
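A quick way to check your own endpoints against the TLS 1.2 deadlines above, as an added example (not from the page, from Qualys or from Microsoft): one handshake per protocol version with the version pinned (minimum == maximum), then the SSL Labs cap rule applied to the result. Certificate checks are switched off on purpose because the only question is which versions the server will negotiate; the target hostname is a placeholder.

```python
import socket
import ssl

# (label, ssl.TLSVersion) pairs to try, oldest first
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def probe_tls_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per protocol version, pinning min == max, and
    return {label: bool}. Certificate checks are disabled on purpose: we only
    want to learn which versions the server negotiates, not whether we trust
    it. A False for TLS 1.0/1.1 can also mean the local OpenSSL build refuses
    to speak them, so confirm negative results with a second tool."""
    results = {}
    for label, ver in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            if ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
                # modern OpenSSL hides the legacy versions behind the security
                # level; lower it so the probe actually offers them
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[label] = False
    return results


def ssllabs_protocol_cap(results):
    """Apply the January 2020 SSL Labs rule: a server that still accepts
    TLS 1.0 or TLS 1.1 cannot score better than B, whatever else it does.
    Returns "B" when the cap applies, otherwise None."""
    if results.get("TLS 1.0") or results.get("TLS 1.1"):
        return "B"
    return None


def migration_ready(results):
    """True when the server negotiates TLS 1.2 or 1.3 and nothing older, i.e.
    it keeps working once clients drop TLS 1.0/1.1 and is not capped at B."""
    modern = results.get("TLS 1.2") or results.get("TLS 1.3")
    return bool(modern) and ssllabs_protocol_cap(results) is None


if __name__ == "__main__":
    target = "example.com"   # placeholder; point this at your own endpoint
    found = probe_tls_versions(target)
    for label, ok in found.items():
        print(f"{label}: {'negotiated' if ok else 'refused'}")
    print("SSL Labs cap:", ssllabs_protocol_cap(found) or "none from protocol support")
    print("ready for the June 2020 cut-offs:", migration_ready(found))
```

Run it against every externally reachable hostname, not just the main site: the forgotten API endpoint or legacy load balancer that still speaks TLS 1.0 is the one that drags the grade down and breaks first when clients stop offering the old versions.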

Book of the month

2020 MSSP Buyer’s Guide for SOAR Solutions

An unbiased guide to assessing Security Orchestration, Automation and Response (SOAR) solutions for MSSPs

Link HERE

Comic of the week

Before Or After Firing - Dilbert by Scott Adams

##Some OWASP stuff first

-Basics on commands/tools/info on how to assess the security of mobile applications – Android and iOS


Link HERE

-Remember: “Developers – The Lucrative Target for Social Engineers” – Stuart Peck (@cybersecstu)

Developers are a lucrative target for attackers, especially those with public profiles, active on social media, and working on either high-profile applications or open source projects. The recent attack against an NPM package, in which malicious code targeted a popular Bitcoin wallet, was the result of a social engineering attack where the attacker tricked the maintainer into handing over ownership; it is one of many examples of an ever-increasing vector. This talk explores how exposed some developers are and the impact this can have, either through the supply chain and/or directly on organisations. During this talk we will demonstrate and discuss:

Open Source Intelligence- recon techniques;

Profiling targets, repos, developer backgrounds, coding style, digital footprint;

Pretext creation – building trust and establishing legitimacy;

Example Vishing calls, phishing emails, and case studies;

What developers can do to challenge and reduce the impact of Social Engineering

Link HERE

-Jeremy Long — It’s dependency check, not checker

Jeremy Long is a principal engineer specializing in securing the SDLC. Jeremy is the founder and project lead for the OWASP dependency-check project, a software composition analysis tool that identifies known vulnerable third-party libraries. Jeremy joins us to share the origin story of dependency-check, the problems it solves, the number of companies that use it, how to integrate it, and the future of the project.

Link HERE

-4 Reasons to Automate Security Testing with AppSec Instrumentation

While the idea of “automation” may seem like a modern concept, it dates back to around 762 B.C. when the concept was first introduced in Homer’s epic battle poem The Iliad.

Fast forward to life in 2020, where we’re battling against different enemies who wield ones and zeros; binary artillery that can bring the strongest fortress to its knees with one crippling onslaught.

Link HERE

-A Beginners Guide To DOM Manipulation

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE – the best Conferences in 2020 HERE

FuzzCon 2020


Link HERE – thanks to TK

The Linux Foundation and Harvard’s Lab for Innovation Science Release Census for Open Source Software Security

Link HERE – thanks to Alvin Report HERE

RSA 2020

RSA Conference

Must see HERE and HERE and HERE and HERE and HERE and HERE and HERE

Crypto panel HERE

Main link HERE and videos HERE

ALSO

Dell sold its RSA security business, including the popular RSA conference, to a private equity firm for $2 billion

Link HERE

How to prioritize security controls for situational awareness in AWS

Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report


Council confirms ransomware attack

Earlier this week Redcar and Cleveland Borough Council confirmed its IT servers had been affected by a ransomware attack.
The NCSC has been providing support to the council in the wake of this incident and is advising on how to minimise the risk of such an attack occurring in future.

Rise in the number of Office 365 phishing scams

Cyber security researchers have uncovered an increase in the number of low-quality phishing scams that aim to trick users into revealing their credentials.
According to a new report from Cofense, there has been a surge in scam attempts using illegitimate and badly created Office 365 credentials update forms.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 72 – Vulnerabilities in WordPress ThemeREX Addons and Voatz, Facebook postmortem, JWT talks, OpenAPI Specification 3.0.3

Link HERE

Troy Hunt Blog – Issue 179

Link HERE

Incidents & events detail

Facebook OAuth Framework Vulnerability

I decided to analyze why I always feel insecure while using the “Login with Facebook” feature, since it uses multiple redirect URLs. But finding a vulnerability in Facebook, which also has the most talented security researchers, wasn’t an easy task. It was very tough and challenging to find a bug in Facebook OAuth.

However, the way I found it had been vulnerable for years and years; as per Google search and StackOverflow hints, almost 9 to 10 years.

Link HERE
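The “multiple redirect URLs” the author mentions are the classic soft spot in any OAuth login flow. As an added example (my own illustration, not the Facebook bug itself, whose mechanics the write-up above does not give), here is the loose redirect_uri validation pattern that has bitten many providers, next to a strict one. The hostnames and registered URIs are constructed.

```python
from urllib.parse import urlsplit

# Constructed client registration: the origin a loose check keys on, and the
# exact callback URIs a strict check allows.
REGISTERED_ORIGIN = "https://app.example.com"
REGISTERED_URIS = {
    "https://app.example.com/oauth/callback",
    "https://app.example.com/oauth/callback-mobile",
}


def loose_redirect_ok(redirect_uri):
    """The pattern that keeps leaking tokens: 'does it start with our domain?'.
    Accepts https://app.example.com.evil.net/..., userinfo tricks such as
    https://app.example.com@evil.net/, and any open redirect on the real host."""
    return redirect_uri.startswith(REGISTERED_ORIGIN)


def strict_redirect_ok(redirect_uri):
    """Exact match against the registered allowlist after parsing: scheme,
    host (case-insensitive), port and path must equal a registered entry.
    Fragments and query strings are refused outright, as is any userinfo, so
    an attacker cannot append a path, smuggle a host or ride an open redirect."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.fragment or parts.query:
        return False
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return False
    normalised = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return normalised in REGISTERED_URIS


if __name__ == "__main__":
    # Constructed attacker-supplied values
    for candidate in (
        "https://app.example.com/oauth/callback",
        "https://app.example.com.evil.net/cb",
        "https://app.example.com@evil.net/",
        "https://app.example.com/logout?next=https://evil.net",
        "https://app.example.com/oauth/callback/../../r",
    ):
        print(f"{candidate}: loose={loose_redirect_ok(candidate)} strict={strict_redirect_ok(candidate)}")
```

The strict check deliberately refuses the path-traversal form as well: `urlsplit` does not resolve `..`, so the string simply fails the exact comparison, and the authorization server never has to reason about what the browser would do with it.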

Attackers probing for vulnerable Microsoft Exchange Servers, is yours one of them?

CVE-2020-0688, a remote code execution bug in Microsoft Exchange Server that Microsoft fixed in early February, is ripe for exploitation and could become a vector for ransomware groups in the coming months. The root cause is a fixed ASP.NET machine key shared by every Exchange installation, which lets any authenticated user forge ViewState for the Exchange Control Panel and run code as SYSTEM (see the AppSec Ezine item below).

Link HERE

If your web server is running on Apache Tomcat, you should immediately install the latest available version of the server application to prevent hackers from taking unauthorized control over it.
Yes, that’s possible because all versions (9.x/8.x/7.x/6.x) of Apache Tomcat released in the past 13 years have been found vulnerable to a new high-severity (CVSS 9.8) ‘file read and inclusion bug’ (Ghostcat, CVE-2020-1938, in the AJP connector that unpatched versions enable on port 8009 in the default server.xml), which can be exploited in the default configuration.
It is more concerning because several proof-of-concept exploits for this vulnerability have also surfaced on the Internet, making it easy for anyone to hack into publicly accessible vulnerable web servers.

Link HERE
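The bug is Ghostcat (CVE-2020-1938) in the AJP connector. Patching is the fix (Tomcat 9.0.31, 8.5.51 and 7.0.100 added a secretRequired attribute that defaults to true and bind AJP to loopback by default); until then, remove the connector or bind it to 127.0.0.1 and set a shared secret. The script below is an added example, not from the page or from the Tomcat project: it parses a server.xml and flags AJP connectors that are reachable beyond loopback or have no secret. Both server.xml fragments are constructed; the script does not check the Tomcat version itself.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml):
    """Return a list of (port, issue) tuples for every AJP connector found in
    a Tomcat server.xml. Issues:
      'exposed-address' - connector is not bound to loopback. A missing
                          address attribute means all interfaces on unpatched
                          versions, so it is treated as exposed.
      'no-secret'       - secretRequired is explicitly "false", or neither a
                          secret (new name) nor requiredSecret (old name) is set.
    An empty list means no exposed AJP connector was found."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue                      # matches AJP/1.3 and the AjpNio*/AjpApr classes
        port = conn.get("port", "8009")
        if conn.get("address", "") not in LOOPBACK:
            findings.append((port, "exposed-address"))
        secret = conn.get("secret") or conn.get("requiredSecret")
        if conn.get("secretRequired", "true").lower() != "true" or not secret:
            findings.append((port, "no-secret"))
    return findings


# Constructed: the shape of an unpatched default server.xml
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed: same file with the AJP connector locked down
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml_text) or "no findings")
```

If nothing in front of Tomcat (Apache httpd with mod_jk or mod_proxy_ajp, for example) actually uses AJP, the right answer is to delete the connector rather than to harden it; a secret only protects the channel, it does not make the file-inclusion path go away on an unpatched server.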

IMP4GT: IMPersonation Attacks in 4G NeTworks

Link HERE

5 Ways Coronavirus Remote Work Can Compromise Your Security

Link HERE

The KidsGuard surveillance app exfiltrated data from targeted devices to an unprotected cloud storage bucket

Link HERE

Chrome Update Addresses 0-day and Other Vulnerabilities

Google’s latest update for the Chrome browser includes fixes for three security issues, one of which is already being actively exploited. All three flaws have been rated high severity. Chrome 80.0.3987.122 is available for Windows, macOS, and Linux.
[Neely]
These flaws are being actively exploited; rapid updates are prudent. I was pleased to find my IT department was already pushing this update when I returned from travel this week.

Links HERE and HERE

Israeli Marketing Company Exposes Contacts Database

Data includes Names, Addresses, Email Addresses, Phone Numbers

Link HERE

Let’s Encrypt Has Issued a Billion Certificates


We issued our billionth certificate on February 27, 2020. We’re going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event. In particular, we want to talk about what has happened since the last time we talked about a big round number of certificates – one hundred million.

One thing that’s different now is that the Web is much more encrypted than it was. In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody

Link HERE

PayPal via Google Pay: Gap in virtual credit cards allows unauthorized debits

Criminals may have abused a gap in PayPal’s Google Pay integration (virtual credit cards) that PayPal has known about for a year.

Follow thread

Links HERE and HERE

GAO: Critical Infrastructure Must Adopt NIST Cyber Framework
According to a report from the Government Accountability Office (GAO), federal agencies that have the lead in protecting critical infrastructure sectors (sector specific agencies, or SSAs) have for the most part not taken adequate steps to ensure that the sectors they oversee have adopted the National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity. There are nine SSAs overseeing 16 critical infrastructure sectors. Two SSAs have developed strategies for determining framework adoption in their designated sectors; two others have taken steps toward developing methods. Most of the SSAs have encouraged their sectors to adopt the framework. GAO recommends that NIST develop time frames for completing initiatives, and that the SSAs gather and report on improvements made from framework adoption.
[Murray]
This is urgent. While the SANS Top Twenty are more applicable to the scale of many enterprises, the NIST Cyber Framework is essential for large enterprises that are part of the economic or national security infrastructures

Link HERE

The adversaries behind the DoppelPaymer ransomware have launched a new site that they say will be used to publish the information and stolen data of victims who do not pay the demanded extortion.

Link HERE

Research of the week

Featuring – Phishing – still a problem, despite all the work

Free NCSC webinar explains how to protect your organisation from scam email campaigns


Phishing is a threat that most people know about. Emails designed to trick you into clicking a malicious link or divulge passwords and other credentials have become an everyday occurrence. Despite this familiarity, and the multitude of tools and techniques which purport to stop it, phishing remains the number one initial attack vector affecting organisations and individuals.

Unfortunately, there is no silver bullet. Phishing can only be dealt with using multiple complementary measures. This fact leads to some questions: Which measures are most (cost) effective? How should they be implemented? Can they be automated?

Link HERE

The top four Office 365 security pain points

Many novice Office 365 (O365) shops do not know where platform-specific security vulnerabilities lie, or even that they exist. The threats that you are unaware exist do not cause pain until they rise up and bite – then the agony is fierce

Link HERE

Detecting Lateral Movement with WinSCP

RDP is a common way for an attacker to move laterally within an environment. Forensically, when an attacker uses RDP we can use artefacts such as shell bags, link files and jump lists on the remote system to see what was accessed while the attacker was RDPed into the system.
Another way an attacker can access a system remotely is to use a program called WinSCP. Using WinSCP, they can browse folders and files on a remote system, copy folders and files back to the system they are currently on, and even search the remote system for files!

Link HERE

Web Browser Privacy: What Do Browsers Say When They Phone Home?

We measure the connections to backend servers made by six browsers: Google Chrome, Mozilla Firefox, Apple Safari, Brave Browser, Microsoft Edge and Yandex Browser, during normal web browsing. Our aim is to assess the privacy risks associated with this back-end data exchange. We find that the browsers split into three distinct groups from this privacy perspective. In the first (most private) group lies Brave, in the second Chrome, Firefox and Safari and in the third (least private) group lie Edge and Yandex

Link HERE

Tool of the week

Mimesis – Fake Data Generator

Link HERE

Analysing WhatsApp Calls with Wireshark, radare2 and Frida

Link HERE

Red Team’s SIEM

A tool for red teams that tracks and alerts on blue-team activity and improves usability in long-term operations.

Link HERE

Kubernetes Security Mindmap

Link HERE

Other interesting articles 

##Securing Firefox with WebAssembly

Protecting the security and privacy of individuals is a central tenet of Mozilla’s mission, and so we constantly endeavor to make our users safer online. With a complex and highly-optimized system like Firefox, memory safety is one of the biggest security challenges. Firefox is mostly written in C and C++. These languages are notoriously difficult to use safely, since any mistake can lead to complete compromise of the program. We work hard to find and eliminate memory hazards, but we’re also evolving the Firefox codebase to address these attack vectors at a deeper level. Thus far, we’ve focused primarily on two techniques:

Link HERE

 

##Micro Frontends

A screenshot of micro frontends on the ThoughtWorks tech radar

Good frontend development is hard. Scaling frontend development so that many teams can work simultaneously on a large and complex product is even harder. In this article we’ll describe a recent trend of breaking up frontend monoliths into many smaller, more manageable pieces, and how this architecture can increase the effectiveness and efficiency of teams working on frontend code. As well as talking about the various benefits and costs, we’ll cover some of the implementation options that are available, and we’ll dive deep into a full example application that demonstrates the technique

Link HERE

 

##Coronavirus will delay China’s digital currency

A Chinese government mouthpiece says that the development of the DC/EP, China’s blockchain project, has been delayed

Link HERE

##And finally, Murdering reality: the spurious spies of fiction

Hollywood lacks the wit and the will to convey the complexities of the secret world.

I recently watched the second season of Amazon’s series Jack Ryan. To be accurate: I managed only the first few episodes. As a career CIA officer, I found the disconnect between my experience running espionage operations and the Hollywood portrayal too fanciful to stomach.

The screen version of the intelligence world displays a perplexing interest in getting a few, small details right while otherwise throwing common sense to the wind. Why hire some ex-intelligence officer to assure that Ryan’s badge looks real and the file folders are the right colour, if the basic story has no connection with reality whatsoever? The handful of people who know what a real burn bag for classified papers looks like will also be those most critical of the show’s other failings.

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: http://bit.ly/2uwX4Ei  (+)

Description: AWS Document Signing Security Control Bypass.

URL: http://bit.ly/3abVdnO  (+)

Description: RCE on MS Exchange Server Through Fixed Cryptographic Keys (CVE-2020-0688).

Links HERE and credits to HERE

 

 

 

 
