Security Stack Sheet #88

Word of the Week

“Chief Automation Officer – CAO”

What is a chief automation officer?

A chief automation officer handles the process automation of an organisation, positioning the right people and technologies across departments

Links HERE and HERE and HERE and HERE

Word of the Week Special

“Root of Trust”: Intel x86 Root of Trust: loss of trust

The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms. The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole

Link HERE

 

Bonus


Will You Put Your Password in a Survey?

Link HERE

Link HERE


See here:


Link HERE


Link HERE


Link HERE


Link HERE


Link HERE

Link HERE


Link HERE

Crypto challenge of the week

CAPTEG

Link HERE

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below; GDPR Enforcement Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 mandatory for proper security; HTTPS everywhere HERE
  • DO NOT DELAY the TLS 1.2 migration BEYOND JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

Browsers to Start Blocking Sites That Use Old TLS Protocols

By the end of this month, most major browsers will be blocking websites that are using TLS 1.0 and TLS 1.1, which date back to 1996 and 2006, respectively. An estimated 850,000 sites still use the outdated protocols. TLS 1.3 was released in 2018. Shortly thereafter, Mozilla, Google, Apple, and Microsoft announced that they would end support for the older versions of TLS in 2020.
[Neely]
Make sure your sites and your business partner sites support TLS 1.2 so these changes will be transparent. Leverage services like SSLReports to check and give you a report on your public facing sites.

Link HERE

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE DONE

Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.

  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?

Cambridge Analytica were the tip of the iceberg

Unravelling the web of manipulation behind Brexit, Trump and the hijacking of democracies around the world


Link HERE

  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Not a book – Predicting the Future of Web Development (2020 and 2025)

Prediction 1: “TypeScript takes over the JS world”

Prediction 2: “WebAssembly is going to expand the web app pie”

Prediction 3: “npm lasts, surviving further problems”

Prediction 4: “JS alternatives stay niche, but age well”

Links HERE and HERE

Comic of the week

Wally Prefers Systems - Dilbert by Scott Adams

##Some OWASP stuff first

-Ten OWASP Commandments

Link HERE

Don’t try to sanitize input. Escape output.

Every so often developers talk about “sanitizing user input” to prevent cross-site scripting attacks. This is well-intentioned, but leads to a false sense of security, and sometimes mangles perfectly good input
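To make the article's point concrete, here is an added example (not from the linked article) that puts a naive input "sanitizer" beside context-specific output escaping; the sample values are constructed, and the function names are the example's own:

```python
"""Escape output, don't sanitize input: the sanitizer below mangles legitimate
values, while escaping at render time keeps the stored value intact and still
neutralises the XSS probe. Sample inputs are constructed for this example."""
import html
import json
import re

def sanitize_input(value: str) -> str:
    # The anti-pattern: strip "dangerous" characters on the way in.
    # Note what this does to names and everyday text below.
    return re.sub(r"[<>\"'&]", "", value)

def escape_html_text(value: str) -> str:
    # Output encoding for an HTML text node or a quoted attribute value.
    return html.escape(value, quote=True)

def escape_js_string(value: str) -> str:
    # Output encoding for a string literal inside a <script> block: JSON-encode,
    # then also encode angle brackets so "</script>" cannot end the block early
    # (json.dumps on its own leaves them untouched).
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_profile(stored_name: str) -> str:
    # The stored value is the user's original input; each output context
    # applies its own encoding at the moment of rendering.
    return (
        f"<p>Hello, {escape_html_text(stored_name)}!</p>\n"
        f"<script>var user = {escape_js_string(stored_name)};</script>"
    )

# Constructed inputs: two legitimate values and one XSS probe.
SAMPLES = ["O'Brien", "Tom & Jerry <3", "</script><script>alert(1)</script>"]

def compare(samples=SAMPLES) -> dict:
    """For each sample: what the sanitizer keeps vs. what HTML escaping renders."""
    return {s: {"sanitized": sanitize_input(s), "html": escape_html_text(s)}
            for s in samples}

if __name__ == "__main__":
    for sample, result in compare().items():
        print(f"{sample!r:45} sanitized -> {result['sanitized']!r}")
    print(render_profile(SAMPLES[2]))
```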

Link HERE

-Misconfigurations and Alert Fatigue Require a Modern AppSec Approach

Link HERE

-Browser Exploitation Framework (BeEF) with Gavin Johnson-Lynn

Gavin on the BeEF framework feature

Link HERE

-Threat Hunting For Cybersecurity M&A Due Diligence

Link HERE

 

Events

OWASP events HERE

All InfoSec events HERE – the best Conferences in 2020 HERE

Webinar: How to Prioritize Security Controls for Situational Awareness in AWS

Link HERE
Webcast: Innovative Application Security Testing Techniques for Modern Software Development

Link HERE

Webinar: DJ MITRE: Achieving Harmony in your SOC

Link HERE

Webinar: How to improve security visibility and detection-response operations in AWS

Link HERE

The Social Engineering Village Wrap-up from DEF CON 27

Don’t let her adorable-ness fool you; she’s one mean very nice, green, SE-ing machine

Link HERE and From Introvert to SE, The Journey HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


NCSC Weekly Threat Report


Consumers urged to secure internet connected cameras

This week, with support from Which?, we published new consumer advice and guidance on how to secure internet connected cameras in the home

We’re all becoming more reliant on ‘smart’ technology, and things like connected security cameras and baby monitors help make our lives easier. However, insecure default settings can leave devices vulnerable to cyber criminals

Tesco and Boots issue security warnings to customers

Tesco Clubcard and Boots Advantage Card holders have been warned of potential security risks.
Earlier this week, Tesco confirmed new Clubcards would be issued to 600,000 members following unauthorised attempts to access customer accounts. It’s understood criminals had used a database of stolen usernames and passwords, with some attempts reportedly proving successful

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 73 – Up to 75% credential abuse attacks target APIs

Link HERE

Troy Hunt Blog – Issue 181

Link HERE

Exploring Imposter Syndrome through Experience, Education, and Gatekeeping with Lesley Carhart

A top cybersecurity practitioner talks about the importance of culture, continuous learning, and work-life balance in overcoming impostor syndrome

Link HERE

Incidents & events detail

Remember: New Cyber Attack Campaign Leverages the COVID-19 Infodemic – Technical detail

Researchers from Cybaze Yoroi ZLab have spotted a new campaign exploiting the interest in coronavirus (COVID-19) evolution to spread malware

Link HERE

World Health Organization: Scammers are Exploiting Coronavirus Fears

The World Health Organization (WHO) is warning that scammers posing as WHO representatives are trying to trick people into sharing their account access credentials or opening malicious email attachments. Scammers have also been sending email that exploits concerns about COVID-19 to spread malware. Researchers note that more than 4,000 coronavirus-related domains have been registered since the beginning of the year; of those, three percent are considered malicious, and another five percent are suspicious


Links HERE and HERE and CVSS for Coronavirus HERE

GitHub: We won’t take down any of your content unless we really have to

Microsoft’s open-source code-sharing platform’s latest report places freedom of expression above all else

Link HERE

Ryuk ransomware strikes across the globe
Several reports surfaced over the past week of the Ryuk ransomware being used in attacks over the course of the past year. Notable recent infections include an attack on a Fortune 500 company that specializes in mechanical and electrical construction, a local library system and police department in Florida and a school district in New Mexico. Ryuk primarily spreads through phishing emails and contains a number of capabilities, including credential theft and the downloading of a cryptocurrency miner.
Link HERE

Show me Your Clipboard Data!

Link HERE

Remember from last week:

10-Year-Old Facebook Bug Allows Hackers to Steal Access Tokens & Hijack Anyone’s Facebook Account – $55,000 Bounty Rewarded

Link HERE

UK’s ICO Fines Cathay Pacific Over Data Leak

The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways £500,000 (US $647,000) for a data leak that went undetected for four years. The issue exposed personal data of 9.4 million Cathay Pacific customers between 2014 and 2018. The ICO says that during that time, Cathay Pacific systems were inadequately protected

Link HERE

Panorama: Spying on the Scammers

Link HERE (you need UK IP)

Google to put a muzzle on Android apps accessing location data in the background

Google will also update Android’s location access permission prompt (again)

Link HERE

Intel Chip Flaw is Unfixable

Researchers have found another flaw affecting Intel chips. This one affects most Intel chips manufactured within the last five years. While the flaw is not trivial to exploit and Intel has released mitigations that can lessen the damage from exploits, the issue cannot be fixed without physically replacing the chip. The problem lies in the Converged Security and Management Engine (CSME).
[Neely]
There are no active exploits and exploitation is difficult. Mitigate the risk by applying the updates provided. The flaw impacts the trusted platform module and allows for bypass of their Enhanced Privacy ID (EPID) digital rights management and on-chip encryption system.
[Pescatore]
When you look at how easily all the levels of servers and PCs running above the CSME level are compromised, for most enterprises worrying about this is like worrying about a meteorite hitting your house when you don’t lock your front doors. However, it does point out that it is always a bad decision to make security an option to turn on after booting up, vs. starting up securely and making it optional to take more risks

Link HERE

670+ Subdomains of Microsoft are Vulnerable to Takeover (Lead to Account Takeover)

Link HERE

Virgin Media’s data incident


Links HERE and HERE

Virgin Media data breach ‘could link customers to pornographic sites’

Link HERE

XSS plugin vulnerabilities plague WordPress users

Link HERE

A new variant of the Cerberus trojan for Android devices can steal users’ Google two-factor authentication passcodes to gain access to secured accounts

Link HERE

“Let’s Encrypt” Removes Deadline for Revoking Certificates Over CAA Code Problem

Last week, certificate authority (CA) Let’s Encrypt discovered a bug in its Certification Authority Authorization (CAA) code. The organization initially set a deadline of March 4 for administrators to replace affected certificates before it would begin revoking those that had not been replaced. On Wednesday, March 4, Let’s Encrypt said it would revoke the 1.7 million certificates it knows have been replaced as well as 445 certificates it has deemed high priority. The CA has not set a revocation deadline for the remaining certificates, noting that it will “revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users.”

Link HERE

Research of the week

Featuring – The Case for Limiting Your Browser Extensions

Last week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was flagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized code. An investigation determined it was injected by a browser extension installed on the computer of a Blue Shield employee who’d edited the Web site in the past month.

The incident is a reminder that browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. And as we’ll see, it’s not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals

Link HERE

App-Layer Encryption in AWS

Encrypting application data has traditionally been complicated. It runs the risks of being done incorrectly, not being more secure, negatively impacting performance or availability, and even losing access to data. Square has long had encryption infrastructure in our data centres, but we wanted to make encrypting sensitive data self-service, safe, fast, and easy for Cash App services running in the cloud as well. We have been iterating on this design over the last year and now have several services using it in production powering live Cash App features. We thought this would be a good time to share how we did it

Link HERE

CVE-2020-0688 Losing the keys to your kingdom

CVE-2020-0688 or how key reuse led to remote code execution on Exchange servers.

Recently, Microsoft published an advisory for a vulnerability in Exchange Server that was fixed as part of the February 2020 Patch Tuesday. Looking at the description we can guess what it is about:

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

Since it involves deserialization and “unique” keys, my initial guess was that Exchange might be using a hardcoded validation (HMAC) key on default installations, and if that is indeed the case, it should be easy to escalate this issue into a full remote code execution attack
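Because the advisory's root cause is a validation key that is not unique per install, one defensive check is to compare the explicit `<machineKey>` values across your own servers: a key that appears on more than one independently installed host is not unique and should be rotated after patching. The following is an added example (not from the advisory or the linked post); the web.config fragments and hostnames are constructed, and the key values are placeholders, not real Exchange keys:

```python
"""Flag ASP.NET machineKey validationKey values shared across hosts.
Assumes each server's web.config has already been collected into WEB_CONFIGS;
the XML below is constructed sample data with placeholder key values."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: three hosts, two of which share the same validationKey,
# which is the install-time failure the advisory describes.
WEB_CONFIGS = {
    "exch01.corp.example": """
<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_KEY_A" decryptionKey="PLACEHOLDER_DEC_A"
              validation="SHA1" decryption="AES"/>
</system.web></configuration>""",
    "exch02.corp.example": """
<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_KEY_A" decryptionKey="PLACEHOLDER_DEC_A"
              validation="SHA1" decryption="AES"/>
</system.web></configuration>""",
    "exch03.corp.example": """
<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_KEY_B" decryptionKey="PLACEHOLDER_DEC_B"
              validation="SHA1" decryption="AES"/>
</system.web></configuration>""",
}

def extract_machine_key(web_config_xml: str):
    """Return (validationKey, decryptionKey), or None when no explicit machineKey is set."""
    root = ET.fromstring(web_config_xml.strip())
    node = next(root.iter("machineKey"), None)
    if node is None:
        return None
    return node.get("validationKey"), node.get("decryptionKey")

def shared_keys(configs: dict) -> dict:
    """Map every validationKey seen on more than one host to the sorted list of hosts."""
    hosts_by_key = defaultdict(list)
    for host, xml_text in configs.items():
        keys = extract_machine_key(xml_text)
        if keys is None:
            continue  # auto-generated per-machine key; nothing to compare
        hosts_by_key[keys[0]].append(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) > 1}

if __name__ == "__main__":
    for key, hosts in shared_keys(WEB_CONFIGS).items():
        print(f"validationKey {key!r} reused on: {', '.join(hosts)}")
```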

Link HERE

CWE list now includes hardware security weaknesses

Link HERE

A Security Review of SharePoint Site Pages by MDSec

Link HERE

Tool of the week

Public version of PagerDuty’s employee security training courses

PagerDuty Security Training

Link HERE More on PagerDuty and Security HERE

CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis – Introduction to Malware Analysis and Reverse Engineering

Link HERE

The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you

Link HERE

Syhunt Tools

Link HERE

O.MG CABLE

It looks like the real thing. It feels like the real thing, down to the millimeter. It is packed with a web server, 802.11 radio, and way more memory and processing power than the type of cable you would want for just doing demos. That’s because the O.MG Cable is built for covert field-use by Red Teams, with features that enhance remote execution, stealth, forensics evasion, all while being able to quickly and dynamically change your tooling with minimal effort.

O.MG Cable

The O.MG Cable allows you to wirelessly execute almost every feature, and not just creating, saving, or executing payloads. You can wipe the flash clean, convert the O.MG Cable to an innocuous state, “break” the O.MG Cable so it will no longer pass data, and even flash new firmware

Link HERE

Raven – Linkedin Information Gathering Tool for Pentesters

Link HERE

Xencrypt – A PowerShell Script Anti-Virus Evasion Tool

Link HERE

Other interesting articles 

##McAfee CTO Talks Coronavirus, Cybersecurity, and Quantum

Grobman’s keynote made the case that existing cyberdefenses share too many traits with legacy immunology practices. “The point being that infectious disease requires a spectrum of action from sophisticated technology to fundamental, simple basic principles like, as you just heard, washing hands,” he said. “Consider the challenges of some of the most fundamental principles in our world. Are we being aggressive enough in the way that we share threat intelligence? No. We must move beyond the hash and move to higher fidelity threat sharing paradigms.”

And, to make the connection between Ghai’s Typhoid Mary example and cybersecurity: “consider the people who cook the food rather than those who consume it,” with the cooks being the software developers, serving up delicious, and sometimes vulnerability-ridden code to end users.

“For far too long we have failed to hold IT and software makers accountable for cyber hygiene and vulnerabilities. … We need to continue to educate the users, but it is time to invite IT to our story as primary characters acting as the first line of defence”

Link HERE

 

##Emoji to Zero-Day

Latin Homoglyphs in Domains and Subdomains

This vulnerability is similar to an IDN Homograph attack and presents all the same risks. An attacker could register a domain or subdomain which appears visually identical to its legitimate counterpart and perform social-engineering or insider attacks against an organization
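A small detection routine for the look-alike domains described above, added here as an example (not from the linked article): it folds compatibility characters, combining marks and a constructed, deliberately small confusables table onto ASCII and flags a candidate whose folded form matches a legitimate domain. The table and domains are constructed for this example; a production check would use the full Unicode confusables data instead.

```python
"""Detect Latin (and other) homoglyph look-alikes of a legitimate domain.
CONFUSABLES is a constructed, partial table for illustration only."""
import unicodedata

CONFUSABLES = {
    "\u0131": "i",  # ı  Latin small dotless i
    "\u0261": "g",  # ɡ  Latin small script g
    "\u0251": "a",  # ɑ  Latin small alpha
    "\u0430": "a",  # а  Cyrillic small a
    "\u043e": "o",  # о  Cyrillic small o
    "\u0441": "c",  # с  Cyrillic small es
    "\u0435": "e",  # е  Cyrillic small ie
    "\u0440": "p",  # р  Cyrillic small er
    "\u03bf": "o",  # ο  Greek small omicron
}

def skeleton(domain: str) -> str:
    """Fold a domain to the ASCII shape a reader would perceive."""
    # 1. Compatibility decomposition handles fullwidth letters, ligatures and
    #    roman numerals such as U+217C (small roman numeral fifty, looks like 'l').
    decomposed = unicodedata.normalize("NFKD", domain)
    # 2. Drop combining marks so an accented letter folds to its base letter.
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    # 3. Map known confusables onto the ASCII letter they imitate.
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in base)
    return folded.casefold()

def is_lookalike(candidate: str, legitimate: str) -> bool:
    """True when the domains differ as strings but fold to the same skeleton."""
    if candidate.casefold() == legitimate.casefold():
        return False
    return skeleton(candidate) == skeleton(legitimate)

def non_ascii_labels(domain: str) -> list:
    """DNS labels that would be IDNA-encoded (xn--) on the wire."""
    return [label for label in domain.split(".") if not label.isascii()]

if __name__ == "__main__":
    # Constructed candidates: Cyrillic 'а', Latin script 'ɡ', roman numeral 'ⅼ'.
    for cand in ["ex\u0430mple.com", "\u0261oogle.com", "paypa\u217c.com", "examp1e.com"]:
        print(f"{cand!r}: lookalike={is_lookalike(cand, cand.encode('ascii', 'ignore').decode() or 'example.com')}"
              f" idna_labels={non_ascii_labels(cand)}")
```

The Unicode confusables data (the full version of the table sketched here) and the IDNA label check together give a defender two signals: a folded match against a protected brand, and the presence of a non-ASCII label in what should be an ASCII domain.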

Link HERE

 

##…AND THEN THERE WERE SIX

A STORY OF CYBERESPIONAGE INCIDENT RESPONSE BY DART THAT UNCOVERED FIVE ADDITIONAL THREAT ACTORS IN ONE ENVIRONMENT

Link HERE

 

##And finally, THE LAST SCIENTIFIC CALCULATOR?

This week, Al Williams wrote up an article on what might be the last scientific calculator. Back in the day, the fanciest of scientific calculators had not just sin, cos, and tan, but were also programmable so that you could code in frequently used formulae. And the calculator that he reviews is certainly powerful: with a screen, processor, and memory almost rivalling a mid-scale smartphone.

Wait a minute! “Almost”? I have a smartphone in my pocket right now. Why would I want something less powerful, when all that the calculator brings to the table is a bit of software? And that app can even be purchased for $20!

 

I’ll confess. I want a proper desktop calculator from time to time. But why? Sure, I can run calculations on the very computer that I’m using to type right now. And in terms of programming languages, the resources are far superior on my laptop. Unit conversions? Units, or the Interwebs. Heck, I can even type calculations directly into the Unix world’s default editor.

But there’s something nice about the single-purpose device. Maybe it’s the feel of the keys. Maybe it’s because it doesn’t require a context-switch on the computer. Maybe it’s irrational calculator nostalgia. Or maybe it’s an elegant tool from a more civilized age: the user experience is better because the tool is just simpler

Link HERE

AND

How Smart Do You Feel?

It’s time for a little soul-searching, folks. How would you rate yourself in your ability to determine how other people are feeling? How about in adjusting your behaviour to the social environment? The concept of emotional intelligence (EI) is generally defined as a person’s ability to determine, understand, and respond to the emotional states of one’s self and others

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: http://bit.ly/2xdOLyl  (+)

Description: Exploiting an SSRF – Trials and Tribulations.

URL: https://www.amolbaikar.com/facebook-oauth-framework-vulnerability/

Description: Facebook OAuth Framework Vulnerability.

Links HERE and credits to HERE
