Word of the Week
“Chief Automation Officer – CAO”
What is a chief automation officer?
A chief automation officer handles the process automation of an organisation, positioning the right people and technologies across departments
Word of the Week Special
“Root of Trust”: Intel x86 Root of Trust: loss of trust
The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality. A vulnerability has been found in the ROM of the Intel Converged Security and Management Engine (CSME). This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms. The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole
Will You Put Your Password in a Survey?
Crypto challenge of the week
[Browsers, Office365, Cisco and many others]
Browsers to Start Blocking Sites That Use Old TLS Protocols
By the end of this month, most major browsers will be blocking websites that are using TLS 1.0 and TLS 1.1, which date back to 1996 and 2006, respectively. An estimated 850,000 sites still use the outdated protocols. TLS 1.3 was released in 2018. Shortly thereafter, Mozilla, Google, Apple, and Microsoft announced that they would end support for the older versions of TLS in 2020.
Update 1/31/2020: The grade change is now live on www.ssllabs.com. Servers that support TLS 1.0 or TLS 1.1 are capped to B grade.
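A quick way to audit the change described above from the server side, written as an added example (not code from the original newsletter or from SSL Labs): it builds a Python `ssl` context that refuses TLS 1.0/1.1 and a small checker that reports which deprecated versions a given context would still negotiate. The `legacy_server_context` "before" configuration is constructed here for contrast.

```python
import ssl

# The versions the browser vendors are dropping (TLS 1.0 and TLS 1.1).
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def _resolve_bounds(ctx: ssl.SSLContext):
    """Map the MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED sentinels (negative
    enum values) to concrete protocol versions so range checks compare sanely."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo, hi


def legacy_versions_permitted(ctx: ssl.SSLContext):
    """Return the deprecated TLS versions this context would still accept."""
    lo, hi = _resolve_bounds(ctx)
    return [v for v in LEGACY_VERSIONS if lo <= v <= hi]


def hardened_server_context() -> ssl.SSLContext:
    """Server context pinned to TLS 1.2+; this is what avoids the B-grade cap."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Constructed 'before' configuration that explicitly allows TLS 1.0 again."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_server_context()),
                      ("legacy", legacy_server_context())):
        still = [v.name for v in legacy_versions_permitted(ctx)]
        print(f"{name}: deprecated versions still permitted = {still or 'none'}")
```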
Cambridge Analytica were the tip of the iceberg
Book of the month
Not a book – Predicting the Future of the Web Development (2020 and 2025)
Prediction 1: “TypeScript takes over the JS world”
Prediction 2: “WebAssembly is going to expand the web app pie”
Prediction 3: “npm lasts, surviving further problems”
Prediction 4: “JS alternatives stay niche, but age well”
Comic of the week
## Some OWASP stuff first
- Ten OWASP Commandments
Every so often developers talk about “sanitizing user input” to prevent cross-site scripting attacks. This is well-intentioned, but leads to a false sense of security, and sometimes mangles perfectly good input
- Misconfigurations and Alert Fatigue Require a Modern AppSec Approach
- Browser Exploitation Framework (BeEF) with Gavin Johnson-Lynn
- Threat Hunting For Cybersecurity M&A Due Diligence
OWASP events HERE
Webinar: How to Prioritize Security Controls for Situational Awareness in AWS
Webinar: DJ MITRE: Achieving Harmony in your SOC
Webinar: How to improve security visibility and detection-response operations in AWS
The Social Engineering Village Wrap-up from DEF CON 27
Don’t let her adorable-ness fool you; she’s one
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Consumers urged to secure internet connected cameras
Tesco and Boots issue security warnings to customers
API Security Issue 73 – Up to 75% credential abuse attacks target APIs
Troy Hunt Blog – Issue 181
Exploring Imposter Syndrome through Experience, Education, and Gatekeeping with Lesley Carhart
A top cybersecurity practitioner talks about the importance of culture, continuous learning, and work-life balance in overcoming impostor syndrome
Incidents & events detail
Remember: New Cyber Attack Campaign Leverages the COVID-19 Infodemic – Technical detail
Researchers from Cybaze Yoroi ZLab have spotted a new campaign exploiting the interest in coronavirus (COVID-19) evolution to spread malware
World Health Organization: Scammers are Exploiting Coronavirus Fears
The World Health Organization (WHO) is warning that scammers posing as WHO representatives are trying to trick people into sharing their account access credentials or opening malicious email attachments. Scammers have also been sending email that exploits concerns about COVID-19 to spread malware. Researchers note that more than 4,000 coronavirus-related domains have been registered since the beginning of the year; of those, three percent are considered malicious, and another five percent are suspicious
GitHub: We won’t take down any of your content unless we really have to
Microsoft’s open-source code-sharing platform’s latest report places freedom of expression above all else
Ryuk ransomware strikes across the globe
Show me Your Clipboard Data!
Remember from last week:
10 Yr-Old Facebook Bug Allow Hackers to Steal Access Token & Hijack Anyone’s Facebook Account – 55,000$ Bounty Rewarded
UK’s ICO Fines Cathay Pacific Over Data Leak
The UK’s Information Commissioner’s Office (ICO) has fined Cathay Pacific Airways £500,000 (US $647,000) for a data leak that went undetected for four years. The issue exposed personal data of 9.4 million Cathay Pacific customers between 2014 and 2018. The ICO says that during that time, Cathay Pacific systems were inadequately protected
Panorama: Spying on the Scammers
Link HERE (you need UK IP)
Google to put a muzzle on Android apps accessing location data in the background
Google will also update Android’s location access permission prompt (again)
Intel Chip Flaw is Unfixable
Researchers have found another flaw affecting Intel chips. This one affects most Intel chips manufactured within the last five years. While the flaw is not trivial to exploit and Intel has released mitigations that can lessen the damage from exploits, the issue cannot be fixed without physically replacing the chip. The problem lies in the Converged Security and Management Engine (CSME).
670+ Subdomains of Microsoft are Vulnerable to Takeover (Lead to Account Takeover)
Virgin Media’s data incident
Virgin Media data breach ‘could link customers to pornographic sites’
XSS plugin vulnerabilities plague WordPress users
A new variant of the Cerberus trojan for Android devices can steal users’ Google two-factor authentication passcodes to gain access to secured accounts
“Let’s Encrypt” Removes Deadline for Revoking Certificates Over CCA Code Problem
Last week, certificate authority (CA) Let’s Encrypt discovered a bug in its Certification Authority Authorization (CAA) code. The organization initially set a deadline of March 4 for administrators to replace affected certificates before it would begin revoking those that had not been replaced. On Wednesday, March 4, Let’s Encrypt said it would revoke the 1.7 million certificates it knows have been replaced as well as 445 certificates it has deemed high priority. Let’s Encrypt has not set a revocation deadline for the remaining certificates, noting that it will “revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users.”
Research of the week
Featuring – The Case for Limiting Your Browser Extensions
Last week, KrebsOnSecurity reported to health insurance provider Blue Shield of California that its Web site was flagged by multiple security products as serving malicious content. Blue Shield quickly removed the unauthorized code. An investigation determined it was injected by a browser extension installed on the computer of a Blue Shield employee who’d edited the Web site in the past month.
The incident is a reminder that browser extensions — however useful or fun they may seem when you install them — typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. And as we’ll see, it’s not uncommon for extension makers to sell or lease their user base to shady advertising firms, or in some cases abandon them to outright cybercriminals
App-Layer Encryption in AWS
Encrypting application data has traditionally been complicated. It runs the risks of being done incorrectly, not being more secure, negatively impacting performance or availability, and even losing access to data. Square has long had encryption infrastructure in our data centres, but we wanted to make encrypting sensitive data self-service, safe, fast, and easy for Cash App services running in the cloud as well. We have been iterating on this design over the last year and now have several services using it in production powering live Cash App features. We thought this would be a good time to share how we did it
CVE-2020-0688 Losing the keys to your kingdom
CVE-2020-0688 or how key reuse led to remote code execution on Exchange servers.
Recently, Microsoft published an advisory for a vulnerability in Exchange Server that was fixed as part of the February 2020 Patch Tuesday. Looking at the description we can guess what it is about:
CWE list now includes hardware security weaknesses
A Security Review of SharePoint Site Pages by MDSec
Tool of the week
Public version of PagerDuty’s employee security training courses
CS6038/CS5138 Malware Analysis, UC
Course content for UC Malware Analysis – Introduction to Malware Analysis and Reverse Engineering
The Social Engineering Framework
It looks like the real thing. It feels like the real thing, down to the millimeter. It is packed with a web server, 802.11 radio, and way more memory and processing power than the type of cable you would want for just doing demos. That’s because the O.MG Cable is built for covert field-use by Red Teams, with features that enhance remote execution, stealth, forensics evasion, all while being able to quickly and dynamically change your tooling with minimal effort.
The O.MG Cable allows you to wirelessly execute almost every feature, and not just creating, saving, or executing payloads. You can wipe the flash clean, convert the O.MG Cable to an innocuous state, “break” the O.MG Cable so it will no longer pass data, and even flash new firmware
Raven – Linkedin Information Gathering Tool for Pentesters
Xencrypt – A PowerShell Script Anti-Virus Evasion Tool
Other interesting articles
## McAfee CTO Talks Coronavirus, Cybersecurity, and Quantum
Grobman’s keynote made the case that existing cyberdefenses share too many traits with legacy immunology practices. “The point being that infectious disease requires a spectrum of action from sophisticated technology to fundamental, simple basic principles like, as you just heard, washing hands,” he said. “Consider the challenges of some of the most fundamental principles in our world. Are we being aggressive enough in the way that we share threat intelligence? No. We must move beyond the hash and move to higher fidelity threat sharing paradigms.”
And, to make the connection between Ghai’s Typhoid Mary example and cybersecurity: “consider the people who cook the food rather than those who consume it,” with the cooks being the software developers, serving up delicious, and sometimes vulnerability-ridden code to end users.
“For far too long we have failed to hold IT and software makers accountable for cyber hygiene and vulnerabilities. … We need to continue to educate the users, but it is time to invite IT to our story as primary characters acting as the first line of defence”
## Emoji to Zero-Day
Latin Homoglyphs in Domains and Subdomains
This vulnerability is similar to an IDN Homograph attack and presents all the same risks. An attacker could register a domain or subdomain which appears visually identical to its legitimate counterpart and perform social-engineering or insider attacks against an organization
## …AND THEN THERE WERE SIX
A STORY OF CYBERESPIONAGE INCIDENT RESPONSE BY DART THAT UNCOVERED FIVE ADDITIONAL THREAT ACTORS IN ONE ENVIRONMENT
## And finally, THE LAST SCIENTIFIC CALCULATOR?
This week, Al Williams wrote up an article on what might be the last scientific calculator. Back in the day, the fanciest of scientific calculators had not just sin, cos, and tan, but were also programmable so that you could code in frequently used formulae. And the calculator that he reviews is certainly powerful: with a screen, processor, and memory almost rivalling a mid-scale smartphone.
Wait a minute! “Almost”? I have a smartphone in my pocket right now. Why would I want something less powerful, when all that the calculator brings to the table is a bit of software? And that app can even be purchased for $20!
I’ll confess. I want a proper desktop calculator from time to time. But why? Sure, I can run calculations on the very computer that I’m using to type right now. And in terms of programming languages, the resources are far superior on my laptop. Unit conversions? Units, or the Interwebs. Heck, I can even type calculations directly into the Unix world’s default editor.
But there’s something nice about the single-purpose device. Maybe it’s the feel of the keys. Maybe it’s because it doesn’t require a context-switch on the computer. Maybe it’s irrational calculator nostalgia. Or maybe it’s an elegant tool from a more civilized age: the user experience is better because the tool is just simpler
How Smart Do You Feel?
It’s time for a little soul-searching, folks. How would you rate yourself in your ability to determine how other people are feeling? How about in adjusting your behaviour to the social environment? The concept of emotional intelligence (EI) is generally defined as a person’s ability to determine, understand, and respond to the emotional states of one’s self and others
## HACKING, TOOLS and FUN – CHECK BELOW!
URL: http://bit.ly/2xdOLyl (+)
Description: Exploiting an SSRF – Trials and Tribulations.
Description: Facebook OAuth Framework Vulnerability.