Security Stack Sheet #89

Word of the Week

“Cyber cannot fix the humans”

The security challenges of complexity, alert fatigue, knowledge gaps, resource scarcity, and staff burn-out aren’t new. When you consider them alongside the staggering investments that we’ve made in security, it doesn’t seem right. Check the record and you’ll see that over the past 8 years (2011-2019) spending on cybersecurity has more than doubled, but in that time the FBI reports that damage from cybercrime has increased by more than six times.

This imbalance, and the appearance of utter futility, starts with a lack of empathy.

Links HERE and HERE and HERE and HERE and HERE and HERE

Word of the Week Special

The Four (or more) Horsemen Of The “Cyberpocalypse”

John Martin — Preventing a Cyberpocalypse


John Martin has owned responsibilities ranging from Software Supply Chain to DevSecOps Security Champions to Cloud Security Monitoring. His career spans the years between Blue-Box MF generators, through the era of automated hacks, and into our modern age of industrialized paranoia. He is a frequent speaker on the topic of commercial software security and a contributor to many SAFECode and CSA efforts. John joins us to discuss the prevention of a cyberpocalypse. You heard it correctly. Now tune in to learn what a cyberpocalypse is and why you need to care about it. We hope you enjoy this conversation with John Martin

Links HERE and HERE and HERE and HERE and a cyber-poem HERE

“COVID-19 Cyber Scams”

How to avoid

Link HERE

Bonus


Link HERE


Link HERE


Link HERE

Anonymous about Coronavirus


Link HERE


Link HERE


Link HERE

Crypto challenge of the week

Inclusion

A beginner-level LFI challenge

Link HERE

Dates

  • May 25th 2018: Almost 2 years of GDPR Live! See incidents section below GDPR Enforce Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE DONE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • November 3rd 2020: Trump’s second term start
  • 1st of April 2021 – COVID-19 is finally history? Or sooner? Or later?

Link HERE

AND

Live Coronavirus Map Used to Spread Malware

Links HERE and HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

DoD Enterprise DevSecOps Ask Me Anything Sessions

Link HERE

Cybersecurity Law, Policy, and Institutions (version 3.0) eCaseBook

Link HERE

Comic of the week

Mandatory Blockchain Class - Dilbert by Scott Adams

##Some OWASP stuff first

-Do your Pipelines Remember with James Rabon

Gavin BeEf framework feature

Link HERE

-ZAP SSRF Setup

Some vulnerabilities can only be found by sending payloads that cause a call-back to the tester. One example is XXE vulnerabilities where the result of the XML rendering is not shown to the user. ZAP can find these vulnerabilities, which depend on SSRF detection, but the target system needs to be able to reach the ZAP call-back endpoint. In many cases the computer running ZAP is behind some kind of NAT and doesn’t have a public IP, so it will not receive the expected call-backs and will miss some of the existing vulnerabilities.

Link HERE

-Pass-the-Hash is still a threat

Pass-the-Hash is a very old technique that was originally published by Paul Ashton in 1997. Although Pass-the-Hash has existed for more than a decade, it is still used a lot in most ransomware attacks, for example the one on the University of Maastricht. But why is this still a problem?

Link HERE

-Threat Dragon: OWASP launches desktop version of popular threat modelling tool

The Open Web Application Security Project (OWASP) has released an installable desktop variant of Threat Dragon, its popular threat modelling application.

The free and open source Threat Dragon tool includes system diagramming and a rule engine to automatically determine and rank security threats, suggest mitigations, and implement countermeasures

Link HERE


Events

OWASP events HERE

All InfoSec events HERE – the best Conferences in 2020 HERE

No More events for the foreseeable future! OWASP Dublin cancelled HERE


Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


Coronavirus used as bait by phishers

Several cyber security researchers have uncovered a surge in the number of phishing emails using the coronavirus as a lure.

Cyber criminals have been exploiting the pandemic to steal money or sensitive information through phishing campaigns in several countries

Global network of bots brought down

Cyber security teams from across 35 countries, including Microsoft, have dismantled one of the world’s largest networks of bots.

The network, called Necurs, is believed to have infected more than nine million computers worldwide.

A botnet is a network of infected devices, connected to the Internet, used to commit coordinated cyber attacks without their owner’s knowledge

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 74 – Vulnerability in Login with Facebook, API security talks

Link HERE

Incidents & events detail

Dark web drug dealers ‘selling coronavirus masks’ to exploit global pandemic

Link HERE

Vicious Panda: The COVID Campaign

Link HERE

Microsoft discloses wormable flaw after Patch Tuesday announcement

Link HERE

AND

CVE-2020-0796: “Wormable” Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3 (ADV200005)

Links HERE and HERE and PATCH HERE

Avast Disables JavaScript Engine Over Security Concerns

Avast has disabled the JavaScript engine in its antivirus product after it was found to contain a remote code execution vulnerability. Researchers at Google Project Zero say that the emulator, which checks JavaScript code for malware before it is allowed to execute, “is unsandboxed and has poor mitigation coverage.”

Link HERE

Hackers Spoofing HTTPS Domains to Skim Payment Card Data

Hackers inserted malicious code into a website belonging to a US meat delivery service. The code, which includes a malicious domain, allowed the hackers to intercept customers’ payment information. While the malicious domain has been removed from the company’s website, it has been detected on other companies’ sites

Link HERE

Insecure Whisper

Whisper, the secret-sharing app that called itself the “safest place on the Internet,” left years of users’ most intimate confessions exposed on the Web tied to their age, location and other details, raising alarm among cybersecurity researchers that users could have been unmasked or blackmailed

Link HERE

Luca Todesco teases checkra1n hacks on a T2-equipped MacBook Pro’s Touch Bar

Link HERE

Research of the week

Featuring – Enter Mordor 😈: Pre-recorded Security Events from Simulated Adversarial Techniques 🛡

It is Monday and you want to start your week by learning about a new adversarial technique and build detections around it

Link HERE

How to Turn Your Blue Team ‘Purple’

Flipping Cybersecurity on its Head

Link HERE

Cloud WAF Comparison Using Real-World Attacks

Many teams consider use of Web Application Firewalls (WAFs) as a best practice or a compliance requirement when implementing web applications. All firewalls are used to control and monitor traffic. A WAF is a specific firewall that is designed to identify and prevent attacks from web application traffic. The expectation is that the firewall will prevent command injection attacks, cross-site scripting attacks, protocol violations, and other common attacks against web applications

Link HERE – thanks to Mithun

Human-operated ransomware attacks: A preventable disaster

Human-operated ransomware campaigns pose a significant and growing threat to businesses and represent one of the most impactful trends in cyberattacks today. In these hands-on-keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network

Link HERE

Network Science & Threat Intelligence with Python: Network Analysis of Threat Actors/Malware Strains

You might be asking… what is Network Science and how does it apply to threat intelligence?! Well, of course, I am going to answer this…

Link HERE

Tool of the week

The NCSC are giving away free malware simulators

The NCSC’s Exercise in a Box has a simulator that allows you to mimic a common malware command and control technique. The simulator is just one of several exercises that make up the “Exercise in a Box” that can be downloaded and used for free from the NCSC. The majority of the scenarios are conducted in a tabletop format but this simulator now lets these exercises test technological security controls

Link HERE

Ghostcat Vulnerability Scanner (CVE-2020-1938)

Detect Apache Tomcat servers vulnerable to Ghostcat due to an insecure AJP Connector

Link HERE Detect using Qualys HERE

Distribute Damage

Designed to make Burp evenly distribute load across multiple scanner targets, this extension introduces a per-host throttle and a context menu to trigger scans from. It may also come in useful for avoiding detection

Link HERE

Crescendo: Real Time Event Viewer for macOS

Link HERE

Other interesting articles 

##Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate

Coveware’s Q4 Ransomware Marketplace report aggregates anonymized ransomware data from cases handled and resolved by Coveware’s Incident Response Team, and other Incident Response firms that utilize the Coveware Incident Response Platform to manage their own cases. This report discusses data points like the average ransom amounts, data recovery rates, and ransomware attack vectors. Unlike surveys, which rely on sentiment, this report is created solely from a standardized set of data collected from every case. By aggregating and sharing this data we believe large and small enterprises can better protect themselves from the persistent and ever-evolving ransomware threat


Link HERE


##The Power Of Artificial Intelligence Vs. The Power Of Human Intelligence

The most immediate benefit of artificial intelligence (AI) for business is increasingly clear: it’s a huge opportunity for increased productivity. 

Gartner recently calculated that in 2021, AI augmentation will create >€2.6 trillion of business value and save 6.2 billion man-hours globally, and a survey by McKinsey has estimated that AI analytics could add around $13trn, or 16%, to annual global GDP by 2030.

The easiest and fastest way to implement business AI is to add machine learning to existing business processes

Link HERE


##And finally, All Management Is Change Management

Change management is having its moment. There’s no shortage of articles, books, and talks on the subject. But many of these indicate that change management is some occult subspecialty of management, something that’s distinct from “managing” itself. This is curious given that, when you think about it, all management is the management of change.

If sales need to be increased, that’s change management. If a merger needs to be implemented, that’s change management. If a new personnel policy needs to be carried out, that’s change management. If the erosion of a market requires a new business model, that’s change management. Costs reduced? Productivity improved? New products developed? Change management


Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: http://bit.ly/3cViP2b  (+)

Description: The unexpected Google wide domain check bypass.

URL: https://hackerone.com/reports/737140

Description: Mass account takeovers using HTTP Request Smuggling.

Links HERE and credits to HERE
