Security Stack Sheet #90

Word of the Week

“Cyber Security Skills Gap”

Useless Certs, Too Few Women, Poor Training


Link HERE

Word of the Week Special

“What to do after leaking credentials and API keys?”

1. Revoke the secret or credentials
2. (Optional) Permanently delete all evidence of the leak
3. Check access logs for intruders
4. Implement future tools and best practices
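Step 3 applied to an AWS key, as an added example that is not part of the linked article: scan CloudTrail-style records for uses of the leaked access key after the leak time from addresses that are not on a known-good list. The records, key ids, IP addresses and times below are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-style records for illustration; key ids and IPs are placeholders.
LEAKED_KEY_ID = "AKIAEXAMPLELEAKED000"   # placeholder for the leaked access key id
LEAK_TIME = datetime(2020, 4, 1, 9, 0, tzinfo=timezone.utc)   # when the key was published
KNOWN_IPS = {"203.0.113.10"}             # addresses the key was legitimately used from (CI runner)

SAMPLE_EVENTS = [
    {"eventTime": "2020-04-01T08:45:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": LEAKED_KEY_ID}},
    {"eventTime": "2020-04-01T09:30:12Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": LEAKED_KEY_ID}},
    {"eventTime": "2020-04-01T09:31:05Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": LEAKED_KEY_ID}},
    {"eventTime": "2020-04-01T10:00:00Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": LEAKED_KEY_ID}},
    {"eventTime": "2020-04-01T10:05:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"accessKeyId": "AKIAEXAMPLEOTHER0000"}},
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_uses(events, key_id, leak_time, known_ips):
    """Return (time, action, ip) for every use of the leaked key after the leak
    from a source address that is not on the known-good list."""
    hits = []
    for ev in events:
        if ev.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        when = parse_event_time(ev["eventTime"])
        if when < leak_time or ev.get("sourceIPAddress") in known_ips:
            continue
        hits.append((ev["eventTime"], ev["eventName"], ev["sourceIPAddress"]))
    return hits


def attacker_sources(hits):
    """Count suspicious calls per source IP so each address can be reviewed."""
    counts = {}
    for _, _, ip in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for when, action, ip in suspicious_uses(SAMPLE_EVENTS, LEAKED_KEY_ID, LEAK_TIME, KNOWN_IPS):
        print(f"{when} {action} from {ip}")
```

Runs of GetCallerIdentity followed by listing calls from an unfamiliar address are the typical first sign that someone else picked the key up, and every hit should be reviewed even after the key is revoked.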

Link HERE and Gaining AWS Console Access via API Keys Link HERE


Bonus



Thanks to Gavin


Thanks to Rich

Crypto challenge of the week

Cyber Security Crossword - WordMint

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below; GDPR Enforcement Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 is mandatory for proper security; HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSL Labs will rate your TLS1.0 setup as B – Qualys will downgrade you HERE DONE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Links HERE, video HERE and book discussion HERE

Comic of the week

Dogbert In The Cloud - Dilbert by Scott Adams

## Some OWASP stuff first

- Web Application Testing Has Problems: We’ve Been Doing It Wrong

What if much of the web application testing we’ve been doing did not find the vulnerabilities that matter?  What if it didn’t matter when you fixed the crappy code, as it took the same amount of time to fix each different vulnerability, as long as the problems that mattered were fixed before they were exploited?  Would there be a much more efficient use of resources to direct against the vulnerabilities that matter?

A screenshot of a cell phone Description automatically generated

Link HERE – thanks to TK

- Threat Modelling with Questionnaires

Link HERE and a tool – Pythonic framework for TM HERE


Events

OWASP events HERE

OWASP Foundation will be holding Virtual AppSec Days on April 27-29th

Registration will open on MONDAY, April 6

Link HERE

OWASP Newcastle May meetup

This will now be an online-only event. The stream will start around 1815.
Link for the stream:
HERE

Link HERE

Deep Thoughts Engineering Speaker Series: John Carmack

Link HERE


Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


NCSC Weekly Threat Report


New COVID-19 phishing scam spotted

A new phishing campaign pretending to be from a local hospital in the US has been spotted in an unfortunate trend of coronavirus-related scams.
Phishing is when criminals try to convince you to click on links within a scam email or text message, or to give sensitive information away (such as bank details).

Microsoft warns coronavirus-hit hospitals of ransomware threat

Microsoft has warned dozens of hospitals that vulnerabilities in their VPN and network gateway devices are being targeted by human-operated ransomware campaigns, according to a blog post by the firm.
With healthcare providers under huge pressure due to the coronavirus pandemic and with more people using VPNs to work from home, Microsoft took the unprecedented move to alert the organisations to the threat and to strongly advise them to apply security updates.

Hotel chain Marriott suffers another serious data breach

Hotel chain Marriott International has suffered its second major data breach in 18 months, exposing personal information belonging to 5.2 million customers.

In an incident notification published on its website, the company said it spotted unusual activity in February on an app typically used by guests to access services, with the login credentials of two Marriott employees found to have accessed “an unexpected amount” of guest data.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 77 – Vulnerabilities in GitLab, OAuth 2.1 draft is out

Link HERE

Incidents & events detail

Zoom admits user data ‘mistakenly’ routed through China

Link HERE

Free Website Pentesting amid COVID-19

Link HERE

Second Anonymous video released on COVID19

Link HERE

Security News This Week: Ransomware Groups Promise Not to Hit Hospitals Amid Pandemic

Link HERE

How Coronavirus is Impacting Cyberspace

Links HERE and HERE and NCSC article HERE

How to Embezzle Money Using Amazon AMIs

Link HERE

Research of the week

Featuring – Attacking Secondary Contexts in Web Applications

Sam Curry’s Kernelcon talk has some great details and examples of how to identify how a web app does its routing (without source code) and the vulnerabilities that can ensue. Well worth reading if your job is attacking or defending web apps.

Link HERE

Analysing WhatsApp Calls with Wireshark, radare2 and Frida

In this article I want to demonstrate how I revealed parts of the WhatsApp VoIP protocol with the help of a jailbroken iOS device and a set of forensic tools. WhatsApp got a lot of attention due to security vulnerabilities and hacks, so it is an interesting target for teaching security analysis.

Link HERE

UNIX-STYLE APPROACH TO WEB APPLICATION TESTING

Link HERE

Top 10 security items to improve in your AWS account

10 most important security tips

Link HERE and Azure Security Benchmark—90 security and compliance best practices for your workloads in Azure Link HERE

Building a Repeatable and Hardened Vault POC

You don’t need to spend a lot of time and energy to give your HashiCorp Vault deployment production hardening.


Link HERE

Sniffing Authentication References on macOS

Details of a privilege-escalation vulnerability (CVE-2017-7170)

Link HERE

The AI and Human Element Security Sentiment Study

Link HERE

Tool of the week

AWS SCP Best Practices

AWS Service Control Policies (SCPs) are a way of restricting the actions that can be taken in an AWS account so that no IAM user or role, not even the root user, can perform them. This feature is part of AWS Organizations, and SCPs are controlled by the Organization Master account. This article explains the important concepts of SCPs and then provides example SCPs that can be used.

Link HERE

RFC 8725

JSON Web Token Best Current Practices

Link HERE

MKIT

A managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and of the workloads/resources running inside the cluster.

Link HERE

Remember: gtunnel

A robust tunnelling solution written in Go.

Link HERE

LeakLooker GUI — Discover, browse and monitor database/source code leaks

Link HERE

ElectricEye

Continuously monitor your AWS services for configurations that can lead to degradation of confidentiality, integrity or availability. All results are sent to Security Hub for further aggregation and analysis.

Link HERE

Other interesting articles 

## Bug bounty platforms buy researcher silence, violate labour laws, critics say

The promise of crowdsourced cybersecurity, fuelled by “millions of hackers,” turns out to be a pipe dream, despite high-octane marketing from the bug bounty platforms.

Link HERE – thanks to Ben


## File Upload: A Critical Gap in Web App Security

In this recorded webcast, we cover three types of risks to web applications and how to apply a Zero Trust model to users, to the files they upload and to the devices from which those files originate. The risks come from:

  • Threat actors who submit malicious files to gain access to the organization’s IT infrastructure.
  • Users who submit sensitive data in violation of an application’s terms of service.
  • Inadvertently hosting and distributing malicious files uploaded by a threat actor.

Link HERE – thanks to Alvin


## Fixing the Desktop Linux Security Model

Whonix is a security, privacy and anonymity focused Linux distribution. Recently, we’ve been focusing a lot on important security hardening measures and on fixing architectural security issues within the desktop Linux security model. Any Linux distribution can be affected by these issues.

Link HERE


## And finally, the Coronavirus Could Reshape Global Order

China Is Manoeuvring for International Leadership as the United States Falters

Link HERE

## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/791775

Description: Bypass Shopify’s email verification.

URL: https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/

Description: How To Bypass CSP By Hiding JavaScript In A PNG Image.

URL: https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/

Description: Pi-hole Remote Code Execution (CVE-2020-8816).

Links HERE and credits to HERE

