Security Stack Sheet #91

Word of the Week

“Deceptively Simple” – Prioritising Security Improvements

In most organizations you are constantly upgrading your security controls. This is for many reasons, including:

  • New threats induce higher risk exposure and require new forms of mitigation
  • New assets or business processes change the risk profile requiring better controls
  • Old controls, or wider mitigation frameworks, may have newly discovered flaws
  • Current controls might be harming organization agility or efficiency in the context of business goals
  • New legal, regulatory or contractual requirements stipulate a new form of control

Link HERE

Word of the Week Special

“Special times call for special measures”

A thread – Link HERE

Bonus

Link HERE

Link HERE

Link HERE

Link HERE

Link HERE

Link HERE

Link HERE

Crypto challenge of the week

Link HERE

Hacky Easter Archive

Link HERE

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE DONE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • 1st of June 2020 – Freedom from viruses
  • November 3rd 2020: Trump’s second term start

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Building Secure and Reliable Systems

Book

Links HERE

The Cygenta Cyber Security Activity book – for older kids

Link HERE

Comic of the week

 - Dilbert by Scott Adams

##Some OWASP stuff first

-JavaScript and Friends – OWASP Fundamentals with Bill Sempf

Link HERE

-Trends in mobile application vulnerabilities in the region

Link HERE

-Is ZAP the World’s most Popular Web Scanner?

Link HERE

-OWASP secureCodeBox

The OWASP secureCodeBox Project is a Docker-based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box. With the secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging-fruit issues early in the development process and free the penetration tester's resources to concentrate on the major security issues.

Link HERE – thanks to Javan

-OWASP SKF labs – 50+ examples of vulnerabilities and guides on how to exploit them

Zerocopter’s CTO Riccardo ten Cate and his brother Glenn ten Cate have been working on, and have donated to OWASP, an entire knowledge framework solely dedicated to helping developers make their code secure by design.

Link HERE

Events

OWASP events HERE

OWASP Foundation will be holding a Virtual AppSec Days on April 27-29th

Registration will open on MONDAY, April 6

Link HERE

OWASP Newcastle May meetup

This will now be an online-only event. The stream will start around 1815.
Link for the stream:
HERE

Link HERE

GitHub Security Virtual Meetup

Thu, April 23, 2020 4:00 PM – 7:00 PM PDT

Link HERE

OWASP ZAP in Ten: Extended Edition

Link HERE

The Many Hats Club Presents Isolation Con

19th of April

Link HERE

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report

UK and US issue joint report about COVID-19 exploitation

The COVID-19 pandemic is being increasingly exploited by malicious cyber actors and advice has this week been issued by both the UK and the US.

A report, jointly published by the NCSC and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), provides information on the exploitation of COVID-19 by cyber criminals and advanced persistent threat (APT) groups. It also includes a list of indicators of compromise (IOCs) for detection as well as mitigation advice.

Microsoft Exchange admins urged to immediately patch critical flaw

In a blog post this week, cyber security firm Rapid7 revealed that over 350,000 Microsoft Exchange servers exposed on the internet haven’t been patched against the CVE-2020-0688 post-auth remote code execution vulnerability. This comes despite Microsoft issuing a patch for the vulnerability on February 22nd.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 78 – Vulnerabilities in WordPress Rank Math, Tapplock, and TicTocTrack

Link HERE

Incidents & events detail

Cloud backup options for mitigating the threat of ransomware

The increase in cyber attacks related to COVID-19 (and the number of people now home working) means it is more important than ever to ensure your information is backed up securely

Link HERE

THE LOGIC BEHIND RUSSIAN MILITARY CYBER OPERATIONS

What motivates state-sponsored cyber actors

Link HERE

Google removes Android VPN with ‘critical vulnerability’ from Play Store

Link HERE

Cloudflare dumps reCAPTCHA as Google intends to charge for its use

Cloudflare says it’s moving to hCaptcha, an alternative CAPTCHA service that is more private than reCAPTCHA.

Link HERE

Foreign Spies Are Targeting Americans on Zoom and Other Video Chat Platforms, U.S. Intel Officials Say

Link HERE

How I hacked worldwide ZOOM users

Link HERE and ZOOMs response HERE and HERE

AND

Move Fast and Roll Your Own Crypto

Quick Look at the Confidentiality of Zoom Meetings

Link HERE

Breaking LastPass: Instant Unlock of the Password Vault

Link HERE

Firefox 75 will respect ‘nosniff’ for Page Loads

Link HERE

Global COVID-19 apps found suffering from flaws, malicious copycats

Link HERE

Link HERE

Threat Alert: Kinsing Malware Attacks Targeting Container Environments

Link HERE

Research of the week

Featuring – Secure Remote Endpoints from Vulnerabilities in Video Conferencing & Productivity Applications like Zoom

Several security vulnerabilities were reported on Zoom as below:

Zoom leaking data to Facebook – Zoom confirmed that the Facebook SDK for iOS client feature has been removed and is reconfigured for users to log in with Facebook via their browser.

Zoom meetings not end-to-end encrypted – As per this Zoom blog post, Zoom has implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings, including – but not limited to – the video, audio, and chat content of those meetings.

Link HERE

Explorations of Trust in AR, VR, and Smart Devices request for proposals

Link HERE

Attack matrix for Kubernetes

Link HERE – thanks to Naz

TPM Genie – Interposer attacks against the trusted platform module serial bus

Link HERE

Extracting TLS keys from an unwilling application

Link HERE

Tool of the week

grep.app

Search across a half million git repos

Link HERE

XSpear – Powerful XSS scanning and parameter analysis tool and gem

Link HERE

National Checklist Program Repository

The National Checklist Program (NCP), defined by NIST SP 800-70, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications.

Link HERE

Course content, lab setup instructions and documentation of our very popular Breaking and Pwning Apps and Servers on AWS and Azure hands on training

Link HERE

CRYPTOHACK

A fun platform for learning modern cryptography

Link HERE

VulnIQ Security Analyzer, code named Terzi

Link HERE

Protect your workforce from Phishing attacks for FREE

Link HERE – thanks to Naz

Other interesting articles 

##How we abused Slack’s TURN servers to gain access to internal services

Link HERE and PoC demo HERE

##Cyber jobs deemed essential during pandemic

Link HERE

##Having fun with Microsoft Teams

Link HERE – thanks to Mike

##Digging into the Privacy Sandbox

The Privacy Sandbox is a series of proposals to satisfy third-party use cases without third-party cookies or other tracking mechanisms.

Link HERE

##And finally, the Cold War roots of Putin’s digital-age intelligence strategy

Spying may be the world’s second-oldest profession, but Russian President Vladimir Putin has certainly given it a fresh makeover. To fully grasp what Russia did in the 2016 U.S. presidential election — and hopes to replicate this fall — you need to look back to the end of the Cold War. Putin was a young Soviet KGB officer in Dresden, East Germany, and as the Berlin Wall teetered, he sought guidance from Moscow. The response: “Moscow is silent.”

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://www.ryanpickren.com/webcam-hacking

Description: The story of how I gained unauthorized Camera access on iOS and macOS.

URL: https://blog.mert.ninja/freemarker-ssti-on-lithium-cms/

Description: Limited FreeMarker SSTI to Arbitrary LiQL Query and Manage Lithium CMS.

URL: https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/#executive-summary-tldr

Description: How we abused Slack’s TURN servers to gain access to internal services.

Links HERE and credits to HERE
