Word of the Week
“COVID-19 Government Mobile Apps”
Iran, Colombia, and Italy Put Citizens at Risk with COVID-19 Government Mobile Apps
BEWARE OF FAKE APPS! CHECK THE CREATOR & TRUSTED SOURCES THOROUGHLY!
Also Apple and Google Team Up to ‘Contact Trace’ the Coronavirus
Bruce Schneier’s opinion:
To me, the real problems aren’t around privacy and security. The efficacy of any app-based contact tracing is still unproven. A “contact” from the point of view of an app isn’t the same as an epidemiological contact. And the ratio of infections to contacts is high. We would have to deal with the false positives (being close to someone else, but separated by a partition or other barrier) and the false negatives (not being close to someone else, but contracting the disease through a mutually touched object). And without cheap, fast, and accurate testing, the information from any of these apps isn’t very useful. So I agree with Ross that this is primarily an exercise in that false syllogism: Something must be done. This is something. Therefore, we must do it. It’s techies proposing tech solutions to what is primarily a social problem.
As long as 1) every contact does not result in an infection, and 2) a large percentage of people with the disease are asymptomatic and don’t realize they have it, I can’t see how this sort of app is valuable. If we had cheap, fast, and accurate testing for everyone on demand…maybe. But I still don’t think so.
Several countries have begun floating the idea of an “immunity passport,” which would certify that someone is immune to COVID-19. Not only does the idea raise a number of security and privacy issues, but there are still unknowns about immunity to this particular virus.
Link HERE – thread
Crypto challenge of the week
Hacky Easter Archive
[Browsers, Office365, Cisco and many others]
Book of the month
Hakin9 magazine Vol 11 No 8
Protecting Your Web Applications
Solutions and Strategies to Combat Cybersecurity Threats
The rise of cloud computing, use of open source technologies, new data-processing requirements, complexity of web applications, and an increase in the overall sophistication of attackers have combined to create an extremely challenging environment for IT security leadership. Given how critical websites, applications, and online services have become to supporting revenue and productivity, there is nothing more important for your business than ensuring that your digital assets are available and protected at all times. Consider the impact of cyberthreats on your business: customer loss, brand reputation damage or permanent loss of revenue, and team culture demise. In this report, we examine the increasing cyberthreat landscape and take a detailed look at the major threat patterns businesses and security professionals currently experience. We explain how attackers have become so successful and offer remedies to prevent attacks and fix existing vulnerabilities. And, finally, we look at current and emerging trends in efforts to move to cloud-based security, outsourced services, and third-party hosting options.
Comic of the week
##Some OWASP stuff first
-How To Start A Career in Application Security
Learn from global experts how to launch your AppSec career. What are the careers in Application Security? What is required for an AppSec career? Which certifications are required? We will discuss what works for these experts and what they have seen work for their friends: everything that can help a newcomer enter the Application Security domain, or help those already in it understand how to grow and mature like a pro!
-Mark Merkow — Secure, Resilient, and Agile Software Development
Mark will discuss how application security and the Agile software development methodology fit together.
-Remember: OWASP OpenSAMM v2.0
How mature are your software security practices?
-How to Write Insecure Code
The idea for this article comes from Roedy Green’s How to Write Unmaintainable Code. You may find the one-page version more readable. Actually, making your code unmaintainable is a great first step towards making it insecure, and there are some great ideas in this article, particularly the section on camouflage.
OWASP events HERE
OWASP Foundation will be holding a Virtual AppSec Days on April 27-29th
Registration will open on MONDAY, April 6
OWASP Newcastle May meetup
This will now be an online only event. The stream will start around 1815.
Isolation Con on Twitch – check below!
Application Security For Developers – Learning Defence by Offense
Join the Webinar: Tuesday 21st April,12:00 – 13:00pm BST
Join Rohit Salecha, Black Hat trainer and accredited pen tester from NotSoSecure, as he discusses why, with web application vulnerabilities on the rise, it is essential that developers are educated in response to the growing risk.
Maintaining Secure Development Practices in a WFH Environment
Thursday, April 23 at 8:00am PDT |11:00am EDT | 16:00 BST
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Bumper “Patch Tuesday” releases from Microsoft
Amongst the 113 security updates in the April release from Microsoft were patches for 3 zero-day vulnerabilities. This follows a similarly large release of 115 fixes in March.
US issues North Korean cyber threat warning
Hackers claim to hold European energy giant EDP to ransom
API Security Issue 79 – 1.4 million doctor records scraped using API
Unprotected APIs have allowed hackers to compile and put up for sale a list of 1.4 million US doctors, and GitLab has published details of the API vulnerability they recently fixed. We also have a recording of a recent API security conference talk, and an announcement of an upcoming training on OAuth and OpenID Connect.
Incidents & events detail
Zoom Brings in Help to Address Security Issues
Zoom is calling in experts to help it address security and privacy concerns. With millions of people working at home during the COVID-19 epidemic, Zoom’s popularity has ballooned. It has also been subjected to greater scrutiny by both hackers and security experts, who have unearthed a number of security and privacy issues. The company has hired numerous security consultants, many of whom are former privacy and security experts from other high-profile tech companies. (Please note that the WSJ story is behind a paywall.)
Facebook Wanted NSO Spyware to Monitor Users, NSO CEO Claims
In a court-filed declaration, NSO Group’s CEO says Facebook tried to buy an Apple spying tool in 2017
FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing
Rush to adopt online learning under COVID-19 exposes schools to cyberattacks
Russian telco Rostelecom hijacks traffic for IT giants, including Google, Amazon and Facebook
Exclusive: Amazon deploys thermal cameras at warehouses to scan for fevers faster
COVID-19’s impact on Tor
We had to let go of 13 great people who helped make Tor available to millions of people around the world. We will move forward with a core team of 22 people, and remain dedicated to continuing our work on Tor Browser and the Tor software ecosystem
OVER 460 VULNERABILITIES RESOLVED IN TENTH BUG BOUNTY CHALLENGE WITH U.S. DEPARTMENT OF DEFENSE
CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability
Google Removes Malicious Chrome Extensions From Web Store
Google has pulled nearly 50 malicious extensions from the Chrome Web Store. These bad apps were pretending to be legitimate cryptocurrency wallet apps, but actually stole cryptowallet keys and other sensitive information.
TikTok users beware: Hackers could swap your videos with their own
Report: Massive Data Leak Exposes US Energy Sector to Cyberattack
Date discovered: 10th March 2020
Date vendors contacted: 16th March and 2nd April 2020
Date of contact attempt with AWS: 18th and 30th March 2020
Date of Response: 8th April 2020
Date of Action: 8th April 2020
PoetRAT Uses Covid-19 Lures To Attack Azerbaijan
Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository
Research of the week
Featuring – Data Exfiltration over DNS Queries via Morse Code
Surprisingly, this technique is very old (over 20 years), but it is still very effective today.
You may ask why we don’t just upload the compromised files to cloud storage or transfer them directly over protocols like HTTP, FTP, SSH, Telnet and so on. To exfiltrate over those protocols, the target machine must initiate an outbound network connection to the attacker’s host, and that is easily noticed by any basic firewall or monitoring tool.
DNS exfiltration does not require the target to open such a direct connection: the data travels in ordinary DNS queries that the local recursive resolver forwards on the host’s behalf. As a result it slips past (almost!) all basic security tools, unless you have a solution in place that analyses outbound DNS queries.
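A defender-side illustration of the point above, added here and not taken from the linked article: a small checker over resolver query logs that flags the two signals a DNS-exfiltration channel tends to leave, labels that look like an encoded alphabet (a constructed Morse-style encoding is assumed, since the article’s exact encoding is not shown) and an unusual number of distinct subdomains queried under one parent zone by a single client. The log format and domain names are constructed for the sample.

```python
"""Flag DNS query patterns consistent with data exfiltration over DNS."""
import re
from collections import defaultdict

# Constructed sample of resolver query logs: "<timestamp> <client> <qname> <qtype>".
# Domain names are hypothetical; the "exfil-test.example" entries imitate a client
# leaking data one encoded chunk per query (Morse-style encoding assumed, not the
# article's). Note the host never connects to the attacker directly: the local
# recursive resolver forwards each query, which is why this log is the place to look.
SAMPLE_LOG = """\
2020-04-17T10:00:01Z 10.0.0.5 www.example.com A
2020-04-17T10:00:02Z 10.0.0.5 cdn.example.com AAAA
2020-04-17T10:00:03Z 10.0.0.7 di-dah-dah-di-dah-dit.exfil-test.example A
2020-04-17T10:00:04Z 10.0.0.7 dah-di-dah-dit-di-di.exfil-test.example A
2020-04-17T10:00:05Z 10.0.0.7 di-di-dah-dah-dit-dah.exfil-test.example A
2020-04-17T10:00:06Z 10.0.0.7 dit-dah-di-dah-dah-di.exfil-test.example A
2020-04-17T10:00:07Z 10.0.0.9 mail.example.com MX
"""

# A label made only of Morse-style tokens separated by dashes (assumed encoding).
MORSE_LABEL = re.compile(r"^(?:di|dit|dah)(?:-(?:di|dit|dah))+$")
# Distinct names per (client, zone) before we raise an alert; tune for real traffic.
UNIQUE_SUBDOMAIN_THRESHOLD = 3


def parse_log(text):
    """Yield (client, qname) pairs from the constructed four-column log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].lower()


def parent_zone(qname, levels=2):
    """Crude parent-zone extraction: the last `levels` labels of the name."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def find_suspects(text, threshold=UNIQUE_SUBDOMAIN_THRESHOLD):
    """Return names with encoded-looking labels and (client, zone) pairs with
    an unusually high number of distinct subdomains, the classic tunnelling sign."""
    per_zone = defaultdict(set)
    morse_hits = []
    for client, qname in parse_log(text):
        per_zone[(client, parent_zone(qname))].add(qname)
        if any(MORSE_LABEL.match(label) for label in qname.split(".")):
            morse_hits.append(qname)
    high_volume = sorted(k for k, names in per_zone.items() if len(names) >= threshold)
    return {"morse_labels": morse_hits, "high_volume": high_volume}


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

On real resolver logs the per-zone count should be computed per time window and the label check extended to high-entropy or base32-looking labels, since an encoding other than the assumed one leaves the same volume signal.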
New Stealth Magecart Attack Bypasses Payment Services Using Iframes
PCI compliant payment services hosted within an iframe are not immune from Magecart attacks. Website owners are still responsible for any stolen personally identifiable information (PII) or resulting fines. The PerimeterX research team has uncovered a novel technique for bypassing hosted fields iframe protection, which enables Magecart attackers to skim credit card data while allowing successful payment transactions. This stealthy attack technique gives no indication of compromise to the user or the website admin, enabling the skimming to persist on checkout pages for a long time. The users don’t suspect any malicious activity since the transaction succeeds as expected. In this blog post we examine an active use of this technique that targets websites using the popular payment provider Braintree, a subsidiary of PayPal.
Our research team has been actively tracking Inter, a popular digital skimming toolkit used to launch Magecart attacks. Inter is widely known for being sold as a complete digital skimming kit and for its ability to adapt easily to many checkout pages on e-commerce sites.
ANALYZING THE RACCOON STEALER
An infostealer is a type of malware that is focused on gathering sensitive and confidential information from the compromised system. While this information is often related to the user’s credentials, infostealers have also been known to seek out financial data and personal information. The research performed by CyberArk Labs focused on the methods and techniques that a typical infostealer leverages for stealing sensitive user data and information. Additionally, we wanted to better understand what clients (a.k.a. cybercriminals) are able to retrieve with a low-price infostealer such as Raccoon.
Remember: Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs
I personally love Zones, Jails, and VMs and I think they all have a particular use case. The confusion with containers primarily lies in assuming they fulfill the same use case as the others; which they do not. Containers allow for a flexibility and control that is not possible with Jails, Zones, or VMs. And THAT IS A FEATURE
Tool of the week
Simple CLI tool for the generation of bind and reverse shells in multiple languages
Automate Security Testing with ZAP and GitHub Actions
Is BGP safe yet? No. – from Cloudflare
Test your ISP
Other interesting articles
##Why is ransomware still a thing? One-in-three polled netizens say they would cave to extortion demands
American young adults are easiest marks for criminals, study reckons
##The Challenge of Software Liability
Liability for insecure software is already a reality. The question is whether Congress will step in to give it shape and a coherent legal structure. Broadly speaking, Congress could do this in one of two ways. It could create a legal framework for claims brought by private citizens or state attorneys general. Or it could delegate the regulation of software security to an agency like the Federal Trade Commission (FTC).
Link HERE – thanks to TK
##And finally, how to devise Strategy Under times of Uncertainty
What makes for a good strategy in highly uncertain business environments? Some executives seek to shape the future with high-stakes bets
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: XSS fun with animated SVG.
Description: How I Reverse Engineered the LastPass CLI Tool.