Word of the Week
“Honeysploit: Exploiting the Exploiters”
Everyone please never assume the code you’re using is trusted!
“Contact Tracing Technology Raises Concerns”
Several groups have expressed concerns about privacy issues in contact tracing apps, which are being developed to let people know if they have come in contact with someone who has COVID-19. The Electronic Frontier Foundation (EFF) is concerned that COVID-19 contact tracing technology being developed by Apple and Google could be used by malicious actors to gather private information. In the UK, scientists and researchers have signed a joint statement expressing concerns about the NHS’s plans to use a contact tracing app, saying that the technology should be analyzed by experts in privacy and security. And in Australia, security experts who examined the COVIDSafe app say that it presents privacy and security issues.
Opinions from SANS:
Word of the Week Special
“Beware of the GIF”
Account Takeover Vulnerability in Microsoft Teams
Mitigation & Response
Google on “how to avoid Covid risks”
Link HERE – thanks to Estevan
Crypto challenge of the week
You are given one hour to hide a USB stick. It has to be hidden inside your house and cannot be placed in a room designed for storage. After one hour 10 detectives are given 3 hours to search for the USB stick. Where will you hide it?
Hacky Easter Archive
Solve this one
[Browsers, Office365, Cisco and many others]
Book of the month
Free online course on Getting Started with OAuth and OpenID Connect
Comic of the week
##Some OWASP stuff first
-Remember: OWASP Web Security Testing Guide v4.1
-Secure code review: 8 security code review best practices
-Latest GitHub Security Virtual Meetup
Link to Videos and Slides HERE
-New course on Pluralsight:
Secure Coding: Preventing Broken Access Control
By Gavin Johnson-Lynn
Learn how to protect your code from access control issues. You will gain an understanding of how an attacker might find and attack those vulnerabilities before building defences into your code.
-Bookmark: Useful Application Security Resources
OWASP events HERE
OWASP Foundation will be holding a Virtual AppSec Days on April 27-29th
Registration will open on MONDAY, April 6
OWASP Newcastle May meetup
This will now be an online only event. The stream will start around 1815 Tuesday 5th of May.
The State of AppSec in Government – Featuring Sandy Carielli, Forrester Research
Zero Trust Security… The evolution of Trusted Identities
Almost every security breach includes users as a target, source, or associated party. Organizations need to come to an understanding (quickly) that there cannot be, under any circumstances, an interruption or degradation of the user experience for internal users or customers. This is a critical element of the organization’s success. To do so, security teams will need to make security invisible and assume that everyone and everything is not trusted until proven otherwise.
Gordon Corera Russians Among Us
DryCleanerCast a podcast about Espionage, Terrorism & GeoPolitics
Security Journey: “Threat Modeling: Uncover Vulnerabilities Without Looking at Code”
Link to register HERE
Leaders in AppSec event
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
Suspicious email reporting service launched to counter phishing campaigns
Millions of fitness app users exposed after data breach
Nintendo Switch owners urged to turn on 2FA following a spate of account hacks
Google issues Chrome update to fix high-rated security vulnerabilities
Vulnerability affecting Sophos product discovered
API Security Issue 81 – Vulnerabilities in Microsoft Teams, Auth0, smart home hubs
Incidents & events detail
Coronavirus Dark Web Scams: From infected blood to ventilators
Pushing an MP3 file that supposedly kills Coronavirus
267 million Facebook profiles sold for $600 on the dark web
Fraud & hacking guides are the most sold item on dark web
Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
Sextortion Campaigns Net Cybercriminals Nearly $500K in Five Months
Tracking the cryptocurrency paid by victims finds that, even with a low rate of pay-out, the scheme netted a cool half million for the various groups involved.
Symlink race bugs discovered in 28 antivirus products
Most products have been patched, researchers said, without naming the ones that skipped.
You’ve Got (0-click) Mail!
Microsoft Warns of Malware in Pirated Movie Files
Bootlegged movies on some torrent sites have been found to contain malware, according to a warning from Microsoft. The attack appears to be primarily targeting users in Spain, Mexico, and South America. The malware tries to install cryptocurrency mining software on infected devices.
Research of the week
Featuring – Modern Security Risk
Accuracy (Calibration) beats precision (Discrimination). Both are good to have.
There is a risk that causes that causes
Avoid forcing stakeholders to do maths in their head. Avoid qualitative descriptors; they are interpreted differently by different people.
Likelihood, minimal harm and maximal harm estimates. A standard Monte Carlo simulation is run tens of thousands of times and the results combined.
Wild Temporary Tokens and Where to Find Them – AWS Edition
We showed how an attacker could convert a temporary token into a long-term token, how they can “hide” their activity trail and actions in the compromised AWS environment, and how this can be very challenging for the security team to address. This attack technique is very stealthy and hard to detect – imagine how long an attacker can have access to your account while you might not even notice anything.
However, this technique is just one example of a much bigger problem: managing temporary tokens in cloud environments. Temporary tokens sometimes get less attention and monitoring than permanent ones, which gives an attacker an opening to take advantage of.
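As an added, defender-side example that is not from the article summarised above: a small Python detection over constructed CloudTrail records that flags the pivot described, a temporary (STS) credential creating a long-term IAM credential. The event names, identity types and the ASIA/AKIA access key prefixes are real AWS conventions; the account ID, ARNs and key IDs in the sample records are made up.

```python
import json

# IAM calls that create durable credentials an attacker could keep using after
# the temporary session that issued them has expired.
PERSISTENCE_EVENTS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile"}
# userIdentity.type values CloudTrail records for temporary-credential sessions.
TEMP_IDENTITY_TYPES = {"AssumedRole", "FederatedUser"}

def is_temporary_credential(identity: dict) -> bool:
    """Temporary credentials show up as an STS session type or as an access key
    ID starting with 'ASIA' (long-term IAM user keys start with 'AKIA')."""
    if identity.get("type") in TEMP_IDENTITY_TYPES:
        return True
    return identity.get("accessKeyId", "").startswith("ASIA")

def find_temp_to_longterm_pivots(records):
    """Return (eventName, actor ARN, target IAM user) for every record in which
    a temporary credential created a long-term credential."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        if rec.get("eventName") not in PERSISTENCE_EVENTS:
            continue
        identity = rec.get("userIdentity") or {}
        if not is_temporary_credential(identity):
            continue
        params = rec.get("requestParameters") or {}
        findings.append((rec["eventName"], identity.get("arn", "?"),
                         params.get("userName", "?")))
    return findings

def scan_log(text: str):
    """Parse newline-delimited CloudTrail JSON records and run the detection."""
    records = (json.loads(line) for line in text.splitlines() if line.strip())
    return find_temp_to_longterm_pivots(records)

# Constructed sample records (account ID, ARNs and key IDs are made up):
# an assumed role minting a key, a normal user rotating her own key, and noise.
SAMPLE_LOG = """\
{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy/i-0abc","accessKeyId":"ASIAEXAMPLE1"},"requestParameters":{"userName":"backup-svc"}}
{"eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","accessKeyId":"AKIAEXAMPLE2"},"requestParameters":{"userName":"alice"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy/i-0abc","accessKeyId":"ASIAEXAMPLE1"}}
"""

if __name__ == "__main__":
    for name, actor, target in scan_log(SAMPLE_LOG):
        print(f"ALERT: {name} on user {target} by temporary session {actor}")
```

Only the first record is flagged: the key created by an IAM user with a long-term key is ordinary rotation, and the EC2 read by the role session is noise.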
The Extended AWS Security Ramp-Up Guide by NCC
On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is “to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow your career.” The Ramp-Up is an excellent document that describes a logical progression in first-party training resources, from the official Overview of Amazon Web Services through the AWS Certified Specialty – Security exam, and beyond.
Behind the Screen: An insight into Context’s testing data
Understanding Hardware-enforced Stack Protection
Tool of the week
Script to automate, when possible, the passive reconnaissance performed on a website prior to an assessment
Helps to discover suspicious creation forms and uses of temporary tokens in AWS
List of Python (and other) Security Scripts
Uses advanced search operators (Google Dorks) to find juicy information about target websites
Other interesting articles
##It’s not black and white
The NCSC now uses ‘allow list’ and ‘deny list’ in place of ‘whitelist’ and ‘blacklist’.
Link HERE – thanks to Ben
##Diaries of a SOC Manager: Building a SOC Ep 1
“We want you to build a SOC”
##Randori raises $20 million to spot cyberattacks with AI
##Why do you need API security for your sales CRM?
Third party integrations are vital for a good customer experience. But have you wondered if they are secure?
##When the going gets tough, the tough get learning
I saw a meme the other week that said something to the effect of “Your grandparents were called to fight overseas in the trenches. You’re being asked to sit on your couch. You can do this.” True, no one’s shooting at us, but we’re battling a different kind of war. The health crisis is frightening, and it’s taking thousands of lives. A single cough can create anxiety. And the economic impact of having to shelter in place and watch business grind to a halt is unlike anything we’ve ever experienced.
##And finally, Becoming Virtually Untraceable – “eps9.0_syst3m_da3m0n5.dat”
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War.
Adopt an Adversarial Mindset to Avoid Victimization
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: XSSI – Exploiting the unexploitable.
Description: GitLab::UrlBlocker validation bypass leading to full SSRF.
Description: Critical CSRF to RCE bug chain in Prestashop v18.104.22.168 and below.
Description: 1-click RCE on Keybase.
URL: https://bit.ly/3bRPzIF (+)
Description: Abusing HTTP Path Normalization and Cache Poisoning for profit.
Description: Arbitrary file read via the UploadsRewriter when moving an issue.