Security Stack Sheet #93

 

Word of the Week

“Honeysploit: Exploiting the Exploiters”

Winnie the Pooh image by Disneyclips.com

Lessons learnt:

Everyone please never assume the code you’re using is trusted!

Link HERE. Another security researcher posted his perspective as a victim of this honeypot HERE.

 

“Contact Tracing Technology Raises Concerns”

Several groups have expressed concerns about privacy issues in contact tracing apps, which are being developed to let people know if they have come in contact with someone who has COVID-19. The Electronic Frontier Foundation (EFF) is concerned that COVID-19 contact tracing technology being developed by Apple and Google could be used by malicious actors to gather private information. In the UK, scientists and researchers have signed a joint statement expressing concerns about the NHS’s plans to use a contact tracing app, saying that the technology should be analyzed by experts in privacy and security. And in Australia, security experts who examined the COVIDSafe app say that it presents privacy and security issues.

Opinions from SANS:
[Pescatore]
Any app used for something as critical as infection contact tracing needs to be bulletproof – written with security as a top priority and thoroughly reviewed and tested by experts. But there will need to be some individual privacy trade-offs accepted to make gains in reopening economies while limiting new outbreaks.
[Neely]
A Washington Post study found that 3 of 5 Americans say they are unwilling or unable to use the infection alert system under development by Apple and Google, which may impede or undermine the mission of these applications. Without verifiable claims of proper privacy and security handling, widespread adoption may be impossible. www.washingtonpost.com: Most Americans are not willing or able to use an app tracking coronavirus infections. That’s a problem for Big Tech’s plan to slow the pandemic.
[Paller]
When people are concerned for the health of their families, they make compromises in other priorities. If using a tracing app will allow them to keep their families safe, my guess is that a vast majority of people will accept some lessening of their privacy.

Links HERE and HERE and HERE

 

Word of the Week Special

“Beware of the GIF”

Account Takeover Vulnerability in Microsoft Teams

  • As more and more business is conducted from remote locations, attackers are focusing their efforts on exploiting the key technologies – like Zoom and Microsoft Teams – that companies and their employees depend on to stay connected.
  • We found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape users’ data and ultimately take over an organization’s entire roster of Teams accounts.
  • Since users wouldn’t have to share the GIF – just see it – to be impacted, vulnerabilities like this have the ability to spread automatically.
  • This vulnerability would have affected every user who uses the Teams desktop or web browser version.
  • CyberArk worked with Microsoft Security Research Center under Coordinated Vulnerability Disclosure after finding the account takeover vulnerability, and a fix was quickly issued.

Mitigation & Response
We worked with Microsoft Security Research Center under Coordinated Vulnerability Disclosure after finding the account takeover vulnerability. Microsoft quickly deleted the misconfigured DNS records of the two subdomains that were exposed and could be taken over. In addition, Microsoft has pushed more mitigations over time and is continuing to develop more security features to prevent similar flaws in the future.

Disclosure Timeline

23/03/20 – Vulnerability reported to Microsoft.

23/03/20 – Microsoft corrected misconfigured DNS records.

20/04/20 – Microsoft issued a patch.

Link HERE

Google on “how to avoid Covid risks”

Helping you avoid COVID-19 online security risks

Link HERE

 

Bonus


Link HERE – thanks to Estevan

Link HERE

 

Crypto challenge of the week

You are given one hour to hide a USB stick. It has to be hidden inside your house and cannot be placed in a room designed for storage. After one hour 10 detectives are given 3 hours to search for the USB stick. Where will you hide it?

Link HERE

Hacky Easter Archive

Solve this one


Link HERE


Link HERE

 

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will downgrade you HERE – DONE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • 1st of June 2020 – Freedom from viruses?
  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

 

Book of the month

The Black Swan, Second Edition: The Impact of the Highly Improbable: With a new section: "On Robustness and Fragility"

Link HERE – thanks to Petko AND is Covid19 a Black Swan? Link HERE

Free online course on Getting Started with OAuth and OpenID Connect

Link HERE

 

Comic of the week

Alice Borrows Stapler - Dilbert by Scott Adams

 

## Some OWASP stuff first

- Remember: OWASP Web Security Testing Guide v4.1

OWASP Consortium Updated Web Security Testing Guide - Prog.world

Link HERE

- Secure code review: 8 security code review best practices

Secure code review: 8 security code review best practices cheat sheet

Link HERE

- Latest GitHub Security Virtual Meetup

  • Andrea Brancaleoni – InQL: GraphQL security testing made easy!
  • Stefan Edwards and Robert Tonic – Go-ing for an evening stroll
  • Alyssa Miller – Security In the User Story, DevSecOps Compatible Threat Modeling
  • Neil Matatall – Managing content security policy and samesite cookies

Link to Videos and Slides HERE

- New course on Pluralsight:

Secure Coding: Preventing Broken Access Control

By Gavin Johnson-Lynn

Learn how to protect your code from access control issues. You will gain an understanding of how an attacker might find and attack those vulnerabilities before building defences into your code.

Link HERE

- Bookmark: Useful Application Security Resources

Link HERE

 

Events

OWASP events HERE

OWASP Foundation will be holding a Virtual AppSec Days on April 27-29th

Registration will open on MONDAY, April 6

Link HERE

OWASP Newcastle May meetup

This will now be an online-only event. The stream will start around 1815 on Tuesday 5th of May.
Link for the stream: HERE

Link HERE

The State of AppSec in Government – Featuring Sandy Carielli, Forrester Research

Link HERE

Zero Trust Security… the evolution of Trusted Identities

Almost every security breach includes users as a target, source, or associated party. Organizations need to come to an understanding (quickly) that there cannot be, under any circumstances, an interruption or degradation of the user experience for internal users or customers. This is a critical element of the organization’s success. To do so, security teams will need to make security invisible and assume that everyone and everything is untrusted until proven otherwise.
As a result, Zero Trust security is the new benchmark that organizations are setting their sights on. However, depending on who is talking about it, there is a significant difference in what constitutes a Zero Trust architecture. In turn, this creates a level of confusion in the market. Zero Trust workforce initiatives need to begin by focusing on identity, access, and data.
In this discussion, we will cover where Zero Trust is today and what we believe Zero Trust will become in the future: Adaptive Trust.

Link HERE

Gordon Corera Russians Among Us

DryCleanerCast, a podcast about Espionage, Terrorism & GeoPolitics

Link HERE

Security Journey: "Threat Modeling: Uncover Vulnerabilities Without Looking at Code"

Link to register HERE

Leaders in AppSec event


Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE – find your country


NCSC Weekly Threat Report


Suspicious email reporting service launched to counter phishing campaigns

We know that cyber criminals are exploiting coronavirus fears and using the pandemic as bait in phishing attacks, but the public have been fighting back.
Earlier this week, the NCSC announced the launch of the Suspicious Email Reporting Service (SERS), in partnership with the City of London Police. It offers an opportunity to report suspicious emails directly to the NCSC. By doing so, reporters are helping to bring down malicious campaigns, and it has already had good success.

Millions of fitness app users exposed after data breach

It has been reported that a firm behind a fitness app has unintentionally leaked data, including personal information, of millions of customers.

Kinomap, which specialises in indoor training, had inadvertently left its database exposed online, which meant that the records of 42 million users from 80 countries were viewable for at least one month.

Nintendo Switch owners urged to turn on 2FA following a spate of account hacks

Several Twitter users have reported they’ve lost money after hackers hijacked their Nintendo accounts.

Google issues Chrome update to fix high-rated security vulnerabilities

In a notice published this week, Google announced that it’s issuing a new update to its Chrome browser. This update will include security fixes for two high-rated vulnerabilities.

Vulnerability affecting Sophos product discovered

Cyber security company Sophos has reported that its XG Firewall product has been subject to an SQL injection attack.
Hackers took advantage of this previously unknown vulnerability to insert malicious code into a back-end database to gain unauthorised access.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 81 – Vulnerabilities in Microsoft Teams, Auth0, smart home hubs

Link HERE

 

Incidents & events detail

Coronavirus Dark Web Scams: From infected blood to ventilators

Selling COVID-19 infected blood, and pushing an MP3 file that supposedly kills coronavirus.

Link HERE

267 million Facebook profiles sold for $600 on the dark web

Link HERE

Fraud & hacking guides are the most sold item on dark web

Link HERE

Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage

Link HERE

Sextortion Campaigns Net Cybercriminals Nearly $500K in Five Months

Tracking the cryptocurrency paid by victims finds that, even with a low rate of pay-out, the scheme netted a cool half million for the various groups involved.

Link HERE

Symlink race bugs discovered in 28 antivirus products

Most products have patched, researchers said, without naming the ones who skipped.

Link HERE

You’ve Got (0-click) Mail!

Link HERE

Microsoft Warns of Malware in Pirated Movie Files

Bootlegged movies on some torrent sites have been found to contain malware, according to a warning from Microsoft. The attack appears to be primarily targeting users in Spain, Mexico, and South America. The malware tries to install cryptocurrency mining software on infected devices.

Link HERE

 

Research of the week

Featuring – Modern Security Risk


-Calibrated Estimation

Accuracy (Calibration) beats precision (Discrimination). Both are good to have.

-Risk Universe

There is a risk that causes that causes

-Tolerance Curve

Avoid forcing stakeholders to do maths in their head. Avoid qualitative descriptors; they are interpreted differently by different people.

-Quantitative Analysis

Likelihood, minimal harm and maximal harm estimates. A standard Monte Carlo simulation is run tens of thousands of times and the results are combined.

Link HERE
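To make the quantitative step concrete, here is an added example (not code from the newsletter or the talk it summarises): each risk carries an annual likelihood plus calibrated minimal and maximal harm estimates, a Monte Carlo run simulates 20,000 years, and the per-year losses are combined into a loss-exceedance table that a tolerance curve can be laid against. Modelling harm as lognormal between the two estimates is this example's assumption.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence

Z90 = 1.6448536269514722  # a 90% interval spans +/- Z90 standard deviations


@dataclass
class Risk:
    name: str
    likelihood: float  # probability the event occurs in a given year
    min_harm: float    # calibrated 5th percentile of loss if it occurs
    max_harm: float    # calibrated 95th percentile of loss if it occurs

    def lognormal_params(self):
        # Map the 90% interval onto (mu, sigma) of log(loss); lognormal
        # harm is this example's assumption, not a claim about the talk.
        lo, hi = math.log(self.min_harm), math.log(self.max_harm)
        return (lo + hi) / 2, (hi - lo) / (2 * Z90)


def simulate(risks: Sequence[Risk], runs: int = 20000, seed: int = 7) -> List[float]:
    """Simulate `runs` years and return each year's combined loss."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    params = [(r.likelihood, *r.lognormal_params()) for r in risks]
    totals = []
    for _ in range(runs):
        year_loss = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:  # does this risk materialise this year?
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def loss_exceedance(totals: Sequence[float], thresholds: Sequence[float]) -> Dict[float, float]:
    """P(annual loss >= t) for each threshold t: the curve a tolerance
    curve is compared against, so nobody has to do the maths in their head."""
    n = len(totals)
    return {t: sum(1 for x in totals if x >= t) / n for t in thresholds}


if __name__ == "__main__":
    # Constructed sample register: illustrative figures, not real data.
    register = [
        Risk("phishing-led account takeover", 0.6, 20_000, 400_000),
        Risk("ransomware on file servers", 0.1, 250_000, 5_000_000),
        Risk("exposed database backup", 0.15, 50_000, 2_000_000),
    ]
    totals = simulate(register)
    print(f"expected annual loss: {sum(totals) / len(totals):,.0f}")
    for t, pr in loss_exceedance(totals, [100_000, 1_000_000, 5_000_000]).items():
        print(f"P(loss >= {t:>9,}) = {pr:.3f}")
```

Replace the constructed register with your own calibrated estimates; the exceedance probabilities are what you compare against the tolerance the business has agreed to.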

Wild Temporary Tokens and Where to Find Them – AWS Edition

We showed how an attacker could convert a temporary token into a long-term token, how they can “hide” their activity trail and actions in the compromised AWS environment, and how this can be very challenging for the security team to address. This attack technique is very stealthy and hard to detect – imagine how long an attacker can have access to your account while you might not even notice anything.

However, this technique is just one example of a much bigger problem of managing temporary tokens in cloud environments. Temporary tokens sometimes get less attention and monitoring than permanent ones, which is a great place for an attacker to take advantage.

Observing and early detection of misconfigured roles could eventually prevent attackers who managed to get access from achieving their goals. I encourage you to run SkyWrapper and get a better view of the temporary tokens that exist in your environment, detect the privileged ones, and handle the ones that are marked as suspicious. You will be surprised to see how many temporary tokens you have in your account.

Link HERE

The Extended AWS Security Ramp-Up Guide by NCC

On November 25th, AWS released the Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The Security Ramp-Up is a curated list of educational AWS resources. The goal is “to teach in-demand cloud skills and real-world knowledge that you can rely on to keep up with cloud security, governance, and compliance developments and grow your career.” The Ramp-Up is an excellent document that describes a logical progression in first-party training resources, from the official Overview of Amazon Web Services through the AWS Certified Specialty – Security exam, and beyond.

Link HERE

Behind the Screen: An insight into Context’s testing data

One of our Context Account Managers, Alexander Roxon, took a closer look at Context’s 2019 penetration testing data sets and caught up with some of our Consultants to get their view on the findings.

Link HERE

Understanding Hardware-enforced Stack Protection

Link HERE

 

Tool of the week

Script to automate, when possible, the passive reconnaissance performed on a website prior to an assessment

Link HERE

SkyWrapper

Helps to discover suspicious creation forms and uses of temporary tokens in AWS

Link HERE

List of Python (and other) Security Scripts

Link HERE and Top 5 Python Best Practices HERE

Google Hacking

Uses advanced search operators (Google Dorks) to find juicy information about target websites.

Link HERE

 

Other interesting articles 

## It’s not black and white

The NCSC now uses ‘allow list’ and ‘deny list’ in place of ‘whitelist’ and ‘blacklist’.

Link HERE – thanks to Ben

 

## Diaries of a SOC Manager: Building a SOC Ep 1

"We want you to build a SOC"

Link HERE

 

## Randori raises $20 million to spot cyberattacks with AI

Link HERE

 

## Why do you need API security for your sales CRM?

Third party integrations are vital for a good customer experience. But have you wondered if they are secure?

Link HERE

 

## When the going gets tough, the tough get learning

I saw a meme the other week that said something to the effect of “Your grandparents were called to fight overseas in the trenches. You’re being asked to sit on your couch. You can do this.” True, no one’s shooting at us, but we’re battling a different kind of war. The health crisis is frightening, and it’s taking thousands of lives. A single cough can create anxiety. And the economic impact of having to shelter in place and watch business grind to a halt is unlike anything we’ve ever experienced.

Link HERE

 

## And finally, Becoming Virtually Untraceable – “eps9.0_syst3m_da3m0n5.dat”

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” ― Sun Tzu, The Art of War.

Adopt an Adversarial Mindset to Avoid Victimization

Link HERE

 

## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.cm2.pw/xssi-exploiting-the-unexploitable/

Description: XSSI – Exploiting the unexploitable.

URL: https://hackerone.com/reports/541169

Description: GitLab::UrlBlocker validation bypass leading to full SSRF.

URL: https://stazot.com/prestashop-csrf-to-rce-article/

Description: Critical CSRF to RCE bug chain in Prestashop v1.7.6.4 and below.

URL: https://www.shielder.it/blog/1-click-rce-on-keybase/

Description: 1-click RCE on Keybase.

URL: https://bit.ly/3bRPzIF  (+)

Description: Abusing HTTP Path Normalization and Cache Poisoning for profit.

URL: https://hackerone.com/reports/827052

Description: Arbitrary file read via the UploadsRewriter when moving an issue.

Links HERE and credits to HERE

 

 
