Word of the Week
“World Password(less) Day”
World Password Day: We’re moving toward a passwordless infrastructure
“Password validation is garbage”
Why jK8v!ge4D isn’t a good password
There’s a fundamental issue with password validation.
Take a look at these two passwords:
Which password do you think takes the longest for a computer to crack? And which password do you think is the easiest to remember? The answer to both of these questions is password number 2. Yet people are encouraged to create passwords that look like number 1. People have been taught to write passwords that are difficult for humans to remember, for no real reason.
Let’s talk about that
Crypto challenge of the week
FRANCE CYBERSECURITY CHALLENGE – A CHALLENGE THAT BRINGS TOGETHER ALL TALENTS
Link HERE – thanks to Mithun
Hacky Easter Archive
[Browsers, Office365, Cisco and many others]
President Trump on Friday issued an executive order declaring a national emergency over threats to the U.S. power system, taking steps to defend the grid against cyberattacks and foreign interference
Book of the month
Thanks to Petko
Comic of the week
##Some OWASP stuff first
- XSS without HTML: Client-Side Template Injection with AngularJS
- Hacking JSON Web Tokens (JWTs), and how attackers forge tokens and log in as someone else
- From the Implicit flow to PKCE: A look at OAuth 2.0 in SPAs
- Hacking/OSCP cheat sheet
OWASP events HERE
The Dark Side of the API Economy
Big or Small, Avoid the Brain Fuse
GitHub Satellite event introducing many new GitHub features
Managing Penetration Testing Programs and Vulnerability Time to Live with ThreadFix
May 14, 2020
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
Cyber security warning issued to organisations in UK and USA
Microsoft flags known issues ahead of May 2020 Update
API Security Issue 82 – Most common GraphQL vulnerabilities, pentesting with Insomnia
Mic Whitehorn-Gillam posted an article on how to use Insomnia and Burp together for REST API penetration testing.
Incidents & events detail
Hacker claims to have grabbed 63.2 GB of Microsoft source code from GitHub
The Air Force wants you to hack its satellite in orbit. Yes, really
Snake Ransomware Hits Major European Healthcare Company’s Systems
IT systems belonging to Fresenius, a European healthcare conglomerate, were hit with ransomware earlier this month. The ransomware used in the attack has been identified as Snake, which has recently been used in attacks against a variety of large businesses.
Hackers Take Aim at Cross-Site Scripting Flaws in WordPress Sites
The Wordfence Threat Intelligence Team has observed a significant increase in attempted attacks targeting cross-site scripting (XSS) vulnerabilities in WordPress sites over the past 10 days. The number of these attacks is 30 times what Wordfence normally sees. The attacks are likely the work of a single hacking group.
German Authorities Charge Alleged Bundestag Hacker
Abnormal Attack Stories: Cisco Webex Phishing
Credit card skimmer masquerades as favicon
Malware authors are notorious for their deceptive attempts at staying one step ahead of defenders. As their schemes get exposed, they always need to go back to their bag of tricks to pull out a new one.
When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some fairly simple and others more elaborate. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners.
Research of the week
Featuring – Putting the “Fun” in “Hash Function”
There are several different methods for securely hashing a password server-side for storage and future authentication. The most common one (a.k.a. the one that FIPS allows you to use, if compliance matters for you) is called PBKDF2. It stands for Password-Based Key Derivation Function #2.
Why #2? It’s got nothing to do with pencils. There was, in fact, a PBKDF1! But PBKDF1 was fatally insecure in a way I find very interesting. This StackOverflow answer is a great explainer on the difference between the two.
The obvious lesson: Don’t design key derivation functions like PBKDF1.
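As an added illustration of the PBKDF1/PBKDF2 contrast described above (example code written for this page, not the author's or the StackOverflow answer's), the block below reimplements PBKDF1 as specified in RFC 2898 so its structural limits are visible (output capped at one digest, each iteration a bare re-hash, no HMAC or block counter), next to a PBKDF2 storage and verification flow using Python's standard library. The storage format and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# PBKDF1 per RFC 2898 section 5.1, reimplemented here for illustration.
# T_1 = H(P || S), T_i = H(T_{i-1}), DK = leftmost dkLen bytes of T_c.
# The derived key can never exceed one digest in length (20 bytes for SHA-1),
# and every iteration is just a re-hash of the previous digest.
def pbkdf1(password: bytes, salt: bytes, iterations: int, dk_len: int,
           hash_name: str = "sha1") -> bytes:
    digest_size = hashlib.new(hash_name).digest_size
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    if dk_len > digest_size:
        raise ValueError("derived key too long")  # RFC 2898 5.1, step 1
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dk_len]

# PBKDF2 (RFC 2898 section 5.2) via hashlib: HMAC-based, salted, block-counted,
# so the output length is not tied to the digest size.
ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget
SALT_LEN = 16         # assumed salt length in bytes
DK_LEN = 32           # assumed derived key length in bytes

def hash_password(password: str, salt: bytes = b"",
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: alg$iterations$salt_hex$dk_hex."""
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```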
Security Threat Modelling: Are Data Flow Diagrams Enough?
Traditional threat modelling approaches such as Microsoft’s STRIDE rely on Data Flow Diagrams (DFDs) as the main input. As DFDs are constructed from only five distinct model element types, these system models are deliberately kept simple. While this lowers the bar for practical adoption, there are a number of significant drawbacks. In this position paper, we identify and illustrate four key shortcomings of DFD models when used for security threat modelling, related to the inadequate representation of security concepts, data elements, abstraction levels, and deployment information. Based on these shortcomings, we posit the need for a dedicated, integrated language for threat modelling, and discuss the trade-offs that need to be made between the ease of adoption and the level of support for systematic and repeatable threat modelling.
Tactical Ten: Behavioural Analytics
Office365 — A Quick Security Review
Tool of the week
GitHub Code Scanning aims to prevent vulnerabilities in open source software
An organizational asset and vulnerability management tool
Link HERE – thanks to Javan
A legitimate website (browsable) that tunnels client/server communications for covert command execution
A first response tool to perform an initial and quick triage of a directory containing malware samples, a specific malware sample, or suspect URLs and domains. Additionally, it allows you to download samples and send them to the main online sandboxes.
Other interesting articles
##GitHub Code-Scanning Tools for Open-Source Projects
GitHub is offering its automated code-scanning tools to open-source projects at no cost. The GitHub Advanced Security Suite includes the Semmle code scanning tool, which GitHub acquired last fall, as well as tools that can scan repositories for data that should not be exposed, like passwords and private keys.
##Zoom Acquires Keybase in Effort to Improve Security Issues
Video conferencing platform company Zoom has acquired security company Keybase, which will help Zoom implement stronger encryption. The improved encryption service will be available to paid versions of Zoom.
##Cloud Security Features Don’t Replace the Need for Personnel Security Capabilities
##And finally, When Your Freedom Depends on an App
The app Layla was forced to download upon her release, Guardian, is part of the latest wave of surveillance technologies utilized by enforcement agencies to monitor the recently incarcerated or those awaiting trial. Launched in 2015, it’s marketed as a way for agencies to cut down costs and take advantage of the existing tracking technology in smartphones for more seamless and convenient parole. Based on the terms of their supervision, users are prompted to check in with their parole officers at certain intervals by reading a random series of numbers into the app. Guardian then analyses that check-in using a combination of geolocation data and voice or facial recognition…
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: Researching Polymorphic Images for XSS on Google Scholar.
Description: DOM XSS in Gmail with a little help from Chrome.
URL: https://bit.ly/2SMtvaL (+)
Description: Stealing Trello token by abusing a cross-iframe XSS on the Butler Plugin.