Security Stack Sheet #94

Word of the Week

“World Password(less) Day”

World Password Day: We’re moving toward a passwordless infrastructure


Links HERE and HERE

“Password validation is garbage”

Why jK8v!ge4D isn’t a good password


There’s a fundamental issue with password validation.

Take a look at these two passwords:

jK8v!ge4D

greenelephantswithtophats

Which of these two takes a computer longer to crack, and which is easier for a human to remember? The answer to both questions is password number 2. Yet people are encouraged to create passwords that look like number 1: users have been taught to write passwords that are hard for humans to remember, for no real reason.

Let’s talk about that

Links HERE and HERE and HERE
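The comparison above is only meaningful once you say which attacker you mean. The added example below (mine, not code from the newsletter or the linked posts) makes the two models explicit: a per-character brute force over the alphabet the password uses, which is what complexity rules are designed around, and a combinator attack by someone who knows the passphrase is a run of common words. The character-class sizes, the 20,000-word dictionary and the 10^10 guesses/second rate are assumptions chosen for illustration; the word split of the passphrase is also assumed.

```python
import math
import re
from typing import List

# Constructed assumptions for the two attacker models compared below.
CHAR_CLASSES = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 33),   # printable ASCII punctuation
}
WORDLIST_SIZE = 20_000          # assumed size of the attacker's English wordlist
GUESSES_PER_SECOND = 1e10       # assumed offline rate against a fast, unsalted hash


def alphabet_size(password: str) -> int:
    """Union of the character classes the password actually uses."""
    return sum(size for pattern, size in CHAR_CLASSES.values()
               if re.search(pattern, password))


def brute_force_bits(password: str) -> float:
    """Search space, in bits, for an attacker who brute-forces every position
    over the alphabet the password draws from (the model behind complexity rules)."""
    return len(password) * math.log2(alphabet_size(password))


def wordlist_bits(words: List[str], wordlist_size: int = WORDLIST_SIZE) -> float:
    """Search space, in bits, for an attacker who knows the passphrase is a
    concatenation of common words and runs a combinator attack over a wordlist."""
    return len(words) * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the search space at the given rate."""
    return (2.0 ** bits) / 2.0 / rate


def compare(password: str, passphrase_words: List[str]) -> dict:
    """Bits each candidate offers under each attacker model; the smaller figure
    for the passphrase is the one that matters."""
    phrase = "".join(passphrase_words)
    return {
        "password_bits": brute_force_bits(password),
        "passphrase_bits_bruteforce": brute_force_bits(phrase),
        "passphrase_bits_wordlist": wordlist_bits(passphrase_words),
    }


if __name__ == "__main__":
    result = compare("jK8v!ge4D", ["green", "elephants", "with", "top", "hats"])
    for name, bits in result.items():
        years = expected_crack_seconds(bits) / (3600 * 24 * 365)
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years")
```

With these assumptions the nine-character password sits near 59 bits, while the five-word passphrase is about 117 bits against brute force and about 71 bits against a combinator attack. It still wins, but the margin comes from the number of words and the size of the wordlist, not from its length in characters; a three-word phrase from a small dictionary would lose.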

Bonus



Link HERE

Crypto challenge of the week

FRANCE CYBERSECURITY CHALLENGE – UN DÉFI QUI RASSEMBLE TOUS LES TALENTS

Link HERE – thanks to Mithun

Hacky Easter Archive

Link HERE

Dates

  • May 25th 2018: GDPR went live, almost two years ago. See the incidents section below and the GDPR Enforcement Tracker, link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) became effective. Link HERE
  • Now: TLS 1.2 is mandatory for proper security; HTTPS everywhere HERE
  • Do not delay your TLS 1.2 migration beyond June 2020 or a few things will stop working! [Browsers, Office 365, Cisco and many others]
  • January 2020 – Qualys SSL Labs rates a server that still offers TLS 1.0 as grade B – Qualys will downgrade you HERE – DONE
  • June 2020 – Microsoft plans to deprecate TLS 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit finalised?
  • 1st of June 2020 – Freedom from viruses?
  • November 3rd 2020: US presidential election – Trump’s second term start?

On Friday, May 1st 2020, President Trump issued an executive order declaring a national emergency over threats to the U.S. power system, taking steps to defend the grid against cyberattacks and foreign interference.

Link HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month


Thanks to Petko

Comic of the week

ZenyWay on Twitter: “Why password strength matters…”

##Some OWASP stuff first

-XSS without HTML: Client-Side Template Injection with AngularJS

Naive use of the extremely popular JavaScript framework AngularJS is exposing numerous websites to Angular Template Injection. This relatively low-profile sibling of server-side template injection can be combined with an Angular sandbox escape to launch cross-site scripting (XSS) attacks on otherwise secure sites. Until now, there has been no publicly known sandbox escape affecting Angular 1.3.1+ and 1.4.0+. This post summarises the core concepts of Angular Template Injection, then shows the development of a fresh sandbox escape affecting all modern Angular versions.

Link HERE

-Hacking JSON Web Tokens (JWTs)

And how attackers forge tokens and log in as someone else

Link HERE
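The classic way a token gets forged is the `alg: none` trick: the attacker copies the claims, rewrites them, declares the token unsigned, and a verifier that lets the token pick its own algorithm waves it through. The added example below (mine, not code from the linked article) builds HS256 tokens by hand with the standard library, shows the forgery, and pairs a vulnerable verifier with one that pins the algorithm server-side. The secret, the claims and the verifier names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    """Compact JSON, base64url, no padding: one JWT segment."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way the server does: HMAC-SHA256 over header.payload."""
    signing_input = f"{_encode_part({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker step: keep the claims, rewrite the ones that matter,
    declare alg=none and send an empty signature segment."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(payload)}."


def verify_naive(token: str, key: bytes) -> dict:
    """Vulnerable verifier: lets the token choose the algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":            # the bug: an unsigned token is trusted
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    raise ValueError("invalid token")


def verify_hardened(token: str, key: bytes) -> dict:
    """Fixed verifier: the server decides the algorithm; the header may only agree."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def accepted_role(verifier, token: str, key: bytes):
    """Role the verifier would grant for this token, or None if it rejects it."""
    try:
        return verifier(token, key)["role"]
    except (ValueError, KeyError):
        return None
```

Real libraries have had exactly the `verify_naive` behaviour; the fix in any of them is the same as here: pass the expected algorithm (and key type) to the verify call and never read it from the token.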

-From the Implicit flow to PKCE: A look at OAuth 2.0 in SPAs

Link HERE
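The point of moving a SPA from the implicit flow to authorization code with PKCE is that the code alone is worthless without a secret that never leaves the browser. The added example below (mine, not code from the linked post or any real authorization server) carries the exchange through both sides: the client derives `code_challenge` from a random `code_verifier`, the server binds the challenge to the code it issues, and the token endpoint only honours a code once and only with the matching verifier. The `AuthorizationServer` class and `spa_login_flow` are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes give 43 base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server (assumed, not a real product): remembers the
    challenge presented at /authorize and checks the verifier presented at /token."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":                      # refuse 'plain': it protects nothing
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)          # the one-time authorization code
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> Dict[str, str]:
        entry = self._pending.pop(code, None)     # redeemable once; a failed attempt burns it
        if entry is None:
            raise ValueError("unknown or already-used code")
        expected_client, challenge = entry
        if expected_client != client_id:
            raise ValueError("code was issued to a different client")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

    def try_token(self, client_id: str, code: str, code_verifier: str) -> Optional[Dict[str, str]]:
        try:
            return self.token(client_id, code, code_verifier)
        except ValueError:
            return None


def spa_login_flow(server: AuthorizationServer, client_id: str = "spa-client") -> Dict[str, str]:
    """The SPA side end to end: generate the verifier, send only the challenge,
    redeem the returned code together with the verifier."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, code_challenge_s256(verifier))
    # ...the browser comes back with ?code=...; whoever steals that code from the
    # redirect or the history still lacks `verifier`, which never left this SPA.
    return server.token(client_id, code, verifier)
```

The S256 test vector from RFC 7636 Appendix B is asserted below to show the challenge derivation is the real one; the rest of the flow uses freshly generated values.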

-Hacking/OSCP cheat sheet

Link HERE

 

Events

OWASP events HERE

The Dark Side of the API Economy

Link HERE

Big or Small, Avoid the Brain Fuse


Link HERE

GitHub Satellite event introducing many new GitHub features


Link HERE

Managing Penetration Testing Programs and Vulnerability Time to Live with ThreadFix

May 14, 2020


Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE – find your country


NCSC Weekly Threat Report


Cyber security warning issued to organisations in UK and USA

Security agencies in the UK and USA have issued advice to organisations involved in the coronavirus response, after it was revealed that they are being targeted by malicious cyber campaigns.

The report, jointly published by the NCSC and the US Cybersecurity and Infrastructure Security Agency (CISA), exposed a large-scale ‘password spraying’ campaign by advanced persistent threat (APT) groups against international healthcare, pharmaceutical, and research organisations.
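Password spraying inverts brute force: one or two common passwords tried against many accounts, so per-account lockout thresholds never trip. The signal is therefore a single source failing against many distinct users with very few attempts each, and that is what the added example below looks for (my code, not from the NCSC/CISA advisory). The log format and the events are constructed for the demonstration; in a real estate you would feed it Windows 4625 events, AD FS or Azure AD sign-in failures, or VPN auth logs, and the window and thresholds are starting points to tune.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample of failed-logon events in a simple text format (not real logs):
# 203.0.113.5 sprays eight accounts once each, 198.51.100.7 hammers one account,
# 192.0.2.9 is a user mistyping their own password.
SAMPLE_LOG = """\
2020-05-08T09:00:01Z FAILED_LOGIN src=203.0.113.5 user=alice
2020-05-08T09:00:05Z FAILED_LOGIN src=198.51.100.7 user=admin
2020-05-08T09:00:12Z FAILED_LOGIN src=198.51.100.7 user=admin
2020-05-08T09:00:19Z FAILED_LOGIN src=198.51.100.7 user=admin
2020-05-08T09:00:26Z FAILED_LOGIN src=198.51.100.7 user=admin
2020-05-08T09:00:31Z FAILED_LOGIN src=203.0.113.5 user=bob
2020-05-08T09:00:33Z FAILED_LOGIN src=198.51.100.7 user=admin
2020-05-08T09:00:40Z FAILED_LOGIN src=198.51.100.7 user=admin
2020-05-08T09:01:02Z FAILED_LOGIN src=203.0.113.5 user=carol
2020-05-08T09:01:33Z FAILED_LOGIN src=203.0.113.5 user=dave
2020-05-08T09:02:04Z FAILED_LOGIN src=203.0.113.5 user=erin
2020-05-08T09:02:35Z FAILED_LOGIN src=203.0.113.5 user=frank
2020-05-08T09:03:06Z FAILED_LOGIN src=203.0.113.5 user=grace
2020-05-08T09:03:37Z FAILED_LOGIN src=203.0.113.5 user=heidi
2020-05-08T09:05:00Z FAILED_LOGIN src=192.0.2.9 user=ivan
2020-05-08T09:06:10Z FAILED_LOGIN src=192.0.2.9 user=ivan
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) FAILED_LOGIN src=(?P<ip>\S+) user=(?P<user>\S+)$")

Event = Tuple[datetime, str, str]   # (timestamp, source ip, username)


def parse_failed_logins(text: str) -> List[Event]:
    """Turn the constructed log lines into (timestamp, ip, user) tuples; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_spray(events: List[Event],
                 window: timedelta = timedelta(minutes=10),
                 min_users: int = 5,
                 max_per_user: int = 2) -> Dict[str, int]:
    """Flag source IPs that, inside any sliding window, fail against at least
    `min_users` distinct accounts with no account tried more than `max_per_user`
    times. Returns {ip: distinct users seen} for each flagged source.
    A brute force against one account never matches: its per-user count is high."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    alerts: Dict[str, int] = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                                   # slide the window forward
            counts = Counter(user for _, user in attempts[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[ip] = max(alerts.get(ip, 0), len(counts))
    return alerts


if __name__ == "__main__":
    for ip, n in detect_spray(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {n} distinct accounts")
```

Two things the sample is built to show: the single-account brute force from 198.51.100.7 is not reported by this rule (it belongs to a different detection), and shrinking the window below the attacker's pacing makes the spray vanish, which is exactly how slow, patient sprays evade naive thresholds. Correlating by source IP also fails once the attacker rotates through a proxy pool; grouping by user agent or by the count of distinct accounts per minute across all sources is the usual next step.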

Microsoft flags known issues ahead of May 2020 Update

In a blog post, Microsoft has detailed the known issues with its upcoming Windows 10 May 2020 update. It says that these will only affect a small group of users and will be fixed in future servicing releases.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 82 – Most common GraphQL vulnerabilities, pentesting with Insomnia

Mic Whitehorn-Gillam posted an article on how to use Insomnia and Burp together for REST API penetration testing.

Link HERE

Incidents & events detail

Hacker claims to have grabbed 63.2 GB of Microsoft source code from GitHub

Link HERE

The Air Force wants you to hack its satellite in orbit. Yes, really

Link HERE

Snake Ransomware Hits Major European Healthcare Company’s Systems

IT systems belonging to Fresenius, a European healthcare conglomerate, were hit with ransomware earlier this month. The ransomware used in the attack has been identified as Snake, which has recently been used in attacks against a variety of large businesses.
[Murray]
The healthcare industry is a target of choice for extortion attacks. Within the industry, attacks succeed against targets of opportunity. Healthcare enterprises should raise the cost to their attackers high enough not to be targets of opportunity. “Targets of opportunity” are, almost by definition, on the flat part of the security cost curve where one can get a significant reduction in the cost of losses for every dollar spent.

Link HERE

Hackers Take Aim at Cross-Site Scripting Flaws in WordPress Sites

The Wordfence Threat Intelligence Team has observed a significant increase in attempted attacks targeting cross-site scripting (XSS) vulnerabilities in WordPress sites over the past 10 days. The number of these attacks is 30 times what Wordfence normally sees. The attacks are likely the work of a single hacking group.

Link HERE

German Authorities Charge Alleged Bundestag Hacker

Link HERE

“Psychic Paper”

iOS Vulnerability

Link HERE

Abnormal Attack Stories: Cisco Webex Phishing

Link HERE

Credit card skimmer masquerades as favicon

Malware authors are notorious for their deceptive attempts at staying one step ahead of defenders. As their schemes get exposed, they always need to go back to their bag of tricks to pull out a new one.


When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some fairly simple and others more elaborate. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners.

In this latest instance, we observed an old server-side trick combined with the clever use of an icon file to hide a web skimmer. Threat actors registered a new website purporting to offer thousands of images and icons for download, but which in reality has a single purpose: to act as a façade for a credit card skimming operation.

Link HERE
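A file called favicon.ico that is actually JavaScript passes a glance at the page source, because nobody reads icons. The added example below (mine, not code from the Malwarebytes write-up) is the integrity check a site owner or scanner can run on what the server really returns for an icon URL: does the body start with an ICO or PNG header, is the Content-Type an image type, and does script-like text appear anywhere in it, including appended after a valid image. The two sample bodies are constructed, and the marker list is a heuristic, not a signature for the skimmer the article describes. Since the write-up says a server-side trick was involved, fetch the file the way the shopper's browser does on the checkout page (same path, headers and page context), not with a bare request from a scanner, or you may only ever see the clean version.

```python
ICO_MAGIC = b"\x00\x00\x01\x00"          # ICONDIR: reserved=0, type=1 (icon)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"<script", b"document.", b"eval(", b"atob(",
                  b"XMLHttpRequest", b"fetch(", b"addEventListener(")


def favicon_verdict(body: bytes, content_type: str) -> str:
    """Classify a response served for an icon URL.
    'malicious'  : script-like text in the body (whether or not an image header is present)
    'suspicious' : no image header, or an image served with a non-image Content-Type
    'ok'         : image header, image Content-Type, no script markers"""
    has_script = any(marker in body for marker in SCRIPT_MARKERS)
    if has_script:
        return "malicious"
    is_image = body.startswith(ICO_MAGIC) or body.startswith(PNG_MAGIC)
    if not is_image:
        return "suspicious"
    if not content_type.lower().startswith("image/"):
        return "suspicious"
    return "ok"


# Constructed samples: a minimal ICO header plus padding, and a script pretending to be one.
GOOD_ICO = ICO_MAGIC + b"\x01\x00" + b"\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 16
FAKE_ICO = (b'(function(){var f=document.forms[0];'
            b'f.addEventListener("submit",function(){new XMLHttpRequest()})})();')


def audit_icons(responses):
    """responses: iterable of (url, body, content_type). Returns {url: verdict} for anything not ok."""
    return {url: v for url, body, ctype in responses
            if (v := favicon_verdict(body, ctype)) != "ok"}


if __name__ == "__main__":
    for url, verdict in audit_icons([
        ("https://shop.example/favicon.ico", GOOD_ICO, "image/x-icon"),
        ("https://cdn.example/icons/favicon.ico", FAKE_ICO, "image/x-icon"),
    ]).items():
        print(verdict, url)
```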

Research of the week

Featuring – Putting the “Fun” in “Hash Function”

There are several different methods for securely hashing a password server-side for storage and future authentication. The most common one (a.k.a. the one that FIPS allows you to use, if compliance matters for you) is called PBKDF2. It stands for Password-Based Key Derivation Function #2.

Why #2? It’s got nothing to do with pencils. There was, in fact, a PBKDF1! But PBKDF1 was fatally insecure in a way I find very interesting. This StackOverflow answer is a great explainer on the difference between the two

 

The obvious lesson: Don’t design key derivation functions like PBKDF1

Link HERE
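What PBKDF2 buys you is a tunable work factor: the iteration count slows every guess, and a per-user random salt stops one table from serving every user. The added example below (mine, not code from the linked post) stores and verifies passwords with `hashlib.pbkdf2_hmac`, keeps the parameters inside the stored string so they can be raised later, and includes a `needs_rehash` check for doing exactly that on the user's next login. The 310,000 default iteration count is an assumption to tune against your own hardware, and the storage format is constructed for this example; `rfc6070_vector_ok` checks the implementation against a published PBKDF2-HMAC-SHA1 test vector.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "sha256"
ITERATIONS = 310_000       # assumed default work factor; raise it as hardware gets faster
SALT_BYTES = 16
DK_LEN = 32                # derived-key length in bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<dk>' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, DK_LEN)
    return "$".join(["pbkdf2_" + ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if scheme != "pbkdf2_" + ALGORITHM:
            return False
        expected = _unb64(dk_b64)
        dk = hashlib.pbkdf2_hmac(ALGORITHM, candidate.encode("utf-8"),
                                 _unb64(salt_b64), int(iters), len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than the current policy;
    call hash_password again right after a successful verify, while you hold the plaintext."""
    return int(stored.split("$")[1]) < iterations


def rfc6070_vector_ok() -> bool:
    """PBKDF2-HMAC-SHA1("password", "salt", c=4096, dkLen=20) from RFC 6070."""
    dk = hashlib.pbkdf2_hmac("sha1", b"password", b"salt", 4096, 20)
    return dk.hex() == "4b007901b765489abead49d926f721d065a429c1"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"), needs_rehash(record))
```

Two hashes of the same password never match because each gets its own salt, which is also why the comparison goes through `verify_password` rather than string equality. If FIPS compliance is not a constraint, the same storage shape works for Argon2id or scrypt; the parameters-in-the-record pattern is what lets you migrate later.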

Security Threat Modelling: Are Data Flow Diagrams Enough?

Traditional threat modelling approaches such as Microsoft’s STRIDE rely on Data Flow Diagrams (DFDs) as the main input. As DFDs are constructed from only five distinct model element types, these system models are deliberately kept simple. While this lowers the bar for practical adoption, there are a number of significant drawbacks. In this position paper, we identify and illustrate four key shortcomings of DFD models when used for security threat modelling, related to the inadequate representation of security concepts, data elements, abstraction levels, and deployment information. Based on these shortcomings, we posit the need for a dedicated, integrated language for threat modelling, and discuss the trade-offs that need to be made between the ease of adoption and the level of support for systematic and repeatable threat modelling.

Link HERE

Tactical Ten: Behavioural Analytics

Link HERE

Office365 — A Quick Security Review

Link HERE

Tool of the week

GitHub Code Scanning aims to prevent vulnerabilities in open source software

GitHub has made available two new security features for open and private repositories: code scanning (as a GitHub-native experience) and secret scanning.

GitHub Code Scanning

Link HERE

Bulwark

An organizational asset and vulnerability management tool

Link HERE

JavaScript Browser Information


Link HERE – thanks to Javan

TrevorC2

A legitimate website (browsable) that tunnels client/server communications for covert command execution

Link HERE

Malwoverview

A first-response tool for a quick initial triage of a directory of malware samples, a single sample, or a suspect URL or domain. It can also download samples and submit them to the main online sandboxes.

Link HERE

Other interesting articles 

##GitHub Code-Scanning Tools for Open-Source Projects

GitHub is offering its automated code-scanning tools to open-source projects at no cost. The GitHub Advanced Security suite includes the Semmle code scanning tool, which GitHub acquired last fall, as well as tools that scan repositories for data that should not be exposed, such as passwords and private keys.

Link HERE

 

##Zoom Acquires Keybase in Effort to Improve Security Issues

Video conferencing platform company Zoom has acquired security company Keybase, which will help Zoom implement stronger encryption. The improved encryption service will be available to paid versions of Zoom.

Link HERE

 

##Cloud Security Features Don’t Replace the Need for Personnel Security Capabilities

Link HERE

 

##And finally, When Your Freedom Depends on an App

The app Layla was forced to download upon her release, Guardian, is part of the latest wave of surveillance technologies utilized by enforcement agencies to monitor the recently incarcerated or those awaiting trial. Launched in 2015, it’s marketed as a way for agencies to cut down costs and take advantage of the existing tracking technology in smartphones for more seamless and convenient parole. Based on the terms of their supervision, users are prompted to check in with their parole officers at certain intervals by reading a random series of numbers into the app. Guardian then analyses that check-in using a combination of geolocation data and voice or facial recognition…


Link HERE. Overwhelmed? Is cognitive reframing the solution? HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.doyensec.com/2020/04/30/polymorphic-images-for-xss.html

Description: Researching Polymorphic Images for XSS on Google Scholar.

URL: https://opnsec.com/2020/05/dom-xss-in-gmail-with-a-little-help-from-chrome/

Description: DOM XSS in Gmail with a little help from Chrome.

URL: https://bit.ly/2SMtvaL  (+)

Description: Stealing Trello token by abusing a cross-iframe XSS on the Butler Plugin.

Links HERE and credits to HERE

 

 
