Security Stack Sheet #95

 

Word of the Week

“House of Cards”

Outdated Software Components

How many? Nine in 10 Applications!

Most apps contain outdated, abandoned open source components

Almost every application uses open-source components, and 91% use libraries that are out of date or that have been abandoned altogether.

Links HERE and HERE. OWASP says the same HERE, and on the cost of running obsolete software see HERE.

 

Bonus


Link HERE


Link HERE

 

Crypto challenge of the week

Hacky Easter Archive

Link HERE

 

Dates

  • 25th May 2018: almost two years of GDPR in force. See the Incidents section below; GDPR Enforcement Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 is the minimum for proper security; HTTPS everywhere HERE

TLS1.3: Two Years On

Link HERE

  • DO NOT DELAY the TLS 1.2 migration BEYOND JUNE 2020, or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSL Labs caps any server still offering TLS 1.0 at grade B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • 1st of June 2020 – Freedom from viruses?
  • November 3rd 2020: Trump’s second term start

US Accuses China of Cyberattacks Aimed at Stealing COVID-19 Research

Link HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

 

Book of the month

CHILDREN IN CYBER SECURITY RESOURCE GUIDE

Link HERE

Jeff Bezos: The electricity metaphor

Not a book

Link HERE

 

Comic of the week

Point At End Of Slide Deck  - Dilbert by Scott Adams

AND

Dilbert Has To Upgrade Server - Dilbert by Scott Adams

 

##Some OWASP stuff first

-OWASP Top 10 Maturity Categories for Security Champions – new proposed project

You have heard the term – Security Champions, or was it Satellites (that sounds weird...)?

But what are they really? Is it a good idea?

How many companies are doing this?

If you’re convinced it needs to be done, how do you manage a Security Champions programme (at scale)? What methods and tools exist?

Link HERE

-Video: API Hacking for the Actually Pretty Inexperienced hacker

On the latest episode of the OWASP DevSlop show, Katie Paxton-Fear gave a talk on REST API hacking. Her talk focused on the following vulnerabilities from the OWASP API Security Top 10 list:

  • API1:2019 — Broken object level authorization (link HERE)
  • API3:2019 — Excessive data exposure (link HERE)
  • API5:2019 — Broken function level authorization (link HERE)
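The three categories from the talk, shown as an added example that is not the speaker's code: each one as a vulnerable handler next to its fixed counterpart, over an in-memory store. The users, orders, roles and the plain-function "handlers" standing in for framework routes are all constructed.

```python
"""OWASP API Security Top 10, API1 / API3 / API5, vulnerable vs fixed.
Constructed sample data and handlers; not from any real application."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "user" or "admin" (constructed role model)


# Constructed sample data. Password hashes are placeholders.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "password_hash": "$2b$12$aaa", "role": "user"},
    2: {"id": 2, "email": "bob@example.com", "password_hash": "$2b$12$bbb", "role": "user"},
}
ORDERS = {
    100: {"id": 100, "owner_id": 1, "items": ["widget"]},
    101: {"id": 101, "owner_id": 2, "items": ["gadget"]},
}


class Forbidden(Exception):
    """Raised when a handler refuses the call (maps to HTTP 403)."""


# --- API1:2019 Broken Object Level Authorization ---------------------------
def get_order_vulnerable(session, order_id):
    # Fetches by the caller-supplied id only: any logged-in user can read
    # any order by iterating ids.
    return ORDERS[order_id]


def get_order_fixed(session, order_id):
    order = ORDERS.get(order_id)
    # Authorise on the object, not just on "is authenticated". A missing order
    # and someone else's order get the same answer, so ids cannot be enumerated.
    if order is None or order["owner_id"] != session.user_id:
        raise Forbidden("not your order")
    return order


# --- API3:2019 Excessive Data Exposure -------------------------------------
def get_profile_vulnerable(session):
    # Serialises the whole record and leaves it to the client to hide fields.
    return dict(USERS[session.user_id])


PROFILE_FIELDS = ("id", "email")  # explicit allow-list for this endpoint


def get_profile_fixed(session):
    user = USERS[session.user_id]
    return {k: user[k] for k in PROFILE_FIELDS}


# --- API5:2019 Broken Function Level Authorization -------------------------
def delete_user_vulnerable(session, target_id, users=USERS):
    # "Admin" operation that only checks that the caller has a session.
    return users.pop(target_id, None) is not None


def delete_user_fixed(session, target_id, users=USERS):
    # Function-level check: the role, not just the session, must allow this.
    if session.role != "admin":
        raise Forbidden("admin only")
    return users.pop(target_id, None) is not None


def denied(handler, *args) -> bool:
    """Helper for demos/tests: True if the handler refuses with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```

Note how the fixes are structural: ownership is checked against the object, the response schema is an allow-list rather than the stored record, and privileged functions check the role, all on the server side.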

-A look at OWASP’s top automated threats to web apps


Link HERE

 

Events

OWASP events HERE

ASC Webinars: CTFs and Bug Bounty Hunting and Their Relation To Professional Work – Ibrahim Mosaad

Link HERE

ASC Webinars: Cybersecurity from Zero to Hero – Mohammad Khreesha

Link HERE

ASC2019 – Human Vs A.I – Offensive Security Modern Combat – Mohamed Gamal

Link HERE

ASC2019 – Cloud applications security challenges – Ayman Al-Rifaei

Link HERE

ASC2019 – Social Engineering Attack: Lessons learned – Mohanned Momani

Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report


New survey highlights the state of remote working in the UK

A survey of 2,000 UK SME employees working from home in April has found that only 9% had checked whether their antivirus software had been updated.
The findings from Avast Business also show that 18% are working from unprotected devices, and only 26% have access to IT support from their employer.

Cyber attacks target organisations supporting COVID-19 response

This week the media reported that organisations involved in constructing emergency hospitals during the coronavirus pandemic have been hit by cyber attacks. You can read Interserve’s latest statement here.

Link HERE – report vulnerabilities to the NCSC HERE, and who is Government Security HERE

API Security Issue 83: India’s COVID-19 tracing app, OAuth2 API attacks

Vulnerability: India’s coronavirus tracing app

Elliot Alderson discovered API flaws in India’s COVID-19 tracking app, Aarogya Setu. In certain regions, the app is mandatory, and not having it installed can lead to fines or even jail time.

The app tells users how many people nearby, within a radius of 500 metres to 10 kilometres, have tested positive for COVID-19 or have self-assessed as feeling unwell. That is the theory; in practice, attackers can make the app show them more.

Attack scenarios: OAuth Mix-Up, Revisited

Dr. Daniel Fett has published a great detailed document on OAuth mix-up attack scenarios and ways to mitigate them. He covers, for example:

  • Basic mix-up attack
  • Mix-up attacks with OAuth metadata
  • Mix-up attacks with the Pushed Authorization Request (PAR) endpoint
  • Integrity of the Authorization Request with PAR

Link HERE
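The basic mix-up attack from the list above, played out in code as an added example (not from Dr Fett's document): a client registered at both an honest and an attacker-controlled authorization server, the attacker's authorization endpoint forwarding the victim's browser to the honest server, and the client redeeming the resulting code at the wrong token endpoint. The countermeasure chosen here is the `iss` authorization-response parameter (RFC 9207); the document's own recommendations are at the link. Issuer URLs, client credentials and the in-process calls that stand in for HTTP redirects are constructed.

```python
"""OAuth mix-up attack simulation and the `iss` response-parameter fix.
Added example with constructed issuers/credentials; function calls stand in
for the browser redirects of a real flow."""
import secrets


class AuthorizationServer:
    def __init__(self, issuer):
        self.issuer = issuer
        self.codes = {}            # code -> client_id it was issued to
        self.codes_received = []   # everything the token endpoint was sent

    def authorize(self, client_id, state, include_iss):
        """Authorization endpoint: user authenticates (elided), browser is
        redirected back to the client with code and state."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        response = {"code": code, "state": state}
        if include_iss:
            response["iss"] = self.issuer   # RFC 9207 countermeasure
        return response

    def token(self, code, client_id, client_secret):
        """Token endpoint. An attacker-controlled AS simply keeps whatever it
        is sent; an honest AS redeems the code."""
        self.codes_received.append(code)
        if self.codes.pop(code, None) == client_id:
            return {"access_token": secrets.token_urlsafe(16)}
        return {"error": "invalid_grant"}


class Client:
    """Relying party registered at several authorization servers."""

    def __init__(self, servers, check_iss):
        self.servers = {s.issuer: s for s in servers}
        # Constructed per-AS client credentials.
        self.credentials = {s.issuer: ("client-%d" % i, secrets.token_hex(8))
                            for i, s in enumerate(servers)}
        self.pending = {}          # state -> issuer the flow was started with
        self.check_iss = check_iss

    def begin_login(self, issuer):
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_callback(self, response):
        expected_issuer = self.pending.pop(response.get("state"), None)
        if expected_issuer is None:
            return "aborted: unknown state"          # plain CSRF defence
        if self.check_iss and response.get("iss") != expected_issuer:
            # The response must come from the AS this state was created for.
            return "aborted: issuer mismatch (mix-up detected)"
        # Vulnerable path when iss is not checked: the code is redeemed at the
        # AS the client *believes* it is talking to.
        as_ = self.servers[expected_issuer]
        client_id, secret = self.credentials[expected_issuer]
        as_.token(response["code"], client_id, secret)
        return "code sent to " + expected_issuer


def run_mix_up(honest_sends_iss, client_checks_iss):
    honest = AuthorizationServer("https://honest-as.example")
    attacker = AuthorizationServer("https://attacker-as.example")
    client = Client([honest, attacker], check_iss=client_checks_iss)

    # 1. Victim is lured into starting a login via the attacker's AS.
    state = client.begin_login(attacker.issuer)
    # 2. The attacker's authorization endpoint does not authenticate anyone;
    #    it redirects the browser to the honest AS, reusing the client's state
    #    and the client's client_id at the honest AS.
    honest_client_id, _ = client.credentials[honest.issuer]
    response = honest.authorize(honest_client_id, state, include_iss=honest_sends_iss)
    # 3. The honest AS redirects the browser back to the client's redirect URI.
    outcome = client.handle_callback(response)
    # Attacker wins if a code the honest AS issued reached the attacker's token
    # endpoint while it is still unredeemed at the honest AS.
    leaked = any(c in honest.codes for c in attacker.codes_received)
    return outcome, leaked
```

Run `run_mix_up(False, False)` to see the leak and `run_mix_up(True, True)` to see it blocked; note that the fix needs both sides, since an AS that sends `iss` protects nothing if the client ignores it.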

 

Incidents & events detail

GitLab disclosed on HackerOne: Arbitrary file read via the UploadsRewriter when moving an issue

Link HERE

Ramsay Cyberespionage Toolkit Targets Air-Gapped Networks

Researchers at ESET have found samples of malware that steals information from air-gapped networks. The cyber-espionage toolkit, dubbed Ramsay, appears to be under active development: each of the three samples found adds new features, and each has been delivered through a different attack vector.

Link HERE

Report: Estimated 24,000 Android apps expose user data through Firebase blunders

Link HERE
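An added example, not from the report, of the check behind headlines like this one: it assumes the "blunders" are the usual case of Firebase Realtime Database security rules left world-readable or world-writable, and audits a rules document for exactly that. It also flags child rules that try to tighten access under a parent that is already public, because in Realtime Database rules a grant on a parent path cascades to every child and cannot be revoked below it. The rules JSON is constructed, not taken from any of the reported apps.

```python
"""Audit Firebase Realtime Database rules for world-open paths.
Added example with a constructed rules document. Assumes the documented
semantics: a rule of literal true (or the expression "true") grants access to
unauthenticated callers, and parent grants cascade to all children."""
import json

RULE_KEYS = (".read", ".write")


def _grants_public(rule):
    return rule is True or (isinstance(rule, str) and rule.strip() == "true")


def _walk(node, path, inherited_public, findings):
    public_here = dict(inherited_public)
    for key in RULE_KEYS:
        rule = node.get(key)
        if rule is None:
            continue
        if _grants_public(rule):
            if not inherited_public[key]:
                findings.append((path, key, "world-accessible"))
            public_here[key] = True
        elif inherited_public[key]:
            # e.g. "auth != null" under a parent with .read: true does nothing.
            findings.append((path, key, "restriction ineffective: parent already grants public access"))
    for child, sub in node.items():
        if child.startswith("."):      # .read/.write/.validate/.indexOn are rules, not paths
            continue
        if isinstance(sub, dict):      # "$uid" wildcards are ordinary path segments here
            _walk(sub, path.rstrip("/") + "/" + child, public_here, findings)


def audit_rules(rules_json):
    """Return sorted (path, rule, reason) findings for a rules document."""
    doc = json.loads(rules_json)
    findings = []
    _walk(doc.get("rules", {}), "/", {k: False for k in RULE_KEYS}, findings)
    return sorted(findings)


# Constructed rules document mixing sane per-user rules with two blunders.
SAMPLE_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "public_config": {".read": True},
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid === $uid",
                ".write": "auth != null && auth.uid === $uid",
                "profile": {".validate": "newData.hasChildren(['name'])"},
            }
        },
        "leaderboard": {
            ".read": True,
            ".write": "true",
            "private": {".read": "auth != null"},
        },
    }
})

if __name__ == "__main__":
    for path, key, reason in audit_rules(SAMPLE_RULES):
        print(path, key, reason)
```

Anything reported as world-accessible is reachable with nothing more than the database URL, which is what the scanning behind the report relies on; a `.read` of `true` on a user-data path is the finding to fix first.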

How Spies Snuck Malware Into the Google Play Store—Again and Again

Malicious Android apps from the so-called PhantomLance campaign targeted hundreds of users, and at least two slipped past Google’s defences

Link HERE

Backtracking MageCart infections

Link HERE

Windows Insiders can now test DNS over HTTPS

Link HERE

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking

The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects Thunderbolt-equipped PCs manufactured before 2019

Link HERE

Used Tesla Components Contain Personal Information

Link HERE

LinkedIn Phish Walk Through

A quick walkthrough of a phishing scam that was propagating via LinkedIn messages

Link HERE

COVID-themed phishing – infocenter

Link HERE – thanks to Syl

The pandemic, the geeky way

Links HERE and HERE

 

Research of the week

Featuring – The Continuous Application Security Handbook

Annual per-application security cost?


Link HERE

The Dacls RAT …now on macOS!

Deconstructing the macOS variant of a Lazarus Group implant

Link HERE

CISA Lists Top 10 Most Exploited Vulnerabilities

The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a list of the 10 vulnerabilities most commonly exploited by foreign hackers between 2016 and 2019. CISA has also listed the vulnerabilities that are most frequently being exploited in 2020. The alert includes a listing of indicators of compromise and mitigations for each of the vulnerabilities. CISA notes that “a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective.”

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.
[Pescatore]
Pay particular attention to the ones listed for 2020 – the vulnerabilities in VPN (and other security) appliances being exploited is something Johannes Ullrich pointed out in the SANS Top New Attack Trends keynote at RSA (www.sans.org: SANS Top New Attacks and Threat Report). The scanning for misconfigured cloud applications is an ongoing issue, but the rush to cloud-based teleconferencing and storage/collaboration apps to support Work From Home has made misconfigurations even more likely.
[Neely]
Note that the vulnerabilities are listed by CVE, which are then summarized, such as vulnerabilities in Microsoft OLE. Mitigations start with basic cyber hygiene – timely application of patches and following security configuration guides. Leverage continuous monitoring, including scanning and testing, to verify products remain updated and secure.

Link HERE

Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model.


Malicious actors have been actively deploying MAZE ransomware since at least May 2019. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise. Multiple actors are involved in MAZE ransomware operations, based on our observations of alleged users in underground forums and distinct tactics, techniques, and procedures across Mandiant incident response engagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from victims who refuse to pay an extortion fee.

Link HERE

 

Tool of the week

Top 10 tools for working from home (WFH) securely in 2020-2021

Link HERE

Tools recommended by a security professional

Link HERE

From last week: Microsoft Secure Score for Microsoft 365

Link HERE

Tsurugi Linux

Link HERE

 

Other interesting articles 

##Security and Cryptography Mistakes You Are Probably Doing All The Time

Link HERE

 

##The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet

At 22, he single-handedly put a stop to the worst cyberattack the world had ever seen. Then he was arrested by the FBI. This is his untold story

Link HERE

 

##And finally, the dark web: Not so anonymous after all

The dark web is sometimes portrayed as a mysterious and anonymous environment. Yet, studies in recent years suggest we should perhaps rethink those preconceptions

What is the Dark Web?

Links HERE and HERE

 

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://vinothkumar.me/20000-facebook-dom-xss/

Description: This is the story of how I found $20k Facebook DOM XSS.

URL: http://www.missoumsai.com/google-accounts-xss.html

Description: DOM-Based XSS at accounts.google.com by Google Voice Extension.

Links HERE and credits to HERE

 

 

Sage

Sage Business Cloud

Sage
