Word of the Week
“In-app protection & self-defending applications”
Self-defending applications become crucial as modern architectures migrate software logic to the client side. Security and risk management leaders must take due care in protecting their application clients to avoid turning a promising software design trend into a security failure.
In-app protection instils self-defending capabilities into client-side applications. It includes application shielding, client-side runtime application self-protection (RASP) and anti-malware techniques, and is well-suited to provide a zero-trust approach to applications.
In-app protection has experienced adoption in consumer mobile apps, especially in financial services, and online retail and media. The proliferation of smart clients and dynamically loaded content on front ends will further expand adoption of the technology.
Awareness of the technology, and the urgency to adopt it, are low outside the security department in mainstream organizations. While line-of-business executives recognize its fraud-detection and customer-experience benefits, developers rarely feel their applications could be attack targets.
Word of the Week Special
“Verizon Data Breach Investigation Report 2020”
Web Application Attacks Double from 2019: Verizon DBIR
Verizon’s annual data breach report shows most attackers are external, money remains their top motivator, and web applications and unsecured cloud storage are hot targets
Charts reproduced from the report: Top Actor varieties in breaches; Top discovery methods in Error breaches; Top data varieties compromised in Phishing breaches.
Crypto challenge of the week
OSCE Exam Practice – Parts I to V
Hacky Easter Archive
[Browsers, Office365, Cisco and many others]
Moving the Internet to TLS 1.3, asap
You do know that WPA-2 is fundamentally flawed? And you know that some versions of TLS are weak from a security point-of-view?
Imagine that a new building material had been created which was stronger than all previous ones. Or that a previous building material had been found to have flaws. Civil engineers would be really pushing it out. But with TLS 1.3 and WPA 3? Where is the great voice of the cybersecurity industry pushing forward to fix the flaws of the past? A little quiet, perhaps?
Coronavirus: Five things a Covid-19 symptom-tracking app tells us
Book of the month
Remember – thanks to TK
Please Google for it
Link HERE – thanks to Petko
Comic of the week
##Some OWASP stuff first
-9 Secure Code Review Best Practices For Your Web Application
Here are some questions you should consider while conducting a secure code review:
-Håkon Olsen – Security in development: how automated security testing drives good practice
-Medical Device Threat Modelling
This whitepaper describes threat modelling in the context of creating secure medical device systems. International regulators as well as customers are expecting Medical Device Manufacturers to deliver proactively secured devices. This is in part a question of technology, but equally a question of security engineering best practices applied during the product development lifecycle. This includes applying a mature Cybersecurity Risk Assessment methodology during the Risk Management process. One powerful technique available to engineers is threat modelling, as we will discuss in this whitepaper.
OWASP events HERE
Reduce API Security Risks with Automated and Continuous API Scanning
Covid-19 webinar: Securing DevOps in cloud environments
We recognise the crucial role DevOps plays during these challenging times and how important it is to maintain a ‘business as usual’ approach. However, how can we ensure these issues don’t impact our cloud environments and put the Software Development Lifecycle (SDLC) at risk?
Trond Klevstuen & Stein Morten Rustad – From on-premise to multi tenant cloud – 3 years in “hell”
SANS ISC Channel on YouTube
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
Older versions of the QTS operating system vulnerable
Advice issued following EasyJet cyber incident
API Security Issue 84 – Unprotected APIs at Google Firebase, leaky Arkansas PUA portal
Vulnerability: Google Firebase
Incidents & events detail
EasyJet admits data of nine million hacked
EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers.
It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”.
Researchers Disclosed 5 Windows Zero-Day Bugs That Allow Hackers to Escalate System Privileges
Link HERE – thanks to Jachar
‘Flight risk’ employees involved in 60% of insider cybersecurity incidents
The majority of staff planning their exit also take sensitive information with them, research suggests.
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
What is up on Port 62234?
Working From Home? Don’t View P0rn on Your Corporate VPN
Facebook New Messenger Warnings are Based on Metadata
A Joint Analysis Reveals APT Group Spying Activities
Several so-called “malware testing services” are offering to fix flaws in adversaries’ code, shoring up any vulnerabilities researchers may use to inspect the malware.
Research of the week
Featuring – Stealing Secrets from Developers using Websockets
A couple of articles have hit the sites recently about websites abusing WebSocket functionality to port-scan users’ computers.
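The mechanism behind those articles, as an added example that is not code from the linked write-ups: a page may open ws://127.0.0.1:&lt;port&gt; for any port it likes, and WebSocket connection attempts are not subject to CORS. The browser only ever reports an opaque error, but a closed port fails almost immediately (the TCP RST comes straight back), whereas a port with a non-WebSocket listener fails later, after an HTTP handshake that goes nowhere, or hangs until a timeout. That timing gap is the side channel. The 100 ms threshold and the FakeSocket class (ports 22 and 5900 behaving as "listening" and "closed") are assumptions constructed here so the logic runs offline; in a browser the real WebSocket constructor is used.

```javascript
// Added example: timing side channel behind WebSocket-based localhost port
// scanning from a web page. Not taken from the articles the newsletter links.

const FAST_ERROR_MS = 100; // assumption: RST-driven failures land well under this

// Classify one probe result. `outcome` is 'open' (WebSocket handshake succeeded),
// 'error' (onerror fired), 'timeout' (nothing within timeoutMs) or 'blocked'
// (the constructor itself threw, e.g. a policy-blocked URL).
function classify({ outcome, elapsedMs }, fastErrorMs = FAST_ERROR_MS) {
  if (outcome === 'open') return 'open';
  if (outcome === 'timeout') return 'open-or-filtered';
  if (outcome === 'error') return elapsedMs < fastErrorMs ? 'closed' : 'open-non-websocket';
  return 'unknown';
}

// Probe one port and time how long the browser takes to give up on it.
// The socket constructor is injectable so the logic can run outside a browser.
function probePort(port, { SocketCtor, timeoutMs = 1500, now = () => Date.now() } = {}) {
  const Ctor = SocketCtor || (typeof WebSocket !== 'undefined' ? WebSocket : null);
  return new Promise((resolve) => {
    const start = now();
    let timer = null;
    let settled = false;
    const settle = (outcome, sock) => {
      if (settled) return;
      settled = true;
      if (timer !== null) clearTimeout(timer);
      if (sock) { try { sock.close(); } catch (_) { /* already closed */ } }
      resolve({ port, outcome, elapsedMs: now() - start });
    };
    if (!Ctor) { settle('blocked'); return; }
    let sock;
    try {
      sock = new Ctor(`ws://127.0.0.1:${port}`);
    } catch (_) {
      settle('blocked');
      return;
    }
    sock.onopen = () => settle('open', sock);
    sock.onerror = () => settle('error', sock);
    timer = setTimeout(() => settle('timeout', sock), timeoutMs);
  });
}

// Scan a list of ports sequentially and return { port: state }.
async function scanLocalPorts(ports, options = {}) {
  const states = {};
  for (const port of ports) {
    const result = await probePort(port, options);
    states[port] = classify(result, options.fastErrorMs);
  }
  return states;
}

// Constructed fake WebSocket (assumption, for offline demonstration): port 22
// "listens" and errors only after a slow handshake, port 5900 is closed and
// errors at once. A real browser WebSocket behaves the same way in principle.
class FakeSocket {
  constructor(url) {
    const port = Number(new URL(url).port);
    const delay = port === 22 ? 300 : 5;
    setTimeout(() => { if (this.onerror) this.onerror({ type: 'error' }); }, delay);
  }
  close() {}
}

if (typeof require !== 'undefined' && require.main === module) {
  scanLocalPorts([22, 5900], { SocketCtor: FakeSocket }).then(console.log);
}
```

The page sees nothing but a failure either way; what it learns comes entirely from how long the failure took. A host firewall that treats loopback as trusted does not stop this, since the connection originates from the victim's own browser; the fix has to come from the browser (restrictions on pages reaching private-network or loopback addresses) or from not running listeners on loopback that you would not want enumerated.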
Panaseer 2020 Financial Services Security Metrics Report
And the interesting one
The Many Kinds of Creepware Used for Interpersonal Attacks
Abstract—Technology increasingly facilitates interpersonal attacks such as stalking, abuse, and other forms of harassment. While prior studies have examined the ecosystem of software designed for stalking, there exists an unstudied, larger landscape of apps—what we call creepware—used for interpersonal attacks. In this paper, we initiate a study of creepware using access to a dataset detailing the mobile apps installed on over 50 million Android devices. We develop a new algorithm, CreepRank, that uses the principle of guilt by association to help surface previously unknown examples of creepware, which we then characterize through a combination of quantitative and qualitative methods. We discovered apps used for harassment, impersonation, fraud, information theft, concealment, and even apps that purport to defend victims against such threats. As a result of our work, the Google Play Store has already removed hundreds of apps for policy violations. More broadly, our findings and techniques improve understanding of the creepware ecosystem, and will inform future efforts that aim to mitigate interpersonal attacks.
Link HERE – thanks to Naz
Tool of the week
This tool will help you understand how input is transformed on a system, which can help you craft better payloads
semgrep is an open-source tool for lightweight static analysis using a familiar syntax
Other interesting articles
##Safely navigating the COVID-19 cyber-threat landscape
Ben Aung, Global Chief Information Security Officer at Sage, describes how businesses with staff working from home should be protecting themselves from cyber-threats during the pandemic
##The mobile security threats to be aware of in 2020
With the technological advancements of the modern world has come the emergence of unscrupulous characters looking to take advantage of them. Security threats are a constant, especially when it comes to mobile phones. It’s a real problem
##My high-quality idiot-proof recording setup
Good audio for virtual presentations is absolutely critical. Even before the new world of 2020, I was delivering remote training and recording videos, so I invested in a decent audio setup
##And finally, what if the next large-scale hack involved your vehicle instead of your security camera?
But my vehicle doesn’t connect to the internet… Are you sure?
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: RCE in Google Cloud Deployment Manager.
Description: jQuery 3.5.0 Security Fix (CVE-2020-11022/CVE-2020-11023).