Word of the Week
“We still don’t care enough about security”
With many of us stuck inside our homes, a pandemic like COVID-19 is an apt opportunity for hackers to strike. But even with ample awareness, the average consumer doesn’t care about security as much as they should. Why is that? In a word, convenience.
Take Zoom. Remember those few days when almost everyone reported on Zoom’s many security issues? Governments and tech giants publicly banned employees from using the software. Yet there seems to be no slowdown of Zoom meetings. Even media platforms that reported on Zoom’s security issues continue to use the software publicly. In times like these, convenience matters enormously, particularly where technology is involved.
In Zoom’s case, the value offering as a means of convenience far outweighs the cons for the normal user. When you’re trying to make a living amidst a global pandemic, you would want technology to make things easier for you.
But this isn’t unique to Zoom or COVID-19. Even Microsoft Teams, a competitor to Zoom, was vulnerable enough that company data could have been stolen via a simple GIF. One might think that something of that nature would prompt users to tread carefully in the online space. Unfortunately, that isn’t the case.
Cybersecurity has long been a concern in the general domain, and cybercrime has been on the rise during the past few years. In a 2019 report, Accenture estimates a whopping $5.2 trillion in cybersecurity-related costs within the next 5 years. The question is, why are we still lagging in addressing cybersecurity? It’s part ignorance, part unawareness, and part unaffordability.
Cybersecurity is a luxury many small companies can’t afford
Word of the Week Special
They May Pose Security Risk to Mobile Devices
2020 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT
Amazon is very hard to predict; AWS is surprisingly predictable. Companies get sherlocked by AWS largely because they’re trying to build a better AWS, which is fundamentally a losing proposition unless you’re basically Microsoft Azure and nobody else
Covid 19 apps privacy and security issues
Plus Apple on the same
Thanks to Naz
Crypto challenge of the week
Hacky Easter Archive
[Browsers, Office365, Cisco and many others]
Book of the month
Secure, Resilient, and Agile Software Development
With a detailed look at Agile and Scrum software development methodologies, this book explains how security controls need to change in light of an entirely new paradigm for how software is developed. It focuses on ways to educate everyone who has a hand in any software development project with appropriate and practical skills to Build Security In. After covering foundational and fundamental principles for secure application design, this book dives into concepts, techniques, and design goals to meet well-understood acceptance criteria on features an application must implement. It also explains how the design sprint is adapted for proper consideration of security as well as defensive programming techniques. The book concludes with a look at white box application analysis and sprint-based activities to improve the security and quality of software under development.
Comic of the week
## Some OWASP stuff first
- OWASP for Data Engineers
Wait.. what? Isn’t OWASP something to do with web applications? That was my first reaction too when, some years ago, I was asked to do an “OWASP top 10 analysis” on a project that had nothing at all to do with web applications. At the time I was able to steer the conversation in more fruitful and useful directions, but the thought stuck with me: is the OWASP “top 10” a useful framework for thinking about security in Data Engineering?
- The Abridged History of Application Security – Jim Manico
- [The Red Team Guide] Chapter 1: Red Teaming and Red Teams Overview
What is Red Team, and where did it come from?
The origins of Red Team are military in origin. It was realised that to better defend there was a need to attack your own defences to find weak points that could then be defended better. This morphed into “War Games” where defenders or friendly forces were denoted as BLUE and the opposing forces were RED.
- Six musts for building secure software
1 — Follow a secure code review process
2 — Choose the right libraries and frameworks
3 — Shield your database
4 — Encode and escape to block Cross-Site Scripting Attacks (XSS)
5 — Validate input
6 — Protect your users
- Preventing XSS in React (Part 2): dangerouslySetInnerHTML
Sometimes the best hiding place is the one that’s in plain sight
OWASP events HERE
BSidesSLC 2020 – Carlota Sage’s ‘$how Me The Money! (Getting Business Buy-in)’
Conquering the Authentication Challenge of Zero Trust
As an organization’s hybrid-cloud environment continues to expand far and wide beyond its control, the need for a zero-trust model is becoming mandatory. This higher level of digital security turns identity verification from a one-time event into a model where nothing consuming protected information is trusted by default.
AWS Online Summit 17th June
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
Multiple Vulnerabilities identified by Cisco in their ASA and FTD software and routers
Remote workers targeted by Office 365 phishing scam
Major VMware server vulnerability detected
API Security Issue 6: Vulnerabilities in Sign in with Apple, Qatar’s COVID19 app, GitLab
We have three API vulnerabilities in:
Incidents & events detail
Signal to move away from using phone numbers as user IDs
Signal launches profile PINs, the first step in supporting Signal user accounts that are not tied to phone numbers
Link HERE – thanks to Marc
StrandHogg 2.0 – The ‘evil twin’
New Android Vulnerability Even More Dangerous, With Attacks More Difficult to Detect Than Predecessor
Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers
Link HERE – thanks to Jachar
Ebay is port scanning your laptop, bypassing your firewall from your browser
Link HERE – thanks to Sezer
Zero-day in Sign in with Apple
A highly critical #vulnerability affecting Apple’s ‘Sign in with Apple’ feature could have let attackers hack into anyone’s account on third-party services or apps.
For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program
Hacker steals $1,200 worth of Ethereum in under 100 seconds
Malicious bots are scanning GitHub uploads for private crypto keys and seed phrases
Reverse Engineering a 5G ‘Bioshield’
Link HERE – thanks to Naz
NSA Announces Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)
Large Scale WordPress Attack Campaign
Between May 29 and May 31, attackers tried to steal configuration files from more than 1.3 million WordPress websites. The attackers exploited known vulnerabilities in unpatched WordPress plugins and themes. Researchers at WordFence detected and blocked more than 130 million attempted attacks targeting the sites.
The ransomware that attacks you from inside a virtual machine
To ensure their 49 kB Ragnar Locker ransomware ran undisturbed, the crooks behind the attack brought along a 280 MB Windows XP virtual machine to run it in (and a copy of Oracle VirtualBox to run that).
It’s almost funny, but it’s no joke
Hacking Privacy #5.20: Encryption Backdoors in the Name of National Security
Zoom Explains Why End-to-End Encryption is for Paying Customers Only
Zoom says that its end-to-end encryption will be available to paying customers only because it will be easier for the company to comply with FBI requests for access to communications data. A Zoom spokesperson said “We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”
Wallpaper crash explained: Here’s how a simple image can soft-brick phones
Research of the week
Featuring – When it’s not only about a Kubernetes CVE…
A Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master’s host network (such as link-local or loopback services).
Cyberthreat Defense Report 2020
A Computer Spying Method You’ve Probably Never Heard Of
What if someone just around a corner could see what you’re looking at on your computer screen without using a physical or wireless connection and without ever being in your system? It sounds like fiction, and it sounds scary, but it’s based in reality, and it’s been around a long time.
The process is called Van Eck phreaking. Ever heard of it? Not many people have. Van Eck phreaking is the detection of electromagnetic emissions, used to spy on what is displayed on a CRT (cathode ray tube) or LCD (liquid-crystal display) monitor as well as on the inputs coming from a computer keyboard, a printer, or some other electronic device.
What every software engineer should know about OAuth 2.0
Monitoring Maturity Model for IT Operations
Level 1: individual component monitoring
Level 2: in-depth monitoring
Level 3: next-gen monitoring
Level 4: artificial intelligence
The Input-Output Diagram
Analysis of a VBS Malware Dropper
Recently, I was willingly forwarded a phishing email (for science!) which contained a ZIP attachment, requesting the recipient to update their contact information…
An Architectural Risk Analysis of Machine Learning Systems
We are interested in “building security in” to machine learning (ML) systems from a security engineering perspective. This means understanding how ML systems are designed for security, teasing out possible security engineering risks, and making such risks explicit.
We present a basic ARA (architectural risk analysis) of a generic ML system, guided by an understanding of standard ML system components and their interactions.
Remember: Digital Identity: Call for Evidence and the future of Gov.uk Verify
We want to gather insights and evidence into how government can support improvements in identity verification, support the development and secure use of digital identities, and ensure that the potential benefits of this approach are open to all. The evidence we receive will be used to inform policy making and government priorities.
Tool of the week
Starboard: The Kubernetes-Native Toolkit for Unifying Security
Starboard integrates existing Kubernetes tools, not just from Aqua but also from third-party projects, into the Kubernetes experience. This video shows how Starboard enables results from vulnerability scanners, workload auditors, and configuration benchmark tests to be incorporated into Kubernetes CRDs (Custom Resource Definitions) and from there accessed through the Kubernetes API. Users familiar with kubectl or with a dashboard tool like Octant can find security risk information at their fingertips.
Using Hydra to Spray User Passwords
How attackers bypass account lockout when brute-forcing passwords
Actionable intelligence sources mindmap
Draw.io libraries for threat modeling diagrams
Using CloudFront to secure your web applications
Free for Devs
Other interesting articles
## Cloudflare Has a Plan to Change Everything About Cloud Security
It wants to replace corporate VPNs and firewalls with its own networks. That could make it even more of an internet gatekeeper
## Remember: Detecting webshells for fun and profit
“My web server is acting up strange, could you take a look?”
## Backing Up With Borg
Back up, compress, and encrypt your files
## Guardrails on Github
The term “guardrails” has become very popular in the realm of cloud security lately. If you listened to the Masters of Data Podcast I was on today with Jadee Hanson, George Gerchow, and Ben Newton, you might have heard the term mentioned in conjunction with DevSecOps and automation on cloud platforms. The idea is that you allow people to keep moving forward in their work but set up a mechanism to prevent them from taking unwanted actions as they go.
## And finally, Reverse Engineering Encrypted Code Segments
While working on a reverse engineering project, I came across a binary that appeared to be malformed since it couldn’t be disassembled, but when running the executable, it worked. After researching for a bit I was able to discover that parts of the executable were encrypted. What does it mean to encrypt a code segment and why would anyone want to attempt to reverse engineer such a thing?! Well, let’s take a dive into a Windows PE (Portable Executable) file as an example and look into what segments make up a PE program.
Windows uses a page-based virtual memory system, and a large code section is easier to maintain on the operating-system side of things. Paging is a memory management scheme that eliminates the need for contiguous allocation of physical memory. A physical or virtual memory address is generated by the CPU. For example, if a logical address is 31 bits wide, then the logical address space is 2³¹ words = 2 G words (1 G = 2³⁰). The mapping from virtual/logical to physical addresses is done by the Memory Management Unit (MMU), and this mapping is known as paging.
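As an added example (not code from the article linked above), here is a Python walk of the PE file layout the author describes, from the DOS header to the section table, that flags executable sections whose raw bytes are too random to be ordinary code, which is how an analyst spots a segment that is encrypted on disk and only decrypted at run time. The minimal PE image is constructed inline for the demo, and the 7.0 bits-per-byte entropy threshold is an assumed rule of thumb, not a value from the article.

```python
import math
import struct
from collections import Counter
IMAGE_SCN_CNT_CODE = 0x00000020      # IMAGE_SECTION_HEADER.Characteristics: section holds code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section is mapped executable
SECTION_HDR = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER layout, 40 bytes, little-endian

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary x86 code sits well below 7, encrypted or packed bytes approach 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table; yields (name, flags, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                         # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # section table follows the optional header
    table = coff + 20 + opt_size
    for i in range(num_sections):
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), flags, pe[raw_ptr:raw_ptr + raw_size]

def suspicious_code_sections(pe: bytes, threshold: float = 7.0):
    """Executable sections whose raw bytes are too random to be plain code: candidates for runtime decryption."""
    return [name for name, flags, data in parse_sections(pe)
            if flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) and shannon_entropy(data) >= threshold]

def build_sample_pe() -> bytes:
    """Constructed minimal image for the demo (no optional header, not loadable), not a real binary."""
    text = b"\x90" * 1020 + b"\xc3\xcc\xcc\xcc"   # NOP sled plus RET/INT3: low entropy, disassembles fine
    crypt = bytes(range(256)) * 4                 # uniform byte histogram (entropy 8.0): looks encrypted
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                         # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)  # 2 sections, opt header size 0
    raw = len(dos) + len(coff) + 2 * 40                                      # raw data starts after the table
    flags = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    hdrs = struct.pack(SECTION_HDR, b".text", len(text), 0x1000, len(text), raw, 0, 0, 0, 0, flags)
    hdrs += struct.pack(SECTION_HDR, b".crypt", len(crypt), 0x2000, len(crypt), raw + len(text), 0, 0, 0, 0, flags)
    return dos + coff + hdrs + text + crypt

if __name__ == "__main__":
    image = build_sample_pe()
    for name, flags, data in parse_sections(image):
        print(f"{name:8s} executable={bool(flags & IMAGE_SCN_MEM_EXECUTE)} entropy={shannon_entropy(data):.2f}")
    print("likely encrypted code sections:", suspicious_code_sections(image))   # ['.crypt']
```

On a real binary, pass the file's bytes to suspicious_code_sections; a hit on a section that also fails to disassemble is the symptom the article describes.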
## HACKING, TOOLS and FUN – CHECK BELOW!
Description: Zero-day in Sign in with Apple.
Description: How I made $31500 by submitting a bug to Facebook.