Security Stack Sheet #97

Word of the Week

“We still don’t care enough about security”

With many of us stuck at home, a pandemic like COVID-19 is an apt opportunity for attackers to strike. Yet even with security in the headlines every week, the average consumer still doesn’t care about it as much as they should. Why is that? In a word, convenience.

Take Zoom. Remember the few days when almost every outlet reported on Zoom’s many security issues? Governments and tech giants publicly banned employees from using the software. Yet there has been no slowdown in Zoom meetings; even the media platforms that reported on those issues continue to use it publicly. In times like these convenience matters, particularly where technology is involved.

In Zoom’s case, the convenience it offers far outweighs the downsides for the average user. When you are trying to make a living in the middle of a global pandemic, you want technology to make things easier, not harder.

But this isn’t unique to Zoom or to COVID-19. Microsoft Teams, a Zoom competitor, had a flaw through which company data could have been stolen by sending a single GIF. One might think news of that nature would make users tread more carefully online. Unfortunately, it doesn’t.

Cybersecurity has long been a public concern, and cybercrime has been rising for years. A 2019 Accenture report put a whopping $5.2 trillion of global value at risk from cyberattacks over the following five years. So why are we still lagging in addressing it? It’s part ignorance, part lack of awareness, and part cost.


Cybersecurity is a luxury many small companies can’t afford

Links HERE and HERE and HERE and HERE

Word of the Week Special

“Abandoned Apps”

They May Pose Security Risk to Mobile Devices

Link HERE

AND

2020 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT


Numbers:


Link HERE

Bonus

“Sherlocked”

Amazon is very hard to predict; AWS is surprisingly predictable. Companies get sherlocked by AWS largely because they’re trying to build a better AWS, which is fundamentally a losing proposition unless you’re basically Microsoft Azure and nobody else.

Link HERE


Link HERE


Link HERE

Covid 19 apps privacy and security issues


Plus Apple on the same


Thanks to Naz

Crypto challenge of the week


Link HERE

Hacky Easter Archive

Link HERE

Dates

  • May 25th 2018: almost two years of GDPR live! See the incidents section below; GDPR Enforcement Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 is the minimum for proper security; HTTPS everywhere HERE
  • DO NOT DELAY the TLS 1.2 migration BEYOND JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office 365, Cisco and many others]
  • January 2020 – Qualys SSL Labs caps a setup that still offers TLS 1.0 at grade B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • 1st of July 2020 – Freedom from viruses?
  • November 3rd 2020: Trump’s second term start

Comic Strip of the Day: One may smile, and smile The Daily Cartoonist

  • 2022 – First trip to Mars according to Elon Musk

Elon Musk, SpaceX, and Tesla inspire new comic book series ...

Link HERE and comic HERE

  • 2023 – 3DES is deprecated for all new applications, and its use is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Secure, Resilient, and Agile Software Development


With a detailed look at Agile and Scrum software development methodologies, this book explains how security controls need to change in light of an entirely new paradigm for how software is developed. It focuses on ways to educate everyone who has a hand in any software development project with appropriate and practical skills to Build Security In. After covering foundational principles for secure application design, the book dives into concepts, techniques, and design goals to meet well-understood acceptance criteria on the features an application must implement. It also explains how the design sprint is adapted for proper consideration of security, as well as defensive programming techniques. The book concludes with a look at white box application analysis and sprint-based activities to improve the security and quality of software under development.

Link HERE

Comic of the week

Should Have Done It Sooner - Dilbert by Scott Adams

##Some OWASP stuff first

-OWASP for Data Engineers

Wait.. what? Isn’t OWASP something to do with web applications? That was my first reaction too when, some years ago, I was asked to do an “OWASP top 10 analysis” on a project that had nothing at all to do with web applications. At the time I was able to steer the conversation in more fruitful and useful directions, but the thought stuck with me: is the OWASP “top 10” a useful framework for thinking about security in Data Engineering?

Link HERE

-The Abridged History of Application Security – Jim Manico

Link HERE

-[The Red Team Guide] Chapter 1: Red Teaming and Red Teams Overview

What is Red Team, and where did it come from?

The origins of the Red Team are military. It was realised that, to defend better, there was a need to attack your own defences to find weak points that could then be shored up. This morphed into “War Games”, where the defenders or friendly forces were denoted BLUE and the opposing forces RED.

Link HERE

-Six musts for building secure software

1 — Follow a secure code review process

2 — Choose the right libraries and frameworks

3 — Shield your database

4 — Encode and escape to block Cross-Site Scripting (XSS) attacks

5 — Validate input

6 — Protect your users

Link HERE

-Preventing XSS in React (Part 2): dangerouslySetInnerHTML

Link HERE
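Musts 3 to 5 above (shield the database, encode/escape, validate input) and the React article come down to the same rule: never put untrusted data into a context without encoding it for that context. In React, JSX interpolation already does the HTML-body encoding for you; the two places that bypass it are dangerouslySetInnerHTML and attribute values such as href, where a javascript: URL runs without any angle brackets at all. The block below is an added example written for this newsletter, not code from the linked articles: it shows the raw string-building that innerHTML/dangerouslySetInnerHTML amounts to, and the hardened version with an allowlist validator, an HTML encoder and a URL-scheme check. The comment record and its fields are made up for the demo.

```javascript
// Added example (not from the linked articles). Three encodings that most
// front-end injection bugs reduce to, plus the vulnerable rendering for contrast.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML body / attribute-value encoding: the five characters that can break out
// of a text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Allowlist validation: the input must look like what we expect,
// not merely lack '<'. (Format is an assumption for the demo.)
function validateUsername(value) {
  return /^[a-z0-9_]{3,32}$/i.test(String(value));
}

// href/src values: only http(s), root-relative paths and fragments survive.
// javascript:, data:, vbscript: and protocol-relative //host are refused, even
// when padded with whitespace or control characters to dodge a naive check.
function safeUrl(value) {
  const compact = String(value).replace(/[\s\u0000-\u001f]/g, '');
  return /^(?:https?:\/\/|\/(?!\/)|#)/i.test(compact) ? compact : 'about:blank';
}

// "Before": what innerHTML / dangerouslySetInnerHTML with raw input amounts to.
function renderCommentUnsafe(comment) {
  return `<div class="c"><a href="${comment.site}">${comment.user}</a>: ${comment.body}</div>`;
}

// "After": every interpolation is encoded for the context it lands in.
function renderCommentSafe(comment) {
  if (!validateUsername(comment.user)) throw new Error('invalid username');
  const href = escapeHtml(safeUrl(comment.site));
  return `<div class="c"><a href="${href}">${escapeHtml(comment.user)}</a>: ${escapeHtml(comment.body)}</div>`;
}

// Constructed hostile input: a javascript: link plus an event-handler payload.
const EVIL_COMMENT = {
  user: 'mallory',
  site: 'javascript:alert(document.cookie)',
  body: '<img src=x onerror="alert(1)">',
};
```

Note that escapeHtml alone would not have saved the href: the javascript: URL contains none of the five special characters, which is why attribute values that are URLs need the scheme check as a separate step.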

-How to Hide Secrets in Strings— Modern Text hiding in JavaScript

Sometimes the best hiding place is the one that’s in plain sight

All Hallows’ Eve — Illustrated by Kaiseir

Link HERE
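The “plain sight” hiding place most of these tricks rely on is Unicode’s zero-width characters: they render as nothing, survive copy and paste, and most text fields do not strip them. The block below is an added example for this newsletter, not the article’s own code, and the bit-per-character scheme (zero width space for 0, zero width non-joiner for 1, zero width joiner as delimiter) is an assumption made here. The defensive half matters as much as the offensive one: strip these characters from anything untrusted that a user might copy and run or that you compare against an allowlist, because “admin” and “ad\u200bmin” look identical on screen.

```javascript
// Added example (not from the linked article): hide a UTF-8 secret inside
// visible text with zero-width characters, recover it, and strip it.
const ZERO = '\u200b'; // zero width space      -> bit 0   (assumed encoding)
const ONE = '\u200c';  // zero width non-joiner -> bit 1
const SEP = '\u200d';  // zero width joiner marks start and end of the payload

// Encode the secret as bits, map bits to invisible characters and splice the
// result in after the first word so the cover text still reads naturally.
function hide(cover, secret) {
  const bits = Array.from(Buffer.from(secret, 'utf8'))
    .map((b) => b.toString(2).padStart(8, '0'))
    .join('');
  const payload = SEP + bits.replace(/0/g, ZERO).replace(/1/g, ONE) + SEP;
  const cut = cover.indexOf(' ');
  return cut === -1 ? cover + payload : cover.slice(0, cut) + payload + cover.slice(cut);
}

// Find the delimited run of invisible characters and turn it back into bytes.
function reveal(text) {
  const m = new RegExp(`${SEP}([${ZERO}${ONE}]*)${SEP}`).exec(text);
  if (!m) return null;
  const bits = m[1].split('').map((c) => (c === ONE ? '1' : '0')).join('');
  const bytes = (bits.match(/.{8}/g) || []).map((b) => parseInt(b, 2));
  return Buffer.from(bytes).toString('utf8');
}

// Defensive counterpart: remove the common zero-width/format characters from
// untrusted input before displaying, comparing or executing it.
function strip(text) {
  return text.replace(/[\u200b\u200c\u200d\u2060\ufeff]/g, '');
}

// Constructed demo input.
const COVER = 'Meeting moved to 3pm, bring the report';
const SECRET = 'pwd:hunter2';
```

Running hide(COVER, SECRET) yields a string that prints exactly like COVER but is 90 code units longer; reveal() recovers SECRET from it and strip() returns COVER.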

 

Events

OWASP events HERE


Link HERE and Youtube presentations HERE


Link HERE

BSidesSLC 2020 – Carlota Sage’s ‘$how Me The Money! (Getting Business Buy-in)’

Link HERE

Conquering the Authentication Challenge of Zero Trust

As an organization’s hybrid-cloud environment continues to expand far beyond its direct control, a zero-trust model is becoming mandatory. This higher level of digital security changes identity verification from a one-time event to a model in which nothing that consumes protected information is trusted by default.

Link HERE

AWS Online Summit 17th June


Link HERE

 

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


Multiple Vulnerabilities identified by Cisco in their ASA and FTD software and routers

Cisco have this week updated an advisory regarding vulnerabilities with their Adaptive Security Appliance (ASA) Software and Firepower Threat Defence (FTD) Software.

The vulnerability could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system.

Remote workers targeted by Office 365 phishing scam

Cyber criminals have been targeting remote workers with a phishing attack that seeks to steal user credentials.

The scam sees attackers send staff an email pretending to be from their organisation’s IT department. It requests users update the VPN configuration used to access the company network while working from home

Major VMware server vulnerability detected

A major VMware code injection vulnerability that left private clouds exposed to malicious actors has been discovered.

Ethical hacking specialists at Citadelo discovered the flaw in April and have highlighted that the vulnerability could have been exploited to achieve code execution and take over private clouds.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 6: Vulnerabilities in Sign in with Apple, Qatar’s COVID19 app, GitLab

We have three API vulnerabilities in:

  • Apple’s Sign in with Apple authentication endpoint
  • Qatar’s COVID-19 tracking app
  • GitLab’s Repository Files API

In addition, there’s also a new Burp plugin that automatically handles authentication tokens in API calls

Link HERE

Incidents & events detail

Signal to move away from using phone numbers as user IDs

Signal launches profile PINs, the first step in supporting Signal user accounts that are not tied to phone numbers

Link HERE – thanks to Marc

StrandHogg 2.0 – The ‘evil twin’

New Android Vulnerability Even More Dangerous, With Attacks More Difficult to Detect Than Predecessor


Link HERE

Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers

Link HERE – thanks to Jachar

eBay is port scanning your laptop, bypassing your firewall from your browser

Link HERE – thanks to Sezer

Zero-day in Sign in with Apple


A highly critical #vulnerability affecting Apple’s ‘Sign in with Apple’ feature could have let attackers hack into anyone’s account on 3rd-party service or apps.

For this vulnerability, I was paid $100,000 by Apple under their Apple Security Bounty program

Link HERE

Hacker steals $1,200 worth of Ethereum in under 100 seconds

Malicious bots are scanning GitHub uploads for private crypto keys and seed phrases

Link HERE
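The bots get there in seconds because the scan is cheap: a handful of regular expressions over every pushed file. The same scan belongs in your pre-commit hook, where it costs nothing and runs before the push. The block below is an added example for this newsletter, not code from the linked report; the patterns (a 64-hex Ethereum private key, a run of 12 to 24 lowercase dictionary-length words that looks like a BIP39 seed phrase) and the sample .env contents are constructed here. The hex pattern will also flag SHA-256 digests; that is a false positive real scanners live with, and the distinct-digit check only weeds out obvious all-zero test values.

```javascript
// Added example (not from the linked article): the pattern scan a GitHub-watching
// bot, or a pre-commit hook, runs over text. Patterns are assumptions for the demo.
const PATTERNS = [
  // 32-byte key as hex, with or without 0x
  { name: 'ethereum-private-key', re: /\b(?:0x)?[0-9a-fA-F]{64}\b/g },
  // 12 to 24 lowercase words of BIP39-like length separated by single spaces
  { name: 'bip39-seed-phrase', re: /\b(?:[a-z]{3,8} ){11}(?:[a-z]{3,8} ){0,12}[a-z]{3,8}\b/g },
];

// Returns one finding per match with the 1-based line number and a short preview;
// the full secret is deliberately not copied into the report.
function scanForSecrets(text) {
  const findings = [];
  text.split('\n').forEach((line, index) => {
    for (const { name, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        const hit = m[0];
        if (name === 'ethereum-private-key') {
          // all-zero / repeated-digit placeholders are not worth an alert
          const distinct = new Set(hit.replace(/^0x/i, '').toLowerCase()).size;
          if (distinct < 10) continue;
        }
        findings.push({ line: index + 1, type: name, preview: hit.slice(0, 12) + '...' });
      }
    }
  });
  return findings;
}

// Constructed sample file: a deploy config somebody is about to commit.
// None of these values are real credentials.
const SAMPLE_ENV = [
  '# deploy config (constructed sample, not real credentials)',
  'ETH_PRIVATE_KEY=0xa1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90',
  '# recovery: abandon ability able about above absent absorb abstract absurd abuse access accident',
  'RPC_URL=https://rpc.example/v1',
  'TEST_KEY=0x0000000000000000000000000000000000000000000000000000000000000000',
].join('\n');
```

On SAMPLE_ENV the scan reports the key on line 2 and the seed phrase on line 3 and ignores the all-zero placeholder on line 5; a hook would exit non-zero when findings is non-empty.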

Reverse Engineering a 5G ‘Bioshield’

Link HERE – thanks to Naz

NSA Announces Sandworm Actors Exploiting Exim MTA Vulnerability (CVE-2019-10149)

Link HERE

Large Scale WordPress Attack Campaign

Between May 29 and May 31, attackers tried to steal configuration files from more than 1.3 million WordPress websites. The attackers exploited known vulnerabilities in unpatched WordPress plugins and themes. Researchers at Wordfence detected and blocked more than 130 million attempted attacks targeting the sites.
[Neely]
WordPress continues to be a popular target for exploitation. Mitigate the risks by ensuring that you’ve enabled WordPress core auto-updates. If you don’t have a plugin that watches and updates plugins and themes automatically, you can enable those updates by adding a filter as per the WordPress Automatic Updates configuration page (wordpress.org: Configuring Automatic Background Updates). WordPress 5.5, when released, makes this easier to enable. Also, even with automatic updates, monitor your site to ensure it is updated and secure

Link HERE

The ransomware that attacks you from inside a virtual machine

SophosLabs published details of a sophisticated new ransomware attack that takes the popular tactic of “living off the land” to a new level.

To ensure their 49 kB Ragnar Locker ransomware ran undisturbed, the crooks behind the attack brought along a 280 MB Windows XP virtual machine to run it in (and a copy of Oracle VirtualBox to run that).

It’s almost funny, but it’s no joke

Link HERE

Hacking Privacy #5.20: Encryption Backdoors in the Name of National Security

Link HERE


Link HERE

Zoom Explains Why End-to-End Encryption is for Paying Customers Only

Zoom says that its end-to-end encryption will be available to paying customers only because it will be easier for the company to comply with FBI requests for access to communications data. A Zoom spokesperson said “We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”
[Pescatore]
Zoom first has to get end-to-end encryption working before we spend much time on whether it should be part of a free offering. Other teleconferencing apps that do include end-to-end encryption on free services get revenue by collecting user information as part of offerings to advertisers – a major privacy issue. Others don’t offer it for free either, or only upon submission of a request to support. Businesses evaluating competing offerings should make overall security management tools and security of the application software (especially the client-side agents) more highly weighted criteria than end-to-end encryption for this kind of application.
[Neely]
When considering end-to-end encryption for video conferencing, understand both your data protection requirements and what the given solution provides. Know what and where content is not encrypted. For example, voice traffic over the PSTN is not encrypted until it reaches the entry point for the service. Also, understand who is managing the keys and who can access them. Lastly, look at any tradeoffs of using end-to-end encryption. The key exchange process may disable or impede functions you utilize, such as joining before the meeting host. Beyond encryption, make sure that you also have the other meeting security settings properly configured

Link HERE and Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution HERE

Wallpaper crash explained: Here’s how a simple image can soft-brick phones

Link HERE

Research of the week

Featuring – When it’s not only about a Kubernetes CVE…

A Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master’s host network (such as link-local or loopback services).

Link HERE
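The reason a CVE like this is “not only about a Kubernetes CVE” is that the pattern is generic: any component that fetches a URL a lower-privileged user supplied is a proxy into whatever network it runs on, and on a control-plane node that network includes loopback services and the cloud metadata endpoint on 169.254.169.254. The check below is an added example written for this newsletter, not the Kubernetes project’s fix; it shows what a controller should do before following any user-controlled endpoint. The blocked ranges and internal names are assumptions, and the hostname branch deliberately refuses to decide: a name must be resolved and every resulting address re-checked with the same rules (with the connection pinned to that address), which is out of scope here.

```javascript
// Added example (not Kubernetes code): refuse URLs that would make a server-side
// fetch reach loopback, link-local, private or multicast addresses.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not a literal address.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Ranges a controller should never be coerced into talking to (assumed list).
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// The WHATWG URL parser normalises decimal, octal and hex host forms
// (http://2130706433/ becomes 127.0.0.1), so the range check sees the real address.
function isSafeTarget(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return { ok: false, reason: 'unparseable' }; }
  if (!['http:', 'https:'].includes(url.protocol)) return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname.toLowerCase();

  if (host.startsWith('[')) { // IPv6 literal; Node keeps the brackets in hostname
    const v6 = host.slice(1, -1);
    const local = v6 === '::1' || v6 === '::' || v6.startsWith('fe80:') ||
      v6.startsWith('fc') || v6.startsWith('fd') || v6.startsWith('::ffff:');
    return local ? { ok: false, reason: 'ipv6 non-global' } : { ok: true };
  }
  if (host === 'localhost' || host.endsWith('.localhost') ||
      host === 'metadata' || host.endsWith('.internal')) {
    return { ok: false, reason: 'internal name' };
  }
  const ip = parseIPv4(host);
  if (ip === null) {
    // Names need resolve-then-recheck with connection pinning; not done here.
    return { ok: false, reason: 'hostname requires resolve-and-recheck' };
  }
  for (const [base, bits] of BLOCKED_V4) {
    if (inCidr(ip, base, bits)) return { ok: false, reason: `blocked range ${base}/${bits}` };
  }
  return { ok: true };
}
```

Note that the check must be applied again after every redirect, since a public host that 302s to http://169.254.169.254/ defeats a check done only on the first URL.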

Cyberthreat Defense Report 2020


Link HERE

A Computer Spying Method You’ve Probably Never Heard Of

What if someone just around a corner could see what you’re looking at on your computer screen without using a physical or wireless connection and without ever being in your system? It sounds like fiction, and it sounds scary, but it’s based in reality, and it’s been around a long time.

The process is called Van Eck phreaking. Ever heard of it? Not many people have. Van Eck phreaking is the detection of electromagnetic emissions used to spy on what is displayed on a CRT (cathode ray tube) or LCD (liquid-crystal display) monitor as well as the inputs coming from a computer keyboard, a printer, or some other electronic device

Link HERE

What every software engineer should know about OAuth 2.0

  • How OAuth 2.0 works
  • How an application gets an access token
  • How SPA and web server applications deal with OAuth
  • Types of access token and their validation

Link HERE

Monitoring Maturity Model for IT Operations

Level 1: individual component monitoring

Level 2: in-depth monitoring

Level 3: next-gen monitoring

Level 4: artificial intelligence

The Input-Output Diagram


Link HERE

Analysis of a VBS Malware Dropper

Recently, I was willingly forwarded a phishing email (for science!) which contained a ZIP attachment, requesting the recipient to update their contact information…

Link HERE

An Architectural Risk Analysis of Machine Learning Systems

We are interested in “building security in” to machine learning (ML) systems from a security engineering perspective. This means understanding how ML systems are designed for security, teasing out possible security engineering risks, and making such risks explicit.

We present a basic ARA of a generic ML system, guided by an understanding of standard ML system components and their interactions

Link HERE

Remember: Digital Identity: Call for Evidence and the future of Gov.uk Verify

We want to gather insights and evidence into how government can support improvements in identity verification and support the development and secure use of digital identities and ensure that the potential benefits of this approach are open to all. The evidence we receive will be used to inform policy making and government priorities


Links HERE and HERE and HERE and responses HERE and HERE and HERE and HERE and HERE and HERE – thanks to Klaus-Michael

Tool of the week

Starboard: The Kubernetes-Native Toolkit for Unifying Security

Starboard integrates existing Kubernetes security tools, not just from Aqua but also from third-party projects, into the Kubernetes experience. This video shows how Starboard lets results from vulnerability scanners, workload auditors, and configuration benchmark tests be stored in Kubernetes CRDs (Custom Resource Definitions) and, from there, accessed through the Kubernetes API. Users familiar with kubectl or with a dashboard tool like Octant can find security risk information at their fingertips.

Links HERE and HERE and the wrong questions about Docker and Kubernetes HERE

Using Hydra to Spray User Passwords

How attackers bypass account lockout when brute-forcing passwords

Link HERE
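Spraying beats lockout by inverting the loop: one password against many accounts, then wait, then the next password, so no single account ever sees enough failures to trip the threshold. That also tells you how to detect it: count distinct accounts failing from one source in a window, not failures per account. The block below is an added example for this newsletter, not part of the linked write-up; the log format (timestamp, src=, user=, result=) and the sample lines are constructed, and the thresholds are assumptions to tune against your own baseline.

```javascript
// Added example (not from the linked article): password-spray detection over
// constructed authentication-failure log lines.

// Assumed log format: "<ISO timestamp> src=<ip> user=<name> result=fail|ok".
function parseLine(line) {
  const m = /^(\S+) src=(\S+) user=(\S+) result=(\S+)$/.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), src: m[2], user: m[3].toLowerCase(), ok: m[4] === 'ok' };
}

// Per source IP, slide a window over its failures and alert when the window
// holds many DISTINCT accounts but few attempts against any one of them:
// that shape is a spray, whereas many attempts on one account is a brute force
// the lockout already handles.
function detectSpray(logText, opts = {}) {
  const windowMs = (opts.windowSec || 600) * 1000;
  const minAccounts = opts.minAccounts || 5;
  const maxPerAccount = opts.maxPerAccount || 3;

  const failures = logText.split('\n').map(parseLine)
    .filter((e) => e && !e.ok)
    .sort((a, b) => a.ts - b.ts);

  const bySrc = new Map();
  for (const e of failures) {
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push(e);
  }

  const alerts = [];
  for (const [src, evs] of bySrc) {
    let best = null;
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].ts - evs[start].ts > windowMs) start++;
      const perUser = new Map();
      for (let i = start; i <= end; i++) perUser.set(evs[i].user, (perUser.get(evs[i].user) || 0) + 1);
      const busiest = Math.max(...perUser.values());
      if (perUser.size >= minAccounts && busiest <= maxPerAccount &&
          (!best || perUser.size > best.accounts)) {
        best = {
          src, accounts: perUser.size, attempts: end - start + 1,
          from: new Date(evs[start].ts).toISOString(), to: new Date(evs[end].ts).toISOString(),
        };
      }
    }
    if (best) alerts.push(best);
  }
  return alerts;
}

// Constructed sample: a user who mistypes once, a spray from 203.0.113.9
// (one try per account, well under any lockout), and a brute force on "admin".
const SAMPLE_LOG = [
  '2020-06-01T09:00:00Z src=10.0.0.5 user=alice result=fail',
  '2020-06-01T09:00:07Z src=10.0.0.5 user=alice result=ok',
  '2020-06-01T09:10:00Z src=203.0.113.9 user=alice result=fail',
  '2020-06-01T09:10:20Z src=203.0.113.9 user=bob result=fail',
  '2020-06-01T09:10:40Z src=203.0.113.9 user=carol result=fail',
  '2020-06-01T09:11:00Z src=203.0.113.9 user=dave result=fail',
  '2020-06-01T09:11:20Z src=203.0.113.9 user=erin result=fail',
  '2020-06-01T09:11:40Z src=203.0.113.9 user=frank result=fail',
  '2020-06-01T09:20:00Z src=198.51.100.7 user=admin result=fail',
  '2020-06-01T09:20:05Z src=198.51.100.7 user=admin result=fail',
  '2020-06-01T09:20:10Z src=198.51.100.7 user=admin result=fail',
  '2020-06-01T09:20:15Z src=198.51.100.7 user=admin result=fail',
  '2020-06-01T09:20:20Z src=198.51.100.7 user=admin result=fail',
  '2020-06-01T09:20:25Z src=198.51.100.7 user=admin result=fail',
].join('\n');
```

Against SAMPLE_LOG only 203.0.113.9 is reported (6 accounts, 6 attempts in 100 seconds). Keying on source IP is the first cut; sprays that rotate through proxy pools need the same count keyed on user-agent or on the target tenant instead.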

Actionable intelligence sources mindmap

Link HERE

Draw.io libraries for threat modeling diagrams

Example Data Flow Diagram

Link HERE and Scaling up threat modelling HERE and Threat Model Thursday: BIML Machine Learning Risk Framework HERE

 

Using CloudFront to secure your web applications

Link HERE

NoPE Proxy

Link HERE

Free for Devs

Link HERE

Other interesting articles 

##Cloudflare Has a Plan to Change Everything About Cloud Security

It wants to replace corporate VPNs and firewalls with its own networks. That could make it even more of an internet gatekeeper

Link HERE

 

##Remember: Detecting webshells for fun and profit

“My web server is acting up strange, could you take a look?”

Link HERE

 

##Backing Up With Borg

Back up, compress, and encrypt your files

Link HERE

 

##Guardrails on Github

The term “guardrails” has become very popular in the realm of cloud security lately. If you listened to the Masters of Data Podcast I was on today with Jadee Hanson, George Gerchow, and Ben Newton, you might have heard the term mentioned in conjunction with DevSecOps and automation on cloud platforms. The idea is that you allow people to keep moving forward in their work but set up a mechanism to prevent them from taking unwanted actions as they go.

Link HERE

##And finally, Reverse Engineering Encrypted Code Segments

While working on a reverse engineering project, I came across a binary that appeared to be malformed since it couldn’t be disassembled, but when running the executable, it worked. After researching for a bit I was able to discover that parts of the executable were encrypted. What does it mean to encrypt a code segment and why would anyone want to attempt to reverse engineer such a thing?! Well, let’s take a dive into a Windows PE (Portable Executable) file as an example and look into what segments make up a PE program.

Windows uses a page-based virtual memory system, and having a large code section is easier to maintain on the operating system side of things. Paging is a memory management scheme that eliminates the need for adjacent allocation of physical memory. A physical or virtual memory address is generated by the CPU. An example would be if a Logical Address = 31 bit, then that Logical Address Space = 2³¹ words = 2 G words (1 G = 2³⁰). The mapping from virtual/logical to physical address is done by the Memory Management Unit (MMU) and this mapping is known as paging.

Link HERE
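The first thing an analyst does with a binary like the one described above is walk the PE section table and ask which executable sections look like code and which look like ciphertext, since an encrypted .text will not disassemble but will have near-maximal byte entropy. The block below is an added example for this newsletter, not code from the linked article: it parses the section headers from the file on disk (PointerToRawData, not the virtual addresses the paging discussion is about; those are what you would walk on a loaded image), computes Shannon entropy per executable section, and flags anything above a threshold. The “image” it parses is a constructed header stub with two fake sections, not a real executable, and the 7.0 threshold is an assumption; real x86 code usually sits around 6.

```javascript
// Added example (not from the linked article): PE section table walk plus
// per-section entropy to spot encrypted or packed code. Constructed stub image.
const IMAGE_SCN_MEM_EXECUTE = 0x20000000;

// Build a minimal PE header stub: DOS stub with e_lfanew, "PE\0\0", a COFF header
// with two sections and no optional header, then the two sections' raw bytes.
function buildStubPe() {
  const buf = Buffer.alloc(0x400);
  buf.write('MZ', 0, 'ascii');
  buf.writeUInt32LE(0x40, 0x3c);           // e_lfanew: PE header lives at 0x40
  buf.write('PE', 0x40, 'ascii');          // signature "PE\0\0" (buffer is zeroed)
  buf.writeUInt16LE(0x14c, 0x44);          // Machine: i386
  buf.writeUInt16LE(2, 0x46);              // NumberOfSections
  buf.writeUInt16LE(0, 0x54);              // SizeOfOptionalHeader: none in this stub
  const sections = [ // name, VirtualAddress, raw size, PointerToRawData, Characteristics
    ['.text', 0x1000, 0x100, 0x100, 0x60000020],  // CODE | MEM_EXECUTE | MEM_READ
    ['.xcode', 0x2000, 0x200, 0x200, 0x60000020], // the "encrypted" code section
  ];
  let off = 0x40 + 24;                      // section headers follow the COFF header
  for (const [name, va, size, ptr, ch] of sections) {
    buf.write(name, off, 'ascii');          // 8-byte name, zero padded
    buf.writeUInt32LE(size, off + 8);       // VirtualSize
    buf.writeUInt32LE(va, off + 12);        // VirtualAddress
    buf.writeUInt32LE(size, off + 16);      // SizeOfRawData
    buf.writeUInt32LE(ptr, off + 20);       // PointerToRawData
    buf.writeUInt32LE(ch, off + 36);        // Characteristics
    off += 40;
  }
  // .text: a repeated x86-looking prologue/epilogue (low entropy, 8 distinct bytes)
  const pattern = [0x55, 0x8b, 0xec, 0x33, 0xc0, 0x5d, 0xc3, 0x90];
  for (let i = 0; i < 0x100; i++) buf[0x100 + i] = pattern[i % pattern.length];
  // .xcode: LCG output standing in for ciphertext (high entropy, deterministic)
  let x = 0x1234567;
  for (let i = 0; i < 0x200; i++) {
    x = (Math.imul(x, 1103515245) + 12345) >>> 0;
    buf[0x200 + i] = (x >>> 16) & 0xff;
  }
  return buf;
}

// Walk the section table of a PE file image (on-disk layout).
function parseSections(buf) {
  if (buf.toString('ascii', 0, 2) !== 'MZ') throw new Error('not a DOS/PE image');
  const pe = buf.readUInt32LE(0x3c);
  if (buf.toString('ascii', pe, pe + 4) !== 'PE\0\0') throw new Error('bad PE signature');
  const count = buf.readUInt16LE(pe + 6);
  const optSize = buf.readUInt16LE(pe + 20);
  let off = pe + 24 + optSize;
  const out = [];
  for (let i = 0; i < count; i++, off += 40) {
    if (off + 40 > buf.length) throw new Error('section table truncated');
    const name = buf.toString('ascii', off, off + 8).replace(/\0+$/, '');
    const rawSize = buf.readUInt32LE(off + 16);
    const rawPtr = buf.readUInt32LE(off + 20);
    const characteristics = buf.readUInt32LE(off + 36);
    out.push({ name, rawPtr, rawSize, characteristics, data: buf.subarray(rawPtr, rawPtr + rawSize) });
  }
  return out;
}

// Shannon entropy in bits per byte: 0 for a constant, 8 for uniform random.
function entropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) if (c) { const p = c / bytes.length; h -= p * Math.log2(p); }
  return h;
}

// Executable sections whose bytes look like ciphertext are the ones to unpack first.
function findEncryptedCode(buf, threshold = 7.0) {
  return parseSections(buf)
    .filter((s) => (s.characteristics & IMAGE_SCN_MEM_EXECUTE) !== 0)
    .map((s) => ({ name: s.name, entropy: entropy(s.data), suspicious: entropy(s.data) > threshold }));
}
```

On the stub, .text scores exactly 3.0 bits (eight equally frequent byte values) and .xcode lands in the 7s, so only .xcode is flagged; a packer that leaves a small plaintext stub to decrypt the rest shows up as one low-entropy executable section next to one high-entropy one, which is the signature to look for.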

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/

Description: Zero-day in Sign in with Apple.

URL: https://medium.com/@win3zz/how-i-made-31500-by-submitting-a-bug-to-facebook-d31bb046e204

Description: How I made $31500 by submitting a bug to Facebook.

Links HERE and credits to HERE

 

 
