Word of the Week
“The new normal” as cyber-spies navigate pandemic
The Covid crisis has reshaped the cyber-threat landscape around the globe.
Intelligence analysts say some of the normally less active states have begun using cyber-espionage more aggressively and they have seen allies target each other for information for the first time. “It’s a free-for-all out there – and with good reason – you don’t want to be the intelligence agency that doesn’t have a good answer for what’s going on,” says John Hultquist, director of threat analysis at Mandiant.
Home workers are regarded as particularly vulnerable to cyber attacks
Thanks to Mithun
Crypto challenge of the week
Hacky Easter Archive
[Browsers, Office365, Cisco and many others]
Book of the month
Learn Security Engineering
Security engineering, to me, is the discipline of building secure systems. Ultimately, I hope to learn how to systematically secure anything — whether it’s a computer network or medieval castle.
I tried for several years to read Ross Anderson’s book, and eventually I realized it wasn’t structured correctly for me. This learning path is, and hopefully it is for you, too.
Comic of the week
## Some OWASP stuff first
- Open Web Application Security Project (OWASP) – Portland, Oregon Chapter
Mike Goodwin and Jon Gadsden – Threat Dragon is for Threat Modelling. Come Help Build It!
- The State of Secure Software: Past, Present, and Future
- Injection Theory from OWASP
Injection can be complex. The subtleties of data flow, parsers, contexts, capabilities, and escaping are overwhelming even for security specialists. In the following sections we will outline these topics to make it clear how injection can happen in a variety of different technologies.
- OWASP Juice Shop intro by Bjorn Kimminich
- SAST 101: The Basics of Static Application Security Testing
- Hash Spraying Attack
As soon as you get your hands on some hashes on a machine, consider leveraging hash spraying to verify local administrator accounts on additional machines as well as high-value domain administrator accounts.
OWASP events HERE
AWS Online Summit 17th June
Link HERE – thanks to Kane
OWASP Virtual AppSec Days
Training: June 23-24
DevSecCon Online Event
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE – find your country
NCSC Weekly Threat Report
New HMRC text message phishing scam targets self-employed
IT services firm hit by Maze ransomware attack
APTs continue to exploit vulnerabilities in several VPN products used worldwide
API Security Issue 87 – Vulnerabilities in Digilocker, Facebook, VMware Cloud Director
Incidents & events detail
Babylon Health admits GP app suffered a data breach
Babylon Health has acknowledged that its GP video appointment app has suffered a data breach.
The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients’ consultations.
A follow-up check by Babylon revealed a small number of further UK users could also see others’ sessions.
The firm said it had since fixed the issue and notified regulators.
Fake Black Lives Matter voting campaign spreads Trickbot malware
Unsecured AWS S3 Buckets Infected With Skimmer Code
Analysts Find Fresh Magecart Code and Redirectors to Malvertising Campaign
HSBC moves from 65 relational databases into one global MongoDB database
HSBC Bank is one of the world’s leading financial institutions. It is simplifying its data model by running its applications on MongoDB.
Zoom discloses it took down US-based activists’ accounts at China’s behest, says it won’t enforce similar censorship requests going forward
Here’s what that Capital One court decision means for corporate cybersecurity
When a judge ruled last month that Capital One must provide outsiders with a third-party incident response report detailing the circumstances around the bank’s massive data breach, the cybersecurity world took notice.
AMD downplays Ryzen lifespan concerns over motherboard power misreporting
Persistence method using Facebook Messenger desktop app
Remember: Persisting on Pornhub
Gamaredon group grows its game
Active APT group adds cunning remote template injectors for Word and Excel documents; unique Outlook mass-mailing macro
Updated Specification Available for Universal Plug-and-Play Protocol Vulnerability
A flaw in the Universal Plug-and-Play Protocol (UPnP) protocol could be exploited to launch distributed denial-of-service (DDoS) attacks, exfiltrate data, and scan internal ports. Dubbed CallStranger by the researchers who created proof-of-concept exploit code, the issue affects billions of Internet of Things (IoT) devices. An updated specification is available.
The Impending Doom of Expiring Root CAs and Legacy Clients
Honda could be victim of ransomware cyber attack
Japanese car giant confirms IT issue, but evidence indicates cyber criminals have targeted the company.
Google Chrome team moving away from the words ‘blacklist’ and ‘whitelist’ to be more inclusive
Research of the week
Featuring – Availability Attacks against Neural Networks
Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN to burn more energy, take more time, or both. They affect a wide range of DNN applications, from image recognition to natural language processing (NLP). Adversaries might use these examples for all sorts of mischief — from draining mobile phone batteries, through degrading the machine-vision systems on which self-driving cars rely, to jamming cognitive radar.
So far, our most spectacular results are against NLP systems. By feeding them confusing inputs we can slow them down over 100 times. There are already examples in the real world where people pause or stumble when asked hard questions, but we now have a dependable method for generating such examples automatically and at scale. We can also neutralize the performance improvements of accelerators for computer vision tasks, and make them operate on their worst-case performance.
Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks
A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analysed. The paper also presents two general attack trees to provide a structured overview of techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.
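The review separates *injecting* a package into the dependency tree from *when* its code runs; the install-time hooks of npm and PyPI are the execution point defenders can check before anything runs. The following is an added example (not code from the paper or its dataset) that flags those hooks in a package.json and a setup.py; both manifests are constructed samples and the module/builtin lists are an assumed heuristic.

```python
"""Added example: flag install-time execution points in npm and PyPI packages.
The manifests below are constructed samples, not packages from the paper."""
import ast
import json

NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
RISKY_MODULES = {"os", "subprocess", "urllib", "socket", "base64"}   # assumed heuristic
RISKY_BUILTINS = {"exec", "eval", "compile", "__import__"}

def npm_install_hooks(package_json: str) -> dict:
    """Lifecycle scripts that npm runs automatically during installation."""
    scripts = json.loads(package_json).get("scripts", {})
    return {h: scripts[h] for h in NPM_INSTALL_HOOKS if h in scripts}

def setup_py_findings(source: str) -> list:
    """Constructs that let a PyPI package run code on install: a cmdclass
    override (custom install/develop command) and calls into process, network
    or dynamic-code APIs anywhere in the file, since a hook can reach them."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.append("cmdclass override")
        elif isinstance(node, ast.Call):
            name = ast.unparse(node.func)
            if name in RISKY_BUILTINS or name.split(".")[0] in RISKY_MODULES:
                findings.append(name)
    return findings

# Constructed npm manifest whose hook runs on every `npm install`.
PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node ./scripts/fetch.js"},
})

# Constructed setup.py that wraps the install command with its own code.
SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class HookedInstall(install):
    def run(self):
        subprocess.Popen(["sh", "-c", "echo placeholder"])
        install.run(self)

setup(name="example-pkg", version="0.1", cmdclass={"install": HookedInstall})
'''
```

A hit is a reason to read the hook, not proof of malice; legitimate native-module builds use the same mechanisms.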
Security Correlation Then and Now: A Sad Truth About SIEM
Web Applications vulnerabilities and threats: statistics for 2019
Vulnerabilities of various severity levels, by industry
The Bug That Exposed Your PayPal Password
And Credit Card Number Too
A survey of recent iOS kernel exploits
I recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here.
This post summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write. At the end of this post, we will briefly look at iOS kernel exploit mitigations (in both hardware and software) and how they map onto the techniques used in the exploits.
Security Analysis of the Democracy Live Online Voting System
Democracy Live’s OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and (optionally) online voting. Three states — Delaware, West Virginia, and New Jersey — recently announced that they will allow certain voters to cast votes online using OmniBallot, but, despite the well established risks of Internet voting, the system has never been the subject of a public, independent security review.
We reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to detail the system’s operation and analyse its security. We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare.
Remember: Actionable threat hunting in AWS
The focus is on the Preparation & Identification aspects of the SANS Incident Response framework.
Ebb and Flow: Network Flow Logging as a Staple of Public Cloud Visibility or a Waning Imperative?
Tool of the week
JWT Cracking Tool
“A toolkit for validating, forging and cracking JWTs”
Functionality includes: checking the validity of a token, testing for known exploits, testing the validity of a secret/key file/Public Key/JWKS key, identifying weak keys via a high-speed dictionary attack, forging new token header and payload contents and creating a new signature with the key, timestamp tampering, and more.
The tool wiki also includes a JWT Attack Playbook with excellent details on known types of JWT vulnerabilities/misconfigurations and a repeatable methodology for attacking them.
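The misconfigurations such a toolkit probes (accepting whatever `alg` the header names, weak HMAC secrets, tampered `exp`/`nbf` claims) are all decided on the verifying side. The following is an added example, not code from the tool or its wiki, of an HS256 verifier that pins the algorithm, compares the MAC in constant time, enforces the time claims and refuses short keys; the key size floor follows RFC 7518 §3.2, and the key and claims are constructed.

```python
"""Added example: a stdlib-only HS256 JWT issuer/verifier hardened against the
header-driven and timestamp attacks listed above. Key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

MIN_HS256_KEY_BYTES = 32  # RFC 7518 s.3.2: HMAC key at least the hash output size

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token; refuses keys a dictionary attack would recover quickly."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 key shorter than 256 bits")
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims or raise ValueError. The algorithm is pinned rather
    than read from the header, so 'none' and algorithm switching are rejected;
    exp/nbf are enforced so an edited timestamp cannot extend a token's life."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed: %r" % header.get("alg"))
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant time
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    return claims

def accepts(token: str, key: bytes, now: Optional[int] = None) -> bool:
    """Boolean wrapper around verify_hs256 for policy checks and tests."""
    try:
        verify_hs256(token, key, now)
        return True
    except ValueError:
        return False
```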
Remember: Automated pentest framework for offensive security experts
Sn1per v8.4 features a completely new active and passive vulnerability scanner called “Sc0pe”, which will serve as the backbone of Sn1per’s new vulnerability scan engine. The new framework will make it quick and easy to scan for the latest CVEs and web vulnerabilities, as well as open up a slew of possibilities for users to create and share their own exploits and scanners (submit your PRs!).
An open-source, user mode and kernel mode Windows debugger with a focus on using hardware technologies
Application security testing for GraphQL backed applications
CVE-2020-1206 Uninitialized Kernel Memory Read POC
Automating the provisioning of Active Directory labs in Azure
Other interesting articles
## Securing Your GraphQL API from Malicious Queries
With GraphQL you can query exactly what you want whenever you want. That is amazing for working with an API, but also has complex security implications. Instead of asking for legitimate, useful data, a malicious actor could submit an expensive, nested query to overload your server, database, network, or all of these…
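The cheapest defence against the nested-query overload described above is to measure a document's nesting depth before it reaches the resolvers. The following is an added example (not code from the article) of a depth check that skips braces inside strings and comments; the depth limit and the two sample queries are constructed.

```python
"""Added example: reject GraphQL documents whose selection sets nest deeper
than a policy limit. MAX_DEPTH and the sample queries are constructed."""

MAX_DEPTH = 4  # assumed policy: set it to the deepest query the schema legitimately needs

def query_depth(doc: str) -> int:
    """Maximum nesting depth of selection sets in a GraphQL document.
    Braces inside string literals, block strings and comments are skipped."""
    depth = deepest = 0
    i, n = 0, len(doc)
    while i < n:
        if doc.startswith('"""', i):            # block string
            end = doc.find('"""', i + 3)
            i = n if end < 0 else end + 3
        elif doc[i] == '"':                     # ordinary string, honouring escapes
            i += 1
            while i < n and doc[i] != '"':
                i += 2 if doc[i] == "\\" else 1
            i += 1
        elif doc[i] == "#":                     # comment runs to end of line
            while i < n and doc[i] != "\n":
                i += 1
        else:
            if doc[i] == "{":
                depth += 1
                deepest = max(deepest, depth)
            elif doc[i] == "}":
                depth -= 1
            i += 1
    return deepest

def check_query(doc: str, max_depth: int = MAX_DEPTH) -> tuple:
    """Return (accepted, depth). Fragment bodies are measured where they are
    defined, so a production limiter must also resolve fragment spreads on
    the parsed AST; this textual check is the first, cheapest gate."""
    d = query_depth(doc)
    return d <= max_depth, d

# Constructed samples: a normal lookup and a self-referencing chain.
SAFE_QUERY = '{ user(id: "42") { name posts { title } } }'
ABUSIVE_QUERY = "{ user { friends { friends { friends { friends { name } } } } } }"
```

Depth alone does not bound cost (a shallow query can still fan out over a wide list), so pair it with a per-field cost estimate and result pagination.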
## Why Do Developers (Sometimes) Wreak Chaos on Their Own Systems?
High-load systems should be able to withstand sudden failures. That’s where continuous resilience steps in.
## What Happened When I Leaked My Server Password on GitHub.com
I deployed a honeypot and ‘accidentally’ leaked a valid SSH username and password into a GitHub repository. This is what happened over the next 24 hours.
## Thoughts On Zero Trust
By Petko Petkov
I strongly believe that regardless of our level of technology and security maturity, every decision must be tested by removing all assumptions and thinking in terms of first principles. In other words, before we take an action we must test our assumptions first. Only then, once we face the ultimate and indisputable truth, are we safe to proceed.
## And finally, a tool for procedurally generated Chinese landscape painting
Procedurally-generated, vector-format, infinitely-scrolling Chinese landscape for the browser. Generate your own.
## HACKING, TOOLS and FUN – CHECK BELOW!
Description: Bypassing LastPass’s “Advanced” YubiKey MFA – A MITM Phishing Attack.
URL: https://bit.ly/30uw2et (+)
Description: Cmd Hijack – a command/argument confusion with path traversal in cmd.exe.