Security Stack Sheet #99

Word of the Week

“Virtual Human Layer” 13 lessons

  1. We must treat our employees with empathy and compassion.
  2. The secure thing to do should be the easiest thing to do.
  3. Detection and prevention alone aren’t enough.
  4. Executive teams must invest in security now.
  5. Email is the #1 threat vector.
  6. Security incidents are happening up to 38x more than IT leaders currently estimate.
  7. Phishing is still a big problem.
  8. Security policies don’t stick unless they’re continuously reinforced.
  9. …And policies aren’t effective unless they’re bolstered by technology.
  10. Security needs diversity to thrive.
  11. Remote working isn’t temporary.
  12. …And that doesn’t have to be a bad thing.
  13. The Secret? Adapt, adopt, evolve. Repeat.

Link HERE

Word of the Week Special

“Secure the Code, Prevent the Breach”

“Humans are the weakest link in the security chain” also applies to developers, most of whom are overworked and have to meet strict deadlines. This is where communication comes in. Talk to your developers, let them understand that security is here to help and not to make the work even harder, understand their concerns and try to work around them. Security works best when all concerned employees feel part of a team. Keep your employees happy and your company will thrive.

Data Breach Cartoons and Comics - funny pictures from CartoonStock

Link HERE

AND

Security Obscurity-7.19_Hiding from the Data Breach

‘Security Obscurity’ is a new sporadic, short-segment series that I am writing which will focus on sobering examples of practicing ‘security through obscurity’ which as a security engineer I come across more frequently than I’d like to admit in my job and in my research. May you find it as entertaining and enlightening as I did writing about it.

The saying “Ignorance is Bliss” is a blatant misnomer. I can see though, where some people might think it is true until something bad they weren’t aware of happens to them and then the bliss dissipates rather quickly… In the digital realm that cyberspace is, however, there are many, many bad actors [cybercriminals] lurking in the shadowy depths of the Internet just looking for dumbasses who either don’t know better, are too lazy, or are unwilling to take the necessary steps to protect their data. Don’t be a sheep…

In terms of cybersecurity, ignorance of all too common cyber threats can not only be dangerous, but it can also be downright devastating to a person or an organization.
Link HERE and HERE

Bonus


If you hang around 5 security people you will… be secure

Link HERE


I lost the link; you can find it on LinkedIn.


Link HERE – thanks to Andi

Marble Computer Chip


Link HERE


Link HERE


Link HERE

New Mac malware spreads disguised as Flash Player installer via Google search results


Link HERE


Link HERE

Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming

Link HERE

“Powerpoint is a sanctuary for those approaching a breakdown”

Thanks to Ben

Crypto challenge of the week


Link HERE

Hacky Easter Archive

Link HERE

Dates

  • May 25th 2018: Over 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 is mandatory for proper security – HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • 1st of July 2020 – Freedom from viruses?
  • November 3rd 2020: Trump’s second term start


  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • Flash End-of-Life is December 31, 2020
  • US Government Websites Will be Accessible Through HTTPS Only After September 1

Book of the month

“Gone are the days when it was acceptable for a piece of software to live in its own little silo, disconnected from the outside world. Today, services are expected to be available for programming, mixing, and building into new applications.

Understanding API Security is a selection of chapters from several Manning books that give you some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.”

Link HERE

Cybersecurity Law, Policy, and Institutions (version 3.0)

eCasebook “Cybersecurity Law, Policy, and Institutions,” on SSRN for free download. It’s a 137-page tour of the policy challenges, legal frameworks, and key actors, suitable for use in a course or independent study. Enjoy! 

Link HERE

Comic of the week

Two Bad Options - Dilbert by Scott Adams

## Some OWASP stuff first

-Preventing XSS in React (Part 3): escape hatches and component parsers

Link HERE

-OWASP Projects Panel

Link HERE

-OWASP SAMM User Day 16 June 2020 presentations

  • OWASP SAMM Update – Bart De Win and Sebastien Deleersnyder
  • The Seven Deadly Sins of SAMM – John Wood
  • Agile Guidance for SAMM – Rob van der Veer
  • SAMM 2.0 Dashboard – Sathish Ashwin
  • OWASP Top 10 Maturity Categories for Security Champions – Lucian Corlan
  • Using OWASP SAMM to kickstart the SSDLC – Lessons learned from real-world projects – Thomas Kerbl
  • OWASP SAMM: Tools of the Trade – John Ellingsworth
  • Lean security: a framework for activities and design factors in DevSecOps – Dennis Verslegers
  • Content Security in Federated Media Cloud Workflows – Ben Schofield
  • Integrating SAMM v2 into Consulting Assessments – Tony Cargile
  • SAMM benchmark – design and user stories – Brian Glas
  • Contributing to SAMM – Patricia Duarte

Link HERE

-DevSecCon Online Event recording

DevSecCon24 Event

Links HERE and HERE and HERE and HERE

-From Developer to Security: Looking at Security from a Developer Lens – Rey Bango

Link HERE

-Container Security: A Five Year Perspective – Justin Cormack

Link HERE

-Securing the Pipeline with Open Source Tools – Michelle Ribeiro

Link HERE

-Security Learns to Sprint: DevSecOps – Tanya Janca

Link HERE

-Secure Your Code — Injections and Logging – Philipp Krenn

Link HERE

-JSON based XSS

The main focus of writing this article is whether XSS happens if the Content-type is set to JSON!!!!!

Link HERE

-Remember: The Deauthentication Attack

Link HERE


Link HERE

-Keynote – Privacy by Design at Covid Safe Paths

Link HERE

-Sense Making With Cynefin Framework By Mario Platt & Phil Huggins

Link HERE

-Lightning Demo – Threatmodel Tool Demos by Steven Wierckx and Mike Goodwin

Link HERE

-OSS USER STORIES FOR ASVS REQUIREMENTS by Mario Platt

Link HERE

-The Art of Code – Dylan Beattie

Link HERE


Events

OWASP events HERE

OWASP Virtual AppSec Days

Summer of Security 2020

Link HERE

Hackerone – INCORPORATING PENTESTING IN YOUR OVERALL SECURITY STRATEGY

Link HERE

Serverless Security Strategies: Under the Hood

Link HERE – thanks to Steven


Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report


Poor password practices

A recent study carried out by FICO Consumer Digital Banking showed only 40% of people in the UK have separate passwords for their financial accounts. The research highlighted that just over 20% of UK citizens only use between 2-5 passwords, which are then re-used for financial accounts.

Email accounts targeted in phishing campaign

The NCSC continues to provide support to victims of a widespread phishing campaign targeting a range of organisations in the UK.

The NCSC first raised awareness about this campaign in October last year, stating that automated attacks designed to harvest credentials had been active since at least July 2018 and appeared to be spreading indiscriminately across a broad range of UK sectors.

US network outages cause widespread speculation

“DDoS” was trending on Twitter on Monday with internet services and mobile carriers down for people across the US.

Claims that a massive DDoS (Distributed Denial of Service) attack was underway were spread by a supposed Anonymous News Twitter account. Anonymous is a longstanding hacktivist group that has allegedly re-emerged in 2020.

Australia responds to targeting of government and critical infrastructure

This week the Australian Prime Minister announced the country was aware of, and responding to, malicious cyber activity targeting Australian governments and critical assets by a “sophisticated state-based actor”.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 88 – JWT pentesting, API discovery, the present and future of OpenAPI

  • The JSON Web Token Toolkit: a Python script jwt-tool for validating, forging and cracking JWTs.
  • JWT Attack Playbook: A wiki on what JWTs are, how they work, how to test them for vulnerabilities, and common weaknesses and unintended coding errors with them. The wiki is closely related to the jwt_tool.

Link HERE

Incidents & events detail

Prime Minister: Australia is Under State-Sponsored Cyberattack

At a press conference on Friday, June 19, Australian Prime Minister Scott Morrison warned that the country’s public sector is under cyberattack from a state backed actor. The attacks have targeted organizations in a range of sectors including government, private industry, education, health and essential services, and operators of critical infrastructure. Morrison declined to identify the country he believes is responsible for the attacks. A technical advisory from the Australian Signals Directorate (ASD) describes the “tactics, techniques and procedures used to target multiple Australian networks.”


[Pescatore]
Two telling quotes from the ASD alert: (1) “The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor” and (2) “ACSC Recommended Prioritised Mitigations … Prompt patching of internet facing software, operating systems and devices. All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available.” The attacks were sophisticated, but basic security hygiene (patching) would have disabled those attacks. The ASD has shown data on how the “Top 4” basic security hygiene controls alone mitigate 85% of sophisticated, targeted cyber attacks.
[Neely]
While attribution is a nice-to-have, ensuring sufficient security is in place for systems, as well as recovery from attacks, are critical activities. The ASD/ACSC advisory below provides prioritized mitigations, starting with patching and implementing MFA, followed by their Essential 8 controls [www.cyber.gov.au: Essential Eight Explained (PDF)]. Those are common-sense changes which will dramatically reduce the attack surface.

Links HERE and HERE

‘BlueLeaks’ Exposes Files from Hundreds of Police Departments

Link HERE

Hacker reveals how he cracked a Bitcoin address

Bitcoin developer John Cantrell checked over a trillion combinations of words to unlock the Bitcoin address and take the money. Here’s how.

Link HERE

Link HERE

Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies

ESET researchers uncover targeted attacks against high-profile aerospace and military companies

Link HERE

How to exploit the DotNetNuke Cookie Deserialization

Link HERE

Accessories giant Claire’s hacked to steal credit card info

In a new report by cybersecurity firm Sansec, Claire’s website was compromised by attackers who attempted to steal customers’ payment information when they purchased from the site.

This type of compromise is called a MageCart attack and consists of hackers compromising a website so that they can inject malicious JavaScript into various sections of the site. These scripts then steal payment information submitted by customers.

Link HERE
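As an added defensive example (not from the Sansec report or the linked article), the check below audits a checkout page’s script tags against a reviewed baseline: it flags script sources outside an allowlist, allowed scripts served without a Subresource Integrity attribute, and inline scripts whose hash is not in the baseline. The HTML, hostnames and the SRI value are constructed.

```python
# Added example: audit a checkout page's <script> tags against a reviewed baseline (HTML, hostnames and SRI value constructed).
import base64
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every <script>: external src and integrity, or the inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._current is not None:  # script text arrives here, possibly in chunks
            self._current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def sri_hash(body):
    """Digest in the form an integrity= attribute uses: sha384-<base64>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body.encode()).digest()).decode()

def baseline_inline_hashes(known_good_html):
    # Pin the inline scripts of a reviewed snapshot by hash.
    return {sri_hash(s["body"]) for s in collect_scripts(known_good_html) if not s["src"]}

def audit(html, allowed_src, baseline):
    """Return (finding, detail) pairs for scripts that deviate from the baseline."""
    findings = []
    for s in collect_scripts(html):
        if s["src"]:
            if s["src"] not in allowed_src:
                findings.append(("unexpected-external-script", s["src"]))
            elif not s["integrity"]:  # allowed file served without SRI can be swapped unnoticed
                findings.append(("allowed-script-without-sri", s["src"]))
        elif sri_hash(s["body"]) not in baseline:
            findings.append(("unknown-inline-script", s["body"].strip()))
    return findings

# Constructed known-good snapshot of the checkout page.
GOOD_HTML = ('<script src="https://shop.example/static/checkout.js" integrity="sha384-PLACEHOLDER"></script>'
             '<script>window.shopConfig = {currency: "USD"};</script>')
# Constructed compromised copy: SRI dropped, a foreign script and an extra inline block added.
COMPROMISED_HTML = ('<script src="https://shop.example/static/checkout.js"></script>'
                    '<script>window.shopConfig = {currency: "USD"};</script>'
                    '<script src="https://cdn-stats.example/track.js"></script>'
                    '<script>/* injected: not in baseline */ var t = 0;</script>')
ALLOWED_SRC = {"https://shop.example/static/checkout.js"}
def run_audit():
    return audit(COMPROMISED_HTML, ALLOWED_SRC, baseline_inline_hashes(GOOD_HTML))
```

Running the audit on the compromised copy yields three findings; the known-good snapshot audited against its own baseline yields none.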

Apple accused of ‘hostile’ app fee policies

Link HERE

If you’re going to Germany, be sure you haven’t de-identified your passport photograph

Link HERE

Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found

Link HERE

South African bank to replace 12m cards after employees stole master key

Postbank says employees printed its master key at one of its data centres and then used it to steal $3.2 million.

Link HERE

Virtual Hearing – Cybercriminals and Fraudsters: How Bad Actors Are Exploiting Covid 19

According to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3), “the number of cybersecurity complaints to the IC3 in the last four months has spiked from 1,000 daily before the pandemic to as many as 4,000 incidents in a day.” These reports in the first four months of the COVID-19 pandemic are near the total reported amount of 2019 complaints. The financial services sector is also under increased duress due to COVID-19 related cyber-criminal activity. A May 2020 survey of financial institutions (FIs) found that 80% of surveyed banks report a year-on-year increase in cyberattacks against the sector, surging 238% during the COVID-19 crisis (February-April 2020). The volume of attacks, as reported by many of the largest FIs, moved across the globe towards the U.S. in line with the movement of the virus and has continued to ebb and flow with the undulations of the COVID-19 news cycle.

Link HERE

DOM XSS on duckduckgo.com search

Link HERE

The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers

Link HERE

Exploiting Bitdefender Antivirus: RCE from any website

Link HERE

Exfiltrating User’s Private Data Using Google Analytics to Bypass CSP

Link HERE

Report: Facebook Helped the FBI Exploit Vulnerability in a Secure Linux Distro for Child Predator Sting

Link HERE

Research of the week

Pentest as a Service

Impact Report: 2020


Link HERE

Featuring – Remote Code Execution Using Impacket

In this post, we are going to discuss how we can connect to a victim’s machine remotely using the Python library “Impacket”, which you can download from here.

Link HERE

CVE-2020-1170 – Microsoft Windows Defender Elevation of Privilege Vulnerability

Here is my writeup about CVE-2020-1170, an elevation of privilege bug in Windows Defender. Finding a vulnerability in a security-oriented product is quite satisfying. Though, there was nothing ground-breaking. It’s quite the opposite actually and I’m surprised nobody else reported it before me.

Link HERE – thanks to Andi

Azure responds to COVID-19

A more technical look at how we scaled Azure as the COVID-19 outbreak rapidly pushed demand for cloud services.

Link HERE

Last orders at the house of force

I recently reported several vulnerabilities in SANE — an open-source library for interfacing with document scanners. It is used by the Simple Scan application, which ships by default with Ubuntu Desktop. One of the vulnerabilities, CVE-2020-12861 (aka GHSL-2020-080), is a remotely triggerable heap buffer overflow. I thought it would be a great prank to play on my colleagues at the GitHub UK office in Oxford if I could use it to pop a calculator on their desktops. Like me, many of my colleagues in Oxford run Ubuntu. I doubt that many of them use Simple Scan on a regular basis, but that’s easily solved with a little bit of social engineering. I planned to post a message like this on our internal #oxford channel:

Have any of you managed to get Ubuntu’s scanning application to work with the printer on the 2nd floor?

Link HERE

Cloud Security and the Shared Responsibility Model with CIS

Link HERE

A National Security Research Agenda for Cybersecurity and Artificial Intelligence

This agenda focuses on the machine learning paradigm of artificial intelligence. It has four components: offense, defense, adversarial learning, and overarching questions.

Link HERE

Remember: Exploiting ReDoS

Downing Servers With Evil Regular Expressions

Link HERE

Tool of the week

Credential Dumping Cheatsheet

This cheatsheet is aimed at Red Teamers to help them understand the fundamentals of Credential Dumping (a sub-technique of Credential Access) with examples.

Link HERE

Securing TYPO3 CMS [New Scanner]

Link HERE – thanks to Javan

FuzzGen

FuzzGen is a tool for automatically synthesizing fuzzers for complex libraries in a given environment. FuzzGen leverages a whole-system analysis to infer the library’s interface and synthesizes fuzzers specifically for that library.

FuzzGen is fully automatic and can be applied to a wide range of libraries. The generated fuzzers leverage LibFuzzer to achieve better code coverage and expose bugs that reside deep in the library.

For more details please refer to our USENIX Security’20 paper.

Link HERE

Using Frida For Windows Reverse Engineering

Link HERE

Open Information Security Risk Universe

Link HERE

Pi Zero HoneyPot

Link HERE

Other interesting articles 

## Stop Using If-Else Statements

Write clean, maintainable code without if-else


Link HERE


## Linux Privilege Escalation in Four Ways

How overprivileged processes compromise your system

Link HERE


## Top 5 Programming Languages for CyberSecurity in 2020

Link HERE

## And finally, Catch Me If You Can: A Rogue Cyber Security Professional

We’ve taken some of the best of all of the worlds in security and aligned it to the CISO mindmap in what needs to be done for detection planning against a rogue cyber security agent. This involves incorporating what your own program weaknesses are and how to exploit them. Only your security team will know where you are most vulnerable.

The primary areas to consider are:

  • Cyber Threat Intel Diamond Model Profile
  • Psychosocial profile indicators (includes sentiment analysis)
  • Resources (available to the rogue actor technical and human)
  • Motives (Usually destruction, sabotage, or data leakage)
  • Existing Skillsets (interpersonal, technical, etc.)
  • Kill Chain Analysis (Scenarios for the threat to exploit)

Link HERE

## HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://www.ehpus.com/post/smtp-injection-in-gsuite

Description: SMTP Injection in Gsuite.

URL: https://research.securitum.com/the-curious-case-of-copy-paste/

Description: The Curious Case of Copy & Paste.

Links HERE and credits to HERE



1 thought on “Security Stack Sheet #99”

  1. adhesion 14th August 2020, 23:32

     I really like it whenever people get together
     and share ideas. Great blog, continue the good work!
