Security Stack Sheet #100

Word of the Week

“The Internet is too unsafe: We need more hackers”


Link HERE and HERE and HERE and HERE and HERE and CyberFirst HERE

Word of the Week Special

“Help me, help you” – Kane Cutler

@Dynamo 20 NE


Link HERE

AND

Growing “positive security cultures”

If your security culture isn’t improving naturally, here’s what you can do about it

Link HERE – thanks to Sophia

Bonus


Link HERE

Counts of APIs by AWS service

Grouped by the categories in the web console. It’s interesting seeing how “large” some categories of the AWS ecosystem are that you may not have much knowledge of


Link HERE

Reducing bias in your hiring process


Link HERE – thanks to TK


Crypto challenge of the week

BLK_BOX

Hi, I’m BLK_BOX. 

HMGCC created me to help find some seriously talented humans – the incredible minds that will develop the next generation of comms systems and tech solutions, no less. It sounds exciting, because it is

Link HERE

Dates

  • May 25th 2018: Over 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius

GDPR Data Breach Notifications Rise by 66% Across Europe

Link HERE

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 is mandatory for proper security. HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?


Link HERE

  • 1st of July 2020 – Freedom from viruses?
  • November 3rd 2020: Trump’s second term start

This Is Normal

We like to believe we live in a skewed reality. What if we don’t?

Link HERE

  • 2022 – First trip to Mars according to Elon Musk


  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • Flash End-of-Life is December 31, 2020
  • US Government Websites Will be Accessible Through HTTPS Only After September 1

Book of the month

“API Security in Action shows you how to create secure web APIs that you can confidently share with your business partners and expose for public usage. Security expert Neil Madden takes you under the hood of modern API security concepts, including token-based authentication for flexible multi-user security, bootstrapping a secure environment in a Kubernetes microservices architecture, and using lightweight cryptography to secure an IoT device.”

Link HERE

Great and FREE e-books

Link HERE – thanks to Naz

Comic of the week

Quarantine Before Date - Dilbert by Scott Adams

##Some OWASP stuff first


The SCVS is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain

Link HERE

-Worcester DEFCON Group presentations

Max Kamper – Introduction To Linux Heap Exploitation

Andy Pannell – 50 Million Downloads And All I Got Was Malware

Toast – AI On Edge Devices

Ian Thornton-Trump – Black Market Data

Link HERE

-About Insecure deserialization

Insecure deserialization infographic

Link HERE

-The Theory of Secure Software

Secure software does what it’s supposed to do, and nothing else

Link HERE

-Remember: Stealing JWTs in localStorage via XSS

Link HERE

-Using Malicious Azure Apps to Infiltrate a Microsoft 365 Tenant

Link HERE

-Inside Microsoft Threat Protection: Attack modelling for finding and stopping lateral movement


Link HERE


Events

OWASP events HERE

OWASP Virtual AppSec Days

Summer of Security 2020

Link HERE


Hacker Days: iOS Application Vulnerabilities and how to find them

Link HERE

Serverless Security Workshop by AWS

In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. We will cover AWS services and features you can leverage to improve the security of a serverless application

Link HERE


Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 


Incident data HERE Find your country


NCSC Weekly Threat Report


Unauthorised Data Sharing

A survey from data discovery and auditing software vendor Netwrix has revealed that inappropriate data sharing continues to be a problem for companies and businesses. The research shows that whilst most companies store their data in designated secure storage, there is still a risk of it leaking into insecure areas

HMRC phishing scam targets passport information

A phishing scam designed to steal personal and financial details from self-employed workers is now trying to capture passport information from victims.

Details from a threat report in June explain how people are informed via SMS that they may be eligible for a tax refund. They are then redirected to a fake web page that looks like the official HMRC site

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 90 – Twitter API data security incident, Google Analytics APIs used with skimmers

  • HTTP headers can play an important role in API security, as the Twitter API case shows. The header cache-control: no-store had not been set on the API, which meant that the data this API returned to the web page was stored in the browser cache.
  • Attackers use skimmers on e-commerce sites to inject their code (for example, JavaScript) to intercept credit card information on purchases. This is the first leg of the journey: attackers still need a way to ship that stolen data to their servers, and lots of sites are using Content Security Policy (CSP) to prevent that. With CSP, site owners effectively prohibit any API calls outside of their own. Sounds good, right?

Link HERE
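As an added example (not code from the newsletter or from the linked API Security issue), here is a small Python check that encodes the point about cache-control: no-store. It parses a response's Cache-Control directives and reports every reason the browser would still be allowed to store an API response that carries per-user data; the sample responses are constructed.

```python
"""Audit the caching headers of an API response that returns per-user data.
Added example: the rules follow the HTTP caching semantics (RFC 9111);
the sample responses below are constructed, not captured."""
from typing import Dict, List, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control value into {directive: argument-or-None}.
    Directive names are case-insensitive, so they are lower-cased."""
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(","):
        part = raw.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def audit_caching(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that must not be stored by the browser.
    An empty list means Cache-Control: no-store is present, which forbids
    writing the response to any cache."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" in cc:
        return findings
    findings.append("Cache-Control lacks no-store: the browser may write this response to its cache")
    if "no-cache" in cc:
        findings.append("no-cache only forces revalidation before reuse; it does not prevent storage")
    if "private" in cc:
        findings.append("private blocks shared caches only; the user's own browser cache still stores it")
    if cc.get("max-age") not in (None, "0"):
        findings.append(f"max-age={cc['max-age']} explicitly allows reuse without revalidation")
    if "cache-control" not in lower and ("expires" in lower or "last-modified" in lower):
        findings.append("no Cache-Control at all: Expires/Last-Modified let caches compute heuristic freshness")
    return findings


if __name__ == "__main__":
    # Constructed responses for an endpoint that returns account data.
    samples = {
        "hardened": {"Cache-Control": "no-store", "Content-Type": "application/json"},
        "looks safe but is not": {"Cache-Control": "no-cache, private"},
        "header missing": {"Content-Type": "application/json",
                           "Last-Modified": "Tue, 02 Jun 2020 10:00:00 GMT"},
    }
    for label, hdrs in samples.items():
        print(label, "->", audit_caching(hdrs) or ["OK: not storable"])
```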

Incidents & events detail

Starbucks API flaw exposes almost 100 million customer accounts

Sam Curry found an API vulnerability at Starbucks that exposed almost 100 million customer records. In his detailed write-up, Curry walks us through how he went about finding the issue:

  • He found that the web page for buying gift cards used a REST API behind the scenes.
  • He noticed that the API was actually acting as a proxy and routing calls to internal backend APIs.
  • He found a combination of \.. and \. segments that fooled the web application firewall (WAF) rules and allowed him to traverse API paths.
  • He and Justin Gardner then used Burp Intruder and a dictionary list to discover the available endpoints.
  • He located /search/v1/accounts, a Microsoft Graph endpoint that gave him access to the records of almost 100 million Starbucks customers.

Starbucks has already fixed this vulnerability. Curry’s entertaining post provides not only the details of the vulnerability itself, but also a brilliant account on how a researcher approaches finding one

Link HERE


Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

We found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot

Link HERE – thanks to Jachar

Misconfigured Kubeflow workloads are a security risk

Azure Security Center (ASC) monitors and defends thousands of Kubernetes clusters running on top of AKS. Azure Security Center regularly searches for and researches new attack vectors against Kubernetes workloads. We recently published a blog post about a large-scale campaign against Kubernetes clusters that abused exposed Kubernetes dashboards for deploying cryptocurrency miners

Link HERE

Remember: Magento Exploitation! — From Customer to Server User Access

Link HERE

The Security Risks of Contactless Payment

Link HERE

Privilege Escalation Via Cron

Exploiting Misconfigured Cron Permissions To Gain Root Access

Link HERE

The more cybersecurity tools an enterprise deploys, the less effective their defence is

New research highlights how throwing money indiscriminately at security doesn’t guarantee results

Link HERE

Google Researchers Find Design Flaw in Avast Antivirus

Link HERE

Journalist’s phone hacked by new ‘invisible’ technique: All he had to do was visit one website. Any website

Link HERE – thanks to Joce

Infamous Magecart Attack Hits Government Websites of 8 U.S. Cities

Link HERE

Crooks abuse Google Analytics to conceal theft of payment card data

Ecommerce site’s “blind trust” makes the service a perfect place to dump data

Link HERE

Two Factor Auth

List of sites with Two Factor Auth support which includes SMS, email, phone calls, hardware, and software

Link HERE

Research of the week

Validating Kubernetes YAML for best practice and policies

The article compares six static tools to validate and score Kubernetes YAML files for best practices and compliance

Link HERE

Accreditation Models for Secure Cloud Adoption by AWS

Decentralized, Centralized and Hybrid Models

Accreditation is essentially a risk management decision that the authorizing government or company will have to make based on the results of the assessments performed on the cloud service provider. An accreditation program is the set of international standards, certifications, and accreditations used, independent of the organizational model chosen

Link HERE

Container Vulnerability Scanning Fun

This post will look a bit at how assessing vulnerabilities of container images for outdated operating system packages is handled and some things to be aware of. We’ll exclude Windows container images to keep things (relatively) straightforward and stick to operating system level vulnerabilities

Link HERE

ACCESS KEYS IN AWS LAMBDA

Link HERE

How to perform OSINT with Shodan

Link HERE

The Forrester Wave™: Web Application Firewalls, Q1 2020


Link HERE

API SECURITY


Link HERE

The Current State of Kubernetes Threat Modelling

Link HERE

The Secret Lives of Data

Raft – Understandable Distributed Consensus

Link HERE

System hardening in Android 11 by Google

Link HERE AND a possible replacement to Android – Fuchsia HERE


Tool of the week

BBVA APICheck

The Spanish bank BBVA has an Innovation Security Labs team which maintains a set of open-source API security tools called APICheck.

The toolset includes, for example:

  • Replay HTTP requests
  • acurl
  • APICheck proxy
  • JWT token validator (just released)
  • Sensitive data detector
  • Send data to a proxy server

Link HERE

API security extensions for VS Code, Azure DevOps, Azure Kubernetes Services

  • Visual Studio Code (VS Code)
  • Azure DevOps pipelines (Azure Pipelines)
  • Azure Kubernetes Service (AKS)

Link HERE

Aardvark


Multi-account AWS IAM Access Advisor API (and caching layer)

Link HERE

Regula

A tool that evaluates Terraform infrastructure-as-code for potential AWS, Azure, and Google Cloud security misconfigurations and compliance violations prior to deployment


Link HERE

AWS CloudFormation Guard

This repo contains source code for the following tools:

  • CloudFormation Guard A CLI tool that checks AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax
  • CloudFormation Guard Lambda is the AWS Lambda version of CloudFormation Guard
  • CloudFormation Guard Rulegen automatically generates CloudFormation Guard rules from existing CloudFormation templates

Link HERE

macOS Big Sur: The End of OS X

Big Sur is officially macOS 11.0

Link HERE


Link HERE and Tools for cloud examination HERE

Cloud Pentest Cheat sheets

This repository contains a collection of cheat sheets I have put together for tools related to pentesting organizations that leverage cloud providers

Link HERE – thanks to Naz

How to build a CI/CD pipeline for container vulnerability scanning with Trivy and AWS Security Hub

Link HERE

Browsertunnel

A tool for exfiltrating data from the browser using the DNS protocol. It achieves this by abusing dns-prefetch, a feature intended to reduce the perceived latency of websites by doing DNS lookups in the background for specified domains. DNS traffic does not appear in the browser’s debugging tools, is not blocked by a page’s Content Security Policy (CSP), and is often not inspected by corporate firewalls or proxies, making it an ideal medium for smuggling data in constrained scenarios

Link HERE

Other interesting articles 

##A Simple Manifesto for Leading Security and Risk Teams

I’ve been using variants of these principles for many years in many contexts, both for security and broader risk management teams. I have found it a useful set of meta-goals to help lead various scales of organizations. Hopefully you will find some of them useful

Link HERE


##How to Encrypt a Document Stored on Google Drive

Google Drive may not let you encrypt individual Google Docs, but there are still ways to protect your security and privacy. Here’s how to keep your Docs from prying eyes

Link HERE


##Remember: AI Security and Adversarial Machine Learning 101

Artificial intelligence (AI) hits the headlines with increasing frequency. New technology products persistently include AI. It also touches the area of Cybersecurity giving attackers and defenders greater opportunities to achieve their goals. I’ve already published some ideas of using machine learning for Cybersecurity solutions as well as implementing ML techniques to improve hackers’ attacks. It seems AI works on both sides of the counter, so there’s no way to definitively say if AI is good or evil. Today I’m going to throw some cold water on everything

Link HERE


##I, CISO

1. A CISO may not damage their organization or, through inaction, allow their organization to come to harm.

2. A CISO must implement security controls found in established risk management frameworks except where such controls would conflict with the First Precept.

3. A CISO must develop and mentor their security program & teams as long as this growth is aligned to support the First or Second Precepts.

4. A CISO must evangelize the value of his/her security program for the company, creating an educated security-aware business culture as long as it does not interfere with the First, Second, or Third Precepts.

5. A CISO must understand their organization’s business operations and its critical assets to efficiently manage its risk and support it in times of crisis.

6. A CISO must collaborate with their peers and give back to the cyber community at large as long as this involvement does not interfere with the First, Second, or Third Precepts.

Link HERE


##Remember: How Much Are People Paying For Your Identity on the Dark Web?

Link HERE

##And finally, The Varieties Of Human Work

The early ergonomists were right. The analysis of work cannot be limited to work as prescribed in procedures etc (le travail prescrit), nor to the observation of work actually done (le travail réalisé). Similarly, it cannot be limited to work as we imagine it, nor work as people talk about it. Only by considering all four of these varieties of human work can we hope to understand what’s going on

Link HERE

AND

Are You Cyberpunk Enough Now to Unplug from the Mainstream?


Link HERE

AND

Physicists Have Reversed Time on The Smallest Scale Using a Quantum Computer

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://hackerone.com/reports/833080

Description: Slack RCE – Low user-assist.

URL: https://cturt.github.io/freedvdboot.html

Description: FreeDVDBoot – Hacking the PlayStation 2 through its DVD player.

Links HERE and credits to HERE
