Security Stack Sheet #111

 Word of the Week

“Building Effective Security Objectives and Key Results”

  • Define the mission with high-level security objectives: Make sure security objectives make sense outside the security team and make it clear how security supports the organisational mission
  • Create balanced security objectives: Balance things like reducing actual risk vs perceived risk, improving security posture vs reducing development velocity, etc.
  • Think of your security team as a product: Can you ship an MVP of a new security process or tool, and then rapidly learn and iterate based on feedback? Consider developer UX in process and tool changes. Consider sending out Net Promoter Score surveys after threat modelling exercises. Would dev teams recommend your security team to other devs?
  • LaunchDarkly uses Jira as the single source of tracking for vulnerability information, with custom issue types carrying: type (CWE), severity (CVSS), service and team involved, source, and the times introduced, identified and mitigated.

Example metrics: time to detection of vulnerabilities, time to remediation, and average vulnerabilities over time. Each of these can be cut by vulnerability type, source, team, etc. Having a well-defined key result makes the impact of initiatives much clearer: for example, will adding a new SAST or DAST tool reduce time to detection? Prioritise projects based on impact and effort as well as confidence (how likely is this to result in impact?). Also consider the cost of delay: a risk that exposes the organisation today is higher priority than something that prevents a future problem.
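Those three metrics fall straight out of the Jira fields listed above (introduced, identified, mitigated, plus team and source). The block below is an added example, not LaunchDarkly's tooling or anything shown in the talk: it computes mean time to detection, mean time to remediation and the average number of open issues per day over a constructed set of issue records, with optional grouping by any field. The field names, the ISO date format, the sample issues and the reading of "average vulnerabilities over time" as "mean open issues per day" are all assumptions.

```python
"""Vulnerability key-result metrics over Jira-style issue records (added example).

Assumed record layout mirrors the custom fields above: cwe, cvss, team, source,
introduced, identified, mitigated. All records are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample issues; `mitigated` is None while the issue is still open.
ISSUES = [
    {"key": "SEC-1", "cwe": "CWE-79", "cvss": 6.1, "team": "web", "source": "pentest",
     "introduced": "2020-09-01", "identified": "2020-10-05", "mitigated": "2020-10-12"},
    {"key": "SEC-2", "cwe": "CWE-89", "cvss": 9.8, "team": "web", "source": "sast",
     "introduced": "2020-10-01", "identified": "2020-10-02", "mitigated": "2020-10-04"},
    {"key": "SEC-3", "cwe": "CWE-798", "cvss": 7.5, "team": "infra", "source": "bugbounty",
     "introduced": "2020-08-15", "identified": "2020-10-20", "mitigated": None},
    {"key": "SEC-4", "cwe": "CWE-79", "cvss": 5.4, "team": "infra", "source": "sast",
     "introduced": "2020-10-10", "identified": "2020-10-11", "mitigated": "2020-10-25"},
]


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def mean_days(issues, start, end, group_by=None):
    """Mean (end - start) in days, optionally grouped by a field such as
    'team' or 'source'. Issues lacking the `end` timestamp (still open) are
    skipped rather than counted as zero."""
    buckets = defaultdict(list)
    for issue in issues:
        if issue[end] is None:
            continue
        days = (_day(issue[end]) - _day(issue[start])).days
        buckets[issue[group_by] if group_by else "all"].append(days)
    return {k: mean(v) for k, v in buckets.items()}


def time_to_detection(issues, group_by=None):
    """Mean days between a vulnerability being introduced and being found."""
    return mean_days(issues, "introduced", "identified", group_by)


def time_to_remediation(issues, group_by=None):
    """Mean days between a vulnerability being found and being fixed."""
    return mean_days(issues, "identified", "mitigated", group_by)


def open_on(issues, day):
    """Keys of issues identified on or before `day` and not yet mitigated then."""
    d = _day(day)
    return [i["key"] for i in issues
            if _day(i["identified"]) <= d
            and (i["mitigated"] is None or _day(i["mitigated"]) > d)]


def average_open(issues, start, end):
    """Mean number of open issues per day across the inclusive window."""
    s, e = _day(start), _day(end)
    n_days = (e - s).days + 1
    total = sum(len(open_on(issues, (s + timedelta(n)).strftime("%Y-%m-%d")))
                for n in range(n_days))
    return total / n_days


if __name__ == "__main__":
    print("MTTD by source:", time_to_detection(ISSUES, "source"))
    print("MTTR by team:", time_to_remediation(ISSUES, "team"))
    print("average open, Oct 1-4:", average_open(ISSUES, "2020-10-01", "2020-10-04"))
```

Grouping by `source` is what answers the SAST/DAST question in the text: if the new tool is doing its job, the `sast` bucket's time to detection should fall while its share of findings rises.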

Free OKR, PPP and KPI manager for small startup teams in Google Sheets | by Alexander Jarvis | Medium

Link HERE and video HERE and Watch Loco Moco Security Conference talks HERE

AND

Ukulele songs from the conference! HERE

 

Word of the Week Special

“More Secure in the Public Cloud”

In most circumstances we can do a better job of security in the cloud than we can do on-premises.

#1: Security patches can be applied faster

#2: It’s easier to deploy security controls at scale

#3: You can authorise everything, and implement ‘separation of duties’ more easily

And the outcomes

Links HERE – thanks to Ben

NCSC recommending the Cloud HERE

“Black Friday and Cyber Monday”

Stay safe before, during and after peak retail season

Links HERE and HERE and HERE

Bonus

Link HERE

Security Mindmap

Link HERE

Link HERE

Crypto challenge of the week

Pickle Rick

A Rick and Morty CTF. Help turn Rick back into a human!

Link HERE

Dates

  • May 25th 2018: Over 2 years of GDPR live! See incidents section below. GDPR Enforcement Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 is the minimum for proper HTTPS security; HTTPS everywhere HERE
  • DO NOT DELAY your TLS 1.2 migration BEYOND JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office 365, Cisco and many others]
  • January 2020 – Qualys SSL Labs will rate a server that still accepts TLS 1.0 as B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit (properly) Finalised?
  • 1st of July 2021 – Freedom from viruses?

Cyberattacks targeting health care must stop

Link HERE

Have a nice flight w/o Covid

Link HERE

  • November 3rd 2020: Trump’s second term start

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • December 31st, 2020 Flash End-of-Life
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1

Book of the month

The Ultimate Guide to Lying

Link HERE

Threat Modelling Practical Guide to Dev Teams

Link HERE

SANS book: Practical Guide to Security in the AWS Cloud

Link HERE

Comic of the week

Dilbert Not On Mute - Dilbert by Scott Adams

##Some OWASP stuff first

–The Threat Modelling Manifesto

We follow these principles:

  • The best use of threat modelling is to improve the security and privacy of a system through early and frequent analysis.
  • Threat modelling must align with an organization’s development practices and follow design changes in iterations that are each scoped to manageable portions of the system.
  • The outcomes of threat modelling are meaningful when they are of value to stakeholders.
  • Dialog is key to establishing the common understandings that lead to value, while documents record those understandings, and enable measurement

Link HERE

–CVSS for Dev Teams

Penetration test results (hopefully) contain CVSS scores. Here are some thoughts on how a dev team should look at them

Link HERE

–Continuous Kubernetes Security

Link HERE and How to Maintain Compliance — At the Speed of Kubernetes Link HERE

–THE HACKERONE TOP 10 MOST IMPACTFUL AND REWARDED VULNERABILITY TYPES – 2020 EDITION

Link HERE

–Comprehensive Guide on Password Spraying Attack

Link HERE

–10 React security best practices

Link HERE

–Absolute AppSec Ep. #113 – Jacob Salassi – Modelling Threats, Risk Assessments

  • You’re never going to scale if the security team needs to be involved in every threat model; it has to be developer-led.
  • Engineers don’t know what “threat modelling” is. But they’re great at modelling the systems they’re building, so Jacob instead has them “model threats.”
  • In order to get widespread threat modelling adoption, ask yourself: how can we make it as easy and frictionless for developers as possible?
  • Threat modelling is often referred to as “more art than science.” That doesn’t work when you’re trying to get consistent threat modelling quality across many engineers in a large org. Instead, you need to build guardrails, document the process, and streamline it as much as possible so it’s repeatable.
  • Snowflake’s security team has done some neat work in automating parts of threat modelling. As referenced in tl;dr sec 46, they have automation to go from draw.io diagram ➡️ to a set of standard risks you need to handle ➡️ to recommended security controls to ➡️ recommended security unit tests, and more.
  • Jacob has removed as many references to “secure coding standards” internally as possible. Security is not a separate thing, security is inherently a part of building secure, quality software.

“You need to dissolve security into development, not bolt it into various places.”

Link HERE

 

Events

OWASP events HERE

API Specifications Conference (ASC) 2020, September 9-10

Did You Know You Could Use OpenAPI for Security?

Link HERE and All Link HERE

Mike Jones – (sting3r) former member of Anonymous hacktivist group – The future of cyber

Link HERE – thanks to Andi

Stu Hirst talks

Link HERE

The OWASP Newcastle November Meetup

Link HERE

HackerOne Security Conference

Link HERE and All in 1 comic HERE

BSides Singapore

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report


Mozilla withdraws Adobe Flash support in January 2021

In September, we issued a blog post about fixing your Flash dependencies before it reaches its end-of-life on 31 December 2020.

Capcom warns of potential ransomware impact

Video game developer Capcom, well known for series like Street Fighter and Resident Evil, has warned that gamers’ personal information could be affected by a recent ransomware attack against it. It also said that some of its financial information had been stolen.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 110: API flaws in Bumble and COVID-KAYA, Forrester on API security, ASC 2020 talks

Vulnerability: Bumble

Sanjana Sarda from Independent Security Evaluators found multiple vulnerabilities in the APIs behind the Bumble dating app. The app has about 95 million users, so the potential exposure is significant.

The found vulnerabilities included, for example:

  • Bypassing the limits on premium features for free accounts, because the limits were only enforced in the UI, not in the APIs.
  • Retrieving arbitrary user profiles at arbitrary locations through the user search API.
  • Triangulating the exact location of other users from the distances returned for the arbitrary locations mentioned above.
  • Retrieving sensitive information on any user, including personal information, their Facebook interests and likes, and so on.
  • Retrieving large amounts of information on many or all users programmatically with a script, because there was no API rate limiting.
  • Locked accounts could still access the APIs.

Link HERE
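The location bullet deserves spelling out, because an exact "distance from a caller-chosen point" is enough to recover a position from three queries. This added example (not from the ISE write-up; flat plane, made-up coordinates) shows a leaky distance endpoint, the trilateration that turns three responses into the user's coordinates (what the write-up calls triangulation), and a hardened endpoint that snaps the stored location to a grid before reporting a banded distance, so two users in the same cell are indistinguishable. Function names, grid and band sizes are assumptions.

```python
"""Exact-distance leak, trilateration, and a grid-snapped alternative (added example)."""
import math

# Constructed coordinates on a flat plane, arbitrary units; not real users.
VICTIM = (3.2, 4.1)
PROBES = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]  # three non-collinear caller-chosen points


def exact_distance(user_xy, query_xy):
    """Leaky endpoint: exact distance between the user and any caller-chosen point."""
    return math.dist(user_xy, query_xy)


def trilaterate(p1, d1, p2, d2, p3, d3):
    """Recover (x, y) from three probe points and the exact distances to each.

    Subtracting the circle equations pairwise cancels the quadratic terms and
    leaves two linear equations in x and y, solved here by Cramer's rule.
    """
    a1, b1 = 2 * (p2[0] - p1[0]), 2 * (p2[1] - p1[1])
    c1 = d1 ** 2 - d2 ** 2 - p1[0] ** 2 + p2[0] ** 2 - p1[1] ** 2 + p2[1] ** 2
    a2, b2 = 2 * (p3[0] - p1[0]), 2 * (p3[1] - p1[1])
    c2 = d1 ** 2 - d3 ** 2 - p1[0] ** 2 + p3[0] ** 2 - p1[1] ** 2 + p3[1] ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-12:
        raise ValueError("probe points must not be collinear")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def locate_via(distance_api, user_xy, probes=PROBES):
    """Attacker-side loop: ask the API for the distance from three points, then solve."""
    d = [distance_api(user_xy, p) for p in probes]
    return trilaterate(probes[0], d[0], probes[1], d[1], probes[2], d[2])


def snapped_distance(user_xy, query_xy, grid=0.5, band=1.0):
    """Hardened endpoint: snap the user's stored position to a grid cell, then
    report the distance rounded up to a band. Rounding the distance alone is
    not enough (band boundaries can be located by moving the probe), so the
    snap is what bounds the precision an attacker can reach."""
    snapped = (round(user_xy[0] / grid) * grid, round(user_xy[1] / grid) * grid)
    return math.ceil(math.dist(snapped, query_xy) / band) * band


if __name__ == "__main__":
    print("leaky API recovers:", locate_via(exact_distance, VICTIM))
    print("hardened API answers:", [snapped_distance(VICTIM, p) for p in PROBES])
```

Real deployments work on a sphere and in metres, but the shape of the problem is the same: any endpoint that returns a fine-grained distance from a point the caller controls is a location oracle, and rate limiting only slows the three requests it takes.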

 

Incidents & events detail

Facebook Messenger Flaw Enabled Spying on Android Callees

A critical flaw in Facebook Messenger on Android would let someone start an audio or video call without the victim’s knowledge.

Link HERE

Romanians arrested for running underground malware services

Link HERE

AWS access keys leak in GitHub repository and some improvements in Amazon reaction

Link HERE

Nearly Two Dozen AWS APIs Are Vulnerable to Abuse

Attackers can conduct identity reconnaissance against an organization at leisure without being detected, Palo Alto Networks says

Link HERE

DDoS attacks more numerous, diverse, but smaller in Q3 of 2020

John Graham-Cumming, CTO at Cloudflare, believes Covid-19 may have played a role in the fourfold increase since the first quarter.

“Willie Sutton famously said he robbed banks because that’s where the money was. The same is true for cyber-attacks,” he told The Daily Swig.

“2020 saw a huge increase in online working, learning, and shopping, and so the bad guys and the DDoS attacks followed.”

Analysis of traffic at 200 Cloudflare data centers around the world also revealed an explosion of CDP-protocol attacks as well as a rise in ransom-driven (RDDoS) and distributed botnet attacks

Link HERE

So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

But claims of ‘complete system compromise’ are a little extreme

Link HERE

Cryptocurrency exchange Liquid suffers security breach, user data exposed

Customers advised to change passwords and enable 2FA following hack

Link HERE

Remember: How I hacked hundreds of companies through their helpdesk

Link HERE

Fixing leaky logs: how to find a bug and ensure it never returns

TL;DR I lay out a case for moving security enforcement into the hands of developers. I show how I and another developer at r2c successfully identified data leakage in our logs, fixed the issue, and prevented it from happening in the future. We did this in a matter of hours, without assistance from our AppSec team.

Link HERE

Facebook pays out $25k bug bounty for chained DOM-based XSS

Link HERE

NAT Slipstreaming hack tricks firewalls and routers

Link HERE

OceanLotus: Extending Cyber Espionage Operations Through Fake Websites

Link HERE

RansomExx ransomware now targets also Linux systems

Link HERE

Bitcoin: $1bn seized from Silk Road account by US government

Link HERE

Ryuk Ransomware: Extensive Attack Infrastructure Revealed

Link HERE

Research of the week

Attacking JSON Web Tokens (JWTs)

Forge the token to gain unauthorized access!

Link HERE
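The best-known forgery against a JWT verifier is to hand it a token whose header says alg is none, or more generally to let the token choose how it is verified. The following added example (standard library only; not code from the linked research) implements compact HS256 JWTs, shows a verifier that trusts the header and therefore accepts the forged token, and the fixed verifier that pins the algorithm. The key, the claims and the function names are assumptions.

```python
"""JWT alg=none forgery beside a verifier that pins the algorithm (added example)."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-secret"  # assumption: the HS256 key only the issuer holds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Legitimate issuer: header.payload with HMAC-SHA256 over both segments."""
    header, payload = _segment({"alg": "HS256", "typ": "JWT"}), _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_none(claims: dict) -> str:
    """Attacker: same shape, but the header claims no signature is needed."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable: the token decides how it is verified."""
    h, p, s = token.split(".")
    header = json.loads(_unb64url(h))
    if header["alg"] == "none":  # the bug: unsigned tokens are accepted
        return json.loads(_unb64url(p))
    if header["alg"] == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(s)):
            return json.loads(_unb64url(p))
    raise ValueError("bad signature")


def verify_pinned(token: str, key: bytes) -> dict:
    """Hardened: the algorithm is the verifier's decision, never the token's."""
    h, p, s = token.split(".")
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))


def rejects(verifier, token: str, key: bytes) -> bool:
    """True if the verifier refuses the token."""
    try:
        verifier(token, key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    forged = forge_none({"sub": "alice", "admin": True})
    print("trusting verifier:", verify_trusting_header(forged, SERVER_KEY))
    print("pinned verifier rejects forgery:", rejects(verify_pinned, forged, SERVER_KEY))
```

The same "verifier decides" rule is what closes the related RS256-to-HS256 confusion, where a verifier that takes the algorithm from the header ends up using the public key as an HMAC secret; a real library should be called with an explicit allow-list of algorithms, never with whatever the token names.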

Secure Remote Working 2020

Link HERE

2020 GLOBAL THREAT REPORT

Link HERE

Announcing the Cloud Native Security White Paper

The technology industry has shifted towards patterns of development and deployment that are seen as “cloud native”. Simultaneously, the ecosystem of technologies, products, standards, and solutions is expanding, challenging decision makers to remain abreast of complex designs. The CISO role, in particular, has the evolving responsibility of illuminating business value propositions in this dynamic arena. Meanwhile, cloud native patterns have also encouraged changes in consumption models and the adoption of modern workflows (e.g. agile methodologies and DevOps processes) requiring integrated security practices.

Link HERE

 

Tool of the week

Introducing BloodHound 4.0: The Azure Update

BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments; 4.0 extends that to Azure.

Link HERE

Introducing a mind map for AWS investigations

Link HERE

webscan

webscan is a browser-based network IP scanner and local IP detector

Link HERE

New Azure Kubernetes Service (AKS) Security Workbook

Link HERE

Project Lockdown

A suite of serverless, event-driven auto-remediation Cloud Functions designed to react to insecure resource creations or configurations. Project Lockdown is meant to be deployed in a GCP environment and can monitor and remediate across your entire Organization hierarchy in a matter of seconds.

Link HERE

Amazon S3 Storage Analytics and Insights – Storage Lens

Link HERE

Use real-time anomaly detection reference patterns to combat fraud

Link HERE

Other interesting articles 

##The Uncanny Valley of Security (or Why We Might Never Finish Anything)

The uncanny valley is a well-known term in robotics. It describes how we accept robots that don’t attempt to look too human but are repulsed by them as they approach a near life-like appearance. The diagram below illustrates this. Similar issues appear in animation; who remembers Polar Express?

Link HERE

 

##Checks and Balances — Risks vs Mitigations

Link HERE – thanks to Alvin

 

##Learning from AWS (Customer) Security Incidents

Link HERE

 

##Type confusion: discovery, abuse, and protection

Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests if a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Using an object of an incompatible base type instead of a derived type results in type confusion. Attackers have been abusing such type confusion issues to compromise popular software products including Adobe Flash, PHP, Google Chrome, or Firefox, raising critical security concerns.

We discuss the details of this vulnerability type and how such vulnerabilities relate to memory corruption. Based on an LLVM-based sanitizer that we developed, we will show how to discover such vulnerabilities in large software through fuzzing and how to protect yourself against this class of bugs.

Link HERE

 

##And finally, Artificial consciousness

Artificial Intelligence Scoro

Links HERE and HERE and HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://link.medium.com/h9qeqgiCibb  

Description: Dropbox SSRF (Server Side Request Forgery).

URL: https://link.medium.com/x2VUw0mcubb  

Description: Firefox – How a website could steal all your cookies (CVE-2020-15647).

URL: https://nechudav.blogspot.com/2020/11/31k-ssrf-in-google-cloud-monitoring.html

Description: 31k$ SSRF in Google Cloud Monitoring led to metadata exposure.

Links HERE and HERE and credits to HERE

 

 
