Word of the Week “Building Effective Security Objectives and Key Results”
Example metrics: time to detection of vulnerabilities, time to remediation, and average vulnerabilities over time. Each of these can be broken down by vulnerability type, source, team, etc. A well-defined key result makes the impact of an initiative much clearer: for example, will adding a new SAST or DAST tool reduce time to detection? Prioritize projects based on impact and effort, and also on confidence: how likely is this to result in impact? Also consider the cost of delay: a risk that exposes the organization today is a higher priority than something that prevents a future problem.
Link HERE and video HERE and watch Loco Moco Security Conference talks HERE and Ukulele songs from the conference! HERE
Word of the Week Special “More Secure in the Public Cloud”
In most circumstances we can do a better job of security in the cloud than we can do on-premises.
#1: Security patches can be applied faster
#2: It’s easier to deploy security controls at scale
#3: You can authorise everything, and implement ‘separation of duties’ more easily
And the outcomes
Links HERE – thanks to Ben
NCSC recommending the Cloud HERE
“Black Friday and Cyber Monday” Stay safe before, during and after peak retail season
Bonus Link HERE Security Mindmap Link HERE Link HERE
Crypto challenge of the week: Pickle Rick, a Rick and Morty CTF. Help turn Rick back into a human! Link HERE
Dates
Cyberattacks targeting health care must stop Link HERE Have a nice flight w/o Covid Link HERE
Book of the month The Ultimate Guide to Lying Link HERE Threat Modelling Practical Guide to Dev Teams Link HERE SANS book: Practical Guide to Security in the AWS Cloud Link HERE
Comic of the week
##Some OWASP stuff first –The Threat Modelling Manifesto We follow these principles:
Link HERE
–CVSS for Dev Teams: Penetration test results (hopefully) contain CVSS scores. Here are some thoughts on how a dev team should look at them Link HERE
–Continuous Kubernetes Security Link HERE and How to Maintain Compliance — At the Speed of Kubernetes Link HERE
–THE HACKERONE TOP 10 MOST IMPACTFUL AND REWARDED VULNERABILITY TYPES – 2020 EDITION Link HERE
–Comprehensive Guide on Password Spraying Attack Link HERE
–10 React security best practices Link HERE
–Absolute AppSec Ep. #113 – Jacob Salassi – Modelling Threats, Risk Assessments
“You need to dissolve security into development, not bolt it into various places.” Link HERE
Events
OWASP events HERE
API Specifications Conference (ASC) 2020, September 9-10: Did You Know You Could Use OpenAPI for Security?
Mike Jones – (sting3r) former member of Anonymous hacktivist group – The future of cyber Link HERE – thanks to Andi
Stu Hirst talks Link HERE
The OWASP Newcastle November Meetup Link HERE
HackerOne Security Conference Link HERE and All in 1 comic HERE
BSides Singapore Link HERE
Incidents
Global ALERT level BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Mozilla withdraws Adobe Flash support in January 2021: In September, we issued a blog post about fixing your Flash dependencies before it reaches its end-of-life on 31 December 2020
Capcom warns of potential ransomware impact: Video game developer Capcom, well known for series like Street Fighter and Resident Evil, has warned that gamers’ personal information could be affected by a recent ransomware attack against it. It also said that some of its financial information had been stolen Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE
API Security Issue 110: API flaws in Bumble and COVID-KAYA, Forrester on API security, ASC 2020 talks
Vulnerability: Bumble. Sanjana Sarda from Independent Security Evaluators found multiple vulnerabilities in the APIs behind the Bumble dating app. The app has about 95 million users, so the potential exposure is significant. The found vulnerabilities included, for example:
Link HERE
Incidents & events detail
Facebook Messenger Flaw Enabled Spying on Android Callees: A critical flaw in Facebook Messenger on Android would let someone start an audio or video call without the victim’s knowledge Link HERE
Romanians arrested for running underground malware services Link HERE
AWS access keys leak in GitHub repository and some improvements in Amazon reaction Link HERE
Nearly Two Dozen AWS APIs Are Vulnerable to Abuse: Attackers can conduct identity reconnaissance against an organization at leisure without being detected, Palo Alto Networks says Link HERE
DDoS attacks more numerous, diverse, but smaller in Q3 of 2020: John Graham-Cumming, CTO at Cloudflare, believes Covid-19 may have played a role in the fourfold increase since the first quarter. “Willie Sutton famously said he robbed banks because that’s where the money was. The same is true for cyber-attacks,” he told The Daily Swig. “2020 saw a huge increase in online working, learning, and shopping, and so the bad guys and the DDoS attacks followed.” Analysis of traffic at 200 Cloudflare data centers around the world also revealed an explosion of CDP-protocol attacks as well as a rise in ransom-driven (RDDoS) and distributed botnet attacks Link HERE
So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks. But claims of ‘complete system compromise’ are a little extreme Link HERE
Cryptocurrency exchange Liquid suffers security breach, user data exposed: Customers advised to change passwords and enable 2FA following hack Link HERE
Remember: How I hacked hundreds of companies through their helpdesk Link HERE
Fixing leaky logs: how to find a bug and ensure it never returns. TL;DR: I lay out a case for moving security enforcement into the hands of developers. I show how I and another developer at r2c successfully identified data leakage in our logs, fixed the issue, and prevented it from happening in the future. We did this in a matter of hours, without assistance from our AppSec team Link HERE
Facebook pays out $25k bug bounty for chained DOM-based XSS Link HERE
NAT Slipstreaming hack tricks firewalls and routers Link HERE
OceanLotus: Extending Cyber Espionage Operations Through Fake Websites Link HERE
RansomExx ransomware now targets also Linux systems Link HERE
Bitcoin: $1bn seized from Silk Road account by US government Link HERE
Ryuk Ransomware: Extensive Attack Infrastructure Revealed Link HERE
Research of the week
Attacking JSON Web Tokens (JWTs): Forge the token to gain unauthorized access! Link HERE
Secure Remote Working 2020 Link HERE
2020 GLOBAL THREAT REPORT Link HERE
Announcing the Cloud Native Security White Paper: The technology industry has shifted towards patterns of development and deployment that are seen as “cloud native”. Simultaneously, the ecosystem of technologies, products, standards, and solutions is expanding, challenging decision makers to remain abreast of complex designs. The CISO role in particular has the evolving responsibility of illuminating business value propositions in this dynamic arena. Meanwhile, cloud native patterns have also encouraged changes in consumption models and the adoption of modern workflows (e.g. agile methodologies and DevOps processes) requiring integrated security practices Link HERE
Tool of the week
Introducing BloodHound 4.0: The Azure Update. BloodHound has been used by attackers and defenders alike to identify and analyze attack paths in on-prem Active Directory environments Link HERE
Introducing a mind map for AWS investigations Link HERE
webscan: webscan is a browser-based network IP scanner and local IP detector Link HERE
New Azure Kubernetes Service (AKS) Security Workbook Link HERE
Project Lockdown: A suite of serverless event-driven auto remediation Cloud Functions designed to react to unsecure resource creations or configurations. Project Lockdown is meant to be deployed in a GCP environment and has the capabilities to monitor and remediate across your entire Organization hierarchy in a matter of seconds Link HERE
Amazon S3 Storage Analytics and Insights – Storage Lens Link HERE
Use real-time anomaly detection reference patterns to combat fraud Link HERE
Other interesting articles
##The Uncanny Valley of Security (or Why We Might Never Finish Anything)
The uncanny valley is a well-known term in robotics. It describes how we accept robots that don’t attempt to look too human, but as they approach a near life-like appearance we are repulsed by them. The diagram below illustrates this. Similar issues appear in animation: who remembers Polar Express? Link HERE
##Checks and Balances — Risks vs Mitigations Link HERE – thanks to Alvin
##Learning from AWS (Customer) Security Incidents Link HERE
##Type confusion: discovery, abuse, and protection Type confusion, often combined with use-after-free, is the main attack vector to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests if a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Using an object of an incompatible base type instead of a derived type results in type confusion. Attackers have been abusing such type confusion issues to compromise popular software products including Adobe Flash, PHP, Google Chrome, or Firefox, raising critical security concerns. We discuss the details of this vulnerability type and how such vulnerabilities relate to memory corruption. Based on an LLVM-based sanitizer that we developed, we will show how to discover such vulnerabilities in large software through fuzzing and how to protect yourself against this class of bugs Link HERE
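A minimal illustration of the statically checked versus runtime-checked downcast the abstract describes, added here as an example (it is not code from the talk or from its LLVM sanitizer; the Base, Derived and Sibling classes are constructed for this demonstration):

```cpp
#include <cstdint>
#include <string>

// Constructed hierarchy: Derived and Sibling both derive from Base, but only
// Derived carries a pointer member. Using a Sibling where a Derived is expected
// is the "incompatible base type instead of a derived type" case.
struct Base { virtual ~Base() = default; int id = 0; };
struct Derived : Base { const char* name = "derived"; };
struct Sibling : Base { int64_t counter = 0x4141414141414141; };  // constructed value

// Unchecked downcast: static_cast only verifies at compile time that the
// cast is allowed by the type hierarchy (Base -> Derived). It never looks at
// the object's actual runtime type, so it happily returns a non-null pointer
// to a Sibling as if it were a Derived; dereferencing name would then read
// Sibling::counter as a pointer (undefined behaviour, hence never done here).
Derived* unchecked_downcast(Base* b) {
    return static_cast<Derived*>(b);
}

// Checked downcast: dynamic_cast consults RTTI and compares the object's real
// runtime type; an incompatible object yields nullptr instead of a live
// pointer to mis-typed memory, so the caller can refuse to proceed.
Derived* checked_downcast(Base* b) {
    return dynamic_cast<Derived*>(b);
}

// True when the static check alone lets a Sibling through as a Derived.
bool unchecked_cast_accepts_sibling() {
    Sibling s;
    Base* b = &s;
    return unchecked_downcast(b) != nullptr;
}

// True when the runtime check correctly rejects the same object.
bool checked_cast_rejects_sibling() {
    Sibling s;
    Base* b = &s;
    return checked_downcast(b) == nullptr;
}

// The runtime check still accepts a genuine Derived, so it is not over-strict.
bool checked_cast_accepts_real_derived() {
    Derived d;
    Base* b = &d;
    Derived* p = checked_downcast(b);
    return p != nullptr && std::string(p->name) == "derived";
}
```

The sanitizer approach in the talk generalises the dynamic_cast check to every cast in the program, including those that static_cast would otherwise leave unverified.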
##And finally, Artificial consciousness
##HACKING, TOOLS and FUN – CHECK BELOW!
AppSec Ezine Must see
URL: https://link.medium.com/h9qeqgiCibb
Description: Dropbox SSRF (Server Side Request Forgery).
URL: https://link.medium.com/x2VUw0mcubb
Description: Firefox – How a website could steal all your cookies (CVE-2020-15647).
URL: https://nechudav.blogspot.com/2020/11/31k-ssrf-in-google-cloud-monitoring.html
Description: 31k$ SSRF in Google Cloud Monitoring led to metadata exposure.
Links HERE and HERE and credits to HERE