Security Stack Sheet #112

 Word of the Week

“Black Friday and Cyber Monday”

Black Friday retail cybersecurity

1. Watch out for fake websites

2. Only use secure sites – check for HTTPS and, more importantly, that the domain name is the retailer's real one; the padlock only proves the connection is encrypted, not that the shop is legitimate

3. Pay by credit card rather than debit card when shopping online – it carries stronger fraud protection and is not linked directly to your bank balance

4. Beware of phishing emails

5. Avoid deals that are too good to be true 

6. Use strong passwords / passphrases and two-factor authentication

7. Watch out for social media scams

8. Avoid public Wi-Fi when shopping (if you can go out at all, of course)

9. Ensure all your software is up to date  

10. Monitor bank statements for fraudulent activity

AND for retailers

1. Magecart/E-skimming

2. Third-party vendors

3. The increased danger of open-source software vulnerabilities

4. And all the others…

Links HERE and HERE and HERE and HERE and HERE and HERE

 

Word of the Week Special

“Rootless containers”

Rootless containers refers to the ability for an unprivileged user to create, run and otherwise manage containers. This term also includes the variety of tooling around containers that can also be run as an unprivileged user.

“Unprivileged user” in this context refers to a user who does not have any administrative rights, and is “not in the good graces of the administrator” (in other words, they do not have the ability to ask for more privileges to be granted to them, or for software packages to be installed).

Pros:

  • Can mitigate potential container-breakout vulnerabilities (Not a panacea, of course)
  • Friendly to shared machines, especially in HPC environments
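An added example (the editor's, not code from the rootless-container links) of the mechanism that makes the first "pro" true: the kernel's user-namespace id mapping, visible in /proc/<pid>/uid_map, turns a rootless container's "root" into an ordinary user on the host. The two uid_map contents below are constructed samples in the shape podman or rootlesskit produce; the only assumption is the kernel's default overflow uid of 65534.

```python
"""Added example: parse /proc/<pid>/uid_map and translate container uids to host uids.
Each uid_map line reads
    <first id inside the namespace> <first id on the host> <length of the range>
and any id with no matching range maps to the kernel overflow id (65534, "nobody")."""

OVERFLOW_UID = 65534  # kernel default, see /proc/sys/kernel/overflowuid

# Constructed sample: the shape podman or rootlesskit produce for host user 1000
# with an /etc/subuid entry "1000:100000:65536".
ROOTLESS_UID_MAP = "         0       1000          1\n         1     100000      65536\n"
# Constructed sample: a rootful container or a process outside any user namespace
# (identity mapping of the full 32-bit uid range).
ROOTFUL_UID_MAP = "         0          0 4294967295\n"


def parse_uid_map(text):
    """Return the mapping as a list of (inside, outside, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def host_uid(container_uid, uid_map_text):
    """Translate a uid as seen inside the container to the uid the host kernel
    actually checks permissions against."""
    for inside, outside, length in parse_uid_map(uid_map_text):
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return OVERFLOW_UID


def is_rootless(uid_map_text):
    """Rootless means the container's uid 0 is not uid 0 on the host, so a breakout
    lands the attacker in an unprivileged account rather than as real root."""
    return host_uid(0, uid_map_text) != 0


if __name__ == "__main__":
    for name, text in (("rootless", ROOTLESS_UID_MAP), ("rootful", ROOTFUL_UID_MAP)):
        print(f"{name}: container root == host uid {host_uid(0, text)}, "
              f"container uid 1000 == host uid {host_uid(1000, text)}")
    try:  # the mapping of this very process, if we are on Linux
        with open("/proc/self/uid_map") as f:
            print("this process:", "rootless user namespace" if is_rootless(f.read())
                  else "identity-mapped (no rootless namespace)")
    except OSError:
        pass
```

Inside a rootless podman container `cat /proc/self/uid_map` shows exactly the first shape; a file owned by a host uid outside the mapped range appears as "nobody". The caveat behind "not a panacea": the mapping does nothing against a kernel bug reachable from an unprivileged user namespace, which still yields real root on the host.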

Links HERE and HERE and HERE and HERE

Bonus


Link HERE


Link HERE

A thread…


Link HERE

Crypto challenge of the week

HV20.(-1) Twelve steps of Christmas

[Image: QR code]

On the third day of Christmas my true love sent to me…

three caesar salads,
two to (the) six arguments,
one quick response

Link HERE

Dates

  • May 25th 2018: Over 2 years of GDPR live! See the incidents section below – GDPR Enforcement Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 is the minimum for proper security – HTTPS everywhere HERE
  • Do not delay your TLS 1.2 migration beyond June 2020, or a few things will stop working (browsers, Office 365, Cisco and many others)
  • January 2020 – Qualys SSL Labs caps any server still offering TLS 1.0 or 1.1 at grade B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit (properly) Finalised?
  • 1st of July 2021 – Freedom from viruses?

Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca 


Link HERE and HERE

AND

Travelers Are Buying Fake COVID-19 Test Results on the Black Market
Link HERE

Artificial intelligence model detects asymptomatic Covid-19 infections through cellphone-recorded coughs

Results might provide a convenient screening tool for people who may not suspect they are infected

Link HERE

  • November 3rd 2020: Trump’s second term start

Media Sauce: #Trumpistan — where to find the real and unreal news on Trump

The U.S. Divorce Rate Has Hit a 50-Year Low

Link HERE

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • December 31st, 2020 Flash End-of-Life
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1

Book of the month

Remember: Amusing Ourselves to Death

Link HERE

AND

“It is difficult to get a man to understand something when his salary depends upon his not understanding it.”
~ Upton Sinclair

Making Sense

Link HERE

Link HERE

Comic of the week

Working At Home Benefits - Dilbert by Scott Adams

##Some OWASP stuff first

–State of Software Security v11: Key Takeaways for Developers

We recently released volume 11 of our annual State of Software Security (SOSS) report, which analyzes the security activity and history of applications Veracode scanned during a one-year period. Giving us a view of the full lifecycle of applications, that data tells us which languages and vulnerabilities to keep an eye on, and how factors like scanning frequency can impact your remediation time.

This year’s report also explores the idea of nature vs. nurture when remediating flaws and improving security. In other words, which security factors do developers like you have control over, and which are completely out of your hands? You likely have no control over the size of your organization and even the size of your application (“nature”), but you can “nurture” factors like frequency and scanning via API to improve security efforts

Remediate Faster

Link HERE

 

 

–EP. #81, EXPOSING THE SOURMINT SCANDAL WITH DANNY GRANDER

In episode 81 of The Secure Developer, Guy Podjarny is joined by Danny Grander, Co-founder and Chief Security Officer at Snyk, to discuss SourMint – a malicious SDK that has been integrated into popular apps, seeing a total of 1.2 billion downloads per month. This was before it was exposed by the Snyk research team! Here, we summarize the scandal and unpack exactly what SourMint is, with details on how it tracks Android and iOS user behaviour while allowing for remote command execution. Guy and Danny also reflect on the challenge of protecting people who are using old versions of apps that still have malicious SDK integrated into them

Link HERE


Link HERE

–When Security Controls Lead to Security Issues

The job of security professionals is to protect customers' assets and, even more today, customers' data. The security landscape is full of solutions that help to improve security by detecting (and blocking) threats knocking on organizations' doors. Sometimes such solutions have side effects that go in the opposite direction and make customers more vulnerable to attack.

Here is a perfect example of a security control that could lead to a critical issue.

Link HERE

–Augmenting Penetration Testing with Lightweight Static Analysis

Link HERE

 

Events

OWASP events HERE

SEC4DEV

Security for Software Developers

22-23 Feb´21 – 2-Day Bootcamps
24-25 Feb´21 – Conference

Link HERE


Link HERE

A day in the life of a Tech Security Engineer – by Amazon

Tuesday, 8th of December 2020
5-6 PM (GMT) / 6-7 PM (CET)

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


MobileIron remote code execution vulnerability is a target

The NCSC has issued an alert on the MobileIron remote code execution vulnerability (CVE-2020-15505) being exploited by nation states and criminal groups.

In the US, the Cybersecurity and Infrastructure Security Agency (CISA) released an alert (AA20-283A) noting chaining of newer and legacy vulnerabilities by threat actors

Black Friday Consumer Risks

New research states that 84% of consumers are willing to share their personal details during Black Friday sales in a bid to save money.

The research shows that the majority of shoppers are willing to hand over personal data such as email addresses and telephone numbers to take advantage of bargains they receive or see online. As many people have experienced additional financial strain due to the COVID-19 pandemic, the desire to save money has increased significantly and criminals are, therefore, more likely to exploit it.

Manchester United suffer cyber attack

Manchester United Football Club disclosed that they had been subjected to a cyber attack last week.

In a statement, Manchester United said they were not aware of any impact upon personal data for fans and customers

Privacy of British athletes targeted by criminals

The private pictures of four female British athletes have been posted online following a cyber attack targeting sport stars and celebrities.  

One of the incidents included private images being stolen from iCloud and the process has begun to remove these from the dark net. Accessing and leaking someone’s personal data is utterly reprehensible

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 111: API vulnerabilities in AWS, Tesla Backup Gateway, Twitter

  • Vulnerability: AWS Resource-Based Policy APIs

Researchers at Unit42 found that 22 APIs across 16 different AWS services can be abused to leak (enumerate) Identity and Access Management (IAM) users and roles, including those in other AWS accounts.

  • Vulnerability: Tesla Backup Gateway APIs

Derek Abdine has looked into API security in Tesla Backup Gateways, which are part of the Powerwall and Powerpack systems. Gateways determine when to charge the batteries, when to send the power back to the power grid, and what combination of solar, battery, and grid energy to use to power the house

  • Vulnerability: Twitter Fleets

Twitter Fleets are the newly launched ephemeral media posts that are supposed to disappear after 24 hours.

However, a researcher found that the APIs behind the feature still allow access to older fleets.

Link HERE

 

Incidents & events detail

New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service

NAT Slipstreaming to Bypass Firewall

Link HERE

Office 365 phishing abuses Oracle and Amazon cloud services

Link HERE

Alexa, Disarm the Victim’s Home Security System

Researchers who last year hacked popular voice assistants with laser pointers take their work to the next level

Link HERE

2FA bypass in cPanel potentially exposes tens of millions of websites to hack

Link HERE

Tesla Bluetooth Vulnerability Could be Exploited to Steal Model X Vehicles

The keyless entry system for Tesla Model X automobiles is vulnerable to a Bluetooth attack that could be exploited to steal a Model X. The attack involves a flaw in the firmware update process for Tesla Model X key fobs. Tesla will start pushing out over-the-air updates for the affected key fobs this week.
[Neely]
This attack leverages vulnerabilities in the key fob firmware update, the target vehicle’s VIN, as well as the use of an electronic control unit salvaged from another Model X to accomplish, making the attack rig a bit bulky. Updates are being released for both the in-vehicle systems and the key fob firmware.
[Pescatore]
Keyless entry on cars is, to me, like digital watches – what seems like a cool use of technology turns out to be a downgrade in capabilities and safety. There is a good reason why ATM machines still require a physical card to be inserted, not just a PIN entered.
[Murray]
Keyless entry systems are all about the eternal trade-off between convenience and security. For security, prefer keyless entry based upon mobiles to those based on tokens or “fobs.”

Link HERE

Luxottica data breach exposes 820K EyeMed, LensCrafters patients

Link HERE

$25,000 GitHub pages RCE via YAML file – Bug Bounty Reports Explained

Link HERE and other bug bounty reports explained HERE

Microsoft says it’s time for you to stop using SMS and voice calls for multi-factor authentication

Link HERE

Romanian Police Arrest Malware Purveyors

Police in Romania have arrested two individuals in connection with three online services that are designed to help malware evade detection by antivirus software. The investigators also took down relevant servers in Romania, Norway, and the US.
[Honan and Murray]
Congratulations to all those involved in this operation. It is heartening to see the increasing numbers of successful international operations against cybercriminals

Link HERE

Gift card hack exposed – you pay, they play

Link HERE

Chinese hacking competition cracks Chrome, ESXi, Windows 10, iOS 14, Galaxy S20, QEMU, and more

VMware warns of incoming security fix after attackers get root on host


Link HERE

GoDaddy Employees Tricked Into Changing DNS Settings for Cryptocurrency Domains

Attackers used social engineering to trick employees at domain name registrar GoDaddy into transferring control of several cryptocurrency-related domains. The bad actors managed to gain access to some Liquid.com customer data. NiceHash noticed traffic was being redirected. The company froze customer accounts for 24 hours while it ensured that the domain settings were returned to normal.
[Honan]
Your organisation’s domain name is a key asset and should be appropriately protected. Ask your registrar about getting a registry lock or domain lock service for your domain to make unauthorized changes more difficult.

Link HERE

UK cyber security agency aiding Manchester United after cyber attack - Manchester Evening News

Link HERE

Research of the week

Architecture of a ransomware

Over the last couple of months we've seen a rise in ransomware-related incidents, mostly due to the increase in remote work because of COVID-19. Nevertheless, not all ransomware works in the same way, and in order to have a better incident response in the event of a successful attack, we should have a good understanding of its inner workings. This can hopefully help you to reverse the encryption mechanism of the ransomware, or at least prevent further infection.

Link HERE

Mitre ATT&CK® Mappings for Amazon GuardDuty

GuardDuty operates on three data sources: CloudTrail, VPC flow logs (netflow), and DNS logs. Thus it doesn’t have a lot of visibility, which makes sense when we consider the Shared Responsibility model. Additionally, many GuardDuty Findings are anomaly detections rather than categorical detections. Modelling some of these GuardDuty Findings into Mitre ATT&CK can be a bit of a square peg in a round hole so it’s not a perfect science by any means. I clearly diverged with AWS on some of their own mappings as you’ll see Persistence Findings mapped to Discovery and so forth

Mapping

Link HERE

Zero Trust architectures: An AWS perspective

Our mission at Amazon Web Services (AWS) is to innovate on behalf of our customers so they have less and less work to do when building, deploying, and rapidly iterating on secure systems. From a security perspective, our customers seek answers to the ongoing question What are the optimal patterns to ensure the right level of confidentiality, integrity, and availability of my systems and data while increasing speed and agility? Increasingly, customers are asking specifically about how security architectural patterns that fall under the banner of Zero Trust architecture or Zero Trust networking might help answer this question.

Given the surge in interest in technology that uses the Zero Trust label, as well as the variety of concepts and models that come under the Zero Trust umbrella, we’d like to provide our perspective. We’ll share our definition and guiding principles for Zero Trust, and then explore the larger subdomains that have emerged under that banner. We’ll also talk about how AWS has woven these principles into the fabric of the AWS cloud since its earliest days, as well as into many recent developments. Finally, we’ll review how AWS can help you on your own Zero Trust journey, focusing on the underlying security objectives that matter most to our customers. Technological approaches rise and fall, but underlying security objectives tend to be relatively stable over time. (A good summary of some of those can be found in the Design Principles of the AWS Well-Architected Framework)

Link HERE

Industrial Traffic Collection: Understanding the implications of Deploying visibility without impacting production

Due to the critical nature of industrial environments and the lifetime of deployed assets, many organizations do not have complete knowledge of what assets are operating in the environment and what communications are involved. With the continuous move to IP based communications for controls equipment, Cybersecurity continues to increase in importance and is a priority for many executives. Industrial controls are unique because they are interfacing with the real world, which has implications on human safety and the ability of an organization to maintain operations. Unfortunately, the criticality of these devices and the lack of robust network functions on many often requires the use of passive solutions to gather information. This paper will focus on outlining the potential impact of collecting network traffic, discussing the functions available on networking equipment to enable it, identifying possible deployment architectures and the pros and cons of each, and explaining a methodology to calculate the potential impacts

Link HERE

 

Tool of the week

InfoSec Black Friday Deals 2020

All the deals for InfoSec related software/tools this Black Friday / Cyber Monday

Link HERE

Hashicorp Vault Policy Masterclass

Link HERE

Code Signing, a Trust and Integrity Control for AWS Lambda

Link HERE

Risk Analysis

One of the foundational areas of The Open Group Security Forum is risk analysis—specifically, quantitative risk analysis and the Open FAIR™ Body of Knowledge. Over the years, the Security Forum has updated The Open Group Risk Analysis (O-RA) Standard and The Open Group Risk Taxonomy (O-RT) Standard and published numerous supporting documents to aid both new and experienced risk analysts. Among these publications are the Open FAIR™ Risk Analysis Process Guide, the Open FAIR™ Risk Analysis Tool, and “cookbooks” demonstrating how Open FAIR fits within other risk assessment frameworks

Link HERE
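As an added illustration of what "quantitative risk analysis" means in Open FAIR terms (this is the editor's example, not code from The Open Group or the Open FAIR Risk Analysis Tool): a small Monte Carlo that derives Loss Event Frequency from Threat Event Frequency and Vulnerability, and Vulnerability from the contest between threat capability and control resistance strength. All ranges are constructed (min, most likely, max) estimates, and triangular distributions stand in for the calibrated PERT-style ranges the standard uses.

```python
"""Added example: Open FAIR style annualized loss exposure by Monte Carlo.
    Vulnerability        = P(threat capability > resistance strength)
    Loss Event Frequency = Threat Event Frequency x Vulnerability
    Annual loss          = sum of the loss magnitudes of that year's loss events"""
import random

# Constructed calibrated estimates as (min, most likely, max); not measured data.
TEF = (2, 6, 12)                            # threat events per year
THREAT_CAPABILITY = (20, 55, 90)            # percentile of the threat population
RESISTANCE_STRENGTH = (40, 70, 95)          # percentile of threats the control stops
LOSS_MAGNITUDE = (10_000, 50_000, 400_000)  # loss per loss event


def loss_event_frequency(tef, vulnerability):
    """Open FAIR: LEF = TEF x Vulnerability (loss events per year)."""
    return tef * vulnerability


def expected_annual_loss(tef, vulnerability, loss_magnitude):
    """Point estimate of annualized loss exposure: LEF x LM."""
    return loss_event_frequency(tef, vulnerability) * loss_magnitude


def _sample(rng, estimate):
    """Draw from a triangular distribution given (min, most likely, max).
    random.triangular's argument order is (low, high, mode)."""
    lo, ml, hi = estimate
    return rng.triangular(lo, hi, ml)


def vulnerability(tcap=THREAT_CAPABILITY, rs=RESISTANCE_STRENGTH, samples=20_000, seed=7):
    """Vulnerability = P(threat capability exceeds resistance strength), by sampling."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(samples) if _sample(rng, tcap) > _sample(rng, rs))
    return hits / samples


def simulate_annual_loss(years=20_000, seed=7, tef=TEF, tcap=THREAT_CAPABILITY,
                         rs=RESISTANCE_STRENGTH, lm=LOSS_MAGNITUDE):
    """Per simulated year: draw a number of threat events, decide per event whether
    the control holds, and sum the loss magnitude of the events that get through."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = round(_sample(rng, tef))
        loss = 0.0
        for _ in range(events):
            if _sample(rng, tcap) > _sample(rng, rs):
                loss += _sample(rng, lm)
        annual.append(loss)
    return annual


def summarize(annual):
    """Mean and tail percentiles of the simulated loss distribution."""
    s = sorted(annual)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {"mean": sum(s) / len(s), "p50": pct(0.50), "p90": pct(0.90),
            "p99": pct(0.99), "max": s[-1]}


if __name__ == "__main__":
    v = vulnerability()
    print(f"vulnerability ~ {v:.2f}; point-estimate ALE at TEF=6, LM=150k ~ "
          f"{expected_annual_loss(6, v, 150_000):,.0f}")
    for name, value in summarize(simulate_annual_loss()).items():
        print(f"{name:>4}: {value:>12,.0f}")
```

The p90/p99 figures are the part a point estimate hides: they are what a loss-exceedance curve reports, and the reason FAIR practitioners argue about tail ranges rather than a single "expected loss".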

AWS Control Tower By Example

Link HERE

Themis provides strong, usable cryptography for busy people

General-purpose cryptographic library for storage and messaging for iOS (Swift, Obj-C), Android (Java, Kotlin), desktop Java, C/C++, Node.js, Python, Ruby, PHP, Go, Rust, WASM.

Perfect fit for multi-platform apps. Hides cryptographic details. Made by cryptographers for developers

Link HERE

Awesome Azure Security Awesome

A curated list of awesome Microsoft Azure Security tools, guides, blogs, and other resources.

Link HERE

CrowdSec

CrowdSec is open-source, lightweight software that detects peers with aggressive behaviour and prevents them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier to entry and nevertheless a high security gain.

Link HERE
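An added example (the editor's, not CrowdSec's code) of the local detection loop behind this kind of behaviour-based blocking, run over a few constructed sshd log lines: a source IP is flagged once it produces at least a threshold of failed logins inside a sliding time window, and a ban decision with an expiry is recorded. The log lines, thresholds and IP addresses are all made up; real CrowdSec parses many log formats, enforces decisions through "bouncers" and shares reputation across its users, none of which is modelled here.

```python
"""Added example: sliding-window brute-force detection over sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_AUTH_LOG = """\
Nov 27 10:00:01 web sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 27 10:00:03 web sshd[1203]: Failed password for root from 203.0.113.7 port 51023 ssh2
Nov 27 10:00:04 web sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Nov 27 10:00:05 web sshd[1207]: Accepted publickey for deploy from 198.51.100.12 port 40010 ssh2
Nov 27 10:00:06 web sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Nov 27 10:00:08 web sshd[1211]: Failed password for invalid user git from 203.0.113.7 port 51026 ssh2
Nov 27 10:05:00 web sshd[1300]: Failed password for alice from 198.51.100.12 port 40011 ssh2
Nov 27 10:20:00 web sshd[1400]: Failed password for alice from 198.51.100.12 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(text, year=2020):
    """Yield (timestamp, source ip, user) for each failed-password line.
    Syslog timestamps carry no year, so it is an explicit parameter."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect(text, threshold=5, window_s=60, ban_s=4 * 3600):
    """Return {ip: ban expiry as an ISO-8601 string} for every source that crossed
    the threshold. Events from an ip whose ban is still active are ignored, as a
    bouncer would already have dropped them at the firewall."""
    window, ban = timedelta(seconds=window_s), timedelta(seconds=ban_s)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    decisions = {}                # ip -> datetime when the ban lapses
    for ts, ip, _user in parse_failures(text):
        if ip in decisions and ts < decisions[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            decisions[ip] = ts + ban
            q.clear()                     # count afresh once the ban lapses
    return {ip: until.isoformat() for ip, until in decisions.items()}


if __name__ == "__main__":
    for ip, until in detect(SAMPLE_AUTH_LOG).items():
        print(f"ban {ip} until {until}")
```

With the defaults only 203.0.113.7 (five failures in seven seconds) is banned; 198.51.100.12's two failures fifteen minutes apart stay under the threshold. Tuning is the whole game: shrink the window to five seconds and the same burst no longer trips the rule, which is the kind of evasion a slow, distributed brute force relies on.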

Other interesting articles 

##Scenario Planning – The Best Technique You Might Not Be Using

Scenario planning is one of the most underutilized techniques in security. Which is surprising given how effective it is in [good] corporate strategic planning and enterprise risk management. In its simplest form it provides a narrative structure to discuss potential future events (good and bad) and to project what reasonable steps should then be taken. This includes what early signals or triggers to watch out for that might indicate such a scenario is starting to happen

Link HERE

AND

Simple Rules of (InfoSec) Career Success – Updated

Over the years I’ve noted the behaviours I’ve seen from consistently successful people. In this context I define success as a balance of getting worthwhile results for their customers, increasing their span of influence for the wider good and being highly regarded as coaches for improving the lives of their teams. Naturally, all of these behaviours are markers of success in any role, and this could be a much longer list – but, in my experience, these are the ones I’ve observed make the most difference consistently

Link HERE

 

##How world wide web inventor Tim Berners-Lee plans to break Big Tech’s chokehold on your personal data

Solid is an idea and company started by Tim Berners-Lee, the inventor of the world wide web. The idea is that you put all your data into a Solid Pod, and then you give granular access to that data to others. So rather than your data being owned and controlled by various corporations, you’d have it all yourself and you’d just give access to groups that provide you functionality

Link HERE

 

##Cloudflare says in 10 years cybersecurity will be more like a ‘water filtration system’

Cloud-based solutions will screen out attackers before they can do much damage

Link HERE

 

##And finally, Blackbeard, Crew Were Pawns In Failed Coup

Popular culture’s embrace of the adventure and romance of piracy has hidden the true reasons for Blackbeard’s demise at Ocracoke.

After many years of research and study, my analysis is that Blackbeard was merely a pawn in the midst of a failed political coup and his wrongful death — but not murder — was the result of an illegal incursion into the proprietary colony of North Carolina by her disdainful neighbour, the royal colony of Virginia

Link HERE

AND

Study helps explain why motivation to learn declines with age

Research on mice suggests aging affects a brain circuit critical for learning to make some types of decisions
Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://www.rcesecurity.com/2020/11/Smuggling-an-un-exploitable-xss/

Description: Smuggling an (Un)exploitable XSS.

URL: https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

Description: ImageMagick – Shell injection via PDF password.

Links HERE and HERE and credits to HERE

 

 
