Word of the Week
“Cloud Security Threats for 2021”
Data Science Tool Attacks
Bots Could Infect Cloud Legacy Assets
More Kubernetes Compromises Coming
Word of the Week Special
“I’m from Security and I’m here to help”
I’ve had engineers tell me “safety/security is NOT my concern, I just design things”
I’ve had software folks tell me “all I do is code”
I’ve had DBAs tell me “I just make sure the system works”
I’ve had execs tell me “it’s not my problem” OR “it’ll never happen to us”
Well folks, guess what, that shit stops now.
A team of people built a plane
A team of people outfitted it with ALL sorts of gizmos to make it fly
A team of people designed things, built things, coded things and made blinky things work
A team of people signed off on it
A government agency approved it
A leadership team stood behind it
And a software flaw killed the very people who relied upon it.
“Secrets… are the root of cool”
Crypto challenge of the week
Santa was given a nice bracelet by one of his elves. Little does he know that the secret admirer has hidden a message in the pattern of the bracelet…
No internet is required – only the bracelet
The message is encoded in binary
Violet color is the delimiter
Colors have a fixed order
Missing colors matter
COVID-19 themed attacks launched from October 1 to December 5, 2020
Phishing Campaign Targets COVID Cold Chain
An IBM Security X-Force threat intelligence task force “recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain.” British regulators have approved Pfizer’s vaccine; US regulators are scheduled to evaluate Pfizer’s and Moderna’s vaccines next week. Once vaccines are approved, they must be transported at extremely low temperatures, hence the term cold chain for the companies that will provide the specialized refrigeration for vaccine storage and transportation. EU regulators are due to approve this vaccine over the coming weeks.
Misusing OSINT to claim election fraud
Book of the month
Remember: AppSec ABCs
Remember: Cahier de vacances pour la sécurité numérique
Comic of the week
##Some OWASP stuff first
–Web Security Testing Guide (WSTG) v4.2
In keeping with a continuous delivery mindset, this new minor version adds content and improves the existing tests.
–$10000 Facebook SSRF (Bug Bounty)
Subdomains Enumeration + File Bruteforcing + Code Review = $10K Blind SSRF
The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network
–Announcing the Snyk and Docker Security Guide for Developers
Snyk and Docker have partnered to bring developer-centric security, powered by Snyk, to the world’s most popular container developer tools, Docker Desktop and Docker Hub
–Serving the right recipe for API authentication
Compared to a decade ago, the meaning of authentication has changed significantly. Modern applications not only authenticate users but also rely on authentication for API access and inter-service communication. Authentication mechanisms still include passwords, but also rely on API keys, signed JWT tokens, and cryptographic authenticators. With so many options to choose from, making the right choice becomes a difficult challenge.
–The 2020 State of the Octoverse – Securing the World’s Software
OWASP events HERE
OPEN Security Mini Summit
OWASP Israel December 2020
Cloud Native Security Day North America 2020
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
Ransomware disrupts Maryland students
Phishing attacks focus on online shoppers
API Security Issue 112: Vulnerability in Paginator, Microsoft RESTLer, talks on API authentication and JWT security
Incidents & events detail
Privilege Escalation in AKS Clusters
Default AKS cluster stores admin credentials in Kubernetes ConfigMap
Aerospace Company Embraer Discloses Cyberattack
Brazilian aerospace conglomerate Embraer has disclosed that one of its systems was hit with a cyberattack in November. The incident has been reported to Brazil’s Securities and Exchange Commission.
TrickBot’s Up to New Tricks
A new component in the TrickBot botnet/banking Trojan is capable of modifying the Unified Extensible Firmware Interface (UEFI) on targeted computers. This new feature “makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device,” according to researchers at Eclypsium and AdvIntel.
DarkIRC bot exploits recent Oracle WebLogic vulnerability
Britain puts a new offensive cyber force at the heart of its defence
The National Cyber Force of soldiers and spies has been quietly hacking away, but it must tread carefully
iOS Flaw Could Have Been Exploited to Take Control of Vulnerable Devices
A Google Project Zero researcher has found a bug that could have been exploited to take control of iOS devices without user interaction. Ian Beer found that a memory corruption bug affecting the iOS kernel could be exploited through Wi-Fi to remotely gain control of nearby iOS devices. Apple patched the flaw in May 2020 with iOS 12.4.7, iPadOS & iOS 13.5 and watchOS 5.3.7 & 6.2.5.
Research of the week
Evilginx-ing into the cloud: How we detected a red team attack in AWS
It’s no secret that we’re fans of red team exercises here at Expel. What we love even more, though, is when we get to detect a red team attack in AWS Cloud.
Authentication between microservices using Kubernetes identities
Service Account Token Volume projection allows you to associate non-global, time-bound and audience-bound service tokens with your Kubernetes workloads.
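A projected service account token volume of the kind this item describes, as an added example that is not from the linked article; the pod, service account, image, audience and mount path names are assumptions:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: orders-client                    # assumed workload name
spec:
  serviceAccountName: orders-client      # assumed service account
  containers:
  - name: app
    image: example.com/orders-client:1.0 # placeholder image
    volumeMounts:
    - name: orders-api-token
      mountPath: /var/run/secrets/tokens # assumed mount path
      readOnly: true
  volumes:
  - name: orders-api-token
    projected:
      sources:
      - serviceAccountToken:
          path: orders-api-token
          audience: orders-api           # token carries aud=orders-api only
          expirationSeconds: 3600        # short-lived; kubelet rotates it before expiry
```

The token is not a long-lived Secret: it is bound to this pod, expires, and is only valid for the named audience, so the receiving service should verify the aud claim (for example through a TokenReview with the same audiences value) and reject tokens minted for anything else.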
Whac-A-Mole: Six Years of DNS Spoofing
DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is a particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see.
Exploiting dynamic rendering engines to take control of web apps
Top 5 AI Achievements of 2020
AI made significant progress in 2020; the world celebrated many AI/ML accomplishments in NLP, computer vision and robotics.
2. AI-Enabled Healthcare and Drug Discovery
3. Graphics, Animation, Image, and Video Processing
4. Motion and Gestures
5. Processing Power: NVIDIA AI Accomplishment
Outstanding AI applications related to healthcare in hospitals
AI tools helping special people
Smart devices guiding people in solving daily queries
High evolution, adaption, and AI-based research
AI involved in fake news generation
Creating porn fakes from media available on social platforms
Autonomous vehicle killing a pedestrian
Data biases causing issues in AI applications
AI system attacking production facility
Tool of the week
Link HERE – thanks to A
Announcing the Atheris Python Fuzzer
Fuzz testing is a well-known technique for uncovering programming errors. Many of these detectable errors have serious security implications. Google has found thousands of security vulnerabilities and other bugs using this technique. Fuzzing is traditionally used on native languages such as C or C++, but last year, we built a new Python fuzzing engine. Today, we’re releasing the Atheris fuzzing engine as open source.
Exposes your cloud configuration and metadata as SQL tables, providing powerful analysis and monitoring without writing code.
Kubernetes Audits Introduction
Monitoring the security aspects of a system as complex as Kubernetes can get frustrating, especially when you want simple answers to simple questions (e.g., what happened? when did it happen?). That is exactly where Kubernetes audits come into play.
Untrusted Types is a Chrome extension that abuses Trusted Types to log DOMXSS sinks. Requires Chrome v85+
S3 Objects Check
Whitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects.
Allows identifying publicly accessible objects, as well as objects accessible to AuthenticatedUsers (by using a secondary profile). A number of tools exist which check permissions on buckets, but due to the complexity of IAM resource policies and ACL combinations, the effective permissions on specific objects are often hard to assess. The tool runs fast as it uses asyncio and aiobotocore.
urlhunter is a recon tool that allows searching for URLs that are exposed via shortener services such as bit.ly and goo.gl. The project is written in Go.
IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance
An admission controller for Kubernetes that integrates image signature verification into a cluster, as a means to ensure that only valid images are deployed.
GoogleCloud: Monitor and secure your containers with new Container Threat Detection
Open-Source Endpoint Detection and Response with CIS Benchmarks, Osquery, Elastic Stack, and TheHive
Other interesting articles
##DeepMind’s protein-folding AI has solved a 50-year-old grand challenge of biology
##How Eth2.0 mitigates specific PoS (Proof of Stake) attacks
In December 2020, the ETH2.0 Beacon Chain launched. This Phase 0 launch forms part of a multi-year process that will see ETH1.x transform from a PoW (Proof of Work) to a PoS (Proof of Stake) blockchain.
This is an exciting period in Ethland and is the product of years of research into optimal solutions to ensure Ethereum remains secure and decentralized despite a change of consensus mechanism. It has been a long-held belief that PoW offers the strongest security guarantees, unlike, say, PoS.
Link HERE – thanks to TK
##HOW TO DETECT A HIDDEN CAMERA IN A ROOM
##Introducing Amazon Curate (I Wish)
There are thousands or even millions of creators putting out great content that nobody is seeing.
Amazon Curate is a new product that combines content discovery with content personalization.
##Why Is Apple’s M1 Chip So Fast?
Real-world experience with the new M1 Macs has started trickling in. They are fast. Real fast. But why? What is the magic?
##And finally, a practical guide to working remotely with all 16 personality types
Experts weigh in on how classic Myers-Briggs personality traits translate to remote work and can be the key to successful collaboration.
Welcome to the new Middle Ages
Rising inequality, lower mobility, contempt for the poor and widespread celibacy — we’re returning to the past.
Today the richest 40 Americans have more wealth than the poorest 185 million Americans. The leading 100 landowners now own 40 million acres of American land, an area the size of New England. There has been a vast increase in American inequality since the mid-20th century, and Europe — though some way behind — is on a similar course.
##HACKING, TOOLS and FUN – CHECK BELOW!
URL: https://bit.ly/3lDEFtW (+)
Description: Host `docker` binary overwrite from Kata VM.
Description: An iOS zero-click radio proximity exploit odyssey