Word of the Week: “Cloud Security Threats for 2021”: Persistency Attacks; Data Science Tool Attacks; Bots Could Infect Cloud Legacy Assets; More Kubernetes Compromises Coming; Preemptive Defense. Links HERE and HERE and HERE, and Foundations of a Multi-Cloud Security Strategy HERE
Word of the Week Special
Remember: “I’m from Security and I’m here to help”
I’ve had engineers tell me “safety/security is NOT my concern, I just design things”
I’ve had software folks tell me “all I do is code”
I’ve had DBAs tell me “I just make sure the system works”
I’ve had execs tell me “it’s not my problem” OR “it’ll never happen to us”
Well folks, guess what, that shit stops now.
A team of people built a plane
A team of people outfitted it with ALL sorts of gizmos to make it fly
A team of people designed things, built things, coded things and made blinky things work
A team of people signed off on it
A government agency approved it
A leadership team stood behind it
And a software flaw killed the very people who relied upon it.
Related to HERE and HERE and HERE. On trust HERE. On phishing HERE AND “Secrets… are the root of cool”. Conclusions: Link HERE
Bonus Link HERE Link HERE Link HERE
Crypto challenge of the week HV20.04 Br❤️celet Santa was given a nice bracelet by one of his elves. Little does he know that the secret admirer has hidden a message in the pattern of the bracelet… Hints No internet is required – only the bracelet The message is encoded in binary Violet color is the delimiter Colors have a fixed order Missing colors matter Link HERE
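A decoder for the scheme the hints describe, added here as an example (it is not part of the challenge material): beads are split into groups on the violet delimiter, and within each group a colour that is present is a 1 in its fixed bit position while a missing colour is a 0, giving one 7-bit ASCII character per group. The colour order, the 7-bit width and the sample bracelet (built with the inverse function so it spells a known string) are assumptions, not the actual bracelet from the challenge.

```python
"""Decoder for the bracelet-style encoding described in the HV20.04 hints.

Assumptions (not given by the challenge text): the fixed colour order below,
7-bit ASCII, and the sample bracelet, which is constructed here to spell a
known string so the decoder can be checked offline.
"""

# Assumed fixed order of the non-delimiter colours, most significant bit first.
COLOUR_ORDER = ["red", "orange", "yellow", "green", "blue", "indigo", "white"]
DELIMITER = "violet"


def bracelet_to_bits(beads):
    """Split the bead sequence on the delimiter colour and map each group to a
    bit string: a colour present in the group is a 1 in its fixed position, a
    colour missing from the group is a 0. Empty groups (two delimiters in a
    row, or a trailing delimiter) are skipped."""
    groups, current = [], []
    for bead in beads:
        if bead == DELIMITER:
            if current:
                groups.append(current)
            current = []
        else:
            if bead not in COLOUR_ORDER:
                raise ValueError(f"unknown colour {bead!r}")
            current.append(bead)
    if current:  # last group need not be closed by a delimiter
        groups.append(current)
    return ["".join("1" if c in g else "0" for c in COLOUR_ORDER) for g in groups]


def decode_bracelet(beads):
    """One 7-bit character per delimited group."""
    return "".join(chr(int(bits, 2)) for bits in bracelet_to_bits(beads))


def encode_bracelet(message):
    """Inverse mapping, used only to construct the sample: for each character
    emit the colours whose bit is set, then one violet bead as delimiter."""
    beads = []
    width = len(COLOUR_ORDER)
    for ch in message:
        code = ord(ch)
        if code >= 1 << width:
            raise ValueError(f"{ch!r} does not fit in {width} bits")
        bits = format(code, f"0{width}b")
        beads.extend(c for c, b in zip(COLOUR_ORDER, bits) if b == "1")
        beads.append(DELIMITER)
    return beads


# Constructed sample (not the real bracelet): spells "HV20" under the assumed order.
SAMPLE_BRACELET = encode_bracelet("HV20")

if __name__ == "__main__":
    print(bracelet_to_bits(SAMPLE_BRACELET))
    print(decode_bracelet(SAMPLE_BRACELET))
```

Transcribe the real bracelet as a list of colour names and call decode_bracelet on it; if the output is garbage, the assumed colour order (which fixes the bit positions) is the first thing to permute.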
Dates
Sanctions Explorer Link HERE
COVID-19 themed attacks launched from October 1 to December 5, 2020 Link HERE
Phishing Campaign Targets COVID Cold Chain: an IBM Security X-Force threat intelligence task force “recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain.” British regulators have approved Pfizer’s vaccine; US regulators are scheduled to evaluate Pfizer’s and Moderna’s vaccines next week. Once approved, vaccines must be transported at extremely low temperatures, hence the term “cold chain” for the companies that provide the specialized refrigeration for vaccine storage and transportation. EU regulators are due to approve this vaccine over the coming weeks. Link HERE
Misusing OSINT to claim election fraud Link HERE
Book of the month Link HERE Remember: AppSec ABCs Link HERE Remember: Cahier de vacances pour la sécurité numérique Link HERE
Comic of the week
##Some OWASP stuff first
–Web Security Testing Guide (WSTG) v4.2: in keeping with a continuous delivery mindset, this new minor version adds content as well as improving the existing tests. Link HERE
–$10,000 Facebook SSRF (Bug Bounty): subdomain enumeration + file bruteforcing + code review = $10K blind SSRF. The vulnerability could have allowed a malicious user to send internal requests to the Facebook corporate network. Link HERE
–Announcing the Snyk and Docker Security Guide for Developers: Snyk and Docker have partnered to bring developer-centric security, powered by Snyk, to the world’s most popular container developer tools, Docker Desktop and Docker Hub. Link HERE
–Serving the right recipe for API authentication: compared to a decade ago, the meaning of authentication has changed significantly. Modern applications not only authenticate users but also rely on authentication for API access and inter-service communication. Authentication mechanisms still include passwords, but also API keys, signed JWTs, and cryptographic authenticators. With so many options to choose from, making the right choice becomes a difficult challenge. Link HERE
–The 2020 State of the Octoverse – Securing the World’s Software
Events
OWASP events HERE
OPEN Security Mini Summit Link HERE
OWASP Israel December 2020 Link HERE
Re:Invent 2020 Link HERE
Cloud Native Security Day North America 2020 Link HERE
Incidents
Global ALERT level BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. Incident data HERE. Find your country.
NCSC Weekly Threat Report
Ransomware disrupts Maryland students: it has been widely reported that more than 115,000 students in the US saw their online classes disrupted following a ransomware attack. The incident, which happened just before Thanksgiving, forced schools in Maryland to remain closed into this week. Baltimore County Public Schools has described it as a “catastrophic attack on our technology system”.
Phishing attacks focus on online shoppers: cyber criminals are upping their efforts to catch out online shoppers with phishing scams disguised as delivery emails. Researchers at Check Point have reported a 440% rise in shipping-related phishing emails in the last month, with Europe seeing the biggest increase. Link HERE
– Report Vulns to NCSC HERE and Who is Government Security HERE
API Security Issue 112: Vulnerability in Paginator, Microsoft RESTler, talks on API authentication and JWT security. Link HERE
Incidents & events detail
Privilege Escalation in AKS Clusters: a default AKS cluster stores admin credentials in a Kubernetes ConfigMap. Link HERE
Aerospace Company Embraer Discloses Cyberattack: Brazilian aerospace conglomerate Embraer has disclosed that one of its systems was hit with a cyberattack in November. The incident has been reported to Brazil’s Securities and Exchange Commission. Link HERE
TrickBot’s Up to New Tricks: a new component in the TrickBot botnet/banking Trojan is capable of modifying the Unified Extensible Firmware Interface (UEFI) on targeted computers. This new feature “makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device,” according to researchers at Eclypsium and Advanced Intelligence (AdvIntel). Link HERE
DarkIRC bot exploits recent Oracle WebLogic vulnerability Link HERE
Britain puts a new offensive cyber force at the heart of its defence: the National Cyber Force of soldiers and spies has been quietly hacking away, but it must tread carefully. Link HERE
iOS Flaw Could Have Been Exploited to Take Control of Vulnerable Devices: a Google Project Zero researcher has found a bug that could have been exploited to take control of iOS devices without user interaction. Ian Beer found that a memory corruption bug affecting the iOS kernel could be exploited over Wi-Fi to remotely gain control of nearby iOS devices. Apple patched the flaw in May 2020 with iOS 12.4.7, iPadOS & iOS 13.5 and watchOS 5.3.7 & 6.2.5. Link HERE
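For the AKS item, the first question after reading the write-up is who has read the ConfigMap that carries the admin kubeconfig. Below is an added example, not from the write-up or from any tool on this page, that runs three checks over Kubernetes audit events in the audit.k8s.io/v1 layout: successful reads of a sensitive ConfigMap by anyone other than kubelets and control-plane components, exec into pods, and denied access to kube-system. The events are constructed, and the ConfigMap name cluster-admin-kubeconfig is a placeholder for whichever ConfigMap the cluster actually stores the credentials in.

```python
"""Detection over Kubernetes audit events: who read a ConfigMap holding cluster
credentials, who exec'd into pods, and who was refused access in kube-system.

Added example. The events below are constructed in the audit.k8s.io/v1 layout;
the ConfigMap name is a placeholder, not the name from the AKS write-up.
"""
import json

SENSITIVE_CONFIGMAPS = {("kube-system", "cluster-admin-kubeconfig")}  # assumed placeholder
SENSITIVE_NAMESPACES = {"kube-system"}  # a list/watch here also exposes the ConfigMap
READ_VERBS = {"get", "list", "watch"}
# Principals whose reads of kube-system are routine: kubelets and control-plane parts.
# Service accounts are deliberately NOT here; a workload reading this is the finding.
EXPECTED_READER_GROUPS = {"system:nodes", "system:masters"}
EXPECTED_READER_PREFIXES = ("system:kube-",)


def _event(verb, username, groups, resource, namespace, code, name=None,
           subresource=None, ip="10.0.0.1", ts="2020-12-04T00:00:00Z"):
    """Build one constructed audit event as the API server would log it."""
    ref = {"resource": resource, "namespace": namespace, "apiVersion": "v1"}
    if name:
        ref["name"] = name
    if subresource:
        ref["subresource"] = subresource
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
                       "stage": "ResponseComplete", "verb": verb,
                       "user": {"username": username, "groups": groups},
                       "sourceIPs": [ip], "objectRef": ref,
                       "responseStatus": {"code": code}, "requestReceivedTimestamp": ts})


AUDIT_LINES = [  # constructed sample log, one JSON event per line
    _event("get", "system:node:aks-nodepool1-0", ["system:nodes"], "configmaps", "kube-system", 200,
           name="cluster-admin-kubeconfig", ts="2020-12-04T10:00:01Z"),
    _event("get", "dev-user@example.com", ["system:authenticated"], "configmaps", "kube-system", 200,
           name="cluster-admin-kubeconfig", ip="203.0.113.7", ts="2020-12-04T10:05:12Z"),
    _event("get", "system:serviceaccount:default:web", ["system:serviceaccounts"], "configmaps",
           "kube-system", 200, name="cluster-admin-kubeconfig", ip="10.244.1.9", ts="2020-12-04T10:06:40Z"),
    _event("create", "dev-user@example.com", ["system:authenticated"], "pods", "default", 101,
           name="web-7c9d", subresource="exec", ip="203.0.113.7", ts="2020-12-04T10:07:03Z"),
    _event("list", "dev-user@example.com", ["system:authenticated"], "configmaps", "kube-system", 403,
           ip="203.0.113.7", ts="2020-12-04T10:08:30Z"),
    _event("get", "ci-bot", ["system:authenticated"], "configmaps", "default", 200,
           name="app-config", ts="2020-12-04T10:09:00Z"),
]


def is_expected_reader(user):
    groups = set(user.get("groups", []))
    return bool(groups & EXPECTED_READER_GROUPS) or \
        user.get("username", "").startswith(EXPECTED_READER_PREFIXES)


def audit_findings(lines):
    """Return one finding dict per matching event, in log order."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # one finding per request, not one per audit stage
        ref = ev.get("objectRef", {})
        user = ev.get("user", {})
        code = ev.get("responseStatus", {}).get("code", 0)
        base = {"user": user.get("username", "?"), "verb": ev.get("verb"),
                "source": ", ".join(ev.get("sourceIPs", [])),
                "time": ev.get("requestReceivedTimestamp")}
        ns, name = ref.get("namespace"), ref.get("name")
        # A named read of the sensitive map, or an unnamed list/watch of its namespace.
        touches_sensitive = (ns, name) in SENSITIVE_CONFIGMAPS or \
            (name is None and ns in SENSITIVE_NAMESPACES)
        if ref.get("resource") == "configmaps" and ev.get("verb") in READ_VERBS and touches_sensitive:
            if code == 403:
                findings.append({"rule": "denied-kube-system-access", **base})
            elif code < 300 and not is_expected_reader(user):
                findings.append({"rule": "sensitive-configmap-read", **base})
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec" and code < 300:
            findings.append({"rule": "pod-exec", **base, "pod": f"{ns}/{name}"})
    return findings


if __name__ == "__main__":
    for f in audit_findings(AUDIT_LINES):
        print(f)
```

Feed it the file the API server writes with --audit-log-path, or the webhook sink; on AKS the same events arrive through the kube-audit diagnostic log category. The read by the kubelet is filtered as routine; the read by a workload service account is kept, because a pod that can read that ConfigMap is the case the AKS item warns about.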
Research of the week
Evilginx-ing into the cloud: How we detected a red team attack in AWS. It’s no secret that we’re fans of red team exercises here at Expel. What we love even more, though, is when we get to detect a red team attack in AWS Cloud. Get ready to nerd out with us as we walk you through a really interesting red team exercise we recently spotted in a customer’s AWS cloud environment. Link HERE
Authentication between microservices using Kubernetes identities: Service Account Token Volume projection allows you to associate non-global, time-bound and audience-bound service tokens to your Kubernetes workloads. Link HERE
Whac-A-Mole: Six Years of DNS Spoofing. DNS is important in nearly all interactions on the Internet. All large DNS operators use IP anycast, announcing servers in BGP from multiple physical locations to reduce client latency and provide capacity. However, DNS is easy to spoof: third parties intercept and respond to queries for benign or malicious purposes. Spoofing is of particular risk for services using anycast, since service is already announced from multiple origins. In this paper, we describe methods to identify DNS spoofing, infer the mechanism being used, and identify organizations that spoof from historical data. Our methods detect overt spoofing and some covertly-delayed answers, although a very diligent adversarial spoofer can hide. We use these methods to study more than six years of data about root DNS servers from thousands of vantage points. We show that spoofing today is rare, occurring only in about 1.7% of observations. However, the rate of DNS spoofing has more than doubled in less than seven years, and it occurs globally. Finally, we use data from B-Root DNS to validate our methods for spoof detection, showing a true positive rate over 0.96. B-Root confirms that spoofing occurs with both DNS injection and proxies, but proxies account for nearly all spoofing we see. Link HERE
Exploiting dynamic rendering engines to take control of web apps Link HERE
Top 5 AI Achievements of 2020: AI has made significant progress in 2020, and the world has celebrated many AI/ML accomplishments in NLP, computer vision and robotics.
1. GPT-3 – The Biggest Achievement of NLP: The Language of AI
2. AI-Enabled Healthcare and Drug Discovery
3. Graphics, Animation, Image, and Video Processing
4. Motion and Gestures
5. Processing Power: NVIDIA AI Accomplishment
Pros: outstanding AI applications related to healthcare in hospitals; AI tools helping people with disabilities; smart devices guiding people in solving daily queries; rapid evolution, adaptation, and AI-based research.
Cons: AI involved in fake news generation; deepfake pornography created from media available on social platforms; an autonomous vehicle killing a pedestrian; data biases causing issues in AI applications; an AI system attacking a production facility.
Link HERE
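The API-authentication recipe in the OWASP section and the Kubernetes projected-tokens item above come down to the same receiving-side checks: pin the signature algorithm, verify the signature, then enforce issuer, audience and the time window. The block below is an added example, not code from either article. Projected service-account tokens are RS256-signed by the API server and verified against its JWKS (or through the TokenReview API); to run offline this one signs a token with HS256 under a constructed shared secret, and the issuer URL, audience name and claim values are assumptions. The claim layout (iss, sub, aud, exp and the kubernetes.io object) follows what the API server emits for projected tokens.

```python
"""Audience- and time-bound token checks for service-to-service calls.

Added example. The shared secret, issuer URL, audience and claim values are
constructed; in a cluster the token is RS256-signed and checked against the
API server's JWKS, but the claim validation below is the same either way.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret-do-not-use"  # stand-in for real key material
EXPECTED_ISSUER = "https://kubernetes.default.svc.cluster.local"  # assumed issuer value
EXPECTED_AUDIENCE = "orders-api"  # the one audience this service agrees to accept
NOW = 1607000000  # fixed clock for the constructed sample (2020-12-03)


class TokenError(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, alg: str = "HS256", key: bytes = SHARED_SECRET) -> str:
    """Issue a compact JWS. alg='none' exists here only to build a negative case."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    elif alg == "none":
        sig = b""
    else:
        raise ValueError(f"unsupported alg {alg}")
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, audience: str = EXPECTED_AUDIENCE, issuer: str = EXPECTED_ISSUER,
                 key: bytes = SHARED_SECRET, now=None, leeway: int = 30) -> dict:
    """Return the claims if every check passes, else raise TokenError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_unb64url(h64))
        claims = json.loads(_unb64url(p64))
        sig = _unb64url(s64)
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, bad split
        raise TokenError("malformed token") from exc
    # 1. The verifier pins the algorithm; the token never gets to choose it.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    # 2. Issuer and audience: a token minted for another service is not ours to accept.
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # RFC 7519 allows string or array
    if audience not in aud:
        raise TokenError("audience mismatch")
    # 3. Time bounds: exp is mandatory here; nbf is honoured when present.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("token expired or has no exp")
    if now + leeway < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


def is_valid(token: str, **kwargs) -> bool:
    try:
        verify_token(token, **kwargs)
        return True
    except TokenError:
        return False


# Constructed claims in the layout the API server uses for projected tokens.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "sub": "system:serviceaccount:shop:checkout",
    "aud": ["orders-api"],
    "iat": NOW, "nbf": NOW, "exp": NOW + 3600,
    "kubernetes.io": {"namespace": "shop",
                      "pod": {"name": "checkout-5d8f", "uid": "11111111-2222-3333-4444-555555555555"},
                      "serviceaccount": {"name": "checkout", "uid": "66666666-7777-8888-9999-000000000000"}},
}
SAMPLE_TOKEN = mint_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(verify_token(SAMPLE_TOKEN, now=NOW)["sub"])
    print(is_valid(SAMPLE_TOKEN, now=NOW, audience="payments-api"))
```

The audience check is the point of projection: a token minted for orders-api is refused by a service expecting payments-api even though its signature is valid, so a token lifted from one pod cannot be replayed against every service in the cluster. Keep exp mandatory; a token without it is unbounded.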
Tool of the week
Link HERE – thanks to A
Announcing the Atheris Python Fuzzer: fuzz testing is a well-known technique for uncovering programming errors. Many of these detectable errors have serious security implications. Google has found thousands of security vulnerabilities and other bugs using this technique. Fuzzing is traditionally used on native languages such as C or C++, but last year, we built a new Python fuzzing engine. Today, we’re releasing the Atheris fuzzing engine as open source. Link HERE
Cloudquery: exposes your cloud configuration and metadata as SQL tables, providing powerful analysis and monitoring without writing code. Link HERE
Kubernetes Audits Introduction: monitoring the security aspects of a system as complex as Kubernetes can get frustrating, especially when you want simple answers to simple questions (e.g., what happened? when did it happen?). That is exactly where Kubernetes audits come into play. Link HERE
Untrusted Types: a Chrome extension that abuses Trusted Types to log DOM XSS sinks. Requires Chrome v85+. Link HERE
S3 Objects Check: whitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects. Allows identifying publicly accessible objects, as well as objects accessible to AuthenticatedUsers (by using a secondary profile). A number of tools exist which check permissions on buckets, but due to the complexity of IAM resource policies and ACL combinations, the effective permissions on specific objects are often hard to assess. The tool runs fast as it uses asyncio and aiobotocore. Link HERE
Utku Sen’s urlhunter: a recon tool that allows searching for URLs that are exposed via shortener services such as bit.ly and goo.gl. The project is written in Go. Link HERE
IAMFinder: Open Source Tool to Identify Information Leaked from AWS IAM Reconnaissance. Link HERE
Remember: Connaisseur, an admission controller for Kubernetes that integrates image signature verification into a cluster, as a means to ensure that only valid images are being deployed. Link HERE
GoogleCloud: Monitor and secure your containers with new Container Threat Detection. Link HERE
Open-Source Endpoint Detection and Response with CIS Benchmarks, Osquery, Elastic Stack, and TheHive. Link HERE
Other interesting articles ##DeepMind’s protein-folding AI has solved a 50-year-old grand challenge of biology AlphaFold can predict the shape of proteins to within the width of an atom. The breakthrough will help scientists design drugs and understand disease Link HERE
##How Eth2.0 mitigates specific PoS (Proof of Stake) attacks In December 2020, the ETH2.0 Beacon Chain launched. This Phase 0 launch forms part of a multi-year process that will see ETH1.x transform from a PoW (Proof of Work) to a PoS (Proof of Stake) blockchain. This is an exciting period in Ethland and is the product of years of research into optimal solutions to ensure Ethereum remains secure and decentralized despite a change of consensus mechanism. It has long been believed that PoW offers the strongest security guarantees, unlike, say, PoS. Link HERE – thanks to TK
##HOW TO DETECT A HIDDEN CAMERA IN A ROOM Link HERE
##Introducing Amazon Curate (I Wish) There are thousands or even millions of creators putting out great content that nobody is seeing. Amazon Curate is a new product that combines content discovery with content personalization Link HERE
##Why Is Apple’s M1 Chip So Fast? Real-world experience with the new M1 Macs has started ticking in. They are fast. Real fast. But why? What is the magic? Link HERE
##And finally, a practical guide to working remotely with all 16 personality types Experts weigh in on how classic Myers-Briggs personality traits translate to remote work and can be the key to successful collaboration Link HERE AND Welcome to the new Middle Ages Rising inequality, lower mobility, contempt for the poor and widespread celibacy — we’re returning to the past. Today the richest 40 Americans have more wealth than the poorest 185 million Americans. The leading 100 landowners now own 40 million acres of American land, an area the size of New England. There has been a vast increase in American inequality since the mid-20th century, and Europe — though some way behind — is on a similar course. These are among the alarming stats cited by Joel Kotkin’s The Coming of Neo-Feudalism, published earlier this year just as lockdown sped up some of the trends he chronicled: increased tech dominance, rising inequality between rich and poor, not just in wealth but in health, and record levels of loneliness (4,000 Japanese people die alone each week, he cheerfully informs us) Link HERE
##HACKING, TOOLS and FUN – CHECK BELOW!
AppSec Ezine
Must see
URL: https://bit.ly/3lDEFtW (+)
Description: Host `docker` binary overwrite from Kata VM.
URL: https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html
Description: An iOS zero-click radio proximity exploit odyssey
Links HERE and HERE and credits to HERE