Word of the Week
“Top Security predictions for 2021”
Word of the Week Special
A moment of reckoning: the need for a strong and global cybersecurity response
The final weeks of a challenging year have proven even more difficult with the recent exposure of the world’s latest serious nation-state cyberattack. This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning.
It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.
The evolving threats
The past 12 months have produced a watershed year with evolving cybersecurity threats on three eye-opening fronts.
The first is the continuing rise in the determination and sophistication of nation-state attacks.
All this is changing because of a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.
There is a third and final sobering development worth noting from what has obviously been a challenging year. This comes from the intersection between cyberattacks and COVID-19 itself.
The vast majority of these victims are US government agencies, such as:
The US Treasury Department
The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
The Department of Health and Human Services’ National Institutes of Health (NIH)
The Cybersecurity and Infrastructure Security Agency (CISA)
The Department of Homeland Security (DHS)
The US Department of State
The National Nuclear Security Administration (NNSA)
The US Department of Energy (DOE)
Three US states
City of Austin
“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks. The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”
“Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.”
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging.”
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
Link HERE – thanks to G
Crypto challenge of the week
HV20.18 Santa’s lost home – HARD
Santa has forgotten his password and can no longer access his data. While trying to read the hard disk from another computer, he also destroyed an important file. To avoid further damage he made a backup of his home partition. Can you help him recover the data?
Hints: It’s not rock-science, it’s station-science!, Use default options
Hackers accessed vaccine documents in cyber-attack on EMA
Papers relating to Pfizer/BioNTech vaccine reportedly targeted in attack on European Medicines Agency
Book of the month
Supporting Delivery of Resilient Software, or “The Jenga View of Threat Modelling” by Adam Shostack
Comic of the week
##Some OWASP stuff first
–The Threat Modelling Manifesto – Part 2
–ZAP 2.10.0 – The 10 Year Anniversary Release
As you hopefully already know, ZAP was released on September 6th 2010.
ZAP 2.10.0 has just been released and is now available to download via the Downloads page, so we’re treating this as a belated 10 year anniversary release!
–Defence in Depth: Why You Need DAST, SAST, SCA, and Pen Testing
–How Password Hashing Algorithms Work and Why You Never Ever Write Your Own
–Building Security In Maturity Model (BSIMM) compared to Software Assurance Maturity Model (SAMM)
“The BSIMM is not a traditional maturity model where a set of activities are repeated at multiple levels of depth and breadth—do something at level 1, do it more at level 2, do it better at level 3, and so on. Instead, the BSIMM comprises a set of unique activities, with activity levels used only to distinguish the relative frequency with which the activities are observed in organizations.
For SAMM, each of the security practices has three defined maturity levels and an implicit starting point at zero. They generally represent:
–Portable Data exFiltration: XSS for PDFs
–Demystifying the Server Side
Cross-site leaks (aka XS-Leaks, XSLeaks) are a class of vulnerabilities derived from side-channels built into the web platform. They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user. One way of looking at XS-Leaks is to highlight their similarity with cross-site request forgery (CSRF) techniques, with the main difference being that instead of allowing other websites to perform actions on behalf of a user, XS-Leaks can be used to infer information about a user.
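The paragraph above names the root cause (composability: another site can load your resources and observe the result) but not the corresponding server-side check. The following is an added example, not code from the original page or from the XS-Leaks project: a resource-isolation policy built on the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that refuses cross-site resource loads before the application can produce a state-dependent answer. The state-dependent endpoint, the sample requests and the list of denied navigation destinations are constructed for the example.

```javascript
'use strict';
// Added example (not from the original page or xsleaks.dev): a Fetch Metadata
// "resource isolation" check against XS-Leaks and CSRF. Supporting browsers
// attach Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest to every request, so
// the server can refuse cross-site loads before any application logic runs and
// a third-party page never observes a state-dependent difference in the answer.

// Cross-site navigations are allowed so that links to the site keep working,
// but not into these destinations: <object>/<embed> and frames are classic
// XS-Leak oracles (load/error events, frame counting). The set is this
// example's choice; a page that must be frameable cross-site would drop 'iframe'.
const DENIED_NAV_DESTS = new Set(['object', 'embed', 'iframe', 'frame']);

/**
 * Decide whether a request may reach the application.
 * @param {string} method  HTTP method, e.g. 'GET'
 * @param {object} headers Node-style header object (lowercase keys)
 * @returns {{allow: boolean, reason: string}}
 */
function isolateResources(method, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send nothing: fall through to the other
  // layers (SameSite cookies, CSRF tokens) rather than breaking them.
  if (site === undefined) {
    return { allow: true, reason: 'no-fetch-metadata' };
  }
  // Same-origin, same-site and user-initiated (address bar, bookmark) requests.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: 'same-site-or-user-initiated' };
  }
  // Simple cross-site top-level navigation: a plain GET into a document.
  if (mode === 'navigate' && method === 'GET' && !DENIED_NAV_DESTS.has(dest)) {
    return { allow: true, reason: 'cross-site-navigation' };
  }
  // Everything else: cross-site subresource, fetch(), form POST, frame.
  return { allow: false, reason: 'cross-site-resource' };
}

// Application front door. The rejection must be uniform (same status, same
// body, no session lookup), otherwise the check itself becomes the oracle.
function handle(method, headers, loggedIn) {
  const decision = isolateResources(method, headers);
  if (!decision.allow) {
    return { status: 403, body: 'forbidden', reason: decision.reason };
  }
  // Constructed stand-in for a state-dependent endpoint (think /account/avatar:
  // 200 when logged in, 404 otherwise), exactly the difference that an
  // <img onload/onerror> on another site would measure.
  return loggedIn
    ? { status: 200, body: 'avatar-bytes', reason: decision.reason }
    : { status: 404, body: 'no session', reason: decision.reason };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: 'attacker <img src>',  method: 'GET',  headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'no-cors',  'sec-fetch-dest': 'image' } },
  { name: 'attacker fetch()',    method: 'GET',  headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty' } },
  { name: 'attacker iframe',     method: 'GET',  headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'iframe' } },
  { name: 'CSRF form post',      method: 'POST', headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'link from elsewhere', method: 'GET',  headers: { 'sec-fetch-site': 'cross-site',  'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { name: 'own page XHR',        method: 'GET',  headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors',     'sec-fetch-dest': 'empty' } },
  { name: 'legacy browser',      method: 'GET',  headers: {} },
];

// Run every sample in both user states. The endpoint is leak-free against a
// cross-site observer when every denied case gives identical results whether
// or not the user is logged in.
function evaluateSamples() {
  return SAMPLES.map((s) => ({
    name: s.name,
    loggedIn: handle(s.method, s.headers, true),
    loggedOut: handle(s.method, s.headers, false),
  }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.name.padEnd(20)} logged-in ${r.loggedIn.status}  logged-out ${r.loggedOut.status}  (${r.loggedIn.reason})`);
}
```

Two things to keep in mind when wiring `isolateResources` into a real request handler: the denied branch must not consult the session or anything else that differs per user, since a 403-vs-401 or a timing difference there is a fresh leak; and the one case left open on purpose, a plain cross-site GET navigation, still answers differently for logged-in and logged-out users, so navigation-based leaks need the other layers (SameSite cookies, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, X-Frame-Options) rather than this check alone.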
OWASP events HERE
Root Causes 136: 2020 Lookback – Quantum Safe Certificates
Link HERE – thanks to A
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
NSA urging VMware patch action
Leading cyber security firm reports attacks
Guidance issued as SolarWinds compromised
Spotify reset passwords following data breach
API Security Issue 114: SolarWinds and PickPoint breaches, GitHub Code Scanning review, GraphQL security
Incidents & events detail
Zero-day exploit used to hack iPhones of Al Jazeera employees
The Great iPwn
Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit
CVE-2020-28360: npm private-ip SSRF Bypass (IP Phone Home)
NSA warns of cloud attacks on authentication mechanisms
Hacking group’s new malware abuses Google and Facebook services
Starbucks Mobile Platform Vulnerability Could Lead To Remote Code Execution
How I hacked Facebook: Part One
Former Cisco engineer sentenced to prison for deleting 16k Webex accounts
Former Cisco engineer accessed Cisco’s AWS accounts and deleted 456 virtual machines, which resulted in the loss of 16k Webex accounts.
“Important, Spoofing” – zero-click, wormable, cross-platform remote code execution in Microsoft Teams
Reported critical remote code execution bugs in Microsoft Teams, August 31st, 2020
Microsoft rates them “Important, Spoofing” – one of the lowest in-scope ratings possible, September 30, 2020
A new joke is born, immediately
Microsoft refuses to discuss impact in detail, final decision made on November 19th, 2020
“As for the CVE part, it’s currently Microsoft’s policy to not issue CVEs on products that automatically update without user’s interaction.”, November 30, 2020
The bugs have been fixed since the end of October, 2020
Research of the week
Security Control Mappings: A Bridge to Threat-Informed Defense
Today, the Center for Threat-Informed Defense (Center) is releasing a set of mappings between MITRE ATT&CK® and NIST Special Publication 800–53 with supporting documentation and resources. These mappings provide a critically important resource for organizations to assess their security control coverage against real-world threats as described in the ATT&CK knowledge base and provide a foundation for integrating ATT&CK-based threat information into the risk management process.
Privilege Management Program – Governance
I can’t recall having seen an overview of a systematized privilege management program. There are lots of great articles on specific authorization management techniques and guidance for identity/access management configuration on-premise and in the cloud. There is also a lot of technical guidance for the implementation of specific policy enforcement mechanisms, but not much on overall enterprise-wide access governance. So, here’s a short post that might be useful.
A Primer for Policymakers on Machine Learning Cybersecurity
Machine learning systems’ vulnerabilities are pervasive. Hackers and adversaries can easily exploit them. As such, managing the risks is too large a task for the technology community to handle alone. In this primer, Andrew Lohn writes that policymakers must understand the threats well enough to assess the dangers that the United States, its military and intelligence services, and its civilians face when they use machine learning.
Results of the 2020 AWS Container Security Survey
Overall, we notice a positive trend in terms of good practices concerning container security. Almost all key areas, from scanning to policies enjoy positive adoption rate changes compared to 2019. Two things stand out:
There seems to be a decrease in uptake around supply chain management; further investigation is necessary to reveal the underlying reason, that is, whether it is related to the survey question or whether there is a deeper underlying reason for this.
The adoption rate for signing container images has not changed and remains around 10% (same as in 2019). We would expect that, with the work around Notary v2, this will change in 2021; we’re contributing to the upstream efforts and looking forward to seeing this topic receive more attention.
Native ECR scanning got 62 responses, followed by using open source Clair in a self-managed setup (21 responses), and open source Trivy self-managed (18). What stands out compared to 2019 is that the number of people responding that they do not (yet) scan their container images dropped from 38% to 24.8%, that’s good progress!
While some 70% still say they do not (yet) scan their containers at runtime, that is, in the context of their container orchestrator such as ECS or EKS, we see some positive trends compared to 2019. First, the number of people not scanning decreased from 83% to 70%, and second, we see CNCF Falco (27 responses), Twistlock (10 responses each for Prisma Cloud and Twistlock Defender), as well as Aqua Security (7 responses) gaining traction.
What we can see in the above responses is that AWS Secrets Manager is leading (78 responses), followed by HashiCorp Vault (59 responses) and AWS Parameter Store (41 responses). The percentage of folks who say they do not encrypt sensitive data decreased slightly from 11% last year to 9.7% this year.
Helping Reach a Zero Trust Network Using an Istio Service Mesh
Monitoring & securing AWS with Microsoft
Security Kill Chain Stages in a 100K+ Daily Container Environment with Falco
Deep Dive into Site Isolation (Part 1)
Back in 2018, Chrome enabled Site Isolation by default, which mitigates attacks such as UXSS and Spectre. At the time, I was actively participating in the Chrome Vulnerability Reward Program, and I was able to find 10+ bugs in Site Isolation, resulting in $32k rewards.
Tool of the week
Keeping your GitHub Actions and workflows secure: Preventing pwn requests
How to setup a Canarytoken and receive incident alerts on Azure Sentinel
Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
How to choose the right API Gateway auth method
Cloudflare’s privacy-first Web Analytics is now available for everyone
Other interesting articles
##Security Ratings: Love, Loathe or Live With Them?
Security ratings services tend to be loved or loathed. Loved if you consume them and they make your job easier, especially if you have no other method of assessing the security of organizations that you need to review. Loathed if you’re on the receiving end and have to continuously respond to questions on your rating and deal with the potential inaccuracies. Or, perhaps, you live with them and get some marginal benefit but mostly just tolerate their existence.
##Applying DevSecOps to your software supply chain
Applying DevSecOps means you can have a better understanding of what’s in your supply chain. By using DevSecOps, it should be simpler to manage your dependencies, with a change to a manifest or lockfile easily updating a single artifact in use across multiple teams, and automation of your CI/CD pipeline ensuring that changes developers make quickly end up in production.
##Analysis of the RECON/Attack Surface Management Space
##7 Security Tips for Gamers
Gamers can expect to be prime targets over the holidays as COVID-19 rages on. Here’s some advice on how to keep hackers at bay.
##And finally, The smarter you are, the harder this is
Making methodical decisions can lead to higher-quality outcomes, but the smarter you are, the harder it is to do, according to former poker champ-turned-corporate advisor Annie Duke. “Smart people tend to rely on their intuition more,” says Duke. But she believes trusting your gut is a precarious way to make choices, especially for those who’ve experienced a streak of luck and expect future success. “People in general don’t do enough reflecting on their own decision processes,” says Duke. “They don’t think about the range of potential outcomes, and they definitely don’t look back on their past decisions objectively.”
Can too many brainy people be a dangerous thing?
Some academics argue that unhappy elites lead to political instability.
…enlightened elites can prevent the emergence of political instability in more effective ways. In the early 20th century American reformers raised inheritance taxes to prevent the emergence of a hereditary aristocracy, and engaged in massive trust-busting. Modernising urban-planning systems could lower housing costs, and deregulating labour markets would help create good jobs for “excess” elites. Mr Turchin’s analysis of the structural forces governing societies is an intriguing explanation of political unrest. But cliodynamics need not be destiny.
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: Portable Data exFiltration: XSS for PDFs.
Description: Privilege Escalation in Postgresql (CVE-2020-25695).