Security Stack Sheet #115

 

 Word of the Week

“Cyber Security 2020 in Review”

2020 was a year we will never forget: the year when “COVID-19” and “corona” came up in every other sentence, and when takeout food and wearing a mask became the norm. And it wasn’t only the pandemic that pushed the world into panic and uncertainty.


Link HERE

The world experienced a great deal of stress from natural disasters such as the fires in Australia and in California, as well as social and political tensions with the United States at the epicentre. The social demonstrations following the killing of George Floyd and the presidential election were topics of great discussion and change.

Links HERE and HERE and HERE and HERE

AND

“Cyber Trends for 2021”


Links HERE and HERE and HERE and HERE and HERE and Software Development in 2021 and beyond HERE

 

Word of the Week Special

“Lessons from the SolarWinds incident” 

Link HERE – thanks to TK

AND

“Russian Hacking”

Sunburst

As Understanding of Russian Hacking Grows, So Does Alarm

Those behind the widespread intrusion into government and corporate networks exploited seams in U.S. defences and gave away nothing to American monitoring of their systems.

An act of cyberwar is usually not like a bomb, which causes immediate, well-understood damage. Rather, it is more like a cancer – it’s slow to detect, difficult to eradicate, and it causes ongoing and significant damage over a long period of time. Here are five points that cybersecurity experts – the oncologists in the cancer analogy – can make with what’s known so far.

1. The victims were tough nuts to crack

2. This was almost certainly the work of a nation – not criminals

3. The attack exploited trusted third-party software

4. The extent of the damage is unknown

5. The fallout could include real-world harm

We’re not going to be able to secure our networks and systems in this no-rules, free-for-all, every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the world’s supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day won’t help create the safer world in which we all want to live.

Links HERE and HERE and HERE and HERE and HERE and Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop HERE and protection HERE and more details HERE and victim companies list HERE

 

Bonus

Links HERE and HERE and HERE and HERE

 

Crypto challenge of the week

HV20.06 Twelve steps of Christmas

On the sixth day of Christmas my true love sent to me…

six valid QRs,
five potential scrambles,
four orientation bottom and right,
and the rest has been said previously.

Link HERE and HERE

 

Dates

  • May 25th 2018: Over 2 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker Link HERE – thanks to Marius
  • Sanctions Explorer Link HERE
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) became effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit DONE

Got Brexit Done': Tory party sells £12 tea towel in celebration | Brexit | The Guardian

AND

Ben Jennings cartoon 11.01.21


  • 1st of July 2021 – Freedom from viruses?

UK jobs could disappear as Covid puts automation on ‘steroids’

Research warns of ‘disastrous double whammy’ for low-paid workers unable to retrain

Link HERE

Hackers accessed vaccine documents in cyber-attack on EMA

Papers relating to Pfizer/BioNTech vaccine reportedly targeted in attack on European Medicines Agency

Link HERE

Reverse Engineering the source code of the BioNTech/Pfizer SARS-CoV-2 Vaccine

First 500 characters of the BNT162b2 mRNA. Source: World Health Organization

The BNT162b2 mRNA vaccine has this digital code at its heart. It is 4284 characters long, so it would fit in a bunch of tweets

Link HERE

  • November 3rd 2020: Trump’s second term start

As Twitter bans Donald Trump's account permanently, it's raining memes online | Trending News, The Indian Express

Link HERE

 

Martin Rowson 8.1.21

  • 2026 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • December 31st, 2020 Flash End-of-Life
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1

 

Book of the month

LOTS OF FREE BOOKS

Link HERE

On Modelling for Security Engineering as a Submodel of the Digital Twin

Link HERE

3 Cyber Security Books Everyone Should Read In 2021

Link HERE

 

Comic of the week

Audit Blackmail - Dilbert by Scott Adams

 

##Some OWASP stuff first

–How RASPs and WAFs can work together

This is the biggest difference between RASPs and WAFs: WAFs look for suspicious payloads, while RASPs look for exploitation attempts

Link HERE

–A Pentester’s Guide to Code Injection

OWASP defines Code Injection as a general term for any attack type that consists of injecting code that is then interpreted and executed by the application. This type of attack exploits poor handling of untrusted data. These attacks are usually made possible by a lack of proper input/output validation: allowed characters (standard regular-expression classes or custom), data format, and the amount of data expected.

Link HERE
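The distinction above (payload inspection at the edge versus exploitation detection at the sink) and the injection definition are easiest to see side by side. The Python below is an added example, not code from either linked article; it uses a constructed sqlite3 table and hypothetical function names. It shows a signature-based WAF check on the raw parameter, a RASP-style check that runs at `execute()` and asks whether the tainted input still fits inside one SQL literal, the vulnerable string-built query the definition describes, and its parameterised fix.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table; stands in for the application's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("admin", "admin")])
    return conn


# --- WAF side: signatures applied to the request parameter before it reaches the app.
WAF_SIGNATURES = [
    re.compile(r"\bor\s+['\"]?\w", re.I),      # ... OR '1'='1 / OR 1=1
    re.compile(r"\bunion\s+select\b", re.I),
    re.compile(r"--|;"),
]


def waf_inspect(payload: str) -> bool:
    """True = the WAF would block. It only sees the payload text, so replacing
    whitespace with /**/ comments slips past the spacing-sensitive signatures."""
    return any(sig.search(payload) for sig in WAF_SIGNATURES)


# --- RASP side: a minimal SQL lexer run at the sink, on the final query string.
SQL_TOKEN = re.compile(r"""
      (?P<string>'(?:[^']|'')*')
    | (?P<comment>/\*.*?\*/|--[^\n]*)
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_]\w*)
    | (?P<op><>|<=|>=|!=|[=<>(),;*+\-/])
    | (?P<ws>\s+)
    | (?P<other>.)
""", re.X | re.S)


def tokens_with_spans(sql: str):
    """Yield (kind, start, end) for every non-whitespace token of the query."""
    for m in SQL_TOKEN.finditer(sql):
        if m.lastgroup != "ws":
            yield m.lastgroup, m.start(), m.end()


def rasp_check(query: str, tainted: str) -> bool:
    """True = injection: the tainted input does not fit inside one literal token.
    Benign data always lands inside a single string or number literal; an
    injection adds operators, keywords or comments, so it spans several tokens."""
    if not tainted:
        return False
    start = query.find(tainted)
    if start < 0:                      # input was transformed before the sink
        return False
    end = start + len(tainted)
    for kind, s, e in tokens_with_spans(query):
        if s <= start and end <= e:    # whole input inside this one token
            return kind not in ("string", "number")
    return True                        # spread across tokens: structure changed


def lookup_role_vulnerable(conn, name: str, guard: bool = True):
    """String-built query (the bug); `guard` toggles the RASP hook for the demo."""
    query = f"SELECT role FROM users WHERE name = '{name}'"
    if guard and rasp_check(query, name):
        raise PermissionError("RASP: SQL injection blocked at execute()")
    return [row[0] for row in conn.execute(query)]


def lookup_role_safe(conn, name: str):
    """The fix: parameterised query, input never becomes part of the SQL text."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    conn = make_db()
    naive = "admin' OR '1'='1"
    evasive = "admin'/**/OR/**/'1'='1"   # same logic, whitespace replaced by comments
    for payload in (naive, evasive):
        q = f"SELECT role FROM users WHERE name = '{payload}'"
        print(f"{payload!r}: WAF blocks={waf_inspect(payload)}, "
              f"RASP blocks={rasp_check(q, payload)}")
    print("unguarded result:", lookup_role_vulnerable(conn, evasive, guard=False))
    print("parameterised result:", lookup_role_safe(conn, evasive))
```

The evasive payload defeats the spacing-sensitive signature but cannot change the fact that the input now spans a string literal, a comment, a keyword and a comparison, which is what the sink-side check keys on. The RASP check here is a simplified taint-at-sink lexer; commercial RASPs do the same job with a full SQL grammar, and neither replaces the parameterised query, which removes the bug rather than detecting it.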

–The Elements of Application Security Testing (With Apologies to Strunk and White)

Link HERE

–Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues

In the cloud, misconfigurations will get you hacked well before zero-days do. In a report released in 2020, the NSA asserts that misconfiguration of cloud resources is the most prevalent vulnerability in cloud environments. Looking at a few recent data breaches in AWS…

  • The Capital One breach was caused by a misconfigured web application firewall on EC2 that allowed server-side request forgery to the instance metadata service, combined with an overprivileged EC2 instance role
  • The Los Angeles Times website started mining cryptocurrency in visitors’ browsers because the site was served from a world-writable S3 bucket
  • The Magecart group backdoored Twilio’s SDK, which was hosted on a world-writable S3 bucket

Links HERE and HERE
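Each of the three breaches above maps to a setting that is visible in the infrastructure code before anything is deployed. The Python scanner below is an added example, not code from the linked article or from any existing tool: it walks a Terraform JSON-syntax document (constructed, with hypothetical resource names) and flags a public bucket ACL, a security group open to the world on an admin port, an instance that still answers IMDSv1 (the SSRF path to role credentials), and a role policy that allows wildcard actions on every resource.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    address: str      # Terraform resource address, e.g. aws_s3_bucket.assets
    rule: str
    message: str


ADMIN_PORTS = (22, 3389)
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """Terraform JSON allows a nested block to be an object or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_s3_bucket(name, body):
    acl = body.get("acl", "private")
    if acl in ("public-read-write", "public-read"):
        writable = " and write" if acl.endswith("write") else ""
        yield Finding(f"aws_s3_bucket.{name}", "S3_PUBLIC_ACL",
                      f"acl={acl}: anyone can read{writable} objects")


def check_security_group(name, body):
    for rule in _as_list(body.get("ingress")):
        cidrs = set(_as_list(rule.get("cidr_blocks"))) | set(_as_list(rule.get("ipv6_cidr_blocks")))
        if not cidrs & WORLD_CIDRS:
            continue
        lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
        all_ports = str(rule.get("protocol", "")) == "-1" or (lo, hi) == (0, 0)
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            yield Finding(f"aws_security_group.{name}", "SG_OPEN_TO_WORLD",
                          f"ingress {lo}-{hi} from {sorted(cidrs & WORLD_CIDRS)}")


def check_instance(name, body):
    opts = _as_list(body.get("metadata_options"))
    if not opts or opts[0].get("http_tokens") != "required":
        yield Finding(f"aws_instance.{name}", "IMDSV1_ENABLED",
                      "metadata_options.http_tokens is not 'required': an SSRF can fetch "
                      "the role's credentials from 169.254.169.254")


def check_role_policy(name, body):
    policy = body.get("policy")
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            yield Finding(f"aws_iam_role_policy.{name}", "IAM_WILDCARD",
                          f"Allow {actions} on * grants far more than the workload needs")


CHECKS = {
    "aws_s3_bucket": check_s3_bucket,
    "aws_security_group": check_security_group,
    "aws_instance": check_instance,
    "aws_iam_role_policy": check_role_policy,
}


def scan(config: dict) -> list:
    """Walk a Terraform JSON-syntax document and return every finding."""
    findings = []
    for rtype, instances in config.get("resource", {}).items():
        check = CHECKS.get(rtype)
        if check is None:
            continue
        for name, body in instances.items():
            findings.extend(check(name, body))
    return findings


# Constructed samples in Terraform JSON syntax (what a .tf.json file holds); hypothetical names.
WEAK_CONFIG = {"resource": {
    "aws_s3_bucket": {"assets": {"bucket": "example-assets", "acl": "public-read-write"}},
    "aws_security_group": {"web": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    "aws_instance": {"waf": {"ami": "ami-00000000", "instance_type": "t3.small",
                             "iam_instance_profile": "waf-role"}},
    "aws_iam_role_policy": {"waf": {"role": "waf-role", "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}},
}}

HARDENED_CONFIG = {"resource": {
    "aws_s3_bucket": {"assets": {"bucket": "example-assets", "acl": "private"}},
    "aws_security_group": {"web": {"ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    "aws_instance": {"waf": {"ami": "ami-00000000", "instance_type": "t3.small",
                             "iam_instance_profile": "waf-role",
                             "metadata_options": {"http_endpoint": "enabled", "http_tokens": "required"}}},
    "aws_iam_role_policy": {"waf": {"role": "waf-role", "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-assets/*"}]})}},
}}

if __name__ == "__main__":
    for f in scan(WEAK_CONFIG):
        print(f"{f.rule:16} {f.address}: {f.message}")
    print("hardened findings:", scan(HARDENED_CONFIG))
```

The checks are deliberately narrow; policy-as-code tools such as checkov, tfsec or OPA do the same walk with hundreds of rules and parse HCL as well as JSON. The point is the position in the pipeline: a finding here fails the pull request, whereas the same misconfiguration found in the account is already exposed.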

–How developers can take the lead on security

Link HERE

–Shifting Threat Modeling Left: Automated Threat Modeling Using Terraform

Link HERE

 

Events

OWASP events HERE

Open Security Summit 2021 logo

Link HERE

ENIGMA

FEB 1–3, 2021

VIRTUAL EVENT

Security and Privacy Ideas That Matter

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report

Provided Image 

Ongoing threat of ransomware

In the last week, the Scottish Environment Protection Agency (SEPA) confirmed it was the victim of an ongoing ransomware attack. The NCSC has been supporting investigations to understand the impact of this incident.

Ransomware is a serious cyber threat. Cyber criminals can often threaten the publication of data if payment is not made.

Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom:

  1. there is no guarantee that you will get access to your data or computer
  2. your computer will still be infected
  3. you will be paying criminal groups
  4. you’re more likely to be targeted in the future

Organisations should take steps to protect themselves from the loss of access to their data through ransomware, as well as from the risk of data theft.

Fake apps responsible for rise in attacks targeting remote devices

The number of organisations experiencing malware attacks on remote devices has increased over the past year, since the COVID-19 pandemic began, according to a recent Cloud Security Report by Wandera.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 117: Vulnerabilities in YouTube and Ring Neighbors app, OAuth Mix-Up attacks, Tamper Dev

  1. Vulnerability: YouTube

David Schütz found a clever way to get (limited) access to private YouTube videos via a vulnerable API.

  2. Vulnerability: Amazon Ring Neighbors

Amazon’s Ring camera has a companion app called Neighbors. The app allows users to anonymously share footage that they deem suspicious.

  3. Standards: OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response

We discussed OAuth 2.0 Mix-Up attacks in issue 83.

Link HERE
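The issuer-identifier standard above (an `iss` parameter in the authorization response) exists to stop exactly the mix-up attack referenced from issue 83. The Python client below is an added example, not code from the newsletter or from any OAuth library; the issuers, endpoints and server metadata are constructed. It records which authorization server each flow was started with and refuses to redeem a code that arrives stamped with a different `iss`.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class MixUpError(Exception):
    """The authorization response did not come from the server the flow was started with."""


# Constructed metadata for two hypothetical authorization servers. In practice this is
# fetched from each server's /.well-known/oauth-authorization-server document.
AS_METADATA = {
    "https://as.honest.example": {
        "token_endpoint": "https://as.honest.example/token",
        "authorization_response_iss_parameter_supported": True,
    },
    "https://as.attacker.example": {
        "token_endpoint": "https://as.attacker.example/token",
        "authorization_response_iss_parameter_supported": True,
    },
}


class OAuthClient:
    def __init__(self):
        self.pending = {}   # state -> issuer the flow was started with

    def begin(self, issuer: str) -> str:
        """Start a flow with `issuer`; the returned state binds the later response to it."""
        if issuer not in AS_METADATA:
            raise ValueError(f"unknown issuer {issuer}")
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_redirect(self, redirect_url: str):
        """Validate the authorization response; return (token_endpoint, code) only
        when it is safe to redeem the code there."""
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        expected_issuer = self.pending.pop(state, None)      # one-time use
        if expected_issuer is None:
            raise ValueError("unknown or replayed state")
        if "error" in params:
            raise ValueError(f"authorization failed: {params['error'][0]}")

        iss = params.get("iss", [None])[0]
        supported = AS_METADATA[expected_issuer]["authorization_response_iss_parameter_supported"]
        if iss is None:
            if supported:
                # The server we started with always sends iss; a response without it
                # was not produced by that server (or was stripped in transit).
                raise MixUpError("AS advertises iss support but the response carries none")
        elif iss != expected_issuer:
            # Mix-up: the code belongs to `iss`, but we would have sent it to
            # expected_issuer's token endpoint, handing it to whoever runs that server.
            raise MixUpError(f"flow started with {expected_issuer} but response claims {iss}")

        code = params.get("code", [None])[0]
        if code is None:
            raise ValueError("no authorization code in response")
        return AS_METADATA[expected_issuer]["token_endpoint"], code


if __name__ == "__main__":
    client = OAuthClient()
    # Mix-up: the user started at the attacker's AS, which forwarded the browser to the
    # honest AS; the honest AS now redirects back with a code and our original state.
    state = client.begin("https://as.attacker.example")
    callback = (f"https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
                "&iss=https%3A%2F%2Fas.honest.example")
    try:
        client.handle_redirect(callback)
    except MixUpError as exc:
        print("rejected:", exc)
```

Without the `iss` comparison the `state` check passes (the client did start this flow) and the honest server's code is sent to the attacker's token endpoint. Treat a missing `iss` from a server that advertises support as a failure, not a fallback; for servers that do not advertise it the client is back to the weaker state-only binding, so only register servers that do.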

EP 83: NSA CRYPTOLOGISTS

In this episode we interview two NSA Cryptologists, Marcus J. Carey and Jeff Man. We hear their story of how they got into the NSA and what they did while there

Link HERE

 

Incidents & events detail

Ticketmaster fined $10 million after hack of business rival

“Screen-grab the hell out of the system”

Link HERE

New Golang-based Crypto worm infects Windows and Linux servers

Link HERE

Malwarebytes said it was hacked by the same group who breached SolarWinds

Malwarebytes becomes fourth major security firm targeted by attackers after Microsoft, FireEye, and CrowdStrike

Link HERE

Cloudflare WAF bypass exploits revealed

Link HERE

Browser security briefing: Google and Mozilla lay the groundwork for a ‘post-XSS world’

Link HERE

PsExec Local Privilege Escalation

Link HERE

T-Mobile suffers its fourth hack in less than three years – still “takes the security of your information very seriously”

Link HERE

CISA releases a PowerShell-based tool to detect malicious activity in Azure, Microsoft 365

Link HERE

Remote Desktop Bugs: Patches That Took Priority in a Pandemic Year

Remote Desktop flaws were a patching priority this year as Microsoft distributed fixes and businesses scrambled to protect remote employees

Link HERE

Security PSA: Ledger Phishing Attacks

Link HERE

No, Cellebrite cannot ‘break Signal encryption.’

Link HERE

CVE-2020-9967 – Apple macOS 6LoWPAN Vulnerability

Link HERE

Unsecured Azure blob exposed 500,000+ highly confidential docs from UK firm’s CRM customers

Medical records, insurance claim docs, promotion process feedback… you name it, Probase bared it

Link HERE

GCP OAuth Token Hijacking in Google Cloud – Part 1

If an attacker compromises a Google Cloud Platform (GCP) user’s device, they can easily steal and abuse cached credentials, even if MFA is enabled.

Link HERE

 

Research of the week

How we’re helping to reshape the software supply chain ecosystem securely

Although the history of software supply chain attacks is well documented, each new attack reveals new challenges. The seriousness of the SolarWinds event is deeply concerning, but it also highlights the opportunities for government, industry and other stakeholders to collaborate on best practices and build effective technology that can fundamentally improve the software ecosystem. We will continue to work with a range of stakeholders to address these issues and help lay the foundation for a more secure future.

Link HERE

Detection and Hunting of Golden SAML Attack

The SolarWinds software supply chain attack, attributed to an advanced persistent threat actor, is known to have affected U.S. government agencies, critical infrastructure entities and private sector organizations since at least March 2020. U.S. authorities now believe that initial access vectors other than the SolarWinds platform exist, but these are still being investigated. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) expects that removing this threat actor from compromised environments will be highly complex and challenging.

One of the major techniques used by the threat actor as part of the SolarWinds attack, was compromising the Security Assertion Markup Language (SAML) signing certificate, using their Active Directory privileges. CISA explained that “once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs)”[1].

The “Golden SAML” attack technique enables attackers to forge SAML responses and bypass ADFS authentication to access federated services. First reported by CyberArk in 2017, the current attack is the first time that this technique is known to have been used “in the wild”.

To successfully leverage Golden SAML, an attacker must first gain administrative access to the ADFS server and extract the token-signing certificate and its private key. Once this is accomplished, unauthorized access can be performed from anywhere, without further access to the victim environment.

Link HERE
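The two facts above (a forged assertion never passes through ADFS, and the forger chooses its own validity window) give two hunting checks. The Python below is an added example, not code from the linked article, run over constructed and deliberately simplified log lines: it joins cloud sign-ins of federated users to ADFS token-issuance events (event 1202) by user and time, and flags assertions whose lifetime exceeds what the federation service is configured to issue. The field names, the relying-party identifier and the availability of the assertion's nbf/exp values at the sign-in side are assumptions made for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log lines with hypothetical users and IPs. Real sources are the
# ADFS security log (event 1202 = token issued) and the cloud provider's sign-in log.
ADFS_ISSUANCE_LOG = """\
2021-01-18T09:02:11Z event=1202 user=alice@corp.example rp=urn:federation:MicrosoftOnline
2021-01-18T09:15:40Z event=1202 user=bob@corp.example rp=urn:federation:MicrosoftOnline
2021-01-18T09:20:02Z event=1202 user=bob@corp.example rp=urn:hr-portal
"""

CLOUD_SIGNIN_LOG = """\
2021-01-18T09:02:13Z event=signin user=alice@corp.example nbf=2021-01-18T09:02:11Z exp=2021-01-18T10:02:11Z ip=198.51.100.7
2021-01-18T09:15:42Z event=signin user=bob@corp.example nbf=2021-01-18T09:15:40Z exp=2021-01-18T10:15:40Z ip=198.51.100.9
2021-01-18T11:47:05Z event=signin user=svc-backup@corp.example nbf=2021-01-18T11:46:00Z exp=2021-01-25T11:46:00Z ip=203.0.113.44
"""

FEDERATION_RP = "urn:federation:MicrosoftOnline"   # assumed relying-party identifier


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str) -> list:
    """Turn '<timestamp> key=value ...' lines into dicts; 'ts' is a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        record = dict(pair.split("=", 1) for pair in pairs)
        record["ts"] = parse_ts(ts)
        records.append(record)
    return records


def hunt_golden_saml(adfs_text: str, signin_text: str,
                     max_lifetime=timedelta(hours=1), window=timedelta(minutes=5)):
    """Return [(user, sign-in time, reasons)] for federated sign-ins that have no ADFS
    issuance behind them or carry a lifetime longer than ADFS is configured to issue."""
    issued = defaultdict(list)
    for r in parse_log(adfs_text):
        if r.get("event") == "1202" and r.get("rp") == FEDERATION_RP:
            issued[r["user"].lower()].append(r["ts"])

    alerts = []
    for s in parse_log(signin_text):
        reasons = []
        user = s["user"].lower()
        # Check 1: every genuine assertion was minted by ADFS shortly before the sign-in.
        if not any(s["ts"] - window <= t <= s["ts"] for t in issued.get(user, [])):
            reasons.append(f"no ADFS token issuance for this user in the preceding {window}: "
                           "the assertion was not minted by the federation service")
        # Check 2: a forger picks its own validity window; ADFS issues a fixed maximum.
        lifetime = parse_ts(s["exp"]) - parse_ts(s["nbf"])
        if lifetime > max_lifetime:
            reasons.append(f"assertion lifetime {lifetime} exceeds the ADFS maximum of {max_lifetime}")
        if reasons:
            alerts.append((s["user"], s["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in hunt_golden_saml(ADFS_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"[ALERT] {user} at {ts:%Y-%m-%dT%H:%M:%S}Z")
        for reason in reasons:
            print("   -", reason)
```

A hit on the first check is the stronger signal; it requires ADFS security auditing to be enabled and the 1202 events forwarded off the ADFS host, because an actor with AD admin rights can also clear local logs. Lifetime anomalies are a supporting indicator. Both checks are blind to assertions the actor mints with the stolen certificate but keeps within ADFS-like lifetimes for users who also log in legitimately, which is why rotating the token-signing certificate (twice, so the previously cached certificate is invalidated as well) remains the remediation step rather than detection alone.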

SolarWinds/SunBurst FNV-1a-XOR hash findings analysis

Link HERE
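The hash analysis above reverses the backdoor's hashed process and service blocklists by dictionary search. The Python below is an added example, not the linked analysis' own code: FNV-1a 64-bit as published, the post-hash XOR key as reported in public SUNBURST write-ups (taken as given here), and lower-casing of names before hashing as an assumption about how the sample normalised them. The candidate names and target hashes are constructed.

```python
FNV64_OFFSET_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
# XOR key reported in public SUNBURST analyses for its hashed blocklists (assumed correct here).
SUNBURST_XOR_KEY = 6605813339339102567


def fnv1a_64(data: bytes) -> int:
    """Standard FNV-1a, 64-bit: XOR each byte in, then multiply by the prime."""
    h = FNV64_OFFSET_BASIS
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_hash(name: str) -> int:
    """FNV-1a over the lower-cased UTF-8 name, then XOR with the backdoor's key.
    Lower-casing is an assumption about the sample's normalisation."""
    return fnv1a_64(name.lower().encode("utf-8")) ^ SUNBURST_XOR_KEY


def recover_names(target_hashes, candidates) -> dict:
    """Dictionary attack: map each target hash to the candidate that produces it, else None.
    The hash is not secret or salted, so a word list of process/service names resolves it."""
    table = {sunburst_hash(c): c for c in candidates}
    return {h: table.get(h) for h in target_hashes}


# Constructed candidate list; hypothetical process names, not a recovered blocklist.
CANDIDATES = ["msmpeng", "windefend", "procmon", "wireshark", "notepad"]

if __name__ == "__main__":
    blocklist = [sunburst_hash("msmpeng"), sunburst_hash("wireshark"), 0x1234567890ABCDEF]
    for h, name in recover_names(blocklist, CANDIDATES).items():
        print(f"{h:#018x} -> {name or '<unresolved>'}")
```

Because the hash is unkeyed and the input space (process and service names) is small, a word list recovers most entries outright; the unresolved remainder is what the published analyses cracked by brute force or by guessing from the resolved neighbours.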

Best Practices for AWS Security – Part 1 with Scott Piper

Link HERE and IaC Security governance program HERE

Security and Risk Management Leaders Primer for 2021

As organizations go all in on digital initiatives, security and risk management leaders must help the business realize value in an increasingly distributed risk decision-making environment, one built for real-time adaptability and resilience through risk-based programs.

Security and Risk Management Leaders Overview

SRM leaders should:

  • Design an operating model that takes into account the enterprise culture and maturity.
  • Have explicit conversations with senior leadership about their function’s scope and objectives.
  • Assess the effectiveness of not just their immediate teams, but also of the cybersecurity professionals who report directly into the business.
  • Develop and maintain policy as a process, asking for and implementing feedback from those expected to adhere to it.
  • Define and plan the skills, knowledge and capabilities needed most by the enterprise, and assist different parts of the business in bringing them in.
  • Work with senior leadership to define objectives that their programs support.
  • Clearly define scope of responsibilities, focusing on comparative advantage.
  • Help the organization balance the need to facilitate business outcomes against the need to manage risk holistically.
  • Assess and transform SRM programs, as well as themselves, to become digital business enablers.
  • Prioritize building relationships with stakeholders who are in areas of the business, while maintaining relationships with IT stakeholders for efficiency.
  • Assess the enterprise constituencies and craft targeted messages.
  • Recognize that communication alone does not build the case. Show value and deliver services that help the organization achieve its objectives.

Link HERE

Hunting for Bugs in Windows Mini-Filter Drivers

In December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers (CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17139). These 4 issues were 3 local privilege escalations and a security feature bypass, and they were all present in Windows file system filter drivers. I’ve found a number of issues in filter drivers previously, including 6 in the LUAFV driver which implements UAC file virtualization.

Link HERE

 

Tool of the week


Link HERE

Malvuln

Finding and exploiting vulnerable Malware

Link HERE

Mitigating Obsolete TLS

This repository lists a number of tools, Snort signatures, and web server configurations to help network owners detect and remediate the use of obsolete TLS.

Link HERE

The ultimate OSINT collection

A collection of the very best OSINT related materials, resources, trainings, guides, sites, tool collections, and more

Link HERE

Adidas DevOps maturity framework

adidas C.A.L.M.S.

Link HERE

Leapp

Leapp is a desktop DevTool for managing and securing cloud access in multi-account environments. It works with the cloud providers’ APIs, CLIs and SDKs, keeps your long-lived access information in secure storage, and generates temporary credential sets for reaching your cloud from your local machine.

Link HERE

Compliance-as-code and auto-remediation with Cloud Custodian

Link HERE

 

Other interesting articles 

##Drawing good architecture diagrams

Some tips on good diagram drafting and pitfalls to avoid when trying to understand a system in order to secure it

Link HERE

 

##Homomorphic Encryption: The ‘Golden Age’ of Cryptography

The ability to perform complex calculations on encrypted data promises a new level of privacy and data security for companies in the public and private sectors. So when can they get started?

The origins of homomorphic encryption date back to 1978, when a trio of researchers at MIT showed that a single mathematical operation (addition or multiplication) could be computed under the cover of encryption. The concept came to life in 2009, when Craig Gentry, now a research fellow at the blockchain-focused Algorand Foundation, developed the first fully homomorphic encryption scheme for his doctoral dissertation at Stanford University.

Link HERE

 

##How to organize your security team: The evolution of cybersecurity roles and responsibilities


Each function works as part of a whole security team within the organization, which is part of a larger security community defending against the same adversaries

Link HERE

 

##And finally, Covid-19 Ushered in a New Era of Government Surveillance

Government-mandated drone surveillance and location tracking apps could be here to stay

It’s unclear how many of these surveillance programs will outlast the pandemic itself. Events like 9/11 have previously heralded long-standing security measures such as the Patriot Act, which legalized broad categories of government surveillance, as well as the creation of the Department of Homeland Security, which has not only reshaped airports and international travel but turned U.S. borders into highly surveilled and militarized zones. That means many of these programs aren’t just stop-gap efforts, but a glimpse of a future in which governments track their citizens’ every move.

Link HERE

AND

Maximizing Appreciation of Life

“I enjoy finding patterns in how people pursue meaning, constructing models for how said meaning works, and then creating, discussing, and sharing possible frameworks for improving it.”

Link HERE

 

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/

Description: Hijacking Google Docs Screenshots

URL: https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-1/

More: https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-2/

Description: Deep Dive into Site Isolation

URL: https://github.com/httpvoid/writeups/blob/main/Apple-RCE.md

Description: 0Day RCE in Apple’s Travel Portal.

URL: https://ash-king.co.uk/blog/Shazlocate-abusing-CVE-2019-8791-CVE-2019-8792

Description: How clicking a link can give away your precise location.

URL: https://ysamm.com/?p=510

Description: Bad regex in FB JS SDK leads to account takeovers in sites that included it.

Links HERE and HERE and credits to HERE

 

 
