Word of the Week

“Inverse Privacy”

An item of your personal information is inversely private if some party has access to it but you do not. Inverse privacy is ubiquitous: each interaction you have with commercial and other institutions generates inversely private data. The inverse privacy problem is the unjustified inaccessibility of your inversely private data to you. Elsewhere a subset of these authors determined that the problem has a market-based solution that provides consumers with large amounts of their personal data to be mined and processed to benefit them. Here we sketch a particular solution. Your personal data splits into four buckets:
· directly private, that which you have access to but nobody else does;
· inversely private, that which some party has access to but you do not;
· partially private, that which you and a few other parties have access to;
· public.

And: Top 10 Technology Trends Impacting DevOps
Word of the Week Special

“The Githubification of InfoSec”

A community-based approach in infosec can speed learning for defenders. Attack knowledge curated in the MITRE ATT&CK™ framework, detection definitions expressed in Sigma rules, and repeatable analysis written in Jupyter notebooks form a stackable set of practices. They connect knowledge to analytics to analysis. If organizations were to contribute and share their unique expertise using these frameworks, and were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization. Link HERE

“Dependency Confusion”

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies. Bonus Link HERE – thanks to Andi. Link HERE, Link HERE, Link HERE

Crypto challenge of the week

HV20.12 Wiener waltz

Introduction: During their yearly season opening party our super-smart elves developed an improved usage of the well-known RSA crypto algorithm. Under the “Green IT” initiative they decided to save computing horsepower (or rather reindeer power?) on their side. To achieve this they chose a pretty large private exponent, around 1/4 of the length of the modulus – impossible to guess. The reduction of 75% should save a lot of computing effort while still being safe. Shouldn’t it?

Mission: Your SIGINT team captured some communication containing key exchange and encrypted data. Can you recover the original message? Link HERE

Dates
Link HERE

Security Concerns and Risks Related To Bitcoin. Link HERE

The throne behind the power: from Putin’s toilet brush to Trump’s golden bowl. Link HERE

China’s Military-Civil Fusion Strategy: What to Expect in the Next Five Years. Link HERE
Book of the month

Emerging Architectures for Modern Data Infrastructure

Data Hubs, Data Lakes and Data Warehouses: How They Are Different and Why They Are Better Together

Comic of the week

##Some OWASP stuff first
–OWASP Top-10 2021. Statistics-based proposal. Link HERE
–AppSec Bites Part 3: Has the New Virtual Reality Created Opportunities for AppSec? Link HERE
–Threat modelling without a diagram. Link HERE
–Who corrupted the data! Get a fast and precise answer with the taint. In vulnerability analysis, a frequent question that needs answering is: “who corrupted this data?” Data flow tainting provides a unique way to answer this question. This article presents REVEN Taint Engine and gets under the hood. Link HERE
–Finding More IDORs – Tips And Tricks. Link HERE

Events

OWASP events HERE
OWASP London virtual event, 4th of March 2021: “Teaching the OWASP Top 10 to Beginning Developers” – Olivia Liddell; “Finding Your Next Bug: GraphQL Hacking” – Katie Paxton-Fear. Link HERE
OWASP Nettacker Project @OWASP Kiev. Link HERE
GOOGLE CLOUD – Security Talks 2021. Link HERE, and Cloud Security Podcast by Google
OWASP Newcastle – February 2021: Enforcing Code & Security Standards with Semgrep; Wham bam, thank you scam! Link HERE
Incidents

Global ALERT level BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. Incident data HERE. Find your country.

NCSC Weekly Threat Report

VMware Security Updates: VMware have released security updates to address a remote code execution vulnerability and a server-side request forgery vulnerability affecting VMware vCenter Server and Client (CVE-2021-21972 and CVE-2021-21973). In addition, a security update is available to address a heap overflow vulnerability affecting ESXi OpenSLP (CVE-2021-21974).

Cyber security software vendor shines a light on APT vulnerabilities of choice: In a new blog post published this week, Check Point Software Technologies claims that a Chinese-affiliated attack group cloned and actively used an American cyber offensive tool.

Large numbers of CNI organisations impacted by cyber attacks in the past year: A recent report has shown that many organisations within the UK CNI sector have been the target of a cyber attack in the past year, and highlights the potential risks of organisational use of legacy infrastructure connecting to corporate networks and the internet. Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 122: API issues at Clubhouse and healthcare apps, scope-based recon, OAS v3.1.0
Clubhouse is an audio-only social network app for iPhone. Last Sunday, it had a data spill incident in which one of the users started streaming multiple rooms from their own website. This breaks Clubhouse’s terms of service and customer expectations: conversations are only supposed to be accessible live and only to the users in that particular room.

Approov has published security research by Alissa Knight on 30 popular medical healthcare apps. It is estimated that together these apps have 23 million users. The findings of the research are pretty dismal.

Reconnaissance (aka recon) is the process of discovering the attack surface of a system under penetration testing. With modern complex systems, the attack surface can be significant, and thus the discovery could include several different approaches and tools. Link HERE

EP85: CAM THE CARDER. This is the story of Cam Harrison, aka “kilobit”, and his rise and fall as a prominent carder. Link HERE

Incidents & events detail

Microsoft president asks Congress to force private-sector orgs to admit when they’ve been hacked: Senate intelligence committee hears ideas in light of SolarWinds disaster. Link HERE
Mutually Agreed Norms for Routing Security: Now, more than ever, we need a more resilient Internet. Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats. Link HERE
ZINC attacks against security researchers. Link HERE
How We Escaped Docker in Azure Functions. Link HERE
Sensitive AWS API Calls That Return Credentials and Data. Link HERE
NurseryCam Company Gets Security Help from NCSC. Link HERE
Firefox 86 Includes Total Cookie Protection. Link HERE
Senate Intelligence Committee Hearing on SolarWinds. Link HERE
Botnet Uses Blockchain to Maintain Persistence: Researchers at Akamai have discovered that a botnet being used to mine cryptocurrency is now using blockchain to facilitate infected machines’ communications with the command-and-control server. In the event that the regular command-and-control server is sinkholed, the infected machines search for the IP address of a backup server that is encoded in the Bitcoin blockchain. Link HERE

Research of the week

Avoiding npm substitution attacks

Supply chain attacks are a reality in modern software development. Thankfully, you can reduce the attack surface by taking precautions and being thoughtful about how you manage your dependencies.
We hope you walk away from this with tangible steps to take to ensure you’re protecting yourself when using npm. This post is focused on npm, but for further reading on prevention measures against supply chain attacks for other package managers, check out this whitepaper from Microsoft.

TL;DR
1. Use scopes for internal packages.
2. Use a .npmrc file in the root of a project to set the intended registry.
3. Take care when proxying.
4. Respond quickly to build failures.
Link HERE – thanks to Prash

Post-Spectre Web Development

A Collection of Interesting Ideas, 25 February 2021

In early 2018, Spectre made it clear that a foundational security boundary the web aimed to maintain was substantially less robust than expected. [SPECTRE] This revelation has pushed web browsers to shift their focus from the platform-level origin boundary to an OS-level process boundary. Chromium’s threat model, for instance, now asserts that “active web content … will be able to read any and all data in the address space of the process that hosts it”. [POST-SPECTRE-RETHINK] This shift in thinking imposes a shift in development practice, both for browser vendors and for web developers. Browsers need to align the origin boundary with the process boundary through fundamental refactoring projects (for example, [SITE-ISOLATION] and [PROJECT-FISSION]). Moreover, browsers must provide web developers with tools to mitigate risk in the short term, and should push the platform towards safe default behaviors in the long term. The bad news is that this is going to be a lot of work, much of it falling on the shoulders of web developers. The good news is that a reasonable set of mitigation primitives exists today, ready and waiting for use.

This document will summarize the threat model which the Web Application Security Working Group espouses, point to a set of mitigations which seem promising, and provide concrete recommendations for developers responsible for protecting users’ data. Link HERE

New whitepaper: CISO’s guide to Cloud Security Transformation

Moving to the cloud represents a huge opportunity to transform your company’s approach to security. To lead your security organization and your company through this transformation, you need to think differently about how you work, how you manage risk, and how you deploy your security infrastructure. As CISO, you need to instill a culture of security throughout the company and manage changes in how your company thinks about security and how your company is organized. The recommendations throughout this whitepaper come from Google’s years of leading and innovating in cloud security, in addition to the experience that Google Cloud experts have from their previous roles as CISOs and lead security engineers in major companies that have successfully navigated the journey to cloud. We are excited to collaborate with you on your cloud security transformation. Link HERE

The 2021 Snyk Infrastructure as Code Security Insights Report. Link HERE

Best Practices for Serverless Endpoints on AWS: How to Use AWS Services to Secure your Endpoints Without Provisioning Infrastructure. Link HERE, and Cloud Security Table Top Exercises HERE
Tool of the week

Google: Our new tool makes open-source security bugs easier to spot. Open Source Vulnerabilities (OSV): Google steps up its game on open-source security. Link HERE
Centralize your security response with Azure Sentinel & PagerDuty: We will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty. Link HERE
Mandiant Azure AD Investigator. Link HERE
The Missing Guide to AWS API Gateway Access Logs. Link HERE
Container Security & Tools. Link HERE – thanks to Alvin
Remember: Semgrep
Damn Vulnerable GraphQL Application. Link HERE
KS8 Threat Model. Link HERE
Forensicating Azure VMs. Link HERE

Other interesting articles

##The cloud trust paradox: 3 scenarios where keeping encryption keys off the cloud may be necessary
As we discussed in “The Cloud trust paradox: To trust cloud computing more, you need the ability to trust it less” and hinted at in “Unlocking the mystery of stronger security key management,” there are situations where the encryption keys must be kept away from the cloud provider environment. While we argue that these are rare, they absolutely do exist. Moreover, when these situations materialize, the data in question or the problem being solved is typically hugely important. Link HERE
##Knocking on Turing’s door: Quantum Computing and Machine Learning
Link HERE

##Scientists May Have Detected a Signal That Could Change Astronomy Forever
Scientists think they may have spied the universe’s “gravitational wave background” after more than a decade of searching. “There is a lot of evidence for hierarchical galaxy growth over cosmic time, whereby galaxies grow larger and more structured through mergers,” McLaughlin said. “However, there are many unanswered questions about this merger process. How many galaxies are the product of a merger? What are the roles of astrophysical processes such as stellar scattering and accretion in the merger process?” Link HERE
##And finally, Watching Androids Dream of Electric Sheep: Immersive Technology, Biometric Psychography, and the Law
Virtual reality and augmented reality present exceedingly complex privacy issues because of the enhanced user experience and reality-based models. Unlike the issues presented by traditional gaming and social media, immersive technology poses inherent risks, which our legal understanding of biometrics and online harassment is simply not prepared to address. This Article offers five important contributions to this emerging space. It begins by introducing a new area of legal and policy inquiry raised by immersive technology called “biometric psychography.” Second, it explains how immersive technology works to a legal audience and defines concepts that are essential to understanding the risks that the technology poses. Third, it analyzes the gaps in privacy law to address biometric psychography and other emerging challenges raised by immersive technology that most regulators and consumers incorrectly assume will be governed by existing law. Fourth, this Article sources firsthand interviews from early innovators and leading thinkers to highlight harassment and user experience risks posed by immersive technology. Finally, this Article compiles insights from each of these discussions to propose a framework that integrates privacy and human rights into the development of future immersive tech applications. It applies that framework to three specific scenarios and demonstrates how it can help navigate challenges, both old and new. Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine
Must see
Description: Leaking Facebook user information to external websites.
URL: https://link.medium.com/TCEdlfHR1db
Description: Grafana Admin Panel bypass in Google Acquisition (VirusTotal).
URL: http://bit.ly/3dPJJeN (+)
Description: Middleware, middleware everywhere – and lots of misconfigurations to fix.
Links HERE and HERE and credits to HERE