Word of the Week
An item of your personal information is inversely private if some party has access to it but you do not. Inverse privacy is ubiquitous. Each interaction you have with commercial and other institutions generates inversely private data. The inverse privacy problem is unjustified inaccessibility of your inversely private data to you. Elsewhere a subset of these authors determined that the problem has a market-based solution that provides consumers with large amounts of their personal data to be mined and processed to benefit them. Here we sketch a particular solution.
Your personal data splits into four buckets:
· directly private, that which you have access to but nobody else does;
· inversely private, that which some party has access to but you do not;
· partially private, that which you and a few other parties have access to;
Top 10 Technology Trends Impacting DevOps
Word of the Week Special
“The Githubification of InfoSec”
A community-based approach in infosec can speed learning for defenders. Attack knowledge curated in the MITRE ATT&CK™ framework, detection definitions expressed in Sigma rules, and repeatable analysis written in Jupyter notebooks form a stackable set of practices. They connect knowledge to analytics to analysis.
If organizations were to contribute and share their unique expertise using these frameworks, and organizations were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization.
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Link HERE – thanks to Andi
Crypto challenge of the week
HV20.12 Wiener waltz
Security Concerns and Risks Related To Bitcoin
The throne behind the power: from Putin’s toilet brush to Trump’s golden bowl
China’s Military-Civil Fusion Strategy: What to Expect in the Next Five Years
Book of the month
Emerging Architectures for Modern Data Infrastructure
Data Hubs, Data Lakes and Data Warehouses: How They Are Different and Why They Are Better Together
Comic of the week
##Some OWASP stuff first
–OWASP Top-10 2021. Statistics-based proposal
–AppSec Bites Part 3: Has the New Virtual Reality Created Opportunities for AppSec?
–Threat modelling without a diagram
–Who corrupted the data! Get a fast and precise answer with the taint
In vulnerability analysis, a frequent question that needs answering is: “who corrupted this data?” Data flow tainting provides a unique way to answer this question. This article presents REVEN Taint Engine and gets under the hood
–Finding More IDORs – Tips And Tricks
OWASP events HERE
OWASP London virtual event 4th of March 2021
“Teaching the OWASP Top 10 to Beginning Developers” – Olivia Liddell
“Finding Your Next Bug: GraphQL Hacking” – Katie Paxton-Fear
OWASP Nettacker Project @OWASP Kiev
GOOGLE CLOUD – Security Talks 2021
Link HERE and
Cloud Security Podcast by Google
OWASP Newcastle – February 2021
-Enforcing Code & Security Standards with Semgrep
-Wham bam, thank you scam!
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE Find your country
NCSC Weekly Threat Report
VMware Security Updates
Cyber security software vendor shines a light on APT vulnerabilities of choice
Large numbers of CNI organisations impacted by cyber attacks in the past year
API Security Issue 122: API issues at Clubhouse and healthcare apps, scope-based recon, OAS v3.1.0
EP85: CAM THE CARDER
This is the story of Cam Harrison, aka “kilobit”, and his rise and fall as a prominent carder.
Incidents & events detail
Microsoft president asks Congress to force private-sector orgs to admit when they’ve been hacked
Senate intelligence committee hears ideas in light of SolarWinds disaster
Mutually Agreed Norms for Routing Security
Now, more than ever, we need a more resilient Internet. Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.
ZINC attacks against security researchers
How We Escaped Docker in Azure Functions
Sensitive AWS API Calls That Return Credentials and Data
NurseryCam Company Gets Security Help from NCSC
Firefox 86 Includes Total Cookie Protection
Senate Intelligence Committee Hearing on SolarWinds
Botnet Uses Blockchain to Maintain Persistence
Researchers at Akamai have discovered that a botnet being used to mine cryptocurrency is now using blockchain to facilitate infected machines’ communications with the command-and-control server. In the event that the regular command-and-control server is sinkholed, the infected machines search for the IP address of a backup server that is encoded in the Bitcoin blockchain.
Research of the week
Avoiding npm substitution attacks
Supply chain attacks are a reality in modern software development. Thankfully, you can reduce the attack surface by taking precautions and being thoughtful about how you manage your dependencies. We hope you walk away from this with tangible steps to take to ensure you’re protecting yourself when using npm.
1. Use scopes for internal packages.
2. Use a .npmrc file in the root of a project to set the intended registry.
3. Take care when proxying.
4. Respond quickly to build failures.
Link HERE – thanks to Prash
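As an added example (not code from the npm article or from npm itself) that applies steps 1 and 2 above: a small Node.js audit that reads a project's package.json and .npmrc and flags internal packages that are either unscoped or whose scope is not pinned to a registry. The "@acme" scope, the registry URL and the package names are constructed sample values.

```javascript
function parseNpmrc(text) {
  // Extract the default registry and every "@scope:registry=<url>" pin from .npmrc text.
  const rc = { defaultRegistry: null, scopes: new Map() };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === "registry") rc.defaultRegistry = value;
    else if (key.startsWith("@") && key.endsWith(":registry")) {
      rc.scopes.set(key.slice(0, -":registry".length), value);
    }
  }
  return rc;
}
function auditDependencies(pkg, npmrcText, internalNames) {
  // internalNames: Set of package names the organisation publishes on its private registry.
  const rc = parseNpmrc(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!internalNames.has(name)) continue; // public packages are out of scope here
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (scope === null) {
      // Step 1 violated: an unscoped internal name can be registered on the public registry.
      findings.push({ name, level: "high", reason: "internal package is unscoped" });
    } else if (!rc.scopes.has(scope)) {
      // Step 2 violated: nothing tells npm which registry serves this scope.
      findings.push({ name, level: "medium", reason: `${scope} not pinned in .npmrc` });
    }
  }
  return findings;
}
// Constructed sample project (assumed names): two internal scopes, only "@acme" pinned.
const SAMPLE_PACKAGE_JSON = {
  name: "payments-service",
  dependencies: {
    express: "^4.17.1",
    "@acme/auth-client": "^2.0.0",
    "@acme-legacy/config": "^1.0.0",
    "acme-internal-utils": "^0.9.0",
  },
};
const SAMPLE_NPMRC = "@acme:registry=https://npm.acme.example/\nregistry=https://registry.npmjs.org/\n";
const INTERNAL = new Set(["@acme/auth-client", "@acme-legacy/config", "acme-internal-utils"]);
const SAMPLE_FINDINGS = auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, INTERNAL);
```

Running this on the sample yields one medium finding for the unpinned "@acme-legacy" scope and one high finding for the unscoped "acme-internal-utils"; wire the same check into CI so a new internal dependency cannot land without a scope and a registry pin.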
Post-Spectre Web Development
A Collection of Interesting Ideas, 25 February 2021
In early 2018, Spectre made it clear that a foundational security boundary the web aimed to maintain was substantially less robust than expected. [SPECTRE] This revelation has pushed web browsers to shift their focus from the platform-level origin boundary to an OS-level process boundary. Chromium’s threat model, for instance, now asserts that “active web content … will be able to read any and all data in the address space of the process that hosts it”. [POST-SPECTRE-RETHINK] This shift in thinking imposes a shift in development practice, both for browser vendors, and for web developers. Browsers need to align the origin boundary with the process boundary through fundamental refactoring projects (for example, [SITE-ISOLATION] and [PROJECT-FISSION]). Moreover, browsers must provide web developers with tools to mitigate risk in the short term, and should push the platform towards safe default behaviors in the long term. The bad news is that this is going to be a lot of work, much of it falling on the shoulders of web developers. The good news is that a reasonable set of mitigation primitives exists today, ready and waiting for use.
This document will summarize the threat model which the Web Application Security Working group espouses(?), point to a set of mitigations which seem promising, and provide concrete recommendations for developers responsible for protecting users’ data
New whitepaper: CISO’s guide to Cloud Security Transformation
Moving to the cloud represents a huge opportunity to transform your company’s approach to security. To lead your security organization and your company through this transformation, you need to think differently about how you work, how you manage risk, and how you deploy your security infrastructure. As CISO, you need to instill a culture of security throughout the company and manage changes in how your company thinks about security and how your company is organized. The recommendations throughout this whitepaper come from Google’s years of leading and innovating in cloud security, in addition to the experience that Google Cloud experts have from their previous roles as CISOs and lead security engineers in major companies that have successfully navigated the journey to cloud. We are excited to collaborate with you on your cloud security transformation.
The 2021 Snyk Infrastructure as Code Security Insights Report
Best Practices for Serverless Endpoints on AWS
How to Use AWS Services to Secure your Endpoints Without Provisioning Infrastructure
Tool of the week
Google: Our new tool makes open-source security bugs easier to spot
Open Source Vulnerabilities (OSV)
Google steps up its game on open-source security
Centralize your security response with Azure Sentinel & PagerDuty
We will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty
Mandiant Azure AD Investigator
The Missing Guide to AWS API Gateway Access Logs
Container Security & Tools
Link HERE – thanks to Alvin
Damn Vulnerable GraphQL Application
KS8 Threat Model
Forensicating Azure VMs
Other interesting articles
##The cloud trust paradox: 3 scenarios where keeping encryption keys off the cloud may be necessary
As we discussed in “The Cloud trust paradox: To trust cloud computing more, you need the ability to trust it less” and hinted at in “Unlocking the mystery of stronger security key management,” there are situations where the encryption keys must be kept away from the cloud provider environment. While we argue that these are rare, they absolutely do exist. Moreover, when these situations materialize, the data in question or the problem being solved is typically hugely important.
##Knocking on Turing’s door: Quantum Computing and Machine Learning
##Scientists May Have Detected a Signal That Could Change Astronomy Forever
Scientists think they may have spied the universe’s “gravitational wave background” after more than a decade of searching.
“There is a lot of evidence for hierarchical galaxy growth over cosmic time, whereby galaxies grow larger and more structured through mergers,” McLaughlin said. “However, there are many unanswered questions about this merger process. How many galaxies are the product of a merger? What are the roles of astrophysical processes such as stellar scattering and accretion in the merger process?”
##And finally, Watching Androids Dream of Electric Sheep: Immersive Technology, Biometric Psychography, and the Law
Virtual reality and augmented reality present exceedingly complex privacy issues because of the enhanced user experience and reality-based models. Unlike the issues presented by traditional gaming and social media, immersive technology poses inherent risks, which our legal understanding of biometrics and online harassment is simply not prepared to address. This Article offers five important contributions to this emerging space. It begins by introducing a new area of legal and policy inquiry raised by immersive technology called “biometric psychography.” Second, it explains how immersive technology works to a legal audience and defines concepts that are essential to understanding the risks that the technology poses. Third, it analyzes the gaps in privacy law to address biometric psychography and other emerging challenges raised by immersive technology that most regulators and consumers incorrectly assume will be governed by existing law. Fourth, this Article sources firsthand interviews from early innovators and leading thinkers to highlight harassment and user experience risks posed by immersive technology. Finally, this Article compiles insights from each of these discussions to propose a framework that integrates privacy and human rights into the development of future immersive tech applications. It applies that framework to three specific scenarios and demonstrates how it can help navigate challenges, both old and new.
##HACKING, TOOLS and FUN – CHECK BELOW!
Description: Leaking Facebook user information to external websites.
Description: Grafana Admin Panel bypass in Google Acquisition (VirusTotal).
URL: http://bit.ly/3dPJJeN (+)
Description: Middleware, middleware everywhere – and lots of misconfigurations to fix.