Security Stack Sheet #116

Word of the Week

“Inverse Privacy” 

An item of your personal information is inversely private if some party has access to it but you do not. Inverse privacy is ubiquitous. Each interaction you have with commercial and other institutions generates inversely private data. The inverse privacy problem is unjustified inaccessibility of your inversely private data to you. Elsewhere a subset of these authors determined that the problem has a market-based solution that provides consumers with large amounts of their personal data to be mined and processed to benefit them. Here we sketch a particular solution.

Your personal data splits into four buckets:

· directly private, that which you have access to but nobody else does;

· inversely private, that which some party has access to but you do not;

· partially private, that which you and a few other parties have access to;

· public.

Links HERE and HERE and HERE

AND

Top 10 Technology Trends Impacting DevOps

Link HERE and HERE

Word of the Week Special

“The Githubification of InfoSec” 

A community-based approach in infosec can speed learning for defenders. Attack knowledge curated in the MITRE ATT&CK™ framework, detection definitions expressed in Sigma rules, and repeatable analysis written in Jupyter notebooks form a stackable set of practices. They connect knowledge to analytics to analysis.

If organizations were to contribute and share their unique expertise using these frameworks, and organizations were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization.


Link HERE

“Dependency Confusion”

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies


Link HERE and HERE

Bonus

Tattoo tweet

Link HERE – thanks to Andi


Link HERE

Link HERE

Link HERE

Crypto challenge of the week

HV20.12 Wiener waltz

Introduction

During their yearly season opening party our super-smart elves developed an improved usage of the well known RSA crypto algorithm. Under the “Green IT” initiative they decided to save computing horsepower (or rather reindeer power?) on their side. To achieve this they chose a pretty large private exponent, around 1/4 of the length of the modulus – impossible to guess. The reduction of 75% should save a lot of computing effort while still being safe. Shouldn’t it?

Mission

Your SIGINT team captured some communication containing key exchange and encrypted data. Can you recover the original message?
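The flaw the elves walked into is Wiener's attack: when d is below roughly N^(1/4)/3, the fraction k/d (with ed − kφ(N) = 1) shows up as one of the convergents of the continued fraction of e/N, so the private exponent can be read straight off the public key. Below is an added worked example, not the challenge's captured key material: the primes, d and message are constructed here, and the attack recovers d and decrypts.

```python
"""Wiener's attack on RSA with a short private exponent (d < N^(1/4)/3).

Added example: the key below is constructed here (two known primes and a
deliberately small d); it is not the challenge's captured key material.
"""
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients a0, a1, ... of num/den."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Yield successive convergents (numerator, denominator)."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k


def wiener_attack(e, n):
    """Recover d from (e, n) when d is small enough for k/d to be a convergent of e/n."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k           # candidate phi(n) implied by this k/d
        s = n - phi + 1                  # would be p + q
        disc = s * s - 4 * n             # would be (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            return d                     # (s +- root)/2 are integer factors: phi was genuine
    return None


def short_d_bound_holds(d, n):
    """Wiener's sufficient condition: d < n^(1/4) / 3."""
    return d < isqrt(isqrt(n)) // 3


# Constructed toy key: p = 2^31 - 1, q = 2^32 - 5 (both prime) and a d of
# about a quarter of the modulus length, as the challenge text describes.
P, Q = 2147483647, 4294967291
N = P * Q
PHI = (P - 1) * (Q - 1)
D = 12347
E = pow(D, -1, PHI)          # the public exponent is dictated by the chosen small d


def encrypt(m):
    return pow(m, E, N)


def decrypt(c, d):
    return pow(c, d, N)


if __name__ == "__main__":
    ciphertext = encrypt(424242)
    recovered = wiener_attack(E, N)
    print("d recovered:", recovered == D, "-> plaintext", decrypt(ciphertext, recovered))
```

The check on each convergent is the whole trick: a candidate φ is only accepted if x² − (N − φ + 1)x + N has integer roots, which can only happen for the true factorisation, so the first convergent that passes is the real d. For the challenge, feed the captured e and N into wiener_attack and the ciphertext into decrypt; the 75% saving is exactly what makes this work.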

Link HERE

Dates

  • May 25th 2018: almost 3 years of GDPR live! See the incidents section below and the GDPR Enforcement Tracker, link HERE – thanks to Marius
  • Now: TLS 1.2 mandatory for proper security; HTTPS everywhere HERE
  • 1st of July 2021 – Freedom from viruses?

Link HERE

  • 2021 15th of June – Bitcoin hits $100k

Security Concerns and Risks Related To Bitcoin

Link HERE

  • 2022 1st of January – Bitcoin hits $100k again
  • 2026 – First trip to Mars according to Elon Musk
  • 2043 – WW3

The throne behind the power: from Putin’s toilet brush to Trump’s golden bowl

Link HERE

China’s Military-Civil Fusion Strategy: What to Expect in the Next Five Years

Link HERE

  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Emerging Architectures for Modern Data Infrastructure

Data Hubs, Data Lakes and Data Warehouses: How They Are Different and Why They Are Better Together

Link HERE and HERE

Comic of the week

Dogbert Gets Greenland - Dilbert by Scott Adams

##Some OWASP stuff first

–OWASP Top-10 2021. Statistics-based proposal

OWASP Top 10 Security Risks and Vulnerabilities

Link HERE

–AppSec Bites Part 3: Has the New Virtual Reality Created Opportunities for AppSec?

Link HERE

–Threat modelling without a diagram

ISO15408 relations

Link HERE

–Who corrupted the data! Get a fast and precise answer with the taint

In vulnerability analysis, a frequent question that needs answering is: “who corrupted this data?” Data flow tainting provides a unique way to answer this question. This article presents the REVEN Taint Engine and gets under the hood.
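To make the question concrete, here is an added example of forward data-flow tainting over a constructed instruction trace. It is not REVEN code: the four-operation mini ISA, the register and memory names and the trace are invented for the illustration. Taint enters at one memory cell (the “network buffer”), flows through registers, and the engine reports which instruction last wrote tainted data to the location you ask about, plus the chain that carried it there.

```python
"""Forward data-flow taint over a constructed instruction trace, as an added
example of how tainting answers "who corrupted this data?". Not REVEN code;
the mini ISA (mov/add/load/store) and the trace are invented for the example.
Every op is modelled as "dst depends on all non-immediate sources"; a real
engine also handles partial writes, flags and implicit operands.
"""

# Constructed trace: (index, op, dst, *srcs). Memory cells look like "[0x10]".
TRACE = [
    (0, "load",  "eax", "[0x10]"),        # eax <- byte from the network buffer
    (1, "mov",   "ebx", "0x5"),           # constant, untainted
    (2, "add",   "ecx", "eax", "ebx"),    # ecx = eax + ebx -> tainted via eax
    (3, "store", "[0x20]", "ecx"),        # length field <- ecx
    (4, "mov",   "edx", "0x40"),
    (5, "store", "[0x24]", "edx"),        # untainted write
    (6, "mov",   "eax", "0x0"),           # overwriting eax clears its taint
]


def is_immediate(operand):
    return operand.startswith("0x")


def run_taint(trace, sources):
    """Propagate taint forward.

    sources: {location: label} for the attacker-controlled input.
    Returns (taint, chain): taint maps location -> set of labels, chain maps
    location -> set of instruction indices that carried the taint to it.
    """
    taint = {loc: {label} for loc, label in sources.items()}
    chain = {loc: set() for loc in sources}
    for idx, op, dst, *srcs in trace:
        labels, path = set(), set()
        for s in srcs:
            if is_immediate(s):
                continue
            labels |= taint.get(s, set())
            path |= chain.get(s, set())
        if labels:
            taint[dst] = labels
            chain[dst] = path | {idx}
        else:                             # an untainted write clears earlier taint
            taint.pop(dst, None)
            chain.pop(dst, None)
    return taint, chain


def who_corrupted(trace, sources, location):
    """Return (last tainting writer, ordered chain, labels) or None if clean."""
    taint, chain = run_taint(trace, sources)
    if location not in taint:
        return None
    path = sorted(chain[location])
    last = path[-1] if path else None     # None: the location is a source itself
    return last, path, frozenset(taint[location])


if __name__ == "__main__":
    print(who_corrupted(TRACE, {"[0x10]": "net"}, "[0x20]"))
```

Asking about the length field at [0x20] names instruction 3 as the corrupting write and 0 → 2 → 3 as the path from the network byte; asking about [0x24] returns None because nothing tainted ever reached it.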

Link HERE

–Finding More IDORs – Tips And Tricks

Link HERE

 

Events

OWASP events HERE

OWASP London virtual event 4th of March 2021

“Teaching the OWASP Top 10 to Beginning Developers” – Olivia Liddell

“Finding Your Next Bug: GraphQL Hacking” – Katie Paxton-Fear

Link HERE

OWASP Nettacker Project @OWASP Kiev

Link HERE

GOOGLE CLOUD – Security Talks 2021

Link HERE and

Cloud Security Podcast by Google

HERE

OWASP Newcastle – February 2021

-Enforcing Code & Security Standards with Semgrep

-Wham bam, thank you scam!

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report

Provided Image 

VMware Security Updates

VMware have released security updates to address a remote code execution vulnerability and a server side request forgery vulnerability affecting VMware vCenter Server and Client (CVE-2021-21972 and CVE-2021-21973). In addition, a security update is available to address a heap overflow vulnerability affecting ESXi OpenSLP (CVE-2021-21974).

Cyber security software vendor shines a light on APT vulnerabilities of choice

In a new blog post published this week, Check Point Software Technologies claims that a Chinese-affiliated attack group cloned and actively used an American cyber offensive tool

Large numbers of CNI organisations impacted by cyber attacks in the past year

A recent report has shown that many organisations within the UK CNI sector have been the target of a cyber attack in the past year, and highlights the potential risks of organisational use of legacy infrastructure connecting to corporate networks and the internet.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 122: API issues at Clubhouse and healthcare apps, scope-based recon, OAS v3.1.0

  • Vulnerability: Clubhouse

Clubhouse is an audio-only social network app for iPhone. Last Sunday, it had a data spill incident in which one of the users started streaming multiple rooms from their own website. This breaks Clubhouse’s terms of service and customer expectations: conversations are only supposed to be accessible live and only to the users in that particular room.

  • Research: API security in healthcare mobile apps

Approov has published security research by Alissa Knight on 30 popular medical healthcare apps. It is estimated that together these apps have 23 million users.

The findings of the research are pretty dismal:

  • 100% of the checked apps were vulnerable to Broken Object-Level Authorization (BOLA/IDOR) and exposing personal (PII) and health (PHI) information!
  • 50% of the APIs tested gave access to other patients’ pathology, X-rays, and clinical results.
  • 77% of applications had hard-coded API keys, tokens, or credentials

  • Methodology: Reconnaissance guidelines

Reconnaissance (aka recon) is the process of discovering the attack surface of a system under penetration testing. With modern complex systems, the attack surface can be significant, and thus the discovery could include several different approaches and tools

Link HERE

EP85: CAM THE CARDER

This is the story of Cam Harrison, aka “kilobit” and his rise and fall as a prominent carder

Link HERE

Incidents & events detail

Microsoft president asks Congress to force private-sector orgs to admit when they’ve been hacked

Senate intelligence committee hears ideas in light of SolarWinds disaster

Link HERE

Mutually Agreed Norms for Routing Security

Now, more than ever, we need a more resilient Internet. Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats

Link HERE

ZINC attacks against security researchers

Link HERE

How We Escaped Docker in Azure Functions

Link HERE

Sensitive AWS API Calls That Return Credentials and Data

Link HERE

NurseryCam Company Gets Security Help from NCSC

Link HERE

Firefox 86 Includes Total Cookie Protection

Link HERE

Senate Intelligence Committee Hearing on SolarWinds

Link HERE

Botnet Uses Blockchain to Maintain Persistence

Researchers at Akamai have discovered that a botnet being used to mine cryptocurrency is now using blockchain to facilitate infected machines’ communications with the command-and-control server. In the event that the regular command-and-control server is sinkholed, the infected machines search for the IP address of a backup server that is encoded in the Bitcoin blockchain

Link HERE

Research of the week

Avoiding npm substitution attacks

Supply chain attacks are a reality in modern software development. Thankfully, you can reduce the attack surface by taking precautions and being thoughtful about how you manage your dependencies. We hope you walk away from this with tangible steps to take to ensure you’re protecting yourself when using npm.

This post is focused on npm, but for further reading of prevention measures against supply chain attacks for other package managers, check out this whitepaper from Microsoft.

TL;DR

1. Use scopes for internal packages.

2. Use a .npmrc file in the root of a project to set the intended registry.

3. Take care when proxying.

4. Respond quickly to build failures.
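The first two points are mechanical enough to check in CI. As an added example (not code from the GitHub post), the script below reads a project's package.json and .npmrc and flags every internal package that is either unscoped or whose scope is not pinned to the private registry, which is exactly the shape of dependency Dependency Confusion exploits. The package.json, .npmrc, package names and registry URLs are constructed for the illustration; the list of internal package names is assumed to come from the private registry.

```python
"""Dependency-confusion audit for an npm project, as an added example (not
the GitHub post's code). It applies the post's first two points: internal
packages must be scoped, and the scope must be pinned to the private registry
in .npmrc. The package.json, .npmrc, names and registry URLs are constructed.
"""
import json
import re

PACKAGE_JSON = json.loads("""{
  "name": "@acme/billing-api",
  "dependencies": {
    "express": "^4.17.1",
    "acme-internal-logger": "1.4.0",
    "@acme/auth-client": "2.0.1",
    "@acme-labs/metrics": "0.9.2",
    "@contoso/widgets": "0.3.0"
  }
}""")

NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.example/
//npm.acme.example/:_authToken=${NPM_TOKEN}
"""

# Packages the organisation publishes privately (assumed; in practice read
# from the private registry's index rather than hard-coded).
INTERNAL_PACKAGES = {"acme-internal-logger", "@acme/auth-client", "@acme-labs/metrics"}

SCOPE_RE = re.compile(r"^(@[^/]+)/")


def parse_npmrc(text):
    """Map scope (None for the default) to the registry .npmrc assigns it."""
    registries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "//")):
            continue                      # comments and //host/:_authToken lines
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "registry":
            registries[None] = value.strip()
        elif key.endswith(":registry"):
            registries[key[: -len(":registry")]] = value.strip()
    return registries


def audit(package_json, npmrc_text, internal_packages):
    """Return [(package, problem)] for dependencies open to substitution."""
    registries = parse_npmrc(npmrc_text)
    default = registries.get(None, "https://registry.npmjs.org/")
    findings = []
    for name in package_json.get("dependencies", {}):
        if name not in internal_packages:
            continue                      # public packages resolve where they should
        m = SCOPE_RE.match(name)
        if m is None:
            findings.append((name, "unscoped internal package: a public package "
                                   "of the same name can shadow it"))
            continue
        scope = m.group(1)
        registry = registries.get(scope)
        if registry is None or registry == default:
            findings.append((name, f"scope {scope} is not pinned to the private "
                                   f"registry in .npmrc; it resolves via {default}"))
    return findings


if __name__ == "__main__":
    for package, problem in audit(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES):
        print(f"{package}: {problem}")
```

On the constructed input, acme-internal-logger is flagged for being unscoped and @acme-labs/metrics for having no registry line, while @acme/auth-client passes because its scope is pinned. Run the same loop over devDependencies and peerDependencies; points 3 and 4 (proxy configuration and treating a sudden build failure as a signal) are operational and do not reduce to a static check.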

Link HERE – thanks to Prash

Post-Spectre Web Development

A Collection of Interesting Ideas, 25 February 2021

In early 2018, Spectre made it clear that a foundational security boundary the web aimed to maintain was substantially less robust than expected. [SPECTRE] This revelation has pushed web browsers to shift their focus from the platform-level origin boundary to an OS-level process boundary. Chromium’s threat model, for instance, now asserts that “active web content … will be able to read any and all data in the address space of the process that hosts it”. [POST-SPECTRE-RETHINK] This shift in thinking imposes a shift in development practice, both for browser vendors, and for web developers. Browsers need to align the origin boundary with the process boundary through fundamental refactoring projects (for example, [SITE-ISOLATION] and [PROJECT-FISSION]). Moreover, browsers must provide web developers with tools to mitigate risk in the short term, and should push the platform towards safe default behaviors in the long term. The bad news is that this is going to be a lot of work, much of it falling on the shoulders of web developers. The good news is that a reasonable set of mitigation primitives exists today, ready and waiting for use.

This document will summarize the threat model which the Web Application Security Working Group espouses, point to a set of mitigations which seem promising, and provide concrete recommendations for developers responsible for protecting users’ data.
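The “mitigation primitives that exist today” are mostly response headers and a request-side policy: Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy to get a document its own process, Cross-Origin-Resource-Policy to keep your responses out of other sites' processes, and a Fetch Metadata check that refuses cross-site requests for anything that is not a top-level navigation. The following is an added example of both sides in Python, not code from the W3C note; the request header dicts are constructed.

```python
"""Post-Spectre mitigations an origin can deploy today, as an added example
(not code from the W3C note): the isolation response headers it recommends,
plus a Fetch Metadata resource-isolation check that refuses cross-site
requests for anything that is not a top-level navigation. Request dicts in
the tests are constructed.
"""

ISOLATION_HEADERS = {
    # Put the document in its own browsing context group (and process).
    "Cross-Origin-Opener-Policy": "same-origin",
    # Only load subresources that explicitly opt in via CORP or CORS.
    "Cross-Origin-Embedder-Policy": "require-corp",
    # Keep this origin's responses out of other origins' processes.
    "Cross-Origin-Resource-Policy": "same-origin",
    "X-Frame-Options": "DENY",
    # The decision below depends on these request headers, so say so to caches.
    "Vary": "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest",
}

SAME_SITE_VALUES = {"same-origin", "same-site", "none"}
EMBED_DESTINATIONS = {"object", "embed"}


def request_allowed(method, headers):
    """Resource isolation policy keyed on the Sec-Fetch-* request headers."""
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        return True                      # no Fetch Metadata (older browser): allow
    if site in SAME_SITE_VALUES:
        return True
    # Cross-site: permit only top-level GET navigations, never <object>/<embed>.
    return (headers.get("Sec-Fetch-Mode") == "navigate"
            and method.upper() == "GET"
            and headers.get("Sec-Fetch-Dest") not in EMBED_DESTINATIONS)


def cross_origin_isolated(response_headers):
    """True when COOP + COEP together opt the document into cross-origin isolation."""
    return (response_headers.get("Cross-Origin-Opener-Policy") == "same-origin"
            and response_headers.get("Cross-Origin-Embedder-Policy") == "require-corp")


def handle(method, headers, body):
    """Return (status, headers, body): 403 for requests the policy rejects."""
    if not request_allowed(method, headers):
        return 403, dict(ISOLATION_HEADERS), ""
    return 200, dict(ISOLATION_HEADERS), body


if __name__ == "__main__":
    hostile = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
               "Sec-Fetch-Dest": "script"}
    print(handle("GET", hostile, "<secret data>")[0])   # 403
```

The request check is the cheap win: a cross-site page can still navigate to you, but it can no longer pull your JSON, images or scripts into its own process where Spectre could read them. The response headers are the longer road, since require-corp breaks every third-party subresource that does not send CORP or CORS headers, which is why the note frames this as work that lands on developers.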

Link HERE

New whitepaper: CISO’s guide to Cloud Security Transformation

Moving to the cloud represents a huge opportunity to transform your company’s approach to security. To lead your security organization and your company through this transformation, you need to think differently about how you work, how you manage risk, and how you deploy your security infrastructure. As CISO, you need to instill a culture of security throughout the company and manage changes in how your company thinks about security and how your company is organized. The recommendations throughout this whitepaper come from Google’s years of leading and innovating in cloud security, in addition to the experience that Google Cloud experts have from their previous roles as CISOs and lead security engineers in major companies that have successfully navigated the journey to cloud. We are excited to collaborate with you on your cloud security transformation.

Link HERE

The 2021 Snyk Infrastructure as Code Security Insights Report

  • By 2025, 70% of container attacks will be from known vulnerabilities and misconfigurations
  • Only 26% of IaC users are confident they can spot security mistakes in their configurations
  • 48% of organizations say automated code testing for IaC in CI/CD would increase their confidence in spotting misconfigurations

Link HERE

Best Practices for Serverless Endpoints on AWS

How to Use AWS Services to Secure your Endpoints Without Provisioning Infrastructure

Link HERE and Cloud Security Table Top Exercises HERE

 

Tool of the week

Google: Our new tool makes open-source security bugs easier to spot

Open Source Vulnerabilities (OSV)

Google steps up its game on open-source security

Link HERE

Centralize your security response with Azure Sentinel & PagerDuty

We will cover the process to integrate and centralize your security response in Azure Sentinel with PagerDuty


Link HERE

Mandiant Azure AD Investigator

Link HERE

The Missing Guide to AWS API Gateway Access Logs

Link HERE

Container Security & Tools

Link HERE – thanks to Alvin

Remember: Semgrep


Link HERE and How to HERE

Damn Vulnerable GraphQL Application

Link HERE

K8s Threat Model

Kubernetes Trust Boundaries - Courtesy of CNCF

Link HERE

Forensicating Azure VMs

Link HERE

Other interesting articles 

##The cloud trust paradox: 3 scenarios where keeping encryption keys off the cloud may be necessary

As we discussed in “The Cloud trust paradox: To trust cloud computing more, you need the ability to trust it less” and hinted at in “Unlocking the mystery of stronger security key management,” there are situations where the encryption keys must be kept away from the cloud provider environment. While we argue that these are rare, they absolutely do exist. Moreover, when these situations materialize, the data in question or the problem being solved is typically hugely important.

Link HERE

 

##Knocking on Turing’s door: Quantum Computing and Machine Learning

Link HERE 

##Scientists May Have Detected a Signal That Could Change Astronomy Forever

Scientists think they may have spied the universe’s “gravitational wave background” after more than a decade of searching

“There is a lot of evidence for hierarchical galaxy growth over cosmic time, whereby galaxies grow larger and more structured through mergers,” McLaughlin said. “However, there are many unanswered questions about this merger process. How many galaxies are the product of a merger? What are the roles of astrophysical processes such as stellar scattering and accretion in the merger process?”

Link HERE

 

##And finally, Watching Androids Dream of Electric Sheep: Immersive Technology, Biometric Psychography, and the Law

Virtual reality and augmented reality present exceedingly complex privacy issues because of the enhanced user experience and reality-based models. Unlike the issues presented by traditional gaming and social media, immersive technology poses inherent risks, which our legal understanding of biometrics and online harassment is simply not prepared to address. This Article offers five important contributions to this emerging space. It begins by introducing a new area of legal and policy inquiry raised by immersive technology called “biometric psychography.” Second, it explains how immersive technology works to a legal audience and defines concepts that are essential to understanding the risks that the technology poses. Third, it analyzes the gaps in privacy law to address biometric psychography and other emerging challenges raised by immersive technology that most regulators and consumers incorrectly assume will be governed by existing law. Fourth, this Article sources firsthand interviews from early innovators and leading thinkers to highlight harassment and user experience risks posed by immersive technology. Finally, this Article compiles insights from each of these discussions to propose a framework that integrates privacy and human rights into the development of future immersive tech applications. It applies that framework to three specific scenarios and demonstrates how it can help navigate challenges, both old and new.

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://ysamm.com/?p=627

Description: Leaking Facebook user information to external websites.

URL: https://link.medium.com/TCEdlfHR1db   

Description: Grafana Admin Panel bypass in Google Acquisition (VirusTotal).

URL: http://bit.ly/3dPJJeN  (+)

Description: Middleware, middleware everywhere – and lots of misconfigurations to fix.

Links HERE and HERE and credits to HERE
