Security Stack Sheet #117

Word of the Week

“Cellebrite exploited”

Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software.

Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

Cellebrite case on side of road.

Link HERE

AND

“Nobody Cares About the Operating System Anymore”

Isn’t that a bit dramatic?

Link HERE

AND


Link HERE

Word of the Week Special

“Adversarial Image Attacks” 


Link HERE

Bonus


Link HERE


Link HERE

OWASP Top 10 AF Edition


Link HERE


Link HERE


Link HERE and Password Storage Cheat Sheet HERE

Type of Errors


Crypto challenge of the week

Embedded Security CTF

Scattered throughout the world in locked warehouses are briefcases filled with Cy Yombinator bearer bonds that could be worth billions comma billions of dollars. You will help steal the briefcases.

Should be a milk run. Good luck. We’ll see you on a beach in St Tropez once you’re done.

Link HERE

HackyEaster 2021

Link HERE

Dates

  • May 25th 2018: almost 3 years of GDPR live! See the incidents section below. GDPR Enforcement Tracker link HERE – thanks to Marius
  • Now: TLS 1.2 mandatory for proper security. HTTPS everywhere HERE

Deprecation of TLS 1.0 and 1.1 HERE

  • 1st of July 2021 – Freedom from viruses?

The Future is More Terrifying Than We Can Imagine

Link HERE

  • 2021 15th of June – Bitcoin hits $100k
  • 2022 1st of January – Bitcoin hits $100k again


  • 2026 – First trip to Mars according to Elon Musk
  • 2043 – WW3
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA


Link HERE

Book of the month

The 2021 Hacker Report – by HackerOne


Link HERE

Link HERE

Comic of the week

Because Of The Pandemic - Dilbert by Scott Adams

##Some OWASP stuff first

–The API Security Problem

What security issues do APIs face? The Open Web Application Security Project (OWASP) has a top ten of security issues to look out for in APIs. The issues reflect those generally found on websites, as there is a lot of commonality in the way they work and communicate across the internet. Of course there are more than just 10 issues that can affect an API, but this list is a great start! With awareness of a list like this, security can really improve, but how much awareness is there?

The OWASP API Security Top 10 was released in 2019, so it’s clear that this wasn’t a great concern before then. In the developer community, awareness of the API Top 10 is generally quite low, with importance being placed on the original OWASP Top 10, which focused on websites and not APIs. Awareness of that Top 10 is a great start, but it’s easy to miss the importance of security in APIs.

Link HERE – thanks to Gavin

Learn OWASP TOP 10 API Security HERE

–OWASP ZAP – Dynamic Security Testing Workshop for Testers

Link HERE – thanks to Javan

–Workshop: Scaling your AppSec Program with Semgrep

Link HERE

–Hunting for IDORs

Anyone who’s watched Katie before knows that IDORs (Insecure Direct Object References) are some of her favourite bugs. Often caused by a single missing if statement, these lil bugs can have devastating impacts, and even worse they are everywhere! In this talk, she’ll go through the what, where, how, and fixes of these tricky bugs, giving you the ultimate IDOR / BOLA (Broken Object Level Authorisation) / BFLA (Broken Function Level Authorisation) methodology, how this can and can’t be automated, the fixes for some of these vulnerabilities, why even with all of this they’re still some of the most common bugs to find, and why they’re worth looking for.

Link HERE
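As an added illustration of the “single missing if statement” behind these bugs (example code written for this sheet, not from Katie’s talk or the newsletter; the users, invoice ids and amounts are constructed), here is a toy invoice API with the object-level (BOLA/IDOR) and function-level (BFLA) handlers shown vulnerable and then fixed:

```python
# Added example (not from the talk or the newsletter): a minimal in-memory
# "invoice API" showing the missing if-statement behind IDOR/BOLA and BFLA
# beside the hardened handlers. Users, ids and amounts are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"

INVOICES = {1001: ("alice", 120.0), 1002: ("bob", 80.0)}  # id -> (owner, amount), constructed

class NotFound(Exception):
    """Object missing or not visible to the caller; both answered as 404."""

class Forbidden(Exception):
    """Caller is authenticated but lacks the role for this function (403)."""

def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    # BOLA/IDOR: the id from the request is trusted; nothing ties it to caller.
    owner, amount = INVOICES[invoice_id]
    return {"id": invoice_id, "owner": owner, "amount": amount}

def get_invoice_secure(caller: User, invoice_id: int) -> dict:
    # Object-level check: compare the stored owner with the authenticated
    # principal, never with an owner field the client sent along.
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != caller.name:
        raise NotFound("invoice not found")  # same answer for missing and not-yours
    return {"id": invoice_id, "owner": record[0], "amount": record[1]}

def delete_invoice_vulnerable(caller: User, invoice_id: int) -> bool:
    # BFLA: an admin-only function with no role check in the handler itself.
    return INVOICES.pop(invoice_id, None) is not None

def delete_invoice_secure(caller: User, invoice_id: int) -> bool:
    # Function-level check in the handler, not in whether the UI hides the button.
    if caller.role != "admin":
        raise Forbidden("admin role required")
    return INVOICES.pop(invoice_id, None) is not None

def call(handler, caller: User, invoice_id: int):
    """Stand-in for the framework layer: map exceptions to HTTP status codes."""
    try:
        return 200, handler(caller, invoice_id)
    except Forbidden as exc:
        return 403, {"error": str(exc)}
    except (NotFound, KeyError):
        return 404, {"error": "not found"}
```

Answering “missing” and “not yours” identically in the secure getter keeps the id space from acting as an ownership oracle, which is what makes enumeration-based IDOR hunting so productive against the vulnerable version.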

–How to build a successful application security program – by Microsoft

Link HERE

–Secure Deployment: 10 Pointers on Secrets Management

Link HERE

 

Events

OWASP events HERE

TMHC Isolation Con – Red Team

Link HERE

Do app sec like a boss: The top 25 pros to follow

Link HERE

 

Incidents

Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report


Hackers threaten to leak confidential US police data

Ransomware attackers have threatened to release sensitive data on police informants if they are not contacted within three days.

Washington DC’s Metropolitan Police Department has reportedly had its network breached in a targeted attack, which has been claimed by the ransomware group named Babuk

Hedge funds warned of complex scams

A recent report detailed how fraudsters are investing significant amounts of time and effort into elaborate scams targeting hedge funds.

According to a BCG report, financial services firms are 300 times more likely than other companies to be targeted by a cyber attack

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 131: API vulnerabilities at John Deere, Springfox, JWT lab, AutoGraphQL

Vulnerability: John Deere

John Deere is one of the leading manufacturers of expensive farming equipment, such as tractors and combine harvesters. Many of these are automated to the highest degree and cost millions of dollars.

Researchers found a few vulnerabilities in the APIs behind the web and mobile applications for the machinery. John Deere has since fixed the found vulnerabilities.

Pentesting: JWT hacking challenges

JWT (JSON Web Token) vulnerabilities and attacks are a common topic in this newsletter. They are critical because JWT serves as the foundation for authentication in many modern OAuth and OpenID Connect APIs.

Tools: AutoGraphQL

AutoGraphQL by Ron Chan makes it easier to test GraphQL APIs for authorization vulnerabilities. AutoGraphQL can detect both Broken Object-Level Authorization and Broken Function-Level Authorization, making it very useful as these are high on the OWASP API Security Top 10 list.

Link HERE

EP91: WEBJEDI

What happens when an unauthorized intruder gets into the network of a major bank? Amélie Koran, aka webjedi, was there for one of these intrusions and tells us the story of what happened.

You can find more talks from Amélie at her website webjedi.net.

Link HERE

The Security Ledger

Episode 212: China’s Stolen Data Economy (And Why We Should Care)

Link HERE

Incidents & events detail

FLASH Swap Attack on the Spartan Protocol

The attacker used $61m in BNB to overcome the pools via an as-yet-unknown economic exploit path, removing roughly $30m in funds from the pools.

Links HERE and HERE – thanks to TK

Update your Macs! Malware attacks can exploit critical flaws in Apple’s built-in defences

Link HERE

IBM bets homomorphic encryption is ready to deliver stronger data security for early adopters

Link HERE

All Your Macs Are Belong To Us

Bypassing macOS’s file quarantine, gatekeeper, and notarization requirements

Link HERE

Ransomware attack causes supermarket cheese shortage in the Netherlands

Company hit with ransomware was unable to deliver food to supermarkets

Firm’s director says he suspects hackers exploited Microsoft Exchange Server flaw

Link HERE

REvil ransomware – what you need to know

REvil is an ambitious criminal ransomware-as-a-service (RAAS) enterprise that first came to prominence in April 2019, following the demise of another ransomware gang GandCrab.

The REvil group is also sometimes known by other names, such as Sodin and Sodinokibi.

Link HERE

Microsoft releases a cyberattack simulator – Shall we play a game?

Link HERE


Link HERE

Staying safe with .NET containers

Link HERE

Disaster Recovery (DR) Architecture on AWS, Part II: Backup and Restore with Rapid Recovery

Link HERE

Research of the week

Argo Threat Model

The Cloud Native Computing Foundation (CNCF) tasked Trail of Bits with conducting a component-focused threat model of the Argo CD, Argo Workflows, Argo Rollouts, and Argo Events systems. This threat model reviewed Argo components across six control families.

Link HERE

From 0 to RCE: Cockpit CMS

Our team searched for bugs in the source code of Cockpit, an open-source content management system. Here is the description of Cockpit from its official site:

Cockpit is a headless CMS with an API-first approach that puts content first. It is designed to simplify the process of publication by separating content management from content consumption on the client side.

Cockpit is focusing just on the back-end work to manage content. Rather than worry about delivery of content through pages, its goal is to provide structured content across different channels via a simple API.

While investigating the Cockpit source code, we discovered numerous vulnerabilities. Attackers could exploit them to take control of any user account and perform remote code execution.

Link HERE

Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google


Link HERE

The Consumer Authentication Strength Maturity Model (CASMM) v5

Visualize a user’s current internet hygiene level, and see how to improve it


Link HERE

A Seismic Shift in Application Security

How to integrate and automate security in the devops lifecycle


Link HERE

 

Tool of the week

Tenet: A Trace Explorer for Reverse Engineers

Conventional Debuggers Are Crumbling to Software Complexity, Now What?

Link HERE

Seth

Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear-text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH).

Link HERE

How to Decrypt RDP Traffic HERE

Big List of Naughty Strings

The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar.

Link HERE

Data Sources, Containers, Cloud, and More: What’s New in ATT&CK v9?

Link HERE

ShellCheck – A shell script static analysis tool

ShellCheck is a GPLv3 tool that gives warnings and suggestions for bash/sh shell scripts.

Link HERE

CNCF Provides Insights into Secrets Management Tools with Latest End User Technology Radar

The CNCF Technology Radar is an initiative from the CNCF End User Community, a group of more than 140 leading-edge companies and startups, such as Airbnb, Capital One, and Twitter, who use cloud native technologies and aim to identify challenges and best practices when adopting them. The Technology Radar shares insight into which tools are used by end users and how, and which tools end users recommend for broad adoption.

 

Link HERE – thanks to Prash

Other interesting articles 

##DevOps, Observability, and the need to tear down organizational boundaries

Links HERE and Changing Tools Requirements in the New Dev Sec Ops World HERE

 

##Iran’s Cyber Power

Link HERE

 

##Why deepfakes are a growing cyber threat


Link HERE

 

##Global Supply Chains in the Era of COVID-19

Our panelists examine the vulnerabilities in global supply chains exposed by the COVID-19 pandemic, resiliency options such as supplier diversification, reshoring critical industries, and stockpiling vital supplies, and the effect of such steps on international trade.

Link HERE

 

##And finally, On market concentration and cybersecurity risk

Market concentration affects each component of the cybersecurity risk equation (i.e. threat, vulnerability and impact). As the Internet ecosystem becomes more concentrated across a number of vectors, from users and incoming links to economic market share, the locus of cyber risk moves towards these major hubs and the volume of systemic cyber risk increases. Mitigating cyber risk requires better measurement, diversity of systems, software and firms, attention to market concentration in cyber insurance pricing, and the deliberate choice to avoid ubiquitous interconnection in critical systems.

Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://privatedrop.github.io/

Description: PrivateDrop – Breaking and Fixing Apple AirDrop.

URL: https://philippeharewood.com/download-facebook-internal-mobile-builds/

Description: Download Facebook internal mobile builds. 😐

Links HERE and HERE and credits to HERE

 

 

 
