Word of the Week

“Cellebrite exploited” – Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. A few months ago, they announced that they added Signal support to their software. Their products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software. Link HERE

AND “Nobody Cares About the Operating System Anymore” – Isn’t that a bit dramatic? Link HERE

AND Link HERE
Word of the Week Special “Adversarial Image Attacks” Link HERE
Bonus Link HERE Link HERE

OWASP Top 10 AF Edition Link HERE Link HERE Link HERE and Password Storage Cheat Sheet HERE

Type of Errors
Crypto challenge of the week

Embedded Security CTF – Scattered throughout the world in locked warehouses are briefcases filled with Cy Yombinator bearer bonds that could be worth billions comma billions of dollars. You will help steal the briefcases. Should be a milk run. Good luck. We’ll see you on a beach in St Tropez once you’re done. Link HERE

HackyEaster 2021 Link HERE
Dates
Deprecation of TLS1.0 and 1.1 HERE
The Future is More Terrifying Than We Can Imagine Link HERE
Link HERE
Book of the month The 2021 Hacker Report – by HackerOne Link HERE Link HERE
Comic of the week
##Some OWASP stuff first

–The API Security Problem
What security issues do APIs face? The Open Web Application Security Project (OWASP) has a top ten of security issues to look out for in APIs. The issues reflect those generally found on websites, as there is a lot of commonality in the way they work and communicate across the internet. Of course there are more than just 10 issues that can affect an API, but this list is a great start! With awareness of a list like this, security can really improve, but how much awareness is there? The OWASP API Security Top 10 was released in 2019, so it’s clear that this wasn’t a great concern before then. In the developer community, awareness of the API Top 10 is generally quite low, with importance being placed on the original OWASP Top 10, which focused on websites and not APIs. Awareness of that Top 10 is a great start, but it’s easy to miss the importance of security in APIs. Link HERE – thanks to Gavin
Learn OWASP TOP 10 API Security HERE

–OWASP ZAP – Dynamic Security Testing Workshop for Testers Link HERE – thanks to Javan

–Workshop: Scaling your AppSec Program with Semgrep Link HERE

–Hunting for IDORs
Anyone who’s watched Katie before knows that IDORs (Insecure Direct Object References) are some of her favourite bugs. Often caused by a single missing if statement, these lil bugs can have devastating impacts, and even worse they are everywhere! In this talk, she’ll go through the what, where, how, and fixes of these tricky bugs, giving you the ultimate IDOR / BOLA (Broken Object Level Authorisation) / BFLA (Broken Function Level Authorisation) methodology: how this can be automated and how it can’t be automated, the fixes for some of these vulnerabilities, why even with all of this they’re still some of the most common bugs to find, and why they’re worth looking for. Link HERE

–How to build a successful application security program – by Microsoft Link HERE

–Secure Deployment: 10 Pointers on Secrets Management Link HERE
Events

OWASP events HERE
TMHC Isolation Con – Red Team Link HERE
Do app sec like a boss: The top 25 pros to follow Link HERE
Incidents

Global ALERT level BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. Incident data HERE – Find your country

NCSC Weekly Threat Report

Hackers threaten to leak confidential US police data – Ransomware attackers have threatened to release sensitive data on police informants if they are not contacted within three days. Washington DC’s Metropolitan Police Department has reportedly had its network breached in a targeted attack, which has been claimed by the ransomware group named Babuk.

Hedge funds warned of complex scams – A recent report detailed how fraudsters are investing significant amounts of time and effort into elaborate scams targeting hedge funds. According to a BCG report, financial services firms are 300 times more likely than other companies to be targeted by a cyber attack. Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 131: API vulnerabilities at John Deere, Springfox, JWT lab, AutoGraphQL

Vulnerability: John Deere – John Deere is one of the leading manufacturers of expensive farming equipment, such as tractors and combine harvesters. Many of these are automated to the highest degree and cost millions of dollars. Researchers found a few vulnerabilities in the APIs behind the web and mobile applications for the machinery. John Deere has since fixed the found vulnerabilities.

Pentesting: JWT hacking challenges – JWT (JSON Web Token) vulnerabilities and attacks are a common topic in this newsletter. They are critical because JWT serves as the foundation for authentication in many modern OAuth and OpenID Connect APIs.

Tools: AutoGraphQL – AutoGraphQL by Ron Chan makes it easier to test GraphQL APIs for authorization vulnerabilities. AutoGraphQL can detect both Broken Object-Level Authorization and Broken Function-Level Authorization, making it very useful as these are high on the OWASP API Security Top 10 list. Link HERE

EP91: WEBJEDI – What happens when an unauthorized intruder gets into the network of a major bank? Amélie Koran, aka webjedi, was there for one of these intrusions and tells us the story of what happened. You can find more talks from Amélie at her website webjedi.net. Link HERE

The Security Ledger Episode 212: China’s Stolen Data Economy (And Why We Should Care) Link HERE
Incidents & events detail

FLASH Swap Attack on the Spartan Protocol – Attacker used $61m in BNB to overcome the pools via an as yet unknown economic exploit path to remove roughly $30m in funds from the pools. Links HERE and HERE – thanks to TK

Update your Macs! Malware attacks can exploit critical flaws in Apple’s built-in defences Link HERE

IBM bets homomorphic encryption is ready to deliver stronger data security for early adopters Link HERE

All Your Macs Are Belong To Us – Bypassing macOS’s file quarantine, gatekeeper, and notarization requirements Link HERE

Ransomware attack causes supermarket cheese shortage in the Netherlands – Company hit with ransomware was unable to deliver food to supermarkets. Firm’s director says he suspects hackers exploited Microsoft Exchange Server flaw. Link HERE

REvil ransomware – what you need to know – REvil is an ambitious criminal ransomware-as-a-service (RAAS) enterprise that first came to prominence in April 2019, following the demise of another ransomware gang, GandCrab. The REvil group is also known sometimes by other names such as Sodin and Sodinokibi. Link HERE

Microsoft releases a cyberattack simulator – Shall we play a game? Link HERE Link HERE

Staying safe with .NET containers Link HERE

Disaster Recovery (DR) Architecture on AWS, Part II: Backup and Restore with Rapid Recovery Link HERE
Research of the week

Argo Threat Model – The Cloud Native Computing Foundation (CNCF) tasked Trail of Bits with conducting a component-focused threat model of the Argo CD, Argo Workflows, Argo Rollouts, and Argo Events systems. This threat model reviewed Argo components across six control families. Link HERE

From 0 to RCE: Cockpit CMS – Our team searched for bugs in the source code of Cockpit, an open-source content management system. Here is the description of Cockpit from its official site: Cockpit is a headless CMS with an API-first approach that puts content first. It is designed to simplify the process of publication by separating content management from content consumption on the client side. Cockpit is focusing just on the back-end work to manage content. Rather than worry about delivery of content through pages, its goal is to provide structured content across different channels via a simple API. While investigating the Cockpit source code, we discovered numerous vulnerabilities. Attackers could exploit them to take control of any user account and perform remote code execution. Link HERE

Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google Link HERE

The Consumer Authentication Strength Maturity Model (CASMM) v5 – Visualize a user’s current internet hygiene level, and see how to improve it Link HERE

A Seismic Shift in Application Security – How to integrate and automate security in the devops lifecycle Link HERE
Tool of the week

Tenet: A Trace Explorer for Reverse Engineers – Conventional Debuggers Are Crumbling to Software Complexity, Now What? Link HERE

Seth – Seth is a tool written in Python and Bash to MitM RDP connections by attempting to downgrade the connection in order to extract clear text credentials. It was developed to raise awareness and educate about the importance of properly configured RDP connections in the context of pentests, workshops or talks. The author is Adrian Vollmer (SySS GmbH). Link HERE
How to Decrypt RDP Traffic HERE

Big List of Naughty Strings – The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar. Link HERE

Data Sources, Containers, Cloud, and More: What’s New in ATT&CK v9? Link HERE

ShellCheck – A shell script static analysis tool – ShellCheck is a GPLv3 tool that gives warnings and suggestions for bash/sh shell scripts. Link HERE

CNCF Provides Insights into Secrets Management Tools with Latest End User Technology Radar – The CNCF Technology Radar is an initiative from the CNCF End User Community, a group of more than 140 leading-edge companies and startups, such as Airbnb, Capital One, and Twitter, who use cloud native technologies and aim to identify challenges and best practices when adopting them. The Technology Radar shares insight into which tools are used by end users, and how, and which tools end users recommend for broad adoption. Link HERE – thanks to Prash
Other interesting articles

##DevOps, Observability, and the need to tear down organizational boundaries Links HERE and Changing Tools Requirements in the New Dev Sec Ops World HERE
##Iran’s Cyber Power Link HERE
##Why deepfakes are a growing cyber threat Link HERE
##Global Supply Chains in the Era of COVID-19 Our panelists examine the vulnerabilities in global supply chains exposed by the COVID-19 pandemic, resiliency options such as supplier diversification, reshoring critical industries, and stockpiling vital supplies, and the effect of such steps on international trade Link HERE
##And finally, On market concentration and cybersecurity risk Market concentration affects each component of the cybersecurity risk equation (i.e. threat, vulnerability and impact). As the Internet ecosystem becomes more concentrated across a number of vectors from users and incoming links to economic market share, the locus of cyber risk moves towards these major hubs and the volume of systemic cyber risk increases. Mitigating cyber risk requires better measurement, diversity of systems, software and firms, attention to market concentration in cyber insurance pricing, and the deliberate choice to avoid ubiquitous interconnection in critical systems Link HERE
##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine – Must see
URL: https://privatedrop.github.io/
Description: PrivateDrop – Breaking and Fixing Apple AirDrop.
URL: https://philippeharewood.com/download-facebook-internal-mobile-builds/
Description: Download Facebook internal mobile builds.
Links HERE and HERE and credits to HERE