Word of the Week
“Ransomcloud”
Types of RansomCloud attack
Link HERE and HERE and HERE and HERE and HERE and HERE

Word of the Week Special
“Why Is the Majority of Our MFA So Phishable?”
The huge push to multifactor authentication (MFA) is ostensibly to help people avoid getting so easily phished. But are we making the same mistake with MFA and making too much of it too easily phishable? Will we be pushing our organizations and end-users to MFA only to repeat many of the same mistakes? The US government is worried about it. You should be worried as well.
Link HERE

“Why Zero-Days Are Essential to Security”
Link HERE and HERE – thanks to Andi and Javan
And Google on the topic HERE and Bruce Schneier HERE

Want to find yourself? This tool HERE

Bonus
// You merely adopted broken CSS,
// By TK
Link HERE
From TL;DR SEC

Crypto challenge of the week
Hacky Easter 2022 Teaser
Link HERE
Dates
Book of the month
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Link HERE

Link HERE
Comic of the week

##Some OWASP stuff first
–OWASP Top 10 2021 by Jim Manico
Link HERE
–THE INVISIBLE JAVASCRIPT BACKDOOR
A few months ago we saw a post on the r/programminghorror subreddit: a developer describes the struggle of identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. This post inspired an idea: what if a backdoor literally cannot be seen and thus evades detection even from thorough code reviews?
Link HERE
–Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond
Link HERE

Events
OWASP events HERE
Open Security Summit
ASVS User Stories Creation – Part 8
Check out their (lateral) moves! The importance of blast radius in DevSecOps
Using Teleport to Secure SSH and Kubernetes Access
The OWASP Top Ten 2021 Release
Learn Threat Modeling using the amazing OSS resources
Cooking The Perfect Docker Container For A React App
Agile Threat Modeling with Open-Source Tools
Using Jira to Map and Visualise Risks
Going Multicloud: Securing Human and Service Identities in AWS vs Azure
Using Elastic and Kibana for Scale and Security Visualisation
Threat Mapping – A Workshop Discussion
Developing Secure Multi-Cloud Kubernetes Applications
CVE CWE CVSS CWSS where do I look first?
Creating a Scalable API Test Framework using AWS and Elastic
Panel – Prioritizing Risks and Vulnerabilities based on Context
Link HERE
Link HERE – thanks to Prash

Incidents
Global ALERT level BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
Incident data HERE
Find your country
NCSC Weekly Threat Report
56% of UK businesses plan to hire a CISO
A survey of UK information security and IT professionals conducted by cloud provider Fastly showed that over half (56%) plan to employ a Chief Information Security Officer (CISO) over the next six months to two years.
Cyber attacks lead to data breaches
High-profile cyber attacks continue to affect a wide range of demographics. This week alone there has been widespread reporting of an incident affecting an organisation handling Labour Party members’ data, and a ransomware attack on high-end jeweller Graff.
Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security
Issue 159: Vulnerability in GoCD CI/CD platform, views on full lifecycle API security, articles on API security and sprawl
Case study: Raiffeisen Bank International on their journey toward full lifecycle API security
Gerdenitsch describes how RBI made a shift toward a product-led agile structure in 2019. This transition included the role of Security Champion within each of the product DevSecOps teams: Security Champions lead in all aspects of product security within their business unit. A key point is that it is a volunteer-driven role. RBI’s experience was that they had no shortage of volunteers and that they got much interest from a variety of disciplines within the organization. As with many popular Security Champion programs, RBI opted to use the martial arts’ belt system, shown below: in terms of API security, the blue belt level included specialized courses just on API security, and at the black belt level the focus was on hands-on manual pentest skills.
Link HERE

EP104: ARYA
Arya Ebrahami has had quite a personal relationship with darknet marketplaces. In this episode you’ll hear about his adventures on Tor.
Link HERE
The Security Ledger Episode 230: Are Vaccine Passports Cyber Secure?
Link HERE

Incidents & events detail
A pair of PS5 hacks could be the first steps towards jailbreaking Sony’s latest console
Link HERE
“Squid Game” and Google Ads Crypto Scams Illustrate the Risks of an Unregulated Marketplace
Link HERE and HERE and reaction HERE
Hunting for secrets in Docker Hub: what we’ve found
Link HERE

Research of the week
Trojan Source: Invisible Vulnerabilities
We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as we call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. We present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. We propose definitive compiler-level defences, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.
Bugs in our Pockets: The Risks of Client-Side Scanning
In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.
Link HERE
Analysing a watering hole campaign using macOS exploits
Link HERE

Tool of the week
Exploiting and defending anonymous access in Azure
Link HERE
Measure and Improve Your Application Resilience with AWS Resilience Hub
Link HERE
Passhunt
Simple tool for searching for default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords.
Link HERE
THE COGNITIVE BIAS CODEX
Link HERE

Other interesting articles
##Magic Quadrant for Web Application and API Protection
Strategic Planning Assumptions
Gartner defines web application and API protection (WAAP) as the evolution of the web application firewall market (WAF), expanding WAF capabilities to four core features (see Defining Cloud Web Application and API Protection Services):
Link HERE

##And finally,
Will the craze for crypto startups ever produce the next tech giant? As big investors weigh in, valuations are reaching the stratosphere
Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!
AppSec Ezine
Must see
URL: https://hackerone.com/reports/1213765
Description: Reddit IDOR to pay less for coin purchases.
URL: https://bugs.chromium.org/p/chromium/issues/detail?id=1251541
Description: Google Chrome NTP XSS via Google Search CSRF.
URL: https://bit.ly/3HefPwH (+)
Description: Becoming A Super Admin In Someone Else's Gsuite Org. And Taking It Over.
Links HERE and credits to HERE
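As an added example (not code from this newsletter, the Trojan Source paper, or the invisible-JavaScript-backdoor post), the scanner below is the kind of repository or build-pipeline check the Trojan Source abstract recommends while compilers catch up: it flags the Unicode bidi control characters that reorder displayed source, plus invisible characters that can hide inside identifiers. The specific Hangul Filler code points listed as invisible letters are my assumption, not something the page names.

```python
import unicodedata

# Bidi embeddings/overrides/isolates (U+202A..U+202E, U+2066..U+2069) that
# Trojan Source abuses to make displayed token order differ from logical order.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Assumed set: characters that render as nothing but are valid identifier
# letters, so an identifier can look identical to another one on screen.
INVISIBLE_LETTERS = {"\u3164": "HANGUL FILLER", "\uffa0": "HALFWIDTH HANGUL FILLER"}


def find_suspicious_chars(source: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, codepoint, label) for each character that could
    hide logic from a reviewer: bidi controls, invisible letters, and other
    zero-width format characters (Unicode category Cf, e.g. U+200B)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                label = "bidi " + BIDI_CONTROLS[ch]
            elif ch in INVISIBLE_LETTERS:
                label = "invisible " + INVISIBLE_LETTERS[ch]
            elif unicodedata.category(ch) == "Cf":
                label = "format " + unicodedata.name(ch, "UNKNOWN")
            else:
                continue
            findings.append((lineno, col, f"U+{ord(ch):04X}", label))
    return findings


def source_is_clean(source: str) -> bool:
    """Gate for a pre-commit hook or CI step: any finding fails the check."""
    return not find_suspicious_chars(source)


if __name__ == "__main__":
    # Constructed sample: a string literal carrying an RLO override (the
    # Trojan Source trick) and an identifier made of a Hangul Filler.
    SAMPLE = (
        'access = "user\u202e"  # comment\n'
        "\u3164 = 1\n"
        "print(access)\n"
    )
    for line, col, cp, label in find_suspicious_chars(SAMPLE):
        print(f"line {line} col {col}: {cp} {label}")
    print("clean:", source_is_clean(SAMPLE))
```

Run it over every text file in a commit (or wire it into a pre-commit hook) and fail the pipeline on any finding; legitimate right-to-left text in comments can then be whitelisted explicitly rather than silently accepted.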