Security Analyst – Jeff Soehner CISSP, GXPN,GPYC,GMOB,GCIH

A financial startup (known as a fintech) has put almost half a terrabyte of data in a cloud based storage for use in a mobile app.

Security specialist with concerns for the inevitable future of OpenAPI for banking have been screaming about this nightmare for years. What do we do for the 100s of 1000s of people who have now lost their financial data?

Steps should be taken to encrypt this data at rest to address this very situation WHEN it happens and not allow the use of data by fintechs without these controls. Allowing banks to encrypt all data before it is shared and sharing the keys to registered companies may be the only sure way to prevent this in the future.

https://www.infosecurity-magazine.com/news/cloud-leak-exposes-425gb-financial/

So you thought that when all the source code was available for everyone to see, you would have a better chance of finding bugs right?

It turns out that just because everyone can read it, that doesn’t mean anyone will do anything about it? I mean, this software is created by volunteers, modified by volunteers and used by anyone who wants to use it. Who said anything about making sure it was secure?

A titan in the world of management and a hero to us all.

Forbes: Jack Welch, Former General Electric CEO And Chairman, Dies At 84. https://www.forbes.com/sites/lisettevoytko/2020/03/02/jack-welch-former-general-electric-ceo-and-chairman-dies-at-84/

I really like when someone takes the time to show how fragile our networks really are.

Use a sniffer to collect your favourite ntlmv2 challenge and plug it into your monster hashcat box. Plug it in and turn it up on high until it warms the room and soon…

Out comes your one of your corporate colleagues password! (Serve warm) 🤟

https://research.801labs.org/cracking-an-ntlmv2-hash/amp/?__twitter_impression=true

One of the security controls that mobile makes strong use of is certificate pinning.

There is a library that is commonly used by a lot of application development teams called okHttp.

Mix these two together and you have a pretty good recipe for success but what if your application isn’t built to prevent an advisary from tampering with it?

Learn how to bypass this library and defeat certificate pinning in this article.

https://captmeelo.com/pentest/2020/02/24/bypass-okhttp-cert-pinning.html

https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/

To understand why guessing a password for one of your users is so easy is to understand that your organization is only as strong as its weakest link.

Even an organization that provides security solutions like Citrix can be a victim.

Learning how to educate our users on password hygiene, investing in multi factor methods of authentication and making an investment into FIDO (https://fidoalliance.org) may be the only way we will see a return on investment in cybersecurity.

If you were wondering how an attacker can gain access to your organization when you were so careful to validate your software and your laptops and your employees, what out for how they run your software.

Docker base images have long been the target of the more sophisticated attacker now. Let’s face it, creating and setting up tomcat to run your platform isn’t really something that any development team can do so why not use a prebuilt image? It can be so easy to setup a repository and start with a known good base image but watch out for the wolf in sheep’s clothing.

https://threatpost.com/docker-registries-malware-data-theft/152734/