Archive
Cloud Database Leak Exposes 425GB of Financial Data
A financial startup (known as a fintech) put almost half a terabyte of data in cloud-based storage for use in a mobile app.
Security specialists with concerns about the inevitable future of OpenAPI for banking have been warning about this nightmare for years. What do we do for the hundreds of thousands of people whose financial data has now been exposed?
Data like this should be encrypted at rest so that, WHEN exposure happens, nothing usable leaks, and fintechs should not be allowed to handle the data without these controls. Having banks encrypt all data before it is shared, and release the keys only to registered companies, may be the only sure way to prevent this in the future.
https://www.infosecurity-magazine.com/news/cloud-leak-exposes-425gb-financial/
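Before worrying about what to do after a leak, a practitioner wants a check that catches the exposure itself. The script below is an added example, not code from the original post or from the fintech involved; it assumes the storage was an object-store bucket governed by an AWS-style JSON resource policy (the post does not name the provider) and uses a constructed policy document. It reports every Allow statement that grants access to an anonymous principal, while leaving Deny statements with `Principal: "*"` alone, since those are how you force TLS or block unencrypted uploads.

```python
"""Flag bucket-policy statements that grant public (anonymous) access.

Added example, not from the original post. Assumes an AWS-style JSON
resource policy; SAMPLE_POLICY is constructed for illustration.
"""
import json

# Constructed sample policy: one statement grants anonymous read to the bucket.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppBackend",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-fintech-data/*",
        },
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-fintech-data/*",
        },
        {
            # A Deny aimed at everyone is a control, not an exposure.
            "Sid": "RequireTLS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-fintech-data/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """The policy grammar allows scalar-or-list in several places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element means 'anyone': "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_statements(policy_json):
    """Return the Allow statements that grant access to an anonymous principal.

    Deny statements are skipped. A conditioned Allow is still reported: the
    condition may narrow the grant, but a human has to judge whether it does.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if _is_anonymous(stmt.get("Principal")):
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": _as_list(stmt.get("Action")),
                "conditioned": "Condition" in stmt,
            })
    return findings


if __name__ == "__main__":
    for f in public_statements(SAMPLE_POLICY):
        print(f"PUBLIC ALLOW: {f['sid']} actions={f['actions']} conditioned={f['conditioned']}")
```

Run against the policy of every bucket in the account and treat any output as a finding; the same walk over `Statement` works for a bucket or an account-wide policy dump, since only the JSON shape matters.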
Think Open Source Software is secure, think again?
So you thought that when all the source code is available for everyone to see, you have a better chance of finding bugs, right?
It turns out that just because everyone can read it doesn't mean anyone will do anything about it. I mean, this software is created by volunteers, modified by volunteers and used by anyone who wants to use it. Who said anything about making sure it was secure?

Forbes: Jack Welch, Former General Electric CEO And Chairman, Dies At 84
A titan in the world of management and a hero to us all.
Forbes: Jack Welch, Former General Electric CEO And Chairman, Dies At 84. https://www.forbes.com/sites/lisettevoytko/2020/03/02/jack-welch-former-general-electric-ceo-and-chairman-dies-at-84/
NTLMv2 – no problems
I really like when someone takes the time to show how fragile our networks really are.
Use a sniffer to collect your favourite NTLMv2 challenge and plug it into your monster hashcat box. Turn it up on high until it warms the room and soon…
Out comes one of your corporate colleagues' passwords! (Serve warm) 🤟
https://research.801labs.org/cracking-an-ntlmv2-hash/amp/?__twitter_impression=true
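The defender's first question after reading that is "where is NTLM still being used on my network?", because an NTLMv2 response can only be captured where NTLM network logons still happen. The script below is an added example, not code from the linked article; it summarises Windows Security Event ID 4624 fields (Authentication Package, Package Name (NTLM only), Logon Type) from a constructed, flattened key=value export. A real export from the event log or a SIEM will need its own field parser, but the classification logic is the same.

```python
"""Count NTLM (V1/V2) versus Kerberos network logons per account from 4624 events.

Added example, not from the linked article. SAMPLE_EVENTS is a constructed,
simplified key=value export of Windows Security events.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one event per line. LogonType=3 is a network logon,
# which is the case where an NTLMv2 response crosses the wire.
SAMPLE_EVENTS = """\
EventID=4624 Account=jdoe Workstation=WS-0417 SourceIP=10.20.1.17 LogonType=3 AuthPackage=NTLM LmPackage=NTLM V2
EventID=4624 Account=jdoe Workstation=WS-0417 SourceIP=10.20.1.17 LogonType=3 AuthPackage=Kerberos LmPackage=-
EventID=4624 Account=svc-backup Workstation=BKP01 SourceIP=10.20.5.3 LogonType=3 AuthPackage=NTLM LmPackage=NTLM V2
EventID=4624 Account=svc-backup Workstation=BKP01 SourceIP=10.20.5.3 LogonType=3 AuthPackage=NTLM LmPackage=NTLM V2
EventID=4624 Account=asmith Workstation=WS-0102 SourceIP=10.20.1.44 LogonType=2 AuthPackage=Negotiate LmPackage=-
EventID=4624 Account=legacy-scan Workstation=PRN-OLD SourceIP=10.20.9.9 LogonType=3 AuthPackage=NTLM LmPackage=NTLM V1
EventID=4625 Account=jdoe Workstation=WS-0417 SourceIP=10.20.1.17 LogonType=3 AuthPackage=NTLM LmPackage=NTLM V2
"""

# key=value pairs whose values may contain spaces ("NTLM V2"); a value ends
# where the next "key=" begins or the line ends.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line.strip()))


def ntlm_network_logons(text):
    """Per-account counts of successful network logons by authentication package.

    Returns {account: {"NTLM V1": n, "NTLM V2": n, "Kerberos": n}}. Only 4624
    (success) with LogonType 3 is counted; interactive logons and failures are
    out of scope for "what could a sniffer have captured".
    """
    summary = defaultdict(Counter)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthPackage") == "NTLM":
            summary[ev["Account"]][ev.get("LmPackage", "NTLM ?")] += 1
        elif ev.get("AuthPackage") == "Kerberos":
            summary[ev["Account"]]["Kerberos"] += 1
    return {acct: dict(c) for acct, c in summary.items()}


def ntlm_only_accounts(text):
    """Accounts whose network logons were all NTLM: first candidates to move to Kerberos or retire."""
    return sorted(
        acct for acct, counts in ntlm_network_logons(text).items()
        if counts.get("Kerberos", 0) == 0
    )


if __name__ == "__main__":
    for acct, counts in ntlm_network_logons(SAMPLE_EVENTS).items():
        print(f"{acct:12s} {counts}")
    print("NTLM-only accounts:", ntlm_only_accounts(SAMPLE_EVENTS))
```

Accounts that never authenticate with Kerberos, and anything still on NTLM V1, are where to start: fix the SPN or DNS problem that is forcing the fallback, then tighten the NTLM audit and restriction policies once the list is empty.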
Cert pinning bypass on okHttp
One of the security controls that mobile apps make heavy use of is certificate pinning.
There is a library commonly used by a lot of application development teams called OkHttp.
Mix these two together and you have a pretty good recipe for success, but what if your application isn't built to prevent an adversary from tampering with it?
Learn how this library is bypassed and certificate pinning defeated in this article.
https://captmeelo.com/pentest/2020/02/24/bypass-okhttp-cert-pinning.html
Hackers Were Inside Citrix for Five Months — Krebs on Security
https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/
To understand why guessing one of your users' passwords is so easy is to understand that your organization is only as strong as its weakest link.
Even an organization that provides security solutions, like Citrix, can be a victim.
Learning how to educate our users on password hygiene, investing in multi-factor methods of authentication and making an investment in FIDO (https://fidoalliance.org) may be the only way we will see a return on investment in cybersecurity.
Docker Registries Expose Hundreds of Orgs to Malware, Data Theft | Threatpost
If you were wondering how an attacker can gain access to your organization when you were so careful to validate your software, your laptops and your employees, watch out for how your software is run.
Docker base images have long been a target for the more sophisticated attacker. Let's face it, creating and setting up Tomcat to run your platform isn't really something that every development team can do, so why not use a prebuilt image? It can be so easy to set up a repository and start with a known good base image, but watch out for the wolf in sheep's clothing.
https://threatpost.com/docker-registries-malware-data-theft/152734/
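"Known good base image" is only meaningful if the Dockerfile actually names one unambiguously. The check below is an added example, not code from the Threatpost article or from any project it names; it walks the `FROM` lines of a constructed Dockerfile and flags images that are not pinned to a `sha256` digest, that use `latest` or no tag, that come from a registry outside a constructed trusted list, or whose reference is resolved from a build argument. Multi-stage references to an earlier stage are recognised and skipped.

```python
"""Flag Dockerfile FROM lines that pull an unpinned or untrusted base image.

Added example, not from the article. TRUSTED_PREFIXES and SAMPLE_DOCKERFILE
are constructed; substitute your own internal registry.
"""
import re

# Constructed policy: images from these registry/namespace prefixes are "known good".
TRUSTED_PREFIXES = ("registry.example.internal/", "docker.io/library/")

SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
ARG BASE=tomcat
FROM registry.example.internal/base/tomcat:9.0@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
FROM tomcat:latest
FROM --platform=linux/amd64 quay.io/someuser/tomcat-tuned:9
FROM ${BASE}
FROM build AS final
"""

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def canonical_image(ref):
    """Expand Docker Hub shorthand so trust checks see a full registry path.

    'tomcat' -> 'docker.io/library/tomcat', 'user/img' -> 'docker.io/user/img';
    anything whose first path element looks like a host (has '.' or ':' or is
    'localhost') is left as written.
    """
    name = ref.split("@", 1)[0]
    if "/" not in name:
        return "docker.io/library/" + name
    first = name.split("/", 1)[0]
    if "." not in first and ":" not in first and first != "localhost":
        return "docker.io/" + name
    return name


def check_dockerfile(text, trusted=TRUSTED_PREFIXES):
    """Return [(line_no, image_ref, [problems])] for every FROM that pulls a questionable image."""
    findings = []
    stages = set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.upper().startswith("FROM "):
            continue
        # FROM [--platform=...] <image> [AS <stage>]
        args = [p for p in line.split()[1:] if not p.startswith("--")]
        ref = args[0]
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])
        if ref in stages:
            continue  # reference to an earlier build stage, nothing is pulled
        problems = []
        if "$" in ref:
            problems.append("image reference comes from a build arg; resolved at build time")
        if not DIGEST_RE.search(ref):
            problems.append("no sha256 digest pin")
        # A ':' inside the last path element is a tag; a ':' in a host:port is not.
        tag = ref.split("@", 1)[0].rsplit(":", 1)
        if len(tag) == 1 or tag[1] == "latest" or "/" in tag[1]:
            problems.append("floating tag (latest or none)")
        if "$" not in ref and not canonical_image(ref).startswith(trusted):
            problems.append("untrusted registry/namespace")
        if problems:
            findings.append((n, ref, problems))
    return findings


if __name__ == "__main__":
    for n, ref, problems in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {n}: {ref}")
        for p in problems:
            print(f"    - {p}")
```

Only the digest-pinned, internally hosted image on line 3 passes. Pinning by digest is what makes "known good" verifiable: a tag can be repointed by whoever controls the registry, a digest cannot.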
Certificate Expiry – Doh
Don't you just hate it when that happens: you have a nice, professional website that is generating revenue for your company and someone forgets to renew the TLS certificate!
Packt Publishing sure does today, when it seems clear that almost all of its visitors cannot connect to its website.

It happens to many of us and it is due to poor certificate management. Microsoft Teams announced that they had surpassed Slack as the number one platform for messaging and collaboration but recently experienced an outage due to an expired certificate. Imagine how that affected their reputation and think of the brand impact that could have resulted in incalculable loss!

Whether you have one SSL/TLS certificate protecting your website or you have set up an extensive server farm both inside and outside your organization, managing certificate renewal can bite you in the A$$.
Think strongly about a certificate management program that can alert you to things like certificate expiry for websites, Internet of Things devices and even network devices. With the push to adopt HTTPS everywhere, you will need to manage certificates for almost every endpoint we use: mail, file and print services and of course all of the applications that are delivered through web browsers. Even some desktop applications are just custom shells that deliver HTTP-based content, so you may also see outages caused by certificates for popular applications like Slack and Teams on your desktop.
Prevent outages by discovering and keeping track of all of your certificates before someone else tells you!
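The alerting the post asks for comes down to one function: given an inventory of endpoints and their certificate expiry dates, which ones are inside the renewal window? The script below is an added example, not code from the original post. It uses Python's standard `ssl` module only: `fetch_not_after` does a live TLS handshake and returns the leaf certificate's `notAfter` string from `getpeercert()`, and `classify` scores a constructed offline inventory written in that same format, so the same classifier runs over live results. The thresholds are assumptions; tune them to how long your renewal process takes.

```python
"""Classify certificates in an inventory by days until expiry.

Added example, not from the original post. SAMPLE_INVENTORY is constructed;
notAfter strings use the format ssl.SSLSocket.getpeercert() returns, so the
same classifier works on live results from fetch_not_after().
"""
import socket
import ssl
from datetime import datetime, timezone

# Alert thresholds in days (assumed values): checked in order, first match wins.
THRESHOLDS = (("critical", 7), ("warning", 30))

# Constructed inventory: (name, notAfter as getpeercert() renders it).
SAMPLE_INVENTORY = [
    ("www.example.test", "Jun  1 12:00:00 2025 GMT"),
    ("mail.example.test", "Mar 10 08:30:00 2025 GMT"),
    ("printer-01.example.test", "Feb 20 00:00:00 2025 GMT"),
    ("vpn.example.test", "Feb 28 23:59:59 2025 GMT"),
]


def fetch_not_after(host, port=443, timeout=5.0):
    """Live check: TLS-connect to host:port and return the leaf cert's notAfter string."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def _as_utc(now):
    """Accept an aware datetime or an ISO-8601 string and return an aware UTC datetime."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now.astimezone(timezone.utc)


def days_remaining(not_after, now):
    """Days until expiry (negative once expired) for a getpeercert()-style notAfter."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - _as_utc(now)).total_seconds() / 86400.0


def classify(inventory, now, thresholds=THRESHOLDS):
    """Return {name: (status, days)} with status in expired/critical/warning/ok."""
    result = {}
    for name, not_after in inventory:
        days = days_remaining(not_after, now)
        status = "ok"
        if days < 0:
            status = "expired"
        else:
            for label, limit in thresholds:
                if days <= limit:
                    status = label
                    break
        result[name] = (status, round(days, 1))
    return result


if __name__ == "__main__":
    # Offline run against the constructed inventory at a fixed point in time.
    for name, (status, days) in classify(SAMPLE_INVENTORY, "2025-02-25T12:00:00+00:00").items():
        print(f"{status:8s} {days:7.1f}d  {name}")
```

In production, build the inventory by calling `fetch_not_after` for every discovered endpoint (web, mail, printers, network gear) and feed the results to `classify` with `datetime.now(timezone.utc)`; anything other than `ok` goes to whoever owns the renewal.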
Are you a Secure Programmer?
Happy New Year to those of you who read this blog, and to those folks who remember my predictions about going over 20,000 unique CVEs in 2019, I trust you may agree that 2019 was a banner year for vulnerabilities. Lucent/Alcatel are among the vendors who have CVEs that have taken us over 20,000 this year (CVE-2019-20047, 20048).
It's time to ask yourself: are the hackers getting better at 'hacking' or are coders just getting worse? When the last half of the decade has produced more than 10,000 unique vulnerabilities each year, and that number keeps increasing, we will all need to come to the conclusion that programmers just don't know how to create programs that are secure by default!
Here is a chance for some of the best and brightest programmers to change course and learn how to avoid these vulnerabilities once and for all.
A California university (UC Davis) has created an online course that can help teach the principles of secure coding. In a series of four courses, developers can learn the fundamentals, identify vulnerabilities and walk on the wild side as they learn how to hack just like a black hat!
Take one, two or the set of four courses and really understand how pentesters exploit the way code works, so you can learn how to avoid many of the common pitfalls. https://www.coursera.org/specializations/secure-coding-practices