Credit the face app

Is your social media feed full of old people? Are we turning into a dystopia a la ‘Walking Dead’ where everyone is ageing quickly?

No, it’s the latest epidemic called FaceApp

I’m a bit concerned about the massive rise in popularity of such an app and it has nothing to do with what my older self looks like.

The list of people using the face app includes a vast array of famous personalities, including Gordon Ramsay as above. I have refrained from downloading and using the app, as it sounds rather dubious.

The app uses artificial intelligence to change your photos — changing them so that users look younger or older, or swapping their genders. It also lets you remove facial hair, change your hairstyle or add makeup.

It might seem quite appealing to download a free trial of an app, but you have to ask what’s hidden behind a free service? The answer is you and your data, in this case, the use of your face. So I went through the T&C and guess what? They can do whatever they want with your data.

Update 29/7/19

Credit The hacker news

New ‘feature’ now enables you to download your picture for ‘free’ but in exchange it request unnecessarily request access to the contacts and request to authenticate with facebook account

This has been confirmed also by the well known security website The hacker news:

https://thehackernews.com/2019/07/faceapp-facebook-privacy.html?m=1

What does this mean? Fundamentally giving access to the app the right to authenticate using the Facebook token and gather information on your friends.

This create a list of profiles and a map of facebook in all effect providing invaluable insight in any intelligence service or product analytics.

Apparently the feature was supposed to support a feature called “social Stylyst” that now is disabled…but what do you know…the app still request the collection of users

Even more concerning is that the app has been created and launched by Russian firm Wireless Lab. Russia is renowned for adopting hybrid warfare, which is the practice of using non-conventional weapons, like information and cyberspace, also known as the internet, to destabilise a country.

Another issue surrounding the app has been on the charges.

People are being charged the full annual charge on sign up — as they failed to honour the three-day free trial is offered. There is now no response to complaints and no refunds being issued.

This has sparked a huge debate online with articles on any significant outlets, including the likes of TechCrunch.

Dangerous Terms and Conditions

The real danger of using such an app is in the subtle (or not so subtle)terms and conditions.

Let me point out section 5 of the FaceApp t’s and c’s: use, reproduce, modify and adapt user content and media… in a nutshell, you are saying ‘here is my face do whatever you want with it’.

You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.

WOW…..

For a full list of the scary T&C refer to https://faceapp.com/terms

But you don’t have to listen to my warnings, I’m no lawyer, but hopefully, you will trust a real one.

Tiffany Li, a technology attorney and legal scholar, who is a Postdoctoral Fellow at Yale Law School’s Information Society Project, said users should also be worried about the overall privacy protection model.

“Stop using FaceApp because there are no controls on how your face data is used. But also — walking around anywhere can get your face included in facial recognition databases. So … stop going outside? This privacy protection model doesn’t work,” she wrote on Twitter.

Tiffany and Tech crunch are not the only ones complaining about the app publicly. Lisa Ventura, recent winner of Cybersecurity woman of the year, raise the awareness on the community

All of this also throws up the issue of informed consent. Terms and conditions are commonly littered with such legal jargon that no one reads them, and as security professionals, we should all do more on informed consent and have a set of principles to inform the users on what their data will be used for, in clear terms anyone can understand.

So should you use it?

I’d say no if you care about your face and your data!

Using AI to alter human faces is a well-known research method, and according to an IEEE research paper this, typically, boils down two techniques

• Either having an algorithm to analyse pairs of images where a person differs in age,
• Showing algorithm pictures of younger people and pictures of older people to identify similarities that are independent of a person’s identity.

Looking at FaceApp’s creations, the app tends to whiten hair, add wrinkles and jowls, and redden the skin.

But the age database with millions of pictures already exists…the problem with that database is the T’s & C’s does not consent for re-using or changing the image…

Earlier this year, an NBC News report detailed how IBM created a facial recognition dataset of more than a million people by scraping publicly available images.

If I’m honest sharing pictures on Instagram and Facebook is not that much different…

Facebook says in its usage policies that it uses and can similarly modify your data.

Facebook and Instagram are even more explicit in its privacy policy: “We use the information we have (including from research partners we collaborate with) to conduct and support research and innovation on topics of general social welfare, technological advancement, public interest, health, and well-being.”

Nonetheless, Facebook and FaceApp are very different in principle and nature. One is a shady, operating company, with shifting and dubious privacy policies and intent, under scrutiny from all media and the other is a Russian born app called FaceApp.

As Lauren Conrad once said: “Like everybody and trust no one.”

Should you use the app? Well, I’ll let you judge by yourself, but don’t trust anyone, read the T&Cs and make your call.

So I have adopted yubico for few days…on the browser (chrome) quite a breeze…

Have used it to authenticate on devices all good…

Hence I said why not take it to the next level? What could go wrong…

And I have to admit I failed …I failed myself and I had to hack myself back or around the yubico (from hell)

Hell everything and at the time you need it most.

Lesson learned:

Always backup, have an alternative account to login and never ever trust technology.

Also, we are not there yet with the simplicity of interaction, at least for the smart card

Note — in those situations you need hand holding of some client trough recovery step…this could be misused but nonetheless required to help onboarding people.

The setup:

MacOS X Mojave

Yubico 5 USBC

https://support.yubico.com/support/solutions/articles/15000006478-getting-started-with-the-yubikey-on-macos

The Setup in detail

Setup yubico on the browser -> https://support.google.com/accounts/answer/6103523

Open the Chrome browser.

Go to your Google Account.

On the left navigation panel, select Security.

In the “Signing in to Google” panel, select 2-Step Verification.

• If you haven’t set up 2-Step Verification already, select Get started. Otherwise, move on.

Select Choose another option

Security Key.

Follow the steps to add your security key.

• To help you sign in if your key is lost, add recovery info and backups.

2. Setup yubico for MFA

• Open Terminal.
• Insert your YubiKey to an available USB port on your Mac.
• Run: ykpamcfg -2
• If you selected the Require touch option, touch the metal contact on your YubiKey when it begins flashing.
• Repeat these steps for any additional YubiKeys you wish to associate with your account.

3. Setup Yubico for screensaver (safe)

• Now the Mac can be configured to require two-factor authentication for the screensaver.
• Open Terminal.
• Run: sudo nano /etc/pam.d/screensaver
• When prompted, type your password and press Enter.
• Add the line below above the account required pam_opendirectory.so line.
• auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response

4. Setup yubico for authentication (be careful this is painful if fails)

• Open Terminal.
• Run: sudo nano /etc/pam.d/authorization
• When prompted, type your password and press Enter.
• Add the line below above the account required pam_opendirectory.so line.
• auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response
• Press Ctrl+X, Y, and then Enter to save the file.

Notes

1. Failvault password is still required
2. Enabling the macOS Login Tool is a system-wide change and will affect all accounts on the Mac. Unlike in Linux, it is not possible in macOS to apply PAM rules to select user accounts.
3. If Touch ID is enabled, it will bypass the macOS Login Tool due to how Touch ID was implemented.

The Fail

After reboot, I’ve tried to log-in with yubico…first of all didn’t work and it was not that clear that you’d need to log in with file vault (of course disk is encrypted)

Once at the login screen was not prompted for a PIN when using the yubico and the certificate/key injected was not working.

The panic

So what do I do?

• Try credentials without the yubico (does not work due to the sequence of authentication and authorization)
• Reboot and reset password — not working
• Reboot and try a soft reset or reboot in user mode (command+s) — not working (thank god for file vault…or not in this case) — https://support.apple.com/en-gb/HT201573
• Hard reset (command+r) not working again — need to mount the disk…somehow the password was desync. https://support.apple.com/en-gb/HT201314
• Despair
• Cry

• Call for a miracle

I Started hearing this:

• Reset Credentials (with icloud) — not working
• Resort to backup Time Capsule … frantically trying to find back the credentials and failed multiple times. Emergency reset of the network drive
• After I’ve managed to get access to my network drive there was no backup
• At this point I really was hoping someone would walk in and wake me up…
• Ok no panic…i have to hack me back into working

Hacking myself back…or around yubico

• Enable SSH daemon from command + r
• Enable shell
• Mount Disk (need to know the password) and unencrypted
• gain back root
• Mount the drive (from graphic or command prompt mount -rw drive name)
• Navigate into the drive (cd. cd /Volumes/drive/etc…)
• Modify back the auth and authorization files
• sudo vim /Volumes/drive/etc/pam.d/authorization (nano does not work in recovery mode) — where the drive is the name of your drive
• Remove the line below:
• auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response
• Modify back the auth for screensaver files
• sudo vim sudo vim /Volumes/drive/etc/pam.d/screensaver (nano does not work in recovery mode) — where the drive is the name of your drive
• Remove the line below:
• auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response
• Reboot
• Login with reset credentials

Cry for joy, drink whiskey, be marry

The lesson:

• Keep the drive encrypted is more difficult to go around the password reset
• There are multiple ways around yubico but you still need to know some of the credentials (file vault and admin)
• Suggestion: Keep file vault and admin separate
• The admin needs to be different from the sudoers/admin
• Keep normal account not admin -> sudo everything else
• Keep Backup available on multiple drives on multiple locations (potentially one emergency one in geolocation separate)
• Systematically backup your files with one backup option
• Backup the files on cloud storage if possible

Are you curious? is it possible? It is a potential and there is no clear statement out as we speak (2/6/19–2 PM GMT). Nonetheless, I don’t want to do another blog that slag Google… they offer a service and a bloody good one.

Think how much collaboration you get done through Gcloud, Gdocs etc… I do use it a lot and makes a brilliant writing experience across the board…

The incident

Now yesterday 02/06/2019 my google docs started acting up. I’ve rebooted half of the device in the house (turn it on and off anyone?), but nothing did seem to be working.

Around 9.45 PM GMT, I did go and checked the services and…holy, moly half of Google was down! Now at this point in time, it started getting hard working on a document with my team.

This made me realize how dependent my organization is on a number of easy to use services. Even having a solid plan for backup, and a fairly regular test and run I realize the alternatives were not as good. Will add some more comments and my 5 suggestion on the Backup and recovery options later.

1. Decide how much data you want to lose
2. That drives the decision on how frequently you back up
3. Back up on a different cloud provider
4. Make sure you know how to access and use the other cloud provider (don’t just copy google drive documents in Dropbox)
5. Test the backup and recovery into google cloud once every 2–6 months depending on how risky you want to be

So what happened?

YouTube, Snapchat, Gmail, Nest, Discord, and a number of other web services suffered major outages in USA and Europe region.

The root cause is still unknown and there are rumours on too much traffic….could be a nation-state hack? Could it be a misconfiguration? Could be a Hack? All is possible for now…

After 1 or 2 hours of frustration on google docs, I kick-started the backup plan (work on other providers and with another method). It was still possible to work on the text of the documents and extract them but was a painful experience.

I felt at this point in time the pain of the Google Operation Center

Speculation bingo was open and the conversation was on fire…

And John did pick me up on the pool organizing a more serious one (DDoS and cert seem to be winning)…even if I’m sceptical about the DDoS as the capacity of Google datacenter is probably massive.

Timeline

Nonetheless, there was a serious issue across the board that affected all the services. This is the timeline just for google docs.

Statement from Google on the verge: ‘ Google’s issues started at around 3 PM ET /12 PM PT, and the company resolved them after more than four hours.’

Official statement: “high levels of network congestion in the eastern USA” for the issues. “We will conduct a post mortem and make appropriate improvements to our systems to prevent this from happening again,” says a Google spokesperson in a statement to The Verge. “We sincerely apologize to those that were impacted by today’s issues.”

Now on the facts, the service kept on working with glitches on the first hour, got really bad the second (unusable) and then annoying glitches for the other two hours…

the service was completely unusable for 2 or so hours, and very spotty for the remaining two (sometimes unusable).

I’ve invoked my Disaster Recovery plan at this point as the Business Continuity (keep on using the Google cloud with other integrated tools) was not working anymore.

I have lost some work and time since the last time I’ve backed up on another provider but not too much.

The important of the plan

Those are my 5 steps to have a pain free experience

1. have a plan (continuity and disaster recovery)
2. test the plan regularly
3. do backup
4. test the backup regularly
5. Go back to 1 rinse and repeat, also update with the lesson learned

When using google cloud services (drive, gdoc,…) you have two options:

1. use the native format — this maximizes the use of collaboration services and notifications
2. use native Microsoft format (.docx, .ppt) and have limited functionalities but the easier method of backup

Now is all good to have Business Continuity Plans but if you haven’t actually tested than they are pointless…

The testing part is not just performing a backup of your documents in some other cloud provider (this for drive/google docs) but also making sure the backups are regular, and that you actually have a way to use those backups.

Backing up from one cloud provider is not as easy it might sound and especially if you use google docs and drive sync is not always intuitive to extract document

If you want to backup your document in a usable form you’ll have to export in Microsoft format (.pptx or .docx) and then move to another cloud provider.

This ensures that you will be able to open the document with MS-Word regardless of where you are.

Now if you want to be even more drastic and only work with Microsoft word in google cloud (option 2 mentioned above)

Is all google fault if I couldn’t deliver that document in time!!!

No, it was not, as cloud users, we shall be a bit lawyer and go through the terms and conditions of a cloud provider.

The cloud provider ensures that it will operate within certain Service Level Agreement in their Term and conditions (those lengthy legalese documents that no one reads)…

https://gsuite.google.com/intl/en/terms/sla.html

Google simply will rebound you if those Service Level are breached…nonetheless you have to reflect (as an individual or more important as a business) how much downtime of service will affect you.

The Business Continuity and Disaster Recovery plan ensure exactly this. As users of a cloud provider we are responsible for putting one in place (that might account for the cloud provider one), test verify and use it at least once per year.

this leads to another one of my pet peeves: the cloud responsibility model

With Google Gclud (docs, Gmail etc…) we are in a SaaS case. As a user of the cloud we are responsible for:

• Controlling the users (granting and revoking access)
• Content what goes in the provider (harmful material and backup).
• Overall usage (not abusing the term and conditions).

There is no way out of those elements. you can delegate the responsibility of some of those but never the accountability as you, the customer, your revenues your brand will get affected.

For a more comprehensive overview of the division of responsibilities see below an extract of one of my upcoming talk: is the cloud secure? (you can find the others here NSC42 Press)

Conclusions

To recap what you should do to prevent those harmful events to affect you in the future?

• Understand the service credits
• Understand the term and conditions of the cloud providers
• Have an exit strategy (how to get out of a cloud provider)
• Have tested disaster recovery plans and business continuity plan.

Easy steps to have a piece of mind

1. Decide how much data you want to lose
2. That drives the decision on how frequently you back up
3. Back up on a different cloud provider
4. Make sure you know how to access and use the other cloud provider (don’t just copy google drive documents in Dropbox)
5. Test the backup and recovery into google cloud once every 2–6 months depending on how risky you want to be

Rinse and repeat :) and enjoy a happy cloud experience

The article as appears on NSC42 Blog: https://www.nsc42.co.uk/blog/appsec-cali-19-sun-beach-warm-and-infosec

also on LinkdIn: https://www.linkedin.com/pulse/appsec-cali-sunbeachwarm-infosec-francesco-cipollone/

About Francesco the author

Francesco Cipollone is the director NSC42 is a public speaker and attends conferences, this year will report on Appsec California. If you’d like to hear more of this and other conferences get in touch on NSC42 Blog page, Linkedin and medium. Francesco is an active researcher and director of events for the Cloud Security Alliance and part of ISC2.

Francesco and NSC42 can help to improve and align your organisation security, cybersecurity strategy cloud and traditional security architecture and DEVSECOPS offering a range of dedicated consultancy, webinar, guide and other materials. Get in touch with me on Linkedin or via email at Francesco.cipollone @ NSC42.co.uk for collaboration or more information.

Note — most of the picture in this website are mine, but feel free to reuse them under creative common as long as the author and the article are cited.

CC licence — BY-SA — Attribution + ShareAlike

Intro

Picture from Appsec Cali website

What a refreshing conference….that’s, in a nutshell, was my thinking on the last day of AppSec Cali 2019 conference. Logistics were flawless, thanks to the volunteers, and the location was terrific with the Annenberg Community Beach House overlooking the Santa Monica beach and the calm “winter” Pacific Ocean. The schedule of the event was well paced and packed with exciting talks and keynote that I will briefly summarise in this article.

The view from the Santa Monica beach

Nevertheless, those are not the key things that made AppSec Cali different from other great conferences (like Black Hat, Defcon, BSides ….).

What made the difference, aside from the climate and the view, was the small and collected nature of the conference.

Throughout the whole conference, I felt like I was amongst a group of a friend coming together and discussing ideas and collectively progressing infosec.

Maybe it was the relaxed nature of Southern California (read it as SoCal), perhaps it was the beach, but the conference has been a fantastic and relaxed way to network, discuss and share ideas with fellow Infosec professionals.

Sundown from the conference center

Call to actions:

I’d love to hear from you! Only with your feedback, we will improve infosec. Leave a comment and engage in the conversation at the bottom of this article.

This report represents my view of the conference, but I’d love to hear your opinion on the other application-specific conference. Things I’d like to hear from you:

• What conference (Appsec and DEV) did you enjoy this year
• What do you think of AppSec Cali or similar conference
• How to include DEV teams into the Security discussion

Most of the pictures in the conference are mine, but where they are not, I’ll mention the author.

Speakers:

The organizer Richard Greenberg that keeps on putting effort to improve cybersecurity in the application word by organizing events like this and ISSA-LA

The speaker lineup was broad with a top line of speakers and subject matter experts

Nonetheless, the other speaker was not less than the headline speakers.

The Conference:

The bright day started with a short commute through the beach toward the convention center. The ride of choice was the Uber electric scooter due to the inclement weather … 20 degrees and sunny…

One of the many ride options available in Santa Monica

After a short fun ride, the path to the convention center is through the Santa Monica beach skirting Pacific Coast Highway (PCH)

Richard Greenberg kicked off the conference with a nice invite to the various sponsors.

Also a gentle reminder from Richard of the OWASP core values:

Like any other convention, the sponsors and vendors were there but it was not intrusive, and the poolside view is a nice perk

Nonetheless, Richard allows time to recognize the effort and the contribution of the various sponsors/vendors.

To cite and thanks just a few sponsors: netsparker , Shiftleft, Checkmark, Qualys, and many others)

After an excellent introduction from Richard, a round of talks started; I’ll offer some highlights on the one that I attended and my opinion on the one I did like the most.

A note for the folks those are purely my opinion, and my view does not represent one of my employees (yadda yadda yadda)…

CISO Panel

The CISO panel had two key ingredients: from startups to financials CISO as well as well seasoned CISO.

The panel was formed (left to right):

• Bruce Phillips SVP & CISO of Williston Financials
• Martin Mazor Senior VP and CISO at Entertainment Partners
• Shyama Rose CISO at Avant
• Coleen Coolidge Head of security at Segment

The panel went on quite flawlessly explaining the modern challenges of CISOs establishing an AppSec program. The nice part of the panel is that it mixed up different genders and different organisation sizes (from well established to startups). Richard did a great job moderating and pacing the questions.

One interesting concept that I got from the whole talk was the struggle with the DEV-SEC-OPS definition that I believe is a big dilemma those days.

The DEV-OPS concept is still maturing, and the DEV-SEC-OPS is an evolution on this with a natural consequence of the DEV-BIZ-SEC-OPS. In the latter, proposed in the CISO panel, the Business becomes an integral part of the development and operational process.

Also to note the nice gender balance and the effort AppSec is making to sponsor women in Cybersecurity.

Adrienne Porter opens with the chrome improvements on web security

2019 marked the year where half of the web pages turned HTTPs on. There is still a lot to do though.

Adrienne Porter Felt Google Engineer and manager for chrome explained the challenges faced by the public with “secure” web pages.

When HTTPs has introduced the visualisation of the page in the URL has been debated. Initially, people thought if the URLs is green, and the color green was long discussed, the page content is safe. The use of HTTPs will guarantee client-server safeties of communication not the content of the page.

Also, Google is having a series of phishing test campaign to raise the awareness and ultimately working to kill the URL (read the interesting wired article for more info).

Nonetheless, there is an inherited perception of safeties of a page when the URL is displayed in green.

Slack had similar challenges when presenting the apps in their store (see below my take on Slack’s talk)

Netflix and the security pizza

William Bengtson and Travis McPeak gave, in my opinion, one of the best presentations. The speech on the security layers deployed by Netflix was a step onward from the presentation William gave at Black hat 2018 on credential compromise detection.

The talk had the pizza analogy, and William was wearing the “you got me at pizza” T-shirt (nice prop). The speech had the ingredient analogy for each layer of security. The speech was well paced, and the exchange between Travis and William was smooth.

Considering the challenges of a two-person presentation, I have to say William and Travis handled the introduction calmly and appeared well prepared on their speech.

Sorry for the speech analysis but my toastmaster club teaching nags at me sometimes.

The talk presented the various layers with the metadata proxy and the different scenario of attacks leveraging metadata.

Another interesting topic is the temporary key issued to DEV and the privilege, sometimes higher, but with access control…Netflix almost got on AWS the on-time access that Azure is working on with security center.

The other layer added on top of the security pizza is the collection and reduction of roles and permission one VM has…

Last but not last the level of monitoring and alerting Netflix does is terrific. Rarely I’ve seen an organization that knows their infrastructure to the degree where they can detect so carefully when something deviates from the norm…nonetheless, this comes at a cost (and William buzzer in the middle of the night).

Aside from the structure of the talk I’ve been amazed by the level of sharing and giving back to the community Netflix is doing.

Flee talks about powerlifting and AppSec

Following the CISO talk, another heavyweight in security Frederick Lee (flee) head of Information Security at Square had a flawless take on an appsec programme.

Aside from the content, that was easy to understand and well-paced; I have to say I’ve admired the talk as it was well structured. Flee introduced the topics and the key elements at the beginning, narrated them with analogies and concluded with the same themes he started with.

The talk had a nice touch of analogies between powerlifting, Flee passion and an AppSec Programme.

The talk revolved around the three fundamental of powerlifting and the appsec programme.

• Code review of the critical code (prioritize)
• Training for developers that is specific to their dev language
• Threat modeling of the essential applications

In conclusion, a well structured AppSec program is challenging to kill (as strong people are).

The honesty of slack — AppStore security challenges

Nikki Brandt and Kelly Ann presented the problems slack security had in introducing the apps to the AppStore.

Like any other startup, there are some challenges in security and the balance an organization at the inception has to have when doing pentest or bug bounty

Nonetheless, there is an inherited “trust” of people when selecting an app in a store part of your application…

Despite the best disclaimer that might impact the brand of slack and there was no solution yet…but they are getting there

Despite the closure on the uncertain note, I appreciate the honesty of the talk and the challenges faced.

Closing Day 1 with Bryan on what improves in appsec

Bryan Payne @bdpsecurity, Netflix’s director of Engineering, Product & Application Security, delivered a remarkable closing note on the history of application security and the learnings.

Netflix has given a lot in this conference, and each talk was polished, well presented and gave something back to the community.

So we keep on making the same mistakes as we were doing a long time ago…and for one reason, the basic stuff is also the hardest to implement…

Nonetheless, Bryan has given us a few essential items that did work in the past and will keep on improving in the future.

The two most important is learning from mistakes… better and sharing the knowledge with the community (one of the critical thing Netflix does brilliantly)

The other important one was improving fixes to the code, and with this Bryan stressed a pragmatic approach to the code: you can’t fix and review it all so prioritize the fixes what is vital and critical.

Also, Bryan shared few open source tool that can make the code review an easier job. One open source project mentioned was SPIFFE : a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments.

Threat Modeling and the game of infosec

Aside from the Capture The Flag (CTF) I’ve also appreciated the talk on threat modeling and the idea of gamification introduced into the threat modeling.

Ultimately some process that could end up being complicated and difficult like threat modeling could be turned into something fun with a card game.

AppSec and CTF lots of other talks in appsec Cali

Aside from the main talks, appsec Cali had CTF and pentest basic open to all the skill set.

Most important the conference and the training were oriented to Infosec people but most importantly to DEV.

The whole effort is to improve the overall security in the development process.

Others talks have been remarkable but will just mention them:

The vulnerability management from a Security PM Prospective

Alexandra Nassar and Harshil Parikh (absent) walks us through the challenges of security in an organization that perceives security as a blocker. Also how perks personalization (the logo is her creation) and the branding can massively help an appsec programme.

William from Netflix on Identifying lost keys in the cloud

William has delivered once again the overview of how to prevent AWS credentials exfiltration

Closing Speech from Jim Manico

Jim Manico founder of Manicode Security is a well known and respected contributor to the OWASP chapter. Jim delivered the closing talk of the second day with the history of application security.

The stage presence and the way Jim talks about application security is amazing and shows what a seasoned developer, and most crucial security-oriented developer he is.

Also, he is funny and solid tough out the talk.

Jim has become kind of a rockstar with people asking to take a picture with him (photo taken for Daniel @danielblqz)

Conclusions

Appsec Cali 19 has been a refreshing conference and will definitely come back and possibly send across a Call For Paper next year.

The conference would have never happened without the effort of all the volunteers and Richard stringing it up

Aside from the environment, the climate, the people I’ve appreciate the effort that the OWASP chapter and the fellow infosec people have put into improving the overall quality of the code by bringing the DEV community closer to the SEC community.

The DEV-OPS concept is still maturing, and the DEV-SEC-OPS is an evolution on this with a natural consequence of the DEV-BIZ-SEC-OPS. In the latter, proposed in the CISO panel, the Business becomes an integral part of the development and operational process.

Aside from everything Santa Monica is a fantastic place for conference and overall for the viewers and will come back for more INFOSEC in Santa Monica (see you at ISSA XI in May)

AppSec Cali 19 — Sun…Beach…Warm and infosec was originally published in NSC42 on Medium, where people are continuing the conversation by highlighting and responding to this story.

Reported: Clement Lecigne of Google’s Threat Analysis Group

Category: Microsoft/IE/RCE

Date: 19/12/2018

Overview:

Microsoft has released an emergency security update to patch an Internet Explorer (IE) critical zero-day vulnerability.

Discovered by researcher Clement Lecigne of Google’s Threat Analysis Group.
The vulnerability tracked as vulnerability tracked as CVE-2018–8653 is a remote code execution (RCE) flaw in the IE browser’s scripting engine.

Patches

The patch for this vulnerability is available on the Microsoft Website.

The vulnerability comes after the following zero days (that can be chained together previous zero-days (CVE-2018–8611, CVE-2018–8589, CVE-2018–8453, CVE-2018–8440). You can manually download these updates via the Microsoft Catalog website.

Mitigation

Patching is always the best method to fix the vulnerability.

Users who can’t immediately patch, not recommended, can mitigate the threat by restricting access to the jscript.dll file by running following command in the command prompt using admin privileges.

• For 32-bit System — cacls %windir%\system32\jscript.dll /E /P everyone:N
• For 64-bit System — cacls %windir%\syswow64\jscript.dll /E /P everyone:N

The above command will force the web browser to use Jscript9.dll and but any website that relies on Jscript.dll will fail to render.
The above is just temporary mitigation and the patching the application remains best practice

Vulnerability Details

The vulnerability affects the following installations of IE: Internet Explorer 11 from Windows 7 to Windows 10 as well as Windows Server 2012, 2016 and 2019; IE 9 on Windows Server 2008; and IE 10 on Windows Server 2012.

An unspecified memory corruption vulnerability, as per the advisory, resides in the scripting engine JScript component of Microsoft Internet Explorer. This engine is deemed to handle execution of scripting languages.

If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user.
The vulnerability is even more dangerous if an attacker can chain previous zero days vulnerabilities (as consequences of unpatched IE).

Microsoft has realised patches for four other zero-days. Exploiting all these zero-days will result in “elevation of privilege.”

This means that if a victim has missed any of the previous four Windows Patch Tuesday patches, an attacker can chain the IE zero-day with one of the earlier zero-days (CVE-2018–8611, CVE-2018–8589, CVE-2018–8453, CVE-2018–8440) to gain SYSTEM-level access, and immediately take over a targeted computer.

You can manually download these updates via the Microsoft Catalog website.

Even worse if the user is logged on with administrative privileges, in fact, the attacker can piggyback on the user rights, by exploiting the vulnerability, escalate privileges and could potentially take control of an affected system. As a consequence of this the attacker can deploy payloads with more malware, install shell, view, change, or delete data; ultimately for persistence, the attacker can create new accounts with full administrative privileges (as per the advisory).

Besides the above exploit, an attacker can also target victims by convincing them into viewing a specially crafted HTML document (e.g., a web page or an email attachment), MS Office document, PDF file or any other document that supports embedded IE scripting engine content.

Despite the fact that the exploit available in the wild Neither Google nor Microsoft has yet publicly disclosed any technical details about the IE zero-day vulnerability.

IE Emergency patch — Patch Under-Attack IE Zero Day was originally published in NSC42 on Medium, where people are continuing the conversation by highlighting and responding to this story.