Security Stack Sheet #1

Word of the week: unfortunately it has to be “GDPR”

Or Global Defence Posture Realignment? Nah... General Data Protection Regulation.

Free GDPR tools and toolkits HERE, HERE, HERE and HERE; ICO HERE; Microsoft tool HERE

Good article on GDPR & PageUp Security HERE. Freaking out? HERE

Note: you are required to hand over your private info in order to download some of these tools, ha-ha :)


Word of the week special




“WARNING. In our butcher’s shop we might ask your name and remember your meat-related preferences.

If you are worried about this, please enter the shop while shouting ‘I DO NOT AGREE!’, and we will henceforth pretend we don’t know you.”



Crypto challenge of the week

May 2018 Puzzle Periodical – Shall We Play a Game? Computer Tic-Tac-Toe

This month’s NSA Puzzle Periodical pays tribute to the 1983 motion picture “WarGames.” In the movie, a supercomputer is programmed to play Tic-Tac-Toe.

The computer plays itself, with each X and O placed uniformly at random into any square (this means the computer plays without regard to strategy). What is the probability a game will end in a draw?

Assume perfect random number generation. The first X will be placed in any square with probability 1/9. The first O will go into any of the remaining squares with probability 1/8, and so on.
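Below is an added example (my own code, not part of the NSA puzzle or this newsletter) that computes the answer exactly rather than by simulation: it walks the whole random-play game tree with exact fractions, stopping a branch as soon as either side completes a line, so the draw probability comes out as a reduced fraction. The board encoding and function names are my own.

```python
from fractions import Fraction
from functools import lru_cache

# The eight winning lines on a 3x3 board, squares indexed 0..8 row by row.
LINES = ((0, 1, 2), (3, 4, 5), (6, 7, 8),
         (0, 3, 6), (1, 4, 7), (2, 5, 8),
         (0, 4, 8), (2, 4, 6))


def winner(board):
    """Return 'X' or 'O' if that side has completed a line, else None."""
    for a, b, c in LINES:
        if board[a] != "." and board[a] == board[b] == board[c]:
            return board[a]
    return None


@lru_cache(maxsize=None)
def outcome_probabilities(board="." * 9, player="X"):
    """Exact (P(X wins), P(O wins), P(draw)) from this position when every
    remaining move is placed uniformly at random among the empty squares.
    The board is a 9-character string of 'X', 'O' and '.' (empty)."""
    w = winner(board)
    if w == "X":
        return (Fraction(1), Fraction(0), Fraction(0))
    if w == "O":
        return (Fraction(0), Fraction(1), Fraction(0))
    empties = [i for i, sq in enumerate(board) if sq == "."]
    if not empties:                      # full board and no line: a draw
        return (Fraction(0), Fraction(0), Fraction(1))
    totals = [Fraction(0)] * 3
    share = Fraction(1, len(empties))    # each empty square is equally likely
    nxt = "O" if player == "X" else "X"
    for i in empties:
        child = board[:i] + player + board[i + 1:]
        for k, p in enumerate(outcome_probabilities(child, nxt)):
            totals[k] += share * p
    return tuple(totals)


def draw_probability():
    """The puzzle's answer as an exact fraction, from the empty board."""
    return outcome_probabilities()[2]


if __name__ == "__main__":
    px, po, pd = outcome_probabilities()
    print(f"X wins {px} ({float(px):.4f}), O wins {po} ({float(po):.4f}), "
          f"draw {pd} ({float(pd):.4f})")
```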


HackyEaster2018 Solutions




May 25: GDPR enforced (tomorrow!)

May 25: First GDPR related incident

June 12 2018: Trump meets Kim (maybe)

June 30: TLS1.1 mandatory for PCI-DSS compliance

Now: TLS1.2 mandatory for proper security

June 14: World Cup 2018

July and August – Holidays!!

March 29 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week

Some OWASP stuff first

-Play by Play: OWASP Top 10 2017

By Troy Hunt and Andrew van der Stock

In this course, you’ll learn the risks that made the 2017 OWASP Top 10 and how best to utilise the OWASP Top 10 in your organisation.


-Event next week in London: Beginner’s Guide to Emotional Intelligence + Improving Your Cyber Security Hires – opinions and slides to follow


-Contribute! How do we Stop Spilling the Beans Across Origins?

A primer on web attacks via cross-origin information leaks and speculative execution.

While concerns about Spectre are a direct motivation for the mechanisms discussed above, we propose that it is critical to consider the broader problem of cross-origin information leaks and design defenses for this more general class of attacks. This is especially important for any opt-in protections whose value depends on adoption by application developers, for two reasons:

- Web developers don’t understand Spectre, and they shouldn’t need to in order to protect their applications, but they have long had to deal with other vulnerabilities discussed in this document (CSRF, XSSI). Providing mechanisms which can protect from a larger class of attacks, especially those known to developers, increases their security value and makes it more likely that they will be adopted in real applications.

- Web developers don’t understand browser process models, but are familiar with the concept of allowing application resources to be loaded only from a small set of origins from which the developer expects requests (for example via CORS, or when handling data sent via postMessage). Aligning security mechanisms with the standard web model of policing cross-origin relationships, instead of focusing on ad hoc mitigations tailored to Spectre, may make the protections more understandable and increase the likelihood of their adoption.


-InfoSecurity Europe 2018 in London – FREE event with great keynotes


-PCI Security Standards Council publishes PCI DSS 3.2.1

PCI DSS version 3.2.1 replaces version 3.2 to account for effective dates and SSL/early TLS migration deadlines that have passed. No new requirements are added in PCI DSS 3.2.1. PCI DSS 3.2 remains valid through 31 December 2018 and will be retired as of 1 January 2019.




Incidents in the world

Source HERE. Find your country.

Incidents detail

Many-faced threats to serverless security


Extracting SSH Private Keys from Windows 10 ssh-agent


SECOND remote Rowhammer exploit

Link HERE. Paper HERE.

Up to 800,000 DrayTek routers attacked by new zero-day


Data of Over 200 Million Japanese Sold on Underground Hacking Forum


The Verge Hack, Explained

Time Warps, Mining Exploits, Denial of Service, and More!


iOS / Android “Zipper Down” Vulnerability


PDF exploit built to combine zero-day Windows and Adobe Reader bugs


Mobile carriers may be selling real-time location data to third-party companies, which may be putting that data in unsafe places


The University of Greenwich fined £120,000 by Information Commissioner for “serious” security breach


DLL Hijacking via URL files


AWS Security Flaw which can grant admin access!


More Meltdown and Spectre Issues

Additional variants of the Meltdown/Spectre processor flaws have been detected. Dubbed Variants 3A and 4, the newly detected issues are a rogue system register read and a speculative store bypass. Intel and other companies are releasing microcode updates to address the problem.


Regression testing is key in this space. As more Meltdown/Spectre fixes are released, make sure to fully test them before deploying to the enterprise, as the impact of a fix depends on the specific workload of the systems where the fixes are being deployed.

Link HERE. Examining Spectre and Meltdown attacks, by Synopsys, HERE.

System Management Mode Speculative Execution Attacks


Securus Hacked

Securus, the company that was recently revealed to be providing cell phone location data to law enforcement, was the target of a data breach last week. The intruder stole a database that includes some passwords for some of Securus’s law enforcement customers. Securus acquires phone location data from service providers. The information is usually sold to marketing companies, but it was recently found that Securus offers a service for law enforcement agencies as well. Last week, US Senator Ron Wyden (D-Oregon) asked the Federal Communications Commission (FCC) to investigate wireless carriers that allow law enforcement unrestricted access to customer location data.




Research of the week

-The 2018 Hacker Report

We are in the age of the hacker. Hackers are lauded as heroes, discussed daily in the media, villainised at times, and portrayed by Hollywood – anything but ignored.


-The Future of JavaScript: 2018 and Beyond

-The State of .NET in 2018

Links HERE and HERE. Also: Yarn uses checksums to verify the integrity of every installed package before its code is executed – HERE


Tool of the week

-DIY passive security scanning & verification

1. SSL/TLS deep analysis of public web servers – SSLLabs – HERE

2. Testing TLS/SSL encryption anywhere on any port – HERE

3. Analyse the HTTP response headers of websites – HERE

4. Utility that uncovers the technologies used on websites – Wappalyzer – HERE

5. Domain security report – HERE

6. CIS security benchmarks for operating systems, databases etc. – HERE

7. Use the Developer Tools debug section in your browser – HERE

8. Mozilla secure site tool – all-in-one scanner – HERE

9. Scanner to check if an internet-connected device is publicly insecure – HERE

10. Scan for open ports from the outside – HERE

11. See if your server is blacklisted, plus other information-gathering online tools – HERE

12. Scan for vulnerable JavaScript libraries – Retire.js – HERE

13. Check if your account has been compromised in a data breach – Have I Been Pwned – HERE

14. Check if you can see the real IPs behind Cloudflare WAF – Cloudflair – HERE and HERE and HERE

15. Create, analyse and edit client HTTP requests / encoding and decoding tool – Acunetix HTTP Editor – HERE

16. Proxy that allows you to analyse HTTP requests and responses, and manually crawl a site structure – Acunetix HTTP Sniffer – HERE

17. Tool that allows one to identify and fingerprint a Web Application Firewall (WAF) – WAFW00F – HERE

18. Tool which allows you to automatically send a large number of HTTP requests, including invalid, unexpected and random data, to a website to test input validation and rate limiting – Acunetix HTTP Fuzzer – HERE

19. Tool that performs numerous checks on a database to evaluate security – DbDat – HERE

20. Security auditing tool for AWS environments – Scout2 – HERE

21. Security auditing tool for Azure environments – Azucar – HERE

22. Simple HS256 JWT token brute-force cracker – test your JWT – HERE

23. BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases – HERE

24. OWASP ZAP passive scanning – finding vulnerabilities in web applications – HERE, and the tool HERE

25. Free cross-platform web debugging proxy with user-friendly companion tools – Fiddler – HERE

26. A service that analyses Docker images and applies user-defined acceptance policies to allow automated container image validation and certification – Anchore – HERE

27. Vulnerability static analysis for containers – Clair – HERE, and open source compliance for containers – tern – HERE

28. Google Hacking Database – magic searches with Google – HERE

29. RSA CTF Tool – tool to attack RSA public keys and ciphertexts in common ways – check how strong your encryption is – HERE

30. Analyse suspicious files and URLs to detect types of malware, automatically – VirusTotal – HERE

-SleuthQL: A SQL Injection Discovery Tool


-Certificate Transparency is coming, are you ready?

CT is one of those things where once you know what it does you find yourself thinking ‘why hasn’t it always been like that?’. It fixes a problem we’ve had in the PKI ecosystem for some time and in many ways CT is a lot more awesome than you might realise. I have a blog post, Certificate Transparency, an introduction, if you’d like to go into more detail on exactly what CT is, but at a high level it means that you can always be aware of exactly what certificates exist for your domain. Right now there is no way for you to be absolutely sure what certificates exist and that means employees, friends, attackers or your dog could get a certificate for your site and if they didn’t tell, you would never know. Think about it: if I can bribe or compromise a CA, or even request a certificate outside of the normal company process, without me disclosing that I’ve done that there’s basically no way to know it exists. This is a really dangerous place to be and this is exactly what CT fixes.

CT requires that all certificates are logged into public CT Logs so that their existence can never be a secret and never be hidden from the domain owner. The CT Logs will provide something called a Signed Certificate Timestamp which is proof that the certificate has been placed on the log and it’s this proof that the browser will soon want to see or it will reject the certificate.


-Want exploits?



Kewl articles

Product Security Framework

Product Security is a superset of application security, infrastructure security, and incident response around a particular product or system.

Link HERE. Others HERE, HERE and HERE.

My Favourite Security Folks on Twitter. From Rookie to Pro

When I first started looking into InfoSec as a career path I did what I usually do when trying to make these types of decisions. I took to Twitter to follow folks who were already in the business or those who were new like me but with similar goals.

It’s pretty easy to go follow all of the big names but what I find is that I tend to learn more from the women and men down in the trenches and doing this stuff every day. So I wanted to put together a list of some folks you may or may not know who I have learned a lot from in my short time following them. This in no way means that there are not others I have learned from, but a list can only be so long!

Link HERE. Where does a CISO spend her time? HERE

So you want to be a web security researcher?

- Breaking stuff for a living

- Moving beyond known techniques

- Iterate, invent, share

Link HERE. Debate HERE.

An introduction to cryptography and public key infrastructure


Learn the basic concepts behind cryptography, with a focus on confidentiality, integrity, and authenticity.


How to measure risk with a better OKR Objective and Key Result

I’ve become a big fan of the Objective and Key Result (OKR) at companies that take them seriously. I’ll describe an opinionated method that fits within an OKR and measures the reduction (or increase) of a chosen risk. This will inform a team’s decision to reduce or increase engineering efforts to mitigate that risk going forward.

This method is similar to how a meteorologist forecasts the weather.

For deep dives into OKRs, you can read this, watch this, or read this.

OKRs are a simple way to express a motivational goal and commit to a short list of measurable outcomes that push a group towards that goal. They sometimes cascade from executive management out to all employees. OKRs are a common practice among tech companies and many security teams I work with.

Link HERE. Set goals with OKRs HERE.

How to secure the mother of all networks, the Internet? And perfect Operational Security (OPSEC)

Links HERE and HERE

Five Features of Information Security Every Cloud Platform Should Provide

1: Identity and Access Management (IAM)

2: Networking Security and Host Security

3: Data Security: Encryption and Key Management

4: Application Security and DevSecOps

5: Visibility and Intelligence


And finally, Mental Models, Dragonfloxes, and How to Think Real Good

A lot has been said recently about mental models. If you are at all interested in clear thinking and decision-making, the term seems to show up everywhere.

The most famous proponent of the concept is Warren Buffett’s business partner, Charlie Munger. He considers mental models the key to ‘elementary worldly wisdom.’

Here he is:

“I’ve long believed that a certain [decision-making] system — which almost any intelligent person can learn — works way better than the systems that most people use. …what you need is a latticework of mental models in your head. And you hang your actual experience and your vicarious experience (that you get from reading and so forth) on this latticework of powerful models. And, with that system, things gradually get to fit together in a way that enhances cognition.”

