Security Stack Sheet #2

Word of the week “Logsponsibility!” thanks to Mike for the new word

Links HERE and HERE and HERE and HERE and HERE and HERE

NIST on log management HERE


Word of the week special

“’Happy Birthday’ song violation”

Fourteen girls aged between 5 and 6 have been detained by police after revealing, publicly, the name of the girl whose birthday party they were attending, whilst singing Happy Birthday to her in the café of the celebrated dinosaur attraction, Tamba Park.

Quick-thinking members of the public alerted police when the children, who cannot be named for legal reasons, blurted out the girl’s name, having made no attempt to first acquire in writing her consent for them to do so.






Crypto challenge of the week

Can you crack the NCSC’s regex crossword?

Can you crack our cryptic crossword? Instead of a word or phrase, each clue is a regular expression (or a ‘regex’). To complete the puzzle, find the letter matching both the horizontal and vertical regex for each square.

No link.



May 25: GDPR Live! Waiting for big incidents!

June 12 2018: Trump meets Kim (maybe)

June 30: TLS1.1 mandatory for PCI-DSS compliance

Now: TLS1.2 mandatory for proper security

Jun 14: World Cup 2018

July and August – Holidays!!

March 29 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week

## Some OWASP stuff first

-OWASP Top 10 new icons!


-Loco Moco Security Conference Hawaii – videos

Allison Miller: Building Better Defenses: Engineering for the Human Factor HERE

John Melton: Starting an AppSec Program: An Honest Retrospective HERE

Alvaro Muñoz: .NET Serialization: Detecting and defending vulnerable endpoints HERE

Scott Helme: Revocation is broken, here’s how we’re fixing it HERE

Jeremy Long: The (Application) Patching Manifesto HERE


-LangSec 2018 slides – thanks to Renato


Secure SCADA Protocol for the 21st Century (SSP-21) – Crain-SSP21.pdf
From Verified Parsers and Serializers to Format-Aware Fuzzers – Delaware-Narcissus.pdf
Languages at Galois – Dodds-Languages-at-Galois.pdf
Proving un-exploitability of parsers – Dullien-Unexploitability-of-Parsers.pdf
Retrofitting Security in input parsing routines – Hauser-Retrofitting-Security-in-Close-Source-Binary-Programs.pdf
Redesigning Secure Protocols to Compel Grammatical Compliance Checking – Irwin-CompellingGrammarChecking.pdf
A Mathematical Model of Exploitation and Mitigation Techniques Using Set Theory – Kawakami-Exploit-modeling-using-set-theory.pdf
LangSec revisited: input security flaws of the 2nd kind – Poll-Flaws-of-second-kind.pdf
Bidirectional and executable specifications of machine code decoding and encoding – Tan-Bigrammar-LangSec2018.pdf
Challenges and Possibilities for Safe and Secure ASN.1 Encoders and Decoders – Tullsen-Safe-ASN1.pdf
The Automated Exploitation Grand Challenge: A Five-Year Retrospective – Vanegue-AEGC-5-year-perspective.pdf



-Google CTF 2018

Google CTF 2017 was a big success! We had over 5,000 players, nearly 2,000 teams captured flags, we paid $31,1337.00, and most importantly: you had fun playing and we had fun hosting!

Date and time: 00:00:01 UTC on June 23rd and 24th, 2018

Location: Online

Prizes: Big checks, swag and rewards for creative write-ups

-Don’t forget: InfoSecurity Europe 2018 in London – FREE event with great keynotes




Incidents in the world last week

Other source HERE Find your country

Incidents detail

Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system

Internet policy wonks scramble over GDPR


Small merchants are not effectively engaging with PCI programs


The Twitter account of the Dutch bank ABN AMRO has reported that their website was under a DDoS attack earlier on 24 May.


Misconfigured CalAmp Server Enabled Vehicle Takeover


For our French readers: French cybercrime gang boss caught in Thailand

Suspect allegedly obtained customer details at a British bank and threatened to leak the information unless he was paid


More Data Leaked from AWS Bucket Misconfigurations


New VPNFilter malware targets at least 500K networking devices worldwide

You probably heard the advice given earlier this week to reset your router due to some malware referred to as “VPNFilter” infecting a large number of routers. I do not want to second guess this advice, but instead, outline a couple of issues with “resetting” a router.

First of all: Pretty much all router malware (Mirai variants, TheMoon and various Linux Perl/bash scripts affecting routers) will not survive a simple power cycle of the router. However, the vulnerability that allowed access to the malware will. Secondly, some configuration changes may survive. In particular changes to DNS settings that are often done without actual malware, but by using CSRF vulnerabilities in the router’s web-based admin interface.

My main problem with having thousands of users reset their routers to factory default settings is that they inadvertently may reset it to use a simple default password.


Oracle Plans to Drop Java Serialization Support, the Source of Most Security Bugs

Reinhold: Serialization was a “horrible mistake”

Oracle plans to end support for Java serialization, which has been the source of many security issues. Oracle’s Java platform group chief architect Mark Reinhold said that adding serialization to Java in 1997 was a “horrible mistake.” Oracle has not set a date for ending serialization support.


One remembers the security claims that were made for Java (also Chrome) when it was released. As with many other products, security is sacrificed to “features.” The claims are washed away by the endless chain of announcements of security vulnerabilities and patches. Patching has become a necessary and routine part of doing business.


This move is likely to result in worse security. Serialization support is not unique to Java – most object-oriented languages support it. While many Java developers implement serialization in an unsafe manner, the problem is the use of the feature, not the feature itself. Many applications we pentest today use serialization in a relatively safe manner and will require major refactoring to remove the feature. Rather than refactoring the applications, many organizations will simply opt to execute existing code on legacy Java versions, making everyone less secure.
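The "relatively safe manner" mentioned above usually means deserialization filters (JEP 290, `java.io.ObjectInputFilter`, available since Java 9 and backported to 8u121 under `sun.misc`). The following is an added example written for this digest, not code from any of the articles or commenters quoted; `Greeting` and `Unexpected` are hypothetical stand-ins for an application's one expected wire type and for any class outside the allow-list.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserialization {

    // Hypothetical application type: the only class we expect on the wire.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Hypothetical type standing in for anything NOT on the allow-list.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    // Allow-list filter in JEP 290 pattern syntax: accept only Greeting and
    // String, reject every other class ("!*"), and cap graph depth, reference
    // count and stream size so a crafted stream cannot exhaust memory before
    // the first class descriptor is even checked.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;maxbytes=65536;"
            + "FilteredDeserialization$Greeting;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Install the filter before the first readObject(): it is consulted
            // for every class descriptor as the stream is parsed, so a rejected
            // class never gets its readObject() or readResolve() executed.
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected payload: passes the allow-list.
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // Anything else is refused while the stream is still being parsed.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected should have been rejected");
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a filter rejection as InvalidClassException
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Per-stream filters are the precise option; the same pattern string can also be applied process-wide through the `jdk.serialFilter` system property, which is the cheaper retrofit for legacy code that cannot be refactored away from serialization.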


Most SAP systems vulnerable to critical security configuration risk


Malware Distributed via .slk Files

Attackers are always trying to find new ways to infect computers by luring not only potential victims but also security controls like anti-virus products. Do you know what SYLK files are? SYmbolic LinK files (they use the .slk extension) are Microsoft files used to exchange data between applications, specifically spreadsheets.


BackSwap malware finds innovative ways to empty bank accounts


Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)

As part of an engagement for one of our clients, we analysed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.

Under certain circumstances this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.


JosepCrypt Ransomware

Data encryption Trojan that supports standard encryption algorithms like AES and RSA


Side-channel attacking browsers through CSS3 features

With the staggering amount of features that were introduced through HTML5 and CSS3 the attack surface of browsers grew accordingly. Consequently, it is no surprise that interactions between such features can cause unexpected behavior impacting the security of their users. In this article, we describe such a practical attack and the research behind it.

- We (co-)discovered a side-channel vulnerability in browser implementations of the CSS3 feature “mix-blend-mode” which allowed leaking visual content from cross-origin iframes.

- We demonstrate the impact of this vulnerability by showing how visiting a malicious site was enough to de-anonymize Facebook users. In particular, exploitation allowed leaking the profile picture, username and likes of unsuspecting visitors, all while requiring no additional user interaction.

- This vulnerability affected major browsers like Chrome and Firefox and was disclosed responsibly.


General Data Protection Regulation (GDPR) Phishing Email

Links HERE and HERE


Research of the week

-A Deep Dive on AWS CloudFormation Custom Resources

Learn How to Implement Serverless Authentication The Custom Way!

We will describe a basic yet complete authentication system using Auth0. I find Auth0 to be a very flexible and easy-to-use authentication service. Let’s dive deeper.

We will describe a microservice using an AWS CloudFormation template. Throughout the building process, I will emphasize some best practices I have learnt through extensive use of custom resources.


-The Importance of Encrypted Platforms – Iagon

IAGON is an Open Source platform for harnessing the storage capacities and processing power of multiple computers over a decentralized Blockchain grid. IAGON enables users to store big data files and repositories, as well as smaller files, and to carry out complex computational processes, such as those needed for artificial intelligence and machine learning operations, within a fully secure and encrypted platform that integrates blockchain, cryptographic and AI technologies in a user-friendly way.

Link HERE and paper HERE

-2018 Open Source Security and Risk Analysis


-Experimental Security Assessment of BMW Cars: A Summary Report

Link HERE Twitter discussion HERE

-Low level PC/server attack papers collection by Xeno Kovah


-The detection of faked identity using unexpected questions and mouse dynamics

The detection of faked identities is a major problem in security. Current memory-detection techniques cannot be used as they require prior knowledge of the respondent’s true identity. Here, we report a novel technique for detecting faked identities based on the use of unexpected questions that may be used to check the respondent’s identity without any prior autobiographical information. While truth-tellers respond automatically to unexpected questions, liars have to “build” and verify their responses. This lack of automaticity is reflected in the mouse movements used to record the responses as well as in the number of errors. Responses to unexpected questions are compared to responses to expected and control questions (i.e., questions to which a liar also must respond truthfully). Parameters that encode mouse movement were analyzed using machine learning classifiers and the results indicate that the mouse trajectories and errors on unexpected questions efficiently distinguish liars from truth-tellers. Furthermore, we showed that liars may be identified also when they are responding truthfully. Unexpected questions combined with the analysis of mouse movement may efficiently spot participants with faked identities without the need for any prior information on the examinee.


-For the security advanced: SOC Value Chain & Delivery Models


-For the security initiated: BUG BOUNTY HUNTING (METHODOLOGY , TOOLKIT , TIPS & TRICKS , Blogs)



Tool of the week

-AWS security tools

A list of different tools that you can deploy to test AWS infrastructure. Remember to fill out the form if doing testing like this.

1. prowler – Tool based on AWS-CLI commands for AWS account hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark

2. nccgroup/Scout2 – Security auditing tool for AWS environments

3. cloudsploit/scans – AWS security scanning checks

4. Amazon Inspector –

5. Netflix/security_monkey – Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations

6. Aardvark – Aardvark is a multi-account AWS IAM Access Advisor API

7. Repokid – AWS Least Privilege for Distributed, High-Velocity Deployment

8. DenizParlak/Zeus – AWS Auditing & Hardening Tool

9. Nimbostratus – Tools for fingerprinting and exploiting Amazon cloud infrastructures + video presentation and intro blog post

10. Bucket finder – This is a fairly simple tool to run; all it requires is a wordlist, and it will go off and check each word to see if that bucket name exists in Amazon’s S3 system. Any that it finds it will check to see if the bucket is public, private or a redirect.

Public buckets are checked for directory indexing being enabled; if it is, then all files listed will be checked using HEAD to see if they are public or private. Redirects are followed and the final destination checked. All this is reported on so you can later go through and analyse what has been found.


-Prowler – Distributed Network Vulnerability Scanner


-Bash tricks


-Pornhub launches VPNhub – a free and unlimited VPN service


-Kali Linux 2018.2 Release



Kewl articles

Everything you need to know about getting application security buy-in



Penetration Testing Requirements for GDPR

What the Information Commissioner’s Office has said about Penetration Testing and GDPR

Article 32 of GDPR is the section that covers security testing and it simply says this:

“a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”

Well that’s as clear as mud then isn’t it! But don’t worry there is some further guidance:

Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO), said: “There may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”

He added: “We therefore strongly recommend that organisations determine which of their systems are vulnerable, and test and apply the patches as a matter of urgency. Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act (DPA) is serious enough to warrant a civil monetary penalty.”



The critical hole at the heart of our cell phone networks

In February 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.

The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.



The Security Token Thesis


The security token movement has substantial momentum at this point. The hype around blockchain will add fuel to this momentum, but realization of real benefits will sustain it in the longer term.

The features listed below form the foundation of the thesis that security tokens will see widespread adoption across numerous asset classes in the coming years.

- 24/7 markets

- Fractional ownership

- Rapid settlement

- Reduction in direct costs

- Increased liquidity and market depth

- Automated compliance

- Asset interoperability

- Expansion of the design space for security contracts



Most dangerous attack techniques, and what’s coming next

The five threats outlined are:

1. Repositories and cloud storage data leakage

2. Big Data analytics, de-anonymization, and correlation

3. Attackers monetize compromised systems using crypto coin miners

4. Recognition of hardware flaws

5. More malware and attacks disrupting ICS and utilities instead of seeking profit



Only half of CI/CD workflows include appsec testing elements

Only half of CI/CD workflows include application security testing elements despite respondents citing awareness of the importance and advantages of doing so…

What are the most critical application security testing elements to add to CI/CD workflows?



20 years on, L0pht hackers return to D.C. with dire warnings

In May 1998, seven members of the L0pht hacker collective spoke before Congress, telling them “any of the seven individuals seated before you” could take down the Internet in 30 minutes. Twenty years later, four members of that group gathered to speak on a panel hosted by the Congressional Internet Caucus. They said that while technology has changed significantly over the past two decades, many of the underlying security concerns remain. Chris Wysopal noted that “We keep building new things on old infrastructure that never seems to get fixed.”



Why product strategy matters

Code in haste, count the waste.



## And finally,

Imagine a world where everything you ever do or say is watched and rated by invisible eyes.

- Who do you talk to?

- Why?

- What did you buy?

- Do you brush your teeth?

- Did you forget to floss?

- Do you watch too much TV or play video games or talk on the phone?

- Do you own a gun?

- Do you recycle?

- Are your political opinions in line with the people in power?

- Did you pay your water bill or taxes on time?

Now imagine if all the things you ever did wrong followed you around like a big, bright red scarlet letter.

