Security Stack Sheet #3

Word of the week 

“So. Many. Developers.” & “How many developers really care about security?”

According to the Global Developer Population and Demographic Study conducted by Evans Data Corporation, there are over 22 million developers worldwide, and this figure is expected to rise to 26 million in 2022. 300k are based in Greater London.

“60% of developers lack confidence in their app security, but don’t take steps to fix it” – that’s 13.2 million developers!!

These are 2016 figures; the 2018 figures are 5.1 million for Europe and 5.9 million for the US.

Links HERE and HERE and HERE and HERE and HERE and HERE and study on node.js Devs HERE

 

Word of the week special

“Security badgering” – thanks to Neil

Or “How To Sell Security Solutions (Without) Using Fear, Uncertainty And Doubt”

Links HERE and HERE and HERE and HERE and HERE and HERE

 

Bonus

Microsoft faces wrath of developers after GitHub acquisition

Link HERE What does GitHub say HERE and more HERE

Thanks to Naz

NSA Security posters – thanks to Naz and Arturo

Link HERE

 

Crypto challenge of the week

-NSA Puzzle Periodical – First or Second?

On a rainy summer day, brothers Dylan and Austin spend the day playing games and competing for prizes as their grandfather watches nearby. After winning two chess matches, three straight hands of poker and five rounds of ping-pong, Austin decides to challenge his brother, Dylan, to a final winner-take-all competition. Dylan clears the kitchen table and Austin grabs an old coffee can of quarters that their dad keeps on the counter.

The game seems simple as explained by Austin. The brothers take turns placing a quarter flatly on the top of the square kitchen table. Whoever is the first one to not find a space on his turn loses. The loser has to give his brother tonight’s dessert. Right before the game begins, Austin arrogantly asks Dylan, “Do you want to go first or second?”

Dylan turns to his grandfather for advice. The grandfather knows that Dylan is tired of losing every game to his brother. What does he whisper to Dylan?

Link HERE

-Hacky Easter 2018 solutions and writeup

Link HERE

 

Dates

May 25: GDPR Live! Waiting for first incident (and fine)!

June 12 2018: Trump meets Kim (maybe)

June 30: TLS1.1 mandatory for PCI-DSS compliance

Link HERE

Now: TLS1.2 mandatory for proper security

Jun 14: World Cup 2018

July and August – Holidays!!

March 29 2019: Brexit

Sept 2019: PSD2 security mandatory

 

Comic of the week

 

Some OWASP stuff first

-From Open Security Summit London: Mapping security testing

Link HERE

-DevSecOps Studio Project

DevSecOps Studio is a one-of-its-kind, self-contained DevSecOps environment/distribution that helps individuals learn DevSecOps concepts. Setting up such an environment for training/demos takes a lot of effort and is often error-prone when done manually. DevSecOps Studio is easy to get started with, mostly automated, and battle-tested during our Free Practical DevSecOps Course.

Link HERE GitHub HERE

-Security Is Everybody’s Job … Literally. – Tanya Janca

Security Learns to Sprint!

In a DevOps world everyone performs security work, whether they like it or not. With a ratio of 100/10/1 for Development, Operations, and Security, it’s impossible for the security team alone to get it all done. We must build security into each of “the three ways”; automating and/or improving efficiency of all security activities, speeding up feedback loops for security related activities, and providing continuous learning opportunities in relation to security. While it may sound like the security team needs to learn to sprint, give feedback, and teach at the same time, the real challenge is creating a culture that embodies the mindset that security is everybody’s job

Link HERE

-How to Secure an Angular Web Application

In this presentation, we will cover all the elements required to build a secure web application with Angular and Node.

We will discuss SSL/TLS, authentication and authorization, cookies vs JSON Web Tokens (JWT) for session management, password hashing, salting and enforcing password policy. Finally, we will look at how this can be implemented in an example Angular/Node application

Link HERE

-Securing Spring Applications with Hashicorp Vault

The talk, held at Spring I/O 18 on 24 May 2018, showed how to use Hashicorp Vault to secure Spring applications. Token and AppRole authentication as well as the PKI and database backends were shown.

The companion code is available from https://github.com/jandd/spring-boot-vault-demo

Link HERE

-Oldie, but good: iOS App Security

A brief introduction to hacking iOS applications. This covers:

– Network security.
– Static analysis.
– Runtime analysis and manipulation.
– Decompilation and reverse-engineering.

To get a better understanding of the topic, check out DVIA:
http://damnvulnerableiosapp.com/#learn

Link HERE

-Redis – Persistence, Availability & Security

Link HERE

-Defense-in-Depth Techniques for Modern Web Applications and Google’s Journey with CSP

Link HERE

-How NOT to behave as a security researcher

Link HERE

 

Incidents

Incidents in the world last week

Other source HERE Find your country

Global ALERT level

Incidents detail

Zip Slip

Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote command execution. It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal and many more (CVEs and full list here)

Link HERE Who found it HERE
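An added defender-side check for the flaw described above (example code written for this digest, not Snyk's nor any affected project's code): each archive entry is resolved against the destination directory and the whole archive is refused before anything is written if any entry would escape. The destination path and the two sample archives are constructed for the example.

```python
import io
import os
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if the member would land inside dest_dir once paths are resolved."""
    dest_real = os.path.realpath(dest_dir)
    # Archives built on Windows may use backslashes; treat them as separators.
    name = member_name.replace("\\", "/")
    # os.path.join discards dest_real for absolute names, so '/etc/x' also fails.
    target = os.path.realpath(os.path.join(dest_real, name))
    # Require dest_dir itself or a path strictly beneath it (separator matters:
    # '/tmp/outfoo' must not pass for dest '/tmp/out').
    return target == dest_real or target.startswith(dest_real + os.sep)


def find_unsafe_members(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the member names that would escape dest_dir, without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(dest_dir, n)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Refuse the whole archive before writing anything if any entry escapes."""
    unsafe = find_unsafe_members(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"refusing archive, traversal entries: {unsafe}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_archive(entries: dict) -> bytes:
    """Build a constructed in-memory sample archive (not from any real project)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # ZipInfo keeps '..' components verbatim
    return buf.getvalue()


# Constructed samples: one clean archive and one carrying a Zip Slip entry.
CLEAN_ZIP = build_archive({"README.md": b"hello", "src/main.c": b"int main(){}"})
SLIP_ZIP = build_archive({"README.md": b"hello", "../../evil.sh": b"(constructed)"})

if __name__ == "__main__":
    print("clean:", find_unsafe_members(CLEAN_ZIP, "/tmp/out"))  # []
    print("slip: ", find_unsafe_members(SLIP_ZIP, "/tmp/out"))   # ['../../evil.sh']
```

The check validates entry names only; archives that can carry symlinks (tar, for instance) also need each entry re-checked against the real filesystem as it is written.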

Busted! Founder sells $51m website, hacks it, tries to sell site its own data

What’s worse than Dracula sucking out your lifeblood? Dracula sucking out your lifeblood, bottling it and trying to sell it back to you…

Link HERE

2018 Fraud World Cup

Link HERE

Miscreants hijacked the defunct SpamCannibal blacklist service

The SpamCannibal blacklist service has been hijacked since Wednesday morning; attackers changed the DNS name server settings for the website overnight.

Link HERE

FontCode Technique Can Hide Secret Messages Inside Font Glyphs

Three researchers from Columbia University have created a technique named FontCode that can be used to embed hidden messages inside font glyphs (characters).

The technique takes advantage of how computers work with font glyphs, which for them, are nothing more than mathematical equations used to draw lines and curves on a screen.

The FontCode technique consists of altering these equations to produce slight perturbations in one or more font characters.

An external observer can scan for these perturbations and decode them into individual letters based on a custom algorithm.

Link HERE

Bug in git opens developer systems up to attack

Link HERE

VPNfilter makes a comeback

Link HERE

Pet trackers open to mitm attacks, interception

Link HERE

12 iOS 12 features Apple didn’t mention at WWDC

Link HERE

 

Research of the week

-A Methodical Approach to Browser Exploitation

The Exploit Development Lifecycle, From A to Z(ero Day)

Link HERE

-A Practical Overview of Stack Based Buffer Overflow

Teaser:

Link HERE

-Advanced Techniques for DDoS Mitigation and Web Application Defence

Link HERE IoT based attacks HERE

-SecOps Playbook for Cloud Infrastructure

Link HERE

-NIST Seeking Comments on Lightweight Encryption Algorithm Project

NIST has launched an initiative “to solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments where the performance of current NIST cryptographic standards is not acceptable.” Comments on the DRAFT: Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process will be accepted through June 28, 2018.

[Pescatore]
In the early days of web browsers and servers, there was a lot of software implementing crappy “crypto” under the guise of utilizing Secure Socket Layer. NIST drove FIPS 140-1 in 1994 to standardize how good crypto should be built and it greatly raised the bar for secure transport. The Internet of Things is causing a repeat of the crappy crypto era – good to see NIST driving this forward.

[Murray]
For many applications and environments, the cryptographic algorithms, “codes and ciphers” that we use, are stronger than we need them to be. While they are computationally intensive, the cost of computation continues to fall. The problems that we have are not so much with the algorithms as with their selection, application, implementation, and operation. Therefore, as relates to IoT, what we really need are not new algorithms but implementations that are easy to use effectively and difficult to get wrong. Note that few IoT developers are using encryption at all and almost none are implementing it from scratch.

Link HERE

 

Tool of the week

-Reminder: Infer Static Analysis Tool from Facebook (free)

Infer checks for null pointer exceptions, resource leaks, annotation reachability, missing lock guards, and concurrency race conditions in Android and Java code

Link HERE

-Hygieia

An OSS Project Sponsored by Capital One – One Dashboard for the Entire CI/CD Pipeline.

A single, configurable, easy to use dashboard to visualize near real-time status of the entire software delivery pipeline. Key enhancements to v.3.0 include an Executive Dashboard, Gamification, and Audit API features

Link HERE

-Post-quantum Cryptography VPN from Microsoft

Link HERE

-Amazon EKS is generally available, bringing fully-managed Kubernetes to AWS

57 percent of Kubernetes users run Kubernetes on AWS, according to the Cloud Native Computing Foundation

Links HERE and HERE Secure it with THIS

 

Kewl articles

Mobile App Developers Making Old Mistakes

Researchers from Texas A&M University say that mobile app developers are making the same security mistakes that web developers made nearly twenty years ago, locating business logic in client-side code rather than in server-side code. In their paper, “Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities,” the researchers describe a system they have developed that analyzes mobile apps to see if they are vulnerable to HTTP request parameter injection attacks.
[Murray]
The app developer often has more control over the client side than the server side. Also, by definition, in the client-server model, servers are stateless. That is why we have cookies, to store state on the client side

Links HERE and HERE and HERE

 

An Expertly Crafted Crypto Phishing Attempt (and How to Detect it)

Link HERE

 

Isolated Networks in the Cloud

Network isolation is a vital part of any layered security approach. It’s used by all players, from small businesses to large organizations, in different capacities. More demanding networks require a high level of outbound filtering, to prevent data exfiltration and lessen the impact of breaches.

We chose to test AWS, Google Cloud, and Azure, since they’re some of the most popular providers. They also provide a good amount of networking features for larger organizations wanting to mimic their on-prem infrastructure in the cloud

Link HERE. Check out SCION, the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communications, HERE. SCION paper HERE.

 

Serverless Security Scorecard

  • Cloud Providers Handle OS & Runtime Security & Patching
  • Smaller Microservices = Fine-Grained IAM
  • Stateless/Ephemeral == No Long-Term Resident Injections
  • More Visibility into App Behavior
  • Security Visibility Got Harder
  • Many More Points of Attacks, Protocols & Vectors
  • Erosion of The Perimeter as We Used to See It
  • More Resources = More Permissions to Manage
  • Where Do You Deploy Security?
  • Attacks and Attackers
  • Application Velocity
  • Cloud Security Is Mostly AppSec

Link HERE

 

An encryption upgrade could upend online payments

At the end of June, digital credit card transactions are getting a mandatory encryption upgrade. It’s good news—but not if you have an old device, or depend on a retailer that hasn’t completed the transition.

When data moves from one device to another, it needs protection so it isn’t intercepted and manipulated along the way. This defense is especially crucial, as you might imagine, for sensitive communications like financial transactions. And with credit card fraud booming, the Payment Card Industry Security Standards Council announced last year that it would phase out an old, buggy encryption scheme used for processing digital credit card transactions, called Transport Layer Security 1.0, in favor of more secure options. The deadline: June 30

Link HERE

 

UK’s FCA Actively Probing Two Dozen Cryptocurrency Firms

The cryptocurrency industry is undergoing some big changes. For their part, the UK’s Financial Conduct Authority is looking for ways to crack down on illicit activity in the cryptocurrency industry. Cracking down on companies running illegitimate businesses is of the utmost importance.

At present, the FCA is launching no less than two dozen investigations involving cryptocurrency firms. Additionally, seven whistle-blower reports were investigated in 2018. All of those reports pertain to Bitcoin and other cryptocurrencies, although the exact nature of the investigations is rather unclear at this time

Link HERE

 

Pen Testing in the Era of APIs and Microservices

Software development practices are going through an evolution: large monolithic applications are falling out of favor, being quickly replaced by loosely coupled and modular microservices that are easier to develop, test, and scale. These services may be outwardly exposed as part of a software-as-a-service or other API offering.

Link HERE

 

And finally, this is how Google will collapse

Reporting from the very near, post-Google future

Google made almost all its money from ads. It was a booming business — until it wasn’t. Here’s how things looked right before the most spectacular crash the technology industry had ever seen

Link HERE

 

HACKING, TOOLS and FUN – CHECK BELOW!

 █████╗ ██████╗ ██████╗ ███████╗███████╗ ██████╗    ███████╗███████╗██╗███╗   ██╗███████╗
██╔══██╗██╔══██╗██╔══██╗██╔════╝██╔════╝██╔════╝    ██╔════╝╚══███╔╝██║████╗  ██║██╔════╝
███████║██████╔╝██████╔╝███████╗█████╗  ██║         █████╗    ███╔╝ ██║██╔██╗ ██║█████╗  
██╔══██║██╔═══╝ ██╔═══╝ ╚════██║██╔══╝  ██║         ██╔══╝   ███╔╝  ██║██║╚██╗██║██╔══╝  
██║  ██║██║     ██║     ███████║███████╗╚██████╗    ███████╗███████╗██║██║ ╚████║███████╗
╚═╝  ╚═╝╚═╝     ╚═╝     ╚══════╝╚══════╝ ╚═════╝    ╚══════╝╚══════╝╚═╝╚═╝  ╚═══╝╚══════╝

Link HERE and credits to HERE
