Security Stack Sheet #6

Word of the week “Cyber storm”

Link HERE Other cyber storm links HERE and HERE and HERE and HERE and for 2018 HERE and HERE


Word of the week special “False positive” – thanks to Naz & “Cyber alert fatigue”

Recent research into the financial losses companies incur while stifling cyber-attacks reveals that an average of $1.27 million / €1.09 million per year is wasted on dealing with false positive security alerts.

Links HERE and HERE and HERE and HERE and HERE and HERE and How to reduce HERE and Can you solve the false positive riddle? HERE



Bill doesn’t care about vulnerable code. He codes fast.

Scaling in AWS

Threat Modelling paranoia

Link about TM HERE






Crypto challenge of the week

-Tiling with Pentominos

Have you ever seen one of those puzzles where you have to try and fit a collection of various shapes into a certain area?

The Pentomino was first devised by American professor Solomon Golomb in 1953. A Pentomino is a single polygon made up of 5 congruent squares. A full set of Pentominos consists of all 12 of the possible combinations of the 5 squares (excluding reflections and rotations).

Pentominos have the special property of being able to be packed into many different shapes. For example, with a full set of 12 Pentominos, you could create a rectangle of size 6×10, 5×12, 4×15 or 3×20. Other smaller shapes can be made, but with fewer Pentominos. Additionally, you can also fill an 8×8 square with 4 holes in it (although certain positions of the holes can make it impossible).

The challenge is to output one solution for the given rectangle.
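One way to tackle the challenge, given here as an added example rather than code from the newsletter or from the challenge's source: a backtracking solver that first derives the 12 free Pentominos by growing polyominoes and deduplicating them under rotation and reflection, then tiles the requested rectangle by always covering the first empty cell in row-major order. The piece labels A..L, the board sizes and the hole-size pruning rule are this example's own choices.

```python
"""Backtracking pentomino tiler (added example, not from the challenge text).
Grows the 12 free pentominoes by adding cells and deduplicating under rotation and
reflection, then tiles width x height by always covering the first empty cell
in row-major order. Piece labels A..L are arbitrary, not the conventional names."""
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

Cell = Tuple[int, int]
Shape = FrozenSet[Cell]
NEIGHBOURS = ((1, 0), (-1, 0), (0, 1), (0, -1))

def normalize(cells: Iterable[Cell]) -> Shape:
    """Translate a shape so its smallest row and column are both 0."""
    cells = list(cells)
    min_r, min_c = min(r for r, _ in cells), min(c for _, c in cells)
    return frozenset((r - min_r, c - min_c) for r, c in cells)

def orientations(shape: Shape) -> Set[Shape]:
    """All distinct rotations and reflections of a shape (1 to 8 of them)."""
    result: Set[Shape] = set()
    for _ in range(4):
        shape = normalize((c, -r) for r, c in shape)       # rotate 90 degrees
        result.add(shape)
        result.add(normalize((r, -c) for r, c in shape))   # and its mirror image
    return result

def free_pentominoes() -> List[Shape]:
    """Grow polyominoes one cell at a time, keeping one representative per symmetry class."""
    current: Set[Shape] = {normalize([(0, 0)])}
    for _ in range(4):                                     # 1 -> 2 -> 3 -> 4 -> 5 cells
        grown: Set[Shape] = set()
        for shape in current:
            for r, c in shape:
                for dr, dc in NEIGHBOURS:
                    if (r + dr, c + dc) not in shape:
                        new = normalize(shape | {(r + dr, c + dc)})
                        grown.add(frozenset(min(tuple(sorted(o)) for o in orientations(new))))
        current = grown
    return sorted(current, key=lambda s: tuple(sorted(s)))

def regions_ok(grid: List[List[Optional[str]]]) -> bool:
    """Prune: every connected empty region must hold a whole number of pentominoes."""
    height, width, seen = len(grid), len(grid[0]), set()
    for start in ((r, c) for r in range(height) for c in range(width)):
        if grid[start[0]][start[1]] is not None or start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            y, x = stack.pop()
            size += 1
            for dy, dx in NEIGHBOURS:
                n = (y + dy, x + dx)
                if 0 <= n[0] < height and 0 <= n[1] < width and grid[n[0]][n[1]] is None and n not in seen:
                    seen.add(n)
                    stack.append(n)
        if size % 5:
            return False
    return True

def solve(width: int, height: int) -> Optional[List[str]]:
    """Return one tiling as rows of piece labels, or None if the rectangle cannot be tiled."""
    if width * height != 60:                               # a full set covers exactly 60 cells
        return None
    # Each orientation as offsets from its row-major first cell, so it anchors on the first empty cell.
    piece_offsets = [[[(r - min(o)[0], c - min(o)[1]) for r, c in sorted(o)] for o in orientations(p)]
                     for p in free_pentominoes()]
    grid: List[List[Optional[str]]] = [[None] * width for _ in range(height)]
    used = [False] * len(piece_offsets)

    def fits(r, c, offs):
        return all(r + dr < height and 0 <= c + dc < width and grid[r + dr][c + dc] is None
                   for dr, dc in offs)

    def paint(r, c, offs, value):
        for dr, dc in offs:
            grid[r + dr][c + dc] = value

    def backtrack():
        pos = next(((r, c) for r in range(height) for c in range(width) if grid[r][c] is None), None)
        if pos is None:
            return True                                    # board full: all 12 pieces placed
        r, c = pos
        for i, variants in enumerate(piece_offsets):
            if used[i]:
                continue
            for offs in variants:
                if fits(r, c, offs):
                    used[i] = True
                    paint(r, c, offs, "ABCDEFGHIJKL"[i])
                    if regions_ok(grid) and backtrack():
                        return True
                    paint(r, c, offs, None)
                    used[i] = False
        return False

    return ["".join(row) for row in grid] if backtrack() else None

if __name__ == "__main__":
    print("\n".join(solve(10, 6) or ["no tiling"]))
```

Running the block prints one 6×10 tiling; `solve(12, 5)`, `solve(15, 4)` and `solve(20, 3)` cover the other rectangles listed above (the 3×20 case has far fewer solutions, so its search runs longer). The flood-fill prune discards any board whose empty regions cannot each be filled by whole pieces, which is what keeps a plain Python backtracker fast.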


-NSA Challenge – Complete the Puzzle

Link HERE (Disclaimer: You will need a Facebook account probably for NSA to contact you later about your great skillz! – haha)



May 25: GDPR Live! See incidents section below

June 30: TLS1.1 mandatory for PCI-DSS compliance


Now: TLS1.2 mandatory for proper security

Deprecating TLS1.0 and TLS1.1 – draft-moriarty-tls-oldversions-diediedie-00 – HERE

Jun 14: World Cup 2018 ongoing and Russia still seems a safe place (!)

Cyber Games at the World Cup


July and August – Holidays!!

March 29 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week

Some OWASP stuff first


-On-Demand AWS Tech Talks – Security, Identity & Compliance




-Application Security Podcast – Malicious User Stories


-Don’t forget about

Conference Preview HERE



Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE

Football or Phishing?

At least two phishing campaigns are taking advantage of this year’s football World Cup.

Fraudsters are attempting to exploit fans’ eagerness to keep up with the games and the results in the expectation that fans might click on links more readily

Is your device earning money for cyber criminals?

Recent reports have suggested a substantial increase in ‘cryptojacking’, where cyber criminals install malware onto a victim’s devices and use them to mine cryptocurrency

Attackers target cryptocurrency software

On 15 June, Syscoin, a cryptocurrency that advertises its instant transactions, announced that its Github account had been compromised just under a week earlier

Good cyber hygiene can help fend off LokiBot

Fraudulent account activity and identity theft are some of the most common threats on the internet. Cyber criminals often use credential-stealing malware to obtain usernames and passwords

The ECSEPA Cybersecurity Evidence Study

The Evaluating Cyber Security Evidence for Policy Advice (ECSEPA) project survey is intended to learn more about how the UK Government policy advisory and policymaking community evaluate evidence in their roles – Survey HERE



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

Subdomain takeover against Shopify


Crypto news: Tron (TRX) Responds to Security Concerns as New Network Generates First Block

Link HERE Whitepaper HERE

HMRC takes 5 million taxpayers’ Voice IDs without consent


Pwned with ‘4 lines of code’: Researchers warn SCADA systems are still hopelessly insecure

How Stuxnet, Shamoon, et al ran riot


‘Hidden Tunnels’ Help Hackers Launch Financial Services Attacks


Apple IOS <= 12 Erase Data bypass

Tested heavily with iOS 11; brute-forces 4/6-digit PINs without limits (complex passwords YMMV)

Watch the demo of the exploit in action


Indian Banks Must Migrate ATMs from Windows XP

India’s banks have until June 2019 to stop using Windows XP in ATMs. (For reference, Microsoft ended support for Windows XP in April 2014.) The Reserve Bank of India sent financial institutions a notice setting out a timeline for migration; at least 50 percent of the machines must be migrated by the end of this calendar year; they must implement anti-skimming and application whitelisting technologies by March 2019; and they must be completely migrated a year from now. The banks must file compliance plans by the end of July 2018


Researchers are warning against a new email phishing campaign that utilizes the WannaCry ransomware


Mobile Service Providers Will Stop Selling Location Data

In a June 15, 2018 letter to Wyden, Verizon pledged to end the practice of sharing information with location aggregators. After being publicly criticized by US Senator Ron Wyden (D-Oregon), Sprint, AT&T, and T-Mobile have said that they will follow Verizon’s example and no longer sell customers’ real-time cell location data to third parties. Wyden sent letters to the carriers after learning of information being shared with a company that used the data in ways that violated carrier policy.
The company the carriers were selling the data to existed to resell it to parties the carriers did not want to be seen selling to directly. Kudos to Senator Wyden for holding them accountable for this abuse

Link HERE and Verizon letter HERE


OpenBSD Disables Intel CPU Hyper-Threading Due to Security Concerns


InvisiMole malware can use machine’s camera, microphone

A new malware known as InvisiMole can infect a victim machine and use the camera and microphone to record audio and video. InvisiMole has been targeting computers in Russia and Ukraine for the past five years, according to researchers


60,000 Android devices hit with ad-clicking bot malware

A malicious Android app that infects devices with click bot malware is also capable of stealing text messages and log data. The app has infected at least 60,000 Android devices. Users are led to the app through a pop-up ad telling them that there is a problem with their device’s battery. The app does actually monitor battery levels and shuts down processes that are using too much power when the battery is low

Link HERE


Research of the week

-Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials – thanks to Naz

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March 2016–March 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black-market forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s
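As an added illustration of the hardening the abstract describes (example code, not the paper's or Google's implementation): a login-risk check that combines a breached-password lookup with the account's geolocation and device history and decides whether to allow, step up, or force a reset. The weights, thresholds, breach corpus and account data are constructed for this example.

```python
"""Risk-signal login check (added example, not taken from the paper).
Assumes the submitted password already verified against the account; the question
is whether the login should still be allowed outright. All data is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set

def digest(password: str) -> str:
    """Breach corpus entries are kept as SHA-256 digests, never as plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a corpus of passwords exposed in breaches.
BREACHED_DIGESTS: Set[str] = {digest(p) for p in ("letmein123", "hunter2")}

@dataclass
class AccountHistory:
    countries: Set[str] = field(default_factory=set)  # seen on past successful logins
    devices: Set[str] = field(default_factory=set)    # device fingerprints seen before

@dataclass
class LoginAttempt:
    password: str
    country: str
    device: str

def assess(attempt: LoginAttempt, history: AccountHistory) -> Dict[str, object]:
    """Combine a breach lookup with geolocation/device novelty into one decision."""
    reasons: List[str] = []
    score = 0
    breached = digest(attempt.password) in BREACHED_DIGESTS
    if breached:
        reasons.append("password appears in breach corpus")
        score += 3
    if attempt.country not in history.countries:
        reasons.append(f"new country: {attempt.country}")
        score += 2
    if attempt.device not in history.devices:
        reasons.append("unrecognised device")
        score += 1
    if breached:
        decision = "force_reset"        # an exposed password is a credential, not a signal
    elif score >= 2:
        decision = "challenge"          # step-up: second factor or out-of-band confirmation
    else:
        decision = "allow"              # a lone new device on a known location is tolerated
    return {"decision": decision, "score": score, "reasons": reasons}
```

The ordering matters: a password known to be exposed forces a reset regardless of how familiar the location and device look, because an attacker replaying breach data typically also controls nothing else the account has seen before, and this path is exactly the transitive-trust hijack the abstract measures.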



The Wi-Fi Alliance, which certifies wireless network standards, has unveiled WPA3, a new wireless internet security protocol

Links HERE and HERE

-Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices



Tool of the week

-AWS Landing Zone – thanks to Neil

AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices, setting up a multi-account environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services. This solution can help save time by automating the set-up of an environment for running secure and scalable workloads while implementing an initial security baseline through the creation of core accounts and resources


-Find and remove the FlexiSPY stalkerware

There is a software industry dedicated to the production of full-fledged spyware to be sold to just about anyone. These products are hidden applications that, once installed, will silently monitor everything you do with your computer and phone. That includes watching you as you chat on Facebook, intercepting your emails, stealing your pictures, and watching you through the webcam


-Free and open source interactive HTTPS proxy

Good at capturing traffic made by a mobile phone for example


-Comparison of enterprise authentication products


-Baseline security policy for Azure AD admin accounts in public preview!



Other interesting articles

Where in the DevOps cycle do you do security?

The short answer: everywhere. Here’s how to implement a strategy

Link HERE Bonus DevSecOps 2018 Survey results HERE


Securing the build environment: A “critical” component of container security


Companies don’t usually think of the build environment when it comes to securing their containers. But they should, observes David Bisson. He looks at how attackers can exploit development practices like CI and CD to infiltrate the build environment. Then he offers practical advice for maintaining build security as a critical component of your container security



Scaling Network Security: The New Network Security Requirements

In our last post we bid adieu to The Moat, given the encapsulation of almost everything into standard web protocols and the movement of critical data to an expanding set of cloud services. Additionally, the insatiable demand for bandwidth further complicates how network security scales. So it’s time to reframe the requirements of the new network security. Basically, as we rethink network security, what do we need it to do?



Storing encrypted credentials in git

We all know that we should not commit any passwords or keys to the repo with our code (no matter if it’s public or private). Yet thousands of production passwords can be found on GitHub (and probably thousands more in internal company repositories). Some have tried to fix that by removing the passwords (once they learned it’s not a good idea to store them publicly), but the passwords have remained in the git history.
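To make the history point concrete, here is an added example (not code from the article) that scans `git log -p` output for credential-looking string literals on both added and removed lines: a secret deleted in a later commit is still reported, because deleting it from the working tree does not purge it from history. The sample log, the variable-name patterns and the fingerprinting choice are this example's own.

```python
"""Scan git history text for hard-coded credentials (added example, not from the article).
Reads `git log -p` output and reports quoted secrets on both '+' and '-' diff lines, so a
password removed in a later commit still shows up. The sample log below is constructed."""
import hashlib
import math
import re
from typing import Dict, List

# A quoted literal assigned to a variable whose name suggests a secret. Requiring the
# quotes means references such as os.environ["DB_PASSWORD"] are not reported.
SECRET_ASSIGNMENT = re.compile(
    r"""(?P<key>\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)
COMMIT_HEADER = re.compile(r"^commit ([0-9a-f]{7,40})")

def shannon_entropy(text: str) -> float:
    """Bits per character; generated keys score high, dictionary words and placeholders low."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def scan_history(log_text: str) -> List[Dict[str, object]]:
    """One finding per credential literal seen on a +/- line, newest commit first."""
    findings: List[Dict[str, object]] = []
    commit = "unknown"
    for line in log_text.splitlines():
        header = COMMIT_HEADER.match(line)
        if header:
            commit = header.group(1)
            continue
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue                                  # only diff body lines
        match = SECRET_ASSIGNMENT.search(line[1:])
        if not match:
            continue
        value = match.group("value")
        findings.append({
            "commit": commit,
            "op": line[0],
            "key": match.group("key"),
            # Report a fingerprint, never the secret itself, so the scan output is safe to share.
            "fingerprint": hashlib.sha256(value.encode("utf-8")).hexdigest()[:12],
            "entropy": round(shannon_entropy(value), 2),
        })
    return findings

def removed_but_in_history(findings: List[Dict[str, object]]) -> List[str]:
    """Fingerprints whose newest diff op is '-': absent from HEAD, recoverable from history."""
    newest_op: Dict[str, str] = {}
    for f in findings:                                # git log lists newest first
        newest_op.setdefault(str(f["fingerprint"]), str(f["op"]))
    return sorted(fp for fp, op in newest_op.items() if op == "-")

# Constructed sample of `git log -p` output: the secret is added, then "removed".
SAMPLE_LOG = """\
commit 2222222cafebabe
Author: Dev <dev@example.test>

    remove hardcoded DB password (constructed sample)

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
-DB_PASSWORD = "Tr0ub4dor&3xampl3"
+DB_PASSWORD = os.environ["DB_PASSWORD"]

commit 1111111deadbeef
Author: Dev <dev@example.test>

    add db config (constructed sample)

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
+DB_HOST = "db.internal.example"
+DB_PASSWORD = "Tr0ub4dor&3xampl3"
+API_TOKEN = "changeme"
"""

if __name__ == "__main__":
    found = scan_history(SAMPLE_LOG)
    for f in found:
        print(f)
    print("still in history:", removed_but_in_history(found))
```

The fix the article implies is the same one this scan motivates: once a real secret has landed in history, rotate it, then rewrite history if the repository's consumers can tolerate that. Feed the scan real output with `git log -p --all` so branches and tags are covered too.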



And finally, FIFA World Cup 2018: A Data-Driven Approach to Ideal Team Line-Ups (cooool!)


So based purely on the FIFA 18 Data:

Spain has the highest average overall rating, followed by Germany and Brazil.

Germany has the highest total value, followed by Spain and France.

Spain has the highest average wage, followed by Germany and Brazil.

My bet is for a Spain vs France in the final, and Brazil vs Germany for the 3rd place. And Les Bleus will win it all! What are your thoughts?





AppSec Ezine

Link HERE and credits to HERE
