Security Stack Sheet #12

Word of the week “Security booze” – thanks to Naz

Stress, bad workplace cultures are still driving security folk to drink

Self-medicating with booze is no answer, hackers warned at conference



Word of the week special

“Uber GDPR”

Is it right for Uber drivers to rate passengers? Do passengers know that?

What are Uber drivers actually rating?

Is it right for Uber to have access to that information? Who are they sharing it with?

Could one be denied a loan or a purchase because of their Uber passenger rating?

Links HERE and HERE Uber got hacked massively not long ago HERE and HERE


“Elder fraud”

Links HERE and HERE and HERE








Crypto challenge of the week




May 25th: GDPR Live! See incidents section below – Worst breaches in 2018 so far HERE

June 30th: TLS1.1 mandatory for PCI-DSS compliance  BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS Is Easy!

Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare

Link HERE What Cloudflare says HERE and HERE Reasons to switch? HERE


Deploying TLS 1.3 at scale with Fizz, a performant open source TLS library


The opposite -> NeverSSL HERE :)

This website is for when you try to open Facebook, Google, Amazon, etc on a wifi network, and nothing happens. Type “” into your browser’s url bar, and you’ll be able to log on

August – Holidays!!

September 21st SEC Bitcoin ETF

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first 

-BlackHat and Defcon happening right now! More in the coming weeks!

Links HERE and HERE

Slides and presentations for BlackHat HERE

-Hacker Summer Camp GUIDE – Surviving Vegas – Part one


-New Pluralsight Course: Bug Bounties for Researchers

Earlier this year, I spent some time in San Fran with friend and Bugcrowd founder Casey Ellis where we recorded a Pluralsight “Play by Play” titled Bug Bounties for Companies. I wrote about that in the aforementioned post which went out in May and I mentioned back then that we’d also created a second course targeted directly at researchers. We had to pull together some additional material on that one but I’m please to now share the finished product with you: Bug Bounties for Researchers


-Course: The State of GDPR: Common Questions and Misperceptions

In this course, you’ll learn how to distinguish fact from misperception when it comes to the General Data Protection Regulation (GDPR) and get answers to many commonly asked GDPR questions


-Critical log review checklist for security incidents


-Cyber Security Body Of Knowledge

Software Security




-Application Security Podcast – last episodes


-Social engineer podcast – last one


-Network Monitoring Is Going Away…Now What? TLS, QUIC and Beyond

Protocol improvements to prevent pervasive monitoring, such as forward secrecy and metadata hiding, are being standardized and deployed in response to greater awareness of threats to network traffic. The changes impact monitoring




Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Data breach suffered by Reddit

Reddit confirmed earlier this week that it had suffered a data breach back in June 2018 with all data created between 2005 and 2007 compromised.

This data included users’ protect passwords and email addresses as well as current usernames and corresponding email addresses which were obtained from the weekly email digests that roundup top Reddit posts

Used connected cars need disconnecting 

Once upon a time you sold your car, handed over the keys, log book, MOT certificate and pocketed the cash or bought a new car and thought no more about it. No longer. In today’s connected world – you may have just sold a computer on wheels

Social engineering as a malware delivery mechanism: technical support fraud 

We are all used to warnings about the need to keep security patches up-to-date in an effort to make our computers harder to exploit, but hackers have long been using social engineering alone as a means to exploit us and our computers. One type of scam – technical support fraud – seems to be on the rise again


Weekly Intelligence Summary from Digital Shadows

Intelligence summary

  • In the spotlight this week: the reemergence of the “Kronos” banking trojan in three active campaigns targeting entities in Germany, Japan and Poland. The revival coincides with an increase in email phishing campaigns distributing banking trojans during the first quarter of 2018.
  • Other highlights focus on: the detection of a multi-tiered supply-chain attack affecting a software vendor; the return of the extortionist threat actor(s) “thedarkoverlord”; and a Middle Eastern espionage group’s use of a custom backdoor variant.
  • Looking ahead, cyber espionage activity in the Middle East is likely to continue as geopolitical tensions affect different nations’ interests in the region. Additional extortion activity attributed to thedarkoverlord will likely be reported; the general election in Zimbabwe could trigger cyber attacks; and a hacktivist response will likely follow PricewaterhouseCoopers’ negotiations with the Saudi Arabian military



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

Capture NTLM Hashes using PDF (Bad-Pdf)

Today we are demonstrating stealing NTLM hashes through a pdf file. We have already discussed the various method to Capture NTLM Hashes in a Network in our previous article. Recently a new tool has launched “Bad-PDF” and in this article, we are sharing our experience


Security Patch Management — 7 Do’s and Don’ts

#1 Do: Come Prepared: Put a Security Patch Management Policy in Place

#2 Do: DevOps it Up: Automate Your Patch Management Strategy

#3 Do: SCA to the Rescue: Patch Management for Open Source Components

#4: Do: Test and Monitor Your Security Patches

#5: Don’t Take Your Time

#6: Don’t Get Too Attached to Your Patch Management Policy

#7: Don’t Patch and Run

Security Patch Management: It’s a Marathon, not a Sprint


Windows App Development Environment Bug

A flaw in the Minimalist GNU for Windows for 64-bit PCs (mingw-w64) compiling tool produces executable Windows files that are incompatible with Address Space Layout Randomization (ASLR) exploit mitigation technology. An advisory from CERT/CC suggests a workaround for the issue, but there are not presently any fixes. Vendors were notified about the issue in late July

Links HERE and HERE

The Gorgon Group: Slithering Between Nation State and Cybercrime


HP Releases Fix for InkJet Printer Flaws

HP has released a firmware update to address two flaws affecting its InkJet printers. The vulnerability affects at least 166 different models of HP InkJet printers. Malicious files sent to vulnerable devices could result in stack or static buffer overflows, which could allow remote code execution. In May, HP launched a bug bounty program, the first such program to address flaws in printers. The program is private; 34 researchers were invited to participate.
Part of the problem here is that there is too much gratuitous general-purpose computer function included in these printers and exposed to public networks. We should be building appliances with only the function necessary rather than including too much function which we then have to compensate for

Links HERE and HERE and HERE

New attack on WPA/WPA2 using PMKID


Security flaws let hackers hit in-flight and at sea WiFi


GitHub announces new account security and recovery practices


Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally


John McAfee’s ‘unhackable’ Bitcoin wallet (allegedly) got hacked


ASP.NET resource files (.RESX) and deserialisation issues



Research of the week

-Vulnerability research and responsible disclosure: Advice from an industry veteran

“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab


-Adopting a Zero Trust approach is the best strategy to control access

A new study conducted by Forrester Consulting found that organizations powering Zero Trust Security with next-gen access solutions reported twice the confidence to accelerate new business models and customer experiences


-Nine years of bugs & coordinated vulnerability disclosure: Trends, observations & recommendations for the future


-How to security harden your friend’s new Android phone

I’ve loved using Android phones ever since I bought my first in 2011. I’ve even dabbled in Android development a bit, just for the fun of it.

But Android is one of the top platforms for malware. And because Android isn’t quite as restrictive as iOS, consumers can be especially susceptible to mobile cyber attacks if they don’t know what they’re doing. My Android phone has reasonably good endpoint security, but then again I do know what I’m doing


-Burn Box Self-Revocable Encryption

Researchers from Cornell University, Cornell Tech, and the University if Illinois Champaign-Urbana have developed a form of self-revocable encryption, which would allow users to temporarily revoke access to selected files on their devices. The feature could be especially useful to journalists and human rights workers who want to prevent authorities from viewing sensitive information. The researchers plan to present their work at Usenix Security Symposium in Baltimore later this month.

When using such techniques, caution has to be taken to not appear to lying or otherwise obstructing law enforcement or border control officials which can lead to an extended scope inspection. The safest bet is not store sensitive data on the devices going through control points and log out of cloud services that can access the data



Tool of the week

-Bomgar releases free privileged account Discovery Tool

As the quantity and scope of cyber attacks continues to grow, organizations are focusing on the risk from privileged users such as insiders and third parties. The free Bomgar Discovery Tool provides key information on the scope of these privileged accounts to equip you with the information you need to proactively protect them


-OSS-Fuzz – continuous fuzzing of open source software

Currently OSS-Fuzz supports C and C++ code (other languages supported by LLVM may work too)


-How to Implement Spring Security With OAuth2

Spring Security provides comprehensive security services for J2EE-based enterprise software applications. It is powerful, flexible, and pluggable. It is not like a Proxy server, firewall, OS level Security, Intrusion Detection System, or JVM Security



Other interesting articles

Getting product security engineering right

Product security is an interesting animal: it is a uniquely cross-disciplinary endeavor that spans policy, consulting, process automation, in-depth software engineering, and cutting-edge vulnerability research. And in contrast to many other specializations in our field of expertise – say, incident response or network security – we have virtually no time-tested and coherent frameworks for setting it up within a company of any size

Links HERE and HERE Book from Cambridge 600 pages HERE


How to balance development goals with security and privacy

As a software security evaluator and a one-time engineer, I can confirm what the daily security breaches are telling us: software engineers and architects regularly fail at building in sufficient security and privacy. As someone who has been on both sides of this table, I’d like to share some of my own security-related engineering sins and provide some practical advice for both engineers and security officers on how best to balance development goals with privacy concerns



Let’s Encrypt Root Trusted By All Major Root Programs

As of the end of July 2018, the Let’s Encrypt root, ISRG Root X1, is directly trusted by Microsoft products. Our root is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry.

Let’s Encrypt is currently providing certificates for more than 115 million websites



Adventures in vulnerability reporting

At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since it is important to user security that software vendors fix reported vulnerabilities in a timely matter, and vendors need to actually receive the report for this to happen, we have decided to share some of our experiences. We hope to show that good practices by software vendors can avoid delays in vulnerability reporting



How Open Source Intelligence Could Save Your Network

Sites dedicated to compiling information about indicators from the atomic to the behavioral include:

  • Team Cymru’s Community Services portal: This portal includes IP reputation lookup and malware hash analysis.
  • Threatminer: Search by domains, hashes, user-agent strings and registry entries.
  • Threatcrowd: Look for information on domains, IP addresses, emails and organizations.
  • URLQuery: This site profiles URLs for web-based malware.
  • InfoByIP: This site finds the domain, location, internet service provider (ISP) and autonomous system number (ASN) for IPs or domains — which is good for bulk queries.
  • Cymon: Input IPs, domains or hashes and get activity and malware reports.
  • Shodan: This site helps analysts determine which devices are publicly connected to the internet.
  • ATT&ACK: This is MITRE’s collection of attack techniques and tactics


And finally, Google – you autocomplete me

At what point will Google’s predictive technology grow so powerful that we begin thinking of its personalized recommendations as our own?

I don’t like to say “hi.” I’m a “hey” person. But more and more, I find myself greeting friends and colleagues with a “hi” on email. Why? Because Google suggests that I do. In May, Gmail…




AppSec Ezine

Link HERE and credits to HERE

Leave a Reply

Your email address will not be published. Required fields are marked *