Security Stack Sheet #13

Word of the week “Save your Company’s Bacon”

Do you know an individual or team that deserves recognition for going over and above the call of duty when it comes to protecting their organisations from cyber threats? Maybe they have saved the day from a cyber attack or malware infection or rescued the organisation from ransomware? Did they implement a cyber risk awareness campaign that made a difference to the office culture when it comes to phishing; or are they simply a great advocate when it comes to security best practices?

Nominate until the 24th of August!

Categories are:

  1. Fraud Fighter
  2. Captain Compliance
  3. Godfather/Godmother of Security
  4. Cyber Writer
  5. Security Avengers
  6. Best Security Awareness Campaign
  7. Security Leader/Mentor
  8. Apprentice/Rising Star
  9. Best Educator
  10. Best Ethical Hacker/Pen-Tester
  11. Data Guardian
  12. SecDevOps Trailblazer
  13. Best Cyber Security Sales Leader
  14. CISO Supremo



Word of the week special

“Chaff Bugs”

Deterring Attackers by Making Software Buggier

Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes)

Article HERE Paper HERE




1337d00m – thanks to Daniel

1337d00m is a hacker’s version of the original DOOM


Name the most horrible part of this code.




Crypto challenge of the week

Kudelski Security’s 2018 pre-Black Hat crypto challenge

For this year’s crypto challenge we have 3 stages, but it’s on a server which is receiving a lot of empty UDP packets and it sometimes reboots without notice, very strange, but IT tells us they are working on it … Here is how you access the API to query the oracle, good luck!

All challenges can be queried on the API under (N.B. it refuses insecure connection). Any submitted characters not in [a-zA-Z0-9 ] will generate an error.

To solve the first 2 challenges, you must write a program that creates valid signatures, in order to send the /win endpoint the message specified in the /flag one. That signed message must be successfully verified by the verification service. Obviously, your program should not just copy a signature received from the signing service, and we’ve thus blacklisted the winning messages.

The 3rd and final challenge is won by decrypting the flag




May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE

June 30th: TLS1.1 mandatory for PCI-DSS compliance  BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS Is Easy!

Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare

Link HERE What Cloudflare says HERE and HERE Reasons to switch? HERE

HTTPS everywhere HERE

TLS 1.3 Standard is Official

Transport Layer Security 1.3 (TLS 1.3) standard is now official. The revised standard was approved in March 2018; the Internet Engineering Task Force (IEFT) calls it “a major revision designed for the modern Internet.” Its developers have worked hard to make TLS 1.3 easy to deploy.


August – Holidays!!

September 21st: SEC Bitcoin ETF

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first

-BlackHat and Defcon 2018!

Refresh from last week: Slides and presentations for BlackHat HERE

BlackHat key note: Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes


Defcon slides, presentations, workshops and music HERE L0pht reunite at Defcon HERE

Defcon closing ceremony HERE Defcon press HERE Blackhat photos HERE





























DEFCON-26-Richard-Thieme-The-Road-to-Resilience .pdf













Links HERE and HERE

-Application Security Podcast – last episode

Securing DevOps (S04E03)


-Social engineer podcast – ep. 108  Neil Fallon Is My Tech Support – Security through Education


-InSecurity Podcast: Katie Moussouris Breaks Down Bug Bounty Programs

Link HERE Example Tesla Bug Bounty and changes HERE

-Top 10 Web Hacking Techniques of 2017 – Voting Open



-How the OWASP Top 10 can Secure your DevSecOps Initiative

As software becomes increasingly complex, the difficulty of achieving application security increases. With the rapid pace of modern software development processes, securing the software from the beginning can be challenging.
-How can developers write more secure applications?
-What are the security techniques they could use while writing their software?




Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Social engineering to gain access: SIM swapping 

SIM swapping (also known as ‘SIM splitting’) emerged several years ago but is on the increase as mobile phone numbers become more widely used as part of security checks. The scam sees attackers access victims’ texts, calls and other sensitive information, including security codes used as part of two-factor authentication (2FA).

To be successful, attackers first need personal information, gleaned through various forms of phishing, purchasing victims’ details from organised crime networks, or by conducting open source research. Social media sites can also contain sufficient information for attackers to masquerade as genuine customers

US payment processing services targeted by BGP hijacking attacks 

Three United States payment processing companies were reportedly targeted by Border Gateway Protocol (BGP) hijacking attacks on their DNS servers in July

Bitpaymer: Cyber attack against Alaskan local government 

The Alaskan local government borough of Matanuska-Susitna (Mat-Su) has confirmed they suffered a large scale, disruptive cyber attack in July, caused by a multi-faceted malware package containing Bitpaymer ransomware

Malware targets cryptocurrency ATMs

Trend Micro have reported that malware specifically designed to target cryptocurrency ATMs is being sold on the DarkNet for $25,000 by an apparently established user who regularly sells ATM and other financially-related malware

Increase of mobile phone enabled fraud

Last week the social news aggregator Reddit reported a data breach that saw hackers able to access a backup system containing user data, including email addresses, and a 2007 database with usernames and hashed passwords. Several Reddit employees’ accounts connected to cloud and hosting providers were compromised.

The company employed an SMS-based two-factor authentication system where a one-time passcode was used to access systems, along with a password. The hack was accomplished by intercepting SMS messages, circumventing Reddit’s 2FA system. See the NCSC’s advice following the Reddit breach.

SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, exploitation and intercept of legacy telephone signalling systems, or by directly intercepting and decrypting signals from cell towers


Troy Hunt weekly update



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

FBI ATM Cashout Warning

A confidential FBI alert sent to banks last week warns that criminals are planning an ATM cashout, an attack in which there is a coordinated effort to empty ATMs of all the cash they contain using cloned cards. The scheme involves compromising the system at a bank or payment card processor and using information obtained there to program clones of legitimate cards. The FBI’s alert recommends that banks implement strong security measures, such as two-factor authentication using a physical or digital token, dual authentication procedures for withdrawals that exceed a certain threshold, and application whitelisting.


In the early days of ATMs we limited cash withdrawals to $200 per account per day. Over the decades banks have relaxed this limit. While banks would be reluctant to reinstitute it, it would be one way of addressing this risk. Note that the application of two-factor (card and PIN) authentication began with ATMs. It was very effective until the cost of cloning cards dropped. When the issuers stop using mag-stripe and use “chips,” the cost of cloning will go back up and the risk will go down.


This is a two-step exploit. First, controls are disabled at the financial institution, such as maximum withdrawal amount or maximum number of ATM transactions, then cloned cards are used to drain accounts. Implementing multi-factor authentication, whitelisting, active monitoring, separation of duties, and dual-person controls are key to protecting the back-end systems from exploitation. While the elimination of the mag-stripe on ATM cards makes the cloning activity very difficult, removing the mag-stripe will take a while. The US deadline for automated fuel pumps to convert to EMV is pushed to October 2020, even when all merchants are no longer using mag-stripe readers, card holders will still need to be issued cards without the enabled capability.

Update, Aug. 15, 11:11 a.m. ET: Several sources now confirm that the FBI alert was related to a breach of the Cosmos cooperative bank in India. According to multiple news sources, thieves using cloned cards executed some 12,000 transactions and stole roughly $13.5 million from Cosmos accounts via 25 ATMs located in Canada, Hong Kong and India


Hack Can Turn Robotic Vacuum Into Creepy Rolling Surveillance Machine


Siri is listening to you, but she’s NOT spying, says Apple


Hashcat developer discovers simpler way to crack WPA2 wireless passwords


Only 8% of orgs have effective DevSecOps practices

Link HERE Article to infuse security throughout the app dev process HERE Integrating security into DevOps HERE

Vulnerabilities in mPOS devices could lead to fraud and theft

Links HERE and HERE

Intel’s SGX blown wide open by, you guessed it, a speculative execution attack

Speculative execution attacks truly are the gift that keeps on giving


Alert Fatigue


CGit clone objects bug
Description: There is a directory traversal vulnerability in CGit, a web frontend for Git repositories, identified as CVE-2018-14912. The vulnerability exists in the cgit_clone_objects function in CGit before version 1.2.1 when `enable-http-clone=1` is not turned off


Vulnerabilities in election machines

Hackers at the Black Hat conference last week in Las Vegas were able to discover several new vulnerabilities in election machines used in the U.S. Conference attendees had physical access to the devices

Windows 10 is getting a new disposable sandbox feature that will allow users to run suspicious apps in a virtualized environment


Snapchat source code leaked on GitHub – but no one knows why


The Pentagon has banned deployed soldiers from using wireless GPS systems, including fitness trackers, citing security concerns  

FakesApp: A Vulnerability in WhatsApp


Applying Linkage Analysis to Cyber Crime Attribution

Case linkage or linkage analysis is a technique used by law enforcement to connect multiple crimes to a single individual. By examining behavioural fingerprints, law enforcement can draw conclusions that link seemingly unrelated cases. At DefCon last week, Matt Wixey presented efforts to apply the technique to digital crimes, using granular behaviour to identify hackers


Comcast data loss

More than 26.5 million Comcast customers potentially had their personal information exposed due to a flaw on the cable and internet company’s login page

Microsoft – Protecting the protector: Hardening machine learning defenses against adversarial attacks


Vulnerabilities Found in the Firmware of 25 Android Smartphone Models


GCHQ Director: New technologies are opening the door to cyber-rogues; you can help shut it



Research of the week

-DevSecOps Reference Architectures

Degrees of DevSecOps Automation


-NIST Working on Final Public Draft of Risk Management Framework 2.0

The National Institute of Standards and Technology (NIST) is hard at work on the next version of its Risk Management Framework 2.0 (RMF 2.0). The final public draft of RMF 2.0 is expected to be available in September 2018, with final publication expected in November. RMF 2.0 will address supply chains, systems engineering, and privacy


-Computer forensics equipment – ForensicMagiCube – thanks to Naz

Link HERE Details HERE


Tool of the week

-Awesome Cryptography

A curated list of cryptography resources and links – Theory, Tools, Frameworks and Libs and other resources


-WhiteSource Vulnerability Checker (free!)

Identify the Top Open Source Vulnerabilities


-Social Mapper

A free tool for automated discovery of targets’ social media accounts.

Social Mapper is an Open Source Intelligence Tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets names and pictures to accurately detect and group a person’s presence, outputting the results into report that a human operator can quickly review


-Bluetooth Low Energy Swiss-army knife

Btlejack provides everything you need to sniff, jam and hijack Bluetooth Low Energy devices. It relies on one or more BBC Micro:Bit. devices running a dedicated firmware



Other interesting articles

5 Threats to Financial Services

Five Threats to Financial Services: Part One, Insiders

Five Threats to Financial Services: Banking Trojans

Five Threats to Financial Services: Part Five, Hacktivism

Five Threats to Financial Services: Part Four, Payment Card Fraud

Five Threats to Financial Services: Phishing Campaigns

Links above


5 Things to Know For a Successful Pen Testing

Penetration testing (AKA Pen test) is an authorized deliberate hacking of a corporate network and computer infrastructure to determine its vulnerability. The vulnerability report arising from pen test is a valuable part of the system audit, which will enable the production of a credible mitigation plan while preserving overall security and privacy of the system and its users. In penetration testing, a distribution of Linux is used. This is because the mainstream desktop OS, Windows is inefficient for pen test purposes due to the artificial restriction set by Microsoft. In Windows, the user does not fully control the OS, Microsoft maintains full authority and control of it

Link HERE Security testing effectiveness HERE


Android 9 Pie Security

  • Built-in support for DNS over TLS, automatically upgrading DNS queries to TLS if a network’s DNS server supports it.
  • HTTPS by default. App developers who want HTTP traffic for specific domains will have to change their app’s network security config to allow those connections.
  • A new hardware security module and stronger protection for private keys(API support for devices that provide key storage in tamper-resistant hardware with isolated CPU, RAM, and secure flash.)
  • Support for encrypting Android backups with a client-side secret (by default if the user has set a screen lock for their device that requires a PIN, pattern, or password to unlock.)
  • Compiler-level mitigations for detecting dangerous behaviour and integer overflow sanitizers for mitigating memory-corruption and information-disclosure vulnerabilities.
  • A consistent UI for biometric authentication across apps and devices. Apps no longer need to build their own dialog to prompt the user for any supported type of biometric authentication (fingerprint, face, iris). They can use the BiometricPrompt API to show the standard system dialog instead.
  • Android P now restricts access to the microphone, camera, and all SensorManager sensors by apps running in the background.
  • “While your app’s UID is idle, the mic reports empty audio and sensors stop reporting events. Cameras used by your app are disconnected and will generate an error if the app tries to use them,” the company explained. Idle apps will also not receive events from sensors.



And finally, Is Humanity About To Accidentally Declare Interstellar War On Alien Civilizations?

If the Breakthrough Starshot initiative, promoted by Stephen Hawking, works exactly as planned, it could lead to disaster.

There are a great variety of stars with known exoplanets within 25 light years of the Sun, and missions like K2 and TESS will only find more. These are excellent targets for interstellar travel, but if we don’t do it carefully, our explorations could be mistaken for a malicious act of aggression. (NASA/GODDARD/ADLER/U. CHICAGO/WESLEYAN).




AppSec Ezine

Link HERE and credits to HERE

2 thoughts on “Security Stack Sheet #13

  1. Author gravatar
    baccarat 29th November 2019, 20:09

    Technology is way more impresive then before !

Leave a Reply

Your email address will not be published. Required fields are marked *