Security Stack Sheet #14

Word of the week “Cyber-psychopathology”

Cyberchondria, cyberbullying, cybersuicide, cybersex: “new” psychopathologies for the 21st century?

The Internet and related technologies permeate our every-day functioning to the extent that it has become difficult to imagine life without them. As their penetrance increases, so does discussion of, and research into, new problematic behaviours and psychopathologies, especially “Internet addiction” and “online gaming addiction”.

However, cybertechnology is also reshaping “established” psychiatric disorders and phenomena, leading to symptoms and manifestations that are both familiar and novel, old and new. Of those, this paper will focus on health-related anxiety, bullying or stalking, suicide, and compulsive sexual behaviour. While far from unique, they illustrate the range of psychological functions that have been reconfigured by the digital revolution – and how simplistic a “big umbrella” approach that reduces the discussion to “technology addiction” is.

Links HERE and HERE and HERE and HERE


Word of the week special “Hardcoded secrets”

Links HERE and HERE and HERE and HERE and HERE and HERE

Tools HERE and HERE






Crypto challenge of the week

NSA Crop Calculations

A farmer, known for his unusual aesthetics, planted five circular fields. Four of the circles have a one furlong radius and were arranged so their centers form a square and they are each tangent to two of the other three circles. The fifth field was planted in the area enclosed by the four circles such that it is tangent to all of them.

What is the total area of the unplanted land enclosed by the five circles?

In this image, the fields are shown in green. We are interested in measuring the red regions.




May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE

June 30th: TLS1.1 mandatory for PCI-DSS compliance  BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS Is Easy!

Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare

Link HERE What Cloudflare says HERE and HERE Reasons to switch? HERE

HTTPS everywhere HERE

August – Holidays!!

September 21st: SEC Bitcoin ETF

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week

Some OWASP stuff first

-OWASP London meetup next week

“From zero to hero: building security from scratch” – Anthi Gilligan

Breaches mean financial, regulatory, legal, and above all reputational repercussions. Organisations are quick to react, however with security professionals in high demand and low supply, there has been an increase in individuals jumping on the “cybersecurity” bandwagon. In this talk, we discuss the pitfalls of the inadequately qualified “cybersecurity expert”, and examine the building blocks of a solid information security management system

“Smart Contract Security” – Evangelos Deirmentzoglou

Dapps and many Initial Coin Offerings (ICOs) run on smart contracts and tend to process a substantial amount of funds. This makes them a target, and therefore they often undergo attacks. Combined with the blockchain immutability, vulnerabilities undiscovered during development will exist forever in the blockchain. This talk will dive into the most common smart contract security vulnerabilities and provide in-depth knowledge on how these issues occur and their mitigation. Real world examples will be discussed and vulnerabilities like re-entrancy, overflows, gas limit attacks etc. will be demonstrated

Link HERE Register HERE Event will be live on Facebook OWASP London channel.

-Badgelife: A Defcon 26 retrospective


-What happened in Vegas stayed in Vegas? DEFCON’s Caesar’s Palace controversy

“At noon-ish on Thursday (August 9th), I received a phone call from Las Vegas Police requesting to interview me, saying that they had a ‘anonymous tip from a third party’ about ‘some threats which were made.’ I agreed to meet them at the work event I was hosting. When they arrived, they had a printed out copy of a single tweet I’d sent, which was part of a conversation with munin.

We had a brief chat and I explained that the tweet was talking about phone hacking/network hacking and not physically attacking people, and wasn’t intended to be a threat to anyone. The LVPD said that sounded reasonable and they found no reason to doubt my explanation. It took all of ten minutes to talk to them. They said don’t worry about it any further and thanks for chatting. I went from work to dinner, to an evening event, then back to Caesar’s around midnight.”


-Black Hat USA 2018: ransomware is still the star


-Finding the signal of community in all the noise at Black Hat


-BSides Manchester 2018

BSidesMCR 2018: Modern MacOS Security by Michael Jack

BSidesMCR 2018: Cracking The Perimeter: How Red Teams Penetrate by Dominic Chell

BSidesMCR 2018: Practical Web Cache Poisoning: Redefining ‘Unexploitable’ by James Kettle

BSidesMCR 2018: Burp Replicator: Automate Reproduction Of Complex Vulnerabilities by Paul Johnston

BSidesMCR 2018: Diversity In InfoSec (Not That Sort!) by Victoria Walberg

Good article HERE


-Application Security Podcast – last episode

Threat Modeling with a bit of #Startup (S04E04)


-Electron – abusing the lack of context isolation


Oldies but goodies:

-Scriptless Attacks – Stealing the Pie without touching the Sill


-In the DOM, no one will hear you scream




Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Software secure? What about your hardware? 

Researchers at the DEF CON 2018 cyber security convention revealed that they could access an internal network using legacy technology – a fax machine

Data breaches fueling phishing scams

An ongoing email scam claims to plant spyware on a victim’s computer or phone and to record them visiting adult websites. $1,000 in Bitcoin is then demanded to prevent wider release of the video


Troy Hunt weekly update



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning

Update, 8:10 p.m. ET: An earlier version of this story incorrectly stated that there were only 25 ATMs used in the cashout against Cosmos. The figure was meant to represent the number of countries with ATMs that were used in the heist, not ATMs, and that number is 28 at last count.

Links HERE and HERE

Australian schoolboy hacks into Apple’s network, steals files

Apple Says Customer Data Not Compromised in Breach

After an Australian teenager pleaded guilty to breaking into Apple’s main computer network, the company reassured customers that their data were not compromised. The teenager admitted to downloading 90 gigabytes of internal data and to accessing customer accounts

Links HERE and HERE

Evolution of Android Security Updates

At Google I/O 2018, in our What’s New in Android Security session, we shared a brief update on the Android security updates program. With the official release of Android 9 Pie, we wanted to share a more comprehensive update on the state of security updates, including best practice guidance for manufacturers, how we’re making Android easier to update, and how we’re ensuring compliance to Android security update releases


KeyPass ransomware


London City police squad foils over EUR 27 mln of fraudulent online scams in six months


Philips cardiovascular software found to contain privilege escalation, code execution bugs


Man-in-the-Disk attacks leave Android users exposed to data manipulation

Check Point researchers discovered a new attack surface for Android applications that leverages external storage, dubbed Man-in-the-Disk attacks


Gmail Confidential Mode

Gmail’s new Confidential Mode lets users send email messages that “self destruct” and cannot be printed or forwarded. Settings allow senders to choose an amount of time before the email expires (from one day to five years) and can restrict access to the message after it is sent. Senders can also choose to require a password to open the message. The email contains a link to the actual content of the message, which is hosted on Google servers. The Electronic Frontier Foundation (EFF) takes issue with Google’s claims of Confidential Mode’s security and privacy, pointing out that the messages are not encrypted end-to-end


Back to the 90’s: FragmentSmack

As we had the previous week SegmentSmack (CVE-2018-5390) allowing remote DoS attacks by sending crafted TCP packets, this week a similar vulnerability has been reported on IP fragments


Hacking any internal network through a poor printer or fax


The enemy is us: a look at insider threats


How’s that encryption coming, buddy? DNS requests routinely spied on, boffins claim

Uninvited middlemen may be messing with message


A severe PHP vulnerability has left thousands of WordPress websites open to attack


NPM – Three new features to help our users protect themselves


Booz Allen Hamilton wins $1 billion US cybersecurity contract


Useless CSP

CSP is tricky to get right, but some people aren’t even trying and are likely adding headers to tick a box on their assessment report.

We thought about making a public list might make them care a bit more.

It might also cheer up adminsys that are struggling to deploy a strict policy on a complex website, to see that even some big players have botched CSP


How Cloudflare protects customers from cache poisoning 

A few days ago, Cloudflare — along with the rest of the world — learned of a “practical” cache poisoning attack. In this post I’ll walk through the attack and explain how Cloudflare mitigated it for our customers. While any web cache is vulnerable to this attack, Cloudflare is uniquely able to take proactive steps to defend millions of customers.

In addition to the steps we’ve taken, we strongly recommend that customers update their origin web servers to mitigate vulnerabilities. Some popular vendors have applied patches that can be installed right away, including DrupalSymfony, and Zend

Link HERE Paper HERE


Research of the week

-The DevOps Roadmap for Security

How Security can take on a new role in the DevOps movement by embracing modern principles, practices, and tooling


-File Operation Induced Unserialization via the “phar://” Stream Wrapper

The risk of unserializing attacker-controlled data in PHP has been well known since Stefan Essar first presented the issue in detail in 2009[1]. This topic is closely associated with similar vulnerabilities in other languages (see CWE-502[2] and CWE-915[3]). Recent years have also seen several vulnerabilities in the native code implementing unserialization (CVE-2017-12934, CVE-2017-12933, CVE-2017- 12932 et al.) further demonstrating the risk of exposing unserialization to attacker-controlled data.

This paper will present a novel attack technique specific to PHP which can cause unserialization to occur in a variety of exploitation scenarios. The technique can be used when an XXE vulnerability occurs, as well as such circumstance that would typically be considered an SSRF vulnerability and in a number of other scenarios where the vulnerability would previously have been considered an information disclosure issue


-Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers

Regular expression denial of service (ReDoS) is a class of algorithmic complexity attacks where matching a regular expression against an attacker-provided input takes unexpectedly long. The single-threaded execution model of JavaScript makes JavaScript-based web servers particularly susceptible to ReDoS attacks. Despite this risk and the increasing popularity of the server-side Node.js platform, there is currently little reported knowledge about the severity of the ReDoS problem in practice. This paper presents a large-scale study of ReDoS vulnerabilities in real-world web sites. Underlying our study is a novel methodology for analyzing the exploitability of deployed servers. The basic idea is to search for previously unknown vulnerabilities in popular libraries, hypothesize how these libraries may be used by servers, and to then craft targeted exploits. In the course of the study, we identify 25 previously unknown vulnerabilities in popular modules and test 2,846 of the most popular websites against them. We find that 339 web sites (11% of the ones that use Express, a popular server-side JavaScript framework) suffer from at least one ReDoS vulnerability and some even suffer from multiple ones. A single request can block a vulnerable site for several seconds, and sometimes even much longer, enabling denial of service attacks that pose a serious threat to the availability of these sites. We also show that the fact whether a website is vulnerable is independent of its popularity, indicating that the problem requires attention across a wide spectrum of web providers. Our results are a call-to-arms for developing techniques to detect and mitigate ReDoS vulnerabilities in JavaScript


-Encryption at rest: Not the panacea to data protection


-The Secure Socket API: TLS as an Operating System Service

SSL/TLS libraries are notoriously hard for developers to use, leaving system administrators at the mercy of buggy and vulnerable applications. We explore the use of the standard POSIX socket API as a vehicle for a simplified TLS API, while also giving administrators the ability to control applications and tailor TLS configuration to their needs. We first assess OpenSSL and its uses in open source software, recommending how this functionality should be accommodated within the POSIX API. We then propose the Secure Socket API (SSA), a minimalist TLS API built using existing network functions and find that it can be employed by existing network applications by modifications requiring as little as one line of code. We next describe a prototype SSA implementation that leverages network system calls to provide privilege separation and support for other programming languages. We end with a discussion of the benefits and limitations of the SSA and our accompanying implementation, noting avenues for future work



Bypassing advanced kernel mitigations using page tables manipulations



Tool of the week

-The Secure DevOps ToolChain


-dcipher – Online Hash Cracking Using Rainbow & Lookup Tables

Other hash cracking:

– hashcat Download – Password Hash Cracking Tool
– IGHASHGPU – GPU Based Hash Cracking – SHA1, MD5 & MD4
– – SHA1 & MD5 Hash Cracking Tool


-Pacu: The Open Source AWS Exploitation Framework

With the continued proliferation of Amazon Web Services (AWS), companies are continuing to move their technical assets to the cloud. With this paradigm shift comes new security challenges for both Sysadmin and DevOps teams.  These aren’t just problems for the security-unaware, either.  Even large enterprises – such as GoDaddy and Uber – have had major breaches from AWS configuration flaws.

This is where an authenticated AWS penetration test can help.  By simulating a breach and providing an attacker with a set of ‘compromised’ AWS keys, the range of AWS services can fully vetted.

Several tools exist to aid in the scanning of AWS vulnerabilities, but focus on compliance requirements, rather than exploit potential.  The offensive security community has a glaring need for a tool that provides a structured, comprehensive approach to pentesting AWS


-Reminder: BDD-Security

BDD-Security is a security testing framework that uses Behaviour Driven Development concepts to create self-verifying security specifications.

The framework is essentially a set of Cucumber-JVM features that are pre-wired with Selenium/WebDriver, OWASP ZAPSSLyzeand Tennable’s Nessus scanner.

It tests Web Applications and API’s from an external point of view and does not require access to the target source code



Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings


-Reminder: Git Secret

There’s a known problem in server configuration and deploying, when you have to store your private data such as: database passwords, application secret-keys, OAuth secret keys and so on, outside of the git repository. Even if this repository is private, it is a security risk to just publish them into the world wide web


-Web Authentication
An API for accessing Public Key Credentials
Level 1 – Editor’s Draft, 22 August 2018


-Aqua Security Launches Open-Source Kube-Hunter Container Security Tool

Aqua Security has made its new Kube-hunter open-source tool generally available, enabling organizations to conduct penetration tests against Kubernetes container orchestration deployments



Other interesting articles

The moment when you realize every server in the world is vulnerable

Hash tables. Dictionaries. Associative arrays. Whatever you like to call them, they are everywhere in software. They are core. And when someone finds a vulnerability in such a low-level data structure, almost all software is implicated.

This is a story of one of those core vulnerabilities, and how it took a decade to uncover and resolve. The story is pretty amazing. But for context, let’s review what hash tables are


SipRound, the building block of SipHash



From Dev to InfoSec Part 1 – The Journey Begins

Hacking is awesome! I can understand the appeal of those that are doing it for a living. The hunt for bugs and the fight to secure systems from bad guys sounds like an incredible challenge of both intellect and skill. It’s probably why I’ve been drawn into the world of cybersecurity. It’s an exciting field to be in for a professional or a hobbyist and one that I’m keen to explore more.

This is the first of many articles that will document my journey from my roots as a coder and a career as a developer advocate at Microsoft to the very personal exploration into the world of information security. The intention is to not only make sense of the overwhelming scope of the field and its varying disciplines but also offer brutally honest assessments of myself and the industry that I so much want to be a part of. Here goes everything!



Enabling reliable, secure collaboration on data science and machine learning projects

Machine learning researchers often prototype new ideas using Jupyter, Scala, or R Studio notebooks, which is a great way for individuals to experiment and share their results. But in an enterprise setting, individuals cannot work in isolation—many developers, perhaps from different departments, need to collaborate on projects simultaneously, and securely. I recently spoke with IBM’s Paul Taylor to find out how IBM Watson Studio is scaling machine learning to enterprise-level, collaborative projects

Link HERE Use of machine learning for cyber security HERE


How an uploaded image could take over your website, and how to stop it

Vulnerability hunter Tavis Ormandy just reported a series of security problems in an application called Ghostscript.

Ormandy works for Google’s Project Zero – he literally finds bugs for a living – and his work is both well-known and renowned…

…but who or what is Ghostscript, and why would someone as skilled as Ormandy feel the need to dig into it?

Well, for many people, Ghostscript is software they’ve never heard of, but probably use or rely upon regularly without even realising it.

Ghostscript is a free, open source implementation of Adobe PostScript, a programming language and ecosystem that powers many printers, and that is the technical underpinning to almost every PDF file out there



And finally, Make Truth Great Again




AppSec Ezine

Link HERE and credits to HERE

Leave a Reply

Your email address will not be published. Required fields are marked *