Security Stack Sheet #17

Word of the week “Paranoia Is Now a Best Practice”

Bust out the tinfoil—the data security crisis is worse than you ever imagined.

Online content manipulation contributed to a seventh consecutive year of overall decline in internet freedom, along with a rise in disruptions to mobile internet service and increases in physical and technical attacks on human rights defenders and independent media.

Nearly half of the 65 countries assessed in Freedom on the Net 2017 experienced declines during the coverage period, while just 13 made gains, most of them minor. Less than one-quarter of users reside in countries where the internet is designated Free, meaning there are no major obstacles to access, onerous restrictions on content, or serious violations of user rights in the form of unchecked surveillance or unjust repercussions for legitimate speech.

Links HERE and HERE and HERE


Word of the week special “QAppSec”

Why app sec and QA testing teams need to partner


“The Most Persuasive Word in the Dictionary is…BECAUSE”





“The Effectiveness of Publicly Shaming Bad Security”



Crypto challenge of the week

Perplexed by cryptic crosswords?




May 25th: GDPR Live! See incidents section below – 100 days of GDPR HERE

June 30th: TLS1.1 mandatory for PCI-DSS compliance  BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS Is Easy!

Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare

Link HERE What Cloudflare says HERE and HERE Reasons to switch? HERE

HTTPS everywhere HERE

August – Holidays over!!

September 21st: SEC Bitcoin ETF

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first 

-OWASP London meetup today (news next week) and next week again  

Watch this one!! “Bug Hunting Beyond” – Jack Whitton

Facebook’s Whitehat bug bounty program receives 1000’s of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook’s Whitehat program team handled over the past year, and some pro-tips when looking for bugs outside of “”

Event last week hosted video HERE

-Conferences to watch out for

AppSec Israel happened last week:

Security is everybody’s job… Literally!


-AppSec Podcast: A Slice of the Razor with ASP.Net Core


-GrrCON 2018 Videos




DevSecCon London HERE

44Con London HERE – happening this week! More details next week.

OWASP AppSec Bucharest HERE




Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

British Airways data breach

British Airways (BA) have reported that it suffered a data breach that compromised names, email addresses and credit card information. BA suspect the breach was a result of criminal activity, and have notified the police and relevant authorities.

The NCSC is working with partners to better understand this incident and how it has affected customers, and have published a statement. It has been reported that up to 380,000 customers could have been affected. The incident is thought to have affected some customers who made bookings on the BA website or app between August 21 and September 5, 2018. BA have reported that the compromised data includes names, email addresses and credit card information. You can read BA’s latest information here

Mobile spyware hacks and breaches 

Media sources have reported multiple hacks and a data breach affecting businesses that offer mobile spyware as a service. In the last week TheTruthSpy, Family Orbit and mSpy have all been compromised. The NCSC previously reported on a similar data breach of the TeenSafe app back in May

Domain abandonment and hijacking 

Gabor Szathmari, an independent Australian cyber security researcher has published a blog highlighting the dangers of allowing corporate domain names to expire. Known as domain name abandonment, companies that have merged, been acquired, changed name or gone out of business will often abandon their domain name which is then available for anyone to re-register from domain registrars. Domain name abandonment allows threat actors to gain access to, or reset passwords for online services and profession-specific portals

Printers need to be secured

A recent survey of 200 enterprises with over 1,000 employees in the UK, France, Germany and the US by business and IT analyst firm Quocirca revealed that 61% admitted suffering at least one data breach through insecure printers. Modern multi-function printers come with a host of features to print, copy, fax, scan and e-mail documents, making them, in effect, computers themselves and therefore potentially vulnerable to cyber attack


Troy Hunt weekly update



Incidents detail

Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims

Only 22 lines of script victimized 380,000 people

Links HERE and HERE and HERE  and HERE and GDPR/PCI impact? HERE

Several apps on the Mac store were recently discovered to be stealing users’ data

Some of which is being sent to Chinese servers


Two VPN clients re-patched a vulnerability that was still exploitable after an initial fix was rolled out earlier this year


Apple is working on a new portal designed to help law enforcement agencies file official requests for customers’ information during investigations


Microsoft intercepting Firefox and Chrome installation on Windows 10


Report on Equifax breach is out

They essentially had a lack of asset inventory, vulnerable infrastructure, and failures in SecOps (eg vuln mgmt didn’t identify Struts issue, 10 month expired certificate so no monitoring etc.)

Links HERE and HERE

Public IP Addresses of Tor Sites Exposed via SSL Certificates


Abandoning a domain name can come back to bite you, research shows


EICAR – The Most Common False Positive in the World


Open .git Directories Expose Site Source Code

Researcher Vladimir Smitka found nearly 400,000 web pages with open .git directories. The directories can expose database passwords, API keys, and other information that should not but which often is stored in the repository

This is a symptom of the larger problem of poorly audited permissions on directories accessible from the Internet. If you haven’t audited your website for forced browsing attacks, the time to do so is now. With the increased attention on .git directories, expect to see an increase in attackers scanning for forced browsing vulnerabilities of all types.
When deploying an application to your site, make sure that the .git directory is not available. Even without an index file and directory browsing disabled, well known files can still be retrieved, such as the list of commits in /.git/logs/HEAD. Verify the directory contents are not retrievable by attempting to access <web-site>/.git/HEAD

Links HERE and HERE

Small businesses targeted by highly localized Ursnif campaign

A new malware campaign puts that to the test by targeting home users and small businesses in specific US cities. This was a focused, highly localized attack that aimed to steal sensitive info from just under 200 targets


Developers are worth more to tech companies than cash


Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation


Tesla Will Reflash Car Firmware for Vulnerability Testers

Tesla has reiterated that researchers are permitted to hack its cars without voiding the vehicle’s warranty or facing legal liability. Tesla says it will restore firmware and operating systems on cars that have undergone and have become incapacitated by testing, with some conditions: the researcher and the vehicle must be registered and approved as part of Tesla’s vulnerability reporting program


Solid password practice on Capital One’s site? Don’t bank on it

What’s in your wallet? Definitely not a password manager


Windows Zero-Day: Advanced Local Procedure Call (ALPC)

An unpatched flaw in Windows Advanced Local Procedure Call (ALPC) is being actively exploited. The vulnerability was first disclosed on August 27, 2018. The issue is due to the ALPC function not properly checking user permissions when interacting with files in the Windows Task Scheduler folder in Windows OS versions later than Windows 7

Links HERE and HERE

How to nab a HTTPS cert for a stranger’s website: Step one, shatter those DNS queries…

Domain validation systems fooled by boffins


MEGA Chrome Extension Hacked – Detailed Timeline of Events



Research of the week

-DZone Research: The Future of Security

In this final installment of DZone security research, we dive into automation and its support by Artificial Intelligence (AI) and Machine Learning (ML)


-Fear the Reaper: Characterization and Fast Detection of Card Skimmers

Payment card fraud results in billions of dollars in losses annually. Adversaries increasingly acquire card data using skimmers, which are attached to legitimate payment devices including point of sale terminals, gas pumps, and ATMs. Detecting such devices can be difficult, and while many experts offer advice in doing so, there exists no large-scale characterization of skimmer technology to support such defences. In this paper, we perform the first such study based on skimmers recovered by the NYPD’s Financial Crimes Task Force over a 16 month period. After systematizing these devices, we develop the Skim Reaper, a detector which takes advantage of the physical properties and constraints necessary for many skimmers to steal card data. Our analysis shows the Skim Reaper effectively detects 100% of devices supplied by the NYPD. In so doing, we provide the first robust and portable mechanism for detecting card skimmers

Link HERE and HERE

-Integer Factorization — Defining The Limits of RSA Cracking



Tool of the week

– Retire.JS, but for .Net

It checks your apps for known vulnerable dependencies


-Safety checks your installed dependencies for known security vulnerabilities for Python – thanks to Neil


-Search for vulnerabilities associated exploits and Metasploit modules – thanks to Naz

Link HERE How to start with Metasploit HERE and hacking without Metasploit HERE

-Russian Security Researcher i_bo0om releases Sploitus 

A search engine for exploits and tools


-7 open source tools for rugged DevOps

  1. Gauntlt: The ruggedization framework for DevOps
  2. Vault: Secrets management
  3. OWASP Dependency Check: Software dependency security
  4. js: Insecure JavaScript libraries
  5. ChaoSlingr: Chaos engineering
  6. InSpec: Secure configuration & compliance validation
  7. OpenControl and Compliance Masonry: Compliance as code


-OpenSSL 1.1.1 release

Major new features: TLS 1.3, side-channel hardening, new RNG, SHA3, Ed25519 support



Other interesting articles

Netflix Cloud Security: Detecting Credential Compromise in AWS

Credential compromise is an important concern for anyone operating in the cloud. The problem becomes more obvious over time, as organizations continue to adopt cloud resources as part of their infrastructure without maintaining an accompanying capability to observe and react to these compromises. The associated impacts to these compromises vary widely as well. Attackers might use this for something as straightforward as stealing time and CPU on your instances to mine Bitcoin, but it could be a lot worse; credential compromise could lead to deletion of infrastructure and stolen data



Deploy only what you trust: introducing Binary Authorization for Google Kubernetes Engine

“How do I trust what is running on my production infrastructure?” is one of the top questions we hear from those working in enterprise security and DevOps. To help you answer that question, we’re excited to introduce Binary Authorization in beta so you can be more confident that only trusted workloads are deployed to Google Kubernetes Engine. Integrated into the Kubernetes Engine deployment API, Binary Authorization is a container security feature that provides a policy enforcement chokepoint to ensure only signed and authorized images are deployed in your environment



A Clean Start: Finding Vulnerabilities in your Docker Base Images



Cybersecurity is Rapidly Changing



Working in Cyber Security: “Have fun with the work and don’t try to learn everything all at once”

What is it like to work in cyber security?


Have fun with the work and don’t try to learn everything all at once. Cyber security is such a big field and there are a lot of specializations, you can get overwhelmed if you don’t take things one step at a time

Link HERE and the Rise of the Cyber-mercenaries HERE


And finally, Sim Ethics

Say you could make a thousand digital replicas of yourself — should you? What happens when you want to get rid of them?

What Are Our Ethical Obligations to Future AI Simulations?




AppSec Ezine

Must see

URL: (+)

Description: XSS using quirky implementations of ACME http-01.


Description: View Private Instagram Photos.


Description: Hacking The RPi Cam Web Interface.

Link HERE and credits to HERE

Leave a Reply

Your email address will not be published. Required fields are marked *