Security Stack Sheet #20

Word of the week “Cyber Security Month”

Week 1: Oct. 1–5: Make Your Home a Haven for Online Safety

Every day, parents and caregivers teach kids basic safety practices – like looking both ways before crossing the street and holding an adult’s hand in a crowded place. Easy-to-learn life lessons for online safety and privacy begin with parents leading the way. Learning good cybersecurity practices can also help set a strong foundation for a career in the industry. With family members using the internet to engage in social media, adjust the home thermostat or shop for the latest connected toy, it is vital to make certain that the entire household – including children – learns to use the internet safely and responsibly and that networks and mobile devices are secure. Week 1 will underscore basic cybersecurity essentials the entire family can deploy to protect their homes against cyber threats.

Links HERE and HERE and HERE and HERE

Hacker Halloween HERE


Word of the week special “Credential Stuffing”

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. It is a subset of the brute-force attack category: large numbers of spilled credentials are automatically entered into websites until they match an existing account, which the attacker can then hijack for their own purposes.

Link HERE Article HERE OWASP link HERE Incident HERE Another view HERE




Clone Phish



MS-DOS v1.25 and v2.0 Source Code



Crypto challenge of the week


5th October: the Reply CYBER SECURITY FLAG, CAPTURE THE FLAG edition (CTF), is a team-based online security competition. It is open both to students and professionals, and was created by the Keen Minds, a team of Replyers who are passionate cyber security specialists.

In the Jeopardy-style CTF edition, each team tries to solve 25 challenges, divided into 5 categories: Coding, Web, Trivia, Crypto, and Binary. Each category is made up of 5 levels.




May 25th: GDPR Live! See incidents section below – 100 days of GDPR HERE

June 30th: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS everywhere HERE

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first

-The OWASP Application Security Verification Standard 4.0 is coming out late this year


-OWASP Benchmark Project

The OWASP Benchmark for Security Automation (OWASP Benchmark) is a free and open test suite designed to evaluate the speed, coverage, and accuracy of automated software vulnerability detection tools and services (henceforth simply referred to as ‘tools’). Without the ability to measure these tools, it is difficult to understand their strengths and weaknesses, and compare them to each other. Each version of the OWASP Benchmark contains thousands of test cases that are fully runnable and exploitable, each of which maps to the appropriate CWE number for that vulnerability.

You can use the OWASP Benchmark with Static Application Security Testing (SAST) tools, Dynamic Application Security Testing (DAST) tools like OWASP ZAP, and Interactive Application Security Testing (IAST) tools. The current version of the Benchmark is implemented in Java. Future versions may expand to include other languages.


-OWASP Mobile Security Testing Guide


-OWASP Glue Tool Project

The OWASP Glue Tool Project is a tools-based project intended to make security automation easier. It is essentially a Ruby gem that co-ordinates the running of different analysis tools and the reporting from those tools.


-‘Lampião: 1’ is an intentionally vulnerable Ubuntu machine


-Awesome Malware Analysis Tools


-WIA: Women in #AppSec (S04E10)

On this episode, Chris is joined by Jessie and Vandana from Women in #AppSec to discuss the project! They dive into what the project is and how the numerous OWASP Chapters around the world can participate!


-DevSecCon Boston photos and slides

Link HERE and HERE



DevSecCon London HERE

OWASP AppSec Bucharest HERE





Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Cyber criminal behind ‘Scan4you’ website jailed

A Latvian resident was sentenced to 14 years in prison last week for his e-crime service, ‘Scan4you’.

Advertised as a legitimate ‘penetration testing’ service, Scan4you was in fact a counter-antivirus operation. The service enabled cyber criminals to test their malware against antivirus software, especially products used by the US retail sector, but also those of global government and financial institutions.

Credential stuffing botnets

According to a new report from technology company Akamai, there were over 30 billion malicious login attempts between November 2017 and the end of June 2018, with activity spiking towards the end of this period. The UK was found to be the sixth most targeted country for this type of attack.

Botnets will use breached credentials to attempt to log on to another website. Consequently, one of the most effective ways of running these credential stuffing botnets is the ‘low and slow’ method, in which attackers camouflage their attack among legitimate traffic while limiting the number of attempts made from each source. The more attempts made, the more valid login credentials will be identified. However, the botnets need to be carefully managed so that victims do not notice the activity, which they might otherwise mistake for a DDoS attack because of the high volumes of traffic the botnets generate.
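Detection logic for the two traffic shapes described in the credential stuffing definition above and in this Akamai item: one source cycling through many usernames, and the ‘low and slow’ variant where each source makes only a few attempts. This is an added example, not code from the newsletter or from Akamai; the log format, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2018-10-01T10:00:00 203.0.113.7 alice FAIL
2018-10-01T10:00:01 203.0.113.7 bob FAIL
2018-10-01T10:00:02 203.0.113.7 carol FAIL
2018-10-01T10:00:03 203.0.113.7 dave OK
2018-10-01T10:00:04 203.0.113.7 erin FAIL
2018-10-01T10:05:00 198.51.100.2 frank FAIL
2018-10-01T10:06:00 198.51.100.3 frank FAIL
2018-10-01T10:07:00 198.51.100.4 frank FAIL
2018-10-01T10:08:00 198.51.100.5 frank FAIL
2018-10-01T10:09:00 192.0.2.10 gina FAIL
2018-10-01T10:09:30 192.0.2.10 gina OK
"""

def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)

def noisy_sources(events, window=timedelta(minutes=10), min_users=5, max_success=0.3):
    """Classic stuffing: one IP tries many distinct usernames inside the window,
    and most attempts fail (the success-rate guard spares busy shared NAT gateways)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = set()
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):          # sliding window per IP
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success:
                flagged.add(ip)
    return flagged

def low_and_slow_targets(events, window=timedelta(minutes=10), min_ips=4):
    """Distributed stuffing: each IP makes one or two tries, so per-IP thresholds
    stay quiet; pivot on the account instead and count distinct failing sources."""
    by_user = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_user[user].append((ts, ip))
    flagged = set()
    for user, evs in by_user.items():
        for i, (start, _) in enumerate(evs):
            ips = {ip for ts, ip in evs[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged.add(user)
    return flagged
```

On the sample, the first check flags only 203.0.113.7, and the second flags only the account frank, which no per-IP rule would catch.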

Don’t yank my chain – the cyber threat to software supply chains

The continuing threat to the software supply chain is again in the spotlight following a new report by threat intelligence company Crowdstrike.

The NCSC defines the supply chain threat as “operations or activities that are designed to threaten the confidentiality, integrity or availability of communications, data or systems: and which use any part of the supply chain as an attack vector.”

Last one HERE

Troy Hunt weekly update



Incidents detail

Facebook HACK – 50 Million Users

Attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens, which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Facebook Forces Mass Logout After Breach

Facebook logged 90 million users out of their accounts after the company discovered that hackers had been exploiting a flaw in Facebook code that allowed them to steal Facebook access tokens and take over other people’s accounts. The stolen tokens could also be used to access apps and websites linked to the Facebook accounts. The hackers exploited a trio of flaws that affected the “View As” feature, which lets users see how their profiles appear to other people. Facebook has fixed the security issue; it has also reset the access tokens for 90 million accounts. Facebook became aware of the issue on September 16, when it noticed an unusual spike in people accessing Facebook.
The forced logout invalidated the existing authentication session tokens, meaning they could not be used to login to Facebook or any other sites enabled to allow access via your Facebook credentials. While Facebook has worked to identify all impacted users, consider logging out all of your Facebook sessions to be sure your authentication tokens are not at risk. This is done from the security settings where you can see and logout all your active sessions.
Since it is National Computer Security Awareness Month and a lot of awareness presentations are being given, it is good advice to tell employees never to use those “Login with Facebook” buttons on websites in their personal online activities.

Links HERE and HERE and HERE and HERE Facebook is like the NSA HERE

Magecart’s malware continues to target online consumers’ credit cards
The Magecart group continues to attack different public-facing websites in an attempt to steal credit card information. The group’s malware recently hit British Airways, Ticketmaster U.K., and online retailer Newegg. Magecart sets up its malware on HTTPS servers and scans online retailers’ sites for financial information as transactions are completed.


Chrome 70 Lets you Control Automatic Login and Deletes Google Cookies

It has been a really bad week for Google and Chrome 69. First there was a large outcry about being forced to log in to Chrome when you log in to one of their services. Then news came out that when you deleted all of the cookies in Chrome, the browser did not properly remove Google’s own authentication cookies.

Let’s just say Chrome users are not happy. Google, though, appears to be listening and has decided to backtrack on some of these changes in the upcoming Chrome 70, which is slated to be released in the middle of October.

Link HERE Product updates HERE How Browsers work HERE Another source HERE

Mega-bites of code: Python snakes into 1st place for cyber-attacks

Hackers share general public’s love of popular programming language


Telegram anonymity fails in desktop – CVE-2018-17780


Tesco Bank faces huge fine as FCA gets tough over cyberattacks

The banking arm of Britain’s biggest retailer is contesting a proposed £30m-plus fine from the City watchdog, Sky News can reveal.


Facial recognition technology that the U.S. hopes to install in all airports by 2021 is plagued with technical and operational challenges, according to a new report


Oracle’s Java 11 trap – Use OpenJDK instead!


S3 Antivirus Scanning with Lambda and ClamAV by Dennis Webb — AWS Cloud Expert and Slack Comedian – thanks to Estevan

There have been many stories over the past months about S3 buckets being left unsecured. Terabytes of sensitive data available for the whole world to download. CyberSecurity 101 teaches, “Don’t leave private data open to the public.”, but somehow many major companies have let this one slip through the cracks.

Another lesson that everybody knows is, “Never open a file that has not been scanned for viruses.” So how do you protect yourself and scan the files stored on S3? Amazon doesn’t have a built-in antivirus tool for the task. At Upside, we’ve created our own solution with Lambda and S3 events.


Cloudflare was so shocked to see their famous lava-lamp random number generator tampered with in NCIS Season 16 episode 1, causing a nuclear reactor hack, that they issued this statement.


LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

ESET researchers have shown that the Sednit operators used different components of the LoJax malware to target a few government organizations in the Balkans as well as in Central and Eastern Europe.


Microsoft fortifies security and brings AI to the masses at Ignite 2018

The company also demonstrated how AI, IoT and edge computing have become the foundation of the enterprise for a more secure, productive and intelligent workplace.


FBI’s IC3 Warns of Increased RDP Exploits

The FBI’s Internet Crime Complaint Center (IC3) and the Department of Homeland Security (DHS) have issued a joint warning that Windows Remote Desktop Protocol (RDP) is increasingly being used as an attack vector. RDP has been used to spread ransomware and other types of malware. The FBI and DHS recommend that organizations use strong passwords, employ two-factor authentication, ensure that the versions of RDP they use are up to date, restrict access to the default RDP port, and disable the service if it is not needed. Organizations are also advised to enable logs and make sure the logs include RDP logins.
“Strong passwords” address brute-force attacks; this is not what we are seeing. What is indicated is “strong authentication (at least two kinds of evidence, at least one of which is resistant to replay)”.


Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish

Threat groups such as GOLD KINGSWOOD are using their extensive resources and network insights to target high-value financial organizations around the world.


Ransomware: Employing Object Storage to Defeat a Growing Threat

If ransomware attacks cannot be stopped completely, a utilitarian approach is required to prevent harm in the event of a successful breach. Once you’ve been breached, your last line of defense is in the storage layer. Some storage vendors have started to market product features that they say will allow customers to recover from attacks. Four options here are data encryption, continuous data protection, WORM and data versioning.


DOJ Cyberattack Response Best Practices

The US Department of Justice’s (DOJ’s) Cybersecurity Unit has released updated Best Practices for Victim Response and Reporting of Cyber Incidents. The document comprises four sections: Steps to Take Before a Cyber Intrusion or Attack Occurs; Responding to a Cyber Incident: Executing Your Incident Response Plan; What Not to Do Following a Cyber Incident; and What to Do After a Cyber Incident Appears to Be Resolved.



Research of the week

-Writing a Basic Keylogger for macOS in Python

A brief look at how to covertly log user activity on macOS


-Dangerous Contents – Securing .Net Deserialization



A HYPR published study on the difference between passwordless user experiences and true passwordless security

Link HERE and check this tool HERE – The Secretless Broker lets your applications connect securely to services – without ever having to fetch or manage passwords or keys.

-MDM Me Maybe: Device Enrollment Program Security

Duo Labs has discovered an authentication weakness in Apple’s Device Enrollment Program with serious real-world implications for organisations.

The Device Enrollment Program (DEP) is a service provided by Apple for bootstrapping Mobile Device Management (MDM) enrollment of iOS, macOS, and tvOS devices. DEP hosts an internet-facing API at, which – among other things – is used by the cloudconfigurationd daemon on macOS systems to request DEP Activation Records and query whether a given device is registered in DEP.

In our research, we found that in order to retrieve the DEP profile for an Apple device, the DEP service only requires the device serial number to be supplied to an undocumented DEP API. Additionally, we developed a method to instrument the cloudconfigurationd daemon to inject Apple device serial numbers of our choosing into the request sent to the DEP API. This allowed us to retrieve data specific to the device associated with the supplied serial number.

Link HERE Article HERE

-SMTP MTA Strict Transport Security (MTA-STS)

SMTP MTA Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers (SPs) to declare their ability to receive Transport Layer Security (TLS) secured SMTP connections and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.



Tool of the week

-Introducing Project Atlas

Project Atlas will connect the BitTorrent peer-to-peer network and the TRON blockchain network via a set of BitTorrent protocol extensions, a custom token, and an in-client token economy to address existing limitations and open a new borderless economy for exchanging value for computer resources on a global scale.


-UDP2Raw Tunnel – A Tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP


-Announcing [email protected]

Every user of the npm Registry will begin receiving automatic warnings if you try to use code with a known security issue. npm will automatically review install requests against the NSP database and return a warning if the code contains a vulnerability.

In addition, a new command in [email protected], `npm audit`, will soon allow you to recursively analyze your dependency trees to identify specifically what’s insecure — so you can swap in a new version or find a safer alternate dependency.


-Introducing Firefox Monitor, Helping People Take Control After a Data Breach


-Best Automation Testing Tools for 2018 (Top 10 reviews)


-How Cloud Foundry will save the world from Yak Shaving

Link HERE Main site HERE

-Javascript security analysis tools

Link HERE Scrambler for Javascript HERE


Other interesting articles

What to Do and What to Avoid When Implementing Security in the DevOps Lifecycle

DevOps is redefining the way organizations handle software development. But it’s also challenging security professionals in their efforts to manage digital risk. With that said, security teams need to be strategic about how they approach DevOps security.



Web Security: an introduction to HTTP

This is part 2 of a series on web security: part 1 was “Understanding The Browser”.

HTTP is a thing of beauty: a protocol that has survived longer than 20 years without changing much.

As we’ve seen in the previous article, browsers interact with web applications through the HTTP protocol, and this is the main reason we’re drilling down on the subject. If users entered their credit card details on a website and an attacker were able to intercept the data before it reached the server, we would definitely be in trouble.



Working in Cyber Security: “The problems we have to solve … are some of the toughest in any industry”

What is it like to work in cyber security? We ask some of the members of the team at Symantec. Today, we hear from Robert Newton, Infrastructure and Automation Engineer.



The Reddit Router Scam

A couple of days ago one Reddit user had the misfortune to return home and discover something rather interesting hooked up to their router, placed there by their roommate. A cross between a multi-level marketing scam and hardware malware, the malicious board had been put into a position that allowed it to harvest every bit of available data from their local network.



Inside the Lawless New World of Electric-Scooter Hacking

It’s surprisingly easy to hijack the brains of your Bird and create your own robot ride-slave



And finally, RSA ANIMATE: The Secret Powers of Time

Link HERE Re-examine your unconscious biases HERE



AppSec Ezine

Must see

Description: Subdomain Takeover via Unsecured S3 Bucket Connected to the Website.


Description: Reflected XSS at

Link HERE and credits to HERE
