Security Stack Sheet #21

Word of the week “Cyber Security Month”

Week 2: Oct. 8–12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity


A key risk to our economy and security continues to be the shortage of cybersecurity professionals to safeguard our ever-expanding cyber ecosystem. Raising the next generation of interested and capable cybersecurity professionals is a starting point to building stronger defenses. There are limitless opportunities to educate students of all ages – from high school into higher education and beyond – on the field of cybersecurity as they consider their options. In addition, veterans and individuals who are looking for a new career or re-entering the workforce should explore the multitude of well-paying and rewarding jobs available. Week 2 will address ways to motivate parents, teachers and counselors to learn more about the field and how best to inspire students and others to seek highly fulfilling cybersecurity careers.

Links HERE and HERE and HERE and HERE


Word of the week special

“The Lucifer effect” in Cyber Security

Links HERE and HERE and HERE

“Agent fatigue”

Links HERE and HERE and HERE and older article HERE and paper on agents HERE and Indestructible Agents paper HERE









Crypto challenge of the week

Embedded Security CTF Challenge

You’ll want to know a bit about memory corruption vulnerabilities. Feeling lost? Let’s see if we can’t clear that up in just a few sentences:

  • Trick a device into consuming more input than it allocated memory for and you’ve caused a buffer overflow.
  • Overflow a buffer that lives on the program stack and you’ve “smashed the stack”; look that up on Google if you like, but the exploit is simple: overwrite another stack variable, often the return address of the function you’re in, and use that to take control of the device, often by aiming the CPU at memory you control.
  • Overflow a buffer that was created by an allocator and you’ve “corrupted the heap”: allocators keep metadata to track the memory they’re managing, and they trust that only the program can manipulate that metadata; corrupt it and you can trick the allocator, and through it the program, into writing to arbitrary places in memory.
  • Zero bottles of beer on the wall, zero bottles of beer; take one down, pass it around, 65535 bottles of beer on the wall.
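
A worked illustration of all three bullets (added example code, not part of the challenge or of the original page): a modelled stack frame whose saved return address sits right after a 16-byte buffer, a 16-bit length field that wraps the way the beer-bottle line hints, and a toy free-list allocator whose trusted header is overwritten to turn an overflow into a write wherever the attacker chooses. The frame layout, the record format, the allocator and the privileged flag at offset 200 are all constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ---- 1. Smashing the stack: constructed frame layout, a 16-byte local
 * buffer with the saved return address right behind it, as on a 16-bit
 * MSP430. Real compilers may reorder locals or insert a canary. ---- */
struct frame { uint8_t buf[16]; uint16_t saved_ret; };
static uint8_t evil[18];
const uint8_t *evil_input(void) { memset(evil, 0x41, sizeof evil); return evil; } /* constructed input */

/* Vulnerable: no bound check, so input bytes 16..17 land on saved_ret. The
 * clamp to sizeof f only keeps this demo inside defined behaviour; the real
 * bug has none. Returns the (maybe overwritten) return address instead of
 * returning through it. */
uint16_t stack_vulnerable(const uint8_t *input, size_t len) {
    struct frame f;
    f.saved_ret = 0x4400;                         /* legitimate return address (constructed) */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);                       /* overflow: f.buf is only 16 bytes */
    return f.saved_ret;
}

/* Hardened: refuse what does not fit before touching memory. */
int stack_bounded(const uint8_t *input, size_t len, uint16_t *ret_after) {
    struct frame f;
    f.saved_ret = 0x4400;
    if (len > sizeof f.buf) return -1;
    memcpy(f.buf, input, len);
    if (ret_after) *ret_after = f.saved_ret;
    return 0;
}

/* ---- 2. Integer wrap: take one down, 65535 bottles of beer ---- */
uint16_t take_one_down(uint16_t bottles) { return (uint16_t)(bottles - 1); }

#define HEADER_LEN  4                             /* constructed record: 4-byte header, then payload */
#define PAYLOAD_MAX 16
/* Vulnerable: only the upper bound is checked. declared_len = 2 passes, and
 * 2 - 4 wraps to 65534 in 16-bit arithmetic, so the copy that follows runs far
 * past the buffer. Returns the byte count that would be copied, or -1 if rejected. */
int32_t payload_len_vulnerable(uint16_t declared_len) {
    if (declared_len > HEADER_LEN + PAYLOAD_MAX) return -1;
    return (uint16_t)(declared_len - HEADER_LEN);
}
/* Hardened: rule out the wrap before subtracting. */
int32_t payload_len_checked(uint16_t declared_len) {
    if (declared_len < HEADER_LEN || declared_len - HEADER_LEN > PAYLOAD_MAX) return -1;
    return declared_len - HEADER_LEN;
}

/* ---- 3. Corrupting the heap: constructed allocator over a static memory
 * image, 16-byte chunks each with a 2-byte header holding the offset of the
 * next free chunk. The allocator trusts that header, as the bullet says. ---- */
#define CHUNK_DATA 16
#define CHUNK_SIZE (2 + CHUNK_DATA)
#define NCHUNKS    4
#define NONE       0xFFFF
#define PRIV_FLAG  200                            /* an "is_admin" byte living beyond the heap */
static uint8_t  mem[256];
static uint16_t free_head;
static uint16_t get16(uint16_t off) { return (uint16_t)(mem[off] | (mem[off + 1] << 8)); }
static void put16(uint16_t off, uint16_t v) { mem[off] = (uint8_t)v; mem[off + 1] = (uint8_t)(v >> 8); }
static void toy_init(void) {
    memset(mem, 0, sizeof mem);
    for (int i = 0; i < NCHUNKS; i++)             /* link chunk i -> chunk i+1 */
        put16((uint16_t)(i * CHUNK_SIZE), (uint16_t)(i + 1 < NCHUNKS ? (i + 1) * CHUNK_SIZE : NONE));
    free_head = 0;
}
static uint16_t toy_alloc(void) {                 /* returns a data offset, or NONE */
    uint16_t hdr = free_head;
    if (hdr == NONE) return NONE;
    free_head = get16(hdr);                       /* trusts metadata the program may have clobbered */
    return (uint16_t)(hdr + 2);
}
static void toy_free(uint16_t data) { put16((uint16_t)(data - 2), free_head); free_head = (uint16_t)(data - 2); }

/* Overflow chunk A by two bytes into freed chunk B's header, forging its next
 * link. The allocation after B's hands out the forged offset, and the
 * program's own write lands on the privileged flag. Returns that offset. */
uint16_t heap_corruption_demo(uint16_t forged_next) {
    toy_init();
    uint16_t a = toy_alloc();                     /* data at offset 2 */
    uint16_t b = toy_alloc();                     /* data at offset 20, header at 18 */
    toy_free(b);
    uint8_t payload[CHUNK_DATA + 2];
    memset(payload, 'A', CHUNK_DATA);
    payload[CHUNK_DATA]     = (uint8_t)forged_next;
    payload[CHUNK_DATA + 1] = (uint8_t)(forged_next >> 8);
    memcpy(&mem[a], payload, sizeof payload);     /* 18 bytes into a 16-byte chunk */
    (void)toy_alloc();                            /* returns B, loads forged_next into free_head */
    uint16_t target = toy_alloc();                /* forged_next + 2: attacker-chosen */
    mem[target] = 1;                              /* the program stores "user data" onto PRIV_FLAG */
    return target;
}
uint8_t priv_flag(void) { return mem[PRIV_FLAG]; }
```

The vulnerable copies are clamped only so the demo stays inside defined behaviour; on the real target nothing stops the write. The heap half is the classic pattern: overflow into a neighbouring free chunk's link, let the allocator hand the forged link out, and the program performs the arbitrary write for you. Production allocators validate links (alignment, range, safe-unlinking checks) before trusting them; the length check in payload_len_checked and the bound in stack_bounded are the equally cheap fixes for the other two.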

Good luck!




May 25th: GDPR Live! See incidents section below

June 30th: PCI DSS deadline to stop using SSL and early TLS; TLS 1.1 is the minimum accepted, TLS 1.2 is recommended  BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS everywhere HERE

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week

Some OWASP stuff first 

-Remember: The OWASP Code Pulse Project – version 2.5.0 has been out since August!

A tool that provides insight into the real-time code coverage of black box testing activities. It is a cross-platform desktop application that runs on most major platforms.


-Red Team Telemetry

Link HERE and video HERE

-OWASP Cloud-Native Application Security Top 10


-Docker Security Threat Modelling

Link HERE Article HERE and Container Security Verification Standard HERE

-Application Security Podcast

Chaos Engineering and #AppSec (S04E11)

On this episode, Chris and Robert talk to Aaron Rinehart about how the security community can embrace chaos engineering.




DevSecCon London HERE NEXT WEEK Thursday!

Use code for 20% reduction – devseccon20

OWASP AppSec Bucharest HERE





Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.


Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Microsoft Warns Fileless Malware on the Rise

Media reporting has highlighted a recent warning from Microsoft that so-called ‘fileless’ malware attacks are on the rise.

According to the report, the trend towards fileless malware is being driven by the increasing effectiveness of antivirus solutions, which can detect the installation of malicious files on a hard-drive.

Attribution of Russian close access and remote cyber operations

Dutch and UK authorities attributed a range of malicious cyber activity to Russian military intelligence (GRU) on Thursday 4 October.

LoJax – A new type of rootkit

Security researchers at anti-virus software company ESET have revealed a new type of malware that is capable of surviving reinstallation of the Windows operating system or even hard drive replacement, because it lives in the machine’s UEFI firmware rather than on disk.

This type of clandestine rootkit is designed to provide continued privileged access to a computer while actively hiding its presence. This is the first time a UEFI rootkit has been seen ‘in the wild’.

Last one HERE

Troy Hunt weekly update



Incidents detail

GDPR vs Facebook Hack

That same Facebook hack could lead to the social media giant facing up to a $1.63 billion fine in the European Union under GDPR regulations

Chinese hackers may have installed tiny chips onto devices used in the U.S.

…that could be used to carry out cyber espionage. The companies named in the report, including Amazon and Apple, have so far denied that this happened


Google plans to shut down its Google+ social media platform after it tried to cover up a data breach

The company chose not to disclose that thousands of users could have had their information stolen over the past three years, according to a report in the Wall Street Journal; the report led it to shut down the site.

Bypassing Web Cache Poisoning Countermeasures


Many online services, such as Tinder and Pinterest, are still unsure how a recent data breach at Facebook may impact them

Intel Adds Spectre/Meltdown Mitigation to 9th Generation CPUs


Google released new regulations for extension developers, hoping to curtail the number of malicious apps that appear in the store for the Google Chrome web browser

Google PDFium information disclosure vulnerability
Google PDFium’s JBIG2 library contains a bug that could lead to an information leak, which could be used as part of a larger exploit. PDFium is the PDF reader used in Google’s Chrome and Chromium web browsers. An attacker can exploit this flaw by convincing the user to open a malicious PDF.


Trusting the delivery of Firefox Updates


Disclosure of Servers With Hardware Back-Doors

Brian Krebs places the Chinese technology manufacturing threat to the US supply chain in context. For example, it isn’t new: “More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.” And it will be extremely hard to counter: “ … it is often tough to tell from the brand name of a given gizmo who actually makes all the multifarious components that go into any one electronic device sold today,” and “it’s quite time consuming and expensive to detect when products may have been intentionally compromised during some part of the manufacturing process. Your typical motherboard of the kind produced by a company like Supermicro can include hundreds of chips, but it only takes one hinky chip to subvert the security of the entire product.” He closes by offering five steps we need to take now to help mitigate the problem – from Bill Murray’s list


Credit reporting agency Experian’s website contained a flaw

…that exposed the credit freeze PINs of its users, which was patched in a matter of hours

Popping shells on Splunk


Auditing KRACKs in Wi-Fi

Preventing all attacks is hard in practice


Github Token Leaked publicly for


California’s IoT Security Bill Will Require Devices to Ship With Unique Passwords

On September 28, 2018, the Information Privacy: Connected Devices bill was signed into law. Effective January 1, 2020, the law requires that Internet of Things (IoT) devices ship with unique passwords instead of a common default password.


Having users set up a strong password upon first use is a step in the right direction. Devices will also have to include password recovery mechanisms, which must have appropriate validation checks.


This is a step in the right direction for security, but will likely lead to greater implementation and troubleshooting issues. I’m betting that manufacturers will implement a factory reset password scheme that is algorithmically generated based on some data available without authentication (e.g. some unauthenticated endpoint that returns a device ID, which can be used to derive the password).
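
As an added illustration of the weak-derivation scheme the comment above predicts (example code written for this newsletter, not from the article or any vendor): the vulnerable design derives the factory password from a device ID with a non-secret function, so anyone who can read the ID can recompute it, while the alternative provisions a per-device random secret. FNV-1a stands in for whatever hash a real firmware might use, the device ID format is made up, and /dev/urandom is assumed as the entropy source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak scheme: the "factory" password is a pure function of the device ID.
 * This mimics firmware that derives defaults from a serial or MAC with a
 * non-secret hash (FNV-1a here, chosen only for brevity). */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 0x811c9dc5u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 0x01000193u; }
    return h;
}
void weak_factory_password(const char *device_id, char out[9]) {
    snprintf(out, 9, "%08x", fnv1a(device_id));
}

/* An attacker who reads the device ID from an unauthenticated endpoint runs
 * the same function (lifted from one firmware image) and gets the password. */
void attacker_recover(const char *leaked_device_id, char out[9]) {
    weak_factory_password(leaked_device_id, out);
}

/* Stronger scheme: a per-device random secret generated once at manufacture
 * (or on first boot), printed on the label or kept in protected storage.
 * Nothing reachable over the network lets another party recompute it.
 * Returns 0 on success, -1 if the OS randomness source is unavailable. */
int random_factory_password(char out[17]) {
    uint8_t raw[8];
    FILE *f = fopen("/dev/urandom", "rb");   /* assumed entropy source */
    if (!f) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++) snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Demo: returns 1 if the attacker's recomputation matches the weak default. */
int weak_scheme_is_recoverable(const char *device_id) {
    char pw[9], guess[9];
    weak_factory_password(device_id, pw);
    attacker_recover(device_id, guess);
    return strcmp(pw, guess) == 0;
}
/* Demo: returns 1 if two freshly provisioned devices get different passwords,
 * -1 if the randomness source could not be read. */
int random_scheme_differs(void) {
    char a[17], b[17];
    if (random_factory_password(a) || random_factory_password(b)) return -1;
    return strcmp(a, b) != 0;
}
```

A common middle ground is HMAC(master_key, device_id) with the manufacturer key kept off the device; that blocks the recompute attack, but every unit then depends on one secret, so a single leaked key (or a firmware image with it embedded) unlocks the whole fleet. Truly random per-device secrets recorded at manufacture avoid that single point of failure.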



Research of the week

Interactive Application Security Testing 101: How to Evaluate and Implement an IAST Solution

How can I benefit from IAST?

  1. Actionable findings for development teams
  2. Comprehensive vulnerability and security risk reporting earlier in the SDLC
  3. Low false-positive rates
  4. Seamless integration into automated development and testing environments


-7 Common Security Pitfalls to Avoid When Migrating to The Cloud


-The Hacker Powered Security Report 2018


-How Does an Intel Processor Boot?

When we switch on a computer, it goes through a series of steps before it is able to load the operating system. In this post we will see how a typical x86 processor boots. This is a very complex and involved process, so we will only present the basic overall structure. Which path the processor actually takes to reach a state where it can load an OS depends on the boot firmware; we will follow the example of coreboot, an open source boot firmware.



Tool of the week

-Remember: Leave your VPN and cURL secure APIs with Cloudflare Access


-Bellingcat’s Online Investigation Toolkit – thanks to Naz


-Security and convenience with biometrics and Windows Hello


-Astam Correlator

A vulnerability consolidation and management tool that enhances scan results by merging different findings of the same weakness across multiple static/dynamic scans.


-Bypassing WAFs and cracking XOR with Hackvertor


-Token Binding specs are RFC: deploy NOW with mod_token_binding

Today the so-called Token Binding specifications have formally been promoted to Proposed Standard RFCs by the IETF. Essentially those specs define how to securely bind tokens to the communication channel running between a client and a server, so that a stolen token cannot be replayed over a different connection. As simple as that sounds, it is an extremely important step forward in web security: tokens are used everywhere across the Internet today (e.g. for SSO, APIs, mobile apps), and the ubiquitous HTTP cookie also falls into the security-token category.


-Simple HS256 JWT token brute force cracker 



Other interesting articles

How to Enable Developers to Build Secure Software

“Having security professionals work with developers is a good process, but what is equally important is to provide security training to developers, so they can help themselves.”

Link HERE and What truly makes a senior developer HERE


Why You Shouldn’t Use Facebook to Log In to Other Sites

Facebook offered a convenient and secure way to sign up for online services. A major hack shows it failed at its one job.

I’m going to quit using Facebook to log in to apps and sites online. You should, too

Link HERE and OAuth is not authentication HERE


Remember: The 2018 DevOps RoadMap

An illustrated guide to becoming a DevOps Engineer with links to relevant courses

Link HERE and The DevOps Roadmap for Security HERE and Defending DevOps course HERE


And finally, Say It to My Face

Discussing the implications of face recognition technology with artist and researcher Adam Harvey.

Faces have evolved to convey information. Facial recognition was developed to replicate that human perceptual task. Then, in the last two years, researchers figured out a new way of seeing that isn’t human anymore. For example, by amplifying the green color channel in your forehead, I can extract your heart rate. The capabilities of computer vision broke away from the bottlenecks of our own built-in multimodal perceptual systems.

Link HERE and Why Academics are creating deep fakes HERE



AppSec Ezine

Must see


Description: Google Stored XSS in Payments.


Description: Applying a small bypass to steal Facebook Session tokens in Uber.

Link HERE and credits to HERE
