Security Stack Sheet #22

Word of the week “Cyber Security Month”

Week 3: Oct. 15–19: It’s Everyone’s Job to Ensure Online Safety at Work

When you are on the job – whether it’s at a corporate office, local restaurant, healthcare provider, academic institution or government agency – your organization’s online safety and security are a responsibility we all share. And, as the lines between our work and daily lives become increasingly blurred, it is more important than ever to be certain that smart cybersecurity carries over between the two. Week 3 will focus on cybersecurity workforce education, training and awareness while emphasizing risk management, resistance and resilience. NCSA’s CyberSecure My Business™ will shed light on how small and medium-sized businesses can protect themselves, their employees and their customers against the most prevalent threats.

Links HERE and HERE and HERE and HERE

NIST publication – Cybersecurity is Everyone’s Job – HERE – thanks to Naz


Word of the week special


The Art Of Making Difficult Things Look Simple


“Treat auditors like mushrooms – keep them in the dark and feed them *hit”

Javvad Malik (@j4vv4d) – Security Advocate at AlienVault

“GDPR Bot” – thanks to Naz


“Security at the expense of usability comes at the expense of security”




They know this already!






Links HERE and HERE

Mactop Astronaut!




Crypto challenge of the week


The Wargame

Welcome to Krypton! The first level is easy. The following string encodes the password using Base64:


Use this password to log in to with username krypton1 using SSH on port 2222. You can find the files for other levels in /krypton/




May 25th: GDPR Live! See incidents section below

June 30th: PCI DSS deadline to stop using SSL and early TLS (TLS 1.0); TLS 1.1 or higher is required, TLS 1.2 strongly recommended  BEWARE!


Now: TLS1.2 mandatory for proper security

TLS 1.0 and TLS 1.1 ARE GOING!!

Google HERE Firefox HERE Microsoft HERE

Now: HTTPS mandatory

HTTPS everywhere HERE

The Illustrated TLS Connection

Every byte of a TLS connection explained and reproduced.

In this demonstration a client has connected to a server, negotiated a TLS 1.2 session, sent “ping”, received “pong”, and then terminated the session. Click below to begin exploring


March 29th 2019: Brexit

September 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first

-OWASP London event next week

  • “If You Liked It, You Should Have Put Security On It” – Zoë Rose

We no longer live in a world where ignorance on security is even remotely okay; you can’t breach a data protection act with the defence that ‘oops, we didn’t realise’. Not only will you owe major fines, but your reputational damage will be extravagant. Why is it then, in the media seemingly every day, an insane breach is reported? The reality is, we live in a world of fail by design more than security or privacy by design. The challenge is:

  • Security is confusing; it is this confusion that leads to negativity and enables a shift to being a taboo topic.
  • We need things to ‘just work’ across all situations and environments, and work consistently with a quick time to market and a competitive price.

How did we get here? Well, let’s face it, we created a no-win market that organisations can’t possibly compete with. There is hope: as the world changes its approach, which we are doing slowly, we can become a safer and more secure world. In this talk, we will be looking at how to make that first step in our personal and professional lives, including the steps we can take to change the market to value us and our personal data.

  • “Lessons From The Legion (The OWASP London Remix)” – Nick Drage

Look at your job, your colleagues, your industry. Smart people, working hard… and yet it feels like we’re losing. Why? Cyber security has always been a technology-driven, engineer-led industry – vague default strategies have emerged from the tactics and point solutions chosen by self-taught practitioners based on what fits in with their preferred ways of working and studying. We need better strategies; we can learn them from other contexts and conflicts to improve our own methods and practices. Would you like to start winning?

  • “A Holistic View On Cyber Security In Evolutionary Terms (food-for-thought)” – Dr. Grigorios Fragkos

The Red Queen hypothesis, also referred to as the Red Queen effect, is an evolutionary hypothesis which proposes that organisms must constantly adapt, evolve, and proliferate not merely to gain a reproductive advantage, but also simply to survive while pitted against ever-evolving rival organisms in a continuously changing environment. Let’s explore under a Cyber lens this evolutionary hypothesis in contrast to the evolving (cyber)threats and our adaptation (as professionals) to equally evolve our Cyber Resiliency capabilities (as an industry). This presentation is an opportunity to explore as professionals our security mindset and draw some personal conclusions on our Cyber Security culture in order to better ourselves. From user awareness all the way to Cyber Resilience, from developing by writing secure code to the effort it takes in breaking it, from gaps in hiring talents to hiring for the right reasons, this brief session is intended to spark a personal “eureka” moment in the mindmap of each security professional inside and outside the room


-OWASP AppSec EU talk – WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behavior – Soroush Dalili

Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism. Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the project
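The class of problem the talk describes is a WAF that pattern-matches the bytes on the wire while the origin server decodes them differently. The following is an added illustration written for this newsletter, not code from the talk or from its Burp extension: a deliberately simple blacklist rule, a naive WAF that applies it to raw request bytes, and a corrected WAF that first reassembles a chunked body and percent-decodes it the way the application will see it. The `/search` endpoint, the `example.test` host and all requests are constructed here; the two evasions shown (splitting a keyword across chunk boundaries, and percent-encoding the separator) are generic examples of the technique, not specific cases from the talk.

```python
import re
import urllib.parse

# Deliberately simple blacklist rule standing in for a real WAF signature.
BLACKLIST = re.compile(rb"union\s+select", re.IGNORECASE)


def naive_waf_blocks(raw_request):
    """Blacklist WAF that pattern-matches the bytes on the wire as they arrive."""
    return BLACKLIST.search(raw_request) is not None


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body the way the origin server will."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return out                                   # last-chunk; trailers ignored here
        out += body[pos:pos + size]
        pos += size + 2                                  # chunk data plus its CRLF


def decode_like_the_server(raw_request):
    """Return the body as the application framework will see it: dechunked and
    percent-decoded. A WAF has to match on this view, not on the raw bytes."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:                # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    return urllib.parse.unquote_to_bytes(body)


def normalising_waf_blocks(raw_request):
    """Same rule, applied after normalising the request like the server does."""
    return BLACKLIST.search(decode_like_the_server(raw_request)) is not None


def post(body, extra_headers=b""):
    """Constructed POST to a hypothetical /search endpoint (not a capture)."""
    return (b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            + extra_headers + b"\r\n" + body)


def chunked(*parts):
    """Encode the given parts as one chunked body, one chunk per part."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"


PAYLOAD = b"q=1 UNION SELECT password FROM users"
REQ_PLAIN = post(PAYLOAD, b"Content-Length: %d\r\n" % len(PAYLOAD))

# Same payload with the keyword split across chunk boundaries: the wire never
# carries "UNION SELECT" contiguously, but the server reassembles exactly that.
REQ_CHUNKED = post(chunked(b"q=1 UNI", b"ON SEL", b"ECT password FROM users"),
                   b"Transfer-Encoding: chunked\r\n")

# Same payload with the separator percent-encoded as %0a (a newline): "\s" in the
# rule does not match the literal "%0a" until the body is decoded.
ENCODED = b"q=1%20UNION%0aSELECT%20password%20FROM%20users"
REQ_ENCODED = post(ENCODED, b"Content-Length: %d\r\n" % len(ENCODED))

# A harmless query that must pass both WAFs.
BENIGN = b"q=union+of+states"
REQ_BENIGN = post(BENIGN, b"Content-Length: %d\r\n" % len(BENIGN))

if __name__ == "__main__":
    for name, req in [("plain", REQ_PLAIN), ("chunked", REQ_CHUNKED),
                      ("encoded", REQ_ENCODED), ("benign", REQ_BENIGN)]:
        print(f"{name:8} naive={naive_waf_blocks(req)!s:5} "
              f"normalising={normalising_waf_blocks(req)}")
```

The point is not the specific rule but the decoding step: whatever the WAF matches on must be the same representation the server hands to the application, otherwise every encoding the server accepts that the WAF does not is a bypass. That is also why the talk's advice to developers stands: parameterised queries stop the payload regardless of how it was transported.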


-AppSec USA videos

(in)Security is eating the world – Michael Coates – Link HERE


-Threat Libraries in the Cloud (S04E12)

Tony UV joins Robert on this week’s episode to discuss all things threat libraries in the cloud


-The Threat Playbook

A (relatively) unopinionated framework that facilitates Threat Modeling as Code married with Application Security Automation on a single Fabric

Link HERE Plus Threat Modeling as code example + selecting which tests/tools to run in CI/CD HERE

-Top 10 Web Hacking Techniques of 2017

  1. Binary Webshell Through OPcache in PHP 7
  2. Cure53 Browser Security Whitepaper
  3. Request Encoding to bypass web application firewalls
  4. A deep dive into AWS S3 access controls
  5. Advanced Flash Vulnerabilities
  6. Cloudbleed
  7. Friday The 13th JSON Attacks
  8. Ticket Trick
  9. Web Cache Deception
  10. A New Era of SSRF




DevSecCon London HERE Happening today, more news in the coming weeks!

OWASP AppSec Bucharest HERE


BSides Bucharest HERE

BlackHat London HERE



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.


Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Californian state law change for connected devices

In a bid to strengthen cyber security, California passed a state law requiring all manufacturers of internet connected devices to improve their security features.

By 2020, in order to sell their products in California, manufacturers will need to ensure that devices such as home routers have a unique pre-programmed password or an enforced user authentication process as part of the set-up. Default passwords such as ‘password’ or ‘default’ will be deemed weak and in breach of the state law. This could then open the manufacturer up to prosecution should the user become the victim of cyber crime because of weak security on the device.

Google+ and Project Strobe

On 8 October, Google announced the existence of Project Strobe – a comprehensive review of third-party developer access to Google account and Android device data, and their philosophy around apps’ access to data

Last one HERE

Troy Hunt weekly update



Incidents detail

Major cyberattack could hit the UK soon, warns NCSC


Spring Framework – Privilege Escalation in spring-security-oauth2 – Update NOW!


A mysterious grey-hat is patching people’s outdated MikroTik routers

Internet vigilante claims he patched over 100,000 MikroTik routers already


To Understand Facebook, Study Capgras Syndrome


Twitter Under Formal Investigation for How It Tracks Users in the GDPR Era


Developer tricks Microsoft, publishes app under Google LLC name in Windows Store


Fortinet Discovers New Android Apps that Mine the Unminable


DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More


NSA Attacks Against Virtual Private Networks

A 2006 document from the Snowden archives outlines successful NSA operations against “a number of ‘high potential’ virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems.”

It’s hard to believe that many of the Snowden documents are now more than a decade old


AES Resulted in a $250-Billion Economic Benefit

NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the study and its conclusions — it’s all in the 150-page report, though — but I do like the pretty block diagram of AES on the report’s cover



Research of the week

-A Question of Timing

When considering website performance, the term TTFB – time to first byte – crops up regularly. Often we see measurements from cURL and Chrome, and this article will show what timings those tools can produce, including time to first byte, and discuss whether this is the measurement you are really looking for


-Cost of a Data Breach

The average cost of breaches in the UK is £2.69m according to the new 2018 Cost of a Data Breach Study by Ponemon


-Observations from the front lines of threat hunting

This report provides a summary of OverWatch’s findings from intrusion hunting during the first half (January through June) of 2018. It reviews intrusion trends during that time frame, provides insights into the current landscape of adversary tactics and delivers highlights of notable intrusions OverWatch identified. OverWatch specifically hunts for targeted adversaries. Therefore, this report’s findings cover state-sponsored and targeted eCrime intrusion activity, not all forms of attacks


-Top business risks for 2018


The most important corporate perils for the year ahead and beyond, based on the insight of more than 1,900 risk management experts from 80 countries



-Counting People through a Wall with Wi-Fi

In the team’s experiments, one WiFi transmitter and one WiFi receiver are behind walls, outside a room in which a number of people are present. The room can get very crowded, with as many as 20 people zigzagging around each other. The transmitter sends a wireless signal whose received signal strength (RSSI) is measured by the receiver. Using only such received signal power measurements, the receiver estimates how many people are inside the room, an estimate that closely matches the actual number. It is noteworthy that the researchers do not do any prior measurements or calibration in the area of interest; their approach has only a very short calibration phase that need not be done in the same area.



Tool of the week

-Helm is a personal, private email server that won’t share your data

Link HERE and HERE

-JA3 – A method for profiling SSL/TLS Clients

JA3 is a method for creating SSL/TLS client fingerprints that are easy to produce and can be easily shared for threat intelligence
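JA3 is computed from exactly the ClientHello bytes that the Illustrated TLS Connection walks through above: the legacy version, the cipher suite list, the extension type list, the supported groups (elliptic curves) and the EC point formats, each written in decimal, fields joined by “-” and sections by “,”, then MD5-hashed. The block below is an added example for this newsletter, not code from the JA3 project or from the Illustrated TLS site: it assembles a constructed TLS 1.2 ClientHello record, parses it back field by field, and derives the JA3 string and hash. It also drops GREASE code points (RFC 8701), as current JA3 implementations do, which is an assumption about the behaviour you want rather than part of the original JA3 definition.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are reserved code points that clients such as Chrome
# insert at random; dropping them keeps the fingerprint stable across connections.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version=0x0303, ciphers=(), extensions=()):
    """Assemble a TLS record carrying a ClientHello (constructed test input,
    not a capture). `extensions` is a sequence of (type, body) pairs."""
    body = struct.pack("!H", version)             # legacy_version
    body += b"\x00" * 32                          # client random (zeros suffice for a parser test)
    body += b"\x00"                               # session_id length 0
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs       # cipher_suites
    body += b"\x01\x00"                           # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext     # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_client_hello(record):
    """Walk the record and return the five fields JA3 fingerprints."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                 # skip version and random
    pos += 1 + body[pos]                          # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression_methods
    ext_types, groups, formats = [], [], []
    if pos < len(body):                           # extensions block is optional in TLS 1.2
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:                       # supported_groups: u16 list length, u16 ids
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                     # ec_point_formats: u8 list length, u8 ids
                formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}


def ja3_string(fields):
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats, decimal."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["groups"]),
                     join(fields["formats"])])


def ja3_hash(fields):
    return hashlib.md5(ja3_string(fields).encode()).hexdigest()


# Constructed ClientHello: TLS 1.2 with a GREASE cipher and a GREASE extension mixed in.
SAMPLE = build_client_hello(
    ciphers=(0x0a0a, 0xc02f, 0xc030, 0x009c, 0x002f),
    extensions=(
        (0x1a1a, b""),                                  # GREASE, must not affect the fingerprint
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),        # server_name
        (10, b"\x00\x06\x00\x17\x00\x18\x00\x1d"),      # supported_groups: secp256r1, secp384r1, x25519
        (11, b"\x01\x00"),                              # ec_point_formats: uncompressed
        (13, b"\x00\x04\x04\x03\x08\x04"),              # signature_algorithms
    ),
)

if __name__ == "__main__":
    fields = parse_client_hello(SAMPLE)
    print(ja3_string(fields))   # 771,49199-49200-156-47,0-10-11-13,23-24-29,0
    print(ja3_hash(fields))
```

Because the fingerprint is only a hash of what the client offers, it identifies a TLS library and configuration rather than a user or a piece of malware by itself; treat a JA3 match as a pivot for hunting, and pair it with the server side (JA3S) or destination context before alerting on it.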


-Google’s “Shielded VMs”

In beta; Shielded VMs use UEFI Secure Boot, a virtual TPM and boot-integrity monitoring to ensure that when virtual machines boot up, they’ll be running code that hasn’t been compromised



Other interesting articles

URLs are hard, let’s kill them

We’ve seen a couple of changes in the Chrome UI recently and one of them attracted some pretty fierce criticism online rather quickly. With the removal of some of the URL components from the address bar I was quite relieved to see a simplification of this complicated UI feature. Turns out that not everyone felt the same way!



How to get a job if you were a Blackhat

If you are a black hat you are probably a self starter and probably smarter than the vast majority of the general population. One thing many billionaires have in common is an IQ over 160. The other thing most billionaires have in common is that they start out as multi-millionaires through inheritance or family trust. So maybe you don’t have generational wealth, but if you are a hacker you probably have some intelligence



Using phishing tools against the phishers— and uncovering a massive Binance phishing campaign

Jeremiah O’Connor (security researcher at Cisco) forwarded me a domain that has been phishing for Binance logins —

This domain has a different phishing kit to previous ones we’ve seen, as it changes the user sign-in journey to collect personal information to eventually use in social engineering methods — this server does not communicate with the Binance domain



Brian Krebs Talks with Tony Sager About Supply Chain Security

Krebs’s conversation with Tony Sager, “senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency,” covers a range of topics relating to supply chain security, from the Trusted Foundry program to Sandia National Laboratories approach to supply chain security to its relationship to the Internet of Things (IoT). Sager says that the problem of supply chain security is “outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.”
A truly “safe” supply chain can come only at the price of some reduction in innovation or market efficiency



And finally, I’m an Amazon Employee. My Company Shouldn’t Sell Facial Recognition Tech to Police

Amazon’s ‘Rekognition’ program shouldn’t be used as a tool for mass surveillance

Links HERE and HERE Or better let’s become cyborgs HERE Until we reach Schadenfreude HERE



AppSec Ezine

Must see


Description: A timing attack with CSS selectors and Javascript.


Description: An interesting Google vulnerability that got me 3133.7 reward.


Description: Get as image() pulls Insights/NRQL data from New Relic accounts (IDOR).

Link HERE and credits to HERE
