Security Stack Sheet #33

Word of the week “Hot tub hack” reveals washed-up security protection

Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, BBC Click has revealed.

Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone.



“KringleCON” by SANS

Over the past three years during the SANS #HolidayHack challenge, vicious holiday super villains have conspired to destroy the entire holiday season and the North Pole itself. Santa has just declared, “Enough is enough! It’s time to bring security professionals, hobbyists, and hackers from around the world in a unique meeting of the minds this December, to help improve the state of cyber security world-wide!”



Word of the week special “Top 2018 Security and Privacy Stories”

  • Cryptocurrency Mining Malware

It’s been a wild ride with the cryptocurrency boom and sorta bust. The year started out with a steady onslaught of hackers shifting from extorting money from victims via ransomware to planting cryptojacking malware. The switch was to take advantage of sky-high valuations for cryptocurrencies such as Monero. In March, we learned that one cryptomining gang earned $7 million in six months. As of December, the price of virtual currency has dropped so low that ransomware has come back into vogue.

  • DDoS Attacks

Compared to 2017, DDoS attacks grew five-fold. Not only did they become more popular, they also became bigger, smarter and more diverse. One of the most notable evolutions in the DDoS landscape over the past year was the growth of peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols. Making matters worse, 2018 also saw a record number of devices, such as routers, become infected with malware such as VPNFilter.

  • Breach Fatigue

The year kicked off with the Department of Homeland Security announcing a breach that exposed the data of 240,000 employees. But things were just getting started. In March, Under Armour reported a breach impacting 150 million MyFitnessPal accounts. And after that, breaches began to pile up from Ticketmaster, Girl Scouts, British Airways, Quora, Marriott and others.

  • Meltdown and Spectre

Chip-makers were sent scrambling in January when teams of researchers revealed two major vulnerabilities hiding in microprocessors. Called Meltdown and Spectre, the flaws impacted Intel microprocessors and other modern CPUs. Both vulnerabilities affect how microprocessors isolate sensitive data in memory. This opened the door for an attacker to gain access to data such as passwords, encryption keys or potentially even data from adjacent virtual systems co-located on the same server.

  • Facebook Privacy Fiasco

The story broke about Facebook and Cambridge Analytica in the early months of 2018. And Facebook hasn’t stopped saying sorry ever since. The revelations began with the news that Facebook partner Cambridge Analytica had harvested personal data of Facebook users without their consent via the app thisisyourdigitalife. Then came the apology tour with Facebook CEO Mark Zuckerberg making nearly a dozen stops before Congress and the Senate Judiciary Committee. But just when you thought Facebook might catch its breath, in October there were new revelations about a security issue involving access tokens that exposed 50 million users. Then in December more reveals: This time it was a bug that exposed private images of 6.8 million users and then revelations of a data-sharing agreement with 150 tech firms where some had access to private Facebook Direct Messages.

  • End-to-End Encryption

The 2018 debate over the government’s authority to access private encrypted data on digital devices was kicked off in January when FBI Director Christopher Wray called unbreakable encryption an “urgent public safety issue.” The year will likely also be remembered for a controversial bill passed in Australia, which could give the government there access to data otherwise protected by end-to-end encryption. The year also saw challenges to end-to-end encryption by Russian authorities, who ordered secure messaging service Telegram to hand over the encryption keys of 9.5 million active Russian users.

  • Advanced Persistent Threats

In 2018, activity among the usual Advanced Persistent Threat (APT) suspects has been a little quieter than usual, say researchers. That’s not to say that some – Sofacy, Turla and CozyBear, notably – didn’t make waves this year. According to a year-end analysis by Kaspersky Lab, Sofacy was the most active of the three. “One of the most high-profile incidents was abuse of Computrace LoJack by this actor in order to deploy its malware on victim machines, in what can be considered a UEFI-type rootkit,” Kaspersky researchers wrote. The year also made room for newcomers, including Middle East APTs LazyMeerkat, FruityArmor, DarkHydrus and DomesticKitten.

  • Destructive Malware

Soon after the start of the Winter Olympics in Pyeongchang, there were reports of malware attacks on infrastructure related to the Games. What became known as Olympic Destroyer shut down display monitors used by Olympic organizers, zapped Wi-Fi networks and prevented visitors from printing tickets by crippling the official Olympics website. The activity was an attribution confusion bomb, so researchers simply call the APT behind it “Hades.” We also saw destructive malware in 2018 in the form of the SamSam ransomware, which is tied to crippling attacks on the cities of Atlanta and Newark, N.J. Data-wiping malware Shamoon reappeared in December, destroying drives at an Italian oil and gas company. And an incident in September forced an Indiana hospital to cancel elective surgeries and divert ambulances.

  • GDPR Arrives

In late May, the European Union’s General Data Protection Regulation (GDPR) came into force. GDPR is considered the most comprehensive regulation on the protection of personal data in the world. It introduces a sweeping set of privacy requirements impacting US consumer privacy, cybersecurity, the role of technology companies and the future of the transatlantic digital economy. Yet, while 2018 may have been a milestone for GDPR, there have been few fines and many are still trying to sort out compliance.

  • Router Attacks

As criminals focused on stealing data and growing bot armies, routers became an attractive target for doing both. In May, Talos researchers reported that Russian-speaking threat actors, with links to the BlackEnergy APT group, were behind the VPNFilter malware that infected 500,000 routers. In August, researchers reported a massive cryptomining campaign targeting MikroTik routers, infecting 170,000 devices with the CoinHive malware. In March, we learned of a cyber-espionage threat, dubbed Slingshot, which targeted routers and used them as a springboard to attack computers within a network. And in November, 45,000 routers were reported compromised by a campaign designed to open networks to attacks by EternalBlue, according to Akamai.



Security Resolutions 2019 – for the regular individual 

  1. Choose strong passwords and change them on a regular basis.
  2. Always secure my laptop and portable devices.
  3. Review my bank and credit card statements every month.
  4. Ensure software on my computer and other devices is up-to-date.
  5. Mentor a young person in safe computer use practices.



SOME 2019 PREDICTIONS (More in the coming weeks!)

  1. Increasing cloudiness—which is a good thing
  2. GDPR’s worldwide reach brings reach for security too
  3. Blockchain blowback
  4. DevSecOps rising
  5. Privacy a priority—really?
  6. Smart—and disconnected





Link HERE Read the whole thread!




Crypto challenge of the week

Fake xmas balls

A rogue manufacturer is flooding the market with counterfeit yellow xmas balls. They are popping up like everywhere!

Can you tell them apart from the real ones? Perhaps there is some useful information hidden in the fakes…


Concise Christmas Cryptography Challenges 2019 – from Cloudflare

Last year we published some crypto challenges to keep you momentarily occupied from the festivities. This year, we’re doing the same. Whether you’re bored or just want to learn a bit more about the technologies that encrypt the internet, feel free to give these short cryptography quizzes a go.

We’re withholding answers until the start of the new year, to give you a chance to solve them without spoilers. Before we reveal the answers; if you manage to solve them, we’ll be giving the first 5 people to get the answers right some Cloudflare swag. Fill out your answers and details using this form so we know where to send it.

Have fun!




May 25th: GDPR Live! See incidents section below

June 30th: TLS1.1 mandatory for PCI-DSS compliance – BEWARE!


Now: TLS1.2 mandatory for proper security

TLS 1.0 and TLS 1.1 ARE GOING!!

Google HERE Firefox HERE Microsoft HERE


Now: HTTPS mandatory

HTTPS everywhere HERE


Why closing port 80 is bad for security


March 29th 2019: Brexit

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start


Comic of the week

Some OWASP stuff first

-ODVSA – a Damn Vulnerable #serverless Application


Lessons are available HERE

-OWASP ServerlessGoat

A serverless application demonstrating common serverless security flaws

Links HERE and HERE plus 10 Critical risks for Serverless HERE

-AWS Educate

With the increasing demand for cloud employees, AWS Educate provides an academic gateway for the next generation of IT and cloud professionals. AWS Educate is Amazon’s global initiative to provide students and educators with the resources needed to accelerate cloud-related learning.


-“Building Better Defences: Engineering for the Human Factor”

In this talk, Allison Miller will explore how today’s defenders are evolving from a relatively simple model — isolation- and perimeter-based — into a more dynamic and flexible form that enables interconnectivity and data flows across independent environments, in real time and at scale. Upleveling our game in defense requires a more sophisticated approach to deflecting exploits and vulns, but also means designing for the “human factor”: mapping out complex sets of incentives, designing for interdependencies, and inventing new approaches to thinking about security, risk, & trust. Allison will discuss ideas for the next wave of security engineers and practitioners, including lessons learned from applying big data plus ML/AI in developing real-time risk modeling & algorithmic defense, and how today’s defenders are rewriting the playbooks on protecting the end-user zone.


-Dependency Track 3.4

Continuous Component Analysis Platform





All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019




Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents in the world last week (UK)

Find your country HERE

Data breach statistics HERE – not being kept up-to-date

Cyber breaches abound in 2019


Map of Threat Actors HERE

Troy Hunt weekly update


Transatlantic Cable podcast, episode 71 – by Kaspersky

Holiday tech tips for visiting family

During the course of our chat, we will discuss 12 things that can help secure your relatives and offer some tips to make it a bit less painful, so you can get back to the festivities.

Some additional helpful links include:


Everyday Espionage Podcast

Work-Life balance is real, but it’s not what you’ve been told. Real balance puts you on the edge of falling; the edge of failing. But it also puts you on the edge of success. The world has been sold the lie that less work equals more life. While ‘work-life balance’ has become a multi-million dollar catch phrase, Andrew explains that when life is in the balance, more work equals more life.

In this unprecedented TEDx-style podcast, former covert CIA intelligence officer Andrew Bustamante discusses real-world international espionage techniques that can be used in everyday life. From business to personal relationships, spies know how to control their environment, drive predictable behaviour, and gain unique advantages. Secrets once reserved for the world’s elite intelligence services are now brought to light.



Incidents & events detail


I want to believe that all of you know about ImageMagick and its Tragick. This issue was found at the end of April 2016 and, since many processing plugins depend on the ImageMagick library, it has a huge impact. Since there was evidence that information about this issue was available not only to the researchers who discovered it and ImageMagick’s development team, but also to others, on the 3rd of May 2016 the information (without PoC) was disclosed. Many researchers got this low-hanging fruit while discovering applications which were not updated in time. But for some unknowable reason I was not among them. But this was in May.


The Clickjacking Bug that Facebook Won’t Fix


‘Serious’ Twitter flaw allows hackers to post on other people’s accounts

A vulnerability in Twitter allows hackers to send tweets, private messages, post images or videos, and turn off security features, says a British security researcher.


Common Phishing Attack Types


Click2Gov Breaches Show The Power Of Zero Days


Caribou Coffee notifies customers of data breach

Retailer said 265 stores were tied to a months-long theft of customer data.


DDoS for hire domains seized – thanks to Naz

Links HERE and HERE and HERE

Amazon inadvertently sent more than 1,700 voice recordings of random people to a man in Germany after he submitted a GDPR request to the company.

Windows Sandbox

Earlier this year, Microsoft indicated that it was planning to release a Windows 10 feature called inPrivate Desktop for enterprise users; the feature has been renamed Windows Sandbox and is now available to Windows 10 Pro users as well. Windows Sandbox is “an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC,” according to Microsoft.
Users of Apple iOS have enjoyed such a safe execution environment for years. My PC is configured to resist running any untrusted software or to interpret downloaded data (a pain) and I do all browsing and e-mail on my iPad or iPhone. Software to automagically intercept and interpret all URLs in a virtual machine (“isolated, temporary,” and safe environment) has been available at a price for years. Provision of such an isolated environment by Microsoft is late but powerful. One hopes that it is on by default.

Links HERE and HERE


Research of the week

-The Layered Cyber Security Approach and Model

Link HERE Paper: The Layered Security Model and its Representation using Bigraphs to Analyse Critical Infrastructure HERE

-Exploring Quantum Neural Networks – by Google


-Hack the Air Force 3.0 Results

The Hack the Air Force 3.0 bug bounty program took place between October 19 and November 22 of this year. Nearly 30 participants discovered more than 120 vulnerabilities in public-facing Air Force websites and services. This is the third bug bounty program for the Air Force and the seventh overall within the Department of Defense (DOD). The competition was open to participants from 191 countries; applicants were vetted by HackerOne, which facilitated the event along with the Department of Defense’s Defense Digital Service.
We have several years of data points showing well-managed bug bounty programs can be both effective and efficient at finding vulnerabilities in systems and software. But, the headlines we really, really need to see are something like “Bug Hunting Challenge Finds No Vulnerabilities in Production Systems Because Bug Hunting Challenge Prior to Production Release Found Them First.”



Tool of the week

-Nmap Cheat Sheet

Link HERE and nmap HERE

-Teaching test-driven development and continuous integration with “Evil Fizz Buzz”

Fizz Buzz is the word game in which players in a circle count from 1 up, substituting multiples of three with “fizz” and multiples of five with “buzz” (“1, 2, Fizz, 4, Buzz, Fizz, 7, 8, Fizz, Buzz, 11, Fizz, 13, 14, Fizz Buzz, 16, 17, Fizz, 19, Buzz, Fizz, 22, 23, Fizz, Buzz, 26, Fizz, 28, 29, Fizz Buzz, 31, 32, Fizz, 34, Buzz, Fizz, …”).
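The counting rule above, written as a small test-driven unit with the article's own 36-term sequence used as the fixture. This is an added example, not code from the article or from the linked "Evil Fizz Buzz" exercise; the rule table (`RULES`) and the helper names are this example's own choices, and it generalises slightly beyond the text by letting the divisor/word pairs be swapped for a variant game.

```python
"""FizzBuzz as a testable function (added example; not from the article)."""
from typing import List, Sequence, Tuple

# Divisor/word pairs, in the order their words are spoken.  A number divisible
# by several divisors gets all the matching words joined with a space, which is
# why 15 reads "Fizz Buzz" exactly as the article writes it.
RULES: Sequence[Tuple[int, str]] = ((3, "Fizz"), (5, "Buzz"))


def fizzbuzz(n: int, rules: Sequence[Tuple[int, str]] = RULES) -> str:
    """Return what a player says for position n (the game counts from 1)."""
    if n < 1:
        raise ValueError("the game counts from 1 upwards")
    words = [word for divisor, word in rules if n % divisor == 0]
    return " ".join(words) if words else str(n)


def fizzbuzz_sequence(upto: int, rules: Sequence[Tuple[int, str]] = RULES) -> List[str]:
    """The spoken sequence for 1..upto inclusive."""
    return [fizzbuzz(n, rules) for n in range(1, upto + 1)]


# Constructed fixture: the 36 terms quoted in the article, used as the
# regression test that a TDD exercise would start from.
ARTICLE_SEQUENCE: List[str] = (
    "1, 2, Fizz, 4, Buzz, Fizz, 7, 8, Fizz, Buzz, 11, Fizz, 13, 14, Fizz Buzz, "
    "16, 17, Fizz, 19, Buzz, Fizz, 22, 23, Fizz, Buzz, 26, Fizz, 28, 29, Fizz Buzz, "
    "31, 32, Fizz, 34, Buzz, Fizz"
).split(", ")


def matches_article_sequence() -> bool:
    """True when the implementation reproduces the article's quoted sequence."""
    return fizzbuzz_sequence(len(ARTICLE_SEQUENCE)) == ARTICLE_SEQUENCE


if __name__ == "__main__":
    print(", ".join(fizzbuzz_sequence(36)))
    print("matches article:", matches_article_sequence())
```

Keeping the rules as data rather than a chain of `if` statements is what makes the "evil" variant cheap to absorb: a changed or added rule is a one-line fixture change plus a new assertion, and the existing sequence test immediately tells you whether the old behaviour was preserved.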





Other interesting articles

How security features can save your product and make it a super star

Indonesia overturns ban on Tik Tok after video streaming service agrees to increase security controls




After years of data pollution, the perfect storm hits Facebook



Interop’s Labyrinth: Sharing Code Between Web & Electron Apps

Things aren’t always what they seem in this place, so you can’t take anything for granted



And finally, The 60 Dumbest Moments in Tech 2018

Maybe it would have been easier to list the things that happened that weren’t strange, embarrassing, and/or unfortunate




AppSec Ezine

Must see


Description: Exploiting XXE with local DTD files.


Description: How I could have stolen your photos from Google.


Description: Linux privilege escalation via trusted $PATH in keybase-redirector.

Link HERE and credits to HERE
