Security Stack Sheet #40

Word of the week “Valentine Romance Scams”

Links HERE and HERE



Facebook ex-security chief: How ‘hypertargeting’ threatens democracy – Great (and Long) article

Links HERE and HERE


Word of the week special “Risk of Oversharing”

Links HERE and HERE and HERE and HERE and HERE


The “Accidental Hacker”





University To Allow Blood Offerings As Viable Two Factor Authentication Option


Zerodium increase in bounties




If you use Huawei, at least 4 million Chinese have seen you on the toilet!

Link HERE (in Romanian)


Crypto challenge of the week

Crypt-o-Math 3.0 (Author: Lukasz_D)

Last year’s challenge was too easy? Try to solve this one, you h4x0r!





c = (a * b) % p




Finding “a” will give you the flag.

Link with solution HERE
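An added worked example (not the challenge author’s own solution): when c = (a * b) % p and b and the prime p are known, a is recovered by multiplying c with the modular inverse of b. The flag, prime and multiplier below are constructed stand-ins, not the real challenge values.

```python
# Added example: recovering a from c = (a * b) % p with known b and prime p.
# All values are constructed; the real challenge parameters are behind the link above.

def modinv(x: int, p: int) -> int:
    """Inverse of x modulo prime p via Fermat's little theorem (x^(p-2) mod p)."""
    if x % p == 0:
        raise ValueError("b is a multiple of p: no inverse exists, a cannot be recovered")
    return pow(x, p - 2, p)

def recover_a(c: int, b: int, p: int) -> int:
    """Given c = (a*b) % p, return a mod p (equal to a itself only when a < p)."""
    return (c * modinv(b, p)) % p

def int_to_flag(a: int) -> str:
    """CTF convention: the integer a is the big-endian encoding of the flag text."""
    return a.to_bytes((a.bit_length() + 7) // 8, "big").decode()

# Constructed sample: a short flag as an integer, a prime larger than it
# (2^521 - 1 is a Mersenne prime), and an arbitrary multiplier b.
FLAG = "flag{constructed}"
P = (1 << 521) - 1
A = int.from_bytes(FLAG.encode(), "big")
B = 0x1234567890ABCDEF
C = (A * B) % P

if __name__ == "__main__":
    print(int_to_flag(recover_a(C, B, P)))
```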

Switzerland Invites eVoting System Pen Testing
Starting later this month, Switzerland’s government will allow researchers and security companies to pen test its electronic voting system. Participants need to sign up prior to the start of the pen test period, which runs from February 25 to March 24.




May 25th 2018: GDPR Live! See incidents section below

June 30th 2018: TLS1.1 mandatory for PCI-DSS compliance. BEWARE!


Now: TLS1.2 mandatory for proper security

Google HERE Firefox HERE Microsoft HERE

HTTPS everywhere HERE


Downgrade Attack on TLS 1.3 and Vulnerabilities in Major TLS Libraries


March 29th 2019: Brexit

September 2019: PSD2 security mandatory

November 3rd 2020: Trump’s second term start


Book on the month



Comic of the week


Some OWASP stuff first

-OWASP London event Wednesday – video and slides not available yet but monitor the link below for updates

  • “Introducing the OWASP ZAP Heads Up Display (HUD)” – Simon Bennetts (@psiinon)

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. It has a powerful desktop UI, a highly functional API and is used by everyone from people new to security, including developers and QA, right up to professional pentesters. It’s also more complex for newcomers than we would like. We are therefore introducing a new Heads Up Display (HUD) interface which overlays data and controls for ZAP over the web based application being tested.

  • “Incident Response in Your Pyjamas” – Paco Hope (@pacohope)

When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit the data centre to capture data from the systems. Getting on airplanes and going to data centres means you have to get dressed, and that’s a drag. When infrastructure is in the cloud, you have remote access and APIs for managing all your infrastructure, so you can respond to incidents with automation and do your forensic analysis in your bunny slippers. But is it as good as the capabilities you have in a data centre? Is getting dressed the price you have to pay for high quality forensics and incident response? In this talk Paco will explain the two major domains of cloud events (infrastructure domain and service domain) and describe the security and incident response techniques pioneered by AWS customers like Mozilla, Alfresco, and Netflix. He’ll explain how to isolate resources to preserve the integrity of the data; get RAM dumps and disk image snapshots; and identify unauthorised changes to cloud resources using API tools and logs. And all of this while wearing pyjamas.

  • “Developers – The Lucrative Target for Social Engineers” – Stuart Peck (@cybersecstu)

Developers are a lucrative target for attackers, especially those with public profiles, active on social media, and working on either high-profile applications or open source projects. The recent attack against an NPM package, where malicious code targeting a popular Bitcoin wallet was planted after the attacker socially engineered the maintainer into handing over ownership, is one of many examples showing that this is an ever-increasing vector. This talk explores how exposed some developers are and the impact this can have, either through the supply chain and/or directly on organisations. During this talk we will demonstrate and discuss: Open Source Intelligence – recon techniques; profiling targets, repos, developer backgrounds, coding style and digital footprint; pretext creation – building trust and establishing legitimacy; example vishing calls, phishing emails and case studies; and what developers can do to challenge and reduce the impact of social engineering.


-OWASP DevSlop – Episode 18: Azure Security Assessment


-Practical tips for defending web applications in the age of agile/DevOps

Link HERE and the Platform HERE

-AppSecCali 2019 Keynote – The Unabridged History of Application Security – Jim Manico


-Application security in the age of automated attacks growth


-Secure Coding Dojo

The Secure Coding Dojo is a platform for delivering secure coding training. While it provides two vulnerable training applications, the training portal can be used in conjunction with other applications as well.





All InfoSec events HERE

First AWS Security Conference – AWS re:Inforce 2019


Hack In Paris 2019 HERE

AppSec Europe Tel-Aviv May 2019




Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Which countries have the worst (and best) cybersecurity?


Incident data HERE Find your country

Deliveroo reportedly suffers credential stuffing attack

Deliveroo customers have reported that their accounts have been accessed, delivery addresses added and orders made without their knowledge or consent.

Scammers are reportedly ordering huge quantities of food and drink to seemingly random addresses, using bank details linked to the victim’s account.

Some account holders report receiving emails to say Deliveroo account details had been changed – specifically email addresses and phone numbers, rendering them unable to access their accounts.

Norwegian cloud computing company admits to compromise by APT10  

A joint report by Recorded Future and Rapid7 has accused APT10 of infiltrating the network of Norwegian cloud computing company Visma.

According to Visma, its IT security staff detected the intrusion promptly. Although the incident did not affect any of Visma’s clients’ systems, it “could have been catastrophic” had it not been identified early.

Link Cyber Threat Analysis HERE – thanks to Ben

Recall of children’s smartwatch following data risk

A recall of a children’s smartwatch has been ordered by the European Commission following fears over a lack of encryption.

The Commission noted in a recall alert that the Enox Safe-Kid-One device was sending and receiving data unencrypted, which increases the risk of attackers taking advantage. Furthermore, the Commission stated: “A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”

Sophisticated phishing campaign targeting top brass

A new phishing campaign to steal login credentials from businesses is specifically targeting senior executives.

A fake email claiming to be from a company CEO discusses the rescheduling of a board meeting, but the email’s link leads users to a page resembling a Doodle poll which can steal Office 365 credentials. Researchers at GreatHorn first discovered the campaign.


Troy Hunt weekly update


Transatlantic Cable podcast, episode 78 – by Kaspersky

Users complain of account hacks, but OkCupid denies a data breach

Amazon gobbles up eero to round out its smart home plan

Internet-connected industrial refrigerators can be remotely defrosted, thanks to default passwords



Incidents & events detail



Google Launches Its First Cybersecurity Company, Chronicle

A new sister company to Google launches with two service offerings


The dangers of malicious browser extensions

Be careful with what you install


CVE-2019-0676 | Internet Explorer Information Disclosure Vulnerability

An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.

An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website.

The security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory.


Google security researchers say two recently patched iOS bugs had been exploited in the wild
Blockchain technology could prove useful in an effort to stop police body cameras from being tampered with
Email provider VFEmail suffered what it’s calling a “catastrophic” attack
Russia is working on a plan to remove itself from the global internet by routing all of its data through the country rather than internationally


Facebook expands support for Let’s Encrypt – protecting people on Facebook and beyond


Microsoft MIM PAM cross-site scripting vulnerability


Payloads to bypass WAFs

Links HERE and HERE

CVE-2019-5736: runc container breakout


iPhone apps record your screen sessions without asking


Spying on Safari in Mojave


Australian Parliament Network User Passwords Reset Following Unspecified Security Incident

Australia’s Department of Parliamentary Services (DPS) reset all user passwords for accounts with access to Australia’s Parliamentary network following an unspecified incident that occurred late last week. DPS and other government agencies are investigating the incident.


Apple will pay the teenager who discovered the Group FaceTime bug



Research of the week

-Executive View – Current and future cybersecurity architecture on one page

Links HERE and HERE

-The State of Code Review 2018

Trends and Insights into Collaborative Software Development


-2019 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics

Link HERE. Google has paid security researchers over $15 million for bug bounties, $3.4 million in 2018 alone: Link HERE

And a scientist’s view of 2019 HERE and Threat Intelligence Report 2018 HERE

-The Curious Case of Convexity Confusion

Some time ago, I noticed a tweet about an externally reported vulnerability in the Skia graphics library (used by Chrome, Firefox and Android, among others). The vulnerability caught my attention for several reasons:

Firstly, I had looked at Skia before in the context of finding precision issues, and any bugs in code I have already looked at instantly evoke the “What did I miss?” question in my head.

Secondly, the bug was described as a stack-based buffer overflow, and you don’t see many bugs of this type anymore, especially in web browsers.

And finally, while the bug itself was found by fuzzing and didn’t contain much in the sense of root cause analysis, a part of the fix involved changing the floating point precision from single to double which is something I argued against in the previous blog post on precision issues in graphics libraries.

So I wondered what the root cause was and if the patch really addressed it, or if other variants could be found. As it turned out, there were indeed other variants, resulting in stack and heap out-of-bounds writes in the Chrome renderer.



Tool of the week

-Introducing AresDB: Uber’s GPU-Powered Open Source, Real-time Analytics Engine

At Uber, real-time analytics allow us to attain business insights and operational efficiency, enabling us to make data-driven decisions to improve experiences on the Uber platform. For example, our operations team relies on data to monitor the market health and spot potential issues on our platform; software powered by machine learning models leverages data to predict rider supply and driver demand; and data scientists use data to improve machine learning models for better forecasting.


-Mozilla SSL Configuration Generator


-CANalyzat0r: A security analysis toolkit for proprietary car protocols


-Top 10 Android Pentesting tools


-GoScan : Interactive Network Scanner 2019



-ClusterFuzz

ClusterFuzz, a tool that automates bug detection in software via distributed fuzzing infrastructure, has found ~16,000 bugs in Chrome and ~11,000 bugs in over 160 open source projects integrated with OSS-Fuzz.


-Anti-Deepfake Video Tool

A new tool aims to help detect when video footage has been compromised by deepfake manipulation. The tool, which runs in the background on recording devices, generates regular, periodic hashes of the data which are then recorded to a public blockchain.

Research on video manipulation, including Deepfake, is needed, but this tool is not worth getting excited about in the short term. While the approach has some possible use cases, they don’t meet the most immediate Deepfake detection needs. It’s the equivalent of saying you’ve created software for detecting syslog manipulation when the “detection mechanism” is comparing the current log to hashes of the logs taken previously.
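An added example, not the tool’s own code, reducing the scheme above to its essentials: footage is hashed in chunks, each hash chained to the previous one, and every N-th chain head is committed to a stand-in for the public blockchain (an append-only list). Later footage is verified by recomputing the chain; the constructed sample also shows the limitation the paragraph raises, since a clip fabricated before hashing verifies just fine.

```python
# Added example: chained chunk hashes with periodic commitments, as the anti-deepfake
# tool is described; the "recording" and the ledger are constructed stand-ins.
import hashlib

CHUNK = 1024   # bytes of footage per hash; the real tool hashes on a time interval
EVERY = 4      # commit every 4th chain head to the ledger

def chain_hashes(data, chunk=CHUNK):
    """Hash each chunk together with the previous digest so edits, drops and reorders propagate."""
    heads, prev = [], b"\x00" * 32
    for i in range(0, len(data), chunk):
        h = hashlib.sha256(prev + data[i:i + chunk]).digest()
        heads.append(h.hex())
        prev = h
    return heads

def record_and_commit(data, every=EVERY):
    """Simulate the recording device: publish every N-th chain head to the ledger."""
    return chain_hashes(data)[every - 1::every]

def verify_footage(data, ledger, every=EVERY):
    """Recompute the commitments; returns (ok, index of the first bad commitment or -1)."""
    recomputed = chain_hashes(data)[every - 1::every]
    if len(recomputed) != len(ledger):
        return False, min(len(recomputed), len(ledger))
    for idx, (got, want) in enumerate(zip(recomputed, ledger)):
        if got != want:
            return False, idx
    return True, -1

# Constructed 16 KiB of "footage": 16 chunks, so 4 commitments on the ledger.
ORIGINAL = bytes(range(256)) * 64
LEDGER = record_and_commit(ORIGINAL)
# One byte altered inside chunk 4: every chain head from chunk 4 on changes,
# so the second commitment (head of chunk 7) is the first to mismatch.
TAMPERED = ORIGINAL[:5000] + b"\xff" + ORIGINAL[5001:]
# Footage that was already manipulated when recorded is indistinguishable from genuine.
FAKE_AT_SOURCE = b"deepfake-frames-" * 1024

if __name__ == "__main__":
    print(verify_footage(ORIGINAL, LEDGER), verify_footage(TAMPERED, LEDGER))
    print(verify_footage(FAKE_AT_SOURCE, record_and_commit(FAKE_AT_SOURCE)))
```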


-Phishing Kit with JavaScript Keylogger

Link HERE and Phishing via Google Translate HERE


Other interesting articles

Securing your Single-Page application Anno 2019

How we can securely authorize and authenticate our users in a Single-Page application (SPA). We’re specifically talking about browser-based JavaScript applications running on the same domain as the API.

First we had cookies, then we had tokens, and now it looks like we’re back to cookies.

Link HERE and the State of the Implicit Flow in OAuth HERE


DNS over HTTPS (+ModSecurity WAF)

One of the main security problems with DNS is that a query is sent over an unencrypted connection. That means that anyone listening to packets between you and your DNS server could know what websites you are visiting, even if the website that you are browsing is secured with HTTPS. In this article I’ll show you how I was able to use CloudFlare as a DNS over HTTPS resolver, and also how to filter out phishing domains using libModSecurity at the same time.

Another problem you can solve with DNSSEC is the man-in-the-middle scenario: when DNS is unsecured, it’s easy to change DNS answers and forward visitors to a phishing site, and unfortunately only a small percentage of website domains use DNSSEC.
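An added example (not code from the article) showing the client side of what it describes: a wire-format DNS query packed into an RFC 8484 DoH GET URL for Cloudflare’s public resolver, and a filter that extracts the queried name and matches it, or any parent domain, against a phishing blocklist, as the article does with libModSecurity. The blocklist entries are constructed, and nothing is sent on the network.

```python
# Added example: DNS-over-HTTPS (RFC 8484) query construction plus a domain filter.
# Blocklist entries are constructed placeholders; no request is actually sent.
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH endpoint
PHISHING_BLOCKLIST = {"login-bank-example.test", "secure-update.example"}  # constructed

def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal query: ID 0 (RFC 8484 recommends it for cacheability), RD set, one IN question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(name: str) -> str:
    """GET form: the query goes base64url-encoded, without padding, in the 'dns' parameter."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{DOH_URL}?dns={dns}"

def qname_from_query(msg: bytes) -> str:
    """Parse the first question name from a wire-format query (queries carry no compression)."""
    pos, labels = 12, []
    while True:
        n = msg[pos]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels).lower()

def is_blocked(msg: bytes) -> bool:
    """Block if the queried name or any parent domain is on the phishing list."""
    parts = qname_from_query(msg).split(".")
    return any(".".join(parts[i:]) in PHISHING_BLOCKLIST for i in range(len(parts)))
```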



What Microsoft and Google Are Not Telling You About Their A.I.

In September of 2018, iFlytek, a Chinese technology company and world leader in A.I. — particularly in voice recognition software — was accused of disguising human translation as machine translation during a tech conference in Shanghai. The whistleblower was an interpreter, Bell Wang, who was doing live translation at the conference. He noticed that iFlytek was using his translations as live subtitles on a screen…



And finally, Quantum Teleportation: Beam Me Up!

Quantum internet. This would let users communicate between quantum-entangled nodes on a network, allowing for the sending of unhackable information via quantum key distribution.

The reality is that we will probably see a fundamentally more powerful internet due to our quantum research over the next 10–20 years, and be able to take full advantage of quantum computing. This will help propel us into the future ever faster by enhancing our ability to generate massive numbers of simulations and optimizations.

And, perhaps one day in the next century, we might be recreating a human consciousness on some distant world.

What can we do with the amazing property of quantum entanglement?

Link HERE and the Future for humanity is interplanetary HERE and Quantum Computing – End of Blockchain? HERE



AppSec Ezine

Must see

Description: My first XML External Entity (XXE) attack with .gpx file.

Description: SSRF Protocol Smuggling in Plaintext Credential Handlers – LDAP.


Description: Hijacking accounts by retrieving JWT tokens via unvalidated redirects.

Link HERE and credits to HERE
