Security Stack Sheet #62

Word of the week “Ambient Privacy”

Bruce Schneier – For the purposes of this essay, I’ll call it “ambient privacy” — the understanding that there is value in having our everyday interactions with one another remain outside the reach of monitoring, and that the small details of our daily lives should pass by unremembered. What we do at home, work, church, school, or in our leisure time does not belong in a permanent record. Not every conversation needs to be a deposition.

Until recently, ambient privacy was a simple fact of life. Recording something for posterity required making special arrangements, and most of our shared experience of the past was filtered through the attenuating haze of human memory. Even police states like East Germany, where one in seven citizens was an informer, were not able to keep tabs on their entire population. Today computers have given us that power. Authoritarian states like China and Saudi Arabia are using this newfound capacity as a tool of social control. Here in the United States, we’re using it to show ads. But the infrastructure of total surveillance is everywhere the same, and everywhere being deployed at scale.

Ambient privacy is not a property of people, or of their data, but of the world around us. Just like you can’t drop out of the oil economy by refusing to drive a car, you can’t opt out of the surveillance economy by forswearing technology (and for many people, that choice is not an option). While there may be worthy reasons to take your life off the grid, the infrastructure will go up around you whether you use it or not.

Because our laws frame privacy as an individual right, we don’t have a mechanism for deciding whether we want to live in a surveillance society. Congress has remained silent on the matter, with both parties content to watch Silicon Valley make up its own rules. The large tech companies point to our willing use of their services as proof that people don’t really care about their privacy. But this is like arguing that inmates are happy to be in jail because they use the prison library. Confronted with the reality of a monitored world, people make the rational decision to make the best of it.

That is not consent.

Links HERE and HERE and Ambient Threat – thanks to Paddy

Word of the week special

“Security Architecture Anti-patterns” – from NCSC


Link HERE – thanks to Richard / Other links HERE and HERE and HERE and HERE


JEDI Cloud from the Pentagon


“Harry Potter techniques in cyber security”


Authentication At Hogwarts: Lessons in Security Usability From the Wizarding World of Harry Potter.

Security usability is a complex topic of critical importance to any computer user, which, these days, can be almost anyone. Examples illustrating security usability concepts from a well-known and well-loved literary source like Harry Potter enhance both recognition and retention. Traditionally, people have learned life lessons from fables, fairy tales, parables and even urban legends. The ubiquity and popularity of the wizarding world of Harry Potter make it a highly accessible source to mine for security usability education.

Link HERE – thanks to Paddy



Kerberos Infographic






Crypto challenge of the week

I speak without a mouth and hear without ears. I have no body, but I come alive with wind. What am I?



  • May 25th 2019: 1 year of GDPR Live! See incidents section below

GDPR Enforcement Tracker

Link HERE – thanks to Marius

  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective



Privacy Periodic Table



  • June 30th 2018: TLS 1.1 mandatory for PCI-DSS compliance – BEWARE!


Now: TLS 1.2 mandatory for proper security

The privacy of the TLS 1.3 protocol

TLS (Transport Layer Security) is a widely deployed protocol that plays a vital role in securing Internet traffic. Given the numerous known attacks on TLS 1.2, it was imperative to change and even redesign the protocol in order to address them. In August 2018, a new version of the protocol, TLS 1.3, was standardized by the IETF (Internet Engineering Task Force). TLS 1.3 not only benefits from stronger security guarantees, but aims to protect the identities of the server and client by encrypting messages as soon as possible during the authentication. In this paper, we model the privacy guarantees of TLS 1.3 when parties execute a full handshake or use a session resumption, covering all the handshake modes of TLS. We build our privacy models on top of the one defined by Hermans et al. for RFIDs (Radio Frequency Identification Devices), which mostly targets authentication protocols. The enhanced models share similarities with the Bellare-Rogaway AKE (Authenticated Key Exchange) security model and consider adversaries that can compromise both types of participants in the protocol. In particular, modelling session resumption is non-trivial, given that session resumption tickets are essentially a state transmitted from one session to another, and such a link reveals information about the parties. On the positive side, we prove that TLS 1.3 protects the privacy of its users at least against passive adversaries, contrary to TLS 1.2, and against more powerful ones.


HTTPS everywhere HERE

  • Halloween Brexit! or later or not or bust Brexit Fatigue HERE
  • September 2019: PSD2 security mandatory
  • November 3rd 2020: Trump’s second term start

Book on the week/month

8 Books to choose from for your holidays


Enumeration Guide for your OSCP journey

Link HERE plus Prep guide HERE


Comic of the week

 - Dilbert by Scott Adams

## Some OWASP stuff first


The OWASP Cheat Sheet Series was created to provide a concise collection of high-value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics.



-OWASP Container Security Verification Standard (CSVS)

The Container Security Verification Standard (CSVS) is a community effort to establish a framework of security requirements and controls that focuses on normalizing the functional and non-functional security controls required when designing, developing and testing container-based solutions, with a focus on Docker.






-What is Parameter Tampering

Parameter manipulation involves tampering with URL parameters to retrieve information that would otherwise be unavailable to the user. The risk from exploitation depends on which parameter is being modified and the method by which it is submitted to the web application server. Parameter manipulation attacks can be used to achieve a number of objectives, including disclosure of files above the web root, extraction of information from a database and execution of arbitrary operating-system-level commands. Recommendations include adopting secure programming techniques to ensure that only expected data is accepted by an application.
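The "only expected data is accepted" recommendation above, as an added example (not OWASP's code): a download handler that joins a `?file=` parameter straight onto the web root, next to a hardened version that allow-lists the parameter and checks that the resolved path stays under the root. The web root, report names and size limits are constructed values for the example.

```python
import os
import re

# Constructed values for the example: a hypothetical download directory and
# the set of report names the application actually expects to serve.
WEB_ROOT = "/var/www/app/downloads"
ALLOWED_REPORTS = {"q1", "q2", "q3", "q4"}
PARAM_PATTERN = re.compile(r"[a-z0-9]{1,16}")


def resolve_download_unsafe(file_param: str) -> str:
    """The pattern parameter manipulation exploits: the raw value of ?file=
    is joined onto the web root, so '../' sequences walk above it."""
    return os.path.normpath(os.path.join(WEB_ROOT, file_param))


def is_under_root(path: str, root: str = WEB_ROOT) -> bool:
    """Lexical containment check: does the normalised path stay under root?"""
    normalised = os.path.normpath(path)
    return os.path.commonpath([root, normalised]) == root


def resolve_download_safe(file_param: str):
    """Accept only expected data: a strict character set, an allow-list of
    known report names, and a containment check as defence in depth.
    Returns the path to serve, or None when the request must be rejected."""
    if not PARAM_PATTERN.fullmatch(file_param):
        return None
    if file_param not in ALLOWED_REPORTS:
        return None
    candidate = os.path.join(WEB_ROOT, f"{file_param}.pdf")
    if not is_under_root(candidate):
        return None
    return os.path.normpath(candidate)


def parse_record_id(id_param: str, max_id: int = 10_000):
    """The same principle for a database lookup parameter: only a bounded
    decimal integer is accepted, so a tampered value never reaches a query."""
    if not re.fullmatch(r"[0-9]{1,6}", id_param):
        return None
    value = int(id_param)
    return value if 1 <= value <= max_id else None


if __name__ == "__main__":
    tampered = "../../../../etc/passwd"
    print("unsafe handler resolves to:", resolve_download_unsafe(tampered))
    print("safe handler rejects it:", resolve_download_safe(tampered))
    print("safe handler serves q3 as:", resolve_download_safe("q3"))
    print("record ids:", parse_record_id("42"), parse_record_id("1 OR 1=1"))
```

The allow-list does the real work; the containment check only catches mistakes in how the allow-listed value is turned into a path.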


-Tommy Ross — The BSA Framework for Secure Software

Tommy Ross serves as Senior Director, Policy with BSA | The Software Alliance. In this role, he works with BSA members to develop and advance global policy positions on a range of key issues, with a focus on cybersecurity, privacy, and market access barriers. Tommy is one of the coordinators/collaborators on the BSA Framework for Secure Software.  This document caught our attention when it came out a few months ago, as it is a reliable representation of all the pieces an organization needs for software security. Tommy shares with us some of the background stories on how this document came to be, and also walks through the various pieces contained within.

If you’d like to comment or collaborate on this document, it is available via the review form HERE

The PDF is available on the BSA website HERE





All InfoSec events HERE

OWASP LONDON event at Revolut


  • Lightning Talk – “Scaling Security – Move fast and make things” – Paul Heffernan
  • “Hack In, Cash Out: Hacking and Securing Payment Technologies” – Tim Yunusov


Presentation HERE

  • “Advanced Bots and Security Evasion Techniques” – David Warburton

PS: Revolut offices are equipped with a free no-name payment card dispenser! Handy!


Remember AppSec TelAviv 23 hours of sec


Link to playlist HERE

The complete Security Events calendar – Peerlyst


Webcast – A BEAST and a POODLE celebrating SWEET32

In the last couple of years we have witnessed many SSL/TLS vulnerabilities with various acronyms: POODLE, BEAST, BREACH, CRIME, DROWN, FREAK and SWEET32, to name some. Almost every time, a snazzy logo and a lot of panic around the vulnerability made us believe that this is the end of secure communication on the Internet.

However, we have yet to see any real hacks that actually exploited one of the above-mentioned vulnerabilities.

This presentation will explain how these vulnerabilities work and will comment on their viability for web, mobile and fat client applications.



Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.


Incident data HERE – find your country

NCSC Weekly Threat Report


Scale of Magecart attacks growing

The scale of Magecart web skimming, a scam which attempts to harvest payment information via malicious JavaScript, is ‘much larger than previously reported’ according to a new RiskIQ study.

Magecart is targeting unprotected AWS S3 buckets, used to store uploaded data including card details. It has reportedly compromised over 17,000 websites since April.

TrickBot malware develops new email infection capacity

A recent report from cyber security company Deep Instinct has revealed that the TrickBot malware has returned with a new variant, ‘TrickBooster’, which attacks individuals’ email accounts.

TrickBot, a piece of malware circulating since 2016, was designed to access online accounts with the goal of obtaining Personally Identifiable Information (PII) which can be used to facilitate identity fraud.

2019 ACD report highlights progress in protecting UK cyberspace

The 2019 Active Cyber Defence (ACD) report was released earlier this week showing real progress protecting UK citizens and dissuading criminals.

The report, published by the NCSC and its Technical Director Ian Levy, shared impressive figures for 2018 including:

  • takedown of 22,133 phishing campaigns hosted in UK delegated IP space, totalling 142,203 individual attacks
  • 14,124 UK government-related phishing sites removed
  • the number of phishing campaigns against HMRC continued to fall dramatically, with campaigns spoofing HMRC falling from 2,466 in 2017 to 1,332 in 2018
  • the number of takedowns of fraudulent websites was 192,256, with 64% of them down within 24 hours
  • the number of individual web checks run increased with a total of 111,853 advisories issued direct to users


Troy Hunt Weekly update 148




Incidents & events detail

Hacked UK forensic firm pays ransom after malware attack

Largest private provider Eurofins hands over undisclosed fee to regain control of systems


UK Met Police hacked with bizarre tweets and emails posted



Fieldwork Software database leak exposed sensitive SMB records, customer credit card details

vpnMentor cybersecurity researchers said 26GB of data was exposed in the breach. The leak was found as part of vpnMentor’s web scanning project, in which ports are checked and analysed for open databases and the accidental public disclosure of sensitive corporate data.


Defending an Iconic Brand – Wimbledon – Cyber Security in a Distributed Hybrid Cloud Environment



The app everyone is using to make them look old now warns you it’s uploading your picture

CNBC Tech: FaceApp agreement


Remember this one:

Backdoor found in Ruby library for checking for strong passwords

Cookie-accepting, eval-running backdoor found in popular Ruby library


Google deprecates XSS Auditor for Chrome


Data of ‘nearly all adults’ in Bulgaria stolen


New EvilGnome Backdoor Spies on Linux Users, Steals Their Files



Logitech wireless USB dongles vulnerable to new hijacking flaws

Vulnerabilities found in Logitech’s proprietary Unifying USB dongle technology


Link HERE and tool HERE – thanks to Sylwester

Researchers Easily Trick Cylance’s AI-Based Antivirus Into Thinking Malware Is ‘Goodware’

By taking strings from an online gaming program and appending them to malicious files, researchers were able to trick Cylance’s AI-based antivirus engine into thinking programs like WannaCry and other malware are benign.


Lenovo Confirms 36TB Data Leak Security Vulnerability


How it works: Visa’s artificial intelligence (A.I.) for payment authorization and fraud detection

Link HERE – thanks to Naz

Research of the week

Featuring – The end of passwords

Adopt modern authentication technologies to provide ease of use without the risk of passwords


Link HERE – another link HERE and another HERE – risks of password managers HERE


Last month, we presented an XML External Entities (XXE) exploitation workshop at Hack In Paris (France). It showcased methods to exploit XXE with numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file. More specifically, how we built a huge list of reusable DTD files.


Investigating sources of PII used in Facebook’s targeted advertising

In this paper, we focus on Facebook and investigate the sources of PII used for its PII-based targeted advertising feature. We develop a novel technique that uses Facebook’s advertiser interface to check whether a given piece of PII can be used to target some Facebook user, and use this technique to study how Facebook’s advertising service obtains users’ PII. We investigate a range of potential sources of PII, finding that phone numbers and email addresses added as profile attributes, those provided for security purposes such as two-factor authentication, those provided to the Facebook Messenger app for the purpose of messaging, and those included in friends’ uploaded contact databases are all used by Facebook to allow advertisers to target users. These findings hold despite all the relevant privacy controls on our test accounts being set to their most private settings. Overall, our paper highlights the need for the careful design of usable privacy controls for, and detailed disclosure about, the use of sensitive PII in targeted advertising.



Tool of the week



Or hooking for dummies

Link HERE and tool HERE

Advanced Blind XSS payloads


BinaryNinja – Cloud Open Beta Is Live

Link HERE – thanks to TK

Commando VM: The First of Its Kind Windows Offensive Distribution


Kali NetHunter App Store – Public Beta



OWASP Zap chart for Kubernetes



Other interesting articles

## A proactive approach to more secure code

What if we could eliminate an entire class of vulnerabilities before they ever happened?




## Hacking macOS: How to Dump 1Password, KeePassX & LastPass Passwords in Plaintext

Password managers rely on the operating system’s clipboard. An attacker with code running on the machine can dump the clipboard contents and exfiltrate passwords.



In mid-2018, I found a stored XSS on Twitter in the least likely place you could think of. Yes, right in the tweet! But what makes this XSS so special is that it had the potential to be turned into a fully-fledged XSS worm.


## And finally, understanding Random Forest

How the Algorithm Works and Why it Is So Effective


Random forests are a personal favourite of mine. Coming from the world of finance and investments, the holy grail was always to build a bunch of uncorrelated models, each with a positive expected return, and then put them together in a portfolio to earn massive alpha (alpha = market beating returns). Much easier said than done!

Random forest is the data science equivalent of that. Let’s review one last time. What’s a random forest classifier?

The random forest is a classification algorithm consisting of many decision trees. It uses bagging and feature randomness when building each individual tree to try to create an uncorrelated forest of trees whose prediction by committee is more accurate than that of any individual tree.

What do we need in order for our random forest to make accurate class predictions?

  • We need features that have at least some predictive power. After all, if we put garbage in then we will get garbage out.
  • The trees of the forest, and more importantly their predictions, need to be uncorrelated (or at least have low correlations with each other). While the algorithm itself, via feature randomness, tries to engineer these low correlations for us, the features we select and the hyper-parameters we choose will impact the ultimate correlations as well.




Trust is the enabler of global business — without it, most market transactions would be impossible. It is also a hallmark of high-performing organizations. Employees in high-trust companies are more productive, are more satisfied with their jobs, put in greater discretionary effort, are less likely to search for new jobs, and even are healthier than those working in low-trust companies. Businesses that build trust among their customers are rewarded with greater loyalty and higher sales. And negotiators who build trust with each other are more likely to find value-creating deals.


Despite the primacy of trust in commerce, its neurobiological underpinnings were not well understood until recently. Over the past 20 years, research has revealed why we trust strangers, which leadership behaviors lead to the breakdown of trust, and how insights from neuroscience can help colleagues build trust with each other — and help boost a company’s bottom line.



AppSec Ezine

Must see


Description: RCE via ImageTragick on SEMrush (Triage WTF!).


Description: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!


Description: U-XSS in OperaMini for iOS Browser.

Link HERE and credits to HERE




