Security Stack Sheet #85

Word of the Week

Modern and Medieval Mass Surveillance – “Identify, Correlate, Discriminate”

Links HERE and HERE and HERE and HERE and HERE

Word of the Week Special

“Cyber Frenemy”

Governments are the frenemies of society on hacking.

Smart, unscrupulous players are exploiting the vulnerabilities of our digital devices

Links HERE and HERE and HERE and HERE

UK police deny responsibility for poster urging parents to report kids for using Kali Linux

Updated: Using Discord, too, is apparently a warning sign that your child is turning into a naughty hacker

Link HERE – thanks to Mithun

Translation not needed

Crypto challenge of the week

This Sculpture Holds a Decades-Old C.I.A. Mystery. And Now, Another Clue




  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below. GDPR Enforce Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS 1.2 is mandatory for proper security – HTTPS everywhere HERE

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE DONE

Update 1/31/2020: The grade change is now live: servers that support TLS 1.0 or TLS 1.1 are capped at a B grade.

  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • November 3rd 2020: Trump’s second term start
  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Pentagon requests $15.4B for Space Force


Book of the month


Comic of the week

Cancelled Presentation - Dilbert by Scott Adams

## Some OWASP stuff first

- OWASP DefectDojo

OpenSource Application Security Management

The leading application vulnerability management tool built for DevOps and continuous security integration.


- Thick Client Penetration Testing Methodology

Thick client pentesting involves both local and server-side processing and often uses proprietary protocols for communication.
Simple automated assessment scanning is not sufficient and testing thick client applications requires a lot of patience and a methodical approach. Moreover, the process often requires specialized tools and custom testing setup.

Thick client testing can be exciting for pentesters because the attack surface of these applications can be significant. Unlike web applications or infrastructure pentests, thick client pentests have a more notable success rate because the client is available locally and, hence, critical vulnerabilities may be found during the engagements.


- How to Use OWASP Amass: An Extensive Tutorial


- Security coaches






All InfoSec events HERE – the best Conferences in 2020 HERE

OffensiveCon Keynote


Webinar Series:

How to leverage endpoint detection and response (EDR) in AWS investigations


NDC London 2020 – Write-up

NDC London My Highlights




Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report

Ransomware attack brings down college IT

A college in Scotland fell victim to an apparent ransomware attack last week with the incident bringing down its IT systems.

Ransomware is a type of malware that makes data or systems unusable until the victim makes a ransom payment. Students of Dundee and Angus School were subsequently kept away and told that they would need to reset their passwords following the attack.

Attackers using the Coronavirus as a phishing trap

The coronavirus outbreak is being used in phishing attacks according to researchers at Proofpoint.

Attackers are taking advantage of the widespread concern about the virus to lure people into phishing traps using conspiracy theories about “unreleased” cures. One example describes a ‘confidential cure solution’ before giving users the option to follow a link through to a fake website asking for credentials. Proofpoint’s report has other examples of phishing traps being utilised.

Link HERE – Report Vulns to NCSC HERE

API Security Issue 70: Vulnerabilities in Twitter, Likud, Iowa caucus apps, two API security talks


Troy Hunt Blog – Issue 178


Incidents & events detail

The intelligence coup of the century

For decades, the CIA read the encrypted communications.

The Swiss cryptography firm Crypto AG sold equipment to governments and militaries around the world for decades after World War II. They were owned by the CIA:

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

This isn’t really news. We have long known that Crypto AG was backdooring crypto equipment for the Americans. What is new is the formerly classified documents describing the details:

The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.

The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations’ gullibility for years, taking their money and stealing their secrets.

The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history.


Exfiltrating Data from Air-Gapped Computers Using Screen Brightness


PayPal fraud scam cost UK users £1 million in last quarter


Compensation confidentiality in tech… or not?


Checkmarx Research: SoundCloud API Security Advisory

Recently, the Checkmarx Security Research team investigated the online music platform SoundCloud. According to their website, “As the world’s largest music and audio platform, SoundCloud lets people discover and enjoy the greatest selection of music from the most diverse creator community on earth.”


Intel Discovers Security Flaw in CSME Firmware

The flaw means vulnerability to privilege escalation, denial of service and information disclosure.


500 Chrome Extensions Caught Stealing Private Data of 1.7 Million Users


Malware Threats on Macs Outpace Windows For First Time Ever


Average tenure of a CISO is just 26 months due to high stress and burnout

Report: The vast majority of interviewed CISO executives (88%) report high levels of stress, a third report stress-caused physical health issues, and half report mental health issues.

Links HERE and HERE

440M records found online in unprotected database belonging to Estée Lauder


Internet’s safe-keepers forced to postpone crucial DNSSEC root key signing ceremony – no, not a hacker attack, but because they can’t open a safe

Online security process stalled by offline security screw-up

Link HERE and Cloudflare says HERE and IANA says HERE

Research of the week

Featuring – Forging SWIFT MT Payment Messages for fun and pr… research!

With a bit of research and support we were able to demonstrate a proof of concept for introducing a fraudulent payment message to move £0.5M from one account to another, by manually forging a raw SWIFT MT103 message, and leveraging specific system trust relationships to do the hard work for us!


Escaping the Chrome Sandbox with RIDL

Vulnerabilities that leak cross process memory can be exploited to escape the Chrome sandbox. An attacker is still required to compromise the renderer prior to mounting this attack. To protect against attacks on affected CPUs, make sure your microcode is up to date and disable hyper-threading (HT).

In my last guest blog post “Trashing the Flow of Data” I described how to exploit a bug in Chrome’s JavaScript engine V8 to gain code execution in the renderer. For such an exploit to be useful, you will usually need to chain it with a second vulnerability since Chrome’s sandbox will limit your access to the OS and site isolation moved cross-site renderers into separate processes to prevent you from bypassing restrictions of the web platform.
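A defender’s check for the two mitigations the item above recommends (a microcode-backed MDS mitigation reported by the kernel, and hyper-threading switched off), as an added example that is not part of the Project Zero post or this newsletter. It reads the Linux sysfs files /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control; taking the sysfs root as a parameter is an assumption of this example so it can also be run against constructed fixture files.

```shell
# Added example, not from the original post: verify RIDL/MDS mitigation state
# on a Linux host. Returns 0 only when the kernel reports the MDS mitigation
# active (or the CPU not affected) AND simultaneous multithreading is off.
# $1 (optional) is the sysfs CPU root; default is the live system tree.
check_ridl_mitigations() {
  root="${1:-/sys/devices/system/cpu}"
  mds_file="$root/vulnerabilities/mds"
  smt_file="$root/smt/control"
  rc=0

  # Kernel-reported MDS status, e.g. "Mitigation: Clear CPU buffers; SMT disabled"
  # or "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable".
  if [ -r "$mds_file" ]; then
    mds=$(cat "$mds_file")
    case "$mds" in
      "Not affected"|Mitigation*) ;;
      *) echo "MDS: $mds (update microcode and kernel)"; rc=1 ;;
    esac
    # Even with the buffer-clearing mitigation, the kernel flags SMT as a residual risk.
    case "$mds" in
      *"SMT vulnerable"*) echo "MDS: hyper-threading still exposes cross-thread leaks"; rc=1 ;;
    esac
  else
    echo "MDS status file not readable: $mds_file"; rc=1
  fi

  # SMT control: "on" means sibling threads are active; anything else is acceptable here.
  if [ -r "$smt_file" ]; then
    smt=$(cat "$smt_file")
    case "$smt" in
      off|forceoff|notsupported|notimplemented) ;;
      *) echo "SMT: $smt (disable hyper-threading, e.g. smt=off or nosmt)"; rc=1 ;;
    esac
  else
    echo "SMT control file not readable: $smt_file"; rc=1
  fi

  return $rc
}

# Usage on a live host (exit status 0 means both mitigations are in place):
# check_ridl_mitigations
```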


Blind SSRF exploitation

Links HERE and HERE and definition HERE

Mitigations are attack surface, too

This blog post discusses a bug leading to memory corruption in Samsung’s Android kernel (specifically the kernel of the Galaxy A50, A505FN – I haven’t looked at Samsung’s kernels for other devices). I will describe the bug and how I wrote a (very unreliable) exploit for it. I will also describe how a second vulnerability, which had long been fixed in the upstream kernel, the upstream stable releases, and the Android common kernel, but not in Samsung’s kernel, aided in its exploitation.


Hypervisor Necromancy

Reanimating Kernel Protectors

Until recently, to compromise an entire system during runtime attackers found and exploited kernel vulnerabilities. This allowed them to perform a variety of actions: executing malicious code in the context of the kernel, modifying kernel data structures to elevate privileges, accessing protected data, etc. Various mitigations have been introduced to protect against such actions and hypervisors have also been utilized, apart from their traditional usage for virtualization support, towards this goal. In the Android ecosystem this has been facilitated by ARM virtualization extensions, which allowed vendors/OEMs to implement their own protection functionalities/logic.

Link HERE – thanks to Alvin

Ghost in the shell: Investigating web shell attacks

Recently, an organization in the public sector discovered that one of their internet-facing servers was misconfigured and allowed attackers to upload a web shell, which let the adversaries gain a foothold for further compromise. The organization enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct a full incident response and remediate the threat before it could cause further damage.

DART’s investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts. This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.


Principled Artificial Intelligence

Mapping Consensus in Ethical and Rightsbased Approaches to Principles for AI

Dopamine and temporal difference learning: A fruitful relationship between neuroscience and AI


Attacking Driverless Cars with Projected Images

The absence of deployed vehicular communication systems, which prevents the advanced driving assistance systems (ADASs) and autopilots of semi/fully autonomous cars from validating their virtual perception regarding the physical environment surrounding the car with a third party, has been exploited in various attacks suggested by researchers. Since the application of these attacks comes with a cost (exposure of the attacker’s identity), the delicate exposure vs. application balance has held, and attacks of this kind have not yet been encountered in the wild. In this paper, we investigate a new perceptual challenge that causes the ADASs and autopilots of semi/fully autonomous cars to consider depthless objects (phantoms) as real. We show how attackers can exploit this perceptual challenge to apply phantom attacks and change the abovementioned balance, without the need to physically approach the attack scene, by projecting a phantom via a drone equipped with a portable projector or by presenting a phantom on a hacked digital billboard that faces the Internet and is located near roads. We show that the car industry has not considered this type of attack by demonstrating the attack on today’s most advanced ADAS and autopilot technologies: Mobileye 630 PRO and the Tesla Model X, HW 2.5; our experiments show that when presented with various phantoms, a car’s ADAS or autopilot considers the phantoms as real objects, causing these systems to trigger the brakes, steer into the lane of oncoming traffic, and issue notifications about fake road signs. In order to mitigate this attack, we present a model that analyzes a detected object’s context, surface, and reflected light, which is capable of detecting phantoms with 0.99 AUC. Finally, we explain why the deployment of vehicular communication systems might reduce attackers’ opportunities to apply phantom attacks but won’t eliminate them.


Tool of the week

Nray – Distributed Port Scanner


Pytm – A Pythonic Framework For Threat Modelling


Hashcracker – Python Hash Cracker

Supported hashing algorithms: SHA512, SHA256, SHA384, SHA1, MD5
Features: auto detection of hashing algorithm based on length (not recommended), bruteforce, password list


Polymorphic Linux? What does it fix?

Even when expanded out to all vulnerabilities, memory-based vulnerabilities still represent approximately half of all vulnerabilities since 1999.


Planning to become OSCP Certified? Check this: OSCPRepo

Link HERE and other tools and goodies HERE

Asset Finder

Find domains and subdomains related to a given domain

Link HERE – thanks to Kane

Analyzing WhatsApp Calls with Wireshark, radare2 and Frida


MISP Dashboard

A dashboard showing live data and statistics from the ZMQ feeds of one or more MISP instances. The dashboard can be used as a real-time situational awareness tool to gather threat intelligence information. The misp-dashboard includes a gamification tool to show the contributions of each organisation and how they are ranked over time. The dashboard can be used for SOCs (Security Operation Centers), security teams or during cyber exercises to keep track of what is being processed on your various MISP instances.

Link HERE and tutorial HERE

Other interesting articles 

## These 20 ‘Hackers’ Helped Shape The Cybersecurity Landscape Forever

Best Hackers in the World



## Deep Dive into Real-World Kubernetes Threats

On Saturday, February 1st, I gave my talk titled “Command and KubeCTL: Real-World Kubernetes Security for Pentesters” at Shmoocon 2020. I’m following up with this post that goes into more details than I could cover in 50 minutes. This will re-iterate the points I attempted to make, walk through the demo, and provide resources for more information.


## Top Ten New Open Source Security Vulnerabilities in 2019 – Have you patched against these?


## And finally, BBC ideas…

What exactly is Déjà vu?



NYC Parks Are Using a Designer’s ‘Tree Font’ to Plant Secret Messages with Real Trees

New York City Tree Font Alphabet by Katie Holten



AppSec Ezine

Must see

URL:  (+)

Description: CSS data exfiltration in Firefox via a single injection point.


Description: Exploiting Netgear’s

Links HERE and credits to HERE