Security Stack Sheet #96

Word of the Week

“In-app protection & self-defending applications”

Self-defending applications become crucial as modern architectures migrate software logic to the client side. Security and risk management leaders must take due care in protecting their application clients to avoid turning a promising software design trend into a security failure.

Main Threats Addressed by In-App Protection

Key Findings

In-app protection instils self-defending capabilities into client-side applications. It includes application shielding, client-side runtime application self-protection (RASP) and anti-malware techniques, and is well-suited to provide a zero-trust approach to applications.

In-app protection has experienced adoption in consumer mobile apps, especially in financial services, and online retail and media. The proliferation of smart clients and dynamically loaded content on front ends will further expand adoption of the technology.


Awareness of the technology and urgency to adopt it is low outside the security department in mainstream organizations. While line-of-business executives recognize its fraud detection and customer experience improvement benefits, developers rarely feel their applications could be attack targets.

Links HERE and HERE and HERE

Word of the Week Special

“Verizon Data Breach Investigation Report 2020”


The Verizon DBIR is always a good synopsis of incidents and trends to watch for. The report also notes that unsecured or misconfigured cloud data storage opens the doors of small businesses to attacks previously faced only by larger organizations. The report also shows a trend in breaches related to configuration errors catching up with socially engineered ones.
This is one of the most valuable reports a security professional can read. The report will give you valuable insights into how to defend your systems and networks. It also gives you good data points when dealing with security vendors to ask them how their product would deal with the breaches and issues raised in the report.
The DBIR continues to be a valuable source of open source intelligence. Be sure to read the disclaimers.


Web Application Attacks Double from 2019: Verizon DBIR

Verizon’s annual data breach report shows most attackers are external, money remains their top motivator, and web applications and unsecured cloud storage are hot targets

Top Actor varieties in breaches


Top discovery methods in Error breaches


Top data varieties compromised in Phishing breaches


Links HERE and HERE and HERE and HERE




Crypto challenge of the week

OSCE Exam Practice – Parts I to V


Hacky Easter Archive


And challenge




  • May 25th 2018: Almost 2 years of GDPR Live! See incidents section below GDPR Enforce Tracker Link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE

Moving the Internet to TLS 1.3, asap

You do know that WPA-2 is fundamentally flawed? And you know that some versions of TLS are weak from a security point-of-view?

Imagine that a new building material had been created which was stronger than all previous ones? Or where it was found that a previous building material had flaws? Civil engineers would be really pushing it out. But with TLS 1.3 and WPA 3? Where is the great voice of the cybersecurity industry pushing forward to fix the flaws of the past? A little quiet, perhaps?



  • 31st of December 2020 – Brexit Finalised?
  • 1st of July 2020 – Freedom from viruses?

Coronavirus: Five things a Covid-19 symptom-tracking app tells us



covid-19 occupational risk scores


  • November 3rd 2020: Trump’s second term start


  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Remember – thanks to TK


Please Google for it

Link HERE – thanks to Petko

Comic of the week

Smartphones Spread Viruses - Dilbert by Scott Adams

##Some OWASP stuff first

- 9 Secure Code Review Best Practices For Your Web Application

Here are some questions you should consider while conducting a secure code review:

  • Have you implemented proper authorization controls?
  • Have you implemented proper authentication controls? Do you have two-factor or multi-factor authentication in place?
  • Is sensitive data encrypted? How do you handle encryption keys?
  • Does the error message display sensitive information to the user?
  • Do you have other security controls in place that prevent SQL Injection, XSS attacks, malware, etc?


- Håkon Olsen – Security in development: how automated security testing drives good practice


- Medical Device Threat Modelling

This whitepaper describes threat modelling in the context of creating secure medical device systems. International regulators as well as customers are expecting Medical Device Manufacturers to deliver proactively secured devices. This is in part a question of technology, but equally a question of security engineering best practices applied during the product development lifecycle. This includes applying mature Cybersecurity Risk Assessment methodologies during the Risk Management process. One powerful technique available to engineers is threat modelling, as we will discuss in this whitepaper.





Reduce API Security Risks with Automated and Continuous API Scanning


Covid-19 webinar: Securing DevOps in cloud environments

We recognise the crucial role DevOps plays during these challenging times and how important it is to maintain a ‘business as usual’ approach. However, how can we ensure these issues don’t impact our cloud environments and put the Software Development Lifecycles (SDLC) at risk?


Trond Klevstuen & Stein Morten Rustad – From on-premise to multi tenant cloud – 3 years in “hell”


SANS ISC Channel on YouTube




Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


Older versions of the QTS operating system vulnerable

Users of the QTS operating system have been urged to ensure it is updated to the latest version.

A bug bounty report has found that QNAP NAS devices running older versions of the QTS operating system may be attacked through a number of vulnerabilities which, when chained together, would allow an attacker to gain remote access.

Advice issued following EasyJet cyber incident

Earlier this week, EasyJet revealed that it had suffered a cyber attack and was in the process of contacting affected customers.

In a statement, the company said that the email address and travel details of approximately 9 million customers were accessed. Credit card details of 2,208 customers were also accessed.

Compromised personal details can be used by hackers to create convincingly personalised scam emails, which can be hard to spot. EasyJet customers are encouraged to report any suspicious emails to the NCSC, using the Suspicious Email Reporting Service (SERS)

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 84 – Unprotected APIs at Google Firebase, leaky Arkansas PUA portal

Vulnerability: Google Firebase

Google Firebase is a development platform for mobile apps. It claims to be used in over 1.5 million mobile apps to provide standard platform functions like authentication, cloud storage, messaging, and analytics.

Security researchers from Comparitech found unsecured API access to the Firebase cloud storage used by an estimated 24,000 Android apps. The vulnerability is not really a vulnerability in Firebase itself, but in how a lot of Android developers set up and use Firebase. It is also good to note that because Firebase is a cross-platform tool, the impact might not be limited to just Android.


Incidents & events detail

EasyJet admits data of nine million hacked

EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers.

It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”


Researchers Disclosed 5 Windows Zero-Day Bugs That Allow Hackers to Escalate System Privileges

Link HERE – thanks to Jachar

‘Flight risk’ employees involved in 60% of insider cybersecurity incidents

The majority of staff planning their exit also take sensitive information with them, research suggests


CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive


What is up on Port 62234?


Working From Home? Don’t View P0rn on Your Corporate VPN


Facebook New Messenger Warnings are Based on Metadata



The NXNSAttack is a new vulnerability that exploits the way DNS recursive resolvers operate when receiving an NS referral response that contains nameservers but without their corresponding IP addresses (i.e., missing glue records). The number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers’ IP addresses. This inefficiency becomes a bottleneck and might be used to mount a devastating attack against either or both of recursive resolvers and authoritative servers. The NXNSAttack is more effective than the NXDomain attack: i) It reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) Besides the negative cache, the attack also saturates the ’NS’ resolver caches.


A Joint Analysis Reveals APT Group Spying Activities


Several so-called “malware testing services” are offering to fix flaws in adversaries’ code, shoring up any vulnerabilities researchers may use to inspect the malware

Research of the week

Featuring – Stealing Secrets from Developers using Websockets

This is a story of a convoluted, not-very-useful method for extracting codez from unwitting JavaScript developers working on top secret projects.

A couple of articles have hit the sites recently about websites abusing websocket functionality to port-scan users’ computers.


Panaseer 2020 Financial Services Security Metrics Report


And the interesting one



The Many Kinds of Creepware Used for Interpersonal Attacks

Abstract—Technology increasingly facilitates interpersonal attacks such as stalking, abuse, and other forms of harassment. While prior studies have examined the ecosystem of software designed for stalking, there exists an unstudied, larger landscape of apps—what we call creepware—used for interpersonal attacks. In this paper, we initiate a study of creepware using access to a dataset detailing the mobile apps installed on over 50 million Android devices. We develop a new algorithm, CreepRank, that uses the principle of guilt by association to help surface previously unknown examples of creepware, which we then characterize through a combination of quantitative and qualitative methods. We discovered apps used for harassment, impersonation, fraud, information theft, concealment, and even apps that purport to defend victims against such threats. As a result of our work, the Google Play Store has already removed hundreds of apps for policy violations. More broadly, our findings and techniques improve understanding of the creepware ecosystem, and will inform future efforts that aim to mitigate interpersonal attacks

Link HERE – thanks to Naz

Tool of the week


This tool will help you understand how input is transformed on a system, which can help you craft better payloads



semgrep is an open-source tool for lightweight static analysis using a familiar syntax


Ninjutsu logo


Other interesting articles 

##Safely navigating the COVID-19 cyber-threat landscape

Ben Aung, Global Chief Information Security Officer at Sage, describes how businesses with staff working from home should be protecting themselves from cyber-threats during the pandemic



##The mobile security threats to be aware of in 2020

With the technological advancements of the modern world has come the emergence of unscrupulous characters looking to take advantage of them. Security threats are a constant, especially when it comes to mobile phones. It’s a real problem



##My high-quality idiot-proof recording setup

Good audio for virtual presentations is absolutely critical. Even before the new world of 2020, I was delivering remote training and recording videos, so I invested in a decent audio setup



##And finally, what if the next large-scale hack involved your vehicle instead of your security camera?

But my vehicle doesn’t connect to the internet… Are you sure?




AppSec Ezine

Must see


Description: RCE in Google Cloud Deployment Manager.


Description: jQuery 3.5.0 Security Fix (CVE-2020-11022/CVE-2020-11023).

Links HERE and credits to HERE


