Security Stack Sheet #98

Word of the Week

“The new normal” as cyber-spies navigate pandemic

The Covid crisis has reshaped the cyber-threat landscape around the globe.

There may not have been a significant increase in the volume of cyber-attacks, but countries have pursued new targets, pushed boundaries and taken advantage of their adversaries working from home, according to cyber-security experts.

Intelligence analysts say some of the normally less active states have begun using cyber-espionage more aggressively and they have seen allies target each other for information for the first time. “It’s a free-for-all out there – and with good reason – you don’t want to be the intelligence agency that doesn’t have a good answer for what’s going on,” says John Hultquist, director of threat analysis at Mandiant.

Home workers are regarded as particularly vulnerable to cyber attacks

Links HERE and HERE and HERE and HERE and HERE and HERE and HERE

Bonus


Link HERE


Link HERE


Thanks to Mithun


Link HERE

Crypto challenge of the week

Link HERE

Hacky Easter Archive

Link HERE

Dates

  • May 25th 2018: Almost 2 years of GDPR live! See the incidents section below. GDPR Enforce Tracker link HERE – thanks to Marius
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) becomes effective. Link HERE
  • Now: TLS 1.2 is mandatory for proper security. HTTPS everywhere HERE
  • DO NOT DELAY TLS 1.2 migration BEYOND JUNE 2020 or A FEW THINGS WILL STOP WORKING!

[Browsers, Office365, Cisco and many others]

  • January 2020 – Qualys SSL Labs will rate your TLS 1.0 setup as B – Qualys will downgrade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit Finalised?
  • 1st of July 2020 – Freedom from viruses?
  • November 3rd 2020: Trump’s second term start

Political Cartoon: Mirror, mirror, who's the finest security ...

  • 2022 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

Learn Security Engineering

Security engineering, to me, is the discipline of building secure systems. Ultimately, I hope to learn how to systematically secure anything — whether it’s a computer network or medieval castle.

I tried for several years to read Ross Anderson’s book, and eventually I realized it wasn’t structured correctly for me. This learning path is, and hopefully it is for you, too

Link HERE

Comic of the week

Need Boss To Make Decision - Dilbert by Scott Adams

##Some OWASP stuff first

-Open Web Application Security Project (OWASP) – Portland, Oregon Chapter

Mike Goodwin and Jon Gadsden – Threat Dragon is for Threat Modelling. Come Help Build It!

A picture containing object Description automatically generated

Link HERE and Agile Threat Modelling HERE

-The State of Secure Software: Past, Present, and Future

A close up of a map Description automatically generated

Link HERE

-Injection Theory from OWASP

Injection can be complex. The subtleties of data flow, parsers, contexts, capabilities, and escaping are overwhelming even for security specialists. In the following sections we will outline these topics to make it clear how injection can happen in a variety of different technologies.

Link HERE

-OWASP Juice Shop intro by Björn Kimminich

A picture containing light Description automatically generated

Link HERE

-SAST 101: The Basics of Static Application Security Testing

Link HERE

-Hash Spraying Attack

As soon as you get your hands on some hashes on a machine, consider leveraging hash spraying to verify local administrator accounts on additional machines, as well as high-value domain administrator accounts.

Link HERE

Events

OWASP events HERE

Link HERE and YouTube presentations HERE

AWS Online Summit 17th June

Link HERE


Date: 20/Jun/2020

Link HERE

NAHAMCON 2020

Link HERE – thanks to Kane

OWASP Virtual AppSec Days – Summer of Security 2020

Training: June 23-24, July 28-29, August 25-26

Link HERE

DevSecCon Online Event

DevSecCon24 Event

Link HERE

Incidents

Global ALERT level


BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE – find your country

NCSC Weekly Threat Report


New HMRC text message phishing scam targets self-employed

A new phishing scam, designed to steal personal and financial details from self-employed workers using the Self-Employment Income Support Scheme (SEISS), has been uncovered by litigation company Griffin Law.

IT services firm hit by Maze ransomware attack

Earlier this week IT services provider Conduent confirmed that it had been affected by a ransomware attack.

The company, which delivers services and solutions on behalf of businesses and governments across the world, said that its European operations were hit by the attack overnight on 29 May.

APTs continue to exploit vulnerabilities in several VPN products used worldwide

The NCSC is continuing investigations into the exploitation of known vulnerabilities affecting VPN products from Pulse Secure, Fortinet and Palo Alto.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 87 – Vulnerabilities in Digilocker, Facebook, VMware Cloud Director

Link HERE

Incidents & events detail

Babylon Health admits GP app suffered a data breach

Babylon Health has acknowledged that its GP video appointment app has suffered a data breach.

The firm was alerted to the problem after one of its users discovered he had been given access to dozens of video recordings of other patients’ consultations.

A follow-up check by Babylon revealed a small number of further UK users could also see others’ sessions.

The firm said it had since fixed the issue and notified regulators.

Link HERE

Fake Black Lives Matter voting campaign spreads Trickbot malware

Link HERE

Unsecured AWS S3 Buckets Infected With Skimmer Code

Analysts Find Fresh Magecart Code and Redirectors to Malvertising Campaign

Link HERE

HSBC moves from 65 relational databases into one global MongoDB database

HSBC Bank is one of the world’s leading financial institutions. It is simplifying its data model by running its applications on MongoDB.

Link HERE

Zoom discloses it took down US-based activists’ accounts at China’s behest, says it won’t enforce similar censorship requests going forward

Link HERE

Here’s what that Capital One court decision means for corporate cybersecurity

When a judge ruled last month that Capital One must provide outsiders with a third-party incident response report detailing the circumstances around the bank’s massive data breach, the cybersecurity world took notice.

The surprise decision, in effect, determined that Capital One would need to provide the forensic details — warts and all — about the hack to attorneys representing a group of customers suing the bank. It’s the kind of report that, if made public, could highlight technical and procedural failures that made it possible for a single suspect to allegedly collect gigabytes of data about 100 million people from a bank with $28 billion in revenue.

Link HERE

AMD downplays Ryzen lifespan concerns over motherboard power misreporting

Link HERE

Persistence method using Facebook Messenger desktop app

Link HERE

Remember: Persisting on Pornhub

Link HERE

Gamaredon group grows its game

Active APT group adds cunning remote template injectors for Word and Excel documents; unique Outlook mass-mailing macro

Link HERE

Updated Specification Available for Universal Plug-and-Play Protocol Vulnerability

A flaw in the Universal Plug-and-Play Protocol (UPnP) protocol could be exploited to launch distributed denial-of-service (DDoS) attacks, exfiltrate data, and scan internal ports. Dubbed CallStranger by the researchers who created proof-of-concept exploit code, the issue affects billions of Internet of Things (IoT) devices. An updated specification is available.
[Neely]
Don’t expose UPnP devices to the Internet. Know what UPnP devices you have and what they can access. Paul Asadoorian of Security Weekly gave me this reference on discovering UPnP devices on your network using Nmap or the miranda-upnp Python package: charlesreid1.com: UPnP Discovery With Nmap

Link HERE

The Impending Doom of Expiring Root CAs and Legacy Clients

Link HERE

Honda could be victim of ransomware cyber attack

Japanese car giant confirms IT issue, but evidence indicates cyber criminals have targeted the company.

Link HERE

Google Chrome team moving away from the words ‘blacklist’ and ‘whitelist’ to be more inclusive

Link HERE

Research of the week

Featuring – Availability Attacks against Neural Networks

Energy-Latency Attacks on Neural Networks shows how to find adversarial examples that cause a DNN to burn more energy, take more time, or both. They affect a wide range of DNN applications, from image recognition to natural language processing (NLP). Adversaries might use these examples for all sorts of mischief — from draining mobile phone batteries, through degrading the machine-vision systems on which self-driving cars rely, to jamming cognitive radar.

So far, our most spectacular results are against NLP systems. By feeding them confusing inputs we can slow them down over 100 times. There are already examples in the real world where people pause or stumble when asked hard questions, but we now have a dependable method for generating such examples automatically and at scale. We can also neutralize the performance improvements of accelerators for computer vision tasks, and make them operate on their worst-case performance.

Link HERE

AND

Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks

A software supply chain attack is characterized by the injection of malicious code into a software package in order to compromise dependent systems further down the chain. Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle. This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analysed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions. This work is meant to facilitate the future development of preventive and detective safeguards by open source and research communities.

Link HERE

Security Correlation Then and Now: A Sad Truth About SIEM

Link HERE and Reminder: The Pyramid of Pain HERE

Web Applications vulnerabilities and threats: statistics for 2019

Figure 5. Vulnerabilities of various severity levels, by industry

  • Hackers can attack users in 9 out of 10 web applications. Attacks include redirecting users to a hacker-controlled resource, stealing credentials in phishing attacks, and infecting computers with malware.
  • Unauthorized access to applications is possible on 39 percent of sites. In 2019, full control of the system could be obtained on 16 percent of web applications. On 8 percent of systems, full control of the web application server allowed attacking the local network.
  • Breaches of sensitive data were a threat in 68 percent of web applications. Most breachable data was of a personal nature (47% of breaches) or credentials (31%).
  • 82 percent of vulnerabilities were located in application code.
  • The average number of vulnerabilities per web application fell by a third compared to 2018. On average, each system contained 22 vulnerabilities, of which 4 were of high severity.
  • One out of five vulnerabilities has high severity.

Link HERE

The Bug That Exposed Your PayPal Password

And Credit Card Number Too


Link HERE

A survey of recent iOS kernel exploits

I recently found myself wishing for a single online reference providing a brief summary of the high-level exploit flow of every public iOS kernel exploit in recent years; since no such document existed, I decided to create it here.

This post summarizes original iOS kernel exploits from local app context targeting iOS 10 through iOS 13, focusing on the high-level exploit flow from the initial primitive granted by the vulnerability to kernel read/write. At the end of this post, we will briefly look at iOS kernel exploit mitigations (in both hardware and software) and how they map onto the techniques used in the exploits.

Link HERE

Security Analysis of the Democracy Live Online Voting System

Democracy Live’s OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and (optionally) online voting. Three states — Delaware, West Virginia, and New Jersey — recently announced that they will allow certain voters to cast votes online using OmniBallot, but, despite the well established risks of Internet voting, the system has never been the subject of a public, independent security review.

We reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to detail the system’s operation and analyse its security. We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare.

Link HERE

Remember: Actionable threat hunting in AWS

The focus is on the Preparation & Identification aspects of the SANS Incident Response framework.

Link HERE

Ebb and Flow: Network Flow Logging as a Staple of Public Cloud Visibility or a Waning Imperative?

Link HERE

Tool of the week

JWT Cracking Tool

“A toolkit for validating, forging and cracking JWTs”

Functionality includes: checking the validity of a token, testing for known exploits, testing the validity of a secret/key file/Public Key/JWKS key, identifying weak keys via a high-speed dictionary attack, forging new token header and payload contents and creating a new signature with the key, timestamp tampering, and more.

The tool wiki also includes a JWT Attack Playbook with excellent details on known types of JWT vulnerabilities/misconfigurations and a repeatable methodology for attacking them.

Link HERE

Remember: Automated pentest framework for offensive security experts

Sn1per v8.4 features a completely new active and passive vulnerability scanner called “Sc0pe”, which will serve as the backbone of Sn1per’s new vulnerability scan engine. The new framework will make it quick and easy to scan for the latest CVEs and web vulnerabilities, as well as open up a slew of possibilities for users to create and share their own exploits and scanners (submit your PRs!).

Links HERE and HERE

HyperDbg debugger


An open-source, user mode and kernel mode Windows debugger with a focus on using hardware technologies.

Link HERE

HawkScan

Application security testing for GraphQL backed applications

Link HERE

CVE-2020-1206 Uninitialized Kernel Memory Read POC

Link HERE

Anti-Debugging JavaScript Techniques

Link HERE

Automating the provisioning of Active Directory labs in Azure

Link HERE

Other interesting articles 

##Securing Your GraphQL API from Malicious Queries

With GraphQL you can query exactly what you want whenever you want. That is amazing for working with an API, but also has complex security implications. Instead of asking for legitimate, useful data, a malicious actor could submit an expensive, nested query to overload your server, database, network, or all of these…

Link HERE and How to survive a penetration test as a GraphQL Developer HERE
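One way to enforce the kind of limit the article argues for, as an added example that is not code from the linked article or from any GraphQL library: a depth guard that inspects the raw query text before the executor runs it. MAX_DEPTH, maxSelectionDepth, guardQuery and the two sample documents are assumed names and constructed inputs.

```javascript
// Added example, not code from the linked article: a depth guard for incoming
// GraphQL documents. A deeply nested query (friends { friends { friends ... } })
// multiplies resolver and database work, so the server rejects any document whose
// selection-set nesting exceeds a configured limit before executing it.
// Works on the raw query text, so no GraphQL library is required; braces inside
// string literals, block strings and # comments are ignored.

const MAX_DEPTH = 5; // assumed policy value; tune per schema

// Returns the deepest selection-set nesting in the document (outer query = 1).
function maxSelectionDepth(query) {
  let depth = 0, max = 0, i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === "#") {                               // line comment
      while (i < query.length && query[i] !== "\n") i++;
      continue;
    }
    if (query.startsWith('"""', i)) {               // block string
      const end = query.indexOf('"""', i + 3);
      if (end < 0) throw new Error("unterminated block string");
      i = end + 3;
      continue;
    }
    if (ch === '"') {                               // plain string, honour escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === "\\" ? 2 : 1;
      if (i >= query.length) throw new Error("unterminated string");
      i++;
      continue;
    }
    if (ch === "{") { depth++; if (depth > max) max = depth; }
    else if (ch === "}") { depth--; if (depth < 0) throw new Error("unbalanced braces"); }
    i++;
  }
  if (depth !== 0) throw new Error("unbalanced braces");
  return max;
}

// Gate to run before handing the document to the executor; malformed input is
// reported as rejected rather than thrown, so it surfaces as a 4xx, not a crash.
function guardQuery(query, maxDepth = MAX_DEPTH) {
  let depth;
  try { depth = maxSelectionDepth(query); }
  catch (e) { return { allowed: false, depth: null, reason: e.message }; }
  return depth <= maxDepth
    ? { allowed: true, depth, reason: null }
    : { allowed: false, depth, reason: `query depth ${depth} exceeds limit of ${maxDepth}` };
}

// Constructed sample documents: a normal lookup and an abusive nested one.
const LEGIT_QUERY = 'query { user(id: "42") { name posts { title } } }';                             // depth 3
const NESTED_QUERY = '{ user { friends { friends { friends { friends { friends { name } } } } } } }'; // depth 7

console.log(guardQuery(LEGIT_QUERY), guardQuery(NESTED_QUERY));
```

A depth cap alone does not bound width (many sibling fields or aliases), so production servers pair it with a cost or complexity budget.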

 

##Why Do Developers (Sometimes) Wreak Chaos on Their Own Systems?

High-load systems should be able to withstand sudden failures. That’s where continuous resilience steps in.


Link HERE

##What Happened When I Leaked My Server Password on GitHub.com

I deployed a honeypot and ‘accidentally’ leaked a valid SSH username and password into a GitHub repository. This is what happened over the next 24 hours.

Link HERE

##Thoughts On Zero Trust

By Petko Petkov

I strongly believe that, regardless of our level of technology and security maturity, every decision must be tested by removing all assumptions and thinking in terms of first principles. In other words, before we take an action we must test our assumptions first. Only then, once we face the ultimate and indisputable truth, are we safe to proceed.

[Image: Zero Trust Security Model – Zero Trust says to trust no one, both inside and outside of the network. Use visibility, analytics and automation to keep policies in check. Pillars: Zero Trust Data, Zero Trust Networks, Zero Trust Workload, Zero Trust People, Zero Trust Devices]

Links HERE and HERE and HERE

##And finally, A tool for procedurally generated Chinese landscape painting

Procedurally-generated, vector-format, infinitely-scrolling Chinese landscape for the browser. Generate your own.


Link HERE

##HACKING, TOOLS and FUN – CHECK BELOW!

AppSec Ezine

Must see

URL: https://pberba.github.io/security/2020/05/28/lastpass-phishing/

Description: Bypassing LastPass’s “Advanced” YubiKey MFA – A MITM Phishing Attack.

URL: https://bit.ly/30uw2et  (+)

Description: Cmd Hijack – a command/argument confusion with path traversal in cmd.exe.

Links HERE and credits to HERE