Security Stack Sheet #115


 Word of the Week

“Cyber Security 2020 in Review”

2020 was a year we will never forget. The year where the words “COVID-19” and “corona” were being said by the entire world in every other sentence. Where takeout food, wearing a mask became the norm. And it wasn’t just the pandemic that caused the world to go into panic mode and uncertainty.



The world experienced a great deal of stress with natural disasters such as the fires in Australia and in California, as well as social and political tensions with the United States at the epicentre. The social demonstrations following the killing of George Floyd and the presidential election were topics of great discussion and change.

Links HERE and HERE and HERE and HERE


“Cyber Trends for 2021”


Links HERE and HERE and HERE and HERE and HERE and Software Development in 2021 and beyond HERE


Word of the Week Special

“Lessons from the SolarWinds incident” 

Link HERE – thanks to TK


“Russian Hacking”


As Understanding of Russian Hacking Grows, So Does Alarm

Those behind the widespread intrusion into government and corporate networks exploited seams in U.S. defences and gave away nothing to American monitoring of their systems.

An act of cyberwar is usually not like a bomb, which causes immediate, well-understood damage. Rather, it is more like a cancer – it’s slow to detect, difficult to eradicate, and it causes ongoing and significant damage over a long period of time. Here are five points that cybersecurity experts – the oncologists in the cancer analogy – can make with what’s known so far.

1. The victims were tough nuts to crack

2. This was almost certainly the work of a nation – not criminals

3. The attack exploited trusted third-party software

4. The extent of the damage is unknown

5. The fallout could include real-world harm

We’re not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the world’s supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day won’t help create the safer world in which we all want to live

Links HERE and HERE and HERE and HERE and HERE and Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop HERE and protection HERE and more details HERE and victim companies list HERE





Crypto challenge of the week

HV20.06 Twelve steps of Christmas

On the sixth day of Christmas my true love sent to me…

six valid QRs,
five potential scrambles,
four orientation bottom and right,
and the rest has been said previously.

Link HERE and HERE



  • May 25th 2018: Over 2 years of GDPR Live! See incidents section below. GDPR Enforcement Tracker Link HERE – thanks to Marius
  • Sanctions Explorer
  • Link HERE
  • 1st January 2020 – The California Consumer Privacy Act (CCPA) became effective Link HERE
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • DO NOT DELAY TLS1.2 migration LATER THAN JUNE 2020 or A FEW THINGS WILL STOP WORKING! [Browsers, Office365, Cisco and many others]
  • January 2020 – Qualys SSLLabs will rate your TLS1.0 setup as B – Qualys will de-grade you HERE
  • June 2020 – Microsoft plans to deprecate TLS versions 1.0 and 1.1 in Office 365 and Office 365 GCC – HERE
  • 31st of December 2020 – Brexit DONE


  • 1st of July 2021 – Freedom from viruses?

UK jobs could disappear as Covid puts automation on ‘steroids’

Research warns of ‘disastrous double whammy’ for low-paid workers unable to retrain


Hackers accessed vaccine documents in cyber-attack on EMA

Papers relating to Pfizer/BioNTech vaccine reportedly targeted in attack on European Medicines Agency


Reverse Engineering the source code of the BioNTech/Pfizer SARS-CoV-2 Vaccine

First 500 characters of the BNT162b2 mRNA. Source: World Health Organization

The BNT162b2 mRNA vaccine has this digital code at its heart. It is 4284 characters long, so it would fit in a bunch of tweets


  • November 3rd 2020: Trump’s second term start


  • 2026 – First trip to Mars according to Elon Musk
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA
  • December 31st, 2020 Flash End-of-Life
  • US Government Websites Will be Accessible Through HTTPS Only, After September 1


Book of the month



On Modelling for Security Engineering as a Submodel of the Digital Twin


3 Cyber Security Books Everyone Should Read In 2021



Comic of the week

Audit Blackmail - Dilbert by Scott Adams


##Some OWASP stuff first

–How RASPs and WAFs can work together

This is the biggest difference between RASPs and WAFs: WAFs look for suspicious payloads, while RASPs look for exploitation attempts


–A Pentester’s Guide to Code Injection

OWASP defines Code Injection as a general term for any attack type that consists of injecting code that is then interpreted and executed by the application. This type of attack exploits the poor handling of untrusted data. These attacks are usually made possible by a lack of proper input/output data validation, such as: allowed characters (standard regular expression classes or custom), data format, and amount of expected data.


–The Elements of Application Security Testing (With Apologies to Strunk and White)


–Shifting Cloud Security Left — Scanning Infrastructure as Code for Security Issues

In the cloud, misconfigurations will get you hacked well before zero-days do. According to a report released in 2020, the NSA asserts that misconfiguration of cloud resources is the most prevalent vulnerability in cloud environments. Looking at a few recent data breaches in AWS…

  • The Capital One breach was caused by a firewall left inadvertently open to the Internet, along with an overprivileged EC2 instance role
  • The Los Angeles Times website started mining cryptocurrency in your browser due to a world-writable S3 bucket
  • The Magecart group backdoored Twilio’s SDK which was hosted on a world-writable S3 bucket
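The two misconfiguration classes in the breaches above (a world-writable S3 bucket and a firewall rule open to the Internet) are exactly what a shift-left IaC scan can catch before deployment. The following is an added example, not code from the article or from any scanning product; it reads Terraform's JSON syntax (`.tf.json`) from a constructed sample, and the set of admin ports it treats as Internet-sensitive is an assumed policy.

```python
import json

# Constructed Terraform JSON sample (not a real deployment). It contains one
# world-writable bucket, one private bucket, and a security group that opens
# 443 and 22 to the whole Internet.
TF_JSON = """
{
  "resource": {
    "aws_s3_bucket": {
      "assets": {"bucket": "example-assets", "acl": "public-read-write"},
      "logs":   {"bucket": "example-logs",   "acl": "private"}
    },
    "aws_security_group": {
      "web": {
        "name": "web",
        "ingress": [
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
        ]
      }
    }
  }
}
"""

WORLD_WRITABLE_ACLS = {"public-read-write"}
# Assumed policy: these ports must never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22, 3389, 3306, 5432}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def scan_terraform(doc: str) -> list:
    """Return (resource_address, finding) tuples for the two checks above."""
    findings = []
    resources = json.loads(doc).get("resource", {})

    # Check 1: S3 buckets whose canned ACL lets anyone write objects.
    for name, attrs in resources.get("aws_s3_bucket", {}).items():
        if attrs.get("acl") in WORLD_WRITABLE_ACLS:
            findings.append((f"aws_s3_bucket.{name}", f"world-writable ACL {attrs['acl']!r}"))

    # Check 2: security group ingress that exposes admin ports to the Internet.
    for name, attrs in resources.get("aws_security_group", {}).items():
        for rule in attrs.get("ingress", []):
            open_world = any(c in ANY_CIDR for c in rule.get("cidr_blocks", []))
            all_traffic = str(rule.get("protocol")) == "-1"   # Terraform "-1" = all protocols/ports
            ports = range(int(rule.get("from_port", 0)), int(rule.get("to_port", 0)) + 1)
            if open_world and (all_traffic or any(p in ADMIN_PORTS for p in ports)):
                findings.append((f"aws_security_group.{name}",
                                 f"ports {rule.get('from_port')}-{rule.get('to_port')} open to the Internet"))
    return findings


if __name__ == "__main__":
    for address, finding in scan_terraform(TF_JSON):
        print(f"{address}: {finding}")
```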



–How developers can take the lead on security


–Shifting Threat Modeling Left: Automated Threat Modeling Using Terraform








FEB 1–3, 2021


Security and Privacy Ideas That Matter




Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


Ongoing threat of ransomware

In the last week, the Scottish Environment Protection Agency (SEPA) confirmed it was the victim of an ongoing ransomware attack. The NCSC has been supporting investigations to understand the impact of this incident.

Ransomware is a serious cyber threat. Cyber criminals can often threaten the publication of data if payment is not made.

Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom:

  1. there is no guarantee that you will get access to your data or computer
  2. your computer will still be infected
  3. you will be paying criminal groups
  4. you’re more likely to be targeted in the future

Organisations should take steps to protect themselves from the loss of access to their data by ransomware, as well as from the risk of data theft

Fake apps responsible for rise in attacks targeting remote devices

The number of organisations experiencing malware attacks on remote devices has increased over the past year since the COVID-19 global pandemic began, as detailed in a recent Cloud Security Report by Wandera.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 117: Vulnerabilities in YouTube and Ring Neighbors app, OAuth Mix-Up attacks, Tamper Dev

  1. Vulnerability: YouTube

David Schütz found a clever way to get (limited) access to private YouTube videos via a vulnerable API

  2. Vulnerability: Amazon Ring Neighbours

Amazon’s Ring camera has a companion app called Neighbours. The app allows users to anonymously share footage that they deem suspicious

  3. Standards: OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response

We discussed OAuth 2.0 Mix-Up attacks in issue 83



In this episode we interview two NSA Cryptologists, Marcus J. Carey and Jeff Man. We hear their story of how they got into the NSA and what they did while there



Incidents & events detail

Ticketmaster fined $10 million after hack of business rival

“Screen-grab the hell out of the system”


New Golang-based Crypto worm infects Windows and Linux servers


Malwarebytes said it was hacked by the same group who breached SolarWinds

Malwarebytes becomes fourth major security firm targeted by attackers after Microsoft, FireEye, and CrowdStrike


Cloudflare WAF bypass exploits revealed


Browser security briefing: Google and Mozilla lay the groundwork for a ‘post-XSS world’


PsExec Local Privilege Escalation


T-Mobile suffers its fourth hack in less than three years – still “takes the security of your information very seriously”


CISA releases a PowerShell-based tool to detect malicious activity in Azure, Microsoft 365


Remote Desktop Bugs: Patches That Took Priority in a Pandemic Year

Remote Desktop flaws were a patching priority this year as Microsoft distributed fixes and businesses scrambled to protect remote employees


Security PSA: Ledger Phishing Attacks


No, Cellebrite cannot ‘break Signal encryption.’


CVE-2020-9967 – Apple macOS 6LowPAN Vulnerability


Unsecured Azure blob exposed 500,000+ highly confidential docs from UK firm’s CRM customers

Medical records, insurance claim docs, promotion process feedback… you name it, Probase bared it


GCP OAuth Token Hijacking in Google Cloud – Part 1

If an attacker compromises a Google Cloud Platform (GCP) user’s device, he can easily steal and abuse cached credentials, even if MFA is enabled



Research of the week

How we’re helping to reshape the software supply chain ecosystem securely

Although the history of software supply chain attacks is well-documented, each new attack reveals new challenges. The seriousness of the SolarWinds event is deeply concerning but it also highlights the opportunities for government, industry, and other stakeholders to collaborate on best practices and build effective technology that can fundamentally improve the software ecosystem. We will continue to work with a range of stakeholders to address these issues and help lay the foundation for a more secure future


Detection and Hunting of Golden SAML Attack

The SolarWinds software supply chain attack is known to have affected U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat actor since at least March 2020. U.S. authorities now believe that additional initial access vectors other than the SolarWinds platform exist, but these are still being investigated. The US Cybersecurity & Infrastructure Security Agency (CISA) expects that removing this threat actor from compromised environments will be highly complex and challenging.

One of the major techniques used by the threat actor as part of the SolarWinds attack, was compromising the Security Assertion Markup Language (SAML) signing certificate, using their Active Directory privileges. CISA explained that “once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs)”[1].

The “Golden SAML” attack technique enables attackers to forge SAML responses and bypass ADFS authentication to access federated services. First reported by CyberArk in 2017, the current attack is the first time that this technique is known to have been used “in the wild”.

To successfully leverage Golden SAML, an attacker must first gain administrative access to the ADFS server and extract the necessary certificate and private key. Once this is accomplished, unauthorized access can be performed from anywhere, without further access to the victim environment
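Because a forged assertion is signed with the real ADFS key, the cloud side cannot tell it from a genuine one; the hunting signal is that the tenant sees a federated sign-in for which the ADFS server itself never issued a token (for example no matching ADFS audit Event ID 1200), often with an unusually long assertion lifetime. The following is an added example, not code from the article or from any vendor tool: it correlates constructed ADFS issuance records with constructed cloud sign-in records, and the 10-minute correlation window and 1-hour lifetime threshold are assumed.

```python
from datetime import datetime, timedelta

# Constructed ADFS token-issuance records (sample data, not real logs): who got a
# token from the federation server and when.
ADFS_ISSUANCE = [
    {"ts": "2021-01-18T09:00:05Z", "user": "alice@corp.example"},
    {"ts": "2021-01-18T09:30:10Z", "user": "bob@corp.example"},
]

# Constructed federated sign-ins as seen by the cloud tenant, with the SAML
# assertion's validity window. The last one is the Golden SAML case: it has a
# valid signature but no ADFS issuance behind it and a week-long lifetime.
CLOUD_SIGNINS = [
    {"ts": "2021-01-18T09:00:09Z", "user": "alice@corp.example",
     "not_before": "2021-01-18T09:00:05Z", "not_on_or_after": "2021-01-18T10:00:05Z"},
    {"ts": "2021-01-18T09:30:12Z", "user": "bob@corp.example",
     "not_before": "2021-01-18T09:30:10Z", "not_on_or_after": "2021-01-18T10:30:10Z"},
    {"ts": "2021-01-18T23:41:00Z", "user": "admin@corp.example",
     "not_before": "2021-01-18T23:40:00Z", "not_on_or_after": "2021-01-25T23:40:00Z"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def hunt_golden_saml(issuance, signins,
                     window=timedelta(minutes=10),      # assumed correlation window
                     max_lifetime=timedelta(hours=1)):  # assumed normal assertion lifetime
    """Return (user, reason) findings for sign-ins that look like forged assertions."""
    findings = []
    for s in signins:
        t = parse_ts(s["ts"])
        # A genuine federated sign-in is preceded shortly before by an ADFS issuance
        # for the same user; a Golden SAML token never touches the ADFS server.
        matched = any(i["user"] == s["user"]
                      and timedelta(0) <= t - parse_ts(i["ts"]) <= window
                      for i in issuance)
        if not matched:
            findings.append((s["user"], "no ADFS issuance event before federated sign-in"))
        # Forged tokens are frequently minted with lifetimes far beyond ADFS defaults.
        lifetime = parse_ts(s["not_on_or_after"]) - parse_ts(s["not_before"])
        if lifetime > max_lifetime:
            findings.append((s["user"], f"assertion lifetime {lifetime} exceeds {max_lifetime}"))
    return findings


if __name__ == "__main__":
    for user, reason in hunt_golden_saml(ADFS_ISSUANCE, CLOUD_SIGNINS):
        print(f"SUSPECT {user}: {reason}")
```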


SolarWinds/SunBurst FNV-1a-XOR hash findings analysis


Best Practices for AWS Security – Part 1 with Scott Piper

Link HERE and IaC Security governance program HERE

Security and Risk Management Leaders Primer for 2021

As organizations go full in with digital initiatives, security and risk management leaders must help the business actualize value in an increasingly distributed risk decision-making environment built for real-time adaptability and resilience through risk-based programs

Security and Risk Management Leaders Overview

SRM leaders should:

  • Design an operating model that takes into account the enterprise culture and maturity.
  • Have explicit conversations with senior leadership about their function’s scope and objectives.
  • Assess the effectiveness of not just their immediate teams, but also of the cybersecurity professionals who report directly into the business.
  • Develop and maintain policy as a process, asking for and implementing feedback from those expected to adhere to it.
  • Define and plan the skills, knowledge and capabilities needed most by the enterprise, and assist different parts of the business in bringing them in.
  • Work with senior leadership to define objectives that their programs support.
  • Clearly define scope of responsibilities, focusing on comparative advantage.
  • Help the organization balance the need to facilitate business outcomes against the need to manage risk holistically.
  • Assess and transform SRM programs, as well as themselves, to become digital business enablers.
  • Prioritize building relationships with stakeholders who are in areas of the business, while maintaining relationships with IT stakeholders for efficiency.
  • Assess the enterprise constituencies and craft targeted messages.
  • Recognize that communication alone does not help build the case. Show value and deliver services that help the organization achieve its objectives


Hunting for Bugs in Windows Mini-Filter Drivers

In December Microsoft fixed 4 issues in Windows in the Cloud Filter and Windows Overlay Filter (WOF) drivers (CVE-2020-17103, CVE-2020-17134, CVE-2020-17136, CVE-2020-17139). These 4 issues were 3 local privilege escalations and a security feature bypass, and they were all present in Windows file system filter drivers. I’ve found a number of issues in filter drivers previously, including 6 in the LUAFV driver which implements UAC file virtualization



Tool of the week




Finding and exploiting vulnerable Malware


Mitigating Obsolete TLS

This repository lists a number of tools, SNORT signatures, and web server configurations to help network owners detect and remediate the use of obsolete TLS


The ultimate OSINT collection

A collection of the very best OSINT related materials, resources, trainings, guides, sites, tool collections, and more


Adidas DevOps maturity framework

adidas C.A.L.M.S.



DevTool Desktop App designed to manage and secure Cloud Access in multi-account environments.

The App is designed to work with Cloud Providers APIs, CLIs, and SDKs.

It’s a tool that stores your access information securely and generates temporary credential sets to access your Cloud from your local machine.


Compliance-as-code and auto-remediation with Cloud Custodian



Other interesting articles 

##Drawing good architecture diagrams

Some tips on good diagram drafting and pitfalls to avoid when trying to understand a system in order to secure it



##Homomorphic Encryption: The ‘Golden Age’ of Cryptography

The ability to perform complex calculations on encrypted data promises a new level of privacy and data security for companies in the public and private sectors. So when can they get started?

The origins of homomorphic encryption date back to 1978. That’s when a trio of researchers at MIT developed a framework that could compute a single mathematical operation (usually addition or multiplication) under the cover of encryption. The concept gained life in 2009, when Craig Gentry, now a research fellow at the blockchain-focused Algorand Foundation, developed the first fully homomorphic encryption scheme for his doctoral dissertation at Stanford University.



##How to organize your security team: The evolution of cybersecurity roles and responsibilities


Each function works as part of a whole security team within the organization, which is part of a larger security community defending against the same adversaries



##And finally, Covid-19 Ushered in a New Era of Government Surveillance

Government-mandated drone surveillance and location tracking apps could be here to stay

It’s unclear how many of these surveillance programs will outlast the pandemic itself. Events like 9/11 have previously heralded long-standing security measures such as the Patriot Act, which legalized broad categories of government surveillance, as well as the creation of the Department of Homeland Security, which has not only reshaped airports and international travel, but turned U.S. borders into highly surveilled and militarized zones. That means that many of these programs aren’t just stop-gap efforts, but a glimpse of a future in which governments track their citizens’ every move



Maximizing Appreciation of Life

“I enjoy finding patterns in how people pursue meaning, constructing models for how said meaning works, and then creating, discussing, and sharing possible frameworks for improving it.”




AppSec Ezine

Must see


Description: Hijacking Google Docs Screenshots



Description: Deep Dive into Site Isolation


Description: 0Day RCE in Apple’s Travel Portal.


Description: How clicking a link can give away your precise location.


Description: Bad regex in FB JS SDK leads to account takeovers in sites that included it.

Links HERE and HERE and credits to HERE



