Security Stack Sheet #118


Word of the Week


Types of RansomCloud attack

  • Piggy-Backing on Sync
  • Remote Connection With Stolen Credentials
  • Attacking The Cloud Provider

RansomCloud Exploit

Link HERE and HERE and HERE and HERE and HERE and HERE


Word of the Week Special

“Why Is the Majority of Our MFA So Phishable?”

The huge push to multifactor authentication (MFA) is ostensibly to help people avoid getting so easily phished. But are we making the same mistake with MFA and making too much of it too easily phishable? Will we be pushing our organizations and end-users to MFA only to repeat many of the same mistakes? The US government is worried about it. You should be worried as well.


“Why Zero-Days Are Essential to Security”

Link HERE and HERE – thanks to Andi and Javan

And Google on the topic HERE and Bruce Schneier HERE

Want to find yourself? This tool HERE




You merely adopted broken CSS,
I was born in it, moulded by it,
I didn’t know proper CSS renderings until I was a man







Crypto challenge of the week

Hacky Easter 2022 Teaser





  • May 25th 2018: 3+ years of GDPR Live! See incidents section below GDPR Enforce Tracker Link HERE – thanks to Marius
  • Now: TLS1.2 mandatory for proper security HTTPS everywhere HERE
  • 1st of July 202012 – Freedom from viruses?
  • 2022 1st of January – Bitcoin hits $100k again
  • 20226 – First trip to Mars according to Elon Musk
  • 2043 – WW3
  • 2023 – 3DES is deprecated for all new applications and usage is disallowed after 2023 HERE
  • 2024 – Back to the Moon according to Trump and NASA

Book of the month

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race




Comic of the week

Covid Excuses - Dilbert by Scott Adams



##Some OWASP stuff first

–OWASP Top 10 2021 by Jim Manico

OWASP Top 10:2021



A few months ago we saw a post on the r/programminghorror subreddit: A developer describes the struggle of identifying a syntax error resulting from an invisible Unicode character hidden in JavaScript source code. This post inspired an idea: What if a backdoor literally cannot be seen and thus evades detection even from thorough code reviews?


–Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond






Open Security Summit

ASVS User Stories Creation – Part 8

Check out their (lateral) moves! The importance of blast radius in DevSecOps

Using Teleport to Secure SSH and Kubernetes Access

The OWASP Top Ten 2021 Release

Learn Threat Modeling using the amazing OSS resources

Cooking The Perfect Docker Container For A React App

Agile Threat Modeling with Open-Source Tools

Using Jira to Map and Visualise Risks

Going Multicloud: Securing Human and Service Identities in AWS vs Azure

Using Elastic and Kibana for Scale and Security Visualisation

Threat Mapping – A Workshop Discussion

Developing Secure Multi-Cloud Kubernetes Applications

CVE CWE CVSS CWSS where do I look first?

Creating a Scalable API Test Framework using AWS and Elastic

Panel – Prioritizing Risks and Vulnerabilities based on Context



Link HERE – thanks to Prash



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred. 

Incident data HERE Find your country

NCSC Weekly Threat Report


56% of UK businesses plan to hire a CISO

A survey of UK information security and IT professionals conducted by cloud provider Fastly showed that over half (56%) plan to employ a Chief Information Security Officer (CISO) over the next six months to two years.

Cyber attacks lead to data breaches

High-profile cyber attacks continue to affect a wide range of demographics. This week alone there has been widespread reporting of an incident affecting an organisation handling Labour Party members’ data, and a ransomware attack on high-end jeweller Graff.

Link HERE – Report Vulns to NCSC HERE and Who is Government Security HERE

API Security Issue 159: Vulnerability in GoCD CI/CD platform, views on full lifecycle API security, articles on API security and sprawl

Case study: Raiffeisen Bank International on their journey toward full lifecycle API security

Gerdenitsch describes how RBI made a shift toward a product-led agile structure in 2019. This transition included the role of Security Champion within each of the product DevSecOps teams:

Security Champions lead in all aspects of product security within their business unit. A key point to the role is that it is a volunteer-driven role. RBI’s experience was that they had no shortage of volunteers and that they got much interest from a variety of disciplines within the organization. As with many popular Security Champion programs, RBI opted to use the martial arts’ belt system, shown below:

In terms of API security, the blue belt level included specialized courses just on API security, and at the black belt level the focus was on hands-on manual pentest skills.



Arya Ebrahami has had quite a personal relationship with darknet marketplaces. In this episode you’ll hear about his adventures on Tor.


The Security Ledger
COVID vaccine passport

Episode 230: Are Vaccine Passports Cyber Secure?



Incidents & events detail

A pair of PS5 hacks could be the first steps towards jailbreaking Sony’s latest console


“Squid Game” and Google Ads Crypto Scams Illustrate the Risks of an Unregulated Marketplace

Link HERE and HERE and reaction HERE

Hunting for secrets in Docker Hub: what we’ve found



Research of the week

Trojan Source: Invisible Vulnerabilities

We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as we call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. We present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. We propose definitive compiler-level defences, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.

Link HERE and Site HERE

Bugs in our Pockets: The Risks of Client-Side Scanning

In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.


Analysing a watering hole campaign using macOS exploits



Tool of the week

Exploiting and defending anonymous access in Azure


Measure and Improve Your Application Resilience with AWS Resilience Hub



A simple tool for searching default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords.






Other interesting articles 

##Magic Quadrant for Web Application and API Protection

Strategic Planning Assumptions

  • By 2026, 40% of organizations will select their WAAP provider based on advanced API protections, as well as web application security features — up from less than 10% this year.
  • By 2026, more than 40% of organizations with consumer-facing applications that initially relied only on their WAAP for bot mitigation will seek additional anomaly detection technology from specialized providers — up from less than 10% today.
  • By 2024, 70% of organizations implementing multicloud strategies for web applications in production will favour cloud WAAP services over WAAP appliances and IaaS-native WAAP.

Gartner defines web application and API protection (WAAP) as the evolution of the web application firewall market (WAF), expanding WAF capabilities to four core features (see Defining Cloud Web Application and API Protection Services):

  • WAF
  • Distributed denial-of-service (DDoS) protection
  • Bot management
  • API protection




##And finally, Will the craze for crypto startups ever produce the next tech giant?

As big investors weigh in, valuations are reaching the stratosphere





AppSec Ezine

Must see


Description: Reddit IDOR to pay less for coin purchases.


Description: Google Chrome NTP XSS via Google Search CSRF.


Description: Becoming A Super Admin In Someone Elses Gsuite Org. And Taking It Over.

Links HERE and credits to HERE




Sage Business Cloud

