OWASP London Chapter at Facebook

Yes, this whole surface is a screen at the headquarters of Facebook in London. We have been invited by Facebook to host the OWASP London Chapter meet-up at this amazing space. 

T1: "Bug Hunting Beyond facebook.com" - Jack Whitton
Facebook's Whitehat bug bounty program receives 1000's of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook's Whitehat program team handled over the past year, and some pro-tips when looking for bugs outside of "facebook.com".

L1: "Open Source for Young Coders" - Hackerfemo
Inspirational 12 year old Hackerfemo will tell us all about how open source helps him run coding and robot workshops for 10-16 year olds throughout the world.

T2: "Reviewing and Securing React Applications" - Amanvir Sangha
As developers start using front-end frameworks such as React they must be made aware of any related security issues. Whilst React provides developers with proactive measures such as output encoding, there still exist edge cases which can lead to cross-site scripting issues. This talk explores common security issues in the framework and how to defend against them

L2: - "Introducing OWASP Amass Project" - Jeff Foley (remote)
Jeff will introduce the OWASP Amass project - a tool which obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. All the information is then used to build maps of the target networks.

The video recordings of the OWASP London Chapter talks: 
OWASP London Chapter Youtube channel

More Information, presentations, and upcoming events: 
OWASP London Chapter wiki

OWASP London Chapter at Microsoft Reactor

We had the pleasure of having one of our OWASP London Chapter events hosted by Microsoft, at its community space called Reactor London. 

T1: "From zero to hero: building security from scratch" - Anthi Gilligan

Breaches mean financial, regulatory, legal, and above all reputational repercussions. Organisations are quick to react, however with security professionals in high demand and low supply, there has been an increase in individuals jumping on the “cybersecurity” bandwagon. In this talk, we discuss the pitfalls of the inadequately qualified “cybersecurity expert”, and examine the building blocks of a solid information security management system

T2: "Smart Contract Security" - Evangelos Deirmentzoglou 

Dapps and many Initial Coin Offerings (ICOs) run on smart contracts and tend to process a substantial amount of funds. This makes them a target, and therefore they often undergo attacks. Combined with the blockchain immutability, vulnerabilities undiscovered during development will exist forever in the blockchain. This talk will dive into the most common smart contract security vulnerabilities and provide in-depth knowledge on how these issues occur and their mitigation. Real world examples will be discussed and vulnerabilities like re-entrancy, overflows, gas limit attacks etc. will be demonstrated

L1: "Driving OWASP ZAP using Selenium" - Mark Torrens 

OWASP ZAP is great tool but it's not magic! When used in a CI/CD pipeline, ZAP needs some help to discover the routes through a web application. Basic authentication, user logins and form validation can all stop ZAP in its tracks. I show how to drive ZAP using Selenium scripts and increase the security coverage of a web application.

The video recording of the talks from this event: 
OWASP London Chapter Youtube channel

More Information, presentations, and upcoming events: 
OWASP London Chapter wiki

Global OWASP AppSec EU 2018

The OWASP Global Application Security Conference took place this week in the heart of London. see: OWASP AppSecEU 2018

The QEII conference centre, just across the Westminster Abbey was packed with brilliant minds from all over the world, dedicated in advancing security across all technologies. 

The premier application security conference for European developers and security experts. AppSec EU provides attendees with insight into leading speakers for application security and cyber security, training sessions on various applications, networking, connections and exposure to the best practices in cybersecurity.

As an OWASP London Chapter leader, (@OWASPLondon) it was an honor to be part of the team that delivered this amazing 1 week event. 

The OWASP foundation staff and board did an amazing job and we all enjoyed working together. We reached out to all OWASP chapters across the globe and we are dedicating ourselves in amazing things to come. 

ISSA UK meet on board the HQS Wellington

This week we had an amazing event with @issauk. The meet took place on-board the @HQSWellington #HQSWellington #InfoSec #CyberSecurity #CyberDefense #CyberDecence 

ISSA-UK, isthe UK Chapter of the ISSA. With active participation from individuals and chapters all over the world, the Information Systems Security Association (ISSA) is the largest international, not-for-profit association specifically for information security professionals. Having welcomed over 1,800 members since our beginnings in 2003, the ISSA-UK Chapter is the world’s most successful chapter. 

Security BSides Athens 2018

Security BSides Athens 2018 was the 3rd Ethical Hacking conference that took place in Athens, Greece. Once again we created a conference for the information security community, by the information security community, with a special thanks to all our volunteers. 

We love moving the venue to different locations each year to ensure the participants get to "rediscover" the event. One of the main reasons why we love scouting for a new location each year, is because we adapt the conference to the venue's attributes, whichever these are. This is what makes the event unique each year and a lovely memorable experience, while trying to bring more quality, rather that focus on quantity. 

Security BSides Athens 2018 (www.bsidesath.gr) took place at Impact Hub Athens (link) which allowed us to bring a different look and feel to the whole event. (All the information for our previous events is archived and can be found here: https://www.bsidesath.gr/index.php#Pevents)

Security BSides London 2018 - Thank you!

It was an amazing feeling seeing my logo all over the place at Security BSides London this year. In case you missed it, this blog post will bring you up to speed. 

> @BSidesLDN #BSidesLDN #BSidesLDN2018 

> #LogoWinner #BreachDayClock #2minutesToMidnight #Breach #BreachDay #DataBreach #InfoSec #CyberSecurity #BinaryClock #CyberTheme

> @OWASP #AppSec @AppSecEU @OWASPLondon

> #AfterParty @mwrinfosecurity #RansomWear

See you in Security BSides London 2019! ;)

Cyber Europe 2018 by ENISA (EU Agency for Network and Information Security)

The EU Agency for Network and Information Security (ENISA) manages the programme of pan-European exercises known as Cyber Europe #CE2018. 

The Cyber Europe exercises are simulations of large-scale cybersecurity incidents that escalate to become Cyber crises. 

I am part of ENISA's approved NIS Experts*, where I have both designed and reviewed different Cyber incidents/exercises for the pan-European Cyber Europe exercise, I wanted to share with you the opportunity to get to know more about this very important bi-annual European initiative. This year is the 5th pan European Cyber crisis exercise.

The scenario

• Cyber Europe 2018 planners developed a scenario revolving around Aviation which can include, Civil Aviation Authorities, Air Navigation Service Providers (ANSPs), Airport Companies, Air Carriers, with potential impacts in other sector.
• The scenario will contain real life inspired technical incidents to analyse, from forensic and malware analysis, open source intelligence, and of course non-technical incidents.
• The incidents will build up into a crisis at all levels: local, organization, national, European. Business continuity plans and Crisis management procedures will be put at test

The exercise is organised for IT security, business continuity and crisis management teams coming from EU and EFTA Member States only.


More: https://www.enisa.europa.eu/topics/cyber-exercises/cyber-europe-programme 

*NOTE: The CEI List of Experts is a tool used solely for the purposes of assessing and identifying suitable external experts for a potential future contractual working relationship with ENISA. It is emphasised that inclusion in the list does NOT mean that you are considered to be an official representative of ENISA or in any way entitled to represent the Agency.

'The next tech leap in our evolution'

As a "thought-provoking" moment this morning, let me share with you the following as food-for-thought...

Think for a second about the moment the next leap in our technological evolution is made. This will most probably be defined by using properly well-defined Artificial Intelligence #AI capabilities, Machine Learning #ML (most likely Deep Learning #DL, for classifying and profiling attacks/attackers, possibly minimizing the risk of being trained the wrong way), successfully adapting Chaos Engineering #ChaosEngineering on Software Defined Networks #SDN (which will have the ability to be redefined seamlessly in Real-Time by the #AI, performing any number of complicated micro-segmentations), capable of running "as a Service" in the #Cloud (hosting a whole virtual network/computer infrastructure, where the end-points are simply tabs opened on "web" browsers).

Read more at: 

https://www.linkedin.com/pulse/next-tech-leap-our-evolution-grigorios-fragkos/

#AI #ML #DL #ChaosEngineering #SDN #Cloud #Quantum #QuantumComputing #Internet #IInternet

Security BSides London 2018 - Logo competition

This year I decided to submit a design for the Security BSides London annual logo competition. The theme for this year's event is:

"BreachDay Clock: 2mins to midnight"

Due to this year's theme, I decided to make a design that illustrates a binary clock. The binary clock is set to 23:58:00, hence, the "2 minutes to midnight". The time instead of being represented in decimal, it is represented in hexadecimal, hence the 17:3A:00. The number 1528273800 represents the epoch Date & Time of the human readable format of the Date & Time for this year's Security BSides London 2018: 

GMT: Wednesday, June 6, 2018 8:30:00 AM

You can find all submissions here and make sure you vote your favorite one! 

UK Minister for Digital on CyberSecurity..

Britain’s most critical industries are being warned to boost cyber security or face hefty fines, as the government acts to protect essential services from cyber attacks.

"We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services," said the current Minister for Digital, Margot James.

In August last year, it was mentioned by the former Minister of Digital Matt Hancock, that a new government directive is being considered, that will allow regulators to inspect the Cyber Security status of companies.
More specifically, it was said that companies in the Energy, Transport, Water and Health sectors, are expected to have "the most robust safeguards".

The Global Risks Landscape 2018

Towards the end of each year, we tend to come across several reports and white papers that discuss the cyber-threat predictions/concerns for the following year. However, I do believe that very few of these reports really attempt to dig deep when it comes to emerging Cyber related threats and really discuss future trends. 

I have had several discussions regarding the future of cyber risk exposure and how cyber risk assessments will start experiencing a significant shift in the following months. There is a bigger picture when it comes to cyber threats and cyber crime. It is not only how much a data breach or business disruption will cost, but at what scale it affects people's lives. This is the moment we need to take a step back and look at magnitude and implications. The main reasons why things should be expected to dramatically change in the Cyber front between 2018-2020, are briefly outlined below:

a) The General Data Protection Regulation (GDPR). GDPR has brought Information Security and Cyber Security into the boardroom as a discussion topic, "motivating" stakeholders to act upon the requirements before the regulation is finally in effect (25 May 2018). You should also consider that the disclosure of a breach needs to take place within 72 hours from the moment it was detected, the increased cost of responding to a data breach, and the fines imposed under GDPR.    

b) The number of Cyber attacks expected in 2018 and their impact, according to the Cyber Security Breaches Survey conducted for 2017. (FYI: The official Cyber Security Breaches Survey 2018 detailing business action on cyber security and the costs and impacts of cyber breaches and attacks will be publish in April 2018).

c) Now consider the domino effect when it comes to the scale and magnitude of the cyberattacks anticipated by 2020, in contrast with the current state of readiness of business entities and their dependencies across all industries. 

The recently published Global Risk Report by the World Economic Forum (www.weforum.org) has highlighted some very important facts regarding the risk perception for the year 2018. Cyberattacks are now perceived as a global risk of highest concern, especially to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018 according to the publish Global Risks Report. 

A "HIPPA Extortion" case hit the news

Following my recent article where I tried to explain the concept of "GDPR Extortion", a data breach of a Health IT provider hit the news early this week, and the case of "HIPPA Extortion" became a sad reality.

For those of you who are not familiar with HIPAA (Health Insurance Portability and Accountability Act of 1996), is a United States legislation that provides data privacy and security provisions for safeguarding medical information, and in this case it applies to the Health IT provider that was breached.

The Nashville-based company (Medhost) is being asked by the cyber-criminals to pay 2 Bitcoins (BTC) which at the moment is approximately $35K (USD), otherwise they will sell the data they managed to steal. What is however very interesting in this story, is that they try to make their case by saying that they will do:

" ..a media release regarding the lack of security in a HIPPA environment. "

The screenshot is from Google's cache*, as the website of the breach company appeared on 19/Dec 2017 at 20:02 GMT. 

Will "GDPR Extortion" become the new "trend" in cybercrime?

Even though this is not an "official" term that is being used (well, at least not yet), it does describe the concern I am trying to explain to people at different occasions. I often discuss GDPR from the security perspective, and the conversations most of the time end up focusing at the implications of the regulation and the "next day". 

This is when I end up trying to describe the potential scenario of "GDPR Extortion", as I always like to see things through different lenses when it comes to forward-thinking in Information Security and CyberSecurity. 

By saying "GDPR Extortion" I tend to mean something similar to "DDoS Extortion", and it is easier to give an example to people in order to explain this type of potentially evolving threat. 

RIPE NCC - RIPE ATLAS

I recently saw Vesna Manojlovic’s  (@Ms_Multicolor) talk at BalCCon (@BalCC0n) about the RIPE Atlas device and I wanted to find out more about the project. I felt a need to play around with the device, see how it works, run a few security tests, and of course, be part of the online community that has access to the data in real-time.

Getting started with the RIPE Atlas probe (@RIPE_Atlas) was more or less straightforward. 

The RIPE NCC (@RIPE_NCC) is building the largest Internet measurement network ever made. 

For those who are not familiar, the RIPE NCC assigns and allocates Internet number resources across Europe, the Middle East and parts of Central Asia. The RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of the state of the Internet in real time. You can explore the RIPE Atlas measurements, maps and tools, once you register for an account. 

Starting with the probe I had to visit the URL http://probev3.ripe.net which redirected me to https://atlas.ripe.net/docs/probe-v3/. On that page, one can find further information about the device, and what one should do if they find one connected to a network, and of course what to do if one has found a lost device. 

"Moving Towards CyberResilience", BalCCon2k17

This year is my first time to the Balcan Computer Congress, known as BalCCon (BalCCon2k17) in Novi Sad, in Serbia. I have visited Serbia a few times for work and it is a pleasure to have the opportunity be back, attending this amazing conference and present a talk. 

BalCCon (@balcc0n) is a three-day conference with a great line-up of speakers, hackspace activities that include soldering and hardware hacking, retro gaming, workshops, and a pleasant atmosphere with a party-mood throughout the day. 

This year’s event is the 5th BalCCon2k17.  The conference opened on Friday 15/Sep/2017 by Jelena Georgijevic Krasojevic. She welcomed everyone and gave a small introduction about the event and its history. The event started at 14:00, which gave people enough time to fly to the country in the morning or make sure they had a really good night sleep if they arrived the previous night. 

If you haven't been to BalCCon, it is time for you to make plans for next year. The package includes, amazing talks, plenty activities for people to do, many workshops to attend, a friendly atmosphere, good food, and warm weather. 

Security BSides Amsterdam 2017

My passion for contributing to the information security community as much as possible, led me into getting myself involved with the formation of another information security conference. After a number of discussions, I decided to help out with putting together a Security BSides conference in the Netherlands. More specifically, the first ever Security BSides Amsterdam 2017 (www.bsidesams.nl) took place on Friday, 1/Sep/2017 in the heart of Amsterdam, at Zalen Pakhuis de Zwijger B.V. (dezwijger.nl). 

We tried to engage the Dutch information security community as much as possible as this was  our first attempt to make this conference a reality. We were very pleased to have so many speakers submitting a talk to the conference, and the support of OWASP and especially OWASP Netherlands. 

On our account on peerlyst you will find a list of all the talks of the day, along with their respective YouTube video. 

You can also find all of the videos on our YouTube channel, all combined in one playlist here. 

Security BSides Athens 2017

This was the second Security BSides Athens in Greece this year, which allowed us to move to a slightly bigger venue. We tried to put together a better event since last year and further improve the quality of the conference.

Security BSides Athens 2017 (www.bsidesath.gr) took place at "The Athinais Cultural Center" - ATHINAIS

OWASP London chapter meeting (Guest Speaker)

It is a great honour to have been invited to speak at the OWASP London Chapter meeting this May. (Thursday, 18 May 2017 - Central London)
More importantly, as this meeting is sponsored by WorldPay, it is a fantastic opportunity to share previous work I have done on payment systems over the past few years.   

Allow me to say a big Thank You to the OWASP London Chapter organisers for the work they put in to keep the London chapter so live & active, and of course to WorldPay, for supporting this meeting, and for being so kind to host it at their premises. If you are interested to find out more OWASP, make sure you attend the OWASP Summit 2017.

Given the opportunity for this blog-post, I would also like to thank you all for your messages about my talk. I am very pleased to hear that the tickets for OWASP London Chapter meeting this month were sold-out that fast and that the organisers had to activate the waiting list. The organisers also mentioned that due to the high demand, they will consider live streaming. So, stay tuned for updates on that as I am planning to schedule a number of tweets to go out before and during the talk. Thus, for updates you can follow me on Twitter: @drgfragkos

30 days to go for the OWASP Summit 2017

Owasp will host its 2017 Global Summit in London where hundreds of participants will join forces in Working Sessions focused on solving hard Application and Cyber Security problems.

This is not a conference with unidirectional presentations. Using the same model as the past two OWASP Summits in Portugal, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Every thoroughly prepared working session is geared towards a specific application security challenge and will be focused on actionable outcomes.

With participants flying from all over the world and from major security/development teams, service/product providers and research organizations, this is the place to be to learn and collaborate with industry peers (and even competitors).

The event is split over the following tracks, each focusing on a specific set of challenges:

• Threat Modeling - This is one of the strongest tracks, with most of the core Threat Modeling talent in the world joining forces and collaborating
• OwaspSAMM - This is another track where we have the main contributors and users of this Owasp project participating at the Summit
• DevSecOps - This track has been generating quite a buzz among participants, since it is addressing real pain points and problems that companies face today
• Education - Always strong in OWASP, this track ranges from University master degree to how to create the next generation of AppSec professionals
• Mobile Security - Another track where the key Owasp leaders of Mobile-related Owasp projects are participating
• CISO - This track reaches a wide audience of CISOs and covers a wide range of CISO-related topics
• Research - This track covers really important and interesting research topics (it’s important to look at the future and work on the next generation of Application Security)
• Agile AppSec - This is a track driven by a couple participants who really care about Agile and want to find better ways to integrate it with AppSec practices
• Security Crowdsourcing - This is a track that is focused on scaling AppSec activities via internal and external crowdsourcing
• Owasp Project’s Summit - Last but not least, this track has 31x Working Sessions directly related to an Owasp Project (with most having the Project Leader participating)

Ransomware outbreak at a global scale | #wannacry

Approximately 74 countries are currently under an ongoing cyber-attack. The NHS in the UK has been massively affected, along with major companies worldwide. 

Computer systems are being infected with the ransomware known as WanaCrypt0r 2.0 (known as WCry and WannaCry). The malicious file targets a known computer vulnerability (MS17-010). 

System Administrators:
- Ensure systems are fully patched, especially by addressing the MS17-010 vulnerability. 
- Disable SMBv1.
- Firewall protect ports: 139/445 & 3389
- Make sure you have a backup of your data and it is also stored offline. 
- Ensure Antivirus is installed and active.

Legacy systems should be isolated and any systems which are infected, consider removing them from the network. 

Under Attack?

• Customers in the healthcare sector should follow the national guidance as instructed by the NHS and the National Cyber Security Centre (NCSC).
• UK customers consult the Cyber Information Sharing Platform (CiSP).
• DeepRecce customers requiring further advice or information should contact our 24/7 incident response line www.deeprecce.com

--

Repository of information:

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm
https://gist.github.com/pcostesi/87a04a3bbbdbc4aeb8b787f45eb21197 

Microsoft released notes:
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

OWASP Top 10 (2017 Release Candidate) - Thoughts

OWASP Top 10 2017 Release Candidate - PDF

I understand the importance of highlighting the Underprotected APIs (A10), and I do agree with the importance of it. However, to my eyes this is another stage during a security assessment, while the penetration tester is engaging into testing for different types of Injections (A1). 

I believe Injections (A1) should include the Underprotected APIs.
(especially based on the example attack scenarios given in the PDF page 17 for the Top 10 RC)

From what I have seen on several real-world projects, Unvalidated Redirects and Forwards, is a very common security issue (when you manage to identify where it is hiding) but it is not highlighted in security reports (and penetration testing reports) that often. Thus, it seems and fills like, it is not that popular as a finding. 

One of the main reasons this particular security issue is not mentioned that often, is because businesses (the business perspective) see this highlighted risk as a "two-step attack", so, instead of addressing it, they simply "accept the risk".

From what I have seen in different real-life projects, dropping "A10 – Unvalidated Redirects and Forwards" will be mistakenly perceived (misunderstood) as an "insignificant" security issue, while, it can be used to spawn a number of attacks. 

If an attacker manages to redirect/forward a user to a fraudulent website (that looks exactly like the legitimate one), then it is game-over for that user. How many of you remember the issues with the Unicode URLs back in the day? In one case, two companies lost a significant amount of money because of a fraudster, due to this "insignificant" issue.

Just to mention a couple very recent examples: 
punicode https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
or the unvalidated redirect on linkedin, which allowed to download malware from linkedin redirects (even though they were hashing the urls).
https://gfragkos.blogspot.co.uk/2015/06/linkedin-security-issue-unvalidated.html

So, in my humble opinion, A1 should be Injections that include calls to Underprotected APIs: 
A1 - Injections, including Underprotected APIs

and keep:
A10 - Unvalidated Redirects and Forwards. 

This blog post is intended to be perceived as food-for-thought.

Xcode update is stuck at waiting

This is something that happens often and I wanted to make sure you are going to fix this the right away, without causing any problems to your system and save you some time. 

This was written for Xcode 8.3 (but it has worked for previous versions as well) and it is confirmed that it works on:
OS X 10.10 Yosemite, OS X 10.11 El Capitan, and macOS 10.12 Sierra.

I am assuming that you are at your Updates screen and Xcode is stuck at "waiting". Click on Xcode (the actual name/caption of the pending update) and the relevant page of Xcode on App Store will show (see below). 

When you click the Update button (beneath the application icon on App Store), a little progress bar appears beneath it, and it usually tells you "less than a minute" (but it is stuck there forever). 

Don't navigate away from this screen on App Store, because we want this little progress bar to be our indicator on what is happening. 

• Open a new Finder window and click Applications (top left hand side). 
• Scroll down to the Xcode application and drag the application to Trash.
• You will be asked to confirm your password before moving Xcode to Trash.
• Once you enter your password, there will be a prompt asking you if you want to cancel the update or delete the app. Choose delete. 
• You will notice that immediately after clicking delete, xcode starts downloading the updated version, and you can see/confirm that at the progress bar (as discussed earlier on) and it will tell you how long it will take (it can take an hour, depending on your Internet connection).
• (optional) If you want to save some space on your disk, go to Trash, right-click on xcode, and delete it completely from the system. It will ask you again to confirm your password. 

Don't forget to plug-in your computer, as the whole process takes a while, and the computer might go to sleep and suspend the download and/or the installation. 

IBAN Country List

IBAN (International Bank Account Number) that originates from a member or joining country of the EU or the EEA. FYI: Switzerland and other countries that have adopted the use of IBAN. 

A couple things about the IBAN

Instructions for Screen or Braille Reader users

• This IBAN Checker validates the format of an IBAN which you can either type or paste into the input boxes.
• The results of validation are normally shown on the screen. To receive the IBAN Checker results in a dialogue box that your screen reader should be able to interact with, check the first checkbox that you come across in the form. The prompt for this box reads 'Screen reader users please check this box to receive the results of the IBAN Checker as a dialogue box'.
• Two sets of input text boxes are provided for you to enter your IBAN for checking.
  • The first set of nine input text boxes allow you to type in the IBAN four characters at a time.
    • You will need to tab from one text box to the next.
    • Each text box will only allow a maximum of four characters.
    • The IBANs have a specific format, and some possible formatting errors are detected as you are keying characters into these text boxes.
    • These errors are notified to you in dialog boxes with an OK button which you must action before you carry on.
    • When you action these dialogue boxes you should be aware that incorrect input is not cleared out of the input text boxes.
  • After the multiple input boxes there is a single longer input box into which you can type the complete IBAN. Or alternatively you can paste the IBAN into this box if you have received it electronically - ie in an email.
  • Typing into any of the multiple input text boxes will clear out any characters you may have typed or pasted into the longer input text box.
  • Similarly typing or pasting into the longer text box will clear out any characters you may have typed into the multiple input text boxes.
• Two buttons are provided on the form.
  • The first button triggers the checking of the IBAN you have entered.
  • The second button clears out all the input text boxes.

- Each IBAN has a predefined length (depending the country it belongs to).
- Each IBAN has a country prefix.
- The IBAN should not contain spaces when processed electronically (or the word 'IBAN').

In case someone needs this information, I will just leave that list below :)

Ticketbleed (CVE-2016-9244)

A vulnerability similar to the well-known heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This vulnerability is called Ticketbleed as it lies in the implementation of Session Tickets, which is a resumption technique used to speed up repeated connections. The vulnerability affects the proprietary F5 TLS stack which exposes 31 bytes at a time.

F5 published article K05121675 addressing this vulnerability. You can read the story of how Ticketbleed was found and a complete technical walkthrough on the Filippo.io blog.

Test
You can test your domain using the automated script which you can find at: https://filippo.io/Ticketbleed/

Alternatively, you can test for Ticketbleed yourself with a Go script: here

Fixes and mitigation
The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.

Reproduced here are the instructions provided by F5 and available at the link above.

1. Log in to the Configuration utility
2. Navigate on the menu to Local Traffic > Profiles > SSL > Client
3. Toggle the option for Configuration from Basic to Advanced
4. Uncheck the Session Ticket option to disable the feature
5. Click Update to save the changes

Source: https://filippo.io/Ticketbleed/

Guest Speaker for University of South Wales (Information Security Research Group) - InfoSec Community; Stepping into the security industry

I had the pleasure to be invited as a guest speaker to the University of South Wales by the Information Security Research Group (ISRG). The talk was about the Information Security community and more specifically how young professionals can step into the security industry.

During this talk, the students (graduates & postgraduates) had the opportunity to understand and discuss what they can do today in order to ensure they are well prepared when it comes to stepping into the security industry.

The talk included an introduction to what is considered to be a security oriented mindset, provided a number of quick tips, mentioned several online resources, and last but not least how to prepare for an interview. The students among a number of subjects that were raised during the talk, were also introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and a brief comparison between Vulnerability Assessments and Penetration Testing was given.