Security Stack Sheet #15

Word of the week “Synesthesia”

Detecting Screen Content via Remote Acoustic Side Channels – And you thought you were safe behind your laptop screen…

We show that subtle acoustic noises emanating from within computer screens can be used to detect the content displayed on the screens. This sound can be picked up by ordinary microphones built into webcams or screens, and is inadvertently transmitted to other parties, e.g., during a videoconference call or archived recordings. It can also be recorded by a smartphone or “smart speaker” placed on a desk next to the screen, or from as far as 10 meters away using a parabolic microphone. Empirically demonstrating various attack scenarios, we show how this channel can be used for real-time detection of on-screen text, or users’ input into on-screen virtual keyboards. We also demonstrate how an attacker can analyze the audio received during video call (e.g., on Google Hangout) to infer whether the other side is browsing the web in lieu of watching the video call, and which web site is displayed on their screen

Links HERE and HERE and HERE


Word of the week special “Franken-algorithms”

The deadly consequences of unpredictable code




PWA – Progressive web application



The best name for digging up developer errors still is: Christopher Null






Crypto challenge of the week

Remember: Praetorian security challenges – solve and get hired

Few false ideas have more firmly gripped the minds of so many intelligent people than the one that, if they just tried, they could invent a cipher that no one could break.

The objective of this challenge is to make your way through our eight crypto challenges. These levels cover a wide range of topics, from steganography to cryptographic attacks




May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE

June 30th: TLS1.1 mandatory for PCI-DSS compliance  BEWARE!


Now: TLS1.2 mandatory for proper security

Now: HTTPS mandatory

HTTPS Is Easy!

Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare

Link HERE What Cloudflare says HERE and HERE Reasons to switch? HERE

HTTPS everywhere HERE

August – Holidays over!!

September 21st: SEC Bitcoin ETF

March 29th 2019: Brexit

Sept 2019: PSD2 security mandatory


Comic of the week


Some OWASP stuff first

-OWASP London meetup today (news next week) and next week again 

The event next week hosted by Facebook:

  • “Bug Hunting Beyond” – Jack Whitton

Facebook’s Whitehat bug bounty program receives 1000’s of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook’s Whitehat program team handled over the past year, and some pro-tips when looking for bugs outside of “”.

  • Lightning Talk – “Open Source for Young Coders” – Hackerfemo

Inspirational 12 year old Hackerfemo will tell us all about how open source helps him run coding and robot workshops for 10-16 year olds throughout the world.

  • “Reviewing and Securing React Applications” – Amanvir Sangha

As developers start using front-end frameworks such as React they must be made aware of any related security issues. Whilst React provides developers with proactive measures such as output encoding, there still exist edge cases which can lead to cross-site scripting issues. This talk explores common security issues in the framework and how to defend against them

  • Ligthning Talk – “Introducing OWASP Amass Project” – Jeff Foley (remote)

Jeff will introduce the OWASP Amass project – a tool which obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. All the information is then used to build maps of the target networks

Links HERE and HERE

-Bugcrowd University

Welcome to Bugcrowd University! Join us for free and begin your journey to become a white hat hacker. Bugcrowd University was created to help you learn the basics of hacking and bug bounty hunting


-CONFidence Poland 2018 presentations – thanks to Sylwester


DevSecOps (in PL), XSS in Google services, Cyber Awareness, HoneyPots, and Spear Phishing (in PL)


-Cloudsec2018 in London

CLOUDSEC is back and the rise of AI, and its challenge to human intelligence, is the theme of the day. Will machines out-smart their creators?


-Black Hat USA 2018 Best Practices Videos

Scaling a Vulnerability Management Program While Reducing Network Impact

How to Build a Successful Vulnerability Management Program for Medical Devices

How to Reboot Vulnerability Management for Modern IT and Mature Business Needs

Using Asset Tags to Increase Effectiveness of Your VM Program

Native Integration of Real-Time Network Analysis with the Qualys Cloud Platform

Endpoint Breach Prevention by Reducing Attack Surfaces

Qualys Container Security – Visibility and Security for Containers from Build to Deployments

The Art of Vulnerability Management: from Running Scans to Managing Risk

Get Full Visibility of Both Certificates and Underlying SSL/TLS Configurations and Vulnerabilities

Assess All Web Applications and APIs for Better Security Hygiene

Incorporate Visibility of Inaccessible or Sensitive Assets into Your Overall Vulnerability and Compliance Program

A 360-degree Approach to Securing Public Clouds

Building Bridges and Not Walls – A Shift to Get into DevSecOps


-Alexa Top 1 Million – Additional Analysis

Last week I published my Alexa Top 1 Million crawl for August 2018 and there was some really interesting data in there along with several new metrics covered in the report. Over the months I’ve managed to use my crawler data for further analysis outside the scope of the report and I wanted to cover…


-Modern Security Series: Security In The Land of Microservices


-AppSec Pipeline as Toolbox (S04E05)

This week, we’re joined by Matt Tesauro, a co-lead for the AppSec Pipeline Project. He explains how they began building this project and some ways for you to start using this in your organization




Incidents in the world last week

Other source HERE Find your country

Map of Threat Actors HERE Trends for threats HERE Insider threats? HERE

Home router vulnerabilities exploited for banking credentials

In early August, personal and sensitive information was obtained from customers of Brazil’s largest bank after their home routers were ‘hijacked’.

Victims were unlikely to have been aware of any change resulting from the attack. They selected what appeared to be the correct web page, and were redirected to a convincing fake banking page

Marap and Hermes malware delivered by phishing emails 

Two high-profile phishing campaigns have been recently reported in open sources.

Marap, distributed by the Necurs1 botnet, is a new piece of malware, with modular functions allowing it to download further capabilities after infecting a victim. The phishing emails used to infect users have featured malicious attachments like Word documents or PDF files. To date, Marap has mostly targeted financial institutions


Troy Hunt weekly update



Global ALERT level

BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.

Incidents detail

The Difference Between Sandboxing, Honeypots & Security Deception

A deep dive into the unique requirements and ideal use cases of three important prevention and analysis technologies


Facebook Bug Turned Off SMS 2FA When User Changed Privacy Settings

Journalist Louise Matsakis discovered that a bug in the way Facebook manages privacy setting changes turned off her SMS two-factor authentication (2FA). Matsakis received a notification from Facebook informing her that because her mobile phone number was removed from her account, the company turned off SMS 2FA to prevent her from being locked out. The problem was, Matsakis had not removed her phone number, so she assumed that her account had been hacked. With help from a colleague, Matsakis determined that her account appeared to be fine, and so she switched to a different form of account security. Later, she learned that Facebook has turned off SMS 2FA on her account after she changed the privacy level of her phone number so that it was visible only to her. The bug caused Facebook to believe she had deleted the phone number altogether. Facebook has since addressed the issue.


Any changes to phone numbers or addresses should be confirmed out of band to both the new and the old. Failure to receive an expected message (e.g., one time password) should be viewed as suspicious


The untold story of notpetya, the most devastating cyberattack in history


T-Mobile Hacked — 2 Million Customers’ Personal Data Stolen


Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft

Link HERE Oldie NATO OSINT Handbook HERE What does Google know about you HERE Security in multi-cloud HERE

Ubuntu and CentOS Are Undoing a GNOME Security Feature

Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year.

The feature’s name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME’s thumbnail parsers in July 2017


Google found a major security flaw in the Android Fortnite installer, but it has already been fixed


Details of Cosmos Bank Theft

An in-depth look at the theft of $13.5 million USD from India’s Cosmos Bank earlier this month revealed that the thieves used malware not only to steal the institution’s SWIFT transaction codes, but also to steal customer account information. The theft occurred in several waves; funds were withdrawn from ATMs worldwide, through debit card transactions across India, and were transferred to Hong Kong through fraudulent SWIFT transactions. Researchers from Securonix suggests that North Korea may be behind the thefts


Hacker Discloses Unpatched Windows Zero-Day Vulnerability (With PoC)

Link HERE Acknowledged HERE

Data from 316 million real-world attacks in AWS and Azure environments


Struts POC Exploit Code on GitHub

Proof-of-concept exploit code for the Apache Struts 2 vulnerability disclosed last week has been posted to GitHub. The improper data input validation flaw affects Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The vulnerability appears to be easier to exploit than the Struts flaw that was used in the Equifax breach.


While the specific code has not been confirmed as a working exploit, this reduces the effort needed to develop exploits that do work, re-enforcing the need to patch your struts environment now. Analysis of alternative model-view-controller frameworks should be conducted. Before switching, verify active development and flaw remediation practices are in place


British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents

A shadowy GCHQ unit used several Twitter accounts to try to influence protests in Iran and across the region since 2009


How I recorded user behaviour on my competitor’s websites

Link HERE New online tracking techniques HERE

Smart homes can be easily hacked via unsecured MQTT servers


Stealing Certificates with Apostille

During that talk, they quickly touched on a tool written by Rogan Dawes another @Sensepost-er’s tool called “Apostille”. It is esentially a certificate stealing (cloning? faking? doppelganger-ing?) tool. However, that over simplifies what it does


MITRE CVE refresh

Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding.

After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved

Link HERE and HERE


Research of the week

-The DevOps Guide to Application Security

In this white paper, we’ll describe the high points of who does what and how you can tune or implement an effective Appsec program for DevOps. Elements of a successful Appsec program include:


-Semi-annual balance of mobile security

For Android, malware detections were down 27% compared to the first half of 2017; for iOS, they decreased 15% compared to the same period last year



Tool of the week

-Remember: DefenseCode Web Security Scanner Community Edition


-Instagram Adds 3 New Security Tools to Make its Platform More Secure


-Intercepter-NG – Android App For Hacking


-Using Passport, Bcrypt, Express, & Handlebars in a Nodejs Full-Stack App for User Authentication


-How I Finally Fixed My Parents Dodgy Wifi With AmpliFi




Other interesting articles

Code Review Review is the Manager’s Job

In the classic management book High Output Management Andy Grove argues that “training is the manager’s job” because it’s the highest leverage activity a manager can do to increase the output of their organisation.

It’s still great advice for managers applicable across most teams, but for the manager of the modern software development team the fulcrum point has shifted.

Link HERE How do we code review HERE


Software Architecture: Architect Your Application with AWS

Nowadays, cloud computing has become a central part of any tech company, that includes every company now since most of them can be categorized under “Software as a Service” (SaaS). In this post, I will try to simplify the most important Amazon cloud/web services known as AWS

Link HERE Amazon site HERE


Who owns application security?

In July 2018, F5 released its first annual Application Protection Report. As part of the report, F5 commissioned Ponemon to survey of 3,135 IT security practitioners across the world. The survey collected information about respondent’s application security processes. A key question asked for respondents to name their organization’s primary owner of application risk.

In theory, one would hope that the CISO was the number one answer by far. In reality, the CISO came in fifth place. The top owners of app security were: the CIO/CTO at 26%, Head of Application Development at 21%, and Business Units tying with “no one” at 18%. Surprisingly, CISOs received only 10% of the responses for the application security risk owner. The only choices lower than CISO were Compliance at 5% and Quality Assurance at 1%



Add It Up: DevOps Security Needs More Tooling



Secure your open source components automatically, continuously, and silently

&##GoASQ: General Open Architecture Security Questionnaire

GoASQ is intended to be used as a part of an AppSec (Application Security) review process for applications before they are deployed to production

Links HERE and HERE Oldie HERE Solutions HERE State of open source security HERE


And finally, how to encrypt your entire life in less than an hour

Andy Grove was a Hungarian refugee who escaped communism, studied engineering, and ultimately led the personal computer revolution as the CEO of Intel. He died earlier this year in Silicon Valley after a long fight with Parkinson’s disease.

When one of the most powerful people in the world encourages us to be paranoid, maybe we should listen.

And Grove isn’t the only powerful person urging caution. Even the director of the FBI — the same official who recently paid hackers a million dollars to unlock a shooter’s iPhone — is encouraging everyone to cover their webcams.

But you obey the law. What do you have to worry about? As the motto of the United Kingdom’s surveillance program reminds us, “If you’ve got nothing to hide, you’ve got nothing to fear.”

Well, law-abiding citizens do have reason to fear. They do have reasons to secure their devices, their files, and their communications with loved ones




AppSec Ezine

Must see


Description: How I Hacked BlackHat 2018.


Description: Phone Call to XXE via Interactive Voice Response.

Link HERE and credits to HERE

Leave a Reply

Your email address will not be published. Required fields are marked *