Word of the week “Synesthesia”
Detecting Screen Content via Remote Acoustic Side Channels – And you thought you were safe behind your laptop screen…
We show that subtle acoustic noises emanating from within computer screens can be used to detect the content displayed on the screens. This sound can be picked up by ordinary microphones built into webcams or screens, and is inadvertently transmitted to other parties, e.g., during a videoconference call or archived recordings. It can also be recorded by a smartphone or “smart speaker” placed on a desk next to the screen, or from as far as 10 meters away using a parabolic microphone. Empirically demonstrating various attack scenarios, we show how this channel can be used for real-time detection of on-screen text, or users’ input into on-screen virtual keyboards. We also demonstrate how an attacker can analyze the audio received during a video call (e.g., on Google Hangout) to infer whether the other side is browsing the web in lieu of watching the video call, and which web site is displayed on their screen.
Word of the week special “Franken-algorithms”
The deadly consequences of unpredictable code
PWA – Progressive web application
The best name for digging up developer errors still is: Christopher Null
Crypto challenge of the week
Remember: Praetorian security challenges – solve and get hired
Few false ideas have more firmly gripped the minds of so many intelligent people than the one that, if they just tried, they could invent a cipher that no one could break.
The objective of this challenge is to make your way through our eight crypto challenges. These levels cover a wide range of topics, from steganography to cryptographic attacks.
May 25th: GDPR Live! See incidents section below – Data breaches and GDPR HERE
June 30th: TLS1.1 mandatory for PCI-DSS compliance BEWARE!
Now: TLS1.2 mandatory for proper security
Now: HTTPS mandatory
HTTPS Is Easy!
Probably the easiest guide on how to add HTTPS to your website for free using @Cloudflare
HTTPS everywhere HERE
August – Holidays over!!
September 21st: SEC Bitcoin ETF
March 29th 2019: Brexit
Sept 2019: PSD2 security mandatory
Comic of the week
Some OWASP stuff first
-OWASP London meetup today (news next week) and next week again
The event next week hosted by Facebook:
- “Bug Hunting Beyond facebook.com” – Jack Whitton
Facebook’s Whitehat bug bounty program receives 1000’s of security bug reports annually, covering a wide range of issues and products. Come listen to some of the interesting bugs Facebook’s Whitehat program team handled over the past year, and some pro-tips when looking for bugs outside of “facebook.com”.
- Lightning Talk – “Open Source for Young Coders” – Hackerfemo
Inspirational 12 year old Hackerfemo will tell us all about how open source helps him run coding and robot workshops for 10-16 year olds throughout the world.
- “Reviewing and Securing React Applications” – Amanvir Sangha
As developers start using front-end frameworks such as React they must be made aware of any related security issues. Whilst React provides developers with proactive measures such as output encoding, there still exist edge cases which can lead to cross-site scripting issues. This talk explores common security issues in the framework and how to defend against them
- Lightning Talk – “Introducing OWASP Amass Project” – Jeff Foley (remote)
Jeff will introduce the OWASP Amass project – a tool which obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. All the information is then used to build maps of the target networks.
Welcome to Bugcrowd University! Join us for free and begin your journey to become a white hat hacker. Bugcrowd University was created to help you learn the basics of hacking and bug bounty hunting.
-CONFidence Poland 2018 presentations – thanks to Sylwester
-Cloudsec2018 in London
CLOUDSEC is back and the rise of AI, and its challenge to human intelligence, is the theme of the day. Will machines out-smart their creators?
-Black Hat USA 2018 Best Practices Videos
-Alexa Top 1 Million – Additional Analysis
Last week I published my Alexa Top 1 Million crawl for August 2018 and there was some really interesting data in there along with several new metrics covered in the report. Over the months I’ve managed to use my crawler data for further analysis outside the scope of the report and I wanted to cover…
-Modern Security Series: Security In The Land of Microservices
-AppSec Pipeline as Toolbox (S04E05)
This week, we’re joined by Matt Tesauro, a co-lead for the AppSec Pipeline Project. He explains how they began building this project and some ways for you to start using this in your organization.
Incidents in the world last week
Other source HERE – find your country
Home router vulnerabilities exploited for banking credentials
In early August, personal and sensitive information was obtained from customers of Brazil’s largest bank after their home routers were ‘hijacked’.
Victims were unlikely to have been aware of any change resulting from the attack. They selected what appeared to be the correct web page, and were redirected to a convincing fake banking page.
Marap and Hermes malware delivered by phishing emails
Two high-profile phishing campaigns have been recently reported in open sources.
Marap, distributed by the Necurs botnet, is a new piece of malware, with modular functions allowing it to download further capabilities after infecting a victim. The phishing emails used to infect users have featured malicious attachments like Word documents or PDF files. To date, Marap has mostly targeted financial institutions.
Troy Hunt weekly update
Global ALERT level
BLUE or GUARDED indicates a general risk of increased hacking, virus, or other malicious activity. The potential exists for malicious cyber activities, but no known exploits have been identified, or known exploits have been identified but no significant impact has occurred.
The Difference Between Sandboxing, Honeypots & Security Deception
A deep dive into the unique requirements and ideal use cases of three important prevention and analysis technologies.
Facebook Bug Turned Off SMS 2FA When User Changed Privacy Settings
Journalist Louise Matsakis discovered that a bug in the way Facebook manages privacy setting changes turned off her SMS two-factor authentication (2FA). Matsakis received a notification from Facebook informing her that because her mobile phone number was removed from her account, the company turned off SMS 2FA to prevent her from being locked out. The problem was, Matsakis had not removed her phone number, so she assumed that her account had been hacked. With help from a colleague, Matsakis determined that her account appeared to be fine, and so she switched to a different form of account security. Later, she learned that Facebook had turned off SMS 2FA on her account after she changed the privacy level of her phone number so that it was visible only to her. The bug caused Facebook to believe she had deleted the phone number altogether. Facebook has since addressed the issue.
Any changes to phone numbers or addresses should be confirmed out of band to both the new and the old. Failure to receive an expected message (e.g., a one-time password) should be viewed as suspicious.
The untold story of notpetya, the most devastating cyberattack in history
T-Mobile Hacked — 2 Million Customers’ Personal Data Stolen
Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft
Ubuntu and CentOS Are Undoing a GNOME Security Feature
Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year.
The feature’s name is Bubblewrap, a sandbox environment that the GNOME Project added to secure GNOME’s thumbnail parsers in July 2017.
Google found a major security flaw in the Android Fortnite installer, but it has already been fixed
Details of Cosmos Bank Theft
An in-depth look at the theft of $13.5 million USD from India’s Cosmos Bank earlier this month revealed that the thieves used malware not only to steal the institution’s SWIFT transaction codes, but also to steal customer account information. The theft occurred in several waves; funds were withdrawn from ATMs worldwide, through debit card transactions across India, and were transferred to Hong Kong through fraudulent SWIFT transactions. Researchers from Securonix suggest that North Korea may be behind the thefts.
Hacker Discloses Unpatched Windows Zero-Day Vulnerability (With PoC)
Data from 316 million real-world attacks in AWS and Azure environments
Struts POC Exploit Code on GitHub
Proof-of-concept exploit code for the Apache Struts 2 vulnerability disclosed last week has been posted to GitHub. The improper data input validation flaw affects Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The vulnerability appears to be easier to exploit than the Struts flaw that was used in the Equifax breach.
While the specific code has not been confirmed as a working exploit, this reduces the effort needed to develop exploits that do work, reinforcing the need to patch your Struts environment now. Analysis of alternative model-view-controller frameworks should be conducted. Before switching, verify that active development and flaw remediation practices are in place.
British Spies Used a URL Shortener to Honeypot Arab Spring Dissidents
A shadowy GCHQ unit used several Twitter accounts to try to influence protests in Iran and across the region since 2009.
How I recorded user behaviour on my competitor’s websites
Smart homes can be easily hacked via unsecured MQTT servers
Stealing Certificates with Apostille
During that talk, they quickly touched on a tool written by Rogan Dawes, another @Sensepost-er, called “Apostille”. It is essentially a certificate stealing (cloning? faking? doppelganger-ing?) tool. However, that over-simplifies what it does.
MITRE CVE refresh
Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding.
After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved.
Research of the week
-The DevOps Guide to Application Security
In this white paper, we’ll describe the high points of who does what and how you can tune or implement an effective Appsec program for DevOps. Elements of a successful Appsec program include:
-Semi-annual balance of mobile security
For Android, malware detections were down 27% compared to the first half of 2017; for iOS, they decreased 15% compared to the same period last year.
Tool of the week
-Remember: DefenseCode Web Security Scanner Community Edition
-Instagram Adds 3 New Security Tools to Make its Platform More Secure
-Intercepter-NG – Android App For Hacking
-Using Passport, Bcrypt, Express, & Handlebars in a Nodejs Full-Stack App for User Authentication
-How I Finally Fixed My Parents Dodgy Wifi With AmpliFi
Other interesting articles
Code Review Review is the Manager’s Job
In the classic management book High Output Management Andy Grove argues that “training is the manager’s job” because it’s the highest leverage activity a manager can do to increase the output of their organisation.
It’s still great advice for managers applicable across most teams, but for the manager of the modern software development team the fulcrum point has shifted.
Software Architecture: Architect Your Application with AWS
Nowadays, cloud computing has become a central part of any tech company, which now includes nearly every company, since most of them can be categorized under “Software as a Service” (SaaS). In this post, I will try to simplify the most important Amazon cloud/web services, known as AWS.
Who owns application security?
In July 2018, F5 released its first annual Application Protection Report. As part of the report, F5 commissioned Ponemon to survey 3,135 IT security practitioners across the world. The survey collected information about respondents’ application security processes. A key question asked respondents to name their organization’s primary owner of application risk.
In theory, one would hope that the CISO was the number one answer by far. In reality, the CISO came in fifth place. The top owners of app security were: the CIO/CTO at 26%, Head of Application Development at 21%, and Business Units tying with “no one” at 18%. Surprisingly, CISOs received only 10% of the responses for the application security risk owner. The only choices lower than CISO were Compliance at 5% and Quality Assurance at 1%.
Add It Up: DevOps Security Needs More Tooling
Secure your open source components automatically, continuously, and silently
GoASQ: General Open Architecture Security Questionnaire
GoASQ is intended to be used as a part of an AppSec (Application Security) review process for applications before they are deployed to production.
And finally, how to encrypt your entire life in less than an hour
Andy Grove was a Hungarian refugee who escaped communism, studied engineering, and ultimately led the personal computer revolution as the CEO of Intel. He died earlier this year in Silicon Valley after a long fight with Parkinson’s disease.
When one of the most powerful people in the world encourages us to be paranoid, maybe we should listen.
And Grove isn’t the only powerful person urging caution. Even the director of the FBI — the same official who recently paid hackers a million dollars to unlock a shooter’s iPhone — is encouraging everyone to cover their webcams.
But you obey the law. What do you have to worry about? As the motto of the United Kingdom’s surveillance program reminds us, “If you’ve got nothing to hide, you’ve got nothing to fear.”
Well, law-abiding citizens do have reason to fear. They do have reasons to secure their devices, their files, and their communications with loved ones.
HACKING, TOOLS and FUN – CHECK BELOW!
Description: How I Hacked BlackHat 2018.
Description: Phone Call to XXE via Interactive Voice Response.