Issue 57

 

Flaw found in LastPass’ Authenticator app

This blog post details a flaw in LastPass Authenticator, their Google Authenticator-like app (not the main vault application). It took LastPass over six months to fix it. In a blog post LastPass says that's because the app isn't part of their standard bug bounty program, so there was no process for handling the vulnerability report. Way to go guys.
hackernoon.com

 

Ancestry.com related RootsWeb service exposed user data

It was found that 300,000 usernames, email addresses and passwords had been exposed. Ancestry has taken the RootsWeb site offline until it can fix the problem.
threatpost.com

 

Flaws found in Sonos and Bose smart speakers

The speakers expose their status and configuration pages to anyone who can reach them on the network, so someone on your Wi-Fi, or anyone online if you expose your speaker to the Internet for some weird reason, can use them for reconnaissance. Or for pranks, apparently, like playing ghost noises.
bleepingcomputer.com

 

Snowden-backed app 'Haven' turns your phone into a security system

It's an app that alerts you to things like movement and sound. It's meant, for example, to monitor the hardware you left behind in your hotel room.
wired.com

 

Opera 50 to come with cryptocurrency mining blocker

More and more websites embed scripts that make the visitor's browser mine cryptocurrency for them (known as 'cryptojacking'). Opera 50 will ship a feature, dubbed 'NoCoin', that blocks these scripts.
hackread.com

 

Twitter adds Google Auth-like two-factor authentication

Good news, as they previously only supported SMS-based 2FA, which is exposed to SIM swapping and SS7 interception. Authenticator apps instead derive time-based one-time codes (TOTP) from a secret shared once at enrollment, so no code ever travels over the phone network.
tripwire.com

 

Troy Hunt: HTTPS on your landing page is important

He makes the excellent point that securing only your login page with HTTPS is not enough: if the landing page is served over plain HTTP, a man-in-the-middle can rewrite the 'login' button to point at a phishing site before the user ever reaches the HTTPS page. Obvious, because it is, but easy to neglect.
troyhunt.com
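The attack is easier to picture in code. The following is an added example, not from Troy Hunt's post: a constructed HTTP landing page whose login button points at an HTTPS login page, a simulation of what an on-path attacker can do to that HTTP response, and a small audit that flags the conditions the post warns about (page not on HTTPS, no HSTS, and any link or form that ends up on plain HTTP). The hostnames and function names are mine.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Constructed sample: landing page on plain HTTP, login link on HTTPS. The login page
# is fine on its own; the unprotected landing page is what the attacker targets.
LANDING_URL = "http://www.example.com/"
LANDING_HTML = """<html><body>
<h1>Welcome to Example</h1>
<a href="https://www.example.com/login">Log in</a>
<form action="https://www.example.com/search" method="get"><input name="q"></form>
</body></html>"""


class _TargetCollector(HTMLParser):
    """Collects every navigation or submission target on the page: <a href> and <form action>."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(("a", a["href"]))
        elif tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))


def mitm_rewrite(html: str, phishing_host: str) -> str:
    """Simulates an active attacker on the path of the HTTP response: every https:// origin
    in the page becomes a plain-HTTP link to the attacker's host with the same path, so the
    'Log in' button now leads to the phishing site. No TLS was broken; the landing page had none."""
    return re.sub(r'https://[^/"\']+', "http://" + phishing_host, html)


def audit_landing_page(page_url: str, headers: Dict[str, str], html: str) -> List[str]:
    """Returns the findings a landing-page check should raise. An empty list means the page
    is served over HTTPS, sets HSTS, and every link and form target stays on HTTPS."""
    findings: List[str] = []
    origin = urlsplit(page_url)
    if origin.scheme != "https":
        findings.append(f"page served over {origin.scheme}: a MITM can rewrite any link on it")
    if "strict-transport-security" not in {k.lower() for k in headers}:
        findings.append("no Strict-Transport-Security header: returning visitors can be downgraded")
    collector = _TargetCollector()
    collector.feed(html)
    for kind, target in collector.targets:
        resolved = urlsplit(urljoin(page_url, target))  # relative links inherit the page scheme
        if resolved.scheme != "https":
            findings.append(f"<{kind}> target {resolved.geturl()} is not https")
    return findings


if __name__ == "__main__":
    for finding in audit_landing_page(LANDING_URL, {}, LANDING_HTML):
        print("before attack:", finding)
    phished = mitm_rewrite(LANDING_HTML, "login-example.com")
    for finding in audit_landing_page(LANDING_URL, {}, phished):
        print("after attack: ", finding)
```

Note that the original page passes the per-link check (every target is HTTPS) and still fails the audit: the finding that matters is the scheme of the landing page itself, which is exactly the case the post describes.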

 

7 ways admins can help secure accounts against phishing in G Suite

Great list of security measures G Suite admins can take against phishing, including some I didn't know about yet, like the Password Alert Chrome extension, which detects Google credentials being entered on non-Google sites.
blog.google

 

DerbyCon 2017 CTF write-up

An older article, but I found it a fun read to get an idea of how one tackles a CTF (Capture The Flag) exercise at a hacker conference.
nettitude.com

 

GAUNTLT - Security testing framework

This seems like a pretty cool thing to try out. It's a framework in which you write feature tests for your application in Gherkin ('Given/When/Then' scenarios, as in Cucumber), but focused on security: things like "when I launch an nmap attack, the output should match <x>", so a scan that finds an unexpected open port fails the build.
gauntlt.org
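Gauntlt's own attack files are Gherkin, not Python; the following is an added example of the same idea in plain Python (not Gauntlt code and not from gauntlt.org): a constructed `nmap -F` output, a parser for its port table, and the two assertions a security feature test usually makes, "this pattern must appear" and "nothing is open beyond the allowed set". The `run_attack` helper is mine and only shells out when you actually run the script against a host.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Set

# Constructed sample of what `nmap -F app.example.com` prints, so the checks run offline.
SAMPLE_NMAP_OUTPUT = """Starting Nmap 7.70 ( https://nmap.org )
Nmap scan report for app.example.com (192.0.2.10)
Host is up (0.012s latency).
Not shown: 96 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
3306/tcp open     mysql
Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


def parse_ports(nmap_output: str) -> Dict[int, str]:
    """Maps port number -> state ('open', 'closed', 'filtered', ...) from nmap's normal output."""
    return {int(port): state for port, _proto, state, _svc in PORT_LINE.findall(nmap_output)}


def output_should_match(nmap_output: str, pattern: str) -> bool:
    """The 'Then the output should match /.../' style assertion."""
    return re.search(pattern, nmap_output) is not None


def unexpected_open_ports(nmap_output: str, allowed: Set[int]) -> Set[int]:
    """The policy check: every open port that is not on the allow-list is a finding."""
    return {port for port, state in parse_ports(nmap_output).items()
            if state == "open" and port not in allowed}


def run_attack(argv: List[str]) -> str:
    """Runs the tool and returns its stdout; the 'Given \"nmap\" is installed' precondition."""
    if shutil.which(argv[0]) is None:
        raise RuntimeError(f"{argv[0]} is not installed")
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Replace the constructed sample with run_attack(["nmap", "-F", "app.example.com"]) for a real scan.
    output = SAMPLE_NMAP_OUTPUT
    assert output_should_match(output, r"80/tcp\s+open")
    extra = unexpected_open_ports(output, allowed={22, 80, 443})
    if extra:
        raise SystemExit(f"FAIL: unexpected open ports {sorted(extra)}")
    print("PASS: only expected ports open")
```

Run as written, the script fails on port 3306, which is the point: the database port being reachable from the scanning host is the kind of regression a security feature test is there to catch before a release does.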

 

Sponsorship

Exploiting blind XSS and second order SQL injection vulnerabilities

Watch this technical demo by Netsparker's CEO Ferruh Mavituna, in which he explains blind XSS and second-order SQL injection vulnerabilities and shows how attackers exploit them.
netsparker.com