Hello, welcome to the Wednesday, June 7th, 2017 edition of the Sands and at Storm Center's

Stormcast. My name is Johannes Orich, and today I'm recording from Washington, D.C.

Yesterday, D.D.D.A. promised a second part to his Ex-Or diary. Now, today he delivered on this promise,

and he provided a Python script that will help you

extract the XR key used to encode binaries. Now this was written mostly with PE executables in mind,

but I believe the script can actually work for other binaries as well, since it sort

of tries to look for these repeating patterns that typically show up when you are using

an XR key to encode a file that contains several parts that are all null.

So give it a try and let the DA know how it works for you. It will

actually give you multiple possible keys if it can't really figure out one particular key

that definitely works. Now it was a few years ago that sightjacking was a big deal and became really sort of a very popular exploit with the

Firefox Fire Sheep extension, if anybody remembers.

Sidejacking refers to the idea where the login page itself is using HTTP, but later,

of course, a cookie is used to authenticate the user and

if this cookie is sent over HTTP, someone can easily intercept it and use it.

Fire Sheep was the Firefox extension that really made this tag mainstream and very

easy to perform. Well since then most sites like

Facebook for example which was a big target went to all HDPS where every single

request is supposed to use HTTP or so you thought well appears that

Facebook and Instagram aren't really all

HTTP. Turns out that Instagram stories, which have gotten popular recently, are transmitted

from mobile devices via HTTP, not HTTP. This is in particular interesting since Instagram stories were in part being introduced

...