Week 13 In Review – 2014

Resources

  • iOS Application Security Part 32 – Automating Tasks With iOS Reverse Engineering Toolkit (iRET) – highaltitudehacks.com
    In this article, we will talk about a new tool named iOS Reverse Engineering Toolkit (iRET) that has just been released to assist penetration testers in automating most of the tasks involved in a iOS penetration test. The project is developed and maintained by @S3Jensen.
  • New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers – community.rapid7.com
    Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing the total module count up to 1,974.
  • Using FuzzDB for Testing Website Security – blog.mozilla.org
    After posting an introduction to FuzzDB amuntner received the suggestion to write more detailed walkthroughs of the data files and how they could be used during black-box web application penetration testing. This article highlights some of his favorite FuzzDB files and discusses ways he’ve used them in the past.
  • iManual for (pen)testing the security of IPv6 – www.tno.nl
    This report is meant as a starting point for IPv6 penetration tests and provides an overview of possible weeknesses and vulnerabilities that an implementation can be tested for.
  • Hack whack and smack – hackwhackandsmack.com
    A platform for pentesting, scripting and other fun.
  • BlackHat Asia USB Physical Access – nccgroup.com
    NCC Group Research Director Andy Davis presented ‘USB Attacks Need Physical Access Right? Not Any More…’ at this year’s BlackHat Asia in Singapore. Download it from here.
  • Unmasking “Free” Premium WordPress Plugins – blog.sucuri.net
    In this post, Denis Sinegubko talked about “patched” malicious premium plugins. He’ll talk about what they do, how they work, and about websites that build their businesses around stolen WordPress themes and plugins.
  • Cursory Evaluation of the Tesla Model S: We Can’t Protect Our Cars Like We Protect Our Workstations – dhanjani.com
    The purpose of this document is to outline the mechanisms by which the Tesla Model S communicates with car owners and the Tesla infrastructure using a variety of TCP/IP mechanisms. The goal of this document is to advise the owners on security issues they should be aware of as well as to kick off a dialogue between security researchers and Tesla Motors that will ultimately drive deeper analysis and assurance.

Vulnerabilities

  • Microsoft: 0Day Exploit Targeting Word, Outlook – krebsonsecurity.com
    Microsoft warned today that attackers are exploiting a previously unknown security hole in Microsoft Word that can be used to foist malicious code if users open a specially crafted text file, or merely preview the message in Microsoft Outlook.
  • Prezi Got Pwned: A Tale of Responsible Disclosure – engineering.prezi.com
    For purposes of reference, Prezi runs a Bug Bounty Program that invites attacks like the one detailed here.
  • WiFi Bug Plagues Philips Internet-Enabled TVs – threatpost.com
    Some versions of Philips’ internet-enabled SmartTVs are vulnerable to cookie theft and a mélange of other tricks that abuse a lax WiFi setting.The vulnerability allows anyone within range of the device’s WiFi adapter to connect to the TV and access its many features.
  • GUI Vulnerabilities Expose Information Disclosure, Privilege Escalation – threatpost.com
    Developers are creating countless information disclosure and privilege escalation vulnerabilities by misusing elements of various graphical user interfaces as a mechanisms for access control, according to a new research paper from the Northeastern University College of Computer and Information Science.
  • JCE Joomla Extension Attacks – blog.spiderlabs.com
    Spiderlab’s web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability.You can read SpiderLabs’ full analysis here.

    • JCE Joomla Extension Attacks in the Wild – blog.sucuri.net
      Sucuri team have been tracking this vulnerability, and exploit attempts related to it, in the “Wild” for a while and after reading the SpiderLabs report they exported their data for it and generated a quick graph where they could see a big bump in the number of exploit attempts over the last few weeks.

Other News

  • ATM Attack Uses SMS To Dispense Cash – techweekeurope.co.uk
    Cyber-attackers have developed a technique for robbing ATMs of cash using a piece of code that can be activated simply by sending a text message, according to security firm Symantec.The technique targets a particular brand of ATM that Symantec didn’t identify, but the company warned that such techniques are part of a wider problem.
  • In rare move, banks sue Target’s security auditor – csoonline.com
    Two banks that claim to have suffered losses from the recent data breach at Target have sued Trustwave Holdings Inc., the company that was responsible for validating Target’s compliance with the Payment Card Industry Data Security Standard.
  • Full Disclosure List Rises From the Ashes For Fresh Start – threatpost.com
    Fyodor, the creator of the Nmap network scanner, has stepped in and started a new version of Full Disclosure that will carry on in the same vein as the original list.
2017-03-12T17:39:32-07:00 March 31st, 2014|Security Tools, Security Vulnerabilities, Site News, Week in Review|0 Comments

Leave A Comment