Events Related

Resources

  • Car Hacking 2: The Content – blog.ioactive.com
    Does everyone remember when those two handsome young gentlemen controlled automobiles with CAN message injection? However, what if you don’t have the resources to purchase a car, pay for insurance, repairs to the car, and so on?
  • HeartBleed slides – malwarejake.blogspot.com
    Better (more complete) slides and other material available here.
  • SOURCE Boston 2014: idb – iOS Blackbox Pentesting – speakerdeck.com
    More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this talk, Daniel’s team review common iOS mobile app flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications.
  • M-Trends 2014 Threat Report Revealed – www.mandiant.com
    The fifth installment of Mandiant’s annual threat report, M-Trends has arrived! You can download the latest report, “M-Trends: Beyond the Breach”, here.
  • Notacon 11 (2014) Videos – www.irongeek.com
    These are the videos from the 11th Notacon conference held April 10th-13st, 2014.

Tools

  • Capstone – www.capstone-engine.org
    Capstone is a lightweight multi-platform, multi-architecture disassembly framework.Their target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.
  • OWASP ZAP 2.3.0 – wasp.blogspot.com
    OWASP ZAP 2.3.0 is now available. There are a large number of changes in this release, so this post will just give a high level overview of some of the most significant changes

Vulnerabilities

  • The Heartbleed Bug – heartbleed.com
    The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

    • Heartbleed test – filippo.io
      Enter a URL or a hostname to test the server for CVE-2014-0160.
    • Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping – arstechnica.com
      Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.
    • OpenSSL 1.0.1 Heartbleed Vulnerability –
      [Critical Vulnerability] – www.r00tsec.com
      The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
    • hb-test.py – gist.github.com
      Here is OpenSSL heartbeat PoC with STARTTLS support.
    • openssl_heartbleed.rb – github.com
      Here is a module about openssl heartbleed. This module requires Metasploit.
    • Yet Another HeartBleed – penturalabs.wordpress.com
      This Heartbleed Information Disclosure Vulnerability has pretty much been covered all over the internet on 8th April 2014. As a one-page-stop summary, please read this.
    • Heartbleed Bug Impacts Mobile Devices – bluebox.com
      Another SSL vulnerability has been disclosed and released to the public. This one is referenced as CVE-2014-0160 or as it is commonly be called the Heartbleed bug due the leaking of information from heartbeat messages an SSL/TLS connection produces. How does this relate to mobile devices?
    • Gaping SSL? My Heartbleeds – community.rapid7.com
      As you may already know, a vulnerability affecting OpenSSL was reported and it most likely affects your organization. The “Heartbleed” SSL vulnerability affects widely deployed versions of the OpenSSL library, which is used in the majority of software, including web-, email-, database- and chat-servers.
    • heartattack.py – bitbucket.org
      CVE-2014-0160 exploit PoC, Originally from test code by Jared Stafford (jspenguin@jspenguin.org), Adapted by Johan Nestaas.
    • Why you should care about the OpenSSL heartbleed vulnerability – research.zscaler.com
      researchers from Google and Codenomicon made quite a splash when they revealed details of a vulnerability in OpenSSL’s implementation of the heartbeat extension, which they have affectionately dubbed heartbleed. Why is this such a big deal?
    • Everything you need to know about the Heartbleed SSL bug – troyhunt.com
      Massive. Huge. Catastrophic. These are all headlines troyhunt had seen on april 9 that basically say we’re now well and truly screwed when it comes to security on the internet.
    • Why heartbleed doesn’t leak the private key [retracted] – blog.erratasec.com
      So as it turns out, Robert Graham completely messed up reading the code. He don’t see how, but he read it one way.
    • Heartbleed Bug Poses Serious Threat to Unpatched Servers – symantec.com
      Heartbleed, or the OpenSSL TLS ‘heartbeat’ Extension Information Disclosure Vulnerability (CVE-2014-0160), affects a component of OpenSSL known as Heartbeat. OpenSSL is one of the most widely used, open source implementations of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
    • OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products – tools.cisco.com
      Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
    • The Heartbleed Hit List: The Passwords You Need to Change Right Now – mashable.com
      An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook.
    • Heartbleed Bug Impacts Mobile Update – bluebox.com
      Bluebox Labs has updated the original Heartbleed Scanner application to determine if your Android applications or your Android OS are vulnerable to the Heartbleed bug.
    • WhiteHat Security Observations and Advice about the Heartbleed OpenSSL Exploit – blog.whitehatsec.com
      The Heartbleed SSL attack is one of the most significant, and media-covered, vulnerabilities affecting the Internet in recent years. According to Netcraft, 17.5% of SSL-enabled sites on the Internet were vulnerable to the Heartbleed SSL attack just prior to its disclosure.
    • How the heartbleed bug works. – xkcd.com
      Heartbleed explained in details here.
    • Hacker successfully uses Heartbleed to retrieve private security keys – theverge.com
      This morning, content distribution network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared.
    • Testing for Heartbleed vulnerability without exploiting the server. – blog.mozilla.org
      Heartbleed is a serious vulnerability in OpenSSL that was disclosed on Tuesday, April 8th, and impacted any sites or services using OpenSSL 1.01 – 1.01.f and 1.0.2-beta1.
    • 8 Tips For Dealing With Heartbleed Right Now – researchcenter.paloaltonetworks.com
      There’s a lot out there already about what Heartbleed means for the Web and beyond, and I’ll point you to our own analysis written by Scott Simkin or an essay by Dan Goodin over at ars technica for that explanation.