Resources

  • BSides Chicago 2014 Videos – www.irongeek.com
    These are the videos from the BSides Chicago conference. You can watch and download all the videos from here.
  • Q1 2014 Mobile Threat Report – www.f-secure.com
    f-secure’s Mobile Threat Report for Q1 2014 is out! Here’s a couple of the things they cover in it.

Techniques

  • Egress Testing using PowerShell – labofapenetrationtester.com
    Imagine that you pwned a box during a pen test. You want to know if it is possible to acess the internet/other network on any port. This is what egress testing is. You can use the scripts this way.
  • Corrupting the ARM Exception Vector Table – doar-e.github.io
    This article is going to describe how the ARM Exception Vector Table (EVT) can aid in kernel exploitation in case an attacker has a write what-where primitive. It will be covering a local exploit scenario as well as a remote exploit scenario.

Vendor/Software patches

  • Adobe Update Nixes Flash Player Zero Day – krebsonsecurity.com
    Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.
  • Microsoft Issues Fix for IE Zero-Day, Includes XP Users – krebsonsecurity.com
    Microsoft has issued an emergency security update to fix a zer0-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited.

Vulnerabilities

  • New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks -fireeye.com
    FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.
  • Critical Holes in OAuth, OpenID Could Leak Information, Redirect Users -threatpost.com
    A serious vulnerability in the OAuth and OpenID protocols could lead to complications for those who use the services to log in to websites like Facebook, Google, LinkedIn, Yahoo, Microsoft, PayPal among many others. The vulnerability, discovered by Wang Jing, a PhD student in mathematics at the Nanyang Technological University in Singapore, could allow attackers to steal personal data from users and redirect them to questionable sites.

    • Security Flaw Found in OAuth and OpenID, Here’s What It Means for You -lifehacker.com
      A bug has been found in OpenID and OAuth 2.0, two authentication programs that let you log into web sites using your Google, Facebook, and other major accounts. Here’s what you need to know about the security flaw.
    • How Facebook Connect (And Other Social Logins) Can Expose You To Hackers -readwrite.com
      Because of the flaw, an attacker can trick a user into thinking he or she is signing in via Facebook or Google and then redirect them to a malicious website. From there, depending on the level of access granted, it can expose your personal information, your contacts, your friends list, or in the case of Google Apps, stored data.
  • What Apple Missed to Fix in iOS 7.1.1 -andreas-kurtz.de
    Andreas noticed that email attachments within the iOS 7 MobileMail.app are not protected by Apple’s data protection mechanisms. he reported these findings to Apple. They responded that they were aware of this issue.

Other News

  • Hackers Can Mess With Traffic Lights to Jam Roads and Reroute Cars -www.wired.com
    According to one researcher, parts of the vehicle traffic control system installed at major arteries in U.S. cities and the nation’s capital are so poorly secured they can be manipulated to snarl traffic or force cars onto different streets. Cesar Cerrudo, an Argentinian security researcher with IoActive who examined the systems and plans to present his findings at the upcoming Infiltrate conference in Florida.
  • It’s Insanely Easy to Hack Hospital Equipment -www.wired.com
    In a study spanning two years, Erven and his team found drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients.