Resources

  • Louisville Infosec 2014 Videos – irongeek.com
    Here are the videos from the Louisville Infosec 2014 conference. You can download the videos from here.
  • Derbycon 2014 Videos – irongeek.com
    These are the videos of the presentations from Derbycon 2014. You can watch and download the videos from here.
  • Shellshocker! – Episode 029a – in-security.org
    You might have heard something about Shellshock as the details unravel, so the InSecurity Show is trying to give you some insight into what you might be hearing. In this important message from your friendly computer information security podcast producers, they cover the nature of the new Shellshock exploit, the threats it poses, and the available solutions.

  • tinyCTF 2014 write-ups – github.com
    This is a tiny “Capture The Flag” game that PoeRhiza put together, since it’s so hard to explain what a (jeopardy style) CTF really feels like. You will enjoy some of the challenges. All flags have a format of flag{%s} % (funny_key_here). Gotta catch ’em all!
  • Anatomy of a Compromised Site: 7,000 Victims in Two Hours – blog.trendmicro.com
    Earlier this year the Trend Micro blog discussed how Gizmodo’s Brazilian site was compromised and used to spread online banking malware to approximately 7,000 victims in a two-hour span. The video here describes how the attack was carried out.

Tools

Techniques

  • NoSQL SSJI Authentication Bypass – blog.imperva.com
    Following Barry Shteiman’s previous post on SSJI, he received many questions requesting more details and techniques on how applications that use a big data back end may be vulnerable, and whether he could give some viable examples. Here are the techniques.
  • Do You Trust Your Computer? – blog.logrhythm.com
    Greg Foss is not going to talk about getting shells or pivoting in this post; instead, he wants to look into other abuses of functionality that are possible in the enterprise. One of his favorite attack vectors is imitating a legitimate service, program, etc. and using this to gain privileged access to resources.

Vendor/Software patches

  • Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and ’78) – lcamtuf.blogspot.com
    The patch that implements a prefix-based way to mitigate vulnerabilities in bash function exports has been out since last week and has already been picked up by most Linux vendors (plus by Apple). So, here’s a quick overview of the key developments along the way, including two really interesting things: proof-of-concept test cases for two serious, previously non-public RCE bugs tracked as CVE-2014-6277 and CVE-2014-6278.

  • VMware Begins to Patch Bash Issues Across Product Line – threatpost.com
    Virtualization firm VMware issued a progress report on fixes for four different types of products as they relate to the bug on Monday. According to yesterday’s security advisory, it’s currently in the middle of developing a patch for all but one of 38 different virtual appliance products, all of which run on Linux and are shipped with an affected version of Bash.

Vulnerabilities

  • Shellshock/Bash Bug vulnerability
    • Inside Shellshock: How hackers are using it to exploit systems – blog.cloudflare.com
      On Wednesday of last week, details of the Shellshock bash bug emerged. This bug started a scramble to patch computers, servers, routers, firewalls, and other computing appliances using vulnerable versions of bash. CloudFlare immediately rolled out protection for Pro, Business, and Enterprise customers through their Web Application Firewall.
    • OpenVPN Vulnerable To Shellshock Exploit – darknet.org.uk
      A certain combination of circumstances and configuration options can leave OpenVPN vulnerable to Shellshock. The OpenVPN systems will only be vulnerable if /bin/sh points to /bin/bash and if they don’t use an alternative (more suitable) shell like ash/dash.
    • OpenVPN ShellShock PoC – pastebin.com
      OpenVPN ShellShock PoC based on Fredrik Strömberg’s HN post, verified by @fj33r.

Other News

  • JPMorgan Chase Hacking Affects 76 Million Households – dealbook.nytimes.com
    A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.

  • The Unpatchable Malware That Infects USBs Is Now on the Loose – wired.com
    It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack.
  • Cops Are Handing Out Spyware to Parents—With Zero Oversight – wired.com
    Police departments around the country have been distributing thousands of free copies of spyware to parents to monitor their children’s activity, a fact that’s come to light in the wake of a federal indictment this week against the maker of one commercial spyware tool on wiretapping charges.