Events Related

  • Inside BlackHat Europe 2014 – blog.fortinet.com
    The conference started with Adi Shamir’s keynote. Axelle Apvrille was delighted to hear such a brilliant mind as Adi Shamir speak. In this blog post, Axelle gives a personal opinion on some of the best talks attended.

Resources

  • Social-Engineer, Inc. Releases Annual Report on DEF CON 22 Social Engineering Capture the Flag (SECTF) Contest – social-engineer.org
    Social-Engineer, Inc., the leader in social engineering security testing, awareness and training, announced the release of the fifth annual Social-Engineer Capture the Flag Report, compiled from the Social-Engineer Capture the Flag competition at DEF CON 22. You can download the report from here.
  • Bsidesdc – twitter.com
    Tim tweeted the first half of the #sdr class from @bsidesdc: a 100 MB archive of GRC files plus a worksheet. You can download it from here.
  • CurrentC Is The Big Retailers’ Clunky Attempt To Kill Apple Pay And Credit Card Fees – techcrunch.com
    A company called MCX (Merchant Customer Exchange), spearheaded by Walmart, was started to build a mobile payment solution that has become an app called CurrentC; it is preparing to launch and is already in the app stores.
  • Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide – firstlook.org
    When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. First Look Media are publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team.
  • Inside Spying-FinSpy for Android – twitter.com
    Morgan Mayhem tweeted: Presentation from #hacklu shows the FinFisher victim hijack and fake server technique.

Tools

  • In AppSec, ‘Fast’ Is Everything – darkreading.com
    The SAST and DAST tools that were invented over a decade ago are no longer viable approaches to application security. The future is unquestionably going to demand better application security, and that means that software development organizations must cultivate a culture and technology stack that encourages developers and security specialists to work together to build great software. And that means tools must be “fast.”

Techniques

  • How to leak sensitive data from an isolated computer (air-gap) to a nearby mobile phone – AirHopper – cyber.bgu.ac.il
    Security researcher Mordechai Guri, with the guidance of Prof. Yuval Elovici from the cyber security labs at Ben-Gurion University in Israel, presented at the 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014) in Puerto Rico a breakthrough method (“AirHopper”) for leaking data from an isolated computer to a mobile phone without any network connection.
  • Detecting and Exploiting the HTTP PUT Method – smeegesec.com
    This blog post goes over various ways to detect whether a web server accepts the PUT method, how to successfully complete a PUT request, and how to set up a test web server that accepts PUT.

Vulnerabilities

  • R7-2014-15: GNU Wget FTP Symlink Arbitrary Filesystem Access – community.rapid7.com
    GNU Wget is a command-line utility designed to download files via HTTP, HTTPS, and FTP. Wget versions prior to 1.16 are vulnerable to a symlink attack (CVE-2014-4877) when running in recursive mode with an FTP target. The issue was discovered by HD Moore of Rapid7 and was disclosed to both the upstream provider of Wget and CERT/CC, as detailed here.
  • Hackers swipe e-mail addresses from Apple Pay-competitor CurrentC – arstechnica.com
    Merchant Customer Exchange (MCX), a retailer-backed consortium, received a lot of attention this weekend when CVS and Rite Aid suddenly stopped accepting payments from systems like Google Wallet and Apple Pay. MCX is developing its own mobile payments system called CurrentC. On Wednesday, however, people who signed up to be on the forefront of the CurrentC launch were sent an e-mail saying that their e-mail addresses had been stolen.
  • Attackers Exploit Drupal Vulnerability – inforisktoday.co.uk
    A mass, automated attack has potentially exploited a vulnerability that exists in the majority of websites running the popular Drupal content management system. Drupal further warns website administrators that if they did not apply the patch themselves but somehow find themselves running the patched version, attackers have compromised the machine and installed the update.
  • Reversing D-Link’s WPS Pin Algorithm – devttys0.com
    While perusing the latest firmware for D-Link’s DIR-810L 80211ac router, Craig found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers.
  • Password hash disclosure in Linksys Smart WiFi routers – sijmen.ruwhof.net
    This is Sijmen Ruwhof’s tale about reporting a specific security vulnerability in a major product, written to give some insight into how responsible disclosures are handled by a security researcher and various software companies (Cisco, Linksys and Belkin). He performed a security assessment on the router and immediately saw a security weakness.

Other News

  • Hackers Breach White House Network – bankinfosecurity.com
    Hackers have breached an unclassified network used by the White House. The White House has confirmed the breach, saying in a statement released Oct. 28 that it “identified activity of concern on the unclassified EOP network.”
  • Newspaper outraged after FBI creates fake Seattle Times page to nab suspect – arstechnica.com
    In 2007, the FBI wrote a fake news story about bomb threats in Thurston County, Washington, and then sent out e-mail links “in the style of the Seattle Times.” The details have now been published by that very same newspaper, which today carries a story including outraged quotes from a Seattle Times editor.