Events Related

  • HITB Amsterdam Wrap-Up Day #1 – blog.rootshell.be
    The HITB crew is back in the beautiful city of Amsterdam for a new edition of their security conference. Here is Xavier’s wrap-up for the first day!

Resources

  • New Research: Some Tough Questions for ‘Security Questions’ – googleonlinesecurity.blogspot.ca
    Elie Bursztein and his research team analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. Their findings, summarized in a paper that they recently presented at WWW 2015, led us to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.
  • Cyber insurance: Only fools rush in – itworld.com
    With prominent corporations from across the economy bleeding customer data and paying through the nose for it, “cyber insurance” has become a hot topic in corporate boardrooms and the media.
  • mitmproxy: release v0.12 and some project news – corte.si
    Before getting to the new release, Aldo Cortesi would like to give a quick update on some internal project developments.
  • ZAP as a Service (ZaaS) – zaproxy.blogspot.com
    At OWASP AppSec EU in Amsterdam this year Simon Bennetts announced ZAP as a Service (ZaaS). The slides are here and the video will be available soon.
  • Meet ‘Tox’: Ransomware for the Rest of Us – blogs.mcafee.com
    McAfee Labs found Tox on May 19. It was updated on May 21 with a new FAQ and an updated design. But the core did not change.
  • Index of/hitbsecconf2015ams/materials – conference.hitb.org
    The materials of HITB Conference 2015 Amsterdam are available now. You can download the pdf’s from here.

Tools

  • EvilAP_Defender – github.com
    Protect your Wireless Network from Evil Access Points! You can download the tools from here.

Techniques

  • Hacking Starbucks for unlimited coffee – sakurity.com
    This is a story about how Egor Homakov found a way to generate unlimited amount of money on Starbucks gift cards to get life-time supply of coffee or steal a couple of $millions.
  • Side-Channel Power Analysis of AES Core in Project Vault – colinoflynn.com
    There is a problematic statement, as side-channel power leakage isn’t just one simple fix. In this case there is effectively no difference from an unprotected implementation for side-channel power analysis. More on that inside.

Vulnerabilities

  • Exploit Kit Using CSRF to Redirect SOHO Router DNS Settings – threatpost.com
    Attacks targeting small office and home router DNS settings, long a target for network intruders seeking to redirect web traffic to malicious sites, have for the first time been included in an exploit kit—one that specializes in cross-site request forgery attacks.

  • Attackers use email spam to infect point-of-sale terminals with new malware -itworld.com
    Cybercriminals are targeting employees who browse the Web or check their email from point-of-sale (PoS) computers, a risky but unfortunately common practice.
  • Recent Breaches a Boon to Extortionists – krebsonsecurity.com
    The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade.
  • Hackers stole personal information from 104,000 taxpayers, IRS says – washingtonpost.com
    The IRS says data thieves used social security numbers and addresses that they had already gathered on individuals to access personal information including past tax returns through the IRS Web site.
  • Clueless Clause: Insurer Cites Lax Security in Challenge to Cottage Health Claim – securityledger.com
    In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data.
  • Bug in iOS Unicode handling crashes iPhones with a simple text – appleinsider.com
    A peculiar iOS bug apparently that allows pranksters to crash a victim’s iPhone by sending a text message from their own iPhone containing what appears to be a single line of seemingly innocuous Arabic script.
  • News and updates from the Project Zero team at Google -googleprojectzero.blogspot.be
    This blog post describes an unfixed bug in Windows 8.1 which allows you to escape restrictive job objects in order to help to develop a sandbox escape chain in Chrome or similar sandboxes.
  • The Empire Strikes Back Apple – how your Mac firmware security is completely broken – reverse.put.as
    If you are a rootkits fan the latest Chaos Communication Congress (CCC) in 2014 brought us two excellent presentations, Thunderstrike by Trammell Hudson and Attacks on UEFI security, inspired by Darth Venami’s misery and Speed Racer by Rafal Wojtczuk and Corey Kallenberg. Trammell on his presentation mentioned the possiblity that Macs could also be vulnerable to the Dark Jedi attack.
  • PeopleSoft Vulnerabilities Elevate ERP Security Issues – threatpost.com
    Enterprise resource planning systems are the unexplored continent of vulnerability research, in spite of the fact that these massive, critical business systems support the inner workings of many large corporations and IT organizations.

Other News

  • Sniffing and tracking wearable tech and smartphones – net-security.org
    Researchers at Context Information Security have demonstrated how easy it is to monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, wearable devices and iBeacons, including the iPhone and leading fitness monitors, raising concerns about privacy and confidentiality.
  • Why changes to Wassenaar make oppression and surveillance easier, not harder – addxorrol.blogspot.com
    While the goal of restricting intrusive surveillance by governments is laudable, the changes to Wassenaar threaten to achieve the opposite of their intent — with detrimental side effects for everybody. The changes need to be repealed, and national implementations of these changes rolled back.