Resources

  • HackerOne Connects Hackers With Companies, and Hopes for a Win-Win – nytimes.com
    HackerOne is a San Francisco tech start-up that aims to become a mediator between companies with cybersecurity issues and hackers who are looking to solve problems rather than cause them. They hope their outfit can persuade other hackers to responsibly report security flaws, rather than exploit them, and connect those “white hats” with companies willing to pay a bounty for their finds.
  • A DBIR Attack Graph Web App! – securityblog.verizonenterprise.com
    The DBIR Attack Graph Web App is meant to make analyzing DBIR attack graphs simple enough that anyone can do it! To learn about the DBIR Attack Graph Web App, watch the tutorial video here.
  • AppSecEU 2015 – youtube.com
    These are the videos from AppSec Europe 2015 in Amsterdam, Netherlands. You can watch and download the videos from here.
  • ShowMeCon 2015 Videos – irongeek.com
    These are the videos from ShowMeCon 2015. You can watch and download the videos from here.
  • What exactly is Duqu 2.0? – community.rapid7.com
    Duqu, a very complex and modular malware platform thought to have gone dark in late 2012, has reappeared within the environment of Kaspersky Lab. Dubbed “Duqu 2.0” by Kaspersky, the malware's complexity reflects the level of sophistication, skill, funding and motivation typical of nation-state-sponsored actors.
  • Wassenaar Arrangement – Frequently Asked Questions – community.rapid7.com
    The purpose of this post is to help answer questions about the Wassenaar Arrangement. You can find the US proposal for implementing the Arrangement and an accompanying FAQ from the Bureau of Industry and Security (BIS) here.

Tools

  • NOPC version 0.4.5 released – labs.portcullis.co.uk
    NOPC, the Nessus-based offline Unix patch checker, has been updated and is available in the tools section. This article discusses the new features in detail and provides some working examples.

Techniques

  • Blind Return Oriented Programming – nccgroup.trust
    This blog post walks through some of the important steps of Blind Return Oriented Programming (BROP), a state-of-the-art exploitation technique.

Vendor/Software patches

  • Escaping VMware Workstation through COM1 – docs.google.com
    These bugs are subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will be made available to the public.
  • PowerShell ♥ the Blue Team – blogs.msdn.com
    In this post, the PowerShell Team discusses some important advances they have made in scripting security and protection in the preview versions of PowerShell version 5 and Windows 10.
  • Adobe, Microsoft Issue Critical Security Fixes – krebsonsecurity.com
    Adobe released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.

Vulnerabilities

  • This code can hack nearly every credit card machine in the country – money.cnn.com
    An attacker can gain complete control of a store’s credit card readers, potentially allowing them to hack into the machines and steal customers’ payment data. This latest discovery comes from researchers at Trustwave, a cybersecurity firm.
  • Kaspersky Lab cybersecurity firm is hacked – bbc.com
    One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers. Kaspersky Lab said it believed the attack was designed to spy on its newest technologies.
  • Security Advisory: Object Injection Vulnerability in WooCommerce – blog.sucuri.net
    During a routine audit for Sucuri’s WAF, they discovered a dangerous Object Injection vulnerability which could, in certain contexts, be used by an attacker to download any file on the vulnerable server.
  • Serious iOS bug makes it easy to steal users’ iCloud passwords – arstechnica.com
    A security researcher has published attack code he said makes it easy to steal the iCloud passwords of people using the latest version of Apple iOS for iPhones and iPads. The researcher has published proof-of-concept code demonstrating how the attack works.

Other News