Events Related
- REcon Recap: Here’s What Caught My Eye – researchcenter.paloaltonetworks.com
A few weeks ago I was fortunate enough to attend REcon in Montreal, Canada. This conference focuses on reverse engineering and exploitation techniques and has been going on for roughly a decade.
- PHDays V Highlights: Signs of GSM Interception, High Time to Hack Wi-Fi, Future of Encryption – blog.ptsecurity.com
Technological singularity is expected in 15 years at best, but Positive Hack Days transition is happening right now. The fifth forum had a record attendance – over 3,500 visitors, which is comparable to the leading international hacker conferences, and the number of talks, sessions, and various activities surpassed one hundred.
Resources
- Course Review: eLearnSecurity WAPTX (WebApp PenTesting Extreme) – ethicalhacker.net
The past few years were a sort of lull for me. While I’ve continued to read and review books, watch and listen to webcasts and podcasts and do my best to stay ‘fresh’ on the pentesting front, I’ve not had a good opportunity to squeeze in any more ‘structured’ training courses.
- Educational Series: How lost or stolen binary applications expose all your intellectual property – vimeo.com
If you have to distribute binaries, for example in an app store, an obfuscator can be used to jumble up the decompiled source code, but that will only marginally slow down a foe, and of course if you are sending a binary to a 3rd party for analysis, you obviously won’t be using obfuscation, so the binary can be decompiled and read easily.
Tools
- CMSmap – The ultimate CMS Scanner to Hack 75% of Websites – terminatio.org
CMSmap is a simple Python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs. The main purpose of CMSmap is to integrate common vulnerabilities for different types of CMSs in a single tool.
Techniques
- Windows kerberos ticket theft and exploitation on other platforms – mikkolehtisalo.wordpress.com
In the past there has been a lot of talk about pass the hash, but surprisingly little about different methods for exploiting Kerberos tickets. Besides the discussion focused on golden tickets, Kerberos has not really ever been a major target for abuse.
Vulnerabilities
- Hacking Wireless Ghosts Vulnerable For Years – blog.ioactive.com
Is the risk associated with a Remote Code Execution vulnerability in an industrial plant the same when it affects human life? When calculating risk, certain variables and metrics are combined into equations that are rendered as static numbers, so that risk remediation efforts can be prioritized.
Other News
- The 414s: The Original Teenage Hackers – edition.cnn.com
CNN Films presents “The 414s: The Original Teenage Hackers,” a look at an unexpected group of hackers who forever changed the idea of cybersecurity. In the early 1980s, this group of Milwaukee teenagers broke into dozens of prominent computer systems, including the Los Alamos National Laboratory and the Sloan-Kettering Cancer Center, sparking landmark legislation that impacts how we use technology today.
- Team GhostShell: Back with a bang and after your data – zdnet.com
Team GhostShell, well-known for a string of high-profile hacks in the past, has taken itself off hiatus and returned with hacks and database pillaging. The hacking group claims to have hacked a long list of websites in the past 24 hours.
- The Quest to Rescue Security Research From the Ivory Tower – wired.com
Stolen Credit Card numbers. Stolen passwords. The personal information of about 4 million federal workers hacked. We know all too well that computers are dreadfully insecure.