Events Related

  • The MiTM Mobile Contest: GSM Network Down at PHDays V – blog.ptsecurity.com
    The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks having only a $10 cell phone with some hacker freeware.
  • SHAKACON
    SHAKACON was a well-run and friendly conference with about 300 attendees and high quality talks over 2 days.

  • OISF 2015 Videos – irongeek.com
    Educating users both IT and non-IT in the importance of Security.

Resources

  • VMware Multiple Products – Privilege Escalation – nettitude.co.uk
    This article summarises the findings and the impact of a vulnerability that we recently discovered in three major VMware Windows products. The affected products are ‘VMware Workstation’, ‘Horizon Client’ (with Local Mode Option), and ‘Player’.
  • Hacking and Hiking – webbreacher.com
    A collection of information security, outdoors and other random things that I find helpful or interesting.

Tools

  • canbus-utils release v0.2.0 – digitalbond.com
    Quick post to announce an updated release for the Digital Bond Labs CANBus utilities repository.
  • IVRE – github.com
    IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including two modules for passive recon (one p0f-based and one Bro-based) and one module for active recon (mostly Nmap-based, with a bit of ZMap).

Techniques

  • Hacking the PS Vita – yifan.lu
    The posts not only detail the exploit I found but also the thought process that led me to it. I intended to publish it as soon as the exploit was patched by Sony or after someone found another exploit on the system by examining the memory dumps.
  • Stealing Lastpass Passwords With Clickjacking – thehackerblog.com
    LastPass, a popular password management service with addons for Firefox, Chrome, and Internet Explorer suffered from a clickjacking vulnerability which can be exploited on sites without the proper X-Frame-Options headers to steal passwords.

Vendor / Software Patches

  • Adobe To Fix Zero-Day
    Adobe Systems Inc. says it plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks. The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.

  • Adobe, MS, Oracle Push Critical Security Fixes – krebsonsecurity.com
    This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.

Vulnerabilities

  • I accidentally recorded your phone calls – mnxsolutions.com
    A new customer called me and mentioned he was being billed for calls that he wasn’t making on his Asterisk based PBX system. I knew right away that his system had likely been compromised, and this wasn’t anything out of the ordinary for us to tackle.

Other News

  • Trading stopped on New York Stock Exchange due to ‘technical issue’ (update) – engadget.com
    It has been quite a day for tech problems. Trading on the New York Stock Exchange was halted due to a “technical issue” at around 11:30 AM ET this morning. On its status page, the NYSE posted that all trading had been suspended and any open orders would be cancelled — with a more detailed explanation to follow.
  • Shared Passwords And No Accountability Plague Privileged Account Use – darkreading.com
    As the winds of the cloud scatter corporate data across the globe and beyond any IT boundaries, identity management continues to grow in importance. But a new survey out from Centrify shows that even those that should know better do not engage in secure account management practices.
  • United Airlines Hands Out Million-Mile Bug Bounty – threatpost.com
    Wiens, who founded a security company in Florida called Vector 35 and not too long ago worked for a government contractor, submitted what he thought were a couple of “lame” bugs to United’s two-month-old bug bounty program—his first commercial bounty submission. The payoff was anything but weak.
  • What Happened At OPM? – emergentchaos.com
    I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing.