Events Related

  • Kaminsky Creates Clickjacking-Killer – www.darkreading.com
    Renowned security expert Dan Kaminsky here this week unveiled his latest project: a solution to eradicate so-called clickjacking attacks that plague the Web.
  • Black Hat USA 2015 Highlights – www.tripwire.com
    The 18th annual Black Hat USA conference gathered thousands of professionals, researchers and enthusiasts to discuss not only the industry’s current trends and threats but also what we, as a community, can do to improve the security of ourselves, and of those around us.
  • The Lifecycle of a Revolution (Keynote) – www.youtube.com
    In the early days of the public internet, we believed that we were helping build something totally new, a world that would leave behind the shackles of age, of race, of gender, of class, even of law. Twenty years on, “cyberspace” looks a lot less revolutionary than it once did. Hackers have become information security professionals

Resources

  • Thunderstrike 2: Mac firmware worm details – trmm.net
    This is the annotated transcript of our DefCon 23 / BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple’s Macs that can spread via both software or Thunderbolt hardware accessories and writes itself to the boot flash on the system’s motherboard.
  • Project Bitfl1p – bitfl1p.com
    Detect and analyze the frequency of bit flips for an average internet user through the use of bitsquatting.

Tools

  • Hackers Cut a Corvette’s Brakes Via a Common Car Gadget – www.wired.com
    Car hacking demos like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes.
  • OwnStar Wi-Fi attack now grabs BMW, Mercedes, and Chrysler cars’ virtual keys – arstechnica.com
    Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application—giving an attacker the ability to clone them and use them to track, unlock, and even remote start the vehicle.
  • QARK – github.com
    Quick Android Review Kit – This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
  • tpwn – github.com

Techniques

  • Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part II – Supremacy – blog.checkpoint.com
    In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.
  • Domain Administrator in 17 seconds – blog.gojhonny.com
    Obtaining domain administrative privileges on a security assessment is a goal that many assessors seek. It is what fills us with excitement, as we know that the real fun is about to begin.
  • Black Hat USA 2015: The full story of how that Jeep was hacked – blog.kaspersky.com
    Recently we wrote about the now-famous hack of a Jeep Cherokee. At Black Hat USA 2015, a large security conference, researchers Charlie Miller and Chris Valasek finally explained in detail, how exactly that hack happened.

Vendor / Software Patches

  • Adobe, MS Push Patches, Oracle Drops Drama – krebsonsecurity.com
    Adobe today pushed another update to seal nearly three dozen security holes in its Flash Player software. Microsoft also released 14 patch bundles, including a large number of fixes for computers running its new Windows 10 operating system.

Vulnerabilities

Other News

  • .COM.COM Used For Malicious Typo Squatting – isc.sans.edu
    Our reader Jeff noted how domains ending in “.com.com” are being redirected to what looks like malicious content. Back in 2013, A blog by Whitehat Security pointed out that the famous “com.com” domain name was sold by CNET to known typo squatter dsparking.com.
  • IoT Working Group Crafts Framework For Security, Privacy – www.darkreading.com
    An industry working group that includes members from Microsoft, Symantec, Target, and home security system vendor ADT today issued draft recommendations for locking down the privacy and security of home automation and consumer health and fitness wearable devices with security practices such as unique passwords, end-to-end encryption of sensitive and personal information, and a coordinated patching and update mechanism, as well as other measures.
  • S. Identifies Insider Trading Ring With Ukraine Hackers – www.bloomberg.com
    Exposing a new front in cybercrime, U.S. authorities broke up an alleged insider trading ring that relied on computer hackers to pilfer corporate press announcements and then profited by trading on the sensitive information before it became public.
  • ‘Banned’ article about faulty immobiliser chip published after two years – www.ru.nl
    In 2012, three computer security researchers at Radboud University discovered weaknesses in the Megamos chip, which is widely used in immobilisers for various brands of cars. Based on responsible disclosure guidelines, the scientists informed the manufacturer immediately, and they wrote a scientific article on the topic that was accepted for publication at a prestigious digital security symposium (USENIX 2013).