Week 35 In Review – 2015

Resources

  • Black Hat 2015 Wrap Up – Part I – nettitude.co.uk
    This year, Black Hat (BH) 2015 came, as it usually does, with major security flaws and some “dojos” aside from the major android vulnerabilities we were exposed to and other types of security issues that are much less talked about, but still expose serious problems.

Tools

  • Funtenna – www.funtenna.org
    Software which intentionally causes compromising emanation.
  • It’s Surprisingly Simple to Hack a Satellite – motherboard.vice.com
    At the Chaos Communication Camp, held in Zehdenick, Germany last week, the organizers did something different: they gave out 4500 rad1o badges. These software-defined radios are sensitive enough to intercept satellite traffic from the Iridium communications network.
  • hidemulation – github.com
    hid emulation tools for the usbarmory

Techniques

  • What I learned from cracking 4000 Ashley Madison passwords – pxdojo.net
    When the Ashley Madison database first got dumped, there was an interesting contingent of researchers talking about how pointless it would be to crack the passwords, since Ashley Madison was using salted bcrypt with a cost of 12.  I thought it might be a fun experiment to run the hashes on a cracking rig of mine to see what I could actually get out of it.
  • How to use Intel AMT and have some fun with Mainboards – www.insinuator.net
    I recently got in contact with Intel AMT for the first time. Surely I had heard about it, knew it was “dangerous”, it was kind of exploitable and had to be deactivated. But I hadn’t actually seen it myself. The following blogpost will be a set of features and instructions on how to own a device with an unconfigured copy of Intel AMT without using any complicated hacks or the famous magic!

Vulnerabilities

  • ColdFusion Bomb: A Chain Reaction From XSS to RCE – www.bishopfox.com
    During an audit of ColdFusion 10 and 11’s administration panel, I discovered a reflected, DOM-based cross-site scripting flaw, and in this blog post, I will show you how to leverage that vulnerability to gain remote code execution on the ColdFusion application server.

Other News

  • Answers to Your Burning Questions on the Ashley Madison Hack – www.wired.com
    For a site that touted itself as the premier cheating site for married people seeking partners for infidelity, Ashley Madison was relatively unknown until hackers broke into its servers and released more than 30 gigabytes of customer and company data this week, propelling it into the spotlight.
  • Court Says the FTC Can Slap Companies for Getting Hacked – www.wired.com
    For companies like the dating site Ashley Madison or the health insurer Anthem, financial loss, customer anger and professional embarrassment aren’t the only consequences of getting massively gutted by hackers. Now a court has confirmed that there’s a three-letter agency that can dish out punishment, too.
  • On the morals of network research and beyond – conspicuouschatter.wordpress.com
    This posts presents a quick opinion on a moral debate, that seems to have taken large proportions at this year’s SIGCOMM, the premier computer networking conference.
  • TSA Master Key Duplication & Why “Security Through (Not So) Obscurity” Fails – www.trustedsec.com
    Every lockpicker knows that the TSA approved Travel Sentry/Safe Skies locks are garbage, but if you don’t want your normal checked bags to have their locks cut off, there are only so many options (that said, sometimes they still cut them off). While it’s common knowledge to locksport enthusiasts how weak TSA approved locks are, the average traveler is mostly unaware of it.

Leave A Comment