Week 38 In Review – 2015

Events Related

  • Black Hat USA 2015 Course Review – Adaptive Red Team Tactics from Veris Group – www.redblue.team
    Black Hat has something for everyone (across the defensive and offensive spectrum) and after considerable deliberation I decided to register for Adaptive Red Team Tactics from Veris Group. This is an interesting team in that a lot of the core members burst onto the scene a few years ago with very high skill sets and seemingly no prior social media presence or history.
  • SECT-2015 Talk Slides – colinoflynn.com
    A talk about an open-source power analysis and glitching project called ChipWhisperer at SEC-T.

Resources

  • iOSAppReverseEngineering – github.com
    iOS App Reverse Engineering is the world’s 1st book of very detailed iOS App reverse engineering skills. The book consists of 4 parts, i.e. concepts, tools, theories and practices.
  • Internet-Wide Scan Data Repository – scans.io
    The Internet-Wide Scan Data Repository is a public archive of research data collected through active scans of the public Internet. The repository is hosted by the ZMap Team at the University of Michigan.

Tools

  • Microsoft Attack Surface Analyzer (ASA): It’s for defenders too! – community.rapid7.com
    Attack Surface Analyzer, a tool made by Microsoft and recommended in their Security Development Lifecycle Design Phase, is meant primarily for software developers to understand the additional attack surface their products add to Windows systems.
  • FruityWifi – www.fruitywifi.com
    FruityWifi is an open source tool to audit wireless networks. It allows the user to deploy advanced attacks by directly using the web interface or by sending messages to it.

Techniques

  • The iOS Get out of Jail Free Card – blog.ioactive.com
    If you have ever been part of a Red Team engagement, you will be familiar with the “Get out of Jail Free Card”. In a nutshell, it’s a signed document giving you permission to perform the activity you were caught doing.

Vulnerabilities

  • Denial of Service and Code-Level Application Flaws – www.astechconsulting.com
    What is a Denial of Service Attack? Generally speaking, it is a type of attack on a network or application intended to cripple or render it unresponsive by flooding it with traffic. The exact nature of a Denial of Service Attack (DoS) can vary widely depending on the target system.
  • D-Link blunders by releasing private keys of certificates – translate.google.com
    D-Link accidentally released the private keys for the certificates used to sign its software. The keys could be extracted from the manufacturer's open-source firmware packages. Criminals could thereby have exploited the certificates.
  • Issuance of Certificates
    On September 14, around 19:20 GMT, Symantec’s Thawte-branded CA issued an Extended Validation (EV) pre-certificate for the domains google.com and www.google.com. This pre-certificate was neither requested nor authorized by Google.

Other News

  • A CISO Perspective On The Fireeye Controversy – www.peerlyst.com
    As a CISO, I’d want to know I was using security solutions that are not lemons. I’d also want to know that they make my attack surface smaller, not larger. If I was defending an organization that has APT actors including nation states as a realistic threat in my threat modelling, I’d also want to know that my security tools cannot be used as pivot points for APTs.
  • Microsoft partners with NATO to shore up European cybersecurity – blogs.microsoft.com
    Microsoft is a long-term partner for many governments around the world seeking to build a safe and trusted digital environment. As such, we are excited to announce today that we have signed our newest Government Security Program (GSP) agreement with the NATO Communications and Information Agency (NCI Agency).
  • TSA Doesn’t Care That Its Luggage Locks Have Been Hacked – theintercept.com
    In a spectacular failure of a “back door” designed to give law enforcement exclusive access to private places, hackers have made the “master keys” for Transportation Security Administration-recognized luggage locks available to anyone with a 3D printer.
  • U.S. and China Seek Arms Deal for Cyberspace – www.nytimes.com
    The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime, according to officials involved in the talks.
  • Creepy Smartwatch Spies What You Type on a Keyboard – news.softpedia.com
    Researchers have created an app that follows the micro-movements of your smartwatch and is able to detect what keys you’re pressing with your left hand and thus guess what words you may be typing on a keyboard.

September 20th, 2015 | Security Conferences, Security Tools, Security Vulnerabilities, Site News, Week in Review
