Events Related

  • BruCON – www.youtube.com
    Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker community.

Resources

  • Western Digital drives vulnerable: BadUSB, EvilMaid – firmwaresecurity.com
    Most news sites are reporting about bad security in Western Digital hard drives. As presented at Hardware.io the other week, and from the Full Disclosure mailing list from a few days ago.
  • BoringSSL – www.imperialviolet.org
    We recently switched Google’s two billion line repository over to BoringSSL, our fork of OpenSSL. This means that BoringSSL is now powering Chromium (on nearly all platforms), Android M and Google’s production services.
  • Advanced x86: Introduction to BIOS & SMM – opensecuritytraining.info
    John’s work led to the “BIOS Chronomancy” work (published at both BlackHat and ACM CCS), porting the team’s existing Timing-Based Attestation system from the kernel level down to the BIOS.
  • Wadi Fuzzer – www.sensepost.com
    One can see the importance of fuzzing as one of the techniques used to test software security against malformed input leading to crashes and in some cases exploitable bugs.
  • lte – github.com
    Presentation about the security features provided by the 3GPP specifications for LTE.

Tools

  • thc-ipv6 – github.com
    IPv6 attack toolkit
  • Win10Pcap-Exploit – github.com
    Exploit Win10Pcap Driver to enable some Privilege in our process token ( local Privilege escalation )
  • Mobile-Security-Framework-MobSF – github.com
    Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.

Vendor/Software Patches

Techniques

  • Retrospection & Full PCAP Reveal Instances of XcodeGhost Dating Back to April 2015 – www.protectwise.com
    Last month when news broke of XcodeGhost, the iOS malware that infected apps on the Apple App Store, we retrospected our haystack for evidence of this malware across our customers. We quickly discovered that more than half of our customers had affected devices on their networks, with infections dating as far back as April 25th, 2015 (much earlier than reported by several news outlets).

Vulnerabilities

  • X-Ray Scans Expose an Ingenious Chip-and-Pin Card Hack – www.wired.com
    The chip-enabled credit card system long used in Europe, a watered down version of which is rolling out for the first time in America, is meant to create a double check against fraud.In a so-called “chip-and-PIN” system, a would-be thief has to both steal a victim’s chip-enabled card and be able to enter the victim’s PIN.
  • Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access – www.trustwave.com
    Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.

Other News

  • Hacking for Security, and Getting Paid for It – bits.blogs.nytimes.com
    Technology companies including Google, Facebook, Dropbox, Microsoft, Yahoo, PayPal and even the electric-car maker Tesla now offer hackers bounties for reporting the flaws they find in the companies’ wares.
  • Symantec Intelligence Report: September 2015 – www.symantec.com
    Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
  • Congress Is Trying to Ban Car Hacking In Every Possible Form – gizmodo.com
    Today, the House Energy and Commerce Committee began safety hearings with a proposed bill to reform the National Highway Traffic Safety Administration. That bill contains a provision which completely outlaws car owners from hacking their own cars.
  • Security researchers face wrath of spy agencies – www.theregister.co.uk
    Researchers tasked with revealing attacks by intelligence agencies are being harassed, locked out of tenders, and in some cases deported, Kaspersky researcher Juan Andrés Guerrero-Saade says.