Resources

  • Hot or Not? The Benefits and Risks of iOS Remote Hot Patching – www.fireeye.com
    In this series of articles, FireEye mobile security researchers examine the security risks of iOS apps that employ these alternate solutions for hot patching, and seek to prevent unintended security compromises in the iOS app ecosystem.
  • Moving to a Plugin-Free Web – blogs.oracle.com
    By late 2015, many browser vendors have either removed or announced timelines for the removal of standards-based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin-based technologies.

Tools

  • Scan for AXFR DNS replies – scans.io
    AXFR is a feature of DNS that is usually not meant to be publicly accessible. However, a large number of DNS servers answer AXFR requests, most of them probably due to misconfiguration.
  • cve-search – github.com
    A tool to perform local searches for known vulnerabilities
  • Yara-Scanner – github.com
    Yara-Scanner is a Python-based extension that integrates a Yara scanner into Burp Suite.

Techniques

  • Damn Vulnerable Safe – www.insinuator.net
    The Damn Vulnerable Safe (DVS) is based on a little black safe we bought on the Internet. It has a 12 button pad (0-9, #, *), three hardwired LEDs, a knob for opening the safe and (it had) a physical lock for back up access.

Vulnerabilities

  • Amazon’s customer service backdoor – medium.com
    As a security conscious user who follows the best practices like: using unique passwords, 2FA, only using a secure computer and being able to spot phishing attacks from a mile away, I would have thought my accounts and details would be pretty safe? Wrong.

Other News

  • Coordinating Vulnerabilities in IoT Devices – insights.sei.cmu.edu
    The CERT Coordination Center (CERT/CC) has been receiving an increasing number of vulnerability reports regarding Internet of Things devices and other embedded systems. We’ve also been focusing more of our own vulnerability discovery work in that space.
  • Why J.P. Morgan Chase & Co. Is Spending A Half Billion Dollars On Cybersecurity – www.forbes.com
    “J.P. Morgan is going to spend a half-billion dollars on security this year, and we still feel challenged,” Andy Cadel, general counsel, IP and data protection for J.P. Morgan Chase told a crowd of IT professionals at a recent conference titled “Future Ready: The Business of Tomorrow-Today,” which took place at Bloomberg LP headquarters in Manhattan, according to an article in Bloomberg’s Big Law Business.