Week 24 In Review – 2016

Resources

  • Typosquatting programming language package managers – incolumitas.com
    Typosquatting is the malicious registering of a domain that is lexically similar to another, often highly frequented, website. Typosquatters would for instance register a domain named Gooogle.com instead of the well known Google.com. Then they hope that people mistype the website name in the browser and accidentally arrive on the wrong site.

Techniques

  • Vulnerability Disclosure Info: Symantec Encryption Management Server – blog.gdssecurity.com
    During a security assessment project in 2015, GDS encountered a fully patched Symantec Encryption Management Server appliance. This product provides secure messaging both between users of the organization and with external users. Each server is managed via an administrative web interface.
  • From radio waves to packets with software defined radio – reaktor.com
    Radio waves are used to transfer information all around us. They are used in mobile phones, WLANs, all kinds of remote controls, traditional AM/FM radio stations, satellite communications, and numerous other places. Utilising radio technology is one of those things we take for granted in our everyday life, but we don’t necessarily know how everything works under the hood.
  • Window hijacking – github.com
    A demo of altering an opened tab after a timer
  • DeadUpdate: Kickin’ it bigtime – gist.github.com
    I would like to stress something: I’m not saying “Don’t buy an ASUS device” — I see a lot of people who want to lambaste ASUS for this and boycott their hardware. This isn’t what I want people to be doing by any stretch. Stupidly, I like the ASUS hardware I have (it’s nice for the price) and I would rather see pressure on ASUS as an OEM to stop shipping “value added software” to consumers.

Vulnerabilities

Other News

  • Password Re-user? Get Ready to Get Busy – com
    In the wake of megabreaches at some of the Internet’s most-recognized destinations, don’t be surprised if you receive password reset requests from numerous companies that didn’t experience a breach: Some big name companies — including Facebook and Netflix — are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users.
  • Email Address Disclosures, Preliminary Report, June 11 2016 – community.letsencrypt.org
    On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email.
Published June 12th, 2016 (last modified 2017-03-12T17:39:13-07:00) | Security Vulnerabilities, Site News, Week in Review