Techniques

  • Hacking Unicorns with Web Bluetooth – www.contextis.com
    Researchers discovered an unsecured MongoDB server that exposed sensitive CloudPets customer data. My research focused on the toy itself, in particular some issues we found with its Bluetooth LE connectivity and features.
  • Still Passing the Hash 15 Years Later – passing-the-hash.blogspot.com
    So I first thought about it when the HAK5 turtle showed up (link here: https://lanturtle.com/)…. I thought to myself “oh yeah, I totally know how to stop that, I ought to write up a blog post about it…” and then life happened…. then Mubix posted something at the time about using a USB armory to do similar stuff

Vulnerabilities

  • Ok Google, Give Me All Your Internal DNS Information! – www.rcesecurity.com
    Among all the available tools, there is one called “Dig” which – on Linux – can be used to query a DNS server for its records of a given domain, just like A or MX records. In this case Google implemented a nice web interface for that tool to visually look up DNS information.
  • Yahoo says forged cookie attack accessed about 32M accounts – www.cnet.com
    The company said in a regulatory filing Wednesday that the cookie caper is likely connected to the “same state-sponsored actor” thought to be behind a separate, 2014 breach that resulted in the theft of user information from 500 million user accounts.

Other News

  • Bill Would Legalize Active Defense Against Hacks – www.onthewire.io
    Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.