Week 14 In Review – 2017

Events Related

  • Cyphercon 2.0 Videos – www.irongeek.com
    These are the videos from the Cyphercon 2.0 conference.
  • DakotaCon – www.youtube.com
    South Dakota’s premier security event.

Resources

  • Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1) – googleprojectzero.blogspot.com
    It’s a well understood fact that platform security is an integral part of the security of complex systems. For mobile devices, this statement rings even truer; modern mobile platforms include multiple processing units, all elaborately communicating with one another.
  • How Long Does It Take to Crack Your Password? – blog.elcomsoft.com
    We hear the “how long will it take to break…” question all the time. The answer is always the same: “it depends”. In this article we’ll try to give a detailed explanation and a definite answer for as many possible combinations as possible.

Tools

  • USB Canary – github.com
    USB Canary is a Linux tool that uses pyudev to monitor USB devices either around the clock, or just while it’s locked. It can be configured to send you an SMS via the Twilio API, or notify a Slack channel with it’s inbuilt Slack bot.
  • nRF24 Playset – github.com
    The nRF24 Playset is a collection of software tools for wireless input devices like keyboards, mice, and presenters based on Nordic Semiconductor nRF24 transceivers, e.g. nRF24LE1 and nRF24LU1+.

Techniques

  • How I Hacked my Smart TV from My Bed via a Command Injection – www.netsparker.com
    It was one of those lazy evenings, just watching TV after a long day. I was tired but kept on thinking about a vulnerability I found earlier on in a router someone gave me. Finding a flaw in such a device is always quite fun because you often see things that aren’t meant to be seen by the users, except the developers and maybe the company’s tech support team.
  • Hacking the Belkin E Series OmniView 2-Port KVM Switch – blog.talosintelligence.com
    In this post, we demonstrate the possibility of modifying a standard KVM switch to include an Arduino based key logger. We show that this can be achieved using off-the-shelf tools and components by anyone with a minimum of electronic engineering and programming knowledge.

Vulnerabilities

  • Owning OnePlus 3/3T with a Malicious Charger: The Last Piece of the Puzzle – alephsecurity.com
    In this blog post we describe a new critical vulnerability CVE-2017-5622 in OnePlus 3/3T (OxygenOS 4.0.2 and below), which relaxes the attack prerequisites. Combining it with CVE-2017-5626 allows a malicious charger to own your device if it’s hooked-up while being powered off (the charger may also just wait until the battery is drained).
  • An Analysis of CVE-2017-5638 – blog.gdssecurity.com
    At GDS, we’ve had a busy few weeks helping our clients manage the risk associated with CVE-2017-5638 (S2-045), a recently published Apache Struts server-side template injection vulnerability. As we began this work, I found myself curious about the conditions that lead to this vulnerability in the Struts library code.

Other News

  • Congress just killed online privacy rules. Now what? (FAQ) – www.cnet.com
    As of Tuesday, both houses of Congress have voted to repeal regulations adopted last year by the Federal Communications Commission. The next step is a signature from President Donald Trump, who has already signaled he’s eager to get rid of the regulation.
  • The Purge is cancelled: Hackers unleash sirens of doom on Dallas – mashable.com
    Beginning around 11:44 p.m., all 156 of the outdoor warning sirens meant to alert the residents of Dallas (population 1.3 million) of impending disaster bellowed across the city. There was no immediate explanation, and the sirens didn’t stop.

Leave A Comment