Resources
- BSides Nashville 2014 Videos – www.irongeek.com
These are the videos of BSides Nashville 2014. You can download the videos from here.
- Powershell’s Pastebin – pastebin.com
Pastebin is the #1 paste tool. Here is a list of Powershell’s pastebin.
- 2014 Trustwave Global Security Report Available Now – blog.spiderlabs.com
Trustwave released their annual 2014 Trustwave Global Security Report, an analysis of compromise and threat statistics that they gathered from 691 data breach investigations conducted across the world, telemetry pulled from their deployed technologies and 24/7 global security operations centers.
- Effective NTLM / SMB Relaying – room362.com
Mubix tried finding all the original/semi-original references about SMB (LM/NTLM) Relaying. The reference links and list of tools are available here.
- Welcome to Exploit Exercises – exploit-exercises.com
exploit-exercises.com provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues.
- JailbreakCon – youtube.com
World’s first & only Jailbreak convention. Videos are available here.
Tools
- Tool: TinyMet – Tiny Meterpreter size “4k” – eldeeb.net
TinyMet is a small “4 kilobytes” flexible meterpreter stager. You can download the tool from here.
- The Social-Engineer Toolkit (SET) v6.0 “Rebellion” Released – github.com
After a few months of work, the latest release of SET v6.0 codename “Rebellion” is available. This version expands on many of the attack vectors and improves on many of the existing attacks as well as introduces a new attack created by D4rk0 (@d4rk0s) which incorporates a full screen attack vector.
Techniques
- Dirty PowerShell WebServer – obscuresecurity.blogspot.com
The goal of the one-liners was to serve static files from the present working directory on port 8000. Since we know the goal is to have a small and dirty script, you can skip error-handling and use aliases.
- Multi-Staged/Multi-Form CSRF – blog.opensecurityresearch.com
Exploiting a CSRF vulnerability that relies on a single request (GET/POST) is often a simple task, and tools like Burp make the effort even easier. However, exploitation can become much more difficult when multiple requests are needed to exploit a CSRF vulnerability.
- Even uploading a JPG file can lead to Cross Domain Data Hijacking (client-side attack)! – soroush.secproject.com
This post is going to introduce a new technique that has not been covered previously in other topics that are related to file upload attacks such as Unrestricted file upload and File in the hole.
Vulnerabilities
- When Networks Turn Hostile – blog.trendmicro.com
Clicking on any part of the site results in a malicious file, detected as TSPY_FAREIT.VAOV, being downloaded and run on the affected system. FAREIT malware is typically used to download other threats onto an affected system. So, how was this done?
- The pitfalls of allowing file uploads on your website – blog.detectify.com
These days a lot of websites allow users to upload files, but many don’t know about the unknown pitfalls of letting users (potential attackers) upload files, even valid files.
- eBay Inc. To Ask eBay Users To Change Passwords – ebayinc.com
eBay Inc. (Nasdaq: EBAY) said beginning later Wednesday it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data.
- U.S. states probe eBay cyber attack as customers complain – news.yahoo.com
EBay Inc came under pressure on Thursday over a massive hacking of customer data as three U.S. states began investigating the e-commerce company’s security practices. EBay spokeswoman Amanda Miller declined to comment on the states’ actions, but said the company was working with authorities around the globe.
- Why You Should Ditch Adobe Shockwave – krebsonsecurity.com
The author of this post was positively shocked this week to learn that this software introduces a far more pernicious problem: Turns out, it bundles a component of Adobe Flash that is more than 15 months behind on security updates, and which can be used to backdoor virtually any computer running it.
- Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) – vupen.com
One of the vulnerabilities the Vupen research team exploited during the event was a use-after-free in Mozilla Firefox (MFSA2014-30 / CVE-2014-1512). This flaw was not easy to find and exploit because it required the browser to be in a specific memory state to reach the vulnerable code branch, a state Mozilla calls “memory-pressure”.
- Hackers Bypass iOS Anti-Theft Feature, ‘Unbrick’ Devices – newsfactor.com
Once criminals have an iOS device in hand, they can plug it into a Windows computer and perform the attack. Exact details regarding the exploitation have yet to be released, but the attack has been described as a man-in-the-middle exploitation.
Other News
- BlackShades users targeted in 16-nation sweep; 97 arrested – computerworld.com
Law enforcement agencies from 16 countries on three continents last week arrested 97 people after executing raids targeting those suspected of creating, buying and using a notorious Trojan program called BlackShades.
- US Justice Department to charge Chinese military officials with hacking – itworld.com
Five people said to work for the Chinese People’s Liberation Army are expected to be charged with hacking later Monday.
- NSA Reform Bill Passes the House—With a Gaping Loophole – www.wired.com
The U.S. House of Representatives has passed a bill that would end the NSA’s mass collection of Americans’ phone records. Unfortunately, it may not end the NSA’s mass collection of Americans’ phone records.
- US cyber-thief gets 20-year jail term – bbc.com
A US cyber-thief who helped run a website that dealt in stolen credit cards has been jailed for 20 years.