Week 22 In Review – 2014

Events Related


  • Testing your Cisco ASA appliance for vulnerabilities with Nmap – cqure.net
    The scripts make use of the new Cisco AnyConnect library that was part of the commit and test for the (almost) recent vulnerabilities outlined in this Cisco advisory. The easiest way to test the scripts is to run the SVN version of Nmap.
  • What You Need To Know to Become a Penetration Tester – pentesticles.com
    There is some good information for those who wish to break into Penetration testing. The post by Lawrence Munro has provided a useful amount of information to aspiring Penetration testers.
  • How Anything Can Be Hacked: Phreaked Out (Trailer) – youtube.com
    In this three-part documentary series titled “Phreaked Out”, Motherboard meets face-to-face with today’s most talented security researchers and white hat hackers to get a firsthand schooling on the various ways to breach their most commonly used devices.

    • Unlocking L.A.’s Traffic Grid: Phreaked Out (Episode 1) – youtube.com
      In the debut episode of three-part series, Motherboard took a retrospective look at one day in August of 2006, when two Los Angeles traffic engineers, Kartik Patel and Gabriel Murillo, remotely accessed the city’s traffic control system and tampered with the light sequences at four main intersections of the city, as part of a labor union protest.
  • TROOPERS14 – Keynote – FX – youtube.com
    Troopers14 (IT Security Conference) video is available on YouTube now. You can watch and download it from here.
  • Truecrypt-archive – github.com
    Archive of (almost) all truecrypt releases. Most of the files are from different collections that people have provided.
  • OWASP PCI Project – owasp.org
    OWASP PCI project related presentation, repository and other related important links are available here.
  • Slides from Infiltrate 2014 on Analytics, Scalability and UEFI exploitation – prosauce.org
    Prosauce will keep track of what capabilities and tools are released throughout this presentation.


  • OpenSSL tips and tricks – commandlinefanatic.com
    OpenSSL, however, in addition to providing a library for integration, includes a useful command line tool that can be used for effectively every aspect of SSL/PKI administration. It’s a bit under-documented though; this post doesn’t aim to fully document it, but Joshua Davies come across some fairly useful shortcuts that he thought he’d share with us, in “cookbook” style format.
  • Locate and Attack Domain SQL Servers without Scanning – netspi.com
    In this blog Scott Sutherland will share a new PowerShell script that uses Service Principal Name (SPN) records from Active Directory to identify and attack SQL Servers on Windows domains without having to perform discovery scanning.
  • Mimikatz Against Virtual Machine Memory Part 1 – carnal0wnage.attackresearch.com
    Someone will drop some new way of doing something and then you get to reflect on all those missed opportunities on previous engagements. CG remembered when MC showed him all the Oracle stuff and he reminisced about the missed shells. This post and part 2 is like that for him.


  • ProTip: Use Apple? Turn Passcode On! – f-secure.com
    Interesting Apple security news was  reported on Tuesday, Apparently some Apple devices had  hijacked via Apple’s “Find My iPhone” feature. How? Likely via poorly defended iCloud accounts, i.e., iCloud accounts with weak passwords.

    • Australian Apple iDevices hijacked, held to ransom – smh.com.au
      It is likely hackers are using the unusual name as a front to get money from people. A real Oleg Pliss is a software engineer at tech company Oracle.
    • The mechanics of the iCloud “hack” and how iOS devices are being held to ransom – troyhunt.com
      This is predominantly impacting Aussie iCloud users and to date, there’s no clear reason why, rather troyhunt have 23 pages of reported hacks and general speculation on the Apple Support Community website. But of course it all begs the question – how is this attack happening? Isn’t iCloud “secure”? With no hard evidence we can only speculate, but there are some likely suspects.
  • Unencrypted cookies make WordPress accounts vulnerable over open networks – neowin.net
    People accessing the Internet over open WiFi networks are now vulnerable to having their WordPress webpage hijacked even with two-step authentication enabled. This new vulnerability was found by Yan Zhu, a staff technologist with the Electronic Frontier Foundation.
  • True Goodbye: ‘Using TrueCrypt Is Not Secure’ – krebsonsecurity.com
    The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.
  • Vulnerability found in the All in One SEO Pack WordPress Plugin – blog.sucuri.net
    If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now.

Other News

  • OpenSSL to get a security audit and two full-time developers –arstechnica.com
    A Linux Foundation project inspired by the Heartbleed security flaw announced that it will fund a security audit for the OpenSSL code base and the salaries of two full-time developers. $5.4M plan to help open source funds OpenSSL, OpenSSH, and Network Time Protocol.
  • US cybercrime laws being used to target security researchers –theguardian.com
    Some of the world’s best-known security researchers claim to have been threatened with indictment over their efforts to find vulnerabilities in internet infrastructure, amid fears American computer hacking laws are perversely making the web less safe to surf.
  • Security experts in high demand at major US companies –cnet.com
    Big companies including JPMorgan Chase and Pepsi are bringing on chief information security officers to limit their exposure to major hacks. The recent rash of corporate hacks has scared major companies into investing more into security experts, a new report from Reuters says.

Leave A Comment