Week 25 In Review – 2014

Resources

Circle City Con 2014 Videos – www.irongeek.com
These are the Circle City Con 2014 videos. You can watch and download all of the recordings from here.
OWASP Security Shepherd – owasp.org
Security Shepherd has been implemented with the aim of fostering and improving security awareness among a varied skill-set demographic. This project enables users to learn or to improve upon existing manual penetration testing skills.
Guide to building the Tastic RFID Thief – shubh.am
This guide assumes that you are doing constant testing of the circuit along the way. Whilst this guide itself isn’t so detailed and bullet proof, it definitely will act as a great reference and tutorial towards building the Tastic.

Tools

Discover – github.com
Formally BackTrack scripts. For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.
easy-creds – code.google.com
The easy-creds script is a bash script that leverages ettercap and other tools to obtain credentials during penetration testing. You can dowload it from here.

Techniques

USB Fuzzing Basics: From fuzzing to bug reporting – blog.quarkslab.com
This article first presents quarklabs team’s fuzzing approach followed by a practical example of a bug in Windows 8.1 x64 full-updated. The goal of this article is not to redefine state-of-the-art USB fuzzing, nor to give a full description of their fuzzing architecture, but rather to narrate a scenario which starts from fuzzing and ends up with a bug report.
Breaking Into iCloud: No Password Required – blog.crackpassword.com
This feature is mostly intended for law enforcement and forensic customers, as using a password-free entry into iCloud requires a binary authentication token that must be extracted from the suspect’s computer.
Xfinity Pineapple – blog.logrhythm.com
This post is simply a proof-of-concept to explore the risks of open wireless access points.

Vulnerabilities

Hacked Synology NAS systems used in big-profit cryptocurrency mining scheme – www.computerworld.com
A hacker exploited publicly known vulnerabilities to install malware on network-attached storage systems manufactured by Synology and used their computing power to generate Dogecoins, a type of cryptocurrency.
Columbia Engineering Team Finds Thousands of Secret Keys in Android Apps – engineering.columbia.edu
Jason Nieh and Nicolas Viennot reported that they have discovered a crucial security problem in Google Play, the official Android app store. The researchers used PlayDrone to recover app sources and, in the process, uncovered crucial security flaws.
CARISIRT: Yet Another BMC Vulnerability (And some added extras) – blog.cari.net
After reading a couple articles on the problems in IPMI by Rapid7’s HD Moore, Zachary W. discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152.