Resources
- BGA talk slides – twitter.com
Marshall tweeted his BGA talk slides on Twitter. You can download the PDF from here.
- Building a Modern Security Engineering Organization – slideshare.net
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes.
- Car Hacker’s Handbook – opengarages.org
Here you can download the book in several different formats for free!
- CONFidence 2014 video from our talk on CTFs – gynvael.coldwind.pl
The video from j00ru’s and Gynvael’s talk from this year’s CONFidence edition is now online. The talk was called “On the battlefield with the Dragons” and consisted of a selection of interesting CTF task solutions with some useful tips and tricks near the end.
- Slides from my HOPE/X Talk – zdziarski.com
Enjoy the slides and the paper; it’s solid academic quality research.
Tools
- Introducing Burpbuddy – blog.liftsecurity.io
burpbuddy exposes Burp Suite’s extender API over the network through various mediums, with the goal of enabling development in any language without the restrictions of the JVM.
Techniques
- Real world exploitation of a misconfigured crossdomain.xml – Bing.com – sethsec.blogspot.com
Seth Art was only able to really exploit the overly permissive crossdomain.xml file and gain access to the sensitive information. If Bing told authenticated users to use ssl.bing.com/profile/history or get lost, he would not have had a very exciting demo.
Vulnerabilities
- Active Directory Vulnerability Disclosure: Weak encryption enables attacker to change a victim’s password without being logged – www.aorato.com
As part of Aorato’s ongoing research on advanced attacks, they expose a critical Active Directory flaw which enables an attacker to change the victim’s password. Since 95% of all Fortune 1000 companies have an Active Directory deployment, they consider this vulnerability highly sensitive.
Other News
- Chinese hackers may have breached the federal government’s personnel office, U.S. officials say – washingtonpost.com
Hackers may have breached the Office of Personnel Management’s network, a Department of Homeland Security official confirmed Thursday. Another U.S. official who was briefed on the investigation said the intrusion has been traced to China, although it is not clear that the Chinese government is involved.
- Commentary: What I Learned, and What You Should Know, After I Published My Twitter Password – blogs.wsj.com
Christopher was able to learn from cybersecurity consultant Michael B. Williams a tremendous amount about how hackers work and how to defend oneself against them. Williams helped him lock down his own online life, and now, hopefully, you can use his insights to lock down yours.