Resources
- iCloud keychain and iOS 7 Data Protection – slideshare.net
If you are concerned about cloud security, read this presentation by Andrey Belenko, Sr. Security Engineer @ viaForensics, and Alexey Troshichev, @hackappcom founder.
- Leveraging WMI for shells – secabstraction.com
secabstraction always tries to think about how he might get something done by leveraging WMI, since it’s usually always on and available. When he read that somebody had beaten him to the punch, he decided to start writing a PowerShell implementation.
- Alberto’s GSoC 2014 Project for ZAP: SOAP Scanner Add-On – zaproxy.blogspot.com
This summer, Alberto Verza, a 23-year-old student from Spain, participated in Google Summer of Code 2014. His project was the SOAP Scanner Add-On for ZAP, on which he worked throughout the program. Here is an explanation of the features it includes.
- What the InfoSec Skills Gap Means for the Future – blog.whitehatsec.com
One of the biggest challenges – if not the biggest challenge – facing information security is the lack of skilled talent. Cisco’s 2014 Annual Security Report says, “it’s estimated that by 2014, the [IT Security] industry will still be short more than a million security professionals across the globe.”
- Hackertainment – hackertainment.net
This is a list of puzzles, challenges, games, CTFs, and other entertainment via coding. It can include everything from ACM-style competitions to challenges designed to teach specific languages or programming paradigms.
Tools
- ibrute: AppleID bruteforce p0c – github.com
Here is an AppleID password bruteforce p0c. It’s only a p0c, so there is no multithreading feature or Save-State-On-Exception feature; do it yourself. Before you start, make sure it’s not illegal in your country.
- Lynis v1.6.0 Released – cisofy.com
Security auditing tool for Linux, Mac and Unix based systems. Scan your systems in a matter of minutes and know what can be improved.
- Nmap v6.47 Released – nmap.org
Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. You can download Nmap v6.47 from here.
Vulnerabilities
- Apple’s iCloud breach
- Nude Photos Of Jennifer Lawrence And Kate Upton Leak: Five Important Lessons For All of Us – forbes.com
The current breach represents a serious crime and violation of privacy; there are, however, several important lessons that we should all learn from this incident.
- This could be the iCloud flaw that led to celebrity photos being leaked (Update: Apple is investigating) – thenextweb.com
An alleged breach in Apple’s iCloud service may be to blame for countless leaks of private celebrity photos this week. Apple said that the celebrity photo breaches were a targeted attack unrelated to iCloud, but did not address the vulnerability discussed here.
- Tim Cook Says Apple to Add Security Alerts for iCloud Users – online.wsj.com
Apple CEO Denies a Lax Attitude Toward Security Allowed Hackers to Post Nude Photos of Celebrities.
- Banks: Credit Card Breach at Home Depot – krebsonsecurity.com
Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.
- Data: Nearly All U.S. Home Depot Stores Hit – krebsonsecurity.com
New data gathered from the cybercrime underground suggests that the apparent credit and debit card breach at Home Depot involves nearly all of the company’s stores across the nation.
- Critical Security Vulnerability Found in WordPress Slider Revolution Plugin, Immediate Update Advised – wptavern.com
The security team at Sucuri publicized a critical vulnerability found in the WordPress Slider Revolution plugin recently. The bug has since been patched, but the development team for Slider Revolution kept silent about it and did not notify their users of the importance of updating.
Other News
- Urgent security warning that may affect all internet users – community.namecheap.com
Back in August, The Register reported that the largest ever quotient of email addresses, usernames and passwords had been put together by groups of Russian hackers. These hackers collected this data over many months, gaining access to these user credentials through vulnerable/poorly secured databases and backdoors/malware installed on insecure computers around the world.
- Home Depot, Other Retailers Get Social Engineered – darkreading.com
Famed annual contest reveals how many retailers lack sufficient defenses against social engineering.
- Obamacare site hacked but nothing taken, HHS says – money.cnn.com
Hackers silently infected a Healthcare.gov computer server this summer. But the malware didn’t manage to steal anyone’s data, federal officials say.
- Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted – threatpost.com
When Firefox 32 shipped this week, Mozilla also officially ended its support of 1024-bit certificate authority certificates in its trusted store. Still, such a move does involve some cost and angst to websites running older certificates.
- The FBI Finally Says How It ‘Legally’ Pinpointed Silk Road’s Server – wired.com
As the trial of alleged Silk Road drug market creator Ross Ulbricht approaches, the defense has highlighted the mystery of how law enforcement first located the main Silk Road server in an Icelandic data center, despite the computer being hidden by the formidable anonymity software Tor. The FBI claims to have found the server’s location without the NSA’s help, simply by fiddling with the Silk Road’s login page until it leaked its true location.