Week 38 In Review – 2014

Events Related

  • A first-timers view of the “Hacker Summer Camp” – blog.c22.cc
    The big “Hacker Summer Camp” took place in Las Vegas this August. This get-together describes the occasion of Black Hat, for the Business sponsored InfoSec employee, BSides Las Vegas, for the techies, and DEF CON, which apparently became object of both type of folks already years ago, and many more little side conventions.
  • DEFCON 23 hotel block rate link is LIVE! – defcon.org
    The DEF CON rate is available at the following hotels: Paris, Bally’s, Ceasars Palace, Planet Hollywood, Flamingo and Quad. That’s out early!

Resources

  • Breaking av software – twitter.com
    Joxean Koret published his slides for 44con on twitter. You can download from here.
  • Transfer File Over DNS in Windows (with 13 lines of PowerShell) – breenmachine.blogspot.com
    Stephen Breen released the code for a Bash client and the Python server in his previous post. He is now releasing code for the (probably more useful to most people) Powershell client script, and it only ended up being 13 lines!
  • hostapd-wpe: Now with More Pwnage! – blog.opensecurityresearch.com
    hostapd-wpe provides a means to execute client side attacks on wired and wireless networks, and in this blog post Brad Antoniewicz will cover hostapd-wpe’s latest features. Enjoy!
  • Public release of the OWASP Testing Guide v4 – blog.mindedsecurity.com
    The OWASP Testing Guide includes a “best practice” penetration testing framework which users can implement in their own organizations and a “low level” penetration testing guide that describes techniques for testing most common web application and web service security issues.
  • 44CON 2014 – Meterpreter Internals, OJ Reeves – slideshare.net
    Let’s dive into the plumbing that makes Meterpreter tick. OJ Reeves will explain in relative detail its lifecycle, along with some of the ins and outs of topics such as Reflective DLL Injection and Migration. Bring your low-level knowledge and interest in technical details as we pop the hood of one of the most loved parts of Metasploit.

Tools

  • iLoot – github.com
    iLoot is an openSource tool for iCloud backup extraction. Using this CLI tool you can download backups of devices assigned to your AppleID.
  • 44con – github.com
    44CON 2014 Badge based on the dangerous prototypes bus pirate V3c. Bus Blaster v3 is an experimental, high-speed JTAG debugger for ARM processors, FPGAs, CPLDs, flash, and more.
  • IDA Sploiter – thesprawl.org
    IDA Sploiter is a plugin for Hex-Ray’s IDA Pro disassembler designed to enhance IDA’s capabilities as an exploit development and vulnerability research tool. You can download the tool from here.
  • StegExpose – Steganalysis Tool For Detecting Steganography In Images – darknet.org.uk
    StegExpose is a steganalysis tool specialized in detecting steganography in lossless images such as PNG and BMP. It has a command line interface and is designed to analyse images in bulk while providing reporting capabilities and customization which is comprehensible for non forensic experts.
  • SFileScanner.exe Part 2 – blog.didierstevens.com
    Didier’s new FileScanner tool allows you to use rules to scan files. Here is how you define rules.

Techniques

  • You found Wonka’s golden ticket! – bughardy.me
    Matteo Beccaro would like to speak with you about NFCulT, what is it, how it has been created and why. The hack become keeping the same number of rides and have a valid ticket, and this will remain the purpouse for all attacks.

Vulnerabilities

  • Major Android Bug is a Privacy Disaster (CVE-2014-6041) – community.rapid7.com
    After some of the usual testing and confirmation of the vulnerability, this module is available in all versions of Metasploit. This is a privacy disaster.
  • Freenode Global Notice – plus.google.com
    The freenode infra team noticed an anomaly on a single IRC server. They have identified that this was indicative of the server being compromised by an unknown third party.

Other News

  • The IT Security Conundrum – windowsitpro.com
    Doug Spindler has been in the IT industry for many years and watched as company after company leaks confidential information. He would like to share with you two stories from his career and ask you as IT professionals what you would do.
  • Why do Apple’s security questions still suck? – f-secure.com
    It’s been two weeks, so why do Apple’s security questions still suck? Here’s an example with full list of questions you’ll be asked when you create an Apple ID.
  • Breach at Goodwill Vendor Lasted 18 Months – krebsonsecurity.com
    C&K Systems Inc., a third-party payment vendor blamed for a credit and debit card breach at more than 330 Goodwill locations nationwide, disclosed this week that the intrusion lasted more than 18 months and has impacted at least two other organizations.
  • Home Depot breach bigger than Target at 56 million cards –reuters.com
    Home Depot Inc Thursday said some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than last year’s unprecedented breach at Target Corp.
2017-03-12T17:39:29-07:00 September 22nd, 2014|Security Conferences, Security Tools, Security Vulnerabilities, Week in Review|0 Comments

Leave A Comment