Resources
- Louisville Infosec 2014 Videos – irongeek.com
Here are the videos from the Louisville Infosec 2014 conference. You can download the videos from here.
- Derbycon 2014 Videos – irongeek.com
These are the videos of the presentations from Derbycon 2014. You can watch and download the videos from here.
- Shellshocker! – Episode 029a – in-security.org
You might have heard something about Shellshock as the details unravel, so the InSecurityShow crew try to give you some insight into what you might be hearing, in this important message from your friendly computer information security podcast producers on the nature, threats and solutions of the new Shellshock exploit.
- Interesting comments about this podcast – reddit.com
- tinyCTF 2014 write-ups – github.com
This is a tiny “Capture The Flag” game that PoeRhiza put together, since it’s so hard to explain what a (jeopardy-style) CTF really feels like. You will enjoy some of the challenges. All flags have the format flag{%s} % (funny_key_here). Gotta catch ’em all!
- Anatomy of a Compromised Site: 7,000 Victims in Two Hours – blog.trendmicro.com
Earlier this year, the Trend Micro blog discussed how Gizmodo’s Brazilian site was compromised and used to spread online banking malware to approximately 7,000 victims in a two-hour span. The video here describes how the attack was carried out.
Tools
- iSniff-GPS – Passive Wifi Sniffing Tool With Location Data – darknet.org.uk
iSniff GPS is a passive wifi sniffing tool which sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. You can download iSniff-GPS here.
Techniques
- NoSQL SSJI Authentication Bypass – blog.imperva.com
Following Barry Shteiman’s previous post on SSJI, he received many questions requesting more details and techniques on how applications that use a big data back end may be vulnerable, and whether he could give some viable examples. Here are the techniques.
- Do You Trust Your Computer? – blog.logrhythm.com
Greg Foss is not going to talk about getting shells or pivoting in this post; instead, he wants to look into other abuses of functionality that are possible in the enterprise. One of his favorite attack vectors is imitating a legitimate service, program, etc. and using this to gain privileged access to resources.
Vendor/Software patches
- Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and ’78) – lcamtuf.blogspot.com
The patch that implements a prefix-based way to mitigate vulnerabilities in bash function exports has been out since last week and has already been picked up by most Linux vendors (plus by Apple). So, here’s a quick overview of the key developments along the way, including two really interesting things: proof-of-concept test cases for two serious, previously non-public RCE bugs tracked as CVE-2014-6277 and CVE-2014-6278.
- VMware Begins to Patch Bash Issues Across Product Line – threatpost.com
Virtualization firm VMware issued a progress report on Monday on fixes for four different types of products as they relate to the bug. According to yesterday’s security advisory, it’s currently in the middle of developing a patch for all but one of 38 different virtual appliance products, all of which run on Linux and are shipped with an affected version of Bash.
Vulnerabilities
- Shellshock/Bash Bug vulnerability
Inside Shellshock: How hackers are using it to exploit systems – blog.cloudflare.com
On Wednesday of last week, details of the Shellshock bash bug emerged. This bug started a scramble to patch computers, servers, routers, firewalls, and other computing appliances using vulnerable versions of bash. CloudFlare immediately rolled out protection for Pro, Business, and Enterprise customers through their Web Application Firewall.
- OpenVPN Vulnerable To Shellshock Exploit – darknet.org.uk
A certain combination of circumstances and configuration options can leave OpenVPN vulnerable to Shellshock. OpenVPN systems will only be vulnerable if /bin/sh points to /bin/bash and they don’t use an alternative (more suitable) shell like ash/dash.
- OpenVPN ShellShock PoC – pastebin.com
OpenVPN ShellShock PoC based on Fredrik Strömberg’s HN post, verified by @fj33r.
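As an added example that is not code from any of the linked posts, the following POSIX shell script checks a host for the three things the Shellshock items above describe: whether the local bash still honours the original CVE-2014-6271 function-import trick, which function-export naming scheme the installed bash uses (the prefix-based fix from the lcamtuf post), and whether /bin/sh actually resolves to bash (the precondition the OpenVPN item gives). It assumes a bash binary on PATH, a readlink that supports -f (GNU or BusyBox), and uses the made-up function name probefn as a marker.

```sh
#!/bin/sh
# Added example, not code from the linked posts. Function names and the
# "probefn" marker are this example's own.

# Classic CVE-2014-6271 probe: a vulnerable bash parses any environment
# variable whose value starts with "() {" as a function definition and then
# executes whatever trails the closing brace. Prints vulnerable, patched,
# or nobash (no bash binary on PATH).
shellshock_probe() {
  bash_bin=$(command -v bash) || { echo nobash; return 0; }
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe' 2>/dev/null) || out=""
  case "$out" in
    *vulnerable*) echo vulnerable ;;
    *)            echo patched ;;
  esac
}

# The prefix-based fix: a fixed bash only imports functions from variables
# named BASH_FUNC_<name>%% (some early vendor builds used a BASH_FUNC_<name>()
# suffix instead), so an arbitrary variable like x above is inert. Exporting a
# function inside bash and reading back the variable name it produced shows
# which scheme the local build uses. Prints prefixed, legacy, unknown, or nobash.
function_export_scheme() {
  bash_bin=$(command -v bash) || { echo nobash; return 0; }
  name=$("$bash_bin" -c 'probefn() { :; }; export -f probefn; env | grep probefn | head -n 1 | cut -d= -f1') || name=""
  case "$name" in
    BASH_FUNC_probefn*) echo prefixed ;;   # new, prefixed scheme
    probefn)            echo legacy ;;     # pre-fix: bare function name
    *)                  echo unknown ;;
  esac
}

# The OpenVPN precondition from the item above: the system is only exposed if
# /bin/sh points at bash rather than ash/dash. Follows symlinks with
# readlink -f (assumed to be GNU/BusyBox readlink). Prints yes or no.
sh_is_bash() {
  target=$(readlink -f /bin/sh 2>/dev/null) || target=/bin/sh
  [ -n "$target" ] || target=/bin/sh
  case "$(basename "$target")" in
    bash) echo yes ;;
    *)    echo no ;;
  esac
}

printf 'CVE-2014-6271 probe:     %s\n' "$(shellshock_probe)"
printf 'function export scheme:  %s\n' "$(function_export_scheme)"
printf '/bin/sh resolves to bash: %s\n' "$(sh_is_bash)"
```

On a patched system the expected output is patched / prefixed, and a no for the /bin/sh line means the OpenVPN condition does not apply even if bash itself were still vulnerable; a yes there is the combination worth fixing first.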
Other News
- JPMorgan Chase Hacking Affects 76 Million Households – dealbook.nytimes.com
A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever.
- JPMorgan hack affected 76 million households, 7 million SMBs – zdnet.com
Fresh details have been released concerning JPMorgan’s cyberattack, and it has been revealed that the data breach is one of the largest in history.
- The Unpatchable Malware That Infects USBs Is Now on the Loose – wired.com
It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem, and the lack of any easy patch, Nohl has held back on releasing the code he used to pull off the attack.
- Cops Are Handing Out Spyware to Parents—With Zero Oversight – wired.com
Police departments around the country have been distributing thousands of free copies of spyware to parents to monitor their children’s activity, a fact that’s come to light in the wake of a federal indictment this week against the maker of one commercial spyware tool on wiretapping charges.