Events Related
- HITB Amsterdam Wrap-Up Day #1 – blog.rootshell.be
The HITB crew is back in the beautiful city of Amsterdam for a new edition of their security conference. Here is Xavier’s wrap-up for the first day!
- HITB Amsterdam Wrap-Up Day #2 – blog.rootshell.be
This is Xavier’s quick wrap-up for the second day of Hack in the Box!
Resources
- New Research: Some Tough Questions for ‘Security Questions’ – googleonlinesecurity.blogspot.ca
Elie Bursztein and his research team analyzed hundreds of millions of secret questions and answers that had been used for millions of account recovery claims at Google. Their findings, summarized in a paper they recently presented at WWW 2015, led them to conclude that secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.
- Cyber insurance: Only fools rush in – itworld.com
With prominent corporations from across the economy bleeding customer data and paying through the nose for it, “cyber insurance” has become a hot topic in corporate boardrooms and the media.
- mitmproxy: release v0.12 and some project news – corte.si
Before getting to the new release, Aldo Cortesi gives a quick update on some internal project developments.
- ZAP as a Service (ZaaS) – zaproxy.blogspot.com
At OWASP AppSec EU in Amsterdam this year Simon Bennetts announced ZAP as a Service (ZaaS). The slides are available and the video will follow soon.
- Meet ‘Tox’: Ransomware for the Rest of Us – blogs.mcafee.com
McAfee Labs found Tox on May 19. It was updated on May 21 with a new FAQ and an updated design, but the core did not change.
- Index of /hitbsecconf2015ams/materials – conference.hitb.org
The materials of HITB Conference 2015 Amsterdam are available now. The PDFs can be downloaded from the index.
Tools
- EvilAP_Defender – github.com
Protect your wireless network from evil access points! The tool can be downloaded from the GitHub repository.
Techniques
- Hacking Starbucks for unlimited coffee – sakurity.com
This is a story about how Egor Homakov found a way to generate an unlimited amount of money on Starbucks gift cards, enough for a lifetime supply of coffee or to steal a couple of million dollars.
- Side-Channel Power Analysis of AES Core in Project Vault – colinoflynn.com
The post starts from a problematic statement, since side-channel power leakage is not something a single simple fix addresses. In this case the AES core shows effectively no difference from an unprotected implementation under side-channel power analysis. More on that inside.
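What “no different from an unprotected implementation” means in practice, as an added example that is not Colin O’Flynn’s code and has nothing to do with the Project Vault sources: a correlation power analysis (CPA) against a first-round AES S-box lookup. The traces are constructed here under an assumed leakage model (one sample of each trace carries the Hamming weight of the S-box output plus Gaussian noise, every other sample is pure noise); the key byte, trace count, noise level and sample positions are all assumptions. The S-box is derived from the AES definition rather than typed in.

```python
"""Correlation power analysis (CPA) of an unprotected AES first-round S-box lookup.

Added example: not code from Colin O'Flynn's post or from Project Vault.
Leakage model (assumption): at one sample of each trace the power draw equals
the Hamming weight of the S-box output SBOX[plaintext ^ key], plus Gaussian
noise; every other sample is pure noise.
"""
import random


def _gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    sbox = []
    for x in range(256):
        inv, base, e = (1 if x else 0), x, 254      # x^254 == x^-1 for x != 0
        while x and e:
            if e & 1:
                inv = _gmul(inv, base)
            base = _gmul(base, base)
            e >>= 1
        s = r = inv
        for _ in range(4):                          # s ^= rotl(inv, 1..4)
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(key_byte, n_traces, n_samples, leak_index, noise_sd, rng):
    """Constructed traces: random plaintext bytes, data-dependent power only at leak_index."""
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = []
    for p in plaintexts:
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        trace[leak_index] += hamming_weight(SBOX[p ^ key_byte])
        traces.append(trace)
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def cpa_recover_key_byte(plaintexts, traces):
    """Rank all 256 key hypotheses by their peak |correlation| across the trace.

    For each guess k the predicted leakage HW(SBOX[p ^ k]) is correlated with
    every sample column; the right k peaks at the leaking sample, wrong guesses
    stay near zero. Returns (best_key, best_sample, scores).
    """
    n_samples = len(traces[0])
    columns = [[t[i] for t in traces] for i in range(n_samples)]
    scores, peak = [], []
    for k in range(256):
        hyp = [hamming_weight(SBOX[p ^ k]) for p in plaintexts]
        corrs = [abs(pearson(hyp, col)) for col in columns]
        best_i = max(range(n_samples), key=corrs.__getitem__)
        scores.append(corrs[best_i])
        peak.append(best_i)
    best_key = max(range(256), key=scores.__getitem__)
    return best_key, peak[best_key], scores


def run_attack(secret_key_byte, n_traces=400, noise_sd=1.0, seed=2015):
    """Simulate and attack; returns (recovered_key, leak_sample, top_score, runner_up_score)."""
    rng = random.Random(seed)
    plaintexts, traces = simulate_traces(secret_key_byte, n_traces, 6, 3, noise_sd, rng)
    key, when, scores = cpa_recover_key_byte(plaintexts, traces)
    ranked = sorted(range(256), key=scores.__getitem__, reverse=True)
    return key, when, scores[ranked[0]], scores[ranked[1]]


if __name__ == "__main__":
    key, when, top, second = run_attack(0x2B)
    print(f"recovered key byte 0x{key:02x} at sample {when}: |r|={top:.2f}, runner-up |r|={second:.2f}")
```

With the defaults the correct key byte ranks first by a wide margin and the attack also pinpoints which sample leaks. Raising `noise_sd` or lowering `n_traces` only changes how many traces the attacker needs, not whether recovery is possible; a countermeasure such as masking has to remove the correlation this script exploits, which is why power leakage is not a single-fix problem.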
Vulnerabilities
- Exploit Kit Using CSRF to Redirect SOHO Router DNS Settings – threatpost.com
Attacks targeting small office and home router DNS settings, long a target for network intruders seeking to redirect web traffic to malicious sites, have for the first time been included in an exploit kit, one that specializes in cross-site request forgery attacks.
- An Exploit Kit dedicated to CSRF Pharming – malware.dontneedcoffee.com
The exploit kit was spotted by French researcher Kafeine, who on Friday published research about the attacks.
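The router side of the two write-ups above, as an added example (not code from Threatpost, from Kafeine’s post, or from any router firmware): the pharming works because the router applies a DNS change requested by whatever page the victim’s browser happens to be loading, and the browser attaches the router session or cached credentials on its own. The checks below refuse exactly that request. The origins, paths, request shapes and field names are assumptions, and the two requests are constructed for the demo.

```python
"""Server-side CSRF checks for a SOHO router's DNS-settings handler.

Added example, not code from either write-up and not any vendor's firmware.
It models the check a router admin UI needs so that a request fired from an
attacker's web page (the pattern the exploit kit uses) is refused even though
the victim's browser attaches the router session or cached credentials.
Origins, paths and request shapes below are assumptions.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the origins the admin UI is served from.
ROUTER_ORIGINS = {"http://192.168.1.1", "http://router.local"}


def issue_csrf_token(session):
    """Mint a per-session secret; the UI embeds it as a hidden field in every form."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None


def check_state_change(request, session):
    """Decide whether a settings change may proceed. Returns (allowed, reason).

    request: {"method": str, "headers": {name: value}, "form": {field: value}}
    Three layered checks: no state change on GET (the classic apply.cgi?dns=...
    pattern), the browser-supplied Origin (or Referer, for browsers that omit
    Origin on plain form posts) must name the router itself, and the form must
    carry the session's token, compared in constant time.
    """
    if request["method"].upper() != "POST":
        return False, "state change via GET refused; settings must be POSTed"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or _origin_of(headers.get("referer", ""))
    if source is None:
        return False, "no Origin or Referer: refusing rather than guessing"
    if source not in ROUTER_ORIGINS:
        return False, f"cross-site request from {source}"
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: one forged by an exploit-kit landing page, one legitimate."""
    session = {}
    token = issue_csrf_token(session)
    forged = {                      # victim's browser on the LAN renders the attacker's page
        "method": "POST",
        "headers": {"Host": "192.168.1.1", "Origin": "http://landing.example"},
        "form": {"dns1": "203.0.113.10", "dns2": "203.0.113.11"},   # attacker's resolvers
    }
    legit = {                       # submitted from the router's own DNS settings page
        "method": "POST",
        "headers": {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"},
        "form": {"dns1": "192.0.2.53", "dns2": "192.0.2.54", "csrf_token": token},
    }
    return check_state_change(forged, session), check_state_change(legit, session)


if __name__ == "__main__":
    for label, result in zip(("forged", "legit"), demo()):
        print(f"{label}: allowed={result[0]} ({result[1]})")
```

The three checks are layered on purpose: the header check alone fails for browsers that send neither Origin nor Referer on a form post, and the token alone is undermined if the firmware also honours the same parameters on a GET, which is the pattern a CSRF pharming page relies on.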
- Attackers use email spam to infect point-of-sale terminals with new malware – itworld.com
Cybercriminals are targeting employees who browse the Web or check their email from point-of-sale (PoS) computers, a risky but unfortunately common practice.
- Recent Breaches a Boon to Extortionists – krebsonsecurity.com
The recent breaches involving the leak of personal data on millions of customers at online hookup site Adult Friend Finder and mobile spyware maker mSpy give extortionists and blackmailers plenty of ammunition with which to ply their trade.
- Hackers stole personal information from 104,000 taxpayers, IRS says – washingtonpost.com
The IRS says data thieves used social security numbers and addresses they had already gathered on individuals to access personal information, including past tax returns, through the IRS Web site.
- Clueless Clause: Insurer Cites Lax Security in Challenge to Cottage Health Claim – securityledger.com
In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data.
- Bug in iOS Unicode handling crashes iPhones with a simple text – appleinsider.com
A peculiar iOS bug apparently allows pranksters to crash a victim’s iPhone by sending a text message from their own iPhone containing what appears to be a single line of seemingly innocuous Arabic script.
- News and updates from the Project Zero team at Google – googleprojectzero.blogspot.be
This blog post describes an unfixed bug in Windows 8.1 which allows you to escape restrictive job objects, in order to help develop a sandbox escape chain in Chrome or similar sandboxes.
- The Empire Strikes Back Apple – how your Mac firmware security is completely broken – reverse.put.as
If you are a rootkits fan, the latest Chaos Communication Congress (CCC) in 2014 brought us two excellent presentations: Thunderstrike by Trammell Hudson, and Attacks on UEFI security, inspired by Darth Venami’s misery and Speed Racer by Rafal Wojtczuk and Corey Kallenberg. Trammell mentioned in his presentation the possibility that Macs could also be vulnerable to the Dark Jedi attack.
- PeopleSoft Vulnerabilities Elevate ERP Security Issues – threatpost.com
Enterprise resource planning systems are the unexplored continent of vulnerability research, in spite of the fact that these massive, critical business systems support the inner workings of many large corporations and IT organizations.
Other News
- Sniffing and tracking wearable tech and smartphones – net-security.org
Researchers at Context Information Security have demonstrated how easy it is to monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, wearable devices and iBeacons, including the iPhone and leading fitness monitors, raising concerns about privacy and confidentiality.
- Why changes to Wassenaar make oppression and surveillance easier, not harder – addxorrol.blogspot.com
While the goal of restricting intrusive surveillance by governments is laudable, the changes to Wassenaar threaten to achieve the opposite of their intent, with detrimental side effects for everybody. The changes need to be repealed, and national implementations of these changes rolled back.
- Why The World’s Top Security Pros Are Furious About Exploit Export Rules – forbes.com
Over the long weekend, rather than taking a break, the hacker community was up in arms about proposed rules that would restrict the free and open use of attack tools and software exploits invaluable for their work.
- Wassenaar Restrictions on Speech – emergentchaos.com
In this post Adam also addresses the free speech issue.
- Some notes about Wassenaar – blog.erratasec.com
So, Wassenaar has infected your timeline for the past several days. Robert Graham explains what the big deal is.
- Security Researchers Sound Off on Proposed US Wassenaar Rules – threatpost.com
With the two-month comment period for the proposed U.S. Wassenaar Arrangement rules barely under way, a cast of influential security researchers has wasted no time preparing and submitting their thoughts on the controversial proposal.