Week 26 In Review – 2015

Resources

  • The $300 ‘PITA’ steals encryption keys with radio waves – engadget.com
    Your computer is leaking information. It’s not from the usual suspects: WiFi, Bluetooth or ethernet, but from radio waves originating from your processor. Researchers at Tel Aviv University and Israel’s Technion research institute have built a $300 device that captures those electromagnetic waves and uses them to decrypt RSA and ElGamal data from up to 19 inches away.
  • The Secret Life of SIM Cards – ehacking.net
    SIM or subscriber identity module is essential in mobile communication, SIM is a microchip or an electronic circuit that stores IMSI and other authentication and identification code. The foremost objective of SIM is to give the identification of its owner in the mobile communication network, it also carries the network signals that can hacked to control a mobile phone.

Tools

Techniques

  • Security Cheatsheets – github.com
    A collection of cheatsheets for various infosec tools and topics.
  • Offensive Interview – github.com
    Interview questions to screen offensive (red team/pentest) candidates
  • The House of Force – gbmaster.wordpress.com
    As you can see from the recipe, this technique is strongly based on the top chunk (a.k.a. thewilderness): as you can remember from the first article on heap overflows, the top chunk is a very peculiar one.

Vendor / Software Patches

Vulnerabilities

  • Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign – fireeye.com
    In June, FireEye’s FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe Flash Player zero-day vulnerability (CVE-2015-3113). The attackers’ emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113.
  • Cisco SSH Key Flaw Has Echoes of Earlier Vulnerabilities – threatpost.com
    When Cisco released a patch for several of its security appliances Thursday that eliminated the presence of hard-coded SSH host and private keys, the advisory had a distinct air of familiarity about it. That’s because the company released a patch for the same problem in one of its other major products almost exactly one year ago.

Other News

  • Breach of Government Employee Records
    Government officials have been vague in their testimony about the data breaches—there was apparently more than one—at the Office of Personnel Management. But on Thursday, officials from OPM, the Department of Homeland Security, and the Department of the Interior revealed new information that indicates at least two separate systems were compromised by attackers within OPM’s and Interior’s networks.
    o “EPIC” fail—how OPM hackers tapped the mother lode of espionage data – arstechnica.com
    o Report: Hack of government employee records discovered by product demo – arstechnica.com
  • Part 3: The cyberbomb is detonated – fortune.com
    From the outset, the management and employees at Sony Pictures didn’t have a clue as to what hit them—or what was on the way. The studio’s initial public comment on Nov. 24 was a marvel of understatement: “We are investigating an IT matter.”

Leave A Comment