Events Related
- The MiTM Mobile Contest: GSM Network Down at PHDays V – blog.ptsecurity.com
The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks having only a 10$ cell phone with some hacker freeware.
- SHAKACON
SHAKACON was a well-run and friendly conference with about 300 attendees and high quality talks over 2 days.- SHAKACON Day 1 – digitalbond.com
- SHAKACON Day 2 & Go/No Go – digitalbond.com
- OISF 2015 Videos – irongeek.com
Educating users both IT and non-IT in the importance of Security.
- RV4Sec
- RV4sec Videos: Michelle Schaffer/Tim Wilson & Bill Weinberg – rvasec.com
- RV4sec Videos: Virginia Governor Terry McAuliffe – rvasec.com
- RV4sec Videos: Pete Herzog/Dave Lauer & Jason Smith – rvasec.com
- RV4sec Videos: Schuyler Towne & Mark Painter – rvasec.com
Resources
- VMware Multiple Products – Privilege Escalation – nettitude.co.uk
This article summarises the findings and the impact of a vulnerability that we recently discovered in three major VMware Windows products. The affected products are ‘VMware Workstation’, ‘Horizon Client’ (with Local Mode Option), and ‘Player’.
- Hacking and Hiking – webbreacher.com
A collection of information security, outdoors and other random things that I find helpful or interesting.
Tools
- canbus-utils release v0.2.0 – digitalbond.com
Quick post to announce an updated release for the Digital Bond Labs CANBus utilities repository.
- IVRE – github.com
IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including two modules for passive recon (one p0f-based and one Bro-based) and one module for active recon (mostlyNmap-based, with a bit of ZMap).
Techniques
- Anti-Virus Bypass with Shellter 4.0 on Kali Linux – cyberarms.wordpress.com
Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program!
- Hacking the PS Vita – yifan.lu
The posts not only detail the exploit I found but also the thought process that led me to it. I intended to publish it as soon as the exploit was patched by Sony or after someone found another exploit on the system by examining the memory dumps.
- Stealing Lastpass Passwords With Clickjacking – thehackerblog.com
LastPass, a popular password management service with addons for Firefox, Chrome, and Internet Explorer suffered from a clickjacking vulnerability which can be exploited on sites without the proper X-Frame-Options headers to steal passwords.
Vendor / Software Patches
- Adobe To Fix Zero-Day
Adobe Systems Inc. says its plans to issue a patch on Wednesday to fix a zero-day vulnerability in its Flash Player software that is reportedly being exploited in active attacks. The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups.- Adobe to Patch Hacking Team’s Flash Zero-Day – krebsonsecurity.com
- Third Hacking Team Flash Zero-Day Found – krebsonsecurity.com
- Adobe To Fix Another Hacking Team Zero-Day – krebsonsecurity.com
- Adobe, MS, Oracle Push Critical Security Fixes – krebsonsecurity.com
This being the second Tuesday of the month, it’s officially Patch Tuesday. But it’s not just Microsoft Windows users who need to update today: Adobe has released fixes for several products, including a Flash Player bundle that patches two vulnerabilities for which exploit code is available online. Separately, Oracle issued a critical patch update that plugs more than two dozen security holes in Java.
Vulnerabilities
- I accidentally recorded your phone calls – mnxsolutions.com
A new customer called me and mentioned he was being billed for calls that he wasn’t making on his Asterisk based PBX system. I knew right away that his system had likely been compromised, and this wasn’t anything out of the ordinary for us to tackle.
Other News
- Hacking Team incident
Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.- Hacking Team hacked, attackers claim 400GB in dumped data – csoonline.com
- Hacking Team Asks Customers to Stop Using Its Software After Hack – motherboard.vice.com
- Hacking Team hacked: Spyware source code torrent blurts govt customers – theregister.co.uk
- Hacking Team Breach Shows a Global Spying Firm Run Amok – wired.com
- Trading stopped on New York Stock Exchange due to ‘technical issue’ (update) – engadget.com
It has been quite a day for tech problems. Trading on the New York Stock Exchange was halted due to a “technical issue” at around 11:30 AM ET this morning. On its status page, the NYSE posted that all trading had been suspended and any open orders would be cancelled — with a more detailed explanation to follow.
- Finnish teen convicted of more than 50,000 computer hacks – bbc.com
A teenager involved in series of high profile cyber attacks has been convicted for his crimes in Finland. Julius Kivimaki was found guilty of 50,700 “instances of aggravated computer break-ins”.
- Shared Passwords And No Accountability Plague Privileged Account Use – darkreading.com
As the winds of the cloud scatter corporate data across the globe and beyond any IT boundaries, identity management continues to grow in importance. But a new survey out from Centrify shows that even those that should know better do not engage in secure account management practices.
- United Airlines Hands Out Million-Mile Bug Bounty – threatpost.com
Wiens, who founded a security company in Florida called Vector 35 and not too long ago worked for a government contractor, submitted what he thought were a couple of “lame” bugs to United’s two-month-old bug bounty program—his first commercial bounty submission. The payoff was anything but weak.
- What Happened At OPM? – emergentchaos.com
I want to discuss some elements of the OPM breach and what we know and what we don’t. Before I do, I want to acknowledge the tremendous and justified distress that those who’ve filled out the SF-86 form are experiencing.
Leave A Comment