Week 30 In Review – 2015

Resources

  • Jailbreak or Root Detection: A False Sense of Security, Part 1 – bluebox.com
    Mobile management vendors have ingrained in the industry that jailbroken and rooted devices are bad: automatically deny all access. There is a widespread fear in the industry that these “compromised” devices jeopardize enterprise networks and are prone to leaking corporate secrets.
  • Best Reverser Write-Up: Analyzing Uncommon Firmware – blog.ptsecurity.com
    While developing tasks for PHDays’ contest in reverse engineering, we had a purpose of replicating real problems that RE specialists might face. At the same time we tried to avoid allowing cliche solutions.

Tools

  • 10 Places to Stick Your UNC Path – blog.netspi.com
    UNC paths are one of my favorite things to use during a pen test. Once I force an account to authenticate to me over SMB, I have two options: Capture and Crack the hash or Relay the hash on to another computer.
  • GPS-SDR-SIM – github.com
    GPS-SDR-SIM generates GPS baseband signal data streams, which can be converted to RF using software-defined radio (SDR) platforms, such as bladeRF, HackRF, and USRP.
  • ODAT – github.com
    Oracle Database Attacking Tool
  • HackRF 2015.07.1 – github.com
    This release contains fixes for CMake configuration bugs
  • bettercap – bettercap.org
    A complete, modular, portable and easily extensible MITM framework.
  • mitmproxy: release v0.13 – corte.si
    This is a slightly late announcement of the release of mitmproxy v0.13, which was pushed out the door earlier this week by my esteemed compatriots

Vendor / Software Patches

Vulnerabilities

  • vsftpd-3.0.3 released and the horrors of FTP over SSL – scarybeastsecurity.blogspot.com
    The exception to things getting very stable and calming down seems to be SSL over FTP, which has been a constant source of, uh, joy, for some time now. Some issues fixed relate to security and warrant describing here because I think they are interesting.

Other News

  • Lifelock Once Again Failed at Its One Job: Protecting Data – wired.com
    Customers who hired the infamous ID theft-protection firm Lifelock to monitor their identities after their data was stolen in a breach were in for a surprise. It turns out Lifelock failed to properly secure their data.
  • Online Cheating Site AshleyMadison Hacked – krebsonsecurity.com
    Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information.

Leave A Comment