Week 46 In Review – 2015

Events Related

• SecureWV2015 Videos – www.irongeek.com
  These are the videos of the presentations from Secure West Virginia 2015.

• HouSecCon v6 2015 Videos – www.irongeek.com

• New 4G LTE Hacks Punch Holes In Privacy – www.darkreading.com
  Black Hat Europe researchers to demonstrate newly found flaws in 4G mobile that expose privacy and disrupt phone service.

• Black Hat Europe 2015
  • Black Hat Europe 2015 Wrap-Up – blog.rootshell.be
  • Black Hat Europe 2015 Briefings – www.blackhat.com

Resources

• Jailbreak or Root Detection: A False Sense of Security, Part 2 – bluebox.com
  In this post, we take a closer look at threats posed by non-jailbroken and non-rooted devices. We focus primarily on iOS devices because many organizations assume that these devices provide higher security.

• Microsoft Security Bulletin Summary for November 2015 – technet.microsoft.com

• EMV Protocol Fuzzer – labs.mwrinfosecurity.com
  As a result of this research we are pleased to present an EMV protocol fuzzer that can be used as a tool to evaluate the security integrity of a device under test (DUT). This solution includes a Python interface to facilitate control of the EMV fuzzer, in effect allowing on-the-fly monitoring and emulation of an EMV stream with the DUT.

• New Research: Encouraging trends and emerging threats in email security – googleonlinesecurity.blogspot.com
  We’re constantly working to help make email more secure for everyone. These efforts are reflected in security protections like default HTTPS in Gmail as well as our Safer Email Transparency report, which includes information about email security beyond just Gmail.

Tools

• fathomless – github.com
  A collection of different programs that work together, related to infosec.

• PowerCat – github.com
  A PowerShell TCP/IP swiss army knife that works with Netcat & Ncat.

Vendors / Software Patches

• Critical Fixes for Windows, Adobe Flash Player – krebsonsecurity.com
  For the third time in a month, Adobe has issued an update to plug security holes in its Flash Player software. The update came on Patch Tuesday, when Microsoft released a dozen patches to fix dozens of vulnerabilities in Windows, Internet Explorer, Skype and other software.

Vulnerabilities

• Adobe Flash Vulnerability CVE-2015-7663 and Mitigating Exploits – www.endgame.com
  The vulnerability exists due to the improper tracking of freed allocations associated with a “Renderer” object when handling multiple progress bar additions. This can be forced to overflow a Bitmap object corrupting adjacent memory.

• Comodo Issues Eight Forbidden Certificates – threatpost.com
  Certificate authority Comodo admits it incorrectly issued eight certificates that include forbidden internal server names or reserved IP addresses.

• Hidden Virus Discovered in Martel Police Body Camera – www.goipower.com
  iPower Technologies, a Boca Raton based network integrator, discovered the following security vulnerability in the Martel Frontline Camera with GPS.  This product is sold and marketed as a body camera for official police department use.

• Self-encrypting drives are hardly any better than software-based encryption – www.cio.com
  Companies relying on self-encrypting drives (SEDs) to secure data stored on their employees’ laptops should be aware that this technology is not immune to attack and should carefully consider whether they want to use this rather than software-based approaches.

• Mac App Store apps ‘damaged’ following security certificate bug – thestack.com
  Overnight Mac users experienced trouble when using apps bought or downloaded from the App Store, after the security certificate Apple uses as an anti-piracy measure expired. Five years after the certificate’s creation, the tech giant had not prepared an immediate alternative.

• Latest Android phones hijacked with tidy one-stop-Chrome-pop – www.theregister.co.uk
  PacSec Google’s Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine.

• One BadBarcode Spoils Whole Bunch – threatpost.com
  Barcodes’ pervasiveness in retail, health care and other service industries notwithstanding, hackers really haven’t paid much attention to these tiny lines of data.

Other News

• It’s Way Too Easy to Hack the Hospital – www.bloomberg.com
  In the fall of 2013, Billy Rios flew from his home in California to Rochester, Minn., for an assignment at the Mayo Clinic, the largest integrated nonprofit medical group practice in the world. Rios is a “white hat” hacker, which means customers hire him to break into their own computers.

• How Paris ISIS Terrorists May Have Used PlayStation 4 To Discuss And Plan Attacks – www.forbes.com
  Following Friday night’s terrorist attacks in Paris which killed at least 127 people and left more than 300 injured, authorities are discovering just how the massacre was planned. And it may involve the most popular gaming console in the world, Sony ’s PlayStation 4.

• Clearing the Air on Wi-Fi Software Updates – www.fcc.gov
  The comments and replies are largely supportive of the Commission’s proposals, but one particular element generated thousands of comments from individuals concerned that the proposal would encourage manufacturers to prevent modifications or updates to the software used in devices such as wireless local area networks (e.g., Wi-Fi routers).