Week 3 In Review – 2016

Events Related

• ShmooCon
  • ShmooCon Firetalks 2016 – www.irongeek.com
  • ShmooCon Pres – www.gitbook.com

Tools

• TrendMicro node.js HTTP server listening on localhost can execute commands – www.trendmicro.com
  Trend Micro™ Password Manager software manages all your website login IDs (user names and passwords) in one secure location, so you only need to remember one password.

Techniques

• SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 – seclists.org

Vulnerabilities

• Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears – arstechnica.com
  Less than a month after Juniper Network officials disclosed an unauthorized backdoor in the company’s NetScreen line of firewalls, researchers have uncovered highly suspicious code in older software from Juniper competitor Fortinet.

• Steal your Wi-Fi key from you doorbell?IoT WTF! – pentestpartners.com
  The Ring is a Wi-Fi doorbell that connects to your home Wi-Fi. It’s a really cool device that allows you to answer callers from your mobile phone, even when you’re not home.

• Nest Thermostat Glitch Leaves Users in the Cold – nytimes.com
  The Nest Learning Thermostat is dead to me, literally. Last week, my once-beloved “smart” thermostat suffered from a mysterious software bug that drained its battery and sent our home into a chill in the middle of the night.

• OpenSSH Patches Critical Flaw That Could Leak Private Crypto Keys – threatpost.com
  OpenSSH today released a patch for a critical vulnerability that could be exploited by an attacker to force a client to leak private cryptographic keys.

Other News

• 26-Year-Old Hacker Sentenced to Record 334 Years in Prison – thehackernews.com
  Named Onur Kopçak, the hacker was arrested in 2013 for operating a phishing website that impersonated bank site, tricking victims into providing their bank details including credit card information.

• The Evolution of the Wireless Penetration Test – immunityservices.blogspot.com
  Times have quickly changed. Access points (from an unauthenticated standpoint, anyway) are much more resilient to outside attacks but wireless networks themselves are made up of more than just an access point – and they are still just as vulnerable.

• Casino Sues Security Firm for Failing to Contain Malware Infection – news.softpedia.com
  US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity’s servers, which led to the escalation of a previous card breach.