Events Related
- Circle City Con 2016 Videos – www.irongeek.com
- Area41 – 2016 – confseclive.wordpress.com
I had the opportunity this year to attend Area41 conference in Zurich. The conference is organised by the DEFCON Switzerland group and the talks are mainly technical.
- ShowMeCon 2016 Videos – www.irongeek.com
- Recordings of talks and speakers at Security Fest 2016 – securityfest.com
Resources
- ActBlue CSRF Security Vulnerability – rajk.me
ActBlue is a non-profit that organizes fundraising efforts for Democratic causes; so far they have facilitated over a billion dollars in donations. This page details a security vulnerability in the ActBlue donation system.
Tools
- THC-Hydra 8.2 – Network Logon Cracker – www.thc.org
This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.
Techniques
- TrustZone Kernel Privilege Escalation (CVE-2016-2431) – bits-please.blogspot.com
In this blog post we’ll continue our journey from zero permissions to code execution in the TrustZone kernel. Having previously elevated our privileges to QSEE, we are left with the task of exploiting the TrustZone kernel itself.
Vendor/Software Patches
- Verizon Patches Serious Email Flaw That Left Millions Exposed – threatpost.com
The flaw, found by Randy Westergren, a senior software developer with XDA Developers, impacted any of Verizon’s estimated 7 million FiOS subscribers who depended on their Verizon.net email accounts. Westergren initially reported the vulnerability to Verizon on April 14. The vulnerability was fixed by Verizon on May 12. Public disclosure of the flaw was Monday.
- Adobe Update Plugs Flash Player Zero-Day – krebsonsecurity.com
Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.
Vulnerabilities
- ASUS UEFI Update Driver Physical Memory Read/Write – codeinsecurity.wordpress.com
A short while ago, slipstream/RoL dropped an exploit for the ASUS memory mapping driver (ASMMAP/ASMMAP64) which was vulnerable to complete physical memory access (read/write) to unprivileged users, allowing for local privilege escalation and all sorts of other problems.
- Critical Adobe Flash bug under active attack currently has no patch – arstechnica.com
The active zero-day exploit works against the most recent Flash version 21.0.0.242 and was detected earlier this month by researchers from antivirus provider Kaspersky Lab, according to ablog post published Tuesday by Costin Raiu, the director of the company’s global research and analysis team.
- BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions – news.softpedia.com
The research of Yang Yu, founder of Tencent’s Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.
Other News
- The average cost of a data breach is now $4 million – www.helpnetsecurity.com
Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014. As these threats become more complex, the cost to companies continues to rise. In fact, the study found that companies lose $158 per compromised record.
- Episode 17 – grugq.github.io
- Hackers Find Security Gaps in Pentagon Websites – abcnews.go.com
The so-called white-hat hackers were turned loose on five public Pentagon internet pages and were offered various bounties if they could find unique vulnerabilities. The Pentagon says 1,410 hackers participated in the challenge and the first gap was identified just 13 minutes after the hunt began.
[…] post Week 25 In Review – 2016 appeared first on Infosec […]