Week 25 In Review – 2016

Events Related

  • Area41 – 2016 – confseclive.wordpress.com
    I had the opportunity this year to attend Area41 conference in Zurich. The conference is organised by the DEFCON Switzerland group and the talks are mainly technical.

Resources

  • ActBlue CSRF Security Vulnerability – rajk.me
    ActBlue is a non-profit that organizes fundraising efforts for Democratic causes; so far they have facilitated over a billion dollars in donations. This page details a security vulnerability in the ActBlue donation system.

Tools

  • THC-Hydra 8.2 – Network Logon Cracker – www.thc.org
    This tool is a proof of concept code, to give researchers and security consultants the possiblity to show how easy it would be to gain unauthorized access from remote to a system.

Techniques

  • TrustZone Kernel Privilege Escalation (CVE-2016-2431) – bits-please.blogspot.com
    In this blog post we’ll continue our journey from zero permissions to code execution in the TrustZone kernel. Having previously elevated our privileges to QSEE, we are left with the task of exploiting the TrustZone kernel itself.

Vendor/Software Patches

  • Verizon Patches Serious Email Flaw That Left Millions Exposed – threatpost.com
    The flaw, found by Randy Westergren, a senior software developer with XDA Developers, impacted any of Verizon’s estimated 7 million FiOS subscribers who depended on their Verizon.net email accounts. Westergren initially reported the vulnerability to Verizon on April 14. The vulnerability was fixed by Verizon on May 12. Public disclosure of the flaw was Monday.
  • Adobe Update Plugs Flash Player Zero-Day – krebsonsecurity.com
    Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.

Vulnerabilities

  • ASUS UEFI Update Driver Physical Memory Read/Write – codeinsecurity.wordpress.com
    A short while ago, slipstream/RoL dropped an exploit for the ASUS memory mapping driver (ASMMAP/ASMMAP64) which was vulnerable to complete physical memory access (read/write) to unprivileged users, allowing for local privilege escalation and all sorts of other problems.
  • Critical Adobe Flash bug under active attack currently has no patch – arstechnica.com
    The active zero-day exploit works against the most recent Flash version 21.0.0.242 and was detected earlier this month by researchers from antivirus provider Kaspersky Lab, according to ablog post published Tuesday by Costin Raiu, the director of the company’s global research and analysis team.

Other News

  • The average cost of a data breach is now $4 million – www.helpnetsecurity.com
    Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014. As these threats become more complex, the cost to companies continues to rise. In fact, the study found that companies lose $158 per compromised record.
  • Hackers Find Security Gaps in Pentagon Websites – abcnews.go.com
    The so-called white-hat hackers were turned loose on five public Pentagon internet pages and were offered various bounties if they could find unique vulnerabilities. The Pentagon says 1,410 hackers participated in the challenge and the first gap was identified just 13 minutes after the hunt began.

 

One Comment

  1. Week 25 In Review – 2016 – sec.uno June 20, 2016 at 4:24 am

    […] post Week 25 In Review – 2016 appeared first on Infosec […]

Leave A Comment