Events Related
- BSides Indy 2017 Videos – www.irongeek.com
These are the videos from the BSides Indy conference.
Tools
- Worried about Strutshock (CVE-2017-5638)? – www.tinfoilsecurity.com
Quick check to see if your website is vulnerable
Techniques
- PlaidCTF 2012 – Traitor (200 pts) – int3pids.blogspot.com
The challenge is supposed to be very straightforward, because we only have a recorded audio file of someone typing in a keyboard. Assuming that each key emits a different sound when pressed, if we have enough keystrokes, theoretically we should be able to infer the text being typed, making some assumptions (like the expected language and so on).
- Root your box with W3TC and Nginx – blog.tarq.io
Several guides for integrating everybody’s favorite caching plugin for WordPress with Nginx tell you to include something like this in your nginx configuration.
- DIY Smart Home Security? Meh.. – blog.seekintoo.com
Fueled by the rise of the Internet of Things, do-it-yourself alarm systems have become a multi-billion dollar industry that is increasingly disrupting traditional alarm companies' share of the home security market. One area of concern with IoT is the security of these ubiquitous devices. So I thought it would be a fun project to examine the security of these systems.
Vulnerabilities
- Apache Struts 2
- Content-Type: Malicious – New Apache Struts2 0-day Under Attack – blog.talosintelligence.com
Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory.
- Apache Struts 2 Under Zero-Day Attack, Update Now – www.bankinfosecurity.com
- Apache Struts Vulnerability (CVE-2017-5638) Exploit Traffic – community.rapid7.com
- Critical vulnerability under “massive” attack imperils high-impact sites [Updated] – arstechnica.com
- Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities – buer.haus
We recently started participating in Airbnb’s bounty program on HackerOne. We heard a lot about this company in the past but had never used their service before. Overall they have a pretty solid website, but we were still able to discover a handful of issues. There is one vulnerability that we wanted to write about because of the level of protection in front of it. The goal of this write-up is to show others that sometimes it takes a little bit of creativity to discover potential flaws and fully exploit them.
- Nearly 200,000 WiFi Cameras Open to Hacking Right Now – www.bleepingcomputer.com
What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking. The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, which sells it as a white-label product to several other camera vendors.
Other News
- Consumer Reports to consider cyber security in product reviews – www.reuters.com
Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products.
- Vault 7
WikiLeaks has published what it claims is the largest ever release of confidential documents on the CIA. It includes more than 8,000 documents as part of ‘Vault 7’, a series of leaks on the agency, which have allegedly emerged from the CIA’s Center For Cyber Intelligence in Langley.