7MS #166: Infosec News and Links Roundup
Training
- BHIS released the recording of their webcast on New and Improved Ransomware from last week. Here are my notes from the webinar.
- A great Hacking Webapps course is only $10 when you use the code TWITTER. This is one of the first webapp hacking courses I ever took, and it was well worth the price.
- BHIS has a webinar called "Internal Pivot Pentest Go Kit" on Tuesday, Mar 22 at 11:00 a.m. CST. I definitely plan on attending.
General News
- This week was Patch Tuesday, so patch all your stuff. Many of the updates are for IE or Edge, which Shavlik says is proving to be a bit more secure, as promised, but not by much:
Microsoft’s claim that Edge is more secure than IE seems to be holding out, albeit not by much. So far this year, Shavlik found, Edge has required 19 fixes versus IE’s 27.
If you patched Flash on Tuesday, be sure to do it again, as another emergency Flash patch was released on 3/11.
- Seagate employee W-2 information got pwned. Ouch. How many records? According to the spokesperson:
“We’re not giving that out publicly — only to federal law enforcement,” he said. “It’s accurate to say several thousand. But less than 10,000 by a good amount.”
- A researcher found a legitimate (but potentially slow and painful) way to hack any Facebook account and got paid $15k for bringing it to FB's attention. Oh, and the vuln is now fixed :-)
- The Transmission BitTorrent client download was compromised for a short time last weekend, infecting about 6,500 users with a Mac ransomware called KeRanger. It lies dormant on the machine for a few days before contacting its command-and-control servers and receiving instructions to encrypt files, so a machine that looks clean today may still be carrying it. Transmission released an update that blocks/removes the malicious install, and Apple has updated its software protections to prevent new infections from the bad image.
- Amazon is removing encryption from their Fire tablets! OMG OMG OMG OMG! Oh wait...they have reversed the decision.
- The CacheBleed vuln (a cache-timing side channel against RSA private-key operations in OpenSSL) is kinda scary, but check out episode 550 of Security Now (roughly the last 30 minutes) for some peace of mind. The sky isn't falling. Yet.
Tools/Scripts
- testssl.sh is one of my new favorite tools for checking SSL/TLS configuration from the command line, and...
- This is one of my go-to pages for testing SSL/TLS.
Misc/Humor
- Remember when John McAfee said he could crack the San Bernardino iPhone easy-peasy? Yeah, he probably can't, and he admits he just said it to get a "s***load of attention."
- Seen that video about unlocking an iPhone without the passcode using Siri? Yeah, that's bogus too.