7MS #193: News and Links Roundup

What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!

Training

  • The recording of the BHIS Webinar about hardware hacking is now up - here's the YouTube video and slide deck.

  • Another BHIS Webcast is coming up May 24 from 3 p.m. - 4 p.m. EST, described as:

The vast majority of attacks originate from the outside of your network. Be it remote attacks, email attacks or social engineering, the external attacks are getting good... Or bad... Or... Look, it is hard to tell. Perspective matters. Let's just say that it is a great time to be an attacker. Either a professional pentester or a bad guy.

In this webcast Ed and John will talk about their favorite ways to gain external access to internal networks. We will cover AV bypass, creating trojans and other fun/scary attack vectors.

Look interesting? Register here.

  • I'm still working on the CCSP but have switched gears from ITPro.tv training to the Cybrary.it offering and I love it. The modules are concise, straight to the point and only a few minutes per episode. I'm working on a down n' dirty study guide that I'll share when complete!

  • Ed Skoudis has a fantastic presentation (from Derbycon 2014) on how to give the best pentest of your life. Moral of the story: focus less on pwnage and more on providing value to the target organization. Some must-haves:

      • Great documentation

      • Compliment them on something they're doing well

      • Got 0-days? Burn 'em on the pentest if you got 'em!

      • Perform client-side attacks (if it's PCI, you need to test both sides of the client environment, so try some client-side attacks to pop a box that can get into the card environment)

      • Play the "0-day card" and get access to one client machine. Alternatively, ask them to model a user who can run an app or apps (AV evasion). Or ask for a general account and demonstrate breaking out of it.

      • Stay within scope, but ask for scope creep if deemed valuable to the pentest & org.

      • Clean up after yourself - closing down listening tools and ports, etc.

  • Learn how to hack from the hacker behind The Hacking Team...uh, hack. Wow, that was a lot of the word hack in one sentence. Anyway, looks to be an awesome video if you can find it (it's been yanked from YouTube).


General News

  • Lots 'o breaches, as appears to be the norm these days!

      • Noodles

      • Wendy's

  • LinkedIn's breach from 2012 has expanded. It was originally thought that 6.5 million accounts were compromised, but it looks like we're more in the 117 million neighborhood. Ugh. Change your password!

  • Symantec Antivirus has a big vulnerability allowing remote code execution. This was discovered by Google researcher Tavis Ormandy. Softpedia's article on the matter notes:

Ormandy says the issue can be exploited in a very simple manner. Because the flaw resides in the scanning engine itself, which opens and reads ANY file, not just those the user manually selected for a scan, the crook can simply send an exploit package via email or a link pointing to a Web-hosted exploit.

Symantec has issued a statement and recommended all users run LiveUpdate (um, yeah!).


Tools/Scripts

  • XSS Hunter. From the project's description:

The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.

Sigh...there's no way I'd be allowed to have a third party site manage/capture this data. I'll wish and hope for a self-hosted version.

  • Gobuster looks to be an interesting DNS/file/folder brute-forcer. Why build another one? According to the author:

"... something that didn't have a fat Java GUI (console FTW).

... to build something that just worked on the command line.

... something that did not do recursive brute force.

... something that allowed me to brute force folders and multiple extensions at once.

... something that compiled to native on multiple platforms.

... something that was faster than an interpreted script (such as Python).

... something that didn't require a runtime.

... use something that was good with concurrency (hence Go).

... to build something in Go that wasn't totally useless."

  • An iOS security app, described by its developer as:

"This app shows detailed information about your device and running apps from a security point of view. One of the app's unique features is a jailbreak and anomaly detection that can help security concerned users to check for potential privacy issues and security threats."

However, with the release of iOS 9.3.2, the app has been banned because, as quoted by Apple:

..."provides potentially inaccurate and misleading diagnostic functionality for iOS devices"

"Currently, there is no publicly available infrastructure to support iOS diagnostic analysis"

"Therefore your app may report inaccurate information which could mislead or confuse your users."

The developer, however, thinks that Apple just doesn't want to give...

..."the impression iOS could have security holes".

  • Phone battery not making it through the day? These 5 apps might be sucking too much juice.

Misc/Humor