7MS #199: News and Links Roundup

What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!

Training

  • Tim Tomes' PWAPT (Practical Web Application Penetration Testing) is coming to Boston on July 18-19. In his invite, Tim says:

I've added some new content to this edition of PWAPT. The new content includes advanced vulnerabilities such as Blind SQL Injection, DOM XSS, and Server-Side Template Injection to name a few. See my training page for more details and get signed up today!


General News

"The short version of the email is something like this: “Yup, they hacked us all right. And, in case you haven’t changed your password since 2012, we’ve cancelled those older passwords. We’re working with law enforcement to protect you.”"

  • Dropbox was not breached (but Lifelock seemed to think so). And there was much chatter of a possible TeamViewer breach this week as well, but compromises of those accounts appear to be password reuse/abuse, as TeamViewer states. I actually like their statement from a few weeks ago as it uses user-shaming verbiage:

"TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side."

"Storing or caching of account credentials in your browser is yet another example of careless use."

"Following the huge debacle related to the LinkedIn data breach that came to light last week, Microsoft's Identity Protection team has decided to ban the usage of common or simple passwords that may be easy to guess or have already appeared in breach lists."

Basically, if you pick a crappy password, you'll get a "Please choose a password that's harder for people to guess."

  • Passwords aren't cutting it, so Google plans on using biometrics to replace passwords:

"...instead of just relying on uniquely generated PINs, Google intends to use your biometrics data – like your typing patterns, your current location, and more – to strengthen the second layer of authentication with a better, automatic and trustworthy approach."

"script kiddies can do serious harm :P thanks to the enormous powers of google (or search engines in general. I guess bing or DDG would have performed just as well)"

"'I just installed a plugin' isn't that lightweight. It really should involve a lot of security considerations. Disasters like this can and do happen in real life."

  • Would you like a 0-day that works on versions of Windows from 2k to fully patched Windows 10? It'll only set you back 90 grand! The vector is local privesc, so it won't be able to pwn a machine by itself, but it helps take over an already compromised system:

The zero-day vulnerability in question claims to be a Local Privilege Escalation (LPE) bug in Windows, which requires admin access to run malicious code on a victim's PC and is less dangerous than Remote Code Execution flaws that allow attackers to compromise systems remotely. Here's a demo:


Tools/Scripts


Misc/Humor

  • I passed my Kung Fu blue belt test ;-)

  • I love this video of Jimmy Fallon and Bradley Cooper unable to control themselves while talking about Cooper's role in a Broadway play: