7MS #205: News and Links Roundup

What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!

Training

  • BHIS has a Webcast coming up June 23rd from 2p-3p EST described as:

When your job is to act as a malicious attacker on a daily basis for the good of helping organizations, you can’t help but wonder “What if I decided to embrace the evil within?” What if one day we woke up evil? Every day as pentesters, we compromise organizations through a variety of ways. If I were to wake up one day and decide to completely throw ethics out the window, how profitable could we be, and could we avoid getting caught?

In this talk we will walk through a detailed methodology about how we go about exploiting organizations for fun and profit, this time not under the “white hat.” Non-attribution, target acquisition, exploitation, and profit will be the focal points. Blue teamers will get a peek into the mindset of a dedicated attacker. Red teamers will learn a few new techniques for their attack methodologies.

You can sign up here.

  • Tim Tomes PWAPT (Practical Web Application Penetration Testing) is coming to Boston on July 18-19. In Tim's invite he says:

I've added some new content to this edition of PWAPT. The new content includes advanced vulnerabilities such as Blind SQL Injection, DOM XSS, and Server-Side Template Injection to name a few. See my training page for more details and get signed up today!

  • Tradecraft Tuesday looks like a fun/interactive way to hear about the latest hacker techniques:

Every Tuesday at 12pm ET, Chris Bisnett and Kyle Hanslovan expose the techniques used by hackers. With their 20 combined years in offensive cyber security and digital forensics, Chris and Kyle cover a new topic each week in a LIVE video chat. These unrehearsed conversations allow anyone to join in, ask questions, and share their experiences from offensive and defensive perspectives. In case you miss an episode, each recorded session will be uploaded to Cybrary’s new CH4NN3L platform.


General News

  • A reminder to patch all your Microsoft things as this patch Tuesday was a big one:

  • 16 batch bundles addressing 40+ flaws - including BadTunnel which affects all versions of Windows going as far back as Win 95.

On a related note: this is cool - Shavlik does a monthly Webinar on Patch Tuesday.

As the announcement explained, the blooper was committed "via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email. The result was that recipients could see the email addresses of other recipients."

"Each email mistakenly contained the email addresses from the emails sent prior to it," added Let's Encrypt, "so earlier emails contained fewer addresses than later ones."

  • Speaking of letting emails slip, I got a goofy one from the UPS Store this week (listen to today's episode for more info).

  • There's a Flash 0-day floating around, so you should probably disable Flash if you haven't already. Who needs it? Not me! Anyway, keep an eye on Adobe's bulletin for the upcoming fix.

Update: it's fixed now, thanks Krebs!

"Attribution is hard—not always accurate, but in some cases doable," Weingarten said. "And who knows—maybe there were multiple hackers inside the DNC network."


Tools/Scripts

  • Pentesting a solid network? Use Nessus as a weapon.

  • It looks like you can get a 10-device license for Sophos Home for free. Note: this is not any kind of referral link and I'm not getting any perks/payment or anything like that. I signed up and haven't installed it yet, but looks to be legit!


Misc/Humor

  • A whole slew of Steam games and other goodies are on sale via a "pay what you want" offering from HumbleBundle.

  • I think we've all felt like Info Security Jerk at one time or another:

"Sometimes I just want to rip off the heads of the developers at work and crap down their necks. Sometimes I want to skip step one."

  • Coworkers leaving their computer unlocked? Maybe ruining their search history will teach them better.

  • 7ms.us has some BPATTY updates:

  • Table of contents (finally, I know ;-)

  • Added section on using SimpleHTTPServer with specific port

  • Added reminder to "make" aha before running it

  • Added SSH example to the Hydra section

  • Section on using cat to get a list of only unique values from a file

  • Started section on wget