7MS #209: News and Links Roundup

What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!

Training

  • The BHIS recording for the "Fade from WhiteHat to Black" Webcast is up. The slides are here and video is here.

  • BHIS is also releasing a new version of ADHD and will discuss it in a webcast on Friday, July 8 at 2 p.m. EST. Register here.

  • Are you in charge of securing Ubuntu servers? This "first 10 minutes on a server" primer should help you get them locked down right quick.

  • Need a good list of pentest-focused Twitter peeps to follow? This should do.


General News

  • Palantir, a data analysis firm, commissioned a red team exercise that resulted in complete control of the Palantir network:

Repeatedly, the red team intruders followed a straightforward process: Find credentials for a high-level account, and then use those credentials to ferret out additional credentials that conferred even more access. They were able to “position themselves in the network for long-term persistence,” the report says.

Interestingly, the scenario was not set up for the red team to try to breach the perimeter. Instead, they were let in intentionally to see if Palantir's cyber team could catch them in the act:

When it comes to cybersecurity, experts advise companies to fortify their internal defenses — to ensure an initial breach doesn’t become a total takeover. Hackers are so good at getting through the external wall, often using spear phishing, that cyber experts routinely just assume such attackers will get in, according to Anup Ghosh, CEO of cyber threat firm Invincea.

And in the end:

According to the Veris report, “the red team successfully evaded defenders up until the last day of the engagement.”

  • OurMine has been targeting major tech execs of late, including Spotify’s Daniel Ek. It isn’t clear how the group is gaining access to their accounts, but it likely doesn’t involve system breaches of the social networks their targets have accounts with. Instead, the group claims that it uses various exploits to pull passwords from celebrities’ browsers.

The group said a flaw in Quora allowed the hack, but Quora (in a statement referenced in the article) denies that it was the vector.


Tools/Scripts

  • Great pentesting cheatsheet from Highon.coffee that I don't think I'd linked to before.

  • A new version of THC-Hydra is out. I hope they fix the login form issue I talked about Monday, where you can't really tell Hydra "Hey, as you are brute-ing a form, whenever you get kicked back a page that's not a login form, it might be a successful login, so lemme know!"

  • Hashes.org has a great list of password hashes from various leaks/breaches.

  • I didn't know you could use macros for authenticated Burp tests but apparently you can!

  • Still don't think you should cover your Webcam? Maybe reading how a simple bash script can stealthily take pics every 60 seconds will convince you.

  • Want to do some traffic-sniffing via a wifi pentest? Wif-Eye looks interesting.


Misc/Humor