7MS #212: News and Links Roundup

What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!

Training

  • Check out this How to Hack and Defend Your Website course. It was one of my first introductions to Webapp pentesting and started me on the path I'm on today.

  • The BHIS webinar on Active Defense Harbinger Distribution was going to be today, but has been pushed to Tue, July 19 at 1 p.m. CST.


General News

"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," said Project Zero lead Tavis Ormandy in a blog post.

  • Here's a great guide for removing crapware from your machine once and for all! Microsoft is developing their own tool (not out yet) to deal with this as well.

  • Here's yet another reason I won't hook up any video cams in my house until the IoT is a bit more mature...don't want Lizard Squad turning it into a botnet!

  • Want to learn how to attack KeePass during your next pentest? Harmj0y's got an awesome article on it (bookmark this site!). In summary, harmj0y says:

Using KeePass (or another password database solution) is significantly better than storing everything in passwords.xls, but once an attacker has administrative rights on a machine it’s nearly impossible to stop them from grabbing the information they want from the target. With a few PowerShell one-liners and some WMI, we can quickly enumerate KeePass configurations and set monitors to grab necessary key files.

TL;DR: Don't download the EasyDoc Converter App. And remember, sometimes to get infected with this stuff you have to lower your security settings, in which case, good luck to you:

Because the app hasn’t been signed by Apple, security researchers recommend changing your Mac’s security setting to only allow apps downloaded from the Mac App Store and identified developers.

  • NIST has a nifty guide to securing Apple OSX 10.10 for IT pros.

Tools/Scripts

  • Sn1per was recently updated with some new tools, modes and a reporting interface. This might just take the place of Sparta as my favorite enum tool!

Misc/Humor

  • If you're looking for a guide to help your technically challenged friends/family secure their machines and networks DON'T SEND THEM THIS ONE.

  • Love recording Adele when you see her live? A new Apple patent might block you from doing that in the future.