Security News Bytes - Bangalore, May 2014

null Bangalore Chapter - May 2014

Presentation Transcript

  • News Bytes by Anant Shrivastava
  • Major news of the month
    ● Turkey unrest
    ● Thailand coup
    ● eBay hacked and fake DB sold on eBay
    ● Reflection attacks continue
    ● Heartbleed rated as 5/10 on CVSS2
    ● USA charges 5 Chinese nationals for cyber-espionage
    ● Silverlight exploits are on the rise
    ● Multitude of defacements and lots of hacks
    ● Few interesting tools / updates released
  • Major hacks
    ● eBay hack
      – Reportedly hacked in 2013
      – DB stolen
      – Someone sold a fake user DB on eBay
    ● Bit.ly – users' email addresses, encrypted passwords, API keys and OAuth tokens
    ● Orange – 1.3 million user DB (name, email, phone)
  • ATS failure: memory exhaustion
    ● As aircraft flew through the region, the $2.4 billion system made by Lockheed Martin Corp cycled off and on trying to fix the error, triggered by a lack of altitude information in the U-2's flight plan, according to the sources, who were not authorized to speak publicly about the incident.
    ● FAA spokeswoman Laura Brown said the computer had to examine a large number of air routes to "de-conflict the aircraft with lower-altitude flights".
    ● She said that process "used a large amount of available memory and interrupted the computer's other flight-processing functions".
    ● The FAA later set the system to require altitudes for every flight plan and added memory to the system, which should prevent such problems in the future, Brown said.
    ● Ref: http://www.reuters.com/article/2014/05/12/us-airtraffic-bug-exclusive-idUSBREA4B02320140512
  • Interesting reads
    ● Voicemail-based 2FA bypass
      – If the password is exposed
      – Request 2FA while making sure the owner is on a call
      – Request goes to voicemail; hack and retrieve
      – http://blog.shubh.am/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/
    ● Ad-network-based RCE attack
      – RCE in "Yahoo", "Microsoft MSN" and "Orange"
      – Hosted ad network flaw
      – http://www.sec-down.com/wordpress/?p=409
  • Heartbleed updates
    ● CA system vulnerable to Heartbleed: http://seclists.org/fulldisclosure/2014/May/76
    ● Rated as 5/10 in CVSS version 2
    ● Certification drama
  • Interesting bits
    ● STONED by bitcoin – someone embedded the STONED virus signature in the bitcoin blockchain
    ● CTF guide – https://trailofbits.github.io/ctf/
    ● Owning a network using HTTP PUT – http://niiconsulting.com/checkmate/2014/04/owning-enterprise-http-put/
    ● OAuth security by Egor Homakov – http://www.oauthsecurity.com/
    ● iOS cheat sheet – https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
  • Interesting bits
    ● Facebook launched its own SD card encryption library for Android – https://facebook.github.io/conceal/
    ● Microsoft Outlook stores plain-text emails on the Android device – http://blog.includesecurity.com/2014/05/mobile-app-data-privacy-outlook-example.html
    ● PDFium is open source – https://code.google.com/p/pdfium/
    ● GitHub allows username forging via the global user.email setting
    ● XML attacks: http://packetstormsecurity.com/files/126764
  • Interesting bits
    ● Skype stores data in plaintext
      – In Linux: /home/user/.Skype/skypename/
      – In Mac OS X: /Users/user/Library/Application Support/Skype/skypeuser
      – In Windows: C:\Users\Username\AppData\Roaming\Skype\skype.id
    ● iOS 7.1.1 claimed to be jailbroken by i0n1c
  • Full disclosure
    ● Telegram authentication bypass: http://seclists.org/fulldisclosure/2014/Apr/293
    ● iTunes and HP OfficeJet 6700 drivers forgot to quote their binaries: http://seclists.org/fulldisclosure/2014/May/0
    ● Sudo gone wrong: http://seclists.org/fulldisclosure/2014/May/64
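The "forgot to quote their binaries" item above is the classic unquoted Windows service image path: a path such as `C:\Program Files\Vendor\svc.exe` registered without quotes is ambiguous at every space, and the fix is simply to quote the executable. The following audit helper is an added example, not code from the presentation or from either vendor's advisory; it takes service ImagePath strings (the sample paths below are constructed for illustration) and reports which ones need quoting together with the corrected, quoted form. The `.exe`/`.sys`/`.dll` suffix rule used to find where the executable ends is an assumption of this example, not a Windows rule.

```python
"""
Audit helper for unquoted Windows service image paths (added example).

Assumptions of this example, not facts from the page:
  - the executable part of an unquoted path ends at the first
    .exe / .sys / .dll token followed by whitespace or end of string;
  - everything after that token is treated as service arguments.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches "<executable ending in .exe/.sys/.dll><optional whitespace + args>".
_EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|sys|dll))(?P<args>\s.*)?$", re.IGNORECASE)


@dataclass
class PathFinding:
    image_path: str        # the ImagePath exactly as registered
    needs_quoting: bool    # True if the executable path has spaces and no quotes
    fixed_path: str        # quoted form to put back in the registry (or unchanged)


def analyse_image_path(image_path: str) -> PathFinding:
    """Flag an ImagePath whose executable contains spaces but is not quoted."""
    s = image_path.strip()
    if s.startswith('"'):
        # Already quoted: the executable boundary is explicit, nothing to do.
        return PathFinding(image_path, False, s)
    m: Optional[re.Match] = _EXE_RE.match(s)
    if m:
        exe, args = m.group("exe"), m.group("args") or ""
    else:
        # No recognisable suffix: treat the whole string as the executable.
        exe, args = s, ""
    if " " not in exe:
        # No whitespace in the executable path, so no ambiguity to resolve.
        return PathFinding(image_path, False, s)
    # Hardening: wrap only the executable in quotes, keep the arguments as-is.
    return PathFinding(image_path, True, f'"{exe}"{args}')


def audit_image_paths(image_paths: Iterable[str]) -> List[PathFinding]:
    """Run the check over many ImagePath values (e.g. collected from the registry)."""
    return [analyse_image_path(p) for p in image_paths]


# Constructed sample ImagePath values; they do not correspond to real products.
SAMPLE_IMAGE_PATHS = [
    r"C:\Program Files\Example Vendor\Example Service\svc.exe -run",    # unquoted, spaces
    r'"C:\Program Files\Example Vendor\Example Service\svc.exe" -run',  # quoted, fine
    r"C:\Windows\system32\svchost.exe -k netsvcs",                      # no spaces, fine
    r"C:\Example Vendor\agent.exe",                                     # unquoted, spaces
]

if __name__ == "__main__":
    for finding in audit_image_paths(SAMPLE_IMAGE_PATHS):
        status = "NEEDS QUOTING" if finding.needs_quoting else "ok"
        print(f"[{status}] {finding.image_path}")
        if finding.needs_quoting:
            print(f"    fix -> {finding.fixed_path}")
```

On a real host the input list would come from the `ImagePath` values under `HKLM\SYSTEM\CurrentControlSet\Services`; the helper only computes the corrected string, it does not write anything back, so the remediation step stays a deliberate administrator action.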
  • Tools
    ● Bradamsa: Radamsa for Burp Intruder: https://github.com/ikkisoft/bradamsa
    ● Newer version of ZAP: http://code.google.com/p/zaproxy
    ● Ankur released an online APK manifest decoder: http://tools.ankurbhargava.com/APK_Manifest_Converter/
    ● PoC: MitM RDP over SSL: http://diablohorn.wordpress.com/2014/04/21/quick-poc-to-mitm-rdp-ssl/
    ● Hook Analyser Malware Tool 3.1
    ● Heartbleed Analysis Daemon: http://packetstormsecurity.com/files/126470/Heartbleed-Analysis-Daemon-1.0.html and https://blog.curesec.com/article/blog/32.html
  • Tools
    ● Sandcat open-sourced: https://github.com/felipedaragon/sandcat
    ● iGoat version 2.1 released: http://www.toolswatch.org/2014/04/igoat-v2-1-released/ and https://code.google.com/p/owasp-igoat/
    ● AppSensor Guide v2: The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. https://www.owasp.org/index.php/OWASP_AppSensor_Project
    ● Tails v1.0 – The Amnesic Incognito Live System released: https://tails.boum.org
  • Exploit-DB stats
    ● Exploit DB:
      – 15: remote exploits
      – 6: local exploits
      – 17: web exploits
      – 8: DoS exploits
      – 9: whitepapers
  • References
    ● Twitter
    ● Hacker News (hackersnews and ycombinator)
    ● SANS blogs
    ● ToolsWatch