Transcript of "Secuirty News Bytes-Bangalore may 2014 "
By Anant Shrivastava
Major news of the month
● Turkey Uprest
● Thailand Coup
● Ebay Hacked and fake DB sold on ebay
● Reflection attacks continue
● Heartbleed rated as 5/10 on CVSS2
● USA charges 5 chinese national for cyber-espinoge
● Silverlight Exploits are on the rise
● Multitude of Defacements and lots of hacks
● Few interesting tools / updates released
● Ebay Hack
– Reportedly hacked in 2013
– DB Stolen
– Someone sold fake userdb on ebay.
– users' email addresses, encrypted passwords, API keys
and OAuth tokens
– 1.3 million user db (name,email,phone)
ATS Failure : Memory exhaustion
● As aircraft flew through the region, the $2.4 billion system made by
Lockheed Martin Corp, cycled off and on trying to fix the error, triggered by
a lack of altitude information in the U-2's flight plan, according to the
sources, who were not authorized to speak publicly about the incident.
● FAA spokeswoman Laura Brown said the computer had to examine a large
number of air routes to "de-conflict the aircraft with lower-altitude flights".
● She said that process "used a large amount of available memory and
interrupted the computer's other flight-processing functions".
● The FAA later set the system to require altitudes for every flight plan and
added memory to the system, which should prevent such problems in the
future, Brown said.
● Ref :
● Voicemail based 2FA Bypass
– If password is exposed
– Request 2FA while making sure the owner is on call.
– Request goes to voicemail, hack and retrieve
● Ad network based RCE attack
– RCE in “Yahoo“, “Microsoft MSN“, And “Orange“
– Hosted ad network flaw
● CA system vulnerable to heartbleed
● Rated as 5/10 in CVSS version 2
● Certification drama
● STONED by bitcoin
– Someone embedded STONED virus signature in bitcoin blockchain.
● CTF Guide
● Owning network using PUT
● Oauth Security by Egor Homokov
● IOS CheatSheet
● Facebook launched its own SDCARD Encryption library for
● Microsoft Outlook stores plain text emails on android device
● PDFium is opensource
● Github allows username forging via global user.email
● XML Attacks : http://packetstormsecurity.com/files/126764
● Skype stores in plaintext data
– In Linux: /home/user/.Skype/skypename/
– In Mac OS X: /Users/user/Library/Application
– In Windows :
● ios 7.1.1 claimed to be jailbroken by ionic
● Telegram authentication bypass :
● iTunes and HP OfficeJet 6700 drivers forgot to
qoute there binaries :
● Sudo Gone Wrong :
● Sandcat opensourced : https://github.com/felipedaragon/sandcat
● iGoat Version 2.1 released :
● AppSensor Guide v2 : The AppSensor project defines a
conceptual framework and methodology that offers prescriptive
guidance to implement intrusion detection and automated
response into an existing application.
● Tails v1.0 – The Amnesic Incognito Live System Released :
● Exploit DB :
– 15 : Remote Exploit
– 6 : Local Exploit
– 17 : Web Exploits
– 8 : DoS Exploits
– 9 : Whitepapers
● Hackernews (hackersnews and ycombinator)
● Sans Blogs
● Tools Watch
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.