7MS #187: Infosec News and Links Roundup
A few weeks ago BHIS did a Webcast on "0-day/stunt hacking" and the recording of the presentation is now up here.
On Thursday, May 12 at 2 p.m. EST BHIS will do a "We can hardware hack! And you can too!" Webinar that you can sign up for here.
- PwnedList got pwned. You can see my mini tweet thread with InfoArmor, and in my opinion, they're downplaying the issue. But their Web site makes it seem like a slightly bigger deal:
"Thank you for being a subscriber and letting us help alert you of any risks related to your personal credentials. PwnedList launched in 2012 and quickly become the leader in open-source compromised data aggregation. In 2013 PwnedList was acquired by InfoArmor, Inc. a provider of enterprise based services. As part of the transition, the PwnedList Website has been scheduled for decommission on May 16, 2016. If you are interested in obtaining our commercial identity protection, please go to infoarmor.com for more information. It has been our pleasure to help you reduce your risk from compromised credentials."
ImageMagick has a nasty vuln making it susceptible to remote code execution. All it takes is tinkering with the "magic bytes" (first few bytes used to identify a file as gif, jpeg, etc.). Check out the PoC. And also bookmark ImageTragick for updates as they become available, because at the time of this writing a patch was not available, but the ImageMagick team did dev a workaround.
Satoshi Nakamoto, a.k.a. Craig Wright, steps forward! Well...kinda. To prove it, the article says several users were going to:
"send small amounts of Bitcoin to the address used in the first ever transaction. Then he would send it back, in what would be the first outgoing transactions from the block since January 2009."
However, this never happened, and a weird post on his blog says:
"I believed that I could do this. I believed that I could put the years of anonymity and hiding behind me. But, as the events of this week unfolded and I prepared to publish the proof of access to the earliest keys, I broke. I do not have the courage. I cannot."
- PCI DSS 3.2 is out, and Tenable does a nice job of summarizing what you need to know.
If you've ever wanted to slurp down the entire Web history of your domain's existence, the Waybackpack tool will do the job.
For seasoned travelers, this list of wireless passwords from airports around the world could be handy. Most entries looked to be in the Europe area, but still, cool stuff!
PowerShell Empire now has a Web interface!
- Prisoner takes selfies in police van and posts them on FB! The prisoner in question, Shane Holbrook, had...
..."been accused of shooting a man during a robbery in February. Police say he approached a vehicle, pulled a gun on three men, demanded money, and shot one of the men in the thigh."
So where did he get the phone?! Holbrook says:
"I think there might have been a cell phone involved. It might have been a cell phone involved in taking the pictures. That’s about as much as I can say on that."