7MS #209: News and Links Roundup
What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!
Are you in charge of securing Ubuntu servers? This "first 10 minutes on a server" primer should help you get it locked down right quick.
Need a good list of pentest-focused Twitter peeps to follow? This should do.
Palantir, a data analysis firm, did a red team exercise that resulted in complete control of the Palantir network:
Repeatedly, the red team intruders followed a straightforward process: Find credentials for a high-level account, and then use those credentials to ferret out additional credentials that conferred even more access. They were able to “position themselves in the network for long-term persistence,” the report says.
Interestingly, the scenario was not set up such that the red team would try to breach the perimeter. Instead, they were let in intentionally to see if Palantir's cyber team could catch them in the act:
When it comes to cybersecurity, experts advise companies to fortify their internal defenses — to ensure an initial breach doesn’t become a total takeover. Hackers are so good at getting through the external wall, often using spear phishing, that cyber experts routinely just assume such attackers will get in, according to Anup Ghosh, CEO of cyber threat firm Invincea.
And in the end:
According to the Veris report, “the red team successfully evaded defenders up until the last day of the engagement.”
GoToMyPC was targeted with a very sophisticated password attack and is resetting user passwords immediately.
Google's CEO had his Twitter account hacked. According to the article:
OurMine has been targeting major tech execs of late, including Spotify’s Daniel Ek. It isn’t clear how the group is gaining access to their accounts, but it likely doesn’t involve system breaches of the social networks their targets have accounts with. Instead, the group claims that it uses various exploits to pull passwords from celebrities’ browsers.
The group said it was a flaw in Quora that allowed for the hack, but Quora (in a statement referenced in the article) denies that they were the vector.
Carbonite users are being asked to reset their passwords after a password reuse attack pounded the Carbonite servers.
Apple will let you delete annoying stock apps in iOS 10. Bye bye Compass, Find My Friends, iBooks, iCloud Drive, Calculat...well maybe I'll keep you, Calculator.
A researcher notified a company about unencrypted patient info on their FTP server. The company's response? Send 15 FBI agents with large guns.
Learning how to do incident response? Take this example from FIS Global and Guaranty Bank and Trust on how not to do it.
You might want to look at your Google activity to see/control how much they know about you.
I'm not trying to pick on Android, but when I hear there is malware out there about to root 90% of Android devices I get queasy.
Great pentesting cheatsheet from Highon.coffee that I don't think I'd linked to before.
A new version of THC-Hydra is out. I hope they fix the login form issue I talked about Monday, where you can't really tell Hydra "Hey, as you are brute-ing a form, whenever you get kicked back a page that's not a login form, it might be a successful login, so lemme know!"
Hashes.org has a great list of password hashes from various leaks/breaches.
I didn't know you could use macros for authenticated Burp tests but apparently you can!
Still don't think you should cover your webcam? Maybe reading how a simple bash script can stealthily take pics every 60 seconds will convince you.
Want to do some traffic-sniffing via a wifi pentest? Wif-Eye looks interesting.
Evernote is hobbling its free service, so you might want to move to OneNote.
Half-dead fish comes back to life!
Work stressing you out? Maybe Terminal Parrot will relieve some stress.