What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!

Training

Check out this How to Hack and Defend Your Website course. It was one of my first introductions to Webapp pentesting and started me on the path I’m on today.
The Webinar for the BHIS webinar on Active Defense Harbinger Distribution was going to be today, but has been pushed to Tue, July 19 at 1 p.m. CST.

General News

TP-Link loses control of two important domains (tplinkextender.net and tplinklogin.net). You can have one of them for just a cool $2.5 mil!
Do you use Symantec AV? It’s probably time to switch.

"These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," said Project Zero lead Tavis Ormandy in a blog post.

Here’s a great guide for removing crapware from your machine once and for all! Microsoft is developing their own tool(not out yet) to deal with this as well.
Here’s yet another reason I won’t hook up any video cams in my house until the ioT is a bit more mature…don’t want Lizard squad turning it into a botnet!
Want to learn how to attack Keepass during your next pentest? Harmj0y’s got an awesome article on it (bookmark this site!). In summary, harmj0y says:

Using KeePass (or another password database solution) is significantly better than storing everything in passwords.xls, but once an attacker has administrative rights on a machine it’s nearly impossible to stop them from grabbing the information they want from the target. With a few PowerShell one-liners and some WMI, we can quickly enumerate KeePass configurations and set monitors to grab necessary key files.

An icky Mac malware could give someone total control of your machine. Here’s a nice PDF write-up with screenshots and more details.

TL;DR: Don’t download the EasyDoc Converter App. And remember, sometimes to get infected with this stuff you have to lower your security settings, in which case, good luck to you:

Because the app hasn’t been signed by Apple, security researchers recommend changing your Mac’s security setting to only allow apps downloaded from the Mac App Store and identified developers.

NIST has a nifty guide to securing Apple OSX 10.10 for IT pros.

Tools/Scripts

Sn1per was recently updated with some new tools, modes and a reporting interface. This might just take the place of Sparta as my favorite enum tool!

Misc/Humor

If you’re looking for a guide to help your technically challenged friends/family secure their machines and networks DON’T SEND THEM THIS ONE.
Love recording Adele when you see her live? A new Apple patent might block you from doing that in the future.

Written by: Brian Johnson

Share on socials:

7MS #212: News and Links Roundup

Training

General News

Tools/Scripts

Misc/Humor

Recent Posts:

7MS #620: Securing Your Mental Health – Part 5

7MS #619: Tales of Pentest Pwnage – Part 56

7MS #618: Writing Savage Pentest Reports with Sysreptor

About Us

Services

Resources