7MS #219: News and Links Roundup
What follows are some of my favorite training opportunities, news bits, tools/scripts and humorous stories to send you into the weekend with!
- BHIS did a Webinar earlier today for developers. Per the email:
Sick and tired of having hackers and penetration testers find holes in your apps? Then join this session!
We will cover free and open source tools which should be in your SDLC to find the "easy" vulnerabilities.
We will be covering: Burp, ZAP, Nikto and other fun tricks.
It was good stuff. John did a nice job of explaining the challenges devs and pentesters face, and how to get them rooting for and working on the same team.
CodeCombat was one of the training sites John Strand mentioned in the BHIS webinar. Looks to possibly be even more fun than code.org!
Exploit-Exercises.com looks to be a great way to learn more about Linux privesc, memory corruption, heap exploitation...
- LastPass had some (sorta) bad publicity this week around a couple of vulnerabilities. Both, however, require an attacker to trick you into visiting a malicious link. So...don't do that :-). And, the LastPass article reminds us of some important security best practices which are always worth repeating:
Beware of phishing attacks. Do not click on links from people you don’t know, or that seem out of character from your trusted contacts and companies.
Use a different, unique password for every online account.
Use a strong, secure master password for your LastPass account that you never disclose to anyone, including us.
Turn on two-factor authentication for LastPass and other services like your bank, email, Twitter, Facebook, etc.
Keep a clean machine by running antivirus and keeping your software up-to-date.
Need another reason to believe the Internet of Things is not ready/secure enough for the general public? Read what happens when IoT pet feeders fail.
A hacker downloaded all of Vine using some curiosity and a Shodan-like search.
This is not news but a good (and by good I mean terrifying) story about the disgruntled Citibank IT guy who had a bad review and then issued a command to nuke the configs on 10 core routers, disconnecting 90% of all Citibank networks across the country.
The truth is that the person hacking you may not be someone you’ve never met, wearing a hoody on the other side of the world. They could be sat right next to you, wearing a business suit.
- Happy SysAdmin day! If you need a flawless workflow to solve any conundrum, look at this. Or, on a slightly more serious note, check out these 5 tips. TLDR:
- Don't install untrusted apps on Android phones.
- Show file extensions on Windows.
- Turn on encryption & passcodes on mobile devices.
- THANK YOUR SYSADMIN(S)!!!
A new version of Burp is out featuring Burp Infiltrator!
Rapid7 has a nice article on capturing network credentials using Metasploit modules instead of Responder like I usually do.
Remember cree.py at all? Looks like it's baaaaaaack!
- ...have a great weekend!