Training

  • The BHIS 5 Months/Critical Controls Webcast recording slides are now available.

  • Tim Tomes is teaching a special edition of his Practical Web Application Pentesting course in Charleston and Spartanburg, SC. Check out his page for specific dates, but this offering is of particular interest because there’s an extra day of dev-focused content. I’d definitely go if I could!

General News

  • Badlock is out, but it’s more like Sadlock. The vuln’s biggest risks are MITM and DOS attacks, so you should still patch, but it appears to be more hype than pain.

  • Nothing interesting found on the San Bernardino shooter’s iPhone. According to the article:

…"it isn’t at all surprising, as the iPhone in question was one of three used by Farook and his wife. The FBI previously admitted that both of them had destroyed their personal iPhones that were found crushed and dumped in a trash at his house."

  • Do you use Quicktime for Windows? Uninstall it now as it’s unsupported and it has two new critical vulns.

  • It’s crucial that you take extreme caution when using the command rm -rf as a man running a Web hosting company essentially put himself out of business with those keystrokes. The Serverfault thread has been taken down but was amusing (and depressing…and ruthless).

  • Get your iDevices up to the 9.3.1 update ASAP, or you could get bricked on a rogue network.

  • Get your Kali 2 boxes updated! Kali 2 switches to "rolling" config, and after April 16, the existing repos won’t get updated. Head here for instructions. It’s pretty easy. Just make sure you have lots of time, patience and disk space.

Tools/Scripts

  • The "Textalyzer" could analyze your phone’s data after an accident and, if proven you were texting, you could be in big trouble! I’m all for this! And I better…ahem…change my habits a bit.

  • File.pizza is a cool way to send files encrypted, end-to-end, through a browser. I just haven’t been able to get it to work :-(.

  • Gladius combines Responder + Hashcat to make cred-cracking a bit more automated.

  • Burp Suite has introduced projects which look to be a great way to save and organize your pentest data.

Misc/Humor

  • Dude just beat Super Mario Bros in record time. This is a fun watch, and makes me incredibly nostalgic.

  • Remember Mike Tyson’s Punch-Out? An Easter egg was discovered revealing when you should punch Piston Honda. Can’t believe nobody found this after 20+ years!

  • Somebody turned an NES Duck Hunt gun into a glock!

  • Four US radio stations were hijacked with "furry" content due to public-facing Barix devices with weak passwords. According to the article, the Michigan Association of Broadcasters sent an advisory containing this warning:

"…MAKE SURE that your password is of sufficient strength! Barix Boxes will take up to 24 characters…. In at least two cases six character passwords were cracked.

Written by: Brian Johnson

Share on socials: