Lawrence’s List 061016

Lawrence Hoffman //

ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.

It’s been one of those crazy busy weeks. I always feel like I didn’t get enough time to read articles, surf Reddit, and attempt to keep up with LKML (I know this can’t be done, but what can I say? I have a problem.) Also, the week ends with BSidesMSP. Which is awesome.


If you’re reading this on Friday or Saturday (June 10/11), come chat with @GailMenius and me down at the BHIS / OCM booth.

I am super excited to see what security stories the IoT era will bring. I feel like this article is another small preview: imagine this kind of security failure in every important device you own.

https://www.pentestpartners.com/blog/hacking-the-mitsubishi-outlander-phev-hybrid-suv/

Mark Zuckerberg momentarily lost control of two of his accounts this week due to weak passwords. Not much more to say about that.

http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/

Domain typo squatting is an old trick. This article takes that to a new realm. The author had the bright idea to typo squat a package manager. I’ll admit this was much more successful than I’d suspected it would be. I’ll also admit that I’ve been nervously double checking package names since reading this article.

http://incolumitas.com/2016/06/08/typosquatting-package-managers/

While I don’t reverse engineer hardware myself, or even have access to the tools for that matter, I always like to read about hardware reversing efforts. There’s been a good series going over at jcjc-dev.com since April. The fourth part in the series was posted on Wednesday this week; it has made for some pretty informative reading.

http://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/

The Core Infrastructure Initiative (CII) has announced a best practices badge for security. The badge is intended to give developers a checklist of lessons learned the hard way by other Free/Libre and Open Source Software (FLOSS) projects. By meeting the checklist of criteria, a project not only earns an endorsement of sorts, but also creates a climate of expected attention to good security practices within FLOSS software.

https://www.coreinfrastructure.org/news/announcements/2016/05/free-badge-program-signals-what-open-source-projects-meet-criteria

I’m wrapping this up at @BSidesMSP; if you’re here, feel free to drop by the BHIS booth and see us.


