From Security Weekly Wiki
Revision as of 19:55, 25 November 2014
#[ Apple TV multiple security vulnerabilities] - I really want to see an attack against a platform like this. Put some code on it, use it to harvest credentials, even credit card info? Not sure if that's possible, but I always wonder.
#[ Remote Code Execution in Popular Hikvision Surveillance DVR] - RTSP has some buffer overflows, oh and then there is this: "the devices also ship with a default username (admin) and a default password ('12345')". I need a drink. We're all doomed. It's a hacker's playground out there, stock up on booze.
#[ Don't Discount XSS Vulnerabilities] - Great article on XSS. Johannes is quoted as stating that XMLRPC requests are being used to bypass same origin. Great point. And people tend to give a much lower priority to XSS, likely because the attack's success depends largely on the context of the vulnerability. Sometimes it's not likely to be exploited. Other times it can be used to dive deep into your web site and results in root. The trick is figuring out the difference. From a defense standpoint, apply your patches. A patch for XSS is not likely to blow up your site (it could), but in all the years of maintaining web sites, I still recommend applying those patches. Unfortunately, this means upgrading the entire application, where you get bug fixes, security fixes, and "features", which could lead to more vulnerabilities. So, get good at upgrading...
#[ Regin: When did protection start?]
#[ Strength in numbers: Why layered network protection is priority] - So A/V, patching and "web protections". While all those things will help, you need to go so much deeper. Patching, configuration and process go hand-in-hand. Endpoint protection is important, and relying on A/V is so 7 years ago. EMET comes to mind, as does a good strategy for re-imaging. Web applications come down to educating developers and having a good testing process. And so. much. more.