From Security Weekly WikiJump to navigationJump to search
, 19:55, 25 November 2014
#[http://securityvulns.com/news/Apple/TV/1411.html Apple TV multiple security vulnerabilities] - I really want to see an attack against a platform like this. Put some code on it, use it to harvest credentials, even credit card info? Not sure if that's possible, but I always wonder.
#[http://threatpost.com/remote-code-execution-in-popular-hikvision-surveillance-dvr/109552 Remote Code Execution in Popular Hikvision Surveillance DVR] - RTSP has some buffer overflows, oh and then there is this: "the devices also ship with a default username (admin) and a default password (‘12345′)". I need a drink. We're all doomed. Its a hacker's playground out there, stock up on booze.
#[http://www.darkreading.com/dont-discount-xss-vulnerabilities/d/d-id/1317706 Don't Discount XSS Vulnerabilities] - Great article on XSS, Johannes is quoted as stating that XMLRPC requests
are being used to bypass same origin. Great point. And people tend to give a much lower priority to XSS, likely because the attack success depends largely on the context of the vulnerability. Sometimes its not likely to be exploited. Other times it can be used to dive deep into your web site and results in root. The trick is figuring out the difference. From a defense standpoint, apply your patches. Likely a patch for XSS will not blow up your site, it could, but in all the years of maintaining web sites, I still recommend to apply those patches. Unfortunately, this means upgrading the entire application, where you get bug fixes, security fixes, and "features". Which could lead to more vulnerabilities. So, get good at upgrading...
#[http://www.spgedwards.com/2014/11/regin-when-did-protection-start.html Regin: When did protection start?]
#[http://windowsitpro.com/blog/strength-numbers-why-layered-network-protection-priority Strength in numbers: Why layered network protection is priority] - So A/V, Patch and "web protections". While all those things will help, you need to go so much deeper. Patch and configuration and process go hand-in-hand. Endpoint protection is important, and relying on A/V is so 7 years ago. EMET comes to mind, as does a good strategy for re-imaging. Web applications comes down to educating developers and having a good testing process. And so. much. more.