Infosec Digest – February 2017

--

@author Randy Gingeleski

@since 03/05/2017

@see infosec digest

--

a.k.a. random stuff we bookmarked + notes we took in February

“If they can’t extract a new camera’s firmware some other way, they’ll install a module that iterates through memory until they find the address that controls the LED, then they’ll blink the firmware out one bit at a time.” – best_of_badgers via /r/netsec

Bypassing passwords on older OSes (<= Win7) using Direct Memory Access (requires physical access to the machine) – https://lamehackersguide.blogspot.com/2013/03/planting-code-in-memory-how-to-bypass.html

Disguising PostScript as PDF to achieve remote code execution in a file conversion service – https://lamehackersguide.blogspot.com/2017/02/weaponizing-postscript.html

“Blockchain is a distributed DB that maintains records of digital data/events in a way that makes them tamper-resistant. While many users may access, inspect, or add to the data, they can’t change or delete it. The original information stays put, leaving a permanent or public information trail, or chain, of transactions.” – Dawn Beyer, PhD (Lockheed Martin)

AWS put up a cloud security challenge… it gamifies AWS-specific issues – http://flaws.cloud/

Get a stream of red team bounty work via Synack if you have teh skillz (recommended by Zombiehelp54) – https://www.synack.com/red-team/

Also credited to Zombiehelp54, here’s an XSS dork to carpet bomb research targets with…

'"><img src=x onerror=alert(2) x=