68 minutes | Oct 18th 2019

Legit Shhgit

In this episode Bill and Gavin talk about dismantling hotel lamps for fun and profit, multiple router Vulnerabilities and keeping track of private information in repositories. Bill is also joined by Ryan and Scott from the research team to discuss a couple of major zero days affecting Exim and vBulletin.

  1. Keeping track of all your assets is hard
    1. https://github.com/eth0izzle/shhgit/
    2. https://www-vice-com.cdn.ampproject.org/c/s/www.vice.com/amp/en_us/article/ywanev/thousands-of-cloud-computing-servers-could-be-owned-with-very-simple-attack-researchers-say
  2. Cisco has lots of things needing patching
    1. https://www.theregister.co.uk/2019/10/04/cisco_patches/
    2. tieing it  to this d-link vulnerability https://www.zdnet.com/article/d-link-routers-contain-remote-code-execution-vulnerability/
  3. Do you know the game - “never have I ever”?
    1. https://www.verdict.co.uk/wework-data-security-ipo/
  4. Are people thinking about BYOD anymore
    1. https://arstechnica.com/information-technology/2019/10/attackers-exploit-0day-vulnerability-that-gives-full-control-of-android-phones/
  5. Is it me, or could this have been the plan along, too good be true is often…
    1. https://threatpost.com/bug-in-nsas-ghidra/148787/
  6. With all that is going on - could this be a thing that makes you go hmmm
    1. https://www.darkreading.com/vulnerabilities---threats/facebook-patches-critical-whatsapp-security-flaw/d/d-id/1335993 and signal had a nasty bug as well https://thenextweb.com/security/2019/10/07/signal-patches-android-bug-that-allowed-hackers-to-answer-calls-on-your-behalf/
  7. Here take my charger, please
    1. https://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-sold
  8. Tenable research
    1. https://www.tenable.com/blog/cve-2019-16928-critical-buffer-overflow-flaw-in-exim-is-remotely-exploitable
    2. https://www.tenable.com/blog/critical-zero-day-pre-authentication-remote-code-execution-exploit-published-for-5-x-versions