How to Intercept Security Camera Footage Using the New Hak5 Plunder Bug
In a previous guide, I demonstrated how to extract images from a security camera over Wi-Fi using Wireshark, provided you know the password. If you don't know the password, you can always get physical with the Hak5 Plunder Bug. Using this small LAN tap, we can intercept traffic like images…
How Microsoft found a Huawei driver that opened systems to attack
Enlarge (credit: Valentina Palladino) Huawei MateBook systems that are running the company's PCManager software included a driver that would let unprivileged users create processes with superuser privileges. The insecure driver was discovered by Microsoft using some of the new monitoring features added to Windows version 1809 that are monitored by…
How to Spy on Network Relationships with Airgraph-Ng
What if you could easily visualize which access point every Wi-Fi device nearby is connected to in a matter of seconds? While programs like Airodump-ng can intercept this wireless information, making it easy for hackers to use and understand is another challenge. Fortunately, a tool called Airgraph-ng can visualize the…
Alleged Child Porn Lord Faces US Extradition
In 2013, the FBI exploited a zero-day vulnerability in Firefox to seize control over a Dark Web network of child pornography sites. The alleged owner of that ring – 33-year-old Freedom Hosting operator Eric Eoin Marques – was arrested in Ireland later that year on a U.S. warrant and has been…
A Full CI/CD Pipeline for Workers with Travis CI
In today’s post we’re going to talk about building a CI/CD pipeline for Cloudflare Worker’s using Travis CI. If you aren’t yet aware, Cloudflare Workers allow you to run Javascript in all 165 of our data centers, and they deploy globally in about 30 seconds. Learn more here. There are…
Playing with TLS-Attacker
In the last two years, we changed the TLS-Attacker Project quite a lot but kept silent about most changes we implemented. Since we do not have so much time to keep up with the documentation (we are researchers and not developers in the end), we thought about creating a small…
Social Warfare Plugin Zero-Day: Details and Attack Data
In our earlier post, we issued a warning to users of the Social Warfare plugin regarding a zero-day vulnerability affecting their sites. At this time, the plugin’s developers have issued a patch for the flaw. All users are urged to update to version 3.5.3 immediately. Vulnerability Details The plugin features…
Locking Down Linux: Harden Sudo Passwords to Defend Against Hashcat Attacks
Hacker's are always looking for new ways to exploit systems and exfiltrate passwords, even in hashed form. Sophisticated brute-force attacks powered by high-end GPUs can perform millions of password attempts per second. But Ubuntu and Debian users aren't completely helpless. There are ways to harden the hashed password to better…
How to Hijack Chromecasts with CATT to Display Images, Messages, Videos, Sites & More
Giving up your Wi-Fi password can be giving up more control than you think. Because of the way Chromecast and other IoT devices communicate, anyone on the same Wi-Fi network as your device can often make it do whatever they want. With a script called "Cast All the Things," we…
Unpatched Zero-Day Vulnerability in Social Warfare Plugin Exploited In The Wild
Earlier today, an unnamed security researcher published a full disclosure of a stored Cross-Site Scripting (XSS) vulnerability present in the most recent version of popular WordPress plugin Social Warfare. The plugin, which was subsequently removed from the WordPress.org plugin repository, has an active install base of over 70,000 sites. The…
Managed Google Play earns key certifications for security and privacy
Posted by Mike Burr, Android Enterprise Platform Specialist[Cross-posted from the Android Enterprise Keyword Blog]With managed Google Play, organizations can build a customized and secure mobile application storefront for their teams, featuring public and private applications. Organizations' employees can take advantage of the familiarity of a mobile app store to browse…
The Serverlist Newsletter: Serverless Benchmarks, Workers.dev, security implications of serverless cloud computing, and more
Check out our third edition of The Serverlist below. Get the latest scoop on the serverless space, get your hands dirty with new developer tutorials, engage in conversations with other serverless developers, and find upcoming meetups and conferences to attend.Sign up below to have The Serverlist sent directly to your…
Microsoft ships antivirus for macOS as Windows Defender becomes Microsoft Defender
Microsoft is bringing its Windows Defender anti-malware application to macOS—and more platforms in the future—as it expands the reach of its Defender Advanced Threat Protection (ATP) platform. To reflect the new cross-platform nature, the suite is also being renamed to Microsoft Defender ATP, with the individual clients being labelled "for…
Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this…
Writing an API at the Edge with Workers and Cloud Firestore
We’re super stoked about bringing you Workers.dev, and we’re even more stoked at every opportunity we have to dogfood Workers. Using what we create keeps us tuned in to the developer experience, which takes a good deal of guesswork out of drawing our roadmaps.Our goal with Workers.dev is to provide…