Tuesday, December 23, 2014

Interested in Pen Test - Check out these 10 slide decks





  1. Crazy Sexy Hacking - Mark Baggett
  2. Hacking in Meatspace - Matt Linton
  3. Hacking to Get Caught - Raphael Mudge
  4. How To Give the Best Pen Test of Your Life - Ed Skoudis
  5. iOS Game Hacking - How I Ruled the Worl^Hd and Built Skills for AWESOME Mobile App Pen Tests - Josh Wright
  6. Kicking the Guard Dog of Hades - Attacking Microsoft Kerberos - Tim Medin
  7. Penetration Testing is Dead - Katie Moussouris
  8. Pentesting Web Frameworks - Justin Searle
  9. Secret Pen Testing Techniques, Part 2 - David Kennedy
  10. The State of the Veil Framework - Will Schroeder and Chris Truncer
  11. Use of Malware by Penetration Testers - Wesley McGrew




Follow this link for additional details:

A chain is only as strong as its weakest link - You (Example: JP Morgan) will get hacked even if you spend $250 Million every year


There are two things I always remember

  1. A chain is only as strong as its weakest link (So, know what you want to protect and then find the right method (simple is always best) to protect it)
  2. Security is part philosophy (Sometimes what you think and believe may not be the best method of protection, so listen well and adapt quickly)


From the Article

Big corporations like JPMorgan spend millions — $250 million in the bank’s case — on computer security every year to guard against increasingly sophisticated attacks like the one on Sony Pictures. But the weak spot at JPMorgan appears to have been a very basic one.


JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme (2 Factor), the people briefed on the matter said. That left the bank vulnerable to intrusion.



Follow this link for additional details:

Monday, December 22, 2014

If you shopped in STAPLES - Keep an eye on your credit card activity



Target is old news - STAPLES is the latest - information on 1.2 Million Credit Cards lost



From the Article

“At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014,” 


While the Staples breach is dwarfed in the number of lost records by Home Depot and Target, the common link is poorly secured point-of-sale systems and effective malware targeting those platforms and stealing payment card data before it is encrypted.



Follow this link for additional details:

Friday, December 19, 2014

SS7 Vulnerability - Be careful about what you say on your Cell Phone






From the Article

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. 


  • In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function -- a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

  • The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.



Follow this link for additional details:

Another short-n-sweet piece of advice from Schneier - Lessons from the Sony Hack


If one can condense the wisdom from an entire book then this article would be it.




From the Article

To understand any given episode of hacking, you need to understand who your adversary is. I've learned to separate opportunistic attacks from targeted ones.

You can characterize attackers along two axes: skill and focus.


Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

Follow this link for additional details:
https://www.schneier.com/blog/archives/2014/12/lessons_from_th_4.html

Monday, December 15, 2014

Ever heard of "Certificate Transparency"?



Certificate Transparency is a proposal from engineers at Google that would help resolve some of the issues with certificate authorities, fraudulent certificates and stolen certificates. The framework would provide a public log of every certificate that’s issued by compliant CAs and also would provide proof to users’ browsers when each certificate is presented. Google is planning to implement CT in Chrome, and now Mozilla officials say that the company will implement in Firefox, but the process will be a gradual one.


Follow the link below for more details

http://threatpost.com/mozilla-to-support-certificate-transparency-in-firefox/109819

Thursday, December 4, 2014

Scary Statement: “The malware authors are flashing the malware variants onto the firmware of phones headed to consumers.”

A new Chinese Trojan?


According to the article

DeathRing is disguised as a ringtone app but in reality downloads SMS and WAP content from its command-and-control server to the victim’s phone, according to mobile security vendor Lookout.

This enables the attackers to phish personal information via fake texts or prompt the victim to download more malware disguised in APKs, the firm claimed.


More details below:
http://www.infosecurity-magazine.com/news/deathring-chinese-trojan-preloaded