This week, we discuss the lack of information and where you might find more information about certain vulnerabilities. Seems like many companies fail to give out necessary and actionable information without paying an arm and a leg.
We also go over our DerbyCon CTF walkthrough, and discuss the steps to solve it.
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2017-030-vulnerability_OSINT-derbycon_CTF_walkthrough.mp3
Ms. Berlin is going to be at Bsides Wellington! Get your Tickets NOW!
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
Comments, Questions, Feedback: email@example.com
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
NCC group talks in Seattle
NIST guidelines - no security questions, no SMS based 2fa
Sites have information like Spokeo…
Take Java for example (CVE-2017-10102): info is sparse
Other sites have more
https://tools.cisco.com/security/center/viewAlert.x?alertId=54521 - worse than Oracle’s site (impressive crappery)
Some are better: RHEL is fairly decent
Ubuntu has some different tidbits
Arch has info
Point is, just because you use a specific OS, don’t limit yourself… other OSes may contain more technical info. Some maintainers like to dig, like you.
https://vuldb.com/ - gives value of finding such a PoC for a vuln (5-25K USD for 2017-10102)
Derbycon CTF walkthrough
Looking for an instructor for an ‘intro to RE’ course.
Dr. Pulaski = Diana Maldaur
Dr. Crusher = Gates McFadden