Security News #0x5D
- Back in September, we mentioned a post by Tom Van Goethem in which he was able to exploit older versions of WordPress by abusing the unserialize() function. Now that some time has elapsed and systems have been patched, he is back with more details on how to make the attack work, including PoC code.
- MalWerewolf has a nice piece on proper techniques for input sanitization, focusing on a PHP web application. Remember, students: "All input is EVIL".
- The topology for the Illinois CCDC event has been released.
- Google reports an issue where ANSSI, a cybersecurity organization in the French government, has been spoofing certificates for various Google domains.
- Brian Krebs has a nice analysis in which he estimates the number of zero days currently for sale on the open market. You should also take a look at Kelly Jackson Higgins' take over at Dark Reading. Definitely worth reading!
- Threatpost reports on a move by the developers of FreeBSD to no longer use certain hardware random number generators on Intel and VIA chips because of a fear of NSA-implanted back doors.
- Ars Technica reports on how an online poker player left his laptop in his hotel room, only to discover later that it had been infected with a remote access trojan while he was out of the room. Full disk encryption, friends!