Since 2017, and as a result of the Bangladesh Bank cyber heist, SWIFT has established a Customer Security Programme that describes a set of mandatory and advisory security controls for participants. All customers need to re-attest and confirm full compliance with the mandatory security controls. As stated by SWIFT’s CEO in May 2016: “The Bangladesh Bank hack was a watershed event for the banking industry. There will be a before and an after Bangladesh.”
Dirk-jan Mollema, a pentester working for Fox-IT, found a very clever attack allowing any user owning an Exchange mailbox to obtain Domain Admin privileges. The attack was unveiled last week, strangely without much media coverage (but things seem to be changing: the daily blog post of the SANS ISC covered the subject yesterday). As there is still no fix (think: a software patch to install) from Microsoft, the term “0day” is going around.
RandoriSec was at the SSTIC conference in Rennes, France. SSTIC (Symposium sur la sécurité des technologies de l’information et des communications) is a long-running security conference that started in 2003, and the majority of the presentations are in French! This year was the 16th (0x10) edition, held at the Couvent des Jacobins, an old convent. Most of the slides and videos are available on the SSTIC website:
RandoriSec was at the Amsterdam 2018 edition of Hack In The Box and… IT WAS A BLAST! It has been over a month, and many tweets, write-ups and even the full slides (https://conference.hitb.org/hitbsecconf2018ams/materials/) have been published, so we won’t cover the details here; we just wanted to say a few words about it. The agenda was great, with two main conference tracks, one dedicated track for the labs and one additional track, free and open to the public:
Here at RandoriSec we like hacking and fixing all the things, and as we strongly promote information sharing, we will use this blog to publish our research and findings. But first you need to know what Randori is! It is a term used in Japanese martial arts referring to a form of practice in which a designated person defends against multiple attackers in quick succession without knowing how they will attack or in what order.