HITBGSEC

By: The Usual Suspects

Hack In The Box (HITB), known for its cutting-edge technical talks and trainings in computer security, is holding its 5th annual GSEC security conference in Singapore. Taking place at the InterContinental from August 26 to 30, HITB's GSEC security conference features a unique audience-voted line up of talks and a wide range of hacking games, exhibits and challenges, including its ever-popular HITB Capture The Flag (CTF) competition. The event precedes HITB+CyberWeek taking place in Abu Dhabi in October – set to be HITB's largest event this year.

Patrick Wardle, about whose discoveries we've written many times on Tom's Guide, last month analyzed a new strain of Mac malware called Windshift. He noticed that Apple had revoked the digital certificate that let the malware install on Macs. That's good.

It's one thing to report website vulnerabilities before they're used maliciously. It's another to blog about a vulnerability online.

Singapore authorities fined Zheng Dutao, an engineer at Chinese internet giant Tencent, S$5,000 (about $3,660) this week after discovering he hacked into a hotel's Wi-Fi system and shared sensitive information on his blog, ZDNet reported Tuesday.

Security researchers look at how macOS users can be remotely targeted using document handlers and custom URL schemes – which is behind the “Do you want to allow” popup seen in the above screenshot.

Patrick Wardle explains how a custom APT abuses URL schemes to remotely infect macOS targets

Apple Macs are rarely the target of digital espionage. But in recent years, a mysterious hacker crew called WindShift has targeted specific individuals working in government departments and critical infrastructure across the Middle East. And they’re exploiting weaknesses believed to affect all Apple Mac models.

L33tdawg: Christopher will also be at #HITBGSEC Singapore at the end of August.

When a room filled with hundreds of security professionals erupts into applause, it's notable. When that happens less than five minutes into a presentation, it's remarkable. But that's what transpired when security researcher Christopher Domas last week showed a room at Black Hat USA how to break the so-called ring-privilege model of modern CPU security.

Researchers from Positive Technologies — a provider of enterprise security solutions — have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs.

Intel ME is a separate processor embedded with Intel CPUs that runs its own operating system complete with processes, threads, memory manager, hardware bus driver, file system, and many other components.

Point-of-Sale systems from SAP had a vulnerability that allowed them to be hacked using a $25 Raspberry Pi or similar device, according to research unveiled at the Hack in the Box conference in Singapore last week.

Critical vulnerabilities in SAP's POS – since resolved – created a means for hackers not only to steal customers' card data but to gain unfettered control over the server, enabling them to change prices of goods with the help of a simple device, according to ERPScan.

Adam Donenfeld, a researcher with mobile security firm Zimperium, has published today proof-of-concept code for zIVA — a kernel exploit that affects iOS 10.3.1 and previous versions.

The zIVA exploit code allows an attacker to gain arbitrary RW (Read Write) and root access. Apple has addressed the eight vulnerabilities at the heart of this exploit package in a security patch it released in May. One affects the IOSurface kernel extension and seven others affect the AppleAVE Driver kernel extension.