Default password lists

I’ve decided to centralize the default password lists for multiple vendors. I’m making this a sticky post and will update this list when as I find these types of sites:

* http://bit.ly/2S6SToW – NETGEAR Default Password List
* http://bit.ly/2S37j9u – Linksys Default Password List
* http://bit.ly/2S3gPJV – D-Link Default Password List
* http://bit.ly/2S8KWzJ – Cisco Default Password List
* http://bit.ly/2S37FwQ – Default Router Usernames and Passwords (multiple vendors)
* http://bit.ly/2HrgT3O – Telnet, MySQL and other Linux and Windows service passwords courtesy of n0tazombie.

Always available CTF Labs

I have identified the following CTF labs which are 24/7 and most if not all are free:

To everyone that made me aware of these thank you!

Heap Overflow in Sudo (CVE-2021-3156)

Security researchers at the cybersecurity firm Qualys have discovered a heap overflow in the sudo command on Linux. According to their blog posting about it:

“The vulnerability itself has been hiding in plain sight for nearly 10 years. It was introduced in July 2011 (commit 8255ed69) and affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration.”

Qualys blog post: http://bit.ly/36kZHsL

Google releases details about an active exploit chain for Chrome and Windows

Google’s Project Zero recently published information on a series of exploits that is actively being used to gain privileged access on Windows via the Chrome browser as well as any browser based off of the Chromium engine. There is a vulnerability (CVE-2020-15999) in Chrome that allows for remote code execution and the code then takes advantage of a vulnerability (CVE-2020-17087) in Windows cryptographic device driver (cng.sys) to escape the Chrome sandbox. The vulnerability in Chrome has already been patched, however the vulnerability in Windows won’t be patched until November’s Patch Tuesday which will be on November 10th.

Links:

Popular Adblocker extension found to be malicious

Nano Adblocker and Nano Defender is installed in 300,000 web browsers was abandoned by it’s author Hugo Xu because he lacked time to maintain it.¬† The new authors, according to uBlock Origin developer Raymond Hill, introduced malicious code that will “…surreptitiously upload your browsing data in a remotely configurable way. Remotely configurable means that there was no need to update the extensions to modify the list of websites whose data would be stolen. In fact, the list of websites is unknown at this time as it was remotely configured. There are many reports of users’ Instagram accounts being affected, however.

Link:

Apple, Amazon, Google, and Zigbee Alliance Standard for Smart Home Technology on Track for 2021 Release

Last year, Apple, Amazon, Google, and the Zigbee Alliance, which includes Ikea, Samsung, and Philips, announced a new working group known as “Project Connected Home over IP” that set about developing an IP-based open-source connectivity standard for smart home products, with a focus on increased compatibility, security, and simplified development for manufacturers. The group has today announced a major update on the project, stating that development is ongoing, and that work is on track for a 2021 release.

Links: