- DEFCON posts
  - Hacking the DefCon 17 Badges – wired.com
  - DefCon 17 Mystery Challenge – wired.com
  - Inside the World’s Most Hostile Network – wired.com
- BlackHat Posts
  - A few Black Hat USA 2009 talks are available now – mcgrewsecurity.com
  - BlackHat 2009 Day 2 – Bruce “Reconceptualizing” – chuvakin.blogspot.com
  - All Around My (Black) Hat – h-online.com
  - Blackhat, software, developers, and attacks – digitalbond.com
  - Black Hat 2009 SSL Review: More Tricks For Defeating SSL In Practice (Moxie Marlinspike) – ivanristic.com
  - Black Hat 2009 SSL Review: Black Ops of PKI (Dan Kaminsky) – ivanristic.com
  - Black Hat 2009 SSL Review: Breaking the Myths of Extended Validation SSL Certificates (Alexander Sotirov and Mike Zusman) – ivanristic.com
  - BlackHat 2009 Inspired – On Media Whoring – chuvakin.blogspot.com
- Blue Team Playbook – pauldotcom.com
It seems to me that every CTF/REBL event the Blue Team gets a bunch of un-patched systems.
- BITS Shared Assessments – Useful or Not – infosecalways.com
Is this another useless assessment methodology, great idea, or a platform for vendors to sell products?
- Louisville Metro InfoSec Conference – louisvilleinfosec.com
The official site of this Kentucky security event.
- Offensive Computing Twitter OComputing – offensivecomputing.net
Follow OComputing for all the malware and reverse engineering 140 characters can handle.
- Stoned Bootkit – stoned-vienna.com
Stoned Bootkit is a new Windows bootkit that is loaded before Windows starts and stays memory resident, so Stoned gains access to the entire system.
- ViewStateViewer: A GUI Tool for deserializing/reserializing ViewState – neohapsis.com
ViewStateViewer seamlessly integrates into the Fiddler workflow, allowing a user to manipulate it just as they would any other variable in an HTTP request.
- Morpheus Beta – sourceforge.net/projects/morpheus-fwknop/
Morpheus is a Windows client for fwknop, the Single Packet Authorization System.
- FakeIKEd v0.0.5 – roe.ch
Fiked can impersonate a VPN gateway’s IKE responder in order to capture XAUTH login credentials.
- Update: PDFiD Version 0.0.8 – didierstevens.com
The update packs in Flash detection in PDFs, new date format and more.
- Backtrack 4. MSF – Part 1 – synjunkie.blogspot.com
Using Backtrack and Metasploit together can lead to exciting results.
- A Beta Version of NPing has been released – professionalsecuritytesters.org
It generates network packets for a wide range of protocols, letting users tune virtually any field of the protocol headers.
- Creating HTML Listeners with JSReg and Hackvertor – thespanner.co.uk
A proof of concept put together using JSReg and Hackvertor.
- SSLSniff V0.6 – thoughtcrime.org
It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly.
- UC Sniffer 2.4 – sourceforge.net/projects/ucsniff/
A VoIP Sniffer and security tool with some new features!
- Websecurify – websecurify.com
Websecurify automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.
- iKAT Linux 2.0 – ikat.ha.cked.net
iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionality.
- Findbugs v1.3.9-RC1 – findbugs.sourceforge.net
FindBugs™ looks for instances of “bug patterns” and errors in Java programs.
- NetCut v2.0.8 – arcai.com
NetCut is a tool that helps you administer your network using purely the ARP protocol.
- Quick Oracle/MSF Notes – carnal0wnage.attackresearch.com
A couple of notes on the Metasploit Oracle mixin.
- “Death of Anonymous Travel” – philosecurity.org
For security purposes, the public is generally not provided with detailed information about the management and use of mass surveillance systems.
- Defcon 17 Slides, Demos and Tools – notsosecure.com
A demo on exploiting PL/SQL injections, exploiting Oracle using Bsqlbf and Oracle SQL Worm POC.
- Researchers Hack IP Video – darkreading.com
Researchers from Viper Lab showed how a criminal could tamper with an IP video surveillance system to cover up a crime.
- Moxie Marlinspike on SSL Attacks – threatpost.com
Dennis Fisher talks with researcher Moxie Marlinspike about the innovative research on attacking the inherent weaknesses in the SSL infrastructure.
- SMBEnum – ha.ckers.org
A way to enumerate certain types of files on Windows from within Internet Explorer.
- BlackHat 2009 and Defcon 17: EV SSL MITM Demo – schmoil.blogspot.com
The demo shows a MITM using a regular SSL certificate to intercept data sent to a site protected with an EV SSL certificate.
- Black Hat: PKI Hack Demonstrates Flaws in Digital Certificate Technology – darkreading.com
Researcher Dan Kaminsky illuminates flaws in X.509 authentication.
- ‘MonkeyFist’ Launches Dynamic CSRF Web Attacks – darkreading.com
Researchers release tool that automates cross-site request forgery attacks.
- Researcher Exposes Flaws In Certificate Authority Web Applications – darkreading.com
SSL certificate validation process easy “to game,” he says.
- BlackHat presentation demo vids: SalesForce ClickJacking – sensepost.com
The implication is that business-critical services and infrastructure may be at risk due to a web developer’s mistake.
- BlackHat presentation demo vids: SugarSync – sensepost.com
In the following set of videos, we show how an attacker can generate a huge number of password reset links.
- BlackHat presentation demo vids: SalesForce Sifto – sensepost.com
Our proof-of-concept was to port Nikto into a Force.com application, and we named it Sifto.
- BlackHat presentation demo vids: Amazon – sensepost.com
This video demonstrates three separate attacks against EC2 that permit an attacker to boot up massive numbers of machines, steal computing time/bandwidth from other users and steal paid-for AMIs.
- BlackHat presentation demo vids: MobileMe – sensepost.com
This final installment showcases weaknesses in the password reset feature for Apple’s MobileMe service as well as publicizing an XSS vulnerability in the application.
- Release of the Tor Backdoor – carnal0wnage.attackresearch.com
I hope people find it useful, if nothing else as a place to start for a more robust backdoor.
- Switch hardening on your network – isc.sans.org
Badly configured switches and internal routers are almost as common as blank SA passwords on MSSQL databases.
- Security Reputation Monitoring – hexesec.wordpress.com
A client had recently had their web site scraped and placed under a similar domain.
- [BONSAI] SQL Injection in CS-Cart <= 2.0.5 – ethicalhack3r.co.uk
The research consisted of vulnerability assessments of commercial and open source ecommerce web applications over a 2-week period.
- Save a kitten, write SCAP content – guerilla-ciso.com
A presentation on Security Content Automation Protocol and Web Application Security, plus some other stuff.
- Protect Your Computer Against ARP Poison Attack netCut – raymond.cc
Attacking computers with netCut seems to be fun for script kiddies, but it is no fun at all for the person who got cut.
- All about the ActiveX vulnerability
Some comments on this new vulnerability in Microsoft Windows.
- Adobe patches vulnerability in Reader and Acrobat – h-online.com
The updates fix critical security vulnerabilities that can be exploited to inject and execute malicious code.
- WordPress 2.8.3 Fixes Security Holes – blogsecurity.net
Also, the WordPress 2.0.x branches are now deprecated and will therefore no longer be maintained.
- Firefox gears up to 3.5.2 and 3.0.13 for more fixes
The new version fixes some bugs relating to certificate regexp parsing, SSL protection and DNS data corruption.
  - Firefox Updates – isc.sans.org
  - Firefox 3.5.2 and 3.0.13 fix security vulnerabilities – h-online.com
- August 2009 Advance Notification – technet.com
Microsoft plans to release 9 security bulletins this August 11th.
- Gaming execs: Despite reports, hackers didn’t touch ATMs – lasvegassun.com
In fact, the ATM in question in the hotel’s convention lobby was deactivated as a security precaution.
- Feds at DefCon Alarmed After RFIDs Scanned – wired.com
It was part of a security-awareness project by a group of security researchers and consultants to highlight privacy issues around RFID.
- Hanging with hackers can make you paranoid – cnet.com
At a hacker conference no one is safe.
- Hackers turn Wii controller into tool for disabled – yahoo.com
The WiiAssist project tweaks the Wii remote’s infrared sensors to help persons with disabilities have better computer access.
- DefCon Badge Hack Fools Facial Recognition Systems With Pulsing Light – gizmodo.com
The pulsing series of LEDs embedded in the bill of the cap confuses facial recognition systems.
- Attackers Took Shots at Wi-Fi Network at Black Hat – eweek.com
According to Aruba Networks, attackers were up to their usual tricks.
- Apple keyboard gets hacked like a ripe papaya, perp caught on video – engadget.com
A hacker going by K. Chen using HIDFirmwareUpdaterTool injected malicious code into the keyboard’s firmware.
- Exclusive Interview: Hacking The iPhone Through SMS – tomshardware.com
An interview about an iPhone vulnerability that would allow a malicious hacker to take control of it through a series of carefully crafted SMS messages.
- Black Hat: San Francisco meters hacked for free parking – infosecurity-us.com
Researchers have revealed how the security of San Francisco’s plans to become a showcase for the US on computerised parking has been compromised.
- New Hardened Thumb Drive Self-Destructs When Breached – darkreading.com
IronKey’s new S200 includes strong encryption, anti-malware controls, and security policy management.
- The US Cyber Challenge Wants You – techbuddha.wordpress.com
This program aims to develop the next generation of technically advanced cyber warriors and security specialists.
- 40 Million Identities For Sale Online – absolute.com
The information available for sale includes sensitive financial information (credit card / bank details, some PINs).
- Twitter denied, Facebook downed
The skinny on what really happened and why Twitter and Facebook went down.
  - Twitter DOS – isc.sans.org
  - Serious Twitter Outage Ongoing, Denial Of Service Attack (Updated) – techcrunch.com
  - Twitter crippled by denial-of-service attack – cnet.com
  - How Did Hackers Cripple Twitter? – time.com
  - Twitter, Facebook attack targeted one user – cnet.com
  - Security researchers zero in on Twitter hackers – computerworld.com
- Student Arrested for Jailbreaking Game Consoles — Update – wired.com
The Cal State Fullerton liberal arts student is accused of hiring himself out to circumvent copyrighted encryption technology.
- New Cyber-Sec Institute Cuts on CAG – eweek.com
The CAG is making a list of security practices and controls for agencies to help address the continued issues of electronic infiltration and data leakage.
- UK national ID card cloned in 12 minutes – computerweekly.com
The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning.
- Domain hijacking by ISPs
While not an uncommon practice, certain ISPs are profiting from redirects to unresolved URLs to the ire of some users.
  - Bell Starts Hijacking NX Domain Queries – slashdot.org
  - Comcast adopts DNS hijacking, imposes irritating opt-out – arstechnica.com
- Has SBN Stopped Being Useful? – computerdefense.org
Some thoughts on the Security Bloggers Network.