Events Related:
- DEFCON posts
- Hacking the DefCon 17 Badges – wired.com
- DefCon 17 Mystery Challenge – wired.com
- Inside the World’s Most Hostile Network – wired.com
- Social Zombies Slides and DEFCON Updates – spylogic.net
- The Dark Cough – DEFCON 17 – thedarkvisitor.com
- Flickr photosets from DEFCON – flickr.com
- DefConPics – defconpics.org
- Adam Savage : FAILURE – Defcon 17 Talk – vimeo.com
- Hacking, Lock-Picking, Booze and Bacon: DefCon 17 In Review – wired.com
- BlackHat Posts
- A few Black Hat USA 2009 talks are available now – mcgrewsecurity.com
- BlackHat 2009 Day 2 – Bruce “Reconceptualizing” – chuvakin.blogspot.com
- All Around My (Black) Hat – h-online.com
- Blackhat, software, developers, and attacks – digitalbond.com
- Black Hat 2009 SSL Review: More Tricks For Defeating SSL In Practice (Moxie Marlinspike) – ivanristic.com
- Black Hat 2009 SSL Review: Black Ops of PKI (Dan Kaminsky) – ivanristic.com
- Black Hat 2009 SSL Review: Breaking the Myths of Extended Validation SSL Certificates (Alexander Sotirov and Mike Zusman) – ivanristic.com
- BlackHat 2009 Inspired – On Media Whoring – chuvakin.blogspot.com
- Blue Team Playbook – pauldotcom.com
It seems to me that every CTF/REBL event the Blue Team gets a bunch of un-patched systems. - BITS Shared Assessments – Useful or Not – infosecalways.com
Is this another useless assessment methodology, great idea, or a platform for vendors to sell products? - Louisville Metro InfoSec Conference – louisvilleinfosec.com
The official site of this Kentucky security event.
Resources:
- Offensive Computing Twitter OComputing – offensivecomputing.net
Follow OComputing for all the malware and reverse engineering 140 characters can handle.
Tools:
- Stoned Bootkit – stoned-vienna.com
Stoned Bootkit is a new Windows bootkit loaded before Windows starts and is memory resident thus Stoned gains access to the entire system. - ViewStateViewer: A GUI Tool for deserializing/reserializing ViewState – neohapsis.com
ViewStateViewer seamlessly integrates into the Fiddler workflow, allowing a user to manipulate it just as they would any other variable in a HTTP request. - Morpheus Beta – sourceforge.net/projects/morpheus-fwknop/
Morpheus is a windows client for fwknop, the Single Packet Authorization System. - FakeIKEd v0.0.5 – roe.ch
Fiked can impersonate a VPN gateway’s IKE responder in order to capture XAUTH login credentials. - Update: PDFiD Version 0.0.8 – didierstevens.com
The update packs in Flash detection in PDFs, new date format and more. - Backtrack 4. MSF – Part 1 – synjunkie.blogspot.com
Using Backtrack and Metasploit together can lead to exciting results. - A Beta Version of NPing has been released – professionalsecuritytesters.org
It generates network packets of a wide range of protocols, letting users to tune virtually any field of the protocol headers. - Creating HTML Listeners with JSReg and Hackvertor – thespanner.co.uk
A proof of concept put together using JSReg and Hackvertor - SSLSniff V0.6 – thoughtcrime.org
It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. - UC Sniffer 2.4 – sourceforge.net/projects/ucsniff/
A VoIP Sniffer and security tool with some new features! - Websecurify – websecurify.com
Websecurify automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies. - iKAT Linux 2.0 – ikat.ha.cked.net
iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionality. - Findbugs v1.3.9-RC1 – findbugs.sourceforge.net
FindBugs™ looks for instances of “bug patterns” and errors in Java programs. - NetCut v2.0.8 – arcai.com
Basically NetCut is a tool that helps you admin your network by purely on ARP protocol.
Techniques:
- Quick Oracle/MSF Notes – carnal0wnage.attackresearch.com
A couple of notes on the Metasploit Oracle mixin. - “Death of Anonymous Travel” – philosecurity.org
For security purposes, the public is generally not provided with detailed information about the management and use of mass surveillance systems. - Defcon 17 Slides, Demos and Tools – notsosecure.com
A demo on exploiting PL/SQL injections, exploiting Oracle using Bsqlbf and Oracle SQL Worm POC - Researchers Hack IP Video – darkreading.com
Researchers from Viper Lab showed how a criminal could tamper with an IP video surveillance system to cover up a crime. - Moxie Marlinspike on SSL Attacks – threatpost.com
Dennis Fisher talks with researcher Moxie Marlinspike about the innovative research on attacking the inherent weaknesses in the SSL infrastructure. - SMBEnum – ha.ckers.org
A way to enumerate certain types of files on Windows from within Internet Explorer. - BlackHat 2009 and Defcon 17: EV SSL MITM Demo – schmoil.blogspot.com
The demo shows a MITM using a regular SSL certificate to intercept data sent to a site protected with an EV SSL certificate. - Black Hat: PKI Hack Demonstrates Flaws in Digital Certificate Technology – darkreading.com
Researcher Dan Kaminsky illuminates flaws in X.509 authentication. - ‘MonkeyFist’ Launches Dynamic CSRF Web Attacks – darkreading.com
Researchers release tool that automates cross-site request forgery attacks. - Researcher Exposes Flaws In Certificate Authority Web Applications – darkreading.com
SSL certificate validation process easy “to game,” he says. - BlackHat presentation demo vids: SalesForce ClickJacking – sensepost.com
The implication is that business-critical services and infrastructure maybe at risk due to a web developer’s mistake. - BlackHat presentation demo vids: SugarSync – sensepost.com
In the following set of videos, we show how an attacker can generate a huge number of password reset links. - BlackHat presentation demo vids: SalesForce Sifto – sensepost.com
Our proof-of-concept was to port Nikto into a Force.com application, and we named it Sifto. - BlackHat presentation demo vids: Amazon – sensepost.comThis video demonstrates three separate attacks against EC2 that permit an attacker to boot up massive numbers of machines, steal computing time/bandwidth from other users and steal paid-for AMIs.
- BlackHat presentation demo vids: MobileMe – sensepost.com
This final installment showcases weaknesses in the password reset feature for Apple’s MobileMe service as well as publicizing an XSS vulnerability in the application. - Release of the Tor Backdoor – carnal0wnage.attackresearch.com
I hope people find it useful, if nothing else as a place to start for a more robust backdoor. - Switch hardening on your network – isc.sans.org
Badly configured switches and internal routers are almost as common as blank SA passwords on MSSQL databases. - Security Reputation Monitoring – hexesec.wordpress.com
A client had recently had their web site scraped and placed under a similar domain. - [BONSAI] SQL Injection in CS-Cart <= 2.0.5 – ethicalhack3r.co.uk
The research consisted of vulnerability assessing commercial and open source ecommerce web applications over a 2 week period. - Save a kitten, write SCAP content – guerilla-ciso.com
A presentation on Security Content Automation Protocol and Web Application Security, plus some other stuff. - Protect Your Computer Against ARP Poison Attack netCut – raymond.cc
Attacking computers with netCut seemed to be fun for script kiddies but the person who got cut is no fun at all.
Vulnerabilities:
- All about the ActiveX vulnerability
Some comments on this new vulnerability in Microsoft Windows
Vendor/Software Patches:
- Adobe patches vulnerability in Reader and Acrobat – h-online.com
The updates fix critical security vulnerabilities that can be exploited to inject and execute malicious code. - WordPress 2.8.3 Fixes Security Holes – blogsecurity.net
Also, the WordPress 2.0.x branches are now deprecated and will therefore no longer be maintained. - Firefox gears up to 3.5.2 and 3.0.13 for more fixes
The new version fixes some bugs relating to certificate regexp parsing, SSL protection and DNS data corruption.- Firefox Updates – isc.sans.org
- Firefox 3.5.2 and 3.0.13 fix security vulnerabilities – h-online.com
- August 2009 Advance Notification – technet.com
Microsoft plans to release 9 security bulletins this August 11th.
Other News:
- Gaming execs: Despite reports, hackers didn’t touch ATMs – lasvegassun.com
In fact, the ATM in question in the hotel’s convention lobby was deactivated as a security precaution. - Feds at DefCon Alarmed After RFIDs Scanned – wired.com
It was part of a security-awareness project by a group of security researchers and consultants to highlight privacy issues around RFID. - Hanging with hackers can make you paranoid – cnet.com
At a hacker conference no one is safe. - Hackers turn Wii controller into tool for disabled – yahoo.com
The WiiAssist project tweaks the Wii remote’s infrared sensors to help persons with disability have better computer access. - DefCon Badge Hack Fools Facial Recognition Systems With Pulsing Light – gizmodo.com
The pulsing series of LEDs embedded in the bill of the cap confuses facial recognition systems. - Attackers Took Shots at Wi-Fi Network at Black Hat – eweek.com
According to Aruba Networks, attackers were up to their usual tricks. - Apple keyboard gets hacked like a ripe papaya, perp caught on video – engadget.com
A hacker going by K. Chen using HIDFirmwareUpdaterTool injected malicious code into the keyboard’s firmware. - Exclusive Interview: Hacking The iPhone Through SMS – tomshardware.com
An interview about an iPhone vulnerability that would allow a malicious hacker to take control of it through a series of carefully crafted SMS messages. - Black Hat: San Francisco meters hacked for free parking – infosecurity-us.com
Researchers have revealed how the security of San Francisco’s plans to become a showcase for the US on computerised parking has been compromised. - New Hardened Thumb Drive Self-Destructs When Breached – darkreading.com
IronKey’s new S200 includes strong encryption, anti-malware controls, and security policy management. - The US Cyber Challenge Wants You – techbuddha.wordpress.com
This program aims to develop the next generation of technically advanced cyber warriors and security specialists. - 40 Million Identities For Sale Online – absolute.com
The information available for sale includes sensitive financial information (credit card / bank details, some PINs). - Twitter denied, Facebook downed
The skinny on what really happened and why Twitter and Facebook went down.- Twitter DOS – isc.sans.org
- Serious Twitter Outage Ongoing, Denial Of Service Attack (Updated) – techcrunch.com
- Twitter crippled by denial-of-service attack – cnet.com
- How Did Hackers Cripple Twitter? – time.com
- Twitter, Facebook attack targeted one user – cnet.com
- Security researchers zero in on Twitter hackers – computerworld.com
- Student Arrested for Jailbreaking Game Consoles — Update – wired.com
The Cal State Fullerton liberal arts student is accused of hiring himself out to circumvent copyrighted encryption technology. - New Cyber-Sec Institute Cuts on CAG – eweek.com
The CAG is making a list of security practices and controls for agencies to help address the continued issues of electronic infiltration and data leakage. - UK national ID card cloned in 12 minutes – computerweekly.com
The prospective national ID card was broken and cloned in 12 minutes, the Daily Mail revealed this morning. - Domain hijacking by ISPs
While not an uncommon practice, certain ISPs are profiting from redirects to unresolved URLs to the ire of some users.- Bell Starts Hijacking NX Domain Queries – slashdot.org
- Comcast adopts DNS hijacking, imposes irritating opt-out – arstechnica.com
- Has SBN Stopped Being Useful? – computerdefense.org
Some thoughts on the Security Bloggers Network.
No comments yet.