- FRHACK01 copy of presentations – professionalsecuritytesters.org
A list of the slides from the recent French conference
- Things I Learned at SecTor 2009 – preachsecurity.blogspot.com
- SecTor 2009 thoughts and insights
- All about Website Password Policies – jeremiahgrossman.blogspot.com
Some simple guidelines when implementing password protection in a site.
- Web Application Security Scanner Evaluation Criteria v1.0 – webappsec.org
WASSEC is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities.
- VIPER Lab’s VAST Live Distro for VOIP security assessment – vipervast.sourceforge.net
The distro includes VoIP security assessment tools such as UCsniff, VoipHopper, and more.
- SFDumper 2.1 has been released – sfdumper.sourceforge.net
This is an Open Source free computer forensics useful tool written in Bash Script for Linux systems.
- DVWA v1.0.6 – dvwa.co.uk
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- Code Crawler 2.4 Beta Release – codecrawler.codeplex.com
A tool aimed at assisting code review practitioners.
- Top 15 free SQL Injection Scanners – rochakchauhan.com
A list of free SQL Injection Scanners that will be of value to both web application developers and professional security auditors.
- Netsparker – The Final Beta! – mavitunasecurity.com
The latest and final beta build bakes in better performance, improved engines, among others.
- Metasm – Assembly Manipulation Suite – metasm.cr0.org
Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger.
- IMA Project : Identity Management Auditor Project – xmcopartners.com/ima
IMA provides a simple way to audit Identity Management, is composed of several dedicated modules.
- Burp v1.2.17 – portswigger.net
Burp Scanner now allows reporting of issues in XML format, to enable easy integration with other tools.
- sqlmap v0.8 – sqlmap.sourceforge.net
Sqlmap is an open source command-line automatic SQL injection tool.
- Charles Proxy v3.4 – charlesproxy.com
Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view traffic between their machine and the Internet.
- OpenSCAP v0.5.3 – open-scap.org
It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP
- SSLScan – Fast SSL Scanner – sourceforge.net/projects/sslscan/
SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported.
- OpenVAS 3.0 Beta – wald.intevation.org
OpenVAS 3.0 introduces a new architecture where openvas-libraries is now mandatory dependency for openvas-client.
- Windd 1.3 Final! (x86 and x64) – msuiche.net
Windd is a free Windows utility which aims at being used as a swiss-knife to acquire physical memory.
- Oracle Password Benchmarks – red-database-security.com
Dennis Yurichev has published details about his FPGA based Oracle (DES) password cracker.
- Oracle Security Worst Practices – petefinnigan.com
Pete talks about how to audit for future security issues and bad practices.
- Real World Stories: How Pen Tests Complement Vulnerability Scans – coresecurity.com
Vulnerability scans when used in cooperation with penetration tests become significantly more useful in calibrating issues of risk.
- Creating wordlists with JTR – carnal0wnage.attackresearch.com
Some research on creating a word list for password brute forcing
- SMB2: 351 Packets from the Trampoline – metasploit.com
Some code related to Trampoline and SMB 2.0
- 60 million password hashes/second Oracle password cracker available – petefinnigan.com
Dennis Yurichev has finally finished up his cracker and has added a web based front end to the hardware that is accessible from his website.
- Teaching John The Ripper how to Crack MD5 Hashes and more – disenchant.ch
A fix to the guide on how to use John the Ripper for cracking hashes
- Penetration testing, targeted malware attacks and the future – perpetualhorizon.blogspot.com
Some thoughts on pentesting and malware
- Cyber Security Awareness Month – Day 9 – Port 3389/tcp (RDP) – isc.sans.org
Microsoft’s RDP and its associated “terminal service” client and server apps have been widely used since Windows 2000 days for Windows server administration.
- Cyber Security Awareness Month – Day 11 – RPCBind aka Portmapper – isc.sans.org
A review on port scanners and how to secure open ports.
- Cyber Security Awareness Month – Day 12 Ports 161/162 Simple Network Management Protocol (SNMP) – isc.sans.org
SNMP is used to monitor network connected devices.
- Sqlninja & Metasploit Demo – radajo.com
A pentesting demo to be presented during a course lesson in London
- Burp Tip of the Day – Nikto DB Import – room362.com
An export of the list of checks to a text file so that they could be used over and over in Intruder.
- Evil Maid goes after TrueCrypt! – theinvisiblethings.blogspot.com
The whole infection process takes about 1 minute, and it’s well suited to be used by hotel maids.
- Adobe’s recent PDF flaw
Another flaw has risen on Adobe’s flagship reader
- Adobe Reader and Acrobat issue – adobe.com
- New Adobe PDF flaw under attack; Patch coming Tuesday – zdnet.com
- Microsoft plans monster Patch Tuesday next week – computerworld.com
Unlucky 13 sets record as biggest-ever patch day, includes first-ever for Windows 7 RTM.
- Hotmail passwords revealed online
Over 10,000 email accounts have been posted online
- Phishing attack targets Hotmail – bbc.co.uk
- Up to 20,000+ Windows Live Hotmail account details leaked online – h-online.com
- Phished or not, leaked passwords show lazy habits – cnet.com
- Weak passwords dominate statistics for Hotmail’s phishing scheme leak – zdnet.com
- The anatomy of a Hotmail phishing attack – neowin.net
- 10k Hotmail Passwords – reusablesec.blogspot.com
- Analysis of Hotmail Passwords by Other People – reusablesec.blogspot.com
- MoD ‘how to stop leaks’ document is leaked – telegraph.co.uk
The 2,400-page restricted document has found its way on to Wikileaks
- Paypal evicts hacker for selling hacking tools
PayPal suspended the account of a white-hat hacker on Tuesday after someone used his research to publish a counterfeit certificate.
- PayPal Suspends Researcher’s Account for Distributing Hacking Tools – wired.com
- Man banished from PayPal for showing how to hack PayPal – theregister.co.uk
- NIST maps out the emerging field of IT metrology – hackerscenter.com
Are meaningful security metrics even achievable?
- Avert Labs Paper: Inside the Password Stealing Business:the Who and How of Identity Theft – hackerscenter.com
The report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families.
- Jail chaos as lag hacker is left in charge of computer system – mirror.co.uk
A jailed hacker shut down a prison’s entire computer system – after bosses gave him the job of programming it.
- Q&A: Worldwide surveillance and filtering – net-security.org
In this interview, Rafal Rohozinski discusses international surveillance and filtering issues.
- Hackers Target Xbox Live – internetnews.com
Network security issues are now popping up for game console owners.
- Some 100 people face 20 years in jail following a two-year investigation by the FBI. – itpro.co.uk
US and Egyptian authorities have charged 100 people in “the largest international phishing case ever conducted”.
- Phishing Scam Spooked FBI Director Off E-Banking – washingtonpost.com
Not long ago, the head one of our nation’s domestic agencies received an e-mail purporting to be from his bank.
- $3 Million In Click Fraud Over Two Weeks? Just The Beginning – gizmodo.com
A recently disbanded click fraud ring in China racked up $3 million worth of clicks in two weeks.
- Wikileaks plans to make the Web a leakier place – itworld.com
The new upload system will give potential whistleblowers around the world the ability to leak sensitive documents to an organization or journalist they trust over a secure connection.