Week 41 in Review – 2009

Events Related:

• FRHACK01 copy of presentations – professionalsecuritytesters.org
  A list of the slides from the recent French conference
• Things I Learned at SecTor 2009 – preachsecurity.blogspot.com
• SecTor 2009 thoughts and insights
  • SecTor 2009 Wrapup – spywareguide.com
  • My Sector ’09 Experience – anti-virus-rants.blogspot.com

Tools:

• VIPER Lab’s VAST Live Distro for VOIP security assessment – vipervast.sourceforge.net
  The distro includes VoIP security assessment tools such as UCsniff, VoipHopper, and more.
• SFDumper 2.1 has been released – sfdumper.sourceforge.net
  This is an Open Source free computer forensics useful tool written in Bash Script for Linux systems.
• DVWA v1.0.6 – dvwa.co.uk
  Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
• Code Crawler 2.4 Beta Release – codecrawler.codeplex.com
  A tool aimed at assisting code review practitioners.
• Top 15 free SQL Injection Scanners – rochakchauhan.com
  A list of free SQL Injection Scanners that will be of value to both web application developers and professional security auditors.
• Netsparker – The Final Beta! – mavitunasecurity.com
  The latest and final beta build bakes in better performance, improved engines, among others.
• Metasm – Assembly Manipulation Suite – metasm.cr0.org
  Metasm is a cross-architecture assembler, disassembler, compiler, linker and debugger.
• IMA Project : Identity Management Auditor Project – xmcopartners.com/ima
  IMA provides a simple way to audit Identity Management, is composed of several dedicated modules.
• Burp v1.2.17 – portswigger.net
  Burp Scanner now allows reporting of issues in XML format, to enable easy integration with other tools.
• sqlmap v0.8 – sqlmap.sourceforge.net
  Sqlmap is an open source command-line automatic SQL injection tool.
• Charles Proxy v3.4 – charlesproxy.com
  Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view traffic between their machine and the Internet.
• OpenSCAP v0.5.3 – open-scap.org
  It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP
• SSLScan – Fast SSL Scanner – sourceforge.net/projects/sslscan/
  SSLScan queries SSL services, such as HTTPS, in order to determine the ciphers that are supported.
• OpenVAS 3.0 Beta – wald.intevation.org
  OpenVAS 3.0 introduces a new architecture where openvas-libraries is now mandatory dependency for openvas-client.
• Windd 1.3 Final! (x86 and x64) – msuiche.net
  Windd is a free Windows utility which aims at being used as a swiss-knife to acquire physical memory.

Vendor/Software Patches:

• Microsoft plans monster Patch Tuesday next week – computerworld.com
  Unlucky 13 sets record as biggest-ever patch day, includes first-ever for Windows 7 RTM.

Other News:

• Hotmail passwords revealed online
  Over 10,000 email accounts have been posted online
  • Phishing attack targets Hotmail – bbc.co.uk
  • Up to 20,000+ Windows Live Hotmail account details leaked online – h-online.com
  • Phished or not, leaked passwords show lazy habits – cnet.com
  • Weak passwords dominate statistics for Hotmail’s phishing scheme leak – zdnet.com
  • The anatomy of a Hotmail phishing attack – neowin.net
  • 10k Hotmail Passwords – reusablesec.blogspot.com
  • Analysis of Hotmail Passwords by Other People – reusablesec.blogspot.com
• MoD ‘how to stop leaks’ document is leaked – telegraph.co.uk
  The 2,400-page restricted document has found its way on to Wikileaks
• Paypal evicts hacker for selling hacking tools
  PayPal suspended the account of a white-hat hacker on Tuesday after someone used his research to publish a counterfeit certificate.
  • PayPal Suspends Researcher’s Account for Distributing Hacking Tools – wired.com
  • Man banished from PayPal for showing how to hack PayPal – theregister.co.uk
• NIST maps out the emerging field of IT metrology – hackerscenter.com
  Are meaningful security metrics even achievable?
• Avert Labs Paper: Inside the Password Stealing Business:the Who and How of Identity Theft – hackerscenter.com
  The report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families.
• Jail chaos as lag hacker is left in charge of computer system – mirror.co.uk
  A jailed hacker shut down a prison’s entire computer system – after bosses gave him the job of programming it.
• Q&A: Worldwide surveillance and filtering – net-security.org
  In this interview, Rafal Rohozinski discusses international surveillance and filtering issues.
• Hackers Target Xbox Live – internetnews.com
  Network security issues are now popping up for game console owners.
• Some 100 people face 20 years in jail following a two-year investigation by the FBI. – itpro.co.uk
  US and Egyptian authorities have charged 100 people in “the largest international phishing case ever conducted”.
• Phishing Scam Spooked FBI Director Off E-Banking – washingtonpost.com
  Not long ago, the head one of our nation’s domestic agencies received an e-mail purporting to be from his bank.
• $3 Million In Click Fraud Over Two Weeks? Just The Beginning – gizmodo.com
  A recently disbanded click fraud ring in China racked up $3 million worth of clicks in two weeks.
• Wikileaks plans to make the Web a leakier place – itworld.com
  The new upload system will give potential whistleblowers around the world the ability to leak sensitive documents to an organization or journalist they trust over a secure connection.