Events Related:
- Pwn2Own 2010
Now in its fourth year, the Pwn2Own competition will award up to $100,000 for exploits that successfully penetrate various hardware and software systems.- Contest offers $100,000 for smartphone, browser hacks – theregister.co.uk
- Pwn2Own 2010 – tippingpoint.com
Resources:
- 2010 SANS Top 25 Most Dangerous Programming Errors Released – cgisecurity.com
This is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. - Security Scoreboard – securityscoreboard.com
Think about a Zagat for security products, that is what it is.
Tools:
- MacNikto 1.1.1 – informationgift.com
It provides easy access to a subset of the features available in the Open Source, command-line driven Nikto web security scanner. - Harden SSL/TLS – Tool release – g-sec.lu
It allows locally and remotely set SSL policies allowing or denying certain ciphers/hashes or complete ciphersuites. - Pyrit 0.3.0 – code.google.com/p/pyrit/
Pyrit allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff - Browser Rider v20090204 Released – engineeringforfun.com
The project aims to provide a powerful, simple and flexible interface to any client side exploit. - Websecurify v0.5 Beta 1 – code.google.com/p/websecurify/
Techniques:
- Self-Inflicted SQL Injection – don’t quote me ! – mikesmithers.wordpress.com
But how can you be attacked when the attacker isn’t even around at the time ? - Integrating Core Impact Pro With the Metasploit Project – coresecurity.com
Today we announced that CORE IMPACT Pro will be integrated with Metasploit in our next scheduled product release. - Scriptable Processor modules – hexblog.com
One of the new features we are preparing for the next version of IDA is the ability to write processor modules using your favorite scripting language. - Abusing WCF to Perform Remote Port Scans – gdssecurity.com
The first step in establishing a session with WSDualHttpBinding requires the client and server to negotiate the duplex connection. - Screen Unlock Meterpreter Script – relentless-coding.blogspot.com
The script needs SYSTEM privileges and patches the msv1_0.dll loaded by lsass.exe so that every password will be accepted to unlock the screen.
Vulnerabilities:
- Google Buzz Security Flaw – ha.ckers.org
It’s yet another example of bad input validation/output encoding by your favorite advertising overlords at Google.
Vendor/Software Patches:
- Adobe fixes Reader and Acrobat Flaws
This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.- Security updates available for Adobe Reader and Acrobat – adobe.com
- Adobe plugs more gaping holes in PDF Reader – zdnet.com
- Adobe Plugs Critical PDF Code Execution Flaw – threatpost.com
- Security Updates for Adobe Reader, Acrobat – krebsonsecurity.com
- Mozilla security updates
Firefox and Seamonkey get a few bug fixes.- SeaMonkey 2.0.3 - seamonkey-project.org
- Firefox 3.5 Release Notes – mozilla.com
- Firefox 3 Release Notes v3.0.18 – mozilla.com
Other News:
- Reverse-engineering a smart meter – root.org
A software bug, typo at the control center, or hacker could potentially turn off my power and gas. - Electronic key impressioning – hackaday.com
Apparently, a handheld impressioning device is about to hit the market that can tell you the key codes for a lock in a matter of seconds. - China Home to Most Hacked Computers, Says Report – inc.com
In the last three months of 2009, about 1,095,000 computers in China were hacked. - Criminal hacker ‘Iceman’ gets 13 years – computerworld.com
Max Ray Butler, who used the hacker pseudonym Iceman, was sentenced Friday morning in Pittsburgh on charges of wire fraud and identity theft. - A Comparison of DBIR with UK breach report – verizonbusiness.com
The following is a high-level comparison of DBIR findings to the 7Safe report from the UK. - Even Kingston Knocks Off Kingston microSD Cards? – gizmodo.com
Bunnie Huang of the famous Chumby encountered some Kingston microSDs appeared to be dysfunctional counterfeits. - Mock cyber attack shows US unpreparedness – net-security.org
The simulated cyber attack in Washington showed that the US is still not ready to deflect or mitigate such an attack. - Hackers, Troops Rejoice: Pentagon Lifts Thumb-Drive Ban (Updated) – wired.com
U.S. Strategic Command has lifted its ban on the tiny drives, memory sticks, CDs and other “removable flash media” on military networks.
No comments yet.