Events Related:
- Presentation Materials from HITB Dubai available for Download – hitb.org
Presentation materials from the 4th annual Hack In The Box Security Conference are now available for download! - Black Hat Europe 2010 Media Archives – blackhat.com
Presentations, video, papers and other media from this Barcelona event. - Security BSides Boston on Flickr – flickr.com
Pictures of this security event.
Resources:
- OWASP Top 10 for 2010 – owasp.org
The Open Web Application Security Project (OWASP) today issued the final version of its new Top 10 list of application security risks. - vSphere 4.0 Hardening Guide Released – vmware.com
This version incorporates the extensive feedback from the VMware community on the previous draft release. - NIST on Protecting Personally Identifiable Information – schneier.com
Just published: Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).” - HITB Ezine – Issue #002 – hackinthebox.org
The people of Hack In the Box, decided to make the ezine available for free in the continued spirit of HITB in “Keeping Knowledge Free”. - Hakin9 Magazine now FREE in Digital Format – hakin9.org
All you need to do in order to get a new issues each month is subscribe to our newsletter.
Tools:
- Fuzzdb – code.google.com/p/fuzzdb/
A comprehensive set of fuzzing patterns for discovery and attack during highly targeted brute force testing of web applications. - ReFrameworker v1.1 – appsec.co.il
ReFrameworker performs the required steps of runtime manipulation by tampering with the binaries containing the framework’s classes. - Sandcat v4.0 – syhunt.com
Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes. - OWASP Code review Guide v2.7 – codecrawler.codeplex.com
A tool aimed at assisting code review practitioners. - OpenSCAP v0.5.9 – open-scap.org
It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP. - Xplico v0.5.6 – xplico.org
Xplico is an open source Network Forensic Analysis Tool (NFAT). - Security Ninja security tool, more than a sneak preview! – securityninja.co.uk
This idea was inspired by the Application Security Portfolios blog post that Nick Coblentz published in 2009. - Blazentoo – gdssecurity.com
Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. - Skipfish v1.33B – skipfish.googlecode.com
Skipfish is an active web application security reconnaissance tool. - SIP Inspector – sites.google.com/site/sipinspectorsite/
SIP Inspector is a tool written in JAVA to simulate different SIP messages and scenarios. - Aircrack-ng v1.1 – aircrack-ng.org
It implements the standard FMS attack along with some optimizations like KoreK attacks.
Techniques:
- PDF Ownage: It is getting ugly out there – intrepidusgroup.com
he current news is that the Zeus botnet is being used to push a malicious PDF that attempts to abuse /Launch actions. - Stuffing Javascript into DNS names – skullsecurity.org
If you’ve installed nbtool, you may have noticed that, among other programs it comes with, one of them is called dnsxss. - Metasploit Express posts
We will be introducing Metasploit Express, an easy to use security solution that is designed to bring penetration testing capabilities to security professionals everywhere.- Approaching Metasploit 3.4.0 and Metasploit Express – metasploit.com
- Metasploit Express – metasploit.com
- Optimizing John the Ripper’s “Single” Mode for Dictionary Attacks – reusablesec.blogspot.com
I decided to optimize John the Ripper’s “Single” mode word mangling rules for use in normal dictionary based attacks. - Near Real-Time Detection (NRT) – labs.snort.org
Today’s client side attack threats represent a boon for the attacker in ways to obfuscate, evade, and hide their attacks methods. - A New Detection Framework – vrt-sourcefire.blogspot.com
I worked on deep parsing and detection on PDF files and Patrick worked on ways to provide me the full file data. - OWASP NYNJMetro – Pentesting Adobe Flex Applications – gdssecurity.com
I’ve uploaded my slides from the presentation I gave last week at the OWASP NYC Chapter on Pentesting Adobe Flex Applications. - Black Hat Presentation: Abusing Adobe PDF Reader memory management – fortinet.com
The slides include a real-world case study, involving a “former-zero-day” vulnerability (CVE-2010-1241, previously CVE-2010-2000). - Optimizing JtR’s Single Mode Follow Up – reusablesec.blogspot.com
One of my concerns though has always been over-training my password cracking techniques. - Manual Verification of SSL/TLS Certificate Trust Chains using Openssl – sans.org
Firefox 3.6.3 (the latest available version) displayed a digital certificate error when accessing the ISC login page through SSL/TLS. - Using Meterpreter to control netcat and third party exploits – pauldotcom.com
Metasploit has A LOT of exploits, but from time to time you will very likely need to use exploits that are not part of the framework.
Vulnerabilities:
- Security gone awry: IE 8 XSS filter exposes sites to XSS attacks – zdnet.com
The cross-site scripting filter on Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites otherwise be immune to this threat. - McAfee security breach causes chaos for users
McAfee’s “DAT” file version 5958 is causing widespread problems with Windows XP SP3.- How to fix the McAfee SVCHOST crash from the virus definition update – brianseekford.com
- McAfee DAT 5958 Update Issues – sans.org
- How McAfee turned a Disaster Exercise Into a REAL Learning Experience… – sans.org
- A Long Day at McAfee – mcafee.com
Vendor/Software Patches:
- PayPal Patches Critical Security Vulnerabilities – darknet.org.uk
A security researcher has uncovered multiple vulnerabilities affecting PayPal, the most critical of which could have enabled attackers to access PayPal’s business and premier reports back-end system.
Other News:
- WebOS hacked thru SMS
Security researchers have hacked into Palm’s new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities.- Palm Pwned: Researchers Hack WebOS With Text Messages – threatpost.com
- Palm’s WebOS hacked via SMS message – neowin.net
- Network Solutions mass hack attack revealed
Network Solutions’ security team is battling a mysterious attack that has silently infected a “huge” number of the websites it hosts with malicious code.- Network Solutions customers hit by mass hack attack – theregister.co.uk
- corpadsinc.com redirecting Network Solutions customers again – stopmalvertising.com
- Network Solutions sites hacked again – computerworld.com
- We feel your pain and are working hard to fix this – networksolutions.com
- Network Solutions Again Under Siege – krebsonsecurity.com
- Network Solutions Cleaning Up After Second Round Of Attacks – darkreading.com
- Truth in Caller ID Act posts
The bill aims to prevent misrepresentation of the called-from number on voice calls through any channel.- House Passes Bill Outlawing Caller-ID Spoofing – ecommercetimes.com
- Caller ID Spoofing Ban is Bad for Business – pcworld.com
- Follow up stories about the Google hack last December
The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December.- Cyberattack on Google Said to Hit Password System – nytimes.com
- Google CEO: ‘We’re now paranoid’ about security – cnet.com
- Mozilla Disables Insecure Java Plugin in Firefox – krebsonsecurity.com
Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a Java security hole. - Second-hand photocopiers might be carrying sensitive information on your company
Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.- Digital Photocopiers Loaded With Secrets – cbsnews.com
- Health Insurer Notifies More Than 409,000 Of Potential Breach – darkreading.com
- Stored images on photocopiers a security risk – h-online.com
- PasswordCard Hides Mentally Encrypted Passwords in Your Wallet – lifehacker.com
The PasswordCard itself is printed in color, and has different symbols heading each column, and a different color for each row. - Gmail accounts hit by spammers
Google is investigating a growing number of reports that hackers are breaking into legitimate Gmail accounts and then using them to send spam messages.- Drug-dealing Spammers Hit Gmail Accounts – pcworld.com
- Checking if your Gmail has been breached – google.com
- Dmitry Naskovets of CallService.biz, Meet the FBI – garwarner.blogspot.com
When the FBI designed to take over the management of the CallService.biz website, they did a little relocation first. - Microsoft Recommends NoScript – hackademix.net
The technical core of this research is very worth reading, if you’re interested in XSS attack and defense techniques. - Someone might be able to hack into your cellphone privacy
The first part of the operation involves getting a target’s cell phone number from a public database that links names to numbers for caller ID purposes. - Why Employees Break Security Policy (And What You Can Do About It) – darkreading.com
Companies that monitor network behavior say many employees still break rules in order to get their jobs done. - Researcher Demonstrates How To Counterattack Against A Targeted Attack – darkreading.com
Proof-of-concept turns the tables on attackers who wage targeted attacks on enterprises. - Hundreds of high profile sites unprotected from domain hijacking – zdnet.com
A MarkMonitor review shows that less than 10% of the top 300 most highly trafficked sites were protected using it. - Local computer security expert investigates police practices – seattlepi.com
Rachner discovered through sleuthing that police had withheld video-recorded evidence in his case. - Can America win a cyberwar – newsweek.com
The United States economy depends on the Internet more than any other developed country in the world. - Blippy Reveals Credit Card Numbers On Google – gizmodo.com
It’s a huge, huge privacy concern, and if you have a Blippy account I’d recommend taking immediate action. - HP researchers propose human-centric web app security tests – searchsecurity.techtarget.com.au
Two application security experts are working on a way to improve the testing of Web applications by incorporating application data flow maps. - Microsoft pulls faulty patch, plans re-release – cnet.com
A patch for the hole, which could allow an attacker to take control of a system, was released during Patch Tuesday last week. - Facebook hacker claims to be in NZ – nzherald.co.nz
A Russian hacker who says he is living in New Zealand attempted to sell the login details of millions of Facebook users. - Peeking Into Users’ Web History – technologyreview.com
A team of European researchers found that they were able to hijack Google’s personalized search suggestions to reconstruct users’ Web search histories. - Facebook checked out, 1.5 million accounts overdue for password changes? – eset.com
It remains to be seen if so many accounts have indeed been breached or if Kirllos the criminal hacker is perhaps running an audacious scam on fellow fraudsters. - A New Law Could Change the Way You Build Database Applications – sqlmag.com
Massachusetts recently passed a sweeping new data security law that will have a profound impact on the way the United States manages and develops data-centric applications.
Tags: Black Hat Europe, Hack in the Box, HITB, Security BSides
