Week 26 in Review 2010

Published: July 4th, 2010 | Category: Hacking Contests, Security Conferences, Security Tools, Security Training, Vendor News

Events Related:

  • Third SHB Workshop –
    This is a two-day gathering of computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others.
  • HiTB News
    HiTB has been organizing conferences for a while in Dubai and Kuala Lumpur, but this is the first time that an event is held in Europe and not too far from Belgium.

  • Notes from OWASP Bay Area Security Summit –
    However the portion on dynamic identification and quarantine of malicious scripts was very interesting.
  • Hacking the Next Hope Badge –
    The following are some notes that will help enterprising neighbors to hack these badges, which will be running an MSP430 port of the OpenBeacon firmware.


  • Comparing web application scanners, part 2 –
    Scanners were scored based on their ability to identify different types of vulnerabilities in different scanning modes.
  • Cisco IOS Auditing –
    Earlier this month Tenable released a new policy compliance plugin for Nessus that allows auditing of Cisco router and switch configuration.
  • Third-Party Web Widget Security FAQ –
    Millions of websites such as online news, blogs, e-commerce, banks, webmail, social networking and more utilize third-party hosted content on their webpages in the form of JavaScript, Adobe Flash, Microsoft Silverlight, HTML IFrames, and images.
  • SecurityActs IT security e-zine issue 3 –
    If you’re looking for a new security-related e-zine to read, check out SecurityActs.
  • New AMTSO guidelines –
    Anti-Malware Testing Standards Organization (AMTSO), which F-Secure is a member of, had a meeting in Helsinki in May.


  • BackTrack
    BackTrack started as a personal side project well over 5 years ago and by now has been downloaded over 5 million times.

  • Autoruns and Dead Computer Forensics –
    It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon.
  • Netsparker Community Edition Released –
    There are not many new features in Community Edition but this release addresses the most common issues and includes several improvements.
  • Skipfish 1.46beta –
    A fully automated, active web application security reconnaissance tool.
  • FxCop – .NET Framework Security Analysis Tool –
    FxCop is an application that analyzes managed code assemblies.
  • bsqlbf v. 2.6 –
    The new addition is the execution of any metasploit payload after executing OS code against Oracle database server by exploiting SQL Injection from web apps.
  • upSploit – Press Release –
    This Vulnerability Advisory Gateway (VAG) should break down the barriers for security researchers and professionals to pass details of vulnerabilities to vendors in a structured easy to follow process.
  • SandKit –
    SandKit is a toolset that is intended to assist with the investigation of Sandbox technologies.
  • IDA Pro 5.7 highlights –
    We released IDA Pro 5.7 a few days ago.
  • WinPcap –
    The latest stable WinPcap version is 4.1.2.
  • ostinato 0.1.1 –
    Ostinato is an open-source, cross-platform packet/traffic generator and analyzer with a friendly GUI.


  • Got database access? Own the network! –
    The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in the real world.
  • SSL gives point-to-point, not end-to-end security –
    SSL provides good point-to-point privacy and integrity protection. However, there is no guarantee to upper layers that SSL is indeed in use.
  • HCP Vulnerability Exploited in the Wild –
    This vulnerability disclosure has fueled an intense debate amongst security professionals on responsible disclosure, as the Google researcher only allowed Microsoft 5 days before going public with the flaw details.
  • The curious case of JBoss Hacking –
    It is not so rare to see JBoss where the jmx-console is not password protected.
  • Linux buffer overflow II –
    In the first edition of my tutorial, I explained a buffer overflow with a 400-byte buffer.
  • Set Wallpaper Meterpreter Script –
    Certainly nothing to fuss over, but I’ve had a fascination with setting my target’s wallpaper as sort of a calling card for years now.
  • Vulnerability Assessment Testing Automation Part I –
    In my SANSFire presentation I described how and why to automate parts of the security testing process.
  • V3rity has released a redo log mining tool to extract DDL from redo logs –
    V3rity is the new company founded by David Litchfield in March 2010 since he left NGS and until recently his site had little on it.
  • Full-Disclosure, Our Turn –
    No Web applications, no forms, no log-in, no user-supplied input where XSS can hide.
  • Social Security Number Format –
    First, for those of you who live under a rock, or across the pond, a social security number is in the format of xxx-xx-xxxx.
  • CSRF flaws that pack a punch –
    A year after DEFCON 17, cross-site request forgery (still one of my favorite bugs) continues to present itself in some mighty interesting places.
  • Wifi Security Slides –
    There are a few canned video demos in the PPT version that are obviously not in the PDF version and the PPT version contains copious notes, not found in the PDF.
  • Memory acquisition and the pagefile(s) –
    The easiest way to do this with Memoryze is to use the MemoryDD.bat script from the command line or to use the UI, Audit Viewer.
  • sqlmap and SOAP based web services –
    Last week a sqlmap user, Chilik Tamir, provided me with a patch to add basic support for SOAP based requests to the tool.
  • Lessons from criminals – Good passwords matter –
    Unless this is an elaborate public relations stunt, it appears the integrity of AES-256 as a military-grade encryption standard has been proven in a rather public way.
  • more with rpcclient –
    Got asked to help remotely locate local admins on boxes on a network.
  • You want the BlackBerry Event Log? beg damnit! –
    If I succeeded at understanding this topic, I would be able to directly connect to a BlackBerry device and collect all the information that I wanted.
  • Twitter updates
    • Looks like it’s possible to infinitely brute force Windows passwords without hitting lockout policy using “Change Passwd” Is that old news? – ax0n
    • Arduino + MetaSploit + USB wireless presenter dongle == VNC remote access on the box. – hdmoore
    • @ax0n you have to be authenticated to the domain to access the SAM function though right? Once you have an account, it works – hdmoore
  • How to write shellcode –
    I had previously written an article about buffer overflows; it is time I wrote an article on how to write shellcode.
  • Secunia Survey of DEP and ASLR –
    At the FIRST conference last month, Dave Aitel said something to the effect that DEP and ASLR are the only two noteworthy technologies produced by Microsoft since starting their security initiative.
  • Hacking wireless presenters with an Arduino and Metasploit –
    Someone in the audience can control the slides and can send any keystroke you want to the victim, as if they were sitting at the keyboard.
  • CiscoWorks TFTP directory traversal exploit –
    So far I have not seen any details published so I decided to see if I could find the bug.

Vendor/Software Patches:

Other News:
