
    Week 42 in Review – 2010

    Published: October 25th, 2010 | Category: Local Meetings, Security Conferences, Security Tools, Security Training, Security Vulnerabilities, Security Workshops

    Events Related:

    • Save the date: 23 & 24 Sept 2011 – brucon.org
      For those who like to plan ahead, keep Friday and Saturday 23 & 24 September 2011 free.
    • BSidesOttawa Schedule Confirmed! – andrewhay.ca
      BSides Ottawa is fast approaching and today we can share the schedule of superb talks that cover a broad spectrum of Information Security subjects.
    • WACCI Digital Forensics (Part 2) – sans.org
      The day began with a light breakfast followed by a few conference announcements. There were to be no keynote speeches that day, so next up were the breakout sessions.

    Resources:

    • CIS Apple iPhone Benchmark v.1.2.0 – cisecurity.org
      This document, Security Configuration Benchmark for Apple iOS 4.1.0, provides prescriptive guidance for establishing a secure configuration posture for the Apple iOS version 4.1.0.
    • Free Online Course & Downloads – benchmarkdevelopment.mitre.org
      The PowerPoint briefing slides below are used in MITRE’s E-Learning Benchmark Development Course.
    • Verizon PCI Report is Out – chuvakin.blogspot.com
      Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
    • Cross-site scripting explained (video) – itsecuritylab.eu
      Actually it’s a live scenario of persistent XSS exploitation, so may be quite interesting for you to watch as well.
    • DEF CON 18 Talks – Video is Live! – djtechnocrat.blogspot.com
      DEF CON 18 talks with the speaker video and slides have been processed and posted.
    • The Open Checklist Interactive Language (OCIL) – scap.nist.gov
      The Open Checklist Interactive Language (OCIL) defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions.
    • Security Checklists – disa.mil
      STIGs, and checklists

    Tools:

    Techniques:

    • Java DNS Rebinding + Java Same IP Policy = The Internet Mayhem – mindedsecurity.com
      Consider the following points: Java DNS Rebinding: an attacker can point a controlled host to any IP of the web. Java applet same IP Host access: an attacker can read the response of any host which points to the same IP the applet originates.
    • Adobe Shockwave player rcsL – exploit-db.com
      There is a 4-byte value in the undocumented rcsL chunk in our sample Director movie, and it may be possible to find similar rcsL chunks in other Director samples.
    • Upstream Attacks from Distributed Devices – digitalbond.com
      Control4 doesn’t necessarily fall into the category of a device that has upstream connectivity but there are some parallels about the device design that I think are going to present some security challenges for those that do need to communicate back to the local utility company.
    • Cracking 14 Character Complex Passwords in 5 Seconds – cyberarms.wordpress.com
      One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex passwords in under 5.3 seconds.
    • Decoding Javascript Hex Encoding – securityonion.blogspot.com
      So how does it work? “xxd -r -p” converts from hex to ASCII, but it’s expecting the hex digits to be space delimited.
    • [0Day] Moxa MDM Tool 2.1 Buffer Overflow – reversemode.com
      The 0day I’m releasing today took exactly 2 minutes to find. Any decent code review or blackbox pentest would have uncovered it, so I assume it didn’t happen before releasing the product.
    • In Memory Fuzzing – corelan.be
      In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as max connections, built-in IDS or flooding protection; and encrypted or unknown (poorly documented) protocols, in order to fuzz the actual underlying assembly routines that are potentially vulnerable.
    • How to Add XSSF to Metasploit Framework? – pentestit.com
      It contains some interesting payloads (if we may call it!) – .pdfs that exploit different vulnerabilities to launch cmd.exe on unpatched systems, JAVA vulns and clones of GMail and Facebook.
    • Integrating Hydra with Nessus Video – tenablesecurity.com
      When installing Hydra on Ubuntu-based systems, here are a few tips to get all of the modules working properly.
    • PDF RCE et al. (CVE-2010-3625, CVE-2010-0191, CVE-2010-0045) – xs-sniper.com
      Naturally, when a string that looks like URI is encountered one of the first things that’s attempted is to point the URI value to a file:// location and observe whether the local file is opened.
    • Analysis of multiple exploits – zscaler.com
      The JavaScript code is heavily obfuscated. It cannot be de-obfuscated by a simple copy-paste of the code into Malzilla, some of the decoding has to be done by hand.
    • Checking for user-agent header SQL injection vulns – holisticinfosec.blogspot.com
      As I analyze various web applications in the name of fun or fortune, I am sometimes treated to those little reminders that result in a “doh!”.
    • PenTestIT Post Of The Day: Automated detection of CSRF-worthy HTML forms through 4-pass reverse-Diff analysis! – pentestit.com
      In general, the majority of vulnerability detection techniques depend on fairly simple injections of strings and subsequent blind pattern matching of the body of the induced HTTP response.
    • Peach + someawesome.xml + xml.XmlAnalyzer == Free Pits? – l1pht.com
      Fuzzing is a lazy man’s game.  We’re like toothless hill people, sitting on the porch of our minds in a rocking chair, a shotgun loaded with crackable data resting soundly on our filthy little laps.  Waiting.
    • Malicious USB Devices: Is that an attack vector in your pocket or are you just happy to see me? – irongeek.com
      Programmable HID USB Keyboard Dongle Devices along with detection and mitigation techniques involving GPO (Windows) and UDEV (Linux) settings.
    • Java Applet Same IP Host Access – mindedsecurity.com
      By taking advantage of this design issue, if an attacker can control at least one host on a virtual server pool (by uploading an applet), it will be possible for the attacker to use an applet against a legitimate user and read all information from the other domains on the same IP.
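    As an added example (not from the original post, nor from the Security Onion article linked above under "Decoding Javascript Hex Encoding"), here is a small POSIX shell function that turns a string of JavaScript \xNN escapes back into bytes using the sed and xxd -r -p pipeline that entry describes, plus a printf-based fallback for hosts without xxd. The sample input is constructed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: decode JavaScript "\xNN" hex escapes, the encoding the
# "Decoding Javascript Hex Encoding" entry above deals with.
# Assumptions: POSIX sh with grep -o and sed; xxd is optional (fallback below).

# Constructed sample: the \x-escaped form of  document.write("<script>")
SAMPLE='\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x73\x63\x72\x69\x70\x74\x3e\x22\x29'

# Fallback for systems without xxd: read one hex byte per line from stdin.
# printf '%03o' converts 0xNN to a three-digit octal number, and the outer
# printf prints that octal escape as the corresponding single byte.
hex_lines_to_bytes() {
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        printf "$(printf '\\%03o' "0x$h")"
    done
}

# js_hex_decode STRING -> prints the decoded bytes
js_hex_decode() {
    # 1. grep -o isolates each \xNN escape on its own line, so quotes,
    #    '+' concatenation and other noise in the obfuscated source drop out
    # 2. sed strips the \x prefix, leaving one hex byte per line
    # 3. xxd -r -p (which ignores whitespace between hex digits) or the
    #    fallback converts the hex back to raw bytes
    printf '%s' "$1" \
      | grep -o '\\x[0-9A-Fa-f][0-9A-Fa-f]' \
      | sed 's/^\\x//' \
      | if command -v xxd >/dev/null 2>&1; then xxd -r -p; else hex_lines_to_bytes; fi
}

# Stand-alone run: decode the constructed sample
js_hex_decode "$SAMPLE"
printf '\n'
```

    Feed it the decoded output of the previous layer rather than the whole page when the dropper nests several encodings, and treat the result as data: pipe it into a file or a viewer, never into a JavaScript interpreter on the analysis host. Note that grep -o is a GNU/BSD extension, not strict POSIX.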

    Vulnerabilities:

      Other News:


          © Godai Group 2013