Events Related:

Resources:

  • Pentesting with Burp Suite: Taking the Web Back From Automated Scanners – securityaegis.com
    Thanks to everyone at Toorcon who attended our talk: “Pentestng with Burp Suite, Taking the web back from automated scanners”.
  • Hack3rcon 2010 Videos – irongeek.com
    Below are videos of the presentations from Hack3rcon 2010.
  • Nmap Scripting and Pcap Analysis – securityaegis.com
    There were a lot of really great talks at Toorcon and two of my best friends, David Shaw of Redspin and Nate Drier of Spiderlabs were kind enough to send me their video and slides.
  • Hardware Will Cut You (video) – adafruit.com
    The hardware design process is fraught with pitfalls, from library component sketchiness, parts availability, erroneous data sheets, underestimates of complexity and long lead times.
  • pci dss v2.0 released – terminal23.net
    The PCI Council has released PCI DSS v2.0 along with a doc of the changes.
  • Exploitation 101 – cryptocity.net
    This week’s homework is to find and exploit the security vulnerability in homework.exe, which is a simple server very similar to the demo.exe from class.
  • Security Talks – ucla.edu
    A list of security talks at UCLA

Tools:

Techniques:

  • More about ATI 6XXX – golubev.com
    It turns out that even Catalyst 10.6 can compile code for mysterious ISA id=15 and resulting disassembly looks very interesting — T unit indeed gone from ATI’s thread processors and XYWZ units now can process instructions they weren’t able to handle before, like 32-bit integer multiplies.
  • ZigBee Lab – digitalbond.com
    We purchased the ETRX3DVKA357 Developers Kit from Telegesis. It contains a number of ZigBee modules, a ZigBee USB adapter, three developer (dev) boards and software.
  • Pentesting with Burp Suite: Taking the Web Back from Automated Scanners http://bit.ly/cl60yJ preso, ty @joelparish & @portswigger – twitter.com@Jhaddix
  • Integrating Nikto with Nessus Video – tenablesecurity.com
    A new video has been uploaded to the Tenable Security YouTube Channel titled, “Integrating Nikto with Nessus”.
  • Analysis of a UDP worm – sensepost.com
    From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low-detection rate.
  • BIOS Password Backdoors in Laptops – dogber1.blogspot.com
    When a laptop is locked with password, a checksum of that password is stored to a sector of the FlashROM – this is a chip on the mainboard of the device which also contains the BIOS and other settings, e.g. memory timings.
  • iPhone, meet Wireshark – Capturing Traffic from Mobile Devices – mudynamics.com
    I wanted to see what the apps on my iPhone do and as I searched around, most of the current methods seem to involve jail-breaking, setting up hubs and access points and other such cumbersome nastiness.
  • Exploitation using publicly available Base64 encode/decode code – zscaler.com
    Recently, we have seen additional malicious JavaScript hosted on one website, using another publicly available Base64 encode/decode scheme.
  • JSREG BYPASSES – thespanner.co.uk
    Another clever trick, the string is placed inside of an array and when the eval function is called it used to check the object type if it was a string then it rewrote the code if not it was assumed to be a already rewritten string however I didn’t expect an array to be used in this context so this would effectively bypass the sandbox

Vulnerabilities:

Vendor/Software Patches:

  • Critical Fixes for Shockwave, Firefox – krebsonsecurity.com
    Adobe Systems pushed out a critical security update for its Shockwave Player that fixes nearly a dozen security vulnerabilities.

Other News:

  • iPhone Jailbreak Tool Sets Stage for Mobile Malware – threatpost.com
    The success of a group of hackers in compromising the security of Apple’s iPhone may set the stage for more malware for the popular handset, including rootkit-style remote monitoring tools and data stealing malware.
  • SCADA Vendors Still Need Security Wake Up Call – threatpost.com
    Speaking at the ToorCon Security Conference in San Diego, Jeremy Brown, a vulnerability researcher at security firm Tenable said that many SCADA software vendors lag far behind other IT firms in vulnerability research and lack even a basic awareness of modern security principles.
  • Researchers hack toys, attack iPhones at ToorCon – cnet.com
    One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched.
  • Report: China hijacked U.S. Internet data – cnet.com
    In several cases, Chinese telecommunications firms have disrupted or impacted U.S. Internet traffic, according to the excerpts.
  • Impact of Artificial “Gummy” Fingers on Fingerprint Systems – cryptome.org
    Potential threats caused by something like real fingers, which are called fake or artificial fingers, should be crucial for authentication based on fingerprint systems.
  • Expert Advises Caution on SCADA Security Hysteria – threatpost.com
    But the concern about spontaneous utility outages and surreptitiously poisoned food supplies are overblown and largely misplaced, an expert says.
  • The Long Tail of Information Security – secmaniac.com
    I wanted to blog about it because the talk itself resonated with me and directly correlates to a previous post on the current state of penetration tests.