Subscribe to Infosec Events
    Infosec Events Feed Stay up to date with all of the latest security news by subscribing to our RSS Feed. Alternatively, you can have updates sent directly to your email address.

    Recent Articles

    Week 43 in Review – 2010

    Published: November 1st, 2010 | Category: Hacking Contests, Local Meetings, Security Conferences, Security Tools, Security Training, Security Vulnerabilities, Security Workshops, Vendor News

    Events Related:

    Resources:

    • Pentesting with Burp Suite: Taking the Web Back From Automated Scanners – securityaegis.com
      Thanks to everyone at Toorcon who attended our talk: “Pentestng with Burp Suite, Taking the web back from automated scanners”.
    • Hack3rcon 2010 Videos – irongeek.com
      Below are videos of the presentations from Hack3rcon 2010.
    • Nmap Scripting and Pcap Analysis – securityaegis.com
      There were a lot of really great talks at Toorcon and two of my best friends, David Shaw of Redspin and Nate Drier of Spiderlabs were kind enough to send me their video and slides.
    • Hardware Will Cut You (video) – adafruit.com
      The hardware design process is fraught with pitfalls, from library component sketchiness, parts availability, erroneous data sheets, underestimates of complexity and long lead times.
    • pci dss v2.0 released – terminal23.net
      The PCI Council has released PCI DSS v2.0 along with a doc of the changes.
    • Exploitation 101 – cryptocity.net
      This week’s homework is to find and exploit the security vulnerability in homework.exe, which is a simple server very similar to the demo.exe from class.
    • Security Talks – ucla.edu
      A list of security talks at UCLA

    Tools:

    Techniques:

    • More about ATI 6XXX – golubev.com
      It turns out that even Catalyst 10.6 can compile code for mysterious ISA id=15 and resulting disassembly looks very interesting — T unit indeed gone from ATI’s thread processors and XYWZ units now can process instructions they weren’t able to handle before, like 32-bit integer multiplies.
    • ZigBee Lab – digitalbond.com
      We purchased the ETRX3DVKA357 Developers Kit from Telegesis. It contains a number of ZigBee modules, a ZigBee USB adapter, three developer (dev) boards and software.
    • Pentesting with Burp Suite: Taking the Web Back from Automated Scanners http://bit.ly/cl60yJ preso, ty @joelparish & @portswigger – twitter.com@Jhaddix
    • Integrating Nikto with Nessus Video – tenablesecurity.com
      A new video has been uploaded to the Tenable Security YouTube Channel titled, “Integrating Nikto with Nessus”.
    • Analysis of a UDP worm – sensepost.com
      From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low-detection rate.
    • BIOS Password Backdoors in Laptops – dogber1.blogspot.com
      When a laptop is locked with password, a checksum of that password is stored to a sector of the FlashROM – this is a chip on the mainboard of the device which also contains the BIOS and other settings, e.g. memory timings.
    • iPhone, meet Wireshark – Capturing Traffic from Mobile Devices – mudynamics.com
      I wanted to see what the apps on my iPhone do and as I searched around, most of the current methods seem to involve jail-breaking, setting up hubs and access points and other such cumbersome nastiness.
    • Exploitation using publicly available Base64 encode/decode code – zscaler.com
      Recently, we have seen additional malicious JavaScript hosted on one website, using another publicly available Base64 encode/decode scheme.
    • JSREG BYPASSES – thespanner.co.uk
      Another clever trick, the string is placed inside of an array and when the eval function is called it used to check the object type if it was a string then it rewrote the code if not it was assumed to be a already rewritten string however I didn’t expect an array to be used in this context so this would effectively bypass the sandbox

    Vulnerabilities:

    Vendor/Software Patches:

    • Critical Fixes for Shockwave, Firefox – krebsonsecurity.com
      Adobe Systems pushed out a critical security update for its Shockwave Player that fixes nearly a dozen security vulnerabilities.

    Other News:

    • iPhone Jailbreak Tool Sets Stage for Mobile Malware – threatpost.com
      The success of a group of hackers in compromising the security of Apple’s iPhone may set the stage for more malware for the popular handset, including rootkit-style remote monitoring tools and data stealing malware.
    • SCADA Vendors Still Need Security Wake Up Call – threatpost.com
      Speaking at the ToorCon Security Conference in San Diego, Jeremy Brown, a vulnerability researcher at security firm Tenable said that many SCADA software vendors lag far behind other IT firms in vulnerability research and lack even a basic awareness of modern security principles.
    • Researchers hack toys, attack iPhones at ToorCon – cnet.com
      One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched.
    • Report: China hijacked U.S. Internet data – cnet.com
      In several cases, Chinese telecommunications firms have disrupted or impacted U.S. Internet traffic, according to the excerpts.
    • Impact of Artificial “Gummy” Fingers on Fingerprint Systems – cryptome.org
      Potential threats caused by something like real fingers, which are called fake or artificial fingers, should be crucial for authentication based on fingerprint systems.
    • Expert Advises Caution on SCADA Security Hysteria – threatpost.com
      But the concern about spontaneous utility outages and surreptitiously poisoned food supplies are overblown and largely misplaced, an expert says.
    • The Long Tail of Information Security – secmaniac.com
      I wanted to blog about it because the talk itself resonated with me and directly correlates to a previous post on the current state of penetration tests.
    Be Sociable, Share!

      Tags: , ,

      RSS feed | Trackback URI

      Comments »

      No comments yet.

      Name (required)
      E-mail (required - never shown publicly)
      URI
      Your Comment (smaller size | larger size)
      You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> in your comment.

      Trackback responses to this post

        Sponsors
        CanSecWest Applied Security Conference       Bloggers' Rights at EFF
        Categories
        Popular Tags
        Adobe Android AppSec Black Hat blackhat Black Hat USA Black Hat USA 2008 Black Hat USA 2009 Black Hat USA 2012 BruCON BSides Calendar CanSecWest CanSecWest 2008 DeepSec DEFCON DNS Hacker Halted Hack in the Box HITB HOPE IEEE information security iOS ISSA Jeremiah Grossman Microsoft Microsoft Security Bulletin Nmap Oracle OWASP pwn2own RSA RSA Conference RSA Conference 2008 RUXCON SANS Security BSides ShmooCon shmoocon 2010 SyScan The Last HOPE ToorCon USENIX WhatWorks
        Recent Commentators
        Recent Visitors
        Favorite Links
        © Godai Group 2013
        Home - Calendar - Communities - Training - Archives - Contact