Events Related:

  • The UCSB iCTF – uscb.edu
    The UCSB International Capture The Flag (also known as the iCTF) is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants.
  • Another #sectorca has come and gone – anti-virus-rants.blogspot.com
    It just so happens i took quite a few notes this year (pen&paper style – i’m still not taking a computing device to a hacker conference – come on) so i’ve got plenty of material (perhaps too much) to draw from for this post .

Resources:

  • Security Strategy: From Requirements To Reality – slashdot.org
    Anderson’s premise is that security technology needs to take a structured engineering approach to systems design, with detailed requirements and specification from start-up to development and implementation; just as those designing buildings and bridges do.
  • Cloud CERT: Protecting the Next Generation of IT (PDF) – cloudsecurityalliance.org
    Computer Emergency Response Team/Coordination Centers (CERT/CCs) form the cornerstone of coordinated incident response and computer security information sharing for governments and large enterprises around the world.
  • BSidesDE Slide Deck Posted – Hacking Your Way into an Infosec Career – novainfosecportal.com
    The talk wasn’t too technical obviously but I hope it helped a few people take that next step of turning a fun hobby into a life long career.
  • Slides & Code from OWASP Appsec DC Posted – gdssecurity.com
    The slides from the “Unlocking the Toolkit: Attacking Google Web Toolkit” talk I gave at OWASP Appsec DC last week is available for download on the OWASP Appsec DC Wiki Page.
  • @mubix A pdf of the talk : http://bit.ly/aBoMM2 – @purehate_, twitter.com
  • iPhone Forensics white paper – sans.org
    We reviewed 13 different tools and provide our thoughts on each as forensic analysts who regularly analyze smart phones.
  • Phrack Issue 67 – phrack.com
    Notes Concerning The Security, Design and Administration of Siemens DCO-CS, Dynamic Program Analysis and Software Exploitation and more.
  • (IN)SECURE Magazine issue 28 – pentestit.com
    In all 93 pages of security information! We recommend this to all security professionals.
  • Exchanging and sharing of assessment results – sans.org
    The sharing of pentest information can create a huge debate, just how much do you want to share?
  • CSO: Designing a Pragmatic Pen Testing Program – coresecurity.com
    It’s true, many consultants and experienced testers fail to overlook this fact that an efficient, useful pen test is one where almost as much work is done in planning, and afterwards in presenting results, as is done during the testing itself.

Tools:

  • NiX – Linux Brute Force 1.0.3 update has been released – seclists.org
    To those who want to ask, does it outperform Hydra? Yes it does,especially in basic auth and form mode.
  • Wireshark 1.4.2 and 1.2.13 Released – wireshark.org
    Vulnerabilities in the LDSS and ZigBee ZCL dissectors have been fixed.
  • Phreebird Suite v1.02 – pentestit.com
    Phreebird is a DNSSEC proxy that operates in front of an existing DNS server (BIND, Unbound, PowerDNS, Microsoft DNS, QIP) and supplements its records with DNSSEC responses.
  • Social Engineering Ninja v0.3 – pentestit.com
    S-E Ninja is a Social Engineering tool, with 20-25 popular sites fake pages and anonymous mailer via mail() function in PHP. It is a Phishing Web Application Written in PHP,XHTML,CSS,JS.
  • CUDA Multiforcer v0.72 – pentestit.com
    The Cryptohaze Multiforcer or the CUDA Multiforcer, is a high performance multihash brute forcer with support for per-position character sets, and very good performance scaling when dealing with large hash lists.
  • OWASPBWA v0.92rc2 – pentestit.com
    Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products.
  • skipfish – code.google.com/p/skipfish/
    A fully automated, active web application security reconnaissance tool
  • Agnitio v1.0.0 released today – securityninja.co.uk
    I decided to give the code review tool and facelift and a proper name before I completed anymore coding. I’m glad I did this because I can forget about the GUI design now and just focus on functionality.
  • Metasploit: Now with more commercial-grade-y-ness – metasploit.com
    A huge benefit of the commercial products is that we now have the resources to provide QA’d snapshots (see below).
  • FOCA Free 2.5.6 – informatica64.com/foca/
    FOCA, which stands for “Fingerprinting Organization with Collected Archives” is an automated tool for downloading documents published in websites, extracting metadata and analyzing data.
  • Nikto_2 – Revision 568: /trunk – assembla.com
    Nikto SVN version
  • DarunGrim: A Patch Analysis and Binary Diffing Tool – darungrim.org
    DarunGrim is a free diffing tool which provides binary diffing functionality.
  • SECmic v4.04 – pentestit.com
    Secmic is a Kubuntu based live security distribution that may be used by security professionals or for educational purposes.

Techniques:

Vulnerabilities:

Vendor/Software Patches:

Other News: