Events Related:

Resources:

Tools:

  • w3af: Better, Stronger, Faster – blog.rapid7.com
    By downloading this release you’ll be able to enjoy new vulnerability checks, more stable code and a about 15% performance boost in the overall speed of your scan.
  • R-U-Dead-Yet version 2.2 – chaptersinwebsecurity.blogspot.com
    I forgot the fact that people develop hunger for features and bug fixes even when software is open-source and free. Oh well, I guess that’s a responsibility that comes with the will to satisfy your end users.
  • AutoDiff Online – marcoramilli.blogspot.com
    AutoDiff is a project which performs automated binary differential analysis between two executable files.
  • MS Attack Surface Analyzer Release
    Microsoft unveiled a new tool this week in conjunction with the Blackhat DC conference — the Attack Surface Analyzer.

Techniques:

  • Who’s who of bad password practices – troyhunt.com
    But what happens when the website won’t allow you to create a secure password? Or at least when they severely constrain your ability to create long, random, unique passwords?
  • Share your nmap parameters! – reddit.com
    What parameters do you usually use in your nmap scans? Any interesting combinations? I usually go with: nmap -v -A -p1-65535 -O2 -T4 ipaddress
  • Quickpost: Checking ASLR – blog.didierstevens.com
    Some people asked me for a simple way to check shell extensions for their ASLR support. You can do this with Process Explorer.
  • Finding AES keys - jessekornblum.livejournal.com
    Today I’m publishing a little utility to search for AES keys. It was originally intended for searching memory images, but you can use it to search anything really.
  • How To Crack Just About Any Mac App – lifehacker.com
    By walking through how I can hack your app with only one Terminal shell, I hope to shed some light on how this is most commonly done, and hopefully convince you to protect yourself against me.
  • Episode 266 – pauldotcom.com
    PaulDotCom Security Weekly – Episode 226 – for Thursday January 13th, 2011.
  • Return of the Sprayer - h-online.com
    If they jumped to code injected onto the stack or heap, “just like in the good old days”, data execution prevention (DEP) would trigger an interrupt and the system would terminate the carefully pwned process before it could cause any damage.
  • Exploit in the wild for MS06-014 – research.zscaler.com
    Although 0day vulnerabilities receive all the attention, it’s not unusual to see attackers still taking advantage of old vulnerabilities to attack end users
  • Unrestricted File Download V1.0 – soroush.secproject.com
    I do not want to talk about Insecure Direct Object References without any protection as they are obviously exploitable; Instead, I want to talk about bypassing the protected ones!
  • Exploiting Smartphone-USB connectivity for fun and profit - docs.google.com
    Unfortunately, these new capabilities  coupled with the inherent trust users place on the USB physical connectivity and the lack of any protection mechanisms render the USb an insecure link, prone to exploitation.
  • Mobile Device Security and Android File Disclosure – blog.metasploit.com
    Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, but yet it’s still fairly serious.

Vulnerabilities:

Vendor/Software Patches:

Other News:

  • Keyless cars vulnerable to hack, theft - cnet.com
    Keyless car entry and start systems make it easy to get on the road, but they could also make it easier for criminals to take off with your car. And strong encryption won’t solve the problem.
  • Stuxnet vs. Iran nuclear enrichment
    Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload.

  • ATM Skimmers, Up Close – krebsonsecurity.com
    Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers.
  • Coming soon: a new way to hack into your smartphone - itworld.com
    More than three years after the iPhone was first hacked, computer security experts think they’ve found a whole new way to break into mobile phones — one that could become a big headache for Apple, or for smartphone makers using Google’s Android software.
  • Two Charged in AT&T hack of iPad Customer Data - wired.com
    Two suspects have been charged with federal crimes for allegedly hacking AT&T’s website last year to obtain the personal data of more than 100,000 iPad owners.
  • Why you should always encrypt your smartphone – arstechnica.com
    Last week, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF), holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant.
  • Hacking with USBs
    Two researchers have figured out a way to attack laptops and smartphones through an innocent-looking USB cable.

  • Online banking trojan developing fast – h-online.com
    Trojan construction kit Carberp, which first emerged in the autumn, appears to be undergoing rapid development, according to reports from sources that include security services provider Seculert.
  • Android Trojan captures credit card details – thinq.co.uk
    The team, comprised of Roman Schlegel from the City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and Xiao Feng Wang from the Indiana University Bloomington, call their creation ‘Soundminer’ – and its implications are far-reaching.