Events Related

Resources

  • Recon 2011 Hardware Stuff for Software People – archive.org/details/HardwareStuffForSoftwarePeople
    This talk will be an introduction to doing “hardware stuff” stuff, for people accustomed to plying their trade against software. I will discuss how to build tools (and use existing tools) to sniff/spy on a variety of hardware communications channels from UART Serial (the kind in your computer) to the very ubiquitous SPI/I2C serial busses used in virtual everything (from EEPROM in your portable DVD player to the HDMI/VGA cables between your computer and monitor).
  • Welcome to WS-Attacks.org! – clawslab.nds.rub.de
    WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today’s web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.
  • GFIRST 2011 Presentation Slides, Code, and Thoughts – chrissanders.org
    I’m sitting in my hotel room after just finishing my last session at US-CERT GFIRST in Nashville, TN. This was my first time at GFIRST both as an attendee and presenter, and I really had a great time. Where I’m originally from in Kentucky isn’t too far from Nashville so I am familiar with the area and the venue choice, the Gaylord Opryland Hotel, is a beautiful facility and top-notch for this kind of conference.

Tools

  • UPDATE: BeEF v0.4.2.8-alpha! – code.google.com/p/beef/downloads/list
    BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which exploit and at which target.
  • Oracle query support in Nmap – cqure.net
    I’ve just committed an updated version of the TNS library to Nmap, adding support for running Oracle database queries from Nmap scripts. I’ve put a considerable amount of work into trying to understand how the protocol works, due to the lack of documentation, and think that I’ve finally succeeded.
  • I’ve ported mbenum to Nmap – cqure.net
    Thank’s to some great effort put into the smb libraries by the folks over at nmap-dev, porting mbenum to Nmap wasn’t as hard as I’ve imagined. A first version has been committed to subversion a while ago but I forgot to publish this blog post at the time. Feel free to try it out! If you haven’t used mbenum before it’s a tool that allows you to get a good picture of a network by querying a single system.
  • MoonSols Dumpit released…for free! – isc.sans.edu
    The people over at MoonSols have made their amazing one-click memory dump tool Dumpit available for free download. Dumpit vastly simplifies memory acquisition. Effectively Dumpit combines win32dd and win64dd into one tool and is so simple to use even a non-technical user could do acquisition from a USB key. The dump can then be analyzed using conventional tools such as Redline or Volatility.
  • FireCat 2.0 Released – firecat.fr/download.html
    FireCAT: Firefox Catalog of Auditing exTensions version 2.0 has just been released. It contains 90 addons divided in 7 categories further subdivided in 19 sub-categories. A new Protection subcategory (in Misc) has been added to protect Navigation with TrackMeNot, NoScript, cookieSafe, TrackerBlock and Adblock Plus.
  • Kinectasploit – Metasploit Hacking using Kinect in Blender 3D Environment – kinect.dashhacks.com
    The idea is to hack into your own systems while in a 3D, first person shooter style environment that interfaces with the Kinect sensor. The game engine was built using blender and looks to be one of the most pleasing ways of uncovering your own systems architectural/networking vulnerabilities.
  • Wfuzz 2.0 released! – edge-security.blogspot.com
    After Christian presentation at BlackHat/2011 Tools Arsenal, I’m pleased to announce  a new version of WFuzz! It is now more flexible, dynamic and extensible than ever! Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections, bruteforce Forms parameters (User/Password), Fuzzing,etc.

Vendor/Software Patches

Vulnerabilities

Other News

  • GPRS Hack
    A cryptographer has devised a way to monitor cellphone conversations by exploiting security weaknesses in the technology that forms the backbone used by most mobile operators.
  • Security Flaws In Feds’ Radios Make For Easy Eavesdropping – blogs.wsj.com
    While studying the technology, researchers from the University of Pennsylvania overheard conversations that included descriptions of undercover agents and confidential informants, plans for forthcoming arrests and information on the technology used in surveillance operations.
  • Office equipment open to hacker attacks – usatoday.com
    Researchers from Web security firm Zscaler ran a simple search and easily located 118,194 Hewlett-Packard printer-scanners, 9,431 Cannon photocopiers and 3,554 D-Link webcams equipped as Internet-connected Web servers.
  • Hacking Water Meters Is Easier Than It Should Be – venturebeat.com
    The smarter water meters become, the easier they’re getting to hack. Like many things in electronics, water meters become easier for hackers to break into and misuse when they are upgraded to include wireless and computer technology.
  • Fuzzing at Google – googleonlinesecurity.blogspot.com
    One of the exciting things about working on security at Google is that you have a lot of compute horsepower available if you need it. This is very useful if you’re looking to fuzz something, and especially if you’re going to use modern fuzzing techniques.
  • Attacks on open-source web apps growing – theregister.co.uk
    An attack targeting sites running unpatched versions of the osCommerce web application kept growing virally this week, more than three weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users.