Events Related

Resources

  • Cisco Live links - grutz.jingojango.net/CiscoLive/
  • Windows 7 STIGS - iase.disa.mil
    Some versions of the STIGs exclude IAVM information. IAVM information is in the FOUO version available in the PKI-protected copy of the file. Thank you!
  • Post Exploitation With WCE Presentation – hexale.blogspot.com
    This presentation describes the techniques WCE brings to penetration testers and how these can be used in different scenarios. Although originally targeted to college students studying information security, you might find useful information you didn’t know about even if you are an experienced user of WCE or penetration tester.
  • /r/netsec’s Q3 Information Security Hiring Thread - reddit.com/r/netsec/comments/jn89s/rnetsecs_q3_information_security_hiring_thread/
    While we normally remove individual job listings when they are posted, a lot of you have asked for an opportunity to hire from the /r/netsec userbase. So if you have open positions at your company for information security professionals and would like to hire a fellow Redditor, please leave a comment with any open job listings at your company.

Tools

  • UPDATE: The Harvester v2.1 BlackHat Edition! – code.google.com/p/theharvester/downloads/list
    theHarvester is a tool for gathering e-mail accounts, subdomain names,virtual hosts, open ports/ banners, and employee names from different public sources (search engines, pgp key servers).This tools is intended to help Penetration testers in the early stages of the project It’s a really simple tool, but very effective.

Techniques

  • LDAP injection CN/SN/UID/Mail Atack Payloads – zeroknock.blogspot.com
    LDAP injections are detected very less as compared to XSS attacks. However, every injection is critical from security point of view. Recently I came across one of the biggest educational university that has implemented LDAP for its directory services.
  • SSL MITM with an inserted CA and a DNS attack – seventhoctober.com
    Alright, so it’s time for my bi-annual blog post. The topic of this post is nothing new or shocking or deeply hi tech, but it’s cool and fun. Although I hear the dangers of trusting a fake certificate authority and the horrors of DNS spoofing talked about all the time, I almost never hear anyone talk about real ways to actually abuse them.
  • PDD Pocket Damp Decode - lovemytool.com
    PDD is an open source program by Srivats.
  • Dropbox for Android Vulnerability Program – intrepidusgroup.com
    Dropbox vulnerabilities are back and they’re mobile. This week Tyrone Erasmus released a vulnerability in the Android Dropbox client that allows other apps to access its content database allowing attackers to upload your files to the public. I wanted to break down this vulnerability because the lessons learned aren’t that Dropbox is vulnerable, it’s that bad Android programming practices are happening everywhere.
  • Exploiting a tricky SQL injection with SQL map – pentestmonkey.net
    Like many pentesters, I’m a fan of sqlmap.  It’s often the first and last tool I reach for when exploiting boolean or time-based SQL injection vulnerabilities. I wanted to briefly document a slightly tricky SQL injection issue I encountered recently and a few of the sqlmap features that impressed me most.

Vulnerabilities

  • AES proved vulnerable by Microsoft Researchers – computerworld.com
    Researchers from Microsoft and Belgian Katholieke Universiteit Leuven have discovered a way to break the widely used Advanced Encryption Standard (AES), the encryption algorithm used to secure most all online transactions and wireless communications.

Other News

  • Juicejacking: An Introduction
    As close criminal relations, you’ll also have heard of carjacking, shipjacking and truckjacking. You’ll probably also have heard of analogous computer-related mischief, such as sidejacking, sheepjacking, pagejacking and clickjacking. Well, now there’s a new one. Juicejacking.
  • GAO Calls Out FDIC For Lax Infosecurity Tools - threatpost.com
    A GAO report called the government corporation out for neglecting to use strong passwords, review user access and encrypt sensitive financial information. The report raises serious questions about the security of a key government regulatory body amidst reports of sophisticated attacks aimed at financial institutions.
  • July #SecHat Recap Security Conferences – blogs.mcafee.com
    Last month, we hosted our monthly #SecChat on Security Conferences – what makes them worthwhile and how they can be improved. We wanted to gain insight from you, the attendees and presenters, into what conference organizers are doing right and wrong, and how mainstream security events will need to evolve in order to stay relevant in a web 2.0 world.
  • Hackers Are Focusing More On Smartphones – itbusinessedge.com
    Last week, I wrote about how mobile devices are being released with security flaws. The news crossing my desk today put an exclamation point on why smartphone security has to be a priority at every level — from manufacturing to security software development to smart security policies among users: Hackers are salivating over the chance to attack your phone.
  • Exclusive: leaked RSA Dump Appears Authentic – risky.biz
    A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal. The Pastebin dump, dated August 15, lists around 850 entries containing domain names and IP addresses, supposedly leaked by “RSA Employee #15666″. The dump asserts the IP addresses and domain names listed are used in command and control operations by a cyber-espionage ring.
  • The Pastebin Trend (cont.) – research.zscaler.com
    In June during some of the LulzSec pastes, I published a briefblog post on our sister blog (Scrapbook). In that post, I discussed a spike in Pastebin web transactions due to the LulzSec information drops and other controversial news within the information security community. To get a more precise view of when the spikes occurred, why and the general increase in Pastebin transactions, I wrote a script to automate the process of collecting daily statistics from our web transaction logs to Pastebin. Below are the results.