Resources
- A look at ASLR in Android Ice Cream Sandwich 4.0 – blog.duosecurity.com
For the uninitiated, ASLR randomizes where various areas of memory (eg. stack, heap, libs, etc) are mapped in the address space of a process. - The Ultimate OS X Hardening Guide Collection – isc.sans.edu
Many security professionals tend to use OS X systems. Maybe for the nice and shiny looks, or the Unix under pinnings that make it a great platform to run current tools. However, the operating system itself isn’t exactly “secure out of the box” and like all operating systems can profit from some additional hardening tricks. - White Hat Hacker Flowchart – dankaminsky.com
A white hat hacker flowchart by Dan Kaminsky.
Tools
- DPScan: Drupal Security Scanner – github.com
This small tool is public and accessible for our use. It may help other auditors or penetration testers do their job faster and gather more information. - DNSChef – thesprawl.org
DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka “Fake DNS”) is a tool used for application network traffic analysis among other uses. - Sqlmap plugin for BurpSuite – blog.buguroo.com
Today we present a free plugin, developed by me, so you can use the sqlmap from BurpSuite so really comfortable. - SIPVicious 0.2.7 – code.google.com
SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools. - Skipfish-2.04b – code.google.com
Skipfish is a fully automated, active web application security reconnaissance tool. - Social-Engineer Toolkit (SET) 3.0 released. – secmaniac.com
Greetings all. I’m excited to release the 3.0 version of the Social-Engineer Toolkit (SET) Codename “#WeThrowBaseballs”. - Metasploit 4.2 Released: IPv6, VMware, and Tons of Modules! – community.rapid7.com
Since our last release in October, we’ve added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads — that clocks in at just about 1.5 new modules per day since version 4.1.
Techniques
- Mobile App Permissions and Choice – pen-testing.sans.org
Recently we’ve seen a flurry of news articles identifying a weakness in the Apple iOS architecture where application developers have unrestricted access to contact book entries on your iPhone, iTouch or iPad. - Minimizing Vulnerabilities in Applications – Part 1 – resources.infosecinstitute.com
During my 20+ year career, I have seen many coding virtuosos which had only one problem – they did not pay any attention to the security of their code. - MindshaRE: a reversing tool – dvlabs.tippingpoint.com
MindshaRE is our periodic look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries by going through our blog history or querying a search engine for dvlabs mindshare.
Vulnerabilities
- iOS 5 Flaw Allows data access
- Paperclips pose security threat to iPhones – technolog.msnbc.msn.com
Under the right — though easily arranged — circumstances, a simple paperclip could allow someone to circumvent your iPhone’s passcode and access your voicemail, contacts, recent call list, and other data. - iOS 5 Flaw Allows Unfettered Access to User’s Contacts, Calls – threatpost.com
A passcode flaw in Apple’s iOS 5 could allow unauthorized access to an iPhone user’s contacts list, recent calls, voicemail, text messages and more, according to a recent blog post from CultofMac.com. - New Oracle ERP Vulnerabilities Unmasked – darkreading.com
Design flaws could allow attackers to access, alter, or take over ERP systems — but will enterprises do anything about the vulnerabilities?
Other News
- Plesk control panel bug left FTC sites (and thousands more) exposed to Anons – arstechnica.com
[needs validation]A critical vulnerability in Parallels’ Plesk Panel Web hosting administration tool left thousands of servers open to potential hijacking by hackers. And the recently hacked sites belonging to the Federal Trade Commission were among them, according to sources. - Note to self: Encrypt data, memorize password – news.cnet.com
In a case that serves as a reminder to: a) use encryption, and b) memorize the encryption pass-phrase, an appeals court has ruled that people have a constitutional right not to be forced to decrypt data that potentially includes evidence that could be used to prosecute them in court. - Researchers Reveal How Attackers Can Track Cell Phone Locations – threatpost.com
New research has found information leaked by cell towers can be used to determine your cell phone’s general location. - Does The Cybersecurity Act Of 2012 Mark The Beginning Of The War On Cyber-terrorism? – forbes.com
The Cybersecurity Act of 2012 is the latest effort by Congress to do something about the threat of cyber attacks and cyber crime. - NIST, Maryland Plan New Cybersecurity Center – threatpost.com
The US National Institute of Standards and Technology (NIST) announced plans Tuesday to break ground on a new center that will be committed to cybersecurity research.
Tags: cybersecurity act of 2012, drupal, iOS5, Oracle
No comments yet.