- Hackito Ergo Sum 2012
- TALKS // Hackito Ergo Sum 2012 – 2012.hackitoergosum.org
In this presentation we will cover critical aspects of web applications, and how these techniques can be used in real-life scenarios on big (and highly “secured”) websites. These bugs and methods will be able to assist you in your next bug-hunting in your pentest or (god-forbid) bounty program.
We will reveal several vulnerabilities found on real big scale and important websites.
- Hackito Ergo Sum 2012 – breakingcode.wordpress.com
The event took place at the headquarters of the French Communist Party, and I have to say the conference room was quite impressive. It was an underground dome all covered with white metallic plates and lamps behind, giving a peculiar visual effect.
- Notacon 9 (2012) Videos (Hacking Illustrated Series InfoSec Tutorial Videos) – irongeek.com
These are the videos from the 9th Notacon conference held April 12th-15th, 2012. Not all of them are security related, but I hope my viewers will enjoy them anyway.
- SOURCE Boston Security Conference and Training 2012 Day 2 – Dan Geer Keynote, Android Modding and Cloud Security – securelist.com
Dan Geer’s fantastic Keynote Speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks also were Jeremey Westerman’s “Covering *aaS – Cloud Security Case Studies for SaaS, PaaS and IaaS”, and Dan Rosenberg’s “Android Modding for the Security Practitioner”.
- Troy Hunt: 5 interesting security trends from Verizon’s 2012 data breach report
This report is based on 855 incidents in 2011 (don’t be confused by the year in the title!) and because Verizon does this each year, there’s lots of data on how trends are changing.
- VLAN Network Segmentation and Security – Chapter 5 – resources.infosecinstitute.com
In this chapter, we step through a description of VLAN technology, how to secure it (including basic switch security), and how to control packets to increase the overall strength of attack surface defense. I use the term packet instead of frame to refer to transmission entities at both the network and the data link layers.
- Penetration Testing for iPhone Applications – Part 2 – resources.infosecinstitute.com
Every iPhone has an associated unique device identifier, derived from a set of hardware attributes, called the UDID. The UDID is burned into the device and one cannot remove or change it. However, it can be spoofed with the help of tools like UDID Faker.
- From LOW to PWNED – Intro – carnal0wnage.attackresearch.com
I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.
- Analysis of the Eleonore exploit pack shellcode – blogs.technet.com
‘Eleonore’ is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run.
- InteractiveSieve – blog.didierstevens.com
Interactive Sieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant.
- Ra.2 is Blackbox DOM-based XSS Scanner tool – code.google.com
Ra.2 is a new Blackbox DOM-based XSS Scanner, an approach towards finding a solution to the problem of detecting DOM-based Cross-Site Scripting vulnerabilities in web applications automatically, effectively and fast.
- DOE Lab Releases Open-Source Attack Intelligence Tool – darkreading.com
The U.S. Department of Energy’s Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.
- NfSpy – ID-spoofing NFS Client Tool – Mount NFS Shares Without an Account – darknet.org.uk
We wrote about this tool originally last year – NfSpy – ID-spoofing NFS Client – Falsify NFS Credentials – and a new version just came out!
- SQL Server 2012 Best Practices Analyzer – blogs.msdn.com
I’m pleased to announce that SQL Server 2012 Best Practices Analyzer (BPA) has been released and is available for download at http://www.microsoft.com/download/en/details.aspx?id=29302.
- Hack Tips: Good for Enterprise Exploitation – blog.opensecurityresearch.com
Good for Enterprise™ is a suite of powerful mobile device management tools that bring military-grade security, end-to-end data loss prevention, and collaboration features to today’s most popular smartphones and tablets — without compromising IT security and control.
- XSS Shortening Cheatsheet – labs.neohapsis.com
In the course of a recent assessment of a web application, I ran into an interesting problem. I found XSS on a page, but the field was limited (yes, on the server side) to 20 characters.
- Extracting AES keys from iPhone – securitylearn.wordpress.com
The iPhone application processor comes with two built-in encryption keys – UID and GID. The OS running on the device cannot read the hardcoded keys, but it can use them to generate other encryption keys used for data protection, media encryption and keychain encryption. The hardcoded keys can only be used from bootloader and kernel mode.
- Oracle patch day addresses 88 vulnerabilities – h-online.com
Oracle has released 88 security patches as part of its scheduled April Critical Patch Update (CPU), ten more than on its last patch day in January.
- Monitor OS X LaunchAgents folders to help prevent malware attacks – reviews.cnet.com
While malware scanners can detect threats once definitions for them are available, you can monitor or lock your systems’ launch agents folders to more proactively prevent attacks on your system.
- 15-year-old arrested for hacking 259 companies – zdnet.com
A 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.
- 3 million bank accounts hacked in Iran – zdnet.com
First, he warned of the security flaw in Iran’s banking system. Then he provided them with 1,000 bank account details. When they didn’t listen, he hacked 3 million accounts across at least 22 banks.