  • Elderwood Project
    • ‘Elderwood’ Crew, Tied to Google Aurora Attack, Targeting Defense, Energy, Finance Companies –
      The same team that attacked Google in the Aurora campaign in 2009 is still active and has been conducting a long-term campaign targeting defense contractors, financial services companies, energy companies, human rights organizations and government agencies using a seemingly inexhaustible supply of zero-day vulnerabilities. The crew is using a variety of techniques to go after its targets, most notably compromising legitimate Web sites frequented by employees of the targeted organizations and then delivering exploits for one or more of their stockpiled zero-day bugs, researchers say.
    • The Elderwood Project –
      In 2009, we saw the start of high profile attacks by a group using the Hydraq (Aurora) Trojan horse. We’ve been monitoring the attacking group’s activities for the last three years as they’ve consistently targeted a number of industries.
    • The Elderwood Project (Infographic) –
      Symantec Security Response have published a research paper revealing details about a series of attacks perpetrated by a highly organized and well-funded group using the “Elderwood” Attack Platform. This platform is a series of tools and infrastructure used by this group to perform attacks against targets in a speedy and efficient manner.
  • New Oracle Security Presentation – Identity In The Database –
    The paper “Identifying Yourself in the Oracle Database” is available as a PDF to download from my Oracle security white papers page.
  • Penetration Testing for iPhone Applications – Part 3 –
    In the first part of this article, we discussed iPhone application traffic analysis. The second part of the article covered the privacy issues and property list data storage. In this part, we will make an in-depth analysis of the keychain data storage.
  • On the (provable) security of TLS: Part 1 –
    If you sit a group of cryptographers down and ask them whether TLS is provably secure, you’re liable to get a whole variety of answers. Some will just giggle. Others will give a long explanation that hinges on the definitions of ‘prove’ and ‘secure’. What you will probably not get is a clear, straight answer.
  • x86 Intel Hardware Assisted Virtualization Training Class –
    I’ve uploaded slides (PDF) and lab code for my x86 virtualization training class. This class teaches how to write a toy virtual machine monitor (VMM) while showing how the famous BluePill and Vitriol attacks are possible.
  • Manually Exploiting Tomcat Manager –
    Apache Tomcat is a very popular open source implementation for handling JavaServer Pages. However, Apache Tomcat is often deployed with default or weak credentials protecting the web accessible Tomcat Manager functionality. Tomcat Manager allows administrators (and attackers) to upload and publish Web application ARchive (WAR) files remotely.
  • Password cracking, part II: when does password cracking matter? –
    Yesterday, I took a critical look at the difficulty of interpreting progress in password cracking. Today I’ll make a broader argument that even if we had good data to evaluate cracking efficiency, recent progress isn’t a major threat to the vast majority of web passwords.
  • Completely In-Memory Mimikatz with Metasploit –
    Executing WCE.exe in memory as demoed by Egypt here: has two issues with it. 1. You leave a file on disk with your hashes and clear text passwords. That just won’t do. 2. There is this DLL called WCEAUX.dll that gets written for the briefest second to disk.
  • PenTesting: From Low Risk Issues to Sensitive Data Compromising –
    Well, I am going to enumerate the top 4 techniques I use when I get into an environment without the common vulnerabilities that are usually discussed in other articles.

Vendor/Software Patches

  • Skipfish-2.09b Update –
    Skipfish is a fully automated, active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
  • Update & Split: TaskManager.xls Version 0.1.4 –
    This is a small fix for TaskManager suggested by goglev: he had 2 network drives pointing to the same share, and this triggered a bug.
  • UPDATE: NOWASP Mutillidae 2.3.5 –
    NOWASP (Mutillidae) is a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to administrate a webserver. It is already installed on SamuraiWTF and Rapid7 Metasploitable 2. The existing version can be updated on either.
  • oclHashcat-plus v0.09 –
    We are proud to present oclHashcat-plus v0.09! Lots of new features and algorithms have been added, and many bugs have been fixed.

Other News

  • Sniffing open WiFi networks is not wiretapping, judge says –
    A federal judge in Illinois has ruled that intercepting traffic on unencrypted WiFi networks is not wiretapping. The decision runs counter to a 2011 decision that suggested Google may have violated the law when its Street View cars intercepted fragments of traffic from open WiFi networks around the country.
  • WhatsApp is using IMEI numbers as passwords –
    As you probably already heard in recent news, 1,000,001 Apple UDIDs were leaked. It’s unfortunate that so many apps use UDIDs to identify users since it’s extremely insecure.