Event Related

  • Blackhat Europe 2013 Arsenal Tools Event Wrap-up – toolswatch.org
    I finally found time to write a wrap-up about the activities of the Arsenal Tools Event during the last session of Blackhat Amsterdam Europe 2013.
  • IPv6 Focus Month: IPv6 over IPv4 Preference – isc.sans.edu
    Initially, most IPv6 deployments will be “Dual Stack”. In this case, a host will be able to connect via IPv4 and IPv6. This brings up the question which protocol will be preferred, and if multiple addresses are possible, which source and destination address are used.
  • Digital cameras easily turned into spying devices, researchers prove – net-security.org
    In this presentation from Shmoocon 2013, they explained in detail how they managed to mount the attacks, and have also offered advice for users on how to secure their cameras and connections against these and similar attacks.

Resources

  • Web for Pentester – pentesterlab.com
    This exercise is a set of the most common web vulnerabilities.
  • Eavesdropping on a wireless keyboard – windytan.blogspot.se
    To investigate this, I bought an old Logitech iTouch PS/2 cordless keyboard at an online auction. It’s dated July 2000.
  • Windows Hardening Guide – 0xdabbad00.com
    This guide is focused on Windows Vista, 7 and 8 systems for personal use. This guide is not concerned with the following.

Tools

  • YoNTMA (You’ll Never Take Me Alive!) – isecpartners.com
    Enter YoNTMA! YoNTMA (You’ll Never Take Me Alive!) is a tool designed to enhance the protection of encrypted data. YoNTMA runs as a background service and begins monitoring your computer any time the screen is locked.
  • Psexec Python Rocks! – pen-testing.sans.org
    Python rocks! PSEXEC rocks! So, what could be better than psexec written in Python?
  • Passpat, Password Pattern Identifier – digininja.org
    It is generally accepted that most passwords in common use are based on dictionary words however, some people decide to use keyboard patterns instead and to try to spot these I’ve created Passpat.
  • Announcing Mercury v2.2 – mwrinfosecurity.com
    Today, Mercury v2.2 is available for download. Well, it’s nearly easter, and whilst we are packing up for the long weekend we wanted to give you a little present.
  • Introducing dumpmon – raidersec.blogspot.com
    I created a Twitter-bot which monitors multiple paste sites for different types of content (account/database dumps, network device configuration files, etc.). You can find it on Twitter and on Github.

Techniques

  • Buffer Overflows with Crossbow
  • mongodb – SSJI to RCE – blog.scrt.ch
    Trying some server side javascript injection in mongodb, I wondered if it would be possible to pop a shell.
  • Network Testing 101: If Your Name’s Not Down, You’re Not Getting In – blog.gdssecurity.com
    The thing is how do we get these usernames? A few basic network pentesting tricks are listed here.
  • How I became a password cracker – arstechnica.com
    My journey into the Dark-ish Side began during a chat with our security editor, Dan Goodin, who remarked in an offhand fashion that cracking passwords was approaching entry-level “script kiddie stuff.”
  • Cisco IOS Patching: Defense and Offense – blog.didierstevens.com
    First PoC is how changing the canary value 0xFD0110DF to another value can provide defense against exploits like FX explained in this paper. I changed the appropriate instructions so that IOS uses canary value OxFC0220CF.
  • Cracking IKE Mission:Improbable (Part 1) – blog.spiderlabs.com
    All too often during pen tests I still find VPN endpoints configured to allow insecure Aggressive Mode handshakes. Fortunately, gaining access to the internal network as a result of this vulnerability remains a fairly complex task.

Vulnerabilities

Other News

  • DDos Attack
    • The DDoS That Almost Broke the Internet – blog.cloudfare.com
      The New York Times this morning published a story about the Spamhaus DDoS attack and how CloudFlare helped mitigate it and keep the site online. The Times calls the attack the largest known DDoS attack ever on the Internet. We wrote about the attack last week.
    • Answers about recent DDoS attack on Spamhaus – spamhaus.org
      At this time The Spamhaus Project is getting more press enquiries than we can personally respond to. Below is a list with the most frequently asked questions, along with our answers.
  • FBI wants real-time Gmail, Dropbox spying power. – slate.com
    Despite the pervasiveness of law enforcement surveillance of digital communication, the FBI still has a difficult time monitoring Gmail, Google Voice, and Dropbox in real time.
  • Firm Is Accused of Sending Spam, and Fight Jams Internet – nytimes.com
    A squabble between a group fighting spam and a Dutch company that hosts Web sites said to be sending spam has escalated into one of the largest computer attacks on the Internet, causing widespread congestion and jamming crucial infrastructure around the world.