Events Related

  • BruCON 0×05 Wrap Up -blog.rootshell.be
    Here is Xavier’s quick wrap-up of  BruCON 0×05. Actually it’s not a wrap-up about the talks. He gives some statistics about the visitors.

Resources

  • One Weird Trick for Finding More Crashes – www.cert.org
    CERT Vulnerability Analysis Team announced the release of updates to both of their fuzzing tools, the CERT Basic Fuzzing Framework (BFF) version 2.7 and the CERT Failure Observation Engine (FOE) version 2.1. In this blog entry they described some of the major changes with these tools.
  • Ruxcon Mc’Gavin – youtube.com
    All Ruxcon 2012 videos have been posted here.
  • H1 2013 Threat Report – f-secure.com
    F-secure’s H1 2013 Threat Report is now online and a pdf download link is available.
  • SSL/TLS Deployment Best Practices – ssllabs.com
    SSL/TLS is a deceptively simple technology. It is easy to deploy but it turns out that it is not easy to deploy correctly. To ensure that SSL provides the necessary security, users must put more effort into properly configuring their servers.This document is a first step toward addressing that problem.
  • Characters, Symbols and the Unicode Miracle – Computerphile – youtube.com
    Representing symbols, characters and letters that are used worldwide is no mean feat, but unicode managed it – how? Tom Scott explains how the web has settled on a standard.

  • DerbyCon Keynote Presentation – Kinetic Pwnage – pen-testing.sans.org
    This morning, Ed Skoudis had the honor of presenting at DerbyCon. His talk focused on the ability to cause physical impact through hacking computers and networks. Download the DerbyCon keynote slides from here.
  • Welcome to Project Sonar! – community.rapid7.com
    Project Sonar is a community effort to improve security through the active analysis of public networks. This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the information security community.

Tools

  • Kvasir: Penetration Test Data Management – github.com
    Kurt Grutzmacher created a new open source tool called Kvasir. Download it from here.

    • Kvasir: Penetration Data Management for Metasploit and Nexpose – community.rapid7.com
      As a penetration tester with Cisco’s Advanced Services, kgrutzma created a new open source tool called Kvasir that integrates with Metasploit Pro, Nexpose, and a bunch of other tools he used regularly to aggregate and manage the data he needed. In this blog post, kgrutzma would like to give you a quick intro what Kvasir does – and to invite you to use it with Metasploit Pro.
    • Introducing Kvasir – blogs.cisco.com
  • Nccgroup/scenester – github.com
    Scenester is a simple Java application to discover different web application front ends based on web browser user-agents. Download the tool from here.

Techniques

  • Cracking WatchGuard passwords – funoverip.net
    WatchGuard firewall appliances use the (good old) NTLM algorithm to protect the Firebox-DB passwords. Foip did a Good job reversing the hashing algorithm.
  • Change the Theme, Get a Shell: Remote Code Execution with MS13-071 – community.rapid7.com
    Recently Security street team have added an exploit for MS13-071 to Metasploit. Rated as “Important” by Microsoft, this remote code execution, found by Eduardo Prado, for Windows XP and Windows 2003 environments is achieved by handling specially crafted themes. In this blog post they would like to discuss the vulnerability and give some helpful tips for exploiting it from Metasploit.
  • Blind SQLi -> SQLi -> Command Execution -> Meterpreter – Based On A True Story – breenmachine.blogspot.com
    In a recent test, Stephen Breen took the extra time to take it all the way to a Meterpreter shell manually and would like to document that process here. It involved one new trick he hadn’t seen before, so here we go.

Vulnerabilities

  • Data Broker Giants Hacked by ID Theft Service – krebsonsecurity.com
    An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.
  • Chaos Computer Club breaks Apple TouchID – www.ccc.de
    The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID.

    • iPhone Fingerprint Scanner Hacked; Should You Care? – forbes.com
      A group called the Chaos Computer Club has posted a video in which they demonstrate what appears to be the ability to fool the fingerprint sensor in Apple’s new iPhone 5S. While the method is a bet convoluted, the fact is that it doesn’t involve any special technology.

Other News

  • UK to create new cyber defence force – www.bbc.co.uk
    The UK is to create a new cyber unit to help defend national security, the defence secretary has announced.
  • Barclays Bank Branch Bugged In £1.3m Breach – techweekeurope.co.uk
    Crooks managed to tap into a Barclays Bank machine to make off with £1.3 million, using a remarkably crude yet highly effective method. Barclays said no customers had suffered financial loss as a result of the hack.