Resources

  • Smart LSA Secrets Module – hackwhackandsmack.com
    Doug decided to take two modules and crash them together to add some automation to tasks he seems to pick up often. He took the LSA Secrets module and the Domain Group Enum module and combined them into one module.
  • Symantec Intelligence Report: December 2013 – symantec.com
    Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. You can download the December edition of the Symantec Intelligence report from here.

Techniques

  • Evading iOS Security – winocm.com
    Here’s some code. Here’s what happens when you run it on a device using evasi0n7.
  • How I Defeated LinkedIn’s 3rd-degree Profile Security – osandamalith.wordpress.com
    This is one of the best logical bugs ever researched by Osanda Malith. He explains the process from the beginning so that you can follow it easily.
  • SMB Attacks Through Directory Traversal – netspi.com
    Karl Fosaaen recently ran into a number of web applications that allow for either directory traversal or filename manipulation attacks. This may not be mind-blowing new information, but hopefully it gives you some good ideas on other ways to utilize directory traversal vulnerabilities.
  • Xml eXternal Entity (XXE) Attack – secpod.org
    An XXE attack targets an application that parses XML input from untrusted sources with an incorrectly configured XML parser. Here is an example that uses a DTD (Document Type Definition) entity.
  • Automated penetration testing in the Microsoft stack with OWASP ZAP – codeproject.com
    This article explains how to do automated penetration testing in the Microsoft stack using OWASP ZAP in combination with Team Foundation Server (TFS) and C#. The end result is TFS builds running penetration tests against websites of our choice.

Vulnerabilities

  • HealthCare.gov security — ‘a breach waiting to happen’ – news.cnet.com
    The government’s problem-riddled Obamacare Web site may face further problems from hackers taking advantage of its many security holes. At least that’s the consensus of a group of security professionals who have analyzed the site.

    • We stand as one. Change INFOSEC now – trustedsec.com
      David Kennedy, CEO of the computer security consulting firm TrustedSec, who is testifying before Congress on the security issues related to HealthCare.gov, outlined his concerns in this blog post.

Other News