Resources

  • Everything You Always Wanted to Know About iTunes and iCloud Backups But Were Afraid to Ask – blog.crackpassword.com
    Do you think you know everything about creating and using backups of Apple iOS devices? Probably not. Here Vladimir Bezmaly (MVP Consumer security, Microsoft Security Trusted Advisor) shares some thoughts, tips and tricks on iTunes and iCloud backups.
  • Published Beta version of “Thoughts on OWASP” eBook – blog.diniscruz.com
    This new eBook has 165 pages and is made of 67 blog posts published in the last couple years. You can download it for free, or you can also chose to pay a little bit.
  • SyScan2014 Conference Slides – www.syscan.org
    SyScan2014 conference slides are available now. Download all slides from here.
  • EELive Slides – devttys0.com
    For those interested, the slides for Craig’s talk, “Finding and Reverse Engineering Backdoors in Consumer Firmware” can be found here.
  • 7 Tips for Booking Your PCI 3.0 Penetration Testing Service (And Why Consultants Will Book Out Early This Year) – community.rapid7.com
    With the changes introduced in PCI DSS version 3.0, penetration tests will become more complex and longer in duration, and more companies will feel the need to run penetration tests in the first place. Given that it takes a lot of time and money to train new penetration testers, this will cause consultants to book out early, and probably even increase prices per day.
  • All You Wanted to Know About Social Engineering – checkmarx.com
    Social engineering is manipulating people into doing something, rather than using technical means. It is the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by using technical hacking techniques.
  • Steps to Make a Web Application Hacker’s Life Harder – trustedsec.com
    Following are a few (and brief) guidelines to make a webapp pentester’s life measurably harder. Here are the most common defense mechanisms that we encounter on a daily basis, and can cause quite the headache at times.

Tools

Techniques

  • Finding XML Entity Injection Problems – blog.websecurify.com
    XML is a wonderful specification but could be very insecure if misused. Entity injection is a known and very old trick, which allows an attacker to insert XML entities (a special mechanism in XML) into XML documents and as such access arbitrary resources.
  • AVM Fritz!Box root RCE: From Patch to Metasploit Module – I – breaking.systems
    This post illustrates the path from diffing the firmware versions and finding the interesting files via reverse engineering the patch through to finally writing an exploit (a Metasploit module) for the MIPS-based DSL-Router series by AVM.
  • How I Hacked Your Router – disconnected.io
    A friend, named Bill, in infosec asked Phikshun to do a strange thing. He asked Phikshun to hack him. All names and places have been changed to protect the innocent. Vendor names have been kept to incriminate the guilty.
  • “Hack Away at the Unessential” with ExpLib2 in Metasploit – community.rapid7.com
    Memory corruption exploitation is not how it used to be. With modern mitigations in place, such as GS, SafeSEH, SEHOP, DEP, ASLR/FASLR, EAF+, ASR, VTable guards, memory randomization, and sealed optimization, etc, exploit development has become much more complicated.

Other News