Resources

Tools

  • site-inspector-ruby – github.com
    Ben Balter built a small tool called Site Inspector in September 2011. Nearly three years later, he resurrected that tool, albiet a bit smarter, and, using the latest list, thought he’d take a look at how things have changed in the time since.
  • Introducing Windows Exploit Suggester – blog.gdssecurity.com
    After searching online for a Window’s “exploit suggester” tool, Sam Bertram was surprised to find that none existed! Without further ado, he introduce “Windows Exploit Suggester” or for short “winsploit”, a tool created to automate the privilege escalation exploitation process targeting unpatched systems.

  • MITMf – github.com
    Framework for Man-In-The-Middle attacks. This tool is completely based on sergio-proxy https://code.google.com/p/sergio-proxy/ and is an attempt to revive and update the project.

Vendor/Software patches

  • Microsoft, Adobe Push Critical Fixes – krebsonsecurity.com
    Adobe issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.

    • July 2014 Security Bulletin Release – blogs.technet.com
      This month’s release includes six new security bulletins, addressing 29 Common Vulnerability and Exposures (CVEs) in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, three are rated Important, and one rated Moderate in severity.

Vulnerabilities

  • Abusing JSONP with Rosetta Flash – miki.it
    In this blog post Michele Spagnuolo presents Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site.

    • “Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al. – arstechnica.com
      A serious attack involving a widely used Web communication format is exposing millions of end users’ authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.Almost four hours after this article went live, a Tumblr spokeswoman e-mailed Ars to say the site has been patched against the Rosetta Flash attack.
    • Adobe Patches Flash Vulnerability Exploited by Rosetta Flash Tool – threatpost.com
      Popular websites such as Instagram, eBay, Tumblr and others using JSON with Padding or JSONP remain vulnerable to an exploit tool released today as a proof of concept against a vulnerability in Adobe Flash Player.
  • Password Manager Security – LastPass, RoboForm Etc Are Not That Safe – darknet.org.uk
    Some researchers have ganged up and are taking a really close look at some of the popular password management solutions and password manager security. Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.
  • Beware Keyloggers at Hotel Business Centers – krebsonsecurity.com
    The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

Other News