• Pwn2Own
• Lesson From Pwn2Own: Focus On Exploitability – darkreading.com

  The Pwn2Own contest earlier this month at the CanSecWest Conference showed off the speed with which knowledgeable security professionals can code exploits for known vulnerabilities.

• On the failings of Pwn2Own 2012 – scarybeastsecurity.blogspot.com

  This year’s Pwn2Own and Pwnium contests were interesting for many reasons. If you look at the results closely, there are many interesting observations and conclusions to be made.

• Outerz0ne 2011 Hacker Con (Hacking Illustrated Series InfoSec Tutorial Videos) – irongeek.com

  The following are videos of the presentations from the Outerzone 2011 hacker conference. Thanks to Skydog, Robin, Scott, SomeNinjaMaster and the Hacker Consortium crew for the con. Also thanks to Seeblind and others for doing AV. I’m looking forward to Skydogcon and working with the guys again at Derbycon.

Resources

• sqlitespy for Sqlite Database Analysis – blog.opensecurityresearch.com

  Sqlite is the ubiquitous database for iPad, iPhone and Android applications. It is also used by certain internet browsers, web application frameworks, and software products for their local storage needs. While doing penetration tests, we often see sensitive information like usernames, passwords, account numbers, SSN etc… insecurely stored in these databases. Thus, every penetration test requires comprehensive analysis of the local databases being used.

• The mystery of Duqu: Part Ten – securelist.com

  There were virtually no traces of Duqu since then. But several days ago our colleagues in Symantec announced that they found a new “in-the-wild” driver that is very similar to known Duqu drivers. Previous modifications of Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.

• Introduction to Microsoft PowerShell Basics of RunningCmdlets – darkoperator.com

  You will notice that for the PowerShell commands I use the word Cmdlet, that is how Microsoft calls and spells the word. In a PowerShell shell you can execute regular windows commands in addition to the cmdlets and most work without any problem some may experience problems depending on the parameters used since PowerShell uses space as a delimiter so do keep this in mind when you are running local exe files.

• Skipfish Web Vulnerability Scanner – resources.infosecinstitute.com

  Web application security is a serious and an important topic to discuss nowadays, since hacking attacks are common. There are hundreds and thousands of tutorials available on blogs and forums that can help an attacker hack into a web application.

• Praeda version 0.02.0b is now available for download – foofus.net

  Updated release of Praeda 0.02.0b can be downloaded from HERE . This release contains a few new modules and an update to the dispatcher, allowing NMAP .gnmap as target input.

Tools

• OWASP Zaproxy
• ZAProxy 1.4.alpha.1 update – code.google.com

  “The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. ZAProxy provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.”

• OWASP Zaproxy v.1.3.4 released – code.google.com

  It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

• OWTF 0.13 “Trooper” update – github.com

  The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused try to unite great tools and make penetration testing more efficient. The purpose of this tool is to automate the manual, uncreative part of penetration testing.

• Spooftooph v0.5 Spoofing Bluetooth – hackfromacave.com

  Spooftooph is designed to automate spoofing or cloning Bluetooth device Name, Class, and Address. Cloning this information effectively allows Bluetooth device to hide in plain site. Bluetooth scanning software will only list one of the devices if more than one device in range shares the same device information when the devices are in Discoverable Mode (specificaly the same Address).

• Wireshark v1.6.6 Released – wireshark.org

  Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

• SSLCop v1.0 Blocking CAs Released – security-projects.com

  SSLCop is a hardening tool that can block those CAs you don’t need, based in their geographical procedence. You can disable CAs sorted from countries and leave only those which make sense to you.

• Kautilya v0.2.0 payloads for Teensy Released – code.google.com

  Kautilya is a toolkit which provides various payloads for Teensy device which may help in breaking in a computer. The toolkit is written in Ruby and currently contains all Windows payloads written mostly in powershell.

• Creepy version 0.2 – github.com

  Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.

• OWASP WebGoat 1.2 – owasp.blogspot.com

  FYI, we released iGoat version 1.2 today. The primary change over 1.1 is the addition of a new keychain exercise, contributed by a newcomer to the team, Mansi Sheth.

Techniques

• iPhone
• Here’s How Law Enforcement Cracks Your iPhone’s Security Code (Video) – forbes.com

  Set your iPhone to require a four-digit passcode, and it may keep your private information safe from the prying eyes of the taxi driver whose cab you forget it in. But if law enforcement is determined to see the data you’ve stored on your smartphone, those four digits will slow down the process of accessing it by less than two minutes.

• iPhone passcode cracking is easier than you think – cnet.com

  A report came out last fall suggesting that repeating one number in the iPhone’s four-digit security PIN made for better protection than using all unique numbers. However, that little trick doesn’t seem to go very far with Micro Systemation, a Swedish security firm that helps police and military around the world crack digital security systems.

• Reading iPhone Backups – securitylearn.wordpress.com

  When iPhone is connected to a computer for the first time, iTunes automatically creates a subfolder with device UDID as the folder name and takes a backup of everything available on the iPhone.

• IPv6
• Identifying IPv6 Security Risks in IPv4 Networks: Tools – community.rapid7.com

  This post details some of the tools used in my recent IPv6 security testing webcast If you have any specific questions, please open a Discussion thread.

• Finding v6 hosts by efficiently mapping ip6.arpa – 7bits.nl

  A technique for quickly finding existing reverse (PTR) entries in ip6.arpa-zones occurred to me recently. A cursory internet search reveals little about the subject, suggesting nobody else may have connected these dots before.

Vendor/Software Patches

• MS12-020
• Understand MS12-020 – auntitled.blogspot.com

  I saw many misunderstanding about MS12-020 bug. Here is my quick explanation (hope it is clear). There are 2 bugs for this bulletin. One is RCE (CVE-2012-0002). Another one is DoS (CVE-2012-0152). I use the diff result from work of people in IRC (freenode#MS12-020) http://pastie.org/private/4egcqt9nucxnsiksudy5dw.

• A Tool Exploiting MS12-020 Vulnerabilities – f-secure.com

  Since the public release of Microsoft’s MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called “RDPKill by: Mark DePalma” that was designed to kill targeted RDP service.

• DNS
• DNS Changer – circleid.com

  One fine night in November 2011 I got an opportunity to get my hands dirty, working on a project for the United States Federal Bureau of Investigation (FBI). They were planning to seize a bunch of computing assets in New York City that were being used as part of a criminal empire that we called “DNS Changer” since that was the name of the software this gang used to infect a half million or so computers. I work for Internet Systems Consortium (ISC), a small non-profit company headquartered in California.

• Weekly Metasploit Update: DNS payloads, Exploit-DB, and More – community.rapid7.com

  This week we’ve got a nifty new shellcode delivery scheme, we’ve normalized on Exploit-DB serial numbers, and a pile of new modules, so if you don’t have Metasploit yet, you can snag it here.

• New Java Attack Rolled into Exploit Packs – krebsonsecurity.com

  If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.

• New exploit uses old Office vulnerability for OS X malware delivery – reviews.cnet.com

  While this means of exploiting Mac systems via Microsoft Office is old and has been patched, this marks the first time Office documents have been used to exploit OS X systems.

Vulnerabilities

• Microsoft
• Microsoft Raids Tackle Internet Crime – nytimes.com

  Microsoft employees, accompanied by United States marshals, raided two nondescript office buildings in Pennsylvania and Illinois on Friday, aiming to disrupt one of the most pernicious forms of online crime today — botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers.

• Microsoft Takes Down Dozens of Zeus, SpyEye Botnets – krebsonsecurity.com

  Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.

• Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets – technet.com

  Cybercriminals have built hundreds of botnets using variants of Zeus malware. For this action – codenamed Operation b71 – we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages.

• Credit Card Processor Breach
• MasterCard, VISA Warn of Processor Breach – krebsonsecurity.com

  VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

• Hackers Breach Credit Card Processor; 50K Cards Compromised – wired.com

  Global Payments Inc, an Atlanta-based processor, has been breached by hackers, leaving more than 50,000 card accounts potentially compromised.

• Hackers steal passwords from military dating site – news.cnet.com

  Hackers broke into the database for a military dating Web site and stole passwords, e-mail addresses, and other information from nearly 171,000 accounts, according to a post on the Pastebin site this weekend

• Command Injection Attacks, Automated Password Guessing On The Rise – darkreading.com

  Spam and several of the most common vulnerabilities are on the decline, according to a report issued this week, but there has been a marked increase in new types of attacks, such as shell command injection and automated password guessing.

• LulzSec hacks CSS Corp – zdnet.com

  LulzSec has hacked CSS Corp and released the company’s e-mail database to the public. The hacktivist group is also asking followers to join #LulzSecReborn on Anonymous’ IRC channel.

• Critical Security Update for Adobe Flash Player – krebsonsecurity.com

  Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

Other News

• China on Hacking
• Inside a Commission Hearing on the Chinese Threat – taosecurity.blogspot.com

  This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China’s Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I’m seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey.

• China Hacked RSA, U.S. Official Says – darkreading.com

  Until this week, no one has ever confirmed publicly what everyone has suspected all along: that China was behind the advanced attack against RSA’s SecurID systems last year. That was the revelation by the head of the U.S. Cyber Command in a Congressional hearing on Tuesday.

• TSA asks congressional panel to uninvite critic Bruce Schneier – news.cnet.com

  Bruce Schneier, a vocal critic of security measures used by the Transportation Security Administration, was asked to testify before Congress about TSA’s security screening initiatives but then was “formally uninvited” after the agency complained.

• NSA Chief: Agency Wants to Provide Malware Signatures, Not Enter Private Networks – wired.com

  The NSA continued to downplay its role in the cyberdefense of private networks when Gen. Keith Alexander told a Senate committee Tuesday that his intelligence agency absolutely did not want to be lurking in private networks monitoring data for threats.

• Satellite-jamming becoming a big problem in the Middle East and North Africa – arstechnica.com

  The Arab Spring has had yet another consequence—satellite jamming, and the practice is serious enough to threaten the satellite operators’ business. Two operators, Arabsat and Nilesat, complained about the jamming in the Satellite 2012 Conference in Washington, D.C. last week, according to an article in Space News.

• Draft EU Law Proposes 2 Year Minimum Sentence for Hackers – techweekeurope.co.uk

  The proposed directive, which was backed by 50 votes at the European Parliament’s Civil Liberties Committee compared to one against, would mean the UK would no longer rely on the Computer Misuse Act that currently has a maximum sentence of two years for a single breach of systems.

• U.S. Outgunned in Hacker War – online.wsj.com

  The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

• Richard Clarke on Who Was Behind the Stuxnet Attack – smithsonianmag.com

  America’s longtime counterterrorism czar warns that the cyberwars have already begun—and that we might be losing.

• EU legislation – Digging below the FUD line – blog.c22.cc

  Yesterday I started to see some chatter on Twitter about new/updated EU legislation dealing with “cyber” attacks.

• CanSecWest
• CanSecWest evolving – blog.securiteam.com

  Let me say, right off the top, that I love CanSecWest. I am tired of “vendor” conferences, where you pay outrageous fees for the privilege of sitting through a bunch of sales pitches. At least CanSecWest has real information, as opposed to virtual information.

• CanSecWest Day 1 Pen testing, social authentication, APR and Duqu – nakedsecurity.sophos.com
  A wrap-up of the news and talks from CanSecWest 2012 in Vancouver. I highlight talks on pen testing, social authentication, vulnerability mitigation and the Duqu command and control servers.
• CanSecWest Day 2 Smartphones, mobile security, iOS 5 and NFC – nakedsecurity.sophos.com
  Day 2 at CanSecWest was dominated by mobile security talks. The highlights included anti-rooting technologies used in Android, iOS and a look at NFC enabled mobile phone security.
• Playing with Network Layers to Bypass Firewalls Filtering Policy – home.regit.org
  The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.
• RSA Conference
• B-Sides SF and RSAC 2012 Summary – rants.effu.se
  One of the consistent themes I heard from attendees of B-Sides SF and RSAC this year was “this was the best year yet!” That is a huge turn-around from the cynicism that was so prevalent last year.
• Invasion of the Risk Managers: Altering the Complexion of Security” – readwriteweb.com
  Article about the discussion panel on risk.

Resources

• M-Trends: The One Threat Report You Need to Read – blog.mandiant.com
  Today is a big day. If you’ve followed us for a while you know that once a year we step back and take stock of what we’ve seen on the front lines battling targeted attacks. What is the advanced persistent threat (APT) up to?

Tools

• TaskManager.xls V0.1.2 Update – blog.didierstevens.com
  This is a new version of TaskManager.xls with memory usage statistics, with code given to me by sciomathman.
• Zscaler tool can find unprotected embedded web servers – zdnet.com
  The web-based tool can scan IP ranges to find multi-function printers and photocopiers, VOIP devices and video-conferencing systems that are currently.
• Introducing Adobe SWF Investigator – adobe.com
  Today I am launching a beta of a tool on Adobe Labs called, Adobe SWF Investigator. This Adobe AIR-based application is a suite of tools that may be useful to SWF developers, quality engineers, and security researchers.
• Ettercap v0.7.4.1 Lazarus Released – ettercap.sourceforge.net
  Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
• Wireshark and Pcap-ng – blog.wireshark.org
  When Wireshark 1.8.0 is released in the next few months it will introduce two major features: the ability to capture from multiple interfaces at once and the ability to annotate packets.
• Mole v0.3 (2012-03-02) – themole.nasel.com.ar
  Command line sql injection tool
• WCE v1.3beta 32bit released – hexale.blogspot.com

  WCE v1.3beta 32bit released.

Techniques

• Testing the Security of Virtual Data Centers – community.rapid7.com
  If you are doing security assessments, you are probably running into virtual servers every day. According to analyst firm Gartner, 80% of companies now have a virtualization project or program. With the recent 4.2 release of Metasploit, your next penetration test should be much more fun.
• Why Security Assessments Must Cover IPv6, Even In IPv4 Networks – community.rapid7.com

  What’s your company doing to prepare for IPv6? Probably not an awful lot. While 10% of the world’s top websites now offer IPv6 services, most companies haven’t formulated an IPv6 strategy for the network.

• Foot printing – Finding your target… – sensepost.com
  Network foot printing is, perhaps, the first active step in the reconnaissance phase of an external network security engagement. This phase is often highly automated with little human interaction as the techniques appear, at first glance, to be easily applied in a general fashion across a broad range of targets.

Vulnerabilities

• Google Chrome Hacked
• Pwn2Own 2012: Google Chrome browser sandbox first to fall – zdnet.com

  Exploit writers at VUPEN take special pleasure in attacking Google’s Chrome browser, using a pair of zero-day flaws to defeat the browser.

• CanSecWest Pwnium: Google Chrome hacked with sandbox bypass – zdnet.com

  The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome.

• Chrome Finally Breached in Google’s $1 Million Hackathon- gizmodo.com

  Google recently offered up prizes totaling $1 million for those capable of exploiting its browser Chrome. Now, at Google’s own competition called Pwnium, a student has walked away with one of the top prizes, earning $60,000 by hacking a PC running Chrome.

• After the pwnage: Critical Google Chrome hole plugged in 24 hours – arstechnica.com

  Underscoring the nimbleness of Google’s patching cycle, Chrome developers fixed a complex series of bugs less than 24 hours after they were demoed at a hacker conference.

• Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest – wired.com

  A teenage hacker known as Pinkie Pie pokes a hole in Google’s Chrome browser, an unlikely winner who’s taking home $60K and a possible job at the search giant.

• How Google set a trap for Pwn2Own exploit team – zdnet.com

  Here’s the story of how a unique signature was used to figure out if exploit writers would take aim at the Flash Player plugin in Google Chrome

• Pwn2Own Hacking Contest
• Charlie Miller skipping Pwn2Own as new rules change hacking game – zdnet.com

  The annual Pwn2Own hacker contest kicks off today with new rules, controversy over disclosure and the absence of a regular participant.

• Pwn2Own 2012: IE 9 hacked with two 0day vulnerabilities – zdnet.com

  The code execution attack, which required no user action beyond browsing to a rigged web site, also works on Internet Explorer v10.

• How to Pwn the Pwn2Own Contest – wired.com

  Finding zero-day exploits to win a hacking contest can be really hard work these days. So sometimes the better strategy is just to game the game.

• The Ruby/GitHub hack: translated – erratasec.blogspot.com
  The underlying issue is an “Insecure Direct Object Reference”, #4 on the OWASP Top 10 list of most important web-application vulnerabilities. It means that that a hacker can change what’s in the website database without having permission.

Other News

• Uncle Sam: If It Ends in .Com, It’s Seizable – wired.com

  The U.S. government says it has the right to seize any .com, .net and .org domain name because the companies that have the contracts to administer them are based on United States soil, according to Nicole Navas, an Immigration and Customs Enforcement spokeswoman.

• Sabus sordid story detailed in FBI indictment – nakedsecurity.sophos.com

  Hector Xavier Monsegur may have portrayed the exploits of Anonymous and LulzSec as a glamorous fight against “the man”, but the dark criminal realities of their exploits were exposed in his indictment. It appears he wasn’t just in it for the lulz.

• Dropbox Abused by Spammers – symantec.com

  Recently we noticed spammers abusing Dropbox, a popular cloud-based, file-hosting and synchronization tool, to spread spam. Dropbox accounts have a public folder where files can be placed and made publicly available. This function is useful to spammers, as it effectively turns Dropbox into a free hosting site.

Hackfest Optimized: November 4 to November 5 in Quebec

BSides DFW: November 5 to November 6 in Irving

BSides Atlanta: November 4 in Atlanta

BSides Delaware: November 1 to November 12 in New Castle

SC Congress: November 16 in New York

And here are the information security events in the other parts of the world:

Kiwicon V: November 4 to November 6 in Wellington

PACSEC Tokyo: November 9 to November 10 in Tokyo

SANS Paris 2011: November 14 to November 18 in Paris

SANS Geneva: November14 to November 19 in Geneva

SOURCE Barcelona: November 14 to November 17 in Barcelona

e-Crime India: November 9 in Mumbai

e-Crime Abu Dhabi: November 23 in Abu Dhabi

• Crack Me If You Can DefCon 2011 Insidepro team – contest.korelogic.com
  First of all, I must say that this year’s contest was a big improvement over last year. Not that last year was boring, far from that, but the feedbacks given last year were well understood and rectified this year. The weighted points depending on the hashing algorithm made much more sense. The bonuses and the challenges added a lot more spice and need for strategies.
• Rootcon 5: A Summary – sunbeltblog.blogspot.com
  I’m not saying all of my trips go horribly wrong, but exploding toilets, 1984 style televisions, badges that make no sense, surprises in alleyways and emergency fuel dumps could perhaps convince you otherwise. You’ll be pleased to know Rootcon 5 went off without a hitch (well, besides the earthquake drill, the eleven hours at Guangzhou airport and the lady with the foot in her face) and a great time was had by all.

Tools

• XCat: Exploit Boolean XPath Injections! - github.com/orf/xcat/downloads
  Prior to getting acquainted with XCat, let’s know what an XPath Injection actually is. XPath is a language for addressing parts of an XML document, designed to be used by both XSLT and XPointer.
• Multiple Dictionaries or Wordlists Using John The Ripper – room362.com
  John the ripper only takes one word list at a time. There are plenty of docs out there that show you how to cat all of your dictionaries into John’s stdin function but I like to run rules against my lists and I didn’t see any how-tos on doing this. Here is my way.
• UPDATE: BeEF v0.4.2.9 alpha! - code.google.com/p/list/downloads/list
  BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which exploit and at which target.
• UPDATE: NetworkMiner 1.1! – sourceforge.net/projects/networkminer/files/networkminer
  NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files
• UPDATE: BodgeIT v1.2.0!- code.google.com/p/bodgeit/download/list
  The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
• Lilith Web Application Security Tool – darknet.org.uk
  LiLith is a tool written in Perl to audit web applications. This tool analyses webpages and looks for html form tags , which often refer to dynamic pages that might be subject to SQL injection or other flaws. It works as an ordinary spider and analyses pages, following hyperlinks, injecting special characters that have a special meaning to any underlying platform.
• Open Source Tool Enables Security Tests For Chip Cards – h-online.com
  At this year’s Black Hat Conference, crypto expert Karsten Nohl of SRLabsdemonstrated the degate tool that can be used to take a closer look at applications stored on smartcards, such as credit cards and SIM cards.

Techniques

• Remote Windows SAM retrieval with VBScript – ox90.co.uk
  There’s no denying that PSExec and FGDump are useful tools on a infrastructure penetration test. FGDump is a problem however, in the fact that it needs to inject into a running process (lsass.dll) and therefore is often blocked by antivirus.
• DB2 SQL Injection: Select With Nth Row Without Cursors – pentesterconfessions.blogspot.com
  Well I’ve looked all over the net for this solution and I could not find the answer so after much trial an error I was able to build my own solution. Lets say you need to query one row at a time from DB2 and you cannot use cursors and specifically you need to query sysibm.systables. I came up with this solution and there may be a more elegant way but this worked.
• Reverse Shell One Liners – bernardodamerle.blogspot.com
  Inspired by the great blog post by pentestmonkey.net, I put together the following extra methods and alternatives for some methods explained in the cheat sheet. There is nothing cutting edge, however you may find this handy during your penetration tests.
• Pentesting WP7 Apps Part 1 – intrepidusgroup.com
  With over 30,000 apps in the marketplace within a year of launch, Microsoft’s Windows Phone 7 platform seems to grabbing consumer attention slowly but steadily. Though the installed user base is nowhere close to that of Android or iOS, Gartner’s predictions notwithstanding, in the last few months we’ve seen an increasing interest from companies on this new mobile platform.
• Who is Logged In? A Quick Way To Pick Your Targets – room362.com
  Say you go for the 500+ shells on an internal test or your phishing exersice goes way better than you thought. Well you need to get your bearings quickly and going into each shell and doing a ps, then looking through the list for all the users logged in is a bit of a pain and defintely not ideal.
• Exploiting The WordpPress Extension Repos – spareclockcycles.org
  Today’s post is kind of long, so I thought I should warn you in advance by adding an additional paragraph for you to read. I also wanted to provide download links for those who’d rather just read the code. It isn’t the cleanest code in the world, so I apologize in advance. I discuss what all of these are for and how they work later on in the post, so if you’re confused and/or curious, read on.

Vendor/Software Patches

• Adobe Closes 14 Holes In Reader and Acrobat – h-online.com
  Adobe has released new versions of Reader and Acrobat to close several critical security holes. Versions 10.x, 9.x and 8.x of both products for Windows, Linux and Mac are affected. Adobe recommends that Reader X and Acrobat X users update to version 10.1.1 as this version offers added protection under Windows through its sandbox.

Other News

• Certificate hacker probably paid by Iran, say victimized firms - computerworld.com
  The CEO of a certificate-issuing company that was hacked in March is even more certain now that a wave of attacks against similar firms is backed by the Iranian government.
• U.S. Agencies Making Progress In Cybercrime – computerworld.com
  U.S. government agencies are getting better at sharing information about cyberattacks with private companies, but cybercrime shows no signs of slowing down, cybersecurity experts told lawmakers Wednesday.
• Seven Ways You Give Thieves Dibs On Your Database – darkreading.com
  Every new data breach that hits the headlines snowballs the embarrassment for the IT security community, especially because this constant follies show revolves around recurring themes.
• U.S. and Australia to add cyber-realm in defense pact – news.cnet.com
  Cyberattacks are about to carry even more weight, with the United States and Australia expected to include them in a mutual defense treaty.The two nations will declare the cyber realm to be part of the 60-year-old treaty tomorrow, Reuters reports. The inclusion will mean that a cyberattack on one country could lead to a response by both.
• Italian Researcher Finds More SCADA Holes – news.cnet.com
  An Italian researcher has uncovered at least a dozen security flaws in software used in utilities and other critical infrastructure systems, prompting security advisories from the U.S. government.

• DefCon 2011
  Leftover notes and resources five weeks after.
• Crack Me If You Can teams – contest.korelogic.com
• Crack Me If You Can InsidePro – contest.korelogic.com
• Crack Me If You Can team john users – contest.korelogic.com
• The Art of Exploiting Lesser Known Injection Flaws Revealed At BlackHat – penetration-testing.7safe.com
  The audience at Black Hat, Las Vegas were recently engaged by an interactive workshop titled ‘The Art of Exploiting Lesser Known Injection Flaws’ presented by 7Safe renowned security researchers Sumit Siddarth and Aleksander Gorkowienko.

Resources

• OWASP Goatdroid - code.google.com/p/owasp-goatdroid/
  The OWASP GoatDroid Project pays homage to the OWASP WebGoat Project. It is a fully functional and self-contained environment for learning more about vulnerabilities and security issues for the Android platform.
• Identifying And Detecting Security Breaches – usa.visa.com
  Visa has a slidedeck posted Identifying and Detecting Security Breaches. Sounds fun! If you’ve been around security for a while, nothing will be new in this deck, but it’s a nice and short to breeze through for ideas if something is missing in your enterprise security posture. Every bullet point also makes for a decent item to review or ask your team (if you have one) to describe how it is handled. (I do believe in role-playing!)
• The Big Fat Metasploit Post – securityaegis.com
  A while ago we tried to identify a core toolset that every pentester should start with or couldn’t live without. The first article focused on Nmap, The second on our list is none other than the exploit framework Metasploit. Instead of reinventing the wheel with Metasploit guides we decided to take all the disparate info on using Metasploit and put it into one place, starting from the basics all the way to advanced testing.

Tools

• The Zaproxy files – code.google.com/p/zaproxy/downloads/list
  An easy to use penetration testing tool.
• WCE v1.2 64-bit version released – hexale.blogspot.com
• The ERPScan WEBXML Checker! – erpscan.com/products
  As all of us know the importance of SAP (short for Systems, Applications and Products) systems. We also know that with increased exposure to new technologies, newer vulnerabilities are found. ERPScan WEBXML Checker, is a new tool from who we consider as a leading entity involved with discovering new SAP related vulnerabilities.

Techniques

• A deeper look at ms11 – 058 – skullsecurity.org
  Two weeks ago today, Microsoft released a bunch of bulletins for Patch Tuesday. One of them – ms11-058 – was rated critical and potentially exploitable. However, according to Microsoft, this is a simple integer overflow, leading to a huge memcpy leading to a DoS and nothing more. I disagree.
• Password Tracking In Malicious iOS Apps – software-security.sans.org
  In this article, John Bielich and Khash Kiani introduce OAuth, and demonstrate one type of approach in which a malicious native client application can compromise sensitive end-user data.
• Apache HTTPD Killer Remote Denial of Service – eromang.zataz.com
  Kingcope has release, the 19 August, on Full disclosure mailing-list a perl script named “killapache.pl“ how can cause to Apache HTTPD Web server a remote denial of service (DoS). The DoS could be done by the attacker with a low requirement of ressources (CPU, memory and bandwidth) causing the targeted Web server to consume a big amount of ressources (CPU and memory). Apache HTTPD 2.0 and 2.2 series are affected by this vulnerability.
• Setting up a persistent trusted CA in an Android emulator - intrepidusgroup.com
  Setting up a persistent trusted CA in the Android emulator is a common problem, encountered any time we assess an application within an emulator, that use SSL properly. The goal is to man-in-the-middle (MITM) traffic from an application running in the Android emulator.
• IIS Search Verb Directory Listing – room362.com
• My Flash 9 Workflow - www.l1pht.com/2011/08/my-flash-9-workflow/
  Just recently I’ve tested a number of web applications that made heavy use of Adobe Flash. Considering I didn’t find a whole lot when I was searching I thought I’d document my current workflow.
• SSH Cheat Sheet – pentestmonkey.net
  SSH has several features that are useful during pentesting and auditing.  This page aims to remind us of the syntax for the most useful features.

Vendor/Software Patches

• Microsoft Releases New Versions of Software Security Tools – threatpost.com
  Microsoft has released new versions of several of its software security tools, including itsThreat Modeling Tool and a pair of fuzzers. All of the tools are part of the company’s Security Development Lifecycle program, which it has been sharing with external organizations for a few years now.

Other News

• BART, Anonymous, and a girl hacker
  The purported hacker who infiltrated the BART’s Police Officers Association website today claims to be a French girl (“Humiliating, huh?”) who executed her first hack, SF Weekly has learned. SF Weekly chatted online with someone who claimed to be the mind behind today’s attack.
• BART Police Website Hacker Claims To Be French Girl On First Hack part 1 – blogs.sfweekly.com
• BART Police Website Hacker Claims To Be French Girl On First Hack part 2 - blogs.sfweekly.com
• Randomly generated passwords at myBART – lightbluetouchpaper.org
• The Great RSA Hack
  The current theory is that a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack.
• How We Found The File That Was Used To Hack RSA - f-secure.com
• Researchers Recover RSA Phishing Attack, Hiding In Plain Sight - wired.com
• Android Malware Explodes, iOS Remains Safe – wired.com
  According to a report by antivirus software maker McAfee, Android is now the “most attacked mobile operating system,” with a jump in malware attacks of 76 percent in the last quarter. This impressive win is even more so when you consider that Android “outpaces second place Java ME threefold”.

• OWASP AppSec 2011
  Capture The Flag briefings
• Capture The Flag – www.appsecusa.org/ctf.html
• AppSecUSA CTF! Another Write Up – notsosecure.com

Resources

• Whitepaper “Python Arsenal For Reverse Engineering” - dsecrg.com
  This whitepaper (beta release) is a collection of various Python engines, extensions, libraries, shells, that aids in the job code for understanding, analyzing and sometimes breaking. The collection consists of more than 40 projects. This document is intended to show the power of Python for RE and also an attempt to systematize a knowledge of the python for RE. This document is useful for beginners and advanced professionals of RE.
• Australian Department of Defence –  iOS Hardening Configuration Guide – djtechnocrat.blogspot.com
  Parts of this guide refer to features that require the engagement of the technical resources of your telephony carrier, firewall vendor, or Mobile Device Management vendor. While every effort has been made to ensure content involving these third party products is correct at the time of writing, you should always check with these vendors when planning an implementation.
• Smartphone Whitepapers - iase.disa.mil/stigs/net_perimeter/wireless/smartphone.html
  Smartphone (iOS, Android, Blackberry, Windows)  guidance documents.

Tools

• Skipfish
  Skipfish is a fully automated, active we application security reconnaissance tool. Its key features are high speed, ease of use, and cutting edge security logic.
• UPDATE: Skipfish 2.01b! – code.google.com/p/skipfish/downloads/list
• UPDATE: Skipfish 2.02b! – code.google.com/p/skipfish/downloads/list
• UPDATE: SQLNinja 0.2.6-rc1! – sourceforge.net/projects/sqlninja/files/sqlninja/
  Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
• UPDATE: Risu v1.4.5! – github.com/hammackj/risu/archives/master
  Risu is a Nessus parser, that converts the generated reports into a ActiveRecord database, this allows for easy report generation and vulnerability verification.
• UPDATE:  BeEF v0.4.2.7-alpha! – code.google.com/p/beef/downloads/list
  BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes. It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target. The user of BeEF will control which browser will launch which exploit and at which target.
• UPDATE: ZAProxy v1.3.1! - code.google.com/p/zaproxy/downloads/list
  The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
• Vega – Open Source Cross Platform Web-Application Security Assessment Platform – darknet.org.uk
  Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
• TLSSLed v1.1 – blog.taddong.com
  A few weeks ago we released TLSSLed v1.0 with the goal of helping organizations to test their SSL/TLS (HTTPS) implementation for common flaws and misconfigurations. Today, we release an updated version, v1.1, that includes some additional tests.
• Durandal: A Distributed CPU/GPU Hashcracker! – durandal-project.org/download.html
  Durandal is a distributed GPU/CPU computingsoftware that aims to crack passwords. Mostly written in C++ with the Boost library, it works on many systems, however it is only built for Windows and GNU/Linux for the moment x64 platforms.
• Sniffer files - github.com/sirg3/Sniffer
  Sniffer is an unoriginally-named packet sniffer with the unique ability of determining which application a packet is coming from (or going to). At the moment it is little more than a prototype to prove that the idea works.
• WebSurgery: A Web Application Secuity Toolkit – www.surgeonix.com/blog/downloads/websurgery/websurgery.zip
  It is a suite of tools for security testing of web applications. It is designed for security auditors to help them with the web application planning and exploitation. Currently, it uses an efficient, fast and stable Web Crawler, File/Dir Brute forcer and Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL Injections, Cross site scripting (XSS), Brute force for login forms.
• Twitter Archiver - blog.stalkr.net
  Twitter is great to get and share information, quickly. But it is all web 2.0 and you cannot use a simple cat or grep to view or search your tweets. I would like to have tweets saved in simple text format: date, user, text – one per line. So here comes Twitter Archiver, a small python script using PTT to archive any public timeline of tweets, in simple text format. Script: archiver.py, patch: archiver.diff.

Techniques

• Shellcode Anatomy
  Hackers are becoming more sophisticated and are investing resources to evade anti-malware detection. As recent breaches have shown, hackers are already seeing the fruits of their labor. In these spear-phishing attacks, the hacker gained access by sending out files (whether PDF, Excel or Word docs) to company employees. All that was needed was a single individual to open that file – and the attacker penetrated the organization.
• Part I of IV – blog.imperva.com
• Part II of IV – coming next week!
• Detecting LDAP Injections – rapid7.com
  It all started to go wrong when Web applications started to replace internal desktop applications in many companies around the globe and one manager proposed: “We should authenticate access to this application using our Active Directory!”
• Reversing Jailbreakme.com 4.3.3 - intrepidusgroup.com
  Wednesday, @comex came out with a new user-level jailbreak available on jailbreakme.com. I wanted to understand exactly how this exploit is able to get root so easily. Here is my workflow, and preliminary analysis of the exploit.
• Decoding Data Exfiltration – Reversing XOR Encryption – crucialsecurityblog.herris.com
  One of the first and most important questions that intrusion analysts are asked after a network attack is “did they steal anything?”. And if so, “what did they take?”. Often, this is also one of the most challenging questions to answer when the analyst only has a post-intrusion forensic image to work with. Frequently, the analyst’s primary objective becomes identifying and locating data exfiltration files.
• SRF Exploit for Joomla 1.6.3 or Lower – sectechno.com
  New exploit has been published that are targeting Joomla 1.6.3 or lower version the vulnerability  allow an attacker to create a specially crafted URL that would execute arbitrary script code on  victim’s browser.
• Injecting O2 into another .NET Process (in this case NUnit.exe) – o2platform.wordpress.com
  Here is a pretty powerful example of what can be done with O2′s .NET reflection APIs. The objective is to start NUnit under the control of an O2 script and to add a new feature to NUnit (in this case a new error viewer)
• Hacking With JSP Shells – netspi.com
  Most enterprise datacenters today house at least a few web servers that support Java Server Pages (JSP). In my experience, at least one will suffer from vulnerabilities that can be leveraged to upload JSP shells and execute arbitrary commands on the server (this especially seems to be the case with preconfigured appliances).
• JavaScript Obfuscation in Metasploit – community.rapid7.com
  As of this writing, Metasploit has 152 browser exploits. Of those, 116 use javascript either to trigger the vulnerability or as a means to control the memory layout of the browser process [1]. Right now most of that javascript is static. That makes it easier for anti-virus and IDS folks to signature. That makes it less likely for you to get a shell.

Other News

• Exclusive first interview with key LulzSec hacker – newscientist.com
  It was early May when LulzSec’s profile skyrocketed after a hack on the giant Sony corporation. LulzSec’s name comes from Lulz, a corruption of LOL, often denoting laughter at the victim of a prank. For 50 days until it disbanded, the group’s unique blend of humour, taunting and unapologetic data theft made it notorious.
• iOpener: How Safe is your iPhone data! – h-online.com
  The greatest current risk for iPhone owners is not viruses or malicious web pages, it is the danger that the phone might fall into someone else’s hands. Although iPhones do offer elaborate security mechanisms, these mechanisms won’t stand up to an imaginative hacker.
• AusCERT jumps the gun on BIND bug release - risky.biz
  AusCERT has broken an embargo, accidentally and prematurely broadcasting a security bulletin pertaining to multiple vulnerabilities in the BIND DNS server earlier today.
• Vsftpd backdoor discovered in source code – update – h-online.com
  Chris Evans, aka Scary Beasts, has confirmed that version 2.3.4 of vsftpd’s downloadable source code was compromised and a backdoor added to the code. Evans, the author of vsftpd – which is described on its web site as “probably the most secure and fastest FTP server for Unix-like systems” – was alerted on Sunday to the fact that a bad tarball had been downloaded from the vsftpd master site with an invalid GPG signature. It is not known how long the bad code had been online.
• Cracking DES faster with John the Ripper – h-online.com
  Version 1.7.8 of John the Ripper, a free password cracker, promises to be up to 20 per cent faster when cracking the Data Encryption Standard (DES) algorithm. The increase in speed is achieved by improvements in the processing of S-box. Although AES (Advanced Encryption Standard) has long been the encryption standard of choice, encryption and decryption with (triple) DES remain useful techniques.
• Which Banks Are Enabling Fake AV Scams? – krebsonsecurity.com
  Fake antivirus scams and rogue Internet pharmacies relentlessly seek customers who are willing to trade their credit card numbers for a remedy. Banks and financial institutions become partners in crime when they process payments to fraudsters.
• Malware Exploit Found for iOS Devices By German Researchers – readwriteweb.com
  Germany’s Federal Office for Information Security issued a warning today that iPhones, iPads and the iPod Touch have “critical weaknesses,” the Associated Press reports. The malware is delivered by an infected PDF that can affect the user’s device without them knowing. The same result would occur when a user visits a website with an infected PDF.
• ‘Sophisticated Cyberattack’ Hits Pacific Northwest National Lab – darkreading.com
  Pacific Northwest National Labs, a research and development facility operated under contract to the Department of Energy, was attacked during the long holiday weekend and is still struggling to restore IT services.
• DHS: Imported Consumer Tech Contains Hidden Hacker Attack Tools – fastcompany.com
  A top Department of Homeland Security (DHS) official has admitted on the record that electronics sold in the U.S. are being preloaded with spyware, malware, and security-compromising components by unknown foreign parties.

• Defcon 19  Quals
  For the third year, I competed with team Shellphish in the Defcon quals. We pulled through with some amazing points at the end to finish in 8th place. My successful contributions, however, were really only with respect to Forensics 100 and 300
  • Defcon 19 Quals Forensics 100 and Forensics 300 solution – bryceboe.com
  • Defcon 19 CTF Pre-Quals: Binary 100 Challenge – blog.securestate.com
  • Defcon 19 CTF Quals: Forensic – 300 – blog.securestate.com
  • Defcon CTF Quals 2011 – Retro 400 – leetmore.ctf.su
  • Defcon CTF Quals 2011 – Pwnables 400 – leetmore.ctf.su
  • GB200 writeup DEFCON CTF quals – nonroot.blogspot.com
  • Quals files collection – daxnitro.com/quals/
  • Defcon 19 Quals Write-up List – rogunix.com/defconquals19.html
  • Pwntent Pwnables 200 Writeup – auntitled.blogspot.com
  • Shell-Storm CTF resources – repo.shell-storm.org/CTF

Resources

• AppSecEU Presentations
  • Brad Arkin of Adobe Corp
  • David Stubley’s APT in a nutshell
  • Giles Hogben INISA
  • Arian Evans on Whitehat Security
• Wordlists from Sownage – l1pht.com
  Here are a few cleaned up wordlists from the sownage files.  There are more than a few throwaways in use here, but it still might be worth a run in a few specific situations.
• TDSS and hacking the hackers – blog.eset.com
  If you’ve been following the research we’ve been publishing (spearheaded by my Russian colleagues Aleksandr Matrosov and Eugene Rodionov) you’ll be aware that the TDL rootkit family doesn’t make use of OS’s own file system.

Tools

• Skipfish Update
  Skipfish is a fully automated, active web application security reconnaissance tool. Its key features: High speed, Ease of use, Cutting-edge security logic.
  • UPDATE: Skipfish-1.91b! – code.google.com/p/skipfish/downloads/list
  • UPDATE: Skipfish-1.92b! - code.google.com/skipfish/downloads/list
• UPDATE: Nmap 5.52.IPv6.Beta2! - nmap.org
  Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
• UPDATE: SWFRETools v1.2.0! – github.com/sporst/SWFREtools/downloads
  The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.
• UDPATE: ZAProxyv1.3.0! - code.google.com/zaproxy/downloads/list
  The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
• RADARE: Reverse engineering framework – radare.nopcode.org
  Opensource tools to disasm, debug, analyze and manipulate binary files. There are small tools also included for better deguging, graphs can be used to link and have a better idea over of the binary.
• Burpsuite free edition v1.4 released – blog.portswigger.net
  This is a major upgrade with numerous new features, including: The ability to compare site maps, functions to help with testing access controls using your browser,support for preset request macros, session handling rules to help you work with difficult situations etc.
• SecureState Releases New Tool  For Footprinting 802.1x Wireless Networks – blog.securestate.com
  Today, SecureState is releasing a new tool for footprinting 802.1x wireless networks called EAPeak. EAPeak is a Python powered script that is meant to parse useful pieces of information for a Security Assessment of wireless networks that use the Enterprise Authentication Protocol.

Techniques

• Defcon Obfuscation Technique
  Feds aren’t the only ones who are paying attention to the demonstrations at security conferences like Black Hat and DEFCON – the folks who actually don the black hats are, also.That point was driven home this week by Kaspersky Lab researcher Marta Janus, who blogged about an interesting new code obfuscation technique that she discovered while analyzing a Polish e-commerce Web site that had been compromised.
  • Hackers Pinch Obfuscation Technique From Defcon presentation – threatpost.com
  • Dangerous Whitespaces – securelist.com

• Using Nmap for Pentesting eDirectory – cqure.net
  While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory and while it’s a lot of LDAP, the servers were also running the Netware Core Protocol (NCP).

Vendor/Software Patches

• Microsoft Patch Tuesday (Tomorrow!)
  Microsoft has announced that it plans to release 16 security bulletins on Tuesday 14 June. The company rates nine of the bulletins as critical; the remaining seven are considered to be “Important”. According to Microsoft, the bulletins will patch a total of 34 vulnerabilities in its products.
  • Microsoft Many Critical Vulnerabilities on Patch Tuesday – h-online.com
  • June Advance Notification Service And 10 Immutable Laws Revisited – blogs.technet.com
• Flash Player Updates
  Adobe and VideoLAN have released security updates for some of their software programs today. Adobe released a new version of Adobe Flash Player which fixes a security vulnerability in the popular application.
  • Flash Player, VLC Security Updates Released – ghacks.net
  • Adobe Flash Player 10.3.181.22

• Wireshark 1.6.0 Released – wireshark.org
  Wireshark 1.6.0 has been released. Installers for Windows, Mac OS X 10.5.5 and above (Intel and PPC), and source code are now available. Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets. Large file (greater than 2 GB) support has been improved.

Other News

• RSA SecurID Revelation
  Lockheed Martin and RSA today each separately confirmed that the breach that compromised RSA’s SecurID authentication technology helped lead to the recent targeted attack aimed at the defense contractor.

• • RSA Offers SecurID Token Repalcement For Customers In Wake Of Lockheed Hack – darkreading.com
  • RSA Finally Comes Clean: SecurID is Compromised – arstechnica.com
  • Replacing RSA SecurID Tokens Not So Simple – darkreading.com
  • Security Alert: RSA Breach and 7 Ways To Secure Your Tokens – stateofsecurity.com
  • On The RSA SecurID Compromise – dankaminsky.com
  • @hdmoore RSA Twitter Update
• The Ocean Bank Trial
  A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.
  • Bank Not Responsible for Letting Hackers Steal $300K From Customer - wired.com
  • Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security – krebsonsecurity.com
• Java Patch Plugs 17 Security Holes - krebsonsecurity.com
  Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program. The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.
• IMF is victim of ‘sophisticated cyberattack’ says report – pcworld.com
  The scope of the attack remains unknown, according to the New York Times, which broke news of the incident Saturday. But it noted that the IMF, which helps manage financial crises around the world, is “the repository of highly confidential information about the fiscal condition of many nations.”

• Outerzone 2011 Hacker Con – irongeek.com
  The following are videos of the presentations from the Outerzone 2011 hacker conference.

Resources

• web.config Security Analyzer
  This little beauty let’s you feed in a Web.config then it comes back and tells you everything you’ve done wrong in the world of security configuration.
  • web.config Security Analyzer – wcanalyzer.com
  • Continuous Web.config security analysis with WCSA and TeamCity – troyhunt.com

• OWASP Top 10
  If you’ve spent any time defending web applications as a security analyst, or perhaps as a developer seeking to adhere to SDLC practices, you have likely utilized or referenced the OWASP Top 10.
  • OWASP Top 10 Tools and Tactics – resources.infosecinstitute.com
  • A Deliberately Vulnerable Set of PHP Scripts That Implement the OWASP Top 10 – irongeek.com

• Focusing on the Spirit of NIST’s Guidance For Continuous Monitoring – blog.coresecurity.com
  The National Institute of Standards and Technology (NIST) has regularly recommended new guidance to help give agencies a clearer deployment path to a more robust information security program.
• Viewpoint Paper on Threats and Vulnerabilities – jps.anl.gov
  I would go even further and argue that understanding Vulnerabilities is more powerful than understanding Threats—regardless of the relative difficulty of TAs vs. VAs.
• The Key Skill-Set of Great Penetration Testers – thehackeracademy.com
  For me, the difference between Keatron’s list and a great penetration tester comes down to one thing: intelligence types.   Specifically, the difference between convergent intelligence and divergent intelligence.

Tools

• Metasploit VNC Password Extraction – room362.com
  I ran into the same issue on Penetration Tests in the past but didn’t know much about the wacked out version of DES that RFB (the VNC protocol) was using.
• Update: Inspathx r66 – code.google.com
  Inspathx is a tool that uses local source tree to make requests to the URL and search for path inclusion error messages.
• Update: JBroFuzz 2.5! – sourceforge.net
  JBroFuzz is a web application fuzzer for requests being made over HTTP or HTTPS. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities.
• Update: Skipfish-1.85b! - code.google.com
  Skipfish is a fully automated, active web application security reconnaissance tool.
• Update: WhatWeb v.0.4.6! – github.com
  WhatWeb next generation web scanner identifies what websites are running. Released at the Kiwicon conference (kiwicon.org) in Wellington, New Zealand.
• Pastenum – Pastebin/pastie enumeration tool - corelan.be
  When conducting a pen-test, the process typically starts with the reconnaissance phase, the process of gathering information about your target(s) system, organization or person.
• The Open Pentest Bookmark Collection v1.4 – securityaegis.com
  News, news, news… Hey guys and gals of the security community.  We are pleased to announce the release of version 1.4 (yes 1.3 squeaked by without a blog post) of the Open Pentest Bookmarks Collection.
• New SNMP Metasploit Modules - carnal0wnage.attackresearch.com
  My new favorite modules (for today) are the snmp_enumusers and snmp_enumshares modules that work against windows hosts that have snmp running.

Techniques

• PenTest Perfect Storm 6: We Love Cisco! – willhackforsushi.com
  In the webcast, hosted by CORE Security Technologies, we discussed attack techniques against Cisco devices, combining wireless, network and web app techniques to exploit common network architectures.
• Metasploit: Adobe Flash CVE-2011 - blog.metasploit.com
  Recently, I spent about a week and a half working on the latest 0-day Flash vulnerability. I released a working exploit on March 22nd 2011. The original exploit was just an attempt to get something working out the door for all of our users.
• Attack using CVE-2011-0609 – f-secure.com
  Attackers have been taking advantage of the situation in Japan to trick their targets into opening malicious files. These cases have used infected Excel attachments with Flash exploits.
• Extracting AP names from Packet Captures – packetstan.com
  Years ago, while working as a Network Engineer, I did a bit of sniffing of our wireless access points. I noticed that some access point, mainly Cisco, broadcast the Access Point’s name.

Vendor/Software Patches

• Apple releases Mac OS x 10.6.7 update – h-online.com
  In the software update notes, Apple also recommends the update “for all early 2011 MacBook Pro models”.
• Firefox 3 Updates and SSL Blacklist Extension – isc.sans.edu
  At the heels of yesterday’s Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version.
• Adobe fixes Vulnerabilities in Flash, AIR and Acrobat - h-online.com
  Adobe has released updates to its Flash Player, Acrobat and Acrobat Reader products to fix related security vulnerabilities in these products that potentially allowed an attacker to compromise a system by means of a crafted SWF embedded in an Excel file.

Vulnerabilities

• SCADA: The Luigi Auriemma files
  The security of critical infrastructure is in the spotlight again this week after a researcher released attack code that can exploit several vulnerabilities found in systems used at oil-, gas- and water-management facilities, as well as factories, around the world.
  • Interview with Luigi Auriemma of 34 0day ICS Vulnerabilities - digitalbond.com
  • Italian Researcher Publishes 34 ISC Vulnerabilities – digitalbond.com
  • Vulnerabilities in some SCADA server software – seclists.org
  • Attack Code For SCADA Vulnerabilities Released Online - wired.com
  • Another zero-day exploit for SCADA systems - h-online.com

• Advanced Exploitation of the recent Flash Zero-Day Vulnerability – blog.fortinet.com
  Looking into it more in-depth, I was then able to confirm that this vulnerability is a perfect real-world example of program flow validation error.

Other News

• The Comodo Conspiracy
  Thus, while an Iranian state-sponsored attack is a plausible theory, it’s not the only one.
  • List of Fraudulently Issued Certificates - comodo.com
  • A brief introduction to web ‘certificates’ - erratasec.blogspot.com
  • No Reason to Believe Comodo Attack Came from Iranian Government – erratasec.blogspot.com
  • Web Browsers and Comodo Disclose A Succesful Certificate Authority Attack, Perhaps from Iran - freedom-to-tinker.com
  • Comodo RA Compromise - isc.sans.edu
  • Microsoft Advisory About Stolen SSL Crtificates – isc.sans.edu
  • Microsoft Warns: Fraudulent digital certificates issued for high value websites - zdnet.com
  • Comodo CA Compromised by Iran? – djtechnocrat.blogspot.com
  • Hack Obtains 9 Certificates to prominent Websites; traced to Iran – wired.com
  • SSL meltdown forces browser developers to update – h-online.com
  • Phony SSL Certificates issued to Google, Yahoo, Skype and others – threatpost.com
  • Fraudulent Certificates Issued by Comodo, is it time to rethink who we trust? – nakedsecurity.sophos.com
  • How the Comodo Certificate fraud calls CA trust into question - arstechnica.com
  • Comodo certificate issue follow up – blog.mozilla.com

• Homegrown: Rustock Botnet fed By U.S. Firms – krebsonsecurity.com
  Aaron Wendel opened the doors of his business to some unexpected visitors on the morning of Mar. 16, 2011.

• HD Moore Releases His Process for Security Research – resources.infosecinstitute.com
  HD Moore is Chief Security Officer at Rapid7 and Chief Architect of Metasploit, the leading open-source penetration testing platform.
• Industrial Control Systems: security holes galore - h-online.com
  It seems that Stuxnet has given many security experts an interest in the potential holes in industrial control and SCADA (Supervisory Control and Data Acquisition) systems.
• McAfee Acquires Sentrigo – securosis.com
  McAfee has had a partnership with Sentrigo for a couple years, and both companies have cooperatively sold the Sentrigo solution and developed high-level integration with McAfee’s security management software.

• ShmooCon CTF 2011 Ghost In the Shellcode – ghostintheshellcode.com
  Congratulations to ppp for winning the second GitS CTF! The game board as it was when the contest ended is now live, though answers are not accepted, nor are any of the exploitable services running.
• Just like the real thing - blog.uncommonsensesecurity.com
  The goal is to build a truly “enterprise class” network, and they pull it off every year.
• RSA 2011
  Last year we produced a pretty detailed Guide to the Conference and it was well received, so – gluttons for punishment that we are – we’re doing it again
  • RSA Guide 2011: Key Themes – securosis.com
  • Researchers To Hit Major Website In Drive-By At RSA – darkreading.com

Resources

• USB Attacks On Linux
  Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years.
  • USB Autorun Attacks Against Linux – linux.slashdot.org
  • ShmooCon 2011 Presentation - blog.iss.net
  • Microsoft says RIP Windows XP AutoRun for USB – itnews.com.au
• Some common infosec job roles and related certifications – resources.infosecinstitute.com
  Most people hear the term Infosec, and they automatically associate that with network and telecom security, but in reality it’s much broader than that.
• Project Ubertooth: Building A Better Bluetooth Adapter – ossman.blogspot.com
  Video of my presentation,Project Ubertooth: Building a Better Bluetooth Adapter, at ShmooCon 2011 is now online.
• Apple iOS Push Notifications: Security Implications, Abuse Scenarios, and Countermeasures – blogs.sans.org
  In this article, I will briefly introduce details of how APN works and present scenarios of how insecure implementations can be abused by malicious parties.
• Cisco 4Q10 Global Threat Report - blogs.cisco.com
  The Cisco 4Q10 Global Threat Report is now available for download. The report showcases data from the 4th calendar quarter (October 1, 2010 – December 31, 2010).
• ShmooCon 2011 Debriefing - blog.fortinet.com
  First, just like in BlackHat DC 2011, this year’s conference had several talks on smart phones. Good news! I was however slightly surprised they all concerned Android.
• Five Key Design Decisions That Affect Security In Web Applications - blogs.sans.org
  Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come.
• What netsec-like podcasts do you listen to? - risky.biz
  I’m having a hard time getting my fill of security related news and discussion. I’m down to two podcasts that I listen to weekly.
• Exploit Kits – A Different View – securelist.com
  Exploit kits are packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware.
• Password/Word Lists – room362.com
  Brute force, even though it’s gotten so fast, is still a long way away from cracking long complex passwords.
• Multi-State Information Sharing & Analysis Center CyberSecurity Digital Dashboard – msisac.org
  I stumbled upon this and was kind of impressed.

Tools

• PDF Exploit Disguised As A Xerox Scanned Document - labs.m86security.com
  Most office network printers and scanners have a feature that sends scanned documents over email. Cyber crooks however, have imitated email templates used by these devices for malicious purposes
• The Honeynet Project Releases New Tool: PhoneyC - chuvakin.blogspot.com
  As promised, I will be reposting some of the cool new announcements from The Honeynet Project here on my blogsince I now serve as Project’s Chief PR Officer.
• MetaSploit Framework 3.5.2 Released – blog.metasploit.com
  On February 1st, Eduardo Prado of Secumania notified us of a privilege escalation vulnerability on multi-user Windows installations of the Metasploit Framework.
• Open SCAP v0.6.8 released – open-scap.org
  The OpenSCAP Project was created to provide an open-source frameworkto the community which enables integration with the Security Content Automation Protocol (SCAP) suite of standards and capabilities.
• SSL Diagnosis v0.8.1a released – sourceforge.net
  SSL Diagnos is used to get information about SSL usage (protocols ssl2, ssl3, tls, dtls, and ciphers). It can also be used for testing and rating ciphers on SSL clients.
• Passwords shared between rootkit.com and gawker – terminal23.net
  This is a classic journo case of an editor-sensationalized title for an article that doesn’t really get reasonable until the last two paragraphs where it kinda puts the brakes on calling password reuse “endemic.”
• UPDATE: Nmap 5.51! – nmap.org
  Wow! In about two weeks time, another Nmap release! We now have Nmap version 5.51! The last release was Nmap 5.50, which we wrote about here.
• eEye to Release Free Vulnerability Scanner with Zero -Day Identification and Configuration Auditing – eeye.com
  eEye Digital Security, a provider of IT security and unified vulnerability management solutions, today announced the pre-release of Retina Community.
• UPDATE: Fiddler v2.3.2.3! - fiddler2.com
  Our first post regarding Fiddler, the web debugger can be found here. On the 13th of February, an update was released.
  

Techniques

• A Python Domains Extractor From IPs – blog.kaffenews.com
  I developed it in 5 mins just because I had to do a PT on a list of IP Addresses and it was needed to get the Domains from IPs.
• TrueCrypt
  After I read the documentation and some reviews I realize that it is a very secure piece of software that implements many high level features so I knew I will not be easy, at least in theory.
  • Cracking a TrueCrypt Container - shortinfosec.net
  • TrueCrypt Self-Bruteforce - q-protex.com
• What is Mausezahn? – peripheral.at
  Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.
• Proxocket
  • Proxocket - sethioz.co.uk
  • Proxocket – DLL Proxy For Winsock – darknet.org.uk
  • Proxocket – A Winsock Proxy Sniffer - netresec.com

• Move over tsgrinder/tscrack hello ncrack – carnalOwnage.attackresearch.com
  So thanks to mubix for telling me that ncrack now supports RDP. very cool stuff.
• Left or right handed passwords - justanotherhacker.com
  Are you left or right handed? How about your password? English based passwords seem to be predominantly left handed.
• Hidden bandit Inside NeoSploit - symantec.com
  Over the last few years, Symantec has observed a substantial rise in the use of exploit kits.
• Breaking web security – it’s all about RCS – net-ninja.net
  I will be discusing ways in which we can include error handling, anonymimity and how we can build the exploit so that the auditor has a reliable and flexible weapon.
• Decoding HTML Style tag based malicious frames - research.zscaler.com
  Injecting clear text or obfuscated malicious Iframes has become a common attack vector.
• Universe’s best and legal Mac OS X reversing tutorial for newbies – reverse.put.as
  I have decided to re-release my beginners tutorial, this time based on a crackme, so it deserves the upgrade to Universe instead of World.
• Android Gmail App: Stealing Emails via XSS - spareclockcycles.org
  This post documents an XSS vulnerability that I discovered in the default Gmail app (v1.3) provided by Google in Android 2.1 and prior.
• Android Reverse Engineering – thomascannon.net
  This project all started when I was asked tot ake a look at a software product that was under evaluation.
• Forensic Examination of Pointsec Encrypted Drives - dfsforensics.blogspot.com
  Many organizations use Pointsec (Check Point) full disk encryption in order to keep their data secure, especially in the case of laptops.
• Blackhole exploits kit attack growing - research.zscaler.com
  Recently, we have seen an increase in Blackhole exploit kit attacks. Blackhole is yet another web exploit kit developed by Russian hackers.
• Better Passwords In Under 200 Characters - blog.wearpants.org
  Good password security is a pain in the neck. Done properly, it requires a different password for every site.

Vendor/Software Patches

• February 2011 Microsoft Black Tuesday Summary – isc.sans.edu
  Here are the February 2011 Black Tuesday patches.  Enjoy!
• Adobepatch
  Adobe released updates for Reader for 9.4.2 and 10.0.1.  While this page on Adobe’s site doesn’t actually list them correctly, if you drill down into the actual product and OS, you’ll see the updates listed for 2/8/2011.
  • Adobe Reader 9.4.2 and 10.0.1 Updates are out - isc.sans.edu
  • Adobe patches for Shockwave, Flash, Reader, and Cold Fusion – isc.sans.edu
• Adobe, Microscoft, WordPress Issue Security Fixes – krebsonsecurity.com
  Talk about Patch Tuesday on steroids! Adobe, Microsoft and WordPress all issued security updates for their products yesterday. In addition, security vendorTipping Point released advisories detailing 21 unpatched vulnerabilities in products made by CA, EMC, HP, Novell and SCO.
• VMWare Security Advisory - vmware.com
  Updated versions of the Cisco Nexus 1000V virtual switch address a denial of service in VMware ESX/ESXi.

Vulnerabilities

• Last August, TippingPoint said they will enforce a six-month disclosure on bought bugs that haven’t been patched. Today, TippingPoint rolled out 22 - dvlabs.tippingpoint.com
  These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010.
• Comcast DOCSIS 3.0 Business gateways Multiple Vulnerabilities – exploit-db.com
  With these default credentials, internal attackers can modify deviceconfigurations to leverage more significant attacks, including redirection of DNS requests.

Other News

• Anonymous vs. Aaron Barr/HBGary
  A security researcher claims to have infiltrated the higher echelons of the Anonymous organisation and identified key leaders’ names and addresses.
  • Anonymous infiltrates the HBGary security company, which was tasked with infiltrating Anonymous by the FBI –  reddit.com
  • Researcher claims to have infiltrated Anonymous high command - v3.co.uk
  • HBGary Federal Hacked by Anonymous – krebsonsecurity.com
  • Anonymous hacks security company HBGary, Dumps 50,000 emails online - readwriteweb.com
  • Measuring password re-use empirically - lightbluetouchpaper.org
  • Anonymous Attacks US Security Company – guardian.co.uk
  • rootkit.com cleartext passwords – dazzlepod.com
  • How One Man Tracked Down Anonymous – And Paid A Heavy Price – wired.com
  • HBGary’s conversations with Feds – uiu.me
  • HBGary’s conversations with the Feds pt. 2 - uiu.me
  • blow by blow of how Anonymous gained root access on rootkit.com – dazzlepod.com
  • The Report on Anonymous by Aaron Barr - cryptome.org
• Rootkit.com’s MySQL database leaked – stfu.cc
  Come on, I know it’s /r/netsec, so we should be familiar with checking URLs before clicking, but I’d expect at least a warning before clicking a direct download of a company’s database.
• Hatfields and McCoys 2011 Style – 1raindrop.typepad.com
  By itself its an derisive, throw away comment that security people make about developers all the time, and of course developers are not averse to throwing haymakers back at security people.
• Sony Marketing Man Tweets PS3 Master Key - twitpic.com
  My life is complete. Sue yourself, Sony.
• iPhone Password Hack
  Researchers in Germany say they’ve been able to reveal passwords stored in a locked iPhone in just six minutes and they did it without cracking the phone’s passcode.
  • iPhone Attack Reveals Password In 6 Minutes - techworld.com.au
  • iPhone Hacked and Passwords Stolen In Just 6 Minutes - cyberarms.wordpress.com
  • How to steal passwords from a locked iPhone - nakedsecurity.sophos.com
  • Researches steal iPhone password in 6 minutes – engadget.com
• Secret Plan To Kill WikiLeaks With FUD Leaked – wikileaks.ch
  Three information security consultancies with links to US spy agencies cooked up a dirty tricks campaign late last year to destroy Wikileaks by exploiting its perceived weaknesses.
• Hackers hit ‘at least five oil and gas firms’ – bbc.co.uk
  Hackers have run rampant through the networks of at least five oil and gas firms for years, reveals a report.
• Night Dragon attacks: myth or reality – nakedsecurity.sophos.com
  Many readers will have seen the press around a series of hacking attacks that have been labelled the ‘Operation Night Dragon’ attacks by McAfee.

• ShmooCon 2011
  Getting to ShmooCon each year is always challenging (as is trying to get home). Mother Nature seems to enjoy disrupting the travel to and from the conference, which is held in Washington, D.C in January or February of each year.
  • ShmooCon 2011 – intrepidusgroup.com
  • ShmooCon 2011 Conference Wrap Up - blog.tenablesecurity.com
• US Cyber Challenge 2011
  The Center for Internet Security’s US Cyber Challenge today kicked off an online competition to identify high school students possibly interested in cybersecurity career.
  • High school cybersecurity competition kicks off – itknowledgeexchange.techtarget.com
  • New Contest To Promote Cyber Security Skills In Teens – threatpost.com
• Participate remotely on the OWASP Summit - diniscruz.blogspot.com
  The OWASP Summit is gearing up to be an amazing event. If you are not able to make it in person to Portugal, then please make the time to participate remotely.
• Announcing Pwn2Own 2011 - dvlabs.tippingpoint.com
  It’s that time of year again and the Zero Day Initiative (ZDI) team here at HP TippingPoint is proud to announce the 5th annual Pwn2Own competition is back.

Resources

• 2010 Top Web Application Hack Attacks – chaptersinwebsecurity.blogspot.com
  I must admit that I was curious just like everybody else, what 2010 will look like, retrospectively, through the eyes of the international infosec community.
• TiGa’s Video Tutorial Site – woodman.com
  TiGa’s video tutorial series on IDA Pro.
• Mobile Security Tips – f-secure.com
  With data charges getting cheaper and technologies in mobile computing getting more powerful, mobile devices are becoming more like a small personal computer.
• ShmooCon 2011 FireTalks
  • FireTalks at ShmooCon 2011, Night 1 – vimeo.com
  • FireTalks at ShmooCon 2011, Night 2 – vimeo.com
  • Net Neutrality, the FCC, and the end of the Internet as we know it - vimeo.com
• OMG-WTF-PDF Denouement – blog.fireeye.com
  I recently gave this presentation at the 27th Chaos Computer Congress in Berlin. For some reason, the slides never made it from Pentabarf to the Fahrplan.
• Guide to Security for Full Virtualization Technologies – csrc.nist.gov
  The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.
• ShmooCon 2011 Library
  This year I talked about my improvements to VERA over the past 6 months. Much of the talk was centered around live demos, which unfortunately did not make it to the slides. The new tracing module and updated versions of the VERA code will be posted here soon.
  • ShmooCon 2011: Visual Malware Reversing – offensivecomputing.net
  • ShmooCon 2011: Zigbee Security: Find, Fix, Finish – youtube.com
  • ShmooCon 2011 video collection - reddit.com
• So you think your *capability* model is bad? – Icamtuf.blogspot.com
  In his recent post, Brad Spengler mocked the Linux capability system – a somewhat ill-conceived effort to add modern access controls on top of the traditional Unix permission model.

Tools

• Password Length Matters - justanotherhacker.com
  In fact, it matters so much that the term password is just plain wrong. Passphrase is better, and I did mean to start using that term instead.
• UPDATE: Cain & Abel v4.9.38 – oxid.it
  Our previous post regarding Cain & Abel can be found here. Now, oxid.it has released an updated Cain & Abel version 4.9.38!
• Another update to gdbinit for iOS and ARM support to ptool.pl and offset.pl – reverse.put.as
  I have fixed some of the missing stuff in gdbinit for iOS. Now the jump conditions are displayed for ARM and Thumb modes and the “stepo” command is working for ARM and semi-working for Thumb (to be fixed in the next release).
• THC Hydra v6.1 released – vulnerabilitydatabase.com
  THC-Hydra – the best parallized login hacker: for Samba, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support and is part of Nessus.
• Majordomo2- Directory Traversal (SMTP/HTTP) – exploit-db.com
• GoogleDiggity
  The Google Hacking Diggity Project is a research and development initiative dedicated to investigating the latest techniques that leverage search engines, such as Google and Bing, to quickly identify vulnerable systems and sensitive data in corporate networks
  • Exclusive!! GoogleDiggity the exclusive Google hacking project v0.2 - stachliu.com
  • SharePoint – GoogleDiggity dictionary file – stachliu.com
• Pentesting Web Services with WS-Attacker v1.0 - sourceforge.net
  WS-Attacker is a modular framework for web services penetration testing. It is a free and easy to use software solution, which provides an all-in-one security checking interface with only a few clicks.
• I found a hotmail “exploit” that allows me to change a large percentage of people’s passwords – reddit.com
  As the title says, I found an exploit on Hotmail that allows me to change hotmail/msn/live passwords for people using their service.
• InformIT: comparing static analysis tools – mail-archive.com
  There are cases where dynamic and static each have clear strengths. Pragmatic combination of the two has promise in solving a broad spectrum of test-cases.
• UPDATE: NetworkMiner 1.0 - sourceforge.net
  Fresh off the compiler again! A newer version of NetworkMiner has just been released a few hours ago! The updated NetworkMiner version 1.0 is out!
• QuickRecon: A Simple Information gathering Python Script! - pypi.python.org
  The first submission for the year 2011! We are proud to present to all of you QuickRecon. It is a simple information gathering tool.
• GWT-Penetration-Testing-Toolset – github.com
  A set of tools made to assist in penetration testing GWT applications. Additional details about these tools can be found on my OWASP.

Technique

• Java Cisco Group Password Decrypter - neohapsis.com
  For whatever reason I have found myself needing to “decrypt” Cisco VPN client group passwords throughout the years.
• Darkshell: A DDos bot targeting vendors of industrial food processing equipment - asert.arbornetworks.com
  This week, we continue our efforts to document the crowded space of Chinese DDoS bots by analyzing Darkshell.
• Padocon 2011 CTF Karma 400 exploit: the data re-use way – vnsecurity.net
  Karma 400 at Padocon 2011 Online CTF is a fun challenge. The binary was provided without source code, you can reach its decompiled source at disekt’s team writeup.
• Exploiting SEH Overwrites Using ROP - blog.metasploit.com
  In the final days of 2010, an exploit for the Windows CreateSizedDIBSECTION vulnerability was added to the Metasploit trunk.
• TaskManager.xls – blog.didierstevens.com
  TaskManager.xls is a simple taskmanager implemented in Excel/VBA. It can list the running processes; and terminate, suspend or resume selected processes.
• Exploiting Networks with Loki on Backtrack 4 R2 - packetstan.com
  Loki is the impressive layer 2/3 network manipulation tool by Daniel Mende, Rene Graf and Enno Rey of ERNW.
• Unchecked redirection + URL shortener = Spam – research.zscaler.com
  Recently, I found several legitimate sites, with bad coding practices,  used to redirect users to spam sites with the help of URL shorteners.
• Adobe Reader X stops malicious PDF spam campaign dead in its tracks – nakedsecurity.sophos.com
  A new malicious spam campaign underlines the security benefits of upgrading to the latest version of Adobe Reader – Adobe Reader X.
• Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac memory reader – computer-forensics.sans.org
  In Part 1 of this post, I showed you how to acquire the contents of physical RAM of a Mac OS X computer using ATC-NY’sMac Memory Reader, and did some simple analysis using strings and grep searches.
• ShmooCon Ghost in the Shellcode 2011 – ppp.cylab.cmu.edu
  Just got back from ShmooCon and it seems that some people want a writeup for the taped challenge. I highly encourage you to try it yourself first, because once you see the bug, it takes away some of the fun.

Vendor/Software Patches

• Critical Adobe Reader X Patches On Deck - threatpost.com
  Adobe will join Microsoft on the security patch treadmill next Tuesday (February 8, 2011) with “critical” updates for code execution holes in its flagship Adobe Reader and Adobe Acrobat products.
• Patch Tuesday heads -up: Critical flaws in Windows, Internet Explorer - zdnet.com
  As part of this month’s Patch Tuesday schedule, Microsoft plans to ship a dozen bulletins with fixes for 22 vulnerabilities, some serious enough to allow hackers complete access to a vulnerable Windows machine.

Vulnerability

• Veracode Free JAVA Cross-Site Script Scanning Service - veracode.com
  As we know – cross-site scripting(XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.
• Cisco Security Advisory: Default Credentials for Root Account on Tandberg E, EX and C Series Endpoints - cisco.com
  Tandberg C Series Endpoints and E/EX Personal Video units that are running software versions prior to TC4.0.0 ship with a root administrator account that is enabled by default with no password. An attacker could use this account in order to modify the application configuration or operating system settings.

Other News

• ATM Skimmers That Never Touch The ATM – krebsonsecurity.com
  Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, which involve cleverly disguised theft devices that sometimes appear off-color or out-of-place.
• Facebook flaw allowed websites to steal user’s personal data without consent - nakedsecurity.sophos.com
  A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.
• Research Reveals Huge Cache Of FTP, Email Credentials Stolen By Waledac - threatpost.com
  Researchers have discovered that the gang behind the once-and-future botnet Waledac has gathered nearly 500,000 stolen passwords for email accounts, along with close to 125,000 sets of pilfered credentials for FTP accounts.
• Red Gate: We could not make the free model work for us as a commercial company – zdnet.com
  If you’re a .NET developer, chances are you’ve heard of .NET Reflector, a decompilation, debugging, and reverse engineering tool for managed code.
• IPv6-What’s New – blogs.cisco.com
  IPv6 is becoming more widely deployed as the availability of IPv4 addresses continue to decline. In June, Cisco will be participating in World IPv6 Day, a 24-hour global “test drive” of IPv6 that is organized by the Internet Society.
• New Android Market web store could open backdoor for phone hackers - nakedsecurity.sophos.com
  If you follow the Google Android operating system scene, you will probably have heard about the new, web-based Android Market store which was launched a few days ago.
• How To: Forensically Sound Mac Acquisition in Target Mode – computer-forensics.mac.org
  It is really a matter of personal opinion, Mac’s are an engineering marvel just ask anyone that has had to remove a hard drive from a Mac for forensic imaging and then try to put it back together properly.