Events Related:
- Special Publication 800-53 Revision 3 Workshop – guerilla-ciso.com
Ron Ross from NIST will talk about how the NIST Risk Management Framework is changing to a more dynamic “real-time continuous monitoring”.
Resources:
- (IN)SECURE Mag Issue 22 – net-security.org
The free publication includes the top 5 myths of wireless protection, security for multi-enterprise applications and more.
Tools:
- GrAudit – justanotherhacker.com
Graudit is a simple script and signature set that allows you to find potential security flaws in source code using the GNU utility grep. - Websecurify v0.3 – code.google.com/p/websecurify/
Websecurify Security Testing Runtime identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies. - Burp Suite Pro v1.2.16 – portswigger.net
Improved handling of AMF messages, to support some data types which were previously omitted. - MySqloit v0.1 – code.google.com/p/mysqloit/
MySqloit is a SQL Injection takeover tool focused on LAMP and WAMP platforms. - BackTrack FRHACK Version – Another Linux Bootable PenTest Distro based on Backtr – professionalsecuritytesters.org
It’s a pentesting live dvd coming from FRHACK. - Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10 – irongeek.com
A set of exploit scripts for safe study of the OWASP Top 10 - Jasager – digininja.org
Jasager is an implementation of Karma designed to run on OpenWrt on the Fon.
Techniques:
- Weaponizing the Web at Defcon 17 – mcgrewsecurity.com
Shawn Moyer and Nathan Hamiel’s talk at Defcon 17, Weaponizing the Web: More Attacks on User-Generated Content, is now available on Vimeo. - What’s in Your Folder: Security Cheat Sheets – securitymonks.com
These guides are also very useful in any training program, helping remind students of the essential information. - Pass the Hash Metasploit Demo – room362.com
Here is a quick no nonsense PTH video I made for the guys over at SecurityAegis. - GPU Password Recovery For Rar Archives – ghacks.net
The password recovery software is a command line utility.
Vulnerabilities:
- New security hole in IIS5&6 and FTP
Microsoft advises about a new exploit that can give attackers system privileges through IIS and FTP- Microsoft Security Advisory (975191) – microsoft.com
- Microsoft Security Advisory 975191 Revised – technet.com
- IIS 5.0 FTP Server / Remote SYSTEM exploit – milw0rm.com
- New vulnerability in IIS5 and IIS6 – technet.com
- Microsoft Security Advisory 975191 Released – technet.com
- FTP service of Microsoft IIS 5 and 6 vulnerable to attacks – Update 2 – h-online.com
- Microsoft IIS 5.0/6.0 FTP Remote Stack-based Buffer Overflow – rec-sec.com
- Microsoft FTP in IIS vulnerability now under attack – zdnet.com
- Microsoft IIS FTP Server NLST Buffer Overflow Clarifications – secunia.com
- A quick grep on recent IIS FTP 0day – hkashfi.blogspot.com
- Plugin Spotlight: Microsoft IIS FTP Server NLST Remote Buffer Overflow Vulnerability – tenablesecurity.com
- ActiveX Vulnerability Outed
Remote exploitation in ATL/MFC ActiveX template allows attackers to read memory contents within Internet Explorer.- Microsoft ATL/MFC ActiveX Security Bypass Vulnerability – securiteam.com
- Microsoft ATL/MFC ActiveX Information Disclosure Vulnerability – securiteam.com
- RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence – techcrunchit.com
Today came news that an XSS vulnerability had been found in the RubyOnRails development framework. - Older WordPress versions vulnerable to attack
A worm is hitting some self-hosted WordPress blog that inserts hidden spam into older posts.- How to Keep WordPress Secure – wordpress.org
- WordPress blogs falling prey to worm – cnet.com
- WordPress Under Attack, Upgrade Now – laughingsquid.com
- Checking Your WordPress Security – dougal.gunters.org
Other News:
- How to Recover Your Firefox Master Password – lifehacker.com
FireMaster is a command line tool designed specifically to recover your master password from Firefox. - Passwords leakage from MS SQL Server – slaviks-blog.com
Turns out that SQL Server saves in clear text user credentials of users logging in using SQL Server native authentication. - Hiring hackers (part 2) – networkworld.com
The second installment in a series on how to recruit and interview hackers for corporate work. - Firefox Spyware Add-On Adobe Flash Player 0.2 – ghacks.net
The spyware add-on injects ads into Google search results pages and every Google search query is transferred to a third party server.
Leave A Comment