Events Related:
- Second w3af training @ New York – bonsai-sec.com
The ninja training course is focused on manual and automated discovery and exploitation of web application vulnerabilities using w3af.
- AppSec DC and OWASP Global Summit 2009 – owasp.blogspot.com
- AppSec Brazil 2009 – Call for Participation – owasp.blogspot.com
Schedules for upcoming OWASP conferences plus a few reminders.
- SecTor 2009 Presentations – sector.ca
A list of the presentations and videos from the Canadian security event.
- Notes from Cornerstones of Trust Conference – chuvakin.blogspot.com
Some takeaways from the Bay Area conference.
- Watch the #brucon videos online in our vimeo channel – brucon.org
No download needed to view these videos from this event held in the EU capital.
- Randy Smith of UPS Presents on Web App Security at SC World Congress Event – cenzic.com
A presentation from the recent security event.
Resources:
- Small Business Information Security: The Fundamentals – csrc.nist.gov
This is a simple, easy-to-understand introduction to information security, focused on the small business.
- Oracle Hacker’s Handbook Book Review – carnal0wnage.attackresearch.com
A review of the handbook touted as required reading for hacking into Oracle databases.
- Six Steps Toward Better Database Security Compliance – darkreading.com
No matter what regulations say, securing the database is a critical part of any compliance effort.
Tools:
- NatProbe – code.google.com/p/natprobe
This useful program tries to send an ICMP packet out of the LAN to detect NAT hosts.
- Check for compromised mail-account – serversniff.de
An online tool for checking email credential security.
- Mozilla Plugin Check – mozilla.com
A tool from the makers of Firefox to check whether your browser plugins are up to date.
- VIPER Lab’s VAST Live Distro – VoIP Security Testing LiveCD – darknet.org.uk
VAST is a VIPER Lab live distribution that contains VIPER-developed tools.
- Deep Packet Inspection Engine Goes Open Source – darknet.org.uk
Deep packet inspection is an extremely niche area and requires great expertise.
- Nikto 2.1.0 release – cirt.net
The update includes a new plugin engine and caching, among other changes.
- Cain & Abel v4.9.34 – oxid.it
Cain & Abel is a password recovery tool for Microsoft operating systems.
Techniques:
- USB Device Parsing Logparser Scripts – sans.org
Using Microsoft’s Log Parser, you can catalogue the USB devices present in a network.
- Oracle Openworld 2009 – SQL Injection Presentation – red-database-security.com
A presentation about SQL injection and using Netsparker.
- Blind SQL Injection in Oracle – slaviks-blog.com
This post describes SQL injection types, examples for web apps, and blind SQL injection into Oracle databases.
- Spoofing users and programs and presenting at OWASP – petefinnigan.com
Using a Java thin client, you can spoof client details in V$SESSION views.
- Cross Site Scripting Payloads – bonsai-sec.com
The vulnerability that we’re going to be exploiting is a persistent cross site scripting in Achievo.
- Update: PDFiD Version 0.0.9 to Detect Another Adobe 0Day – didierstevens.com
More details are coming in a future post, but for now check out the newest version.
- Cyber Security Awareness Month – Day 13 Proxies (TCP 3128, 8080 & ……) – isc.sans.org
If not patching today, maybe make today your “check for open proxies in my network” day.
- HITB Malaysia 2009 and sandboxing – scarybeastsecurity.blogspot.com
The blogger presented on various intriguing aspects of sandboxing on Linux during the Hack In The Box conference.
- ePerolehan – SQL Injection – security.org.my
An injection vulnerability was found in the ePerolehan website.
- Waiting for patches to release to WSUS – terminal23.net
The reality of patching is that it is not quite as easy as we always make it sound.
- The Curse of the Flash Exploit – symantec.com
Malware authors often leave hidden messages in files for analysts to find or for other malware authors to see.
- Adoption of X-FRAME-OPTIONS Header – sans.org
One of the more viable solutions to clickjacking is the X-FRAME-OPTIONS header, which allows a site to control whether its content can be displayed within a frame.
- GOP Posts Password, Admin Instructions on New Web Site – nydailynews.com
In their haste to get their new site up, the Republican Party posted online instructions on how to operate that site.
- Exploiting suid binaries – hexesec.wordpress.com
A quick refresher on exploiting suid bits (and why they’re so darn evil).
- More on reDuh – carnal0wnage.attackresearch.com
reDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests.
- Analysis of 10k Hotmail Passwords Part 2 – reusablesec.blogspot.com
A few thoughts on this surprising exposure of passwords and user credentials.
- Create Table to OSDBA – oracleforensics.com
A new paper has a demo on bypassing Oracle directory controls as well as protection against this.
- Abusing VLANs With BackTrack – synjunkie.blogspot.com
The aim is to demonstrate why simply placing hosts in a separate VLAN might sometimes not be enough.
Vulnerabilities:
- Latest PDF Zero Day Leads to Exploit Egg Hunt – avertlabs.com
The currently unpatched exploit opens the door to code execution when a victim simply reads a malicious PDF document.
- Old WordPress Versions Under Attack – lorelle.wordpress.com
Reports are that this attack impacts ALL versions of WordPress up to 2.8.3 and 2.8.4, the most recent release.
- Adobe recommends disabling JavaScript to avoid PDF hack attack – computerweekly.com
Users of Adobe Reader should disable JavaScript to avoid a zero-day hacking attack.
- Windows plugin opens security hole in Firefox
An add-on that Microsoft silently slipped into Mozilla’s Firefox leaves the browser open to attack, Microsoft acknowledged.
- Sneaky Microsoft plug-in puts Firefox users at risk – computerworld.com
- .NET Framework Assistant Blocked to Disarm Security Vulnerability – mozilla.com
- Firefox’s Immune System – hackademix.com
Mozilla’s response to the recent security hole: blocking plugins that might be vulnerable.
- How To Stop Automatic Plugin Installations In Firefox – ghacks.net
- How To Uninstall Windows Presentation Foundation Plugin In Firefox – ghacks.net
A DIY fix for prohibiting unauthorized plugin installs by third parties.
- Update: .NET Framework Assistant (ClickOnce support) unblocked – shaver.off.net
Vendor/Software Patches:
- Adobe patches Reader and Acrobat
Aside from fixes, the update includes a new deployment tool for future updates.
- Microsoft security update
A slew of updates from Redmond to fix issues in Silverlight, IE, IIS and others.
- October 2009 Security Bulletin Release – technet.com
- MS09-050: Exploit timeline for the SMB2 RCE vulnerability – technet.com
- MS09-051: A note on the affected platforms – technet.com
- MS09-054: Extra info on the attack surface for the IE security bulletin – technet.com
- MS09-056: Addressing the X.509 CryptoAPI ASN.1 security vulnerabilities – technet.com
- MS09-061: More information about the .NET security bulletin – technet.com
- New attack surface reduction feature in GDI+ – technet.com
- Microsoft Ships Largest Batch of Security Patches – threatpost.com
- Patch Tuesday: MS plugs critical IE, Windows Media Player holes – zdnet.com
- Assessing the risk of the October security bulletins – technet.com
- Oracle to fix 38 database, product vulnerabilities – zdnet.com
Oracle announced plans to ship a Critical Patch Update with fixes for at least 38 security vulnerabilities in its products.
Other News:
- Avoid Windows Malware: Bank on a Live CD – washingtonpost.com
Don’t use Microsoft Windows when accessing your bank account online.
- E-Banking on a Locked Down (Non-Microsoft) PC – washingtonpost.com
Live CDs of Ubuntu help stop a majority of malware, since most of it targets Windows machines.
- Snow Leopard guest account bug deletes user data – appleinsider.com
Reports of a potentially critical Snow Leopard bug that can erase a user’s account data have continued to surface since the operating system’s debut.
- Thawte discontinues Web of Trust for free SSL certificates – h-online.com
Thawte advises its WOT users to switch to VeriSign certificates as soon as possible to allow sufficient enrollment time.
- Big-Box Breach: The Inside Story of Wal-Mart’s Hacker Attack – wired.com
Internal documents reveal that the nation’s largest retailer was among the earliest targets of a wave of cyberattacks.
- Passenger Advocate Sues Delta for Allegedly Hacking Her E-Mail – wired.com
The founder of FlyerRights.org found that her AOL email was being redirected to an unknown site.
- Sweden’s Internet broken by DNS mistake – pingdom.com
A DNS error caused the .se domain to stop responding for roughly a couple of hours.
- Security Vendor Illegally Collects and Displays Attendee Information at Security Conference – andrewhay.ca
At a recent security conference, information on users of the site’s wired network was posted on a public ‘wall of shame’.
- Hacker High: 10 Stories of Teenage Hackers Getting into the System – itsecurity.com
A few real-life stories of teens getting into trouble with the law through unsupervised hacking.
- Show Me the Malware! – googleonlinesecurity.blogspot.com
Webmaster Tools now provides webmasters with samples of the malicious code that Google’s automated scanners detected on their sites.
- Hacked Facebook applications reach out to exploit sites in Russia – avg.com
These seem to be actual Facebook applications that have been hacked, not just user accounts.
- Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers – cisco.com
The advisory outlines vulnerabilities in HTTP authentication, among others.