Events Related:
- It’s the 26the Chaos Communication Congress! A roundup of recent related news to this event.
- The CCCs retrospect for 2009 – events.ccc.de
A look back at some of the happenings in this conference - 26c3 Backstage – events.ccc.de
A few observations on what happens behind the curtain in this congress. - The Official 26C3 Twitter Feed – twitter.com
- Conference Recordings for 26C3 – events.ccc.de
A list of the released videos for this event plus errata and mirror download sites. - Dragons Everywhere: The 26th Chaos Communication Congress, Part 1 – avertlabs.com
- Dragons Everywhere: The 26th Chaos Communication Congress, Part 2 – avertlabs.com
A summary of the events of the 26C3 held in Berlin
- The CCCs retrospect for 2009 – events.ccc.de
Resources:
- NetCat Mind Map – mindcert.com
A mind map of some security tools covered during a pentesting course. - 8 Basic Rules to Implement Secure File Uploads – blogs.sans.org/appsecstreetfighter
A few simple basics to think about when implementing file uploads in your site. - Backtrack 4 “Full” Disk Encryption How-to Minor Updates – infosecramblings.com
An update to the post on how to create an encrypted bootable Backtrack thumb drive. - SQL Injection Resources – owasp.blogspot.com
A few links to sites related to SQL injection. - The WASC Threat Classification v2.0 – webappsec.org
The threat classification is an effort to classify weaknesses and attacks that can lead to the compromise of a website, its data or its users. - Penetration Testing Framework v0.57 Released – security-database.com
PTF is updated
Tools:
- 26C3: Protection against Flash security holes – h-online.com
Blitzableiter is a proactive tool that helps clean Flash code prior to playback. - Happy Holidays (Project Updates) – metasploit.com
Some quick updates included by the project team during the holiday break. - Meterpreter pivoting improved – darkoperator.com
Some of the improvements of Meterpreter are displayed in this post. - Wapiti v2.2.0 (Vulnerability Scanner For Web App) Released – security-database.com
Some new features include modules for searching weak .htaccess files, additional options for scanning, among others. - DECAF 2 Launched, Takes on More Than Just COFEE – djtechnocrat.blogspot.com
Now back from being recalled, this tool now monitors usage of other forensic software. - Meterpreter persistence – darkoperator.com
A script that generates and uploads its own payload that provides a backdoor to the system. - John the Ripper 1.7.4 Released – security-database.com
This fast password cracker gets an update. - Suricata released! – inliniac.net
This open source, next generation intrusion detection and prevention tool is now in open beta. - DirChex_v1.2 Released (New Functionality) – cktricky.blogspot.com
New tabs and more in this update.
Techniques:
- New options in msfconsole session command – darkoperator.com
A post about 2 recent additions to Metasploit - Popup &Focus URL Hijacking – ha.ckers.org
A short look into using Javascript to hack a user’s browsing session - Exploiting Microsoft IIS with Metasploit – metasploit.com
How to use msfencode to exploit IIS file name parsing - Generic cross-browser cross-domain theft – scarybeastsecurity.blogspot.com
A simple way to hijack data from a page and how it works. - MySQL support in Metasploit – bernardodamele.blogspot.com
The integration sqlmap in the tool gives hackers power to exploit databases more easily. - Metasploit payload format galore – darkoperator.com
Inserting exploit payloads are easy with all the export options in Metasploit. - Exporting the Registry for Fun and Profit – metasploit.com
Some thoughts on WinScanX and the Remote Registry service - The Undeletable SafeBoot Key – didierstevens.com
A solution to stopping malware from deleting your SafeBoot Key and preventing you from booting into Safe Mode. - Meterpreter token manipulation – darkoperator.com
Some new code enables manipulating tokens much easier when running as System. - Safe, reliable hash dumping – metasploit.com
Meterpreter’s hashdump and its ins and outs.
Vulnerabilities:
- GSM code cracked wide open
A speaker at the 26C3 in Germany announced success at breaking the cellular standard- GSM crypto code cracked, engineer says – cnet.com
- 26C3: GSM hacking made easy – h-online.com
- GSM Decryption Published – slashdot.org
- GSM Encryption Cracked… GSMA’s First Response? That’s Illegal! – techdirt.com
A missive on the wrong focus of the cellular standards authority regarding the recent GSM cracking news.
- 26C3: Network design weaknesses – h-online.com
The vulnerabilities of existing networks was demonstrated at the recent Berlin conference. - What’s up with port 12174? Possible Symantec server compromise? – isc.sans.org
A LANDesk vuln on older Symantec servers lead to nasty malware dumps. - Quantum Encryption Implementation Broken – slashdot.org
A theoretically perfect encryption method is broken by exploiting hardware flaws. - Microsoft IIS Vulnerability Found
Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be potentially bypass certain security restrictions.- New Reports of a Vulnerability in IIS – technet.com
- Microsoft IIS ASP Multiple Extensions Security Bypass – djtechnocrat.blogspot.com
- Results of Investigation into Holiday IIS Claim – technet.com
An official word from Microsoft says the issue isn’t with them, it’s with how the server with IIS is configured.
- PayPal vs Fake PayPal: Can You Tell the Difference? [PIC] – mashable.com
A look at how the new ICANN policy on non-Latin character might open a whole new can of phishing worms.- 26C3: Encryption code for DECT mobile phones cracked – h-online.com
On top of the GSM decryption, hackers have also unraveled the security used in cordless phones. - RFID emulator – hackaday.com
A video on a DIY RFID reader and emulator.
Vendor/Software Patches:
- Microsoft patched 190 exploits in 2009 – neowin.net
Looking back at all the updates and bulletins has issued this past year.
Other News:
- Mega-D brought to its knees
A three-man team breaks one of the most powerful botnets in the world- Man Challenges 250,000 Strong Botnet and Succeeds – slashdot.org
- How Three Guys Dismantled One of the World’s Most Powerful Botnets – gizmodo.com
- Adobe Flash To Be Top Hacker Target in 2010 – slashdot.org
The popularity of flash in social sites have made it the new focus of cybercriminals in the coming year.
- 370 banned passwords on Twitter
Twitter bans all obvious passwords off the bat to prevent you from endangering yourself.- Twitter’s List of 370 Banned Passwords – businessinsider.com
- Badly implemented password security – msmvps.com/blogs/spywaresucks
- RockYou 32 Million Password List Top 100 – reusablesec.blogspot.com
A comparison of the RockYou hacked password list and Twitter’s blocked password list. - 26C3: Nothing to crack in “Legic Prime” RFID chip cards security system – h-online.com
A couple of intrepid hackers explain how easy it is to read data off these smartcards. - RockYou Sued Over User Data Breach – gigaom.com
A user brings the social media startup to court for their recent failure to protect user’s private data.
- 26C3: Encryption code for DECT mobile phones cracked – h-online.com
Leave A Comment