Resources:
- WASC Threat Classification to OWASP Top Ten RC1 Mapping – jeremiahgrossman.blogspot.com
A table of the OWASP Top 10 in relation to the WASC list. - Wireshark Network Analyzer Mind Map – mindcert.com
A mind map for Wireshark - OWASP O2 Platform – owasp.org
O2 is a collection of open source modules to help webapp security professionals.
Tools:
- SiteDigger v3.0 Released 12/01/2009 – layeredsec.com
SiteDigger searches Google’s cache for vulns, security issues in websites. - 2009-exploits – packetstormsecurity.org
An archive of exploits added to Packet Storm last year. - Thoughts about Open Source Community in RE – ragestorm.net
A few words about the diStorm disassembler and the community - CUDAdbCracker – Cracking Using CUDA – security-database.com
This tool is a salted SHA-1 cracker using CUDA enabled videocards. - fimap – Remote & Local File Inclusion (RFI/LFI) Scanner – darknet.org.uk
A small python tool for finding and auditing file inclusion bugs in webapps - WatiN v2.0 RC 1 – Web Application Testing in .NET – security-database.com
The testing automation tool for webapps is updated with a new release candidate. - WAFP v0.01 – Web Application Finger Printer – security-database.com
WAFP fetches files and checks their checksums vs. a Finger Prints checksum. - fspy – v0.1.1 – Linux Filesystem Activity Monitoring Tool – security-database.com
This is a fast, small activity monitoring tool for Linux filesystems. - sslciphercheck v1.2.0 – woany.co.uk
An update that includes support for standard GET HTTP requests, among others. - mssqlfp – code.google.com
A tool for version fingerprinting of Microsoft SQL Servers - OpenSCAP v0.5.6 Released – security-database.com
The SCAP framework tool is updated with a new checking mechanism, among others. - Burp Suite v1.3 released – portswigger.net
A new release of Burp features a new message editor, AMF-encoding support, among others. - Web scanning comes to the Cloud – rootshell.be
iiScan is a new online and free vulnerability scanner for websites. - iPhone Wardriving Just Got Better – synjunkie.blogspot.com
A review of WiFi-Where
Techniques:
- Hiding password hashes and a new sha1 Oracle password cracker – petefinnigan.com
A few thoughts and links about securing passwords and breaking them. - MySQL exploit demo – intevydis.com
A Flash movie on a Vulndisco exploit - Sun Web Server 7 exploit demo – intevydis.com
Another Flash movie, this time featuring heap overflow - Off Topic: Creating Metasploit Exploit Modules Step By Step (Tutorial!) – sans.org
A screencast on how to go about turning a exploit into a Metasploit module. - A checklist approach to security code reviews, part 3 – securityninja.co.uk
The ninja continues his series by discussing secure storage and secure development. - PDF file loader to extract and analyse shellcode – hexblog.com
An explanation on how to write a file loader in IDC and Python to extract shell code from malicious PDFs. - NAT Pinning and ABE – hackademix.net
Some feedback on NAT pinning and prevention of attacks using this. - SiteMinder Single Sign-On / Security Risks – cktricky.blogspot.com
A critique on insecure single sign-on implementations and using SiteMinder. - Glastopf – Web Application Honeypot – ethicalhack3r.co.uk
How to use Glastopf to attract vulns via emulation
Vulnerabilities:
- Adobe, Javascript and the CVE-2009-4324 Exploit – eset.com
A warning on defending against the new Javascript exploit - NIST-certified USB flash drives cracked wide open
A security firm has cracked the encryption used for transfering sensitive US government data.- Flash drive manufacturers warn: Hackers can decrypt ‘secure’ USB sticks – sophos.com
- Secure USB Flaw Exposed – darkreading.com
- Decrypting USB flash drives is easy – erratasec.blogspot.com
- Researcher Rates Mac OS X Vulnerability ‘High’ – darkreading.com
The vulnerability is a potential buffer overflow error arising from the use of the strtod function in Mac OS X’s underlying Unix code. - D-Link Routers: One Hack to Own Them All – sourcesec.com
A flaw in D-Link’s CAPTCHA can prove to be a backdoor into the admin settings interface.
Other News:
- Obama cyber czar choice worries about smartphones social networking – sfgate.com
Some of the thoughts of Howard Schmidt, the new cyber czar, on cybersecurity in the US. - Adobe Security Chief Defends Javascript Support – slashdot.org
The company says it’s impossible to completely remove Javascript support without causing major compatibility problems. - 2009 Annual Report – pandasecurity.com
A year-in-review report for malware by Panda Labs. - Adobe Reader, Acrobat, Flash Player updater coming – sunbeltblog.blogspot.com
A comment on the popularity of Adobe with malware makers and how the company is fighting against it. - Samy worm writer publishes proof-of-concept location hack
With the use of XSS, an attacker can plug your MAC address and find out your location via Google.- Hack Pinpoints Victim’s Physical Location – darkreading.com
- Hacker pilfers browser GPS location via router attack – theregister.co.uk
- Samy’s twitter – twitter.com
Samy Kamkar, Samy worm author and creator of the above attack, is now on Twitter.
- Research Consolidation: Gartner Acquires Burton Group For $56M In Cash – techcrunch.com
An IT professional consultancy company is acquired by Gartner.
Leave A Comment