- ShmooCon 2010 Presentations – shmoocon.org
Slides and video from sessions during the DC conference.
- Some posts related to the RSA Conference
- Some BSides SF posts
- Verizon Incident Metrics Framework Released – verizonbusiness.com
Our goal is to be able to create data sets that can be used and compared because of their commonality.
- Web Application Security Trends Report – cenzic.com
The report incorporates findings from Cenzic’s leading-edge managed security assessment (SaaS) and research from Cenzic Intelligent Analysis (CIA) Labs.
- Final Course and Exam Review: Pen Testing with BackTrack – ethicalhacker.net
The Pentesting with BackTrack course was originally released as Offensive Security 101 and consists of 3 separate training segments.
- Web Security Dojo – mavensecurity.com
A free open-source self-contained training environment for Web Application Security penetration testing.
- WebRaider v0.2.3.8 – code.google.com/p/webraider
WebRaider focuses on getting a shell from multiple targets or injection points.
- Product Watch: Free Tool Cleans Up ‘Rusty,’ Unsafe Firewall Settings – darkreading.com
Matasano Security rolls out open-source product that cleans up and checks firewall configurations for security holes.
- HPING3 Cheatsheet – professionalsecuritytesters.org
Some examples are included to show how to handle special cases with this tool.
- ASPsh – A remote shell written in ASP. – skypher.com
The goal of this project was to create an ASP page that can be used on a server to provide a “command line shell”-like experience.
- Internet Exploiter 2 – bypassing DEP – skypher.com
I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in.
- Quickpost: NetworkMashup.xls – didierstevens.com
NetworkMashup.xls is a spreadsheet with VBA macros to execute pings and name/address resolution from within Excel with WIN32 API calls.
- Announcing Elevation of Privilege: The Threat Modeling Game – silverstr.ufies.org
If you have a team that is new to the whole process of threat modeling, you will want to check it out.
- RSA 2010: Experts Expect Several Ciphers to Be Cracked Soon – threatpost.com
Cryptographers are expecting several of the major cryptographic systems in use today to be broken in the near future.
- RSA 2010: Cryptographers Discuss Wisdom of ‘Foolishness’ – threatpost.com
By going against the grain, new objectives can be made and boundaries overcome.
- Top 25 Series Posts
SANS posts discussing the CWE/SANS Top 25 Most Dangerous Programming Errors, one entry per rank.
- Top 25 Series – Rank 2 – SQL Injection – sans.org
- Top 25 Series – Rank 3 – Classic Buffer Overflow – sans.org
- Top 25 Series – Rank 4 – Cross Site Request Forgery – sans.org
- RSA: Visualizing the Zeus attack against government and military – holisticinfosec.blogspot.com
For the article I discuss NetGrok and AfterGlow.
- Metasploit auxiliary module FILE_AUTOPWN – houseofhackers.ning.com
Metasploit auxiliary file_autopwn module – Video Tutorial
- SSH gymnastics with proxychains – pauldotcom.com
For this discussion I will be focusing on SOCKS4 proxies set up with the SSH -D parameter.
- Top 10 Hacks of 2009 and WAF Mitigations – tacticalwebappsec.blogspot.com
In case you were not able to attend his RSA talk, I am going to outline which items can be addressed by WAFs.
- Study on cloud security threats – h-online.com
Among the identified potential threats are malicious programs such as the Zeus botnet and the InfoStealing trojan.
- Fifteen Common Activities from BSIMM2 – informit.com
Part of what makes BSIMM interesting is its basis in actual data from real software security initiatives.
- IT Audit: 3 Easy Steps to Finding Rogue Wireless Clients – sans.org
You can easily discover if there are hosts from your network connecting to unprotected networks nearby and figure out which hosts are the rogues.
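The check described in the SANS post, as an added example that is not the article's own code: it reads a two-section CSV in the layout airodump-ng writes (access points, a blank line, then stations), finds stations associated to an access point the organisation does not operate, and flags any whose MAC is in the asset inventory. The capture, the inventory and the corporate BSSID are constructed sample data, and the column names are assumed from the airodump-ng CSV header.

```python
"""Flag corporate hosts associated to open or WEP Wi-Fi networks nearby.

Added example, not code from the SANS article. The CSV layout (access
points, blank line, stations) and column names are assumed from the
airodump-ng CSV header; all data below is constructed.
"""
import csv
import io

# Constructed sample in airodump-ng CSV layout (not a real capture).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-03-08 09:00:01, 2010-03-08 09:30:12, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0, 8, CorpWiFi,
66:77:88:99:AA:BB, 2010-03-08 09:00:05, 2010-03-08 09:30:10, 11, 54, OPN, , , -62, 98, 0, 0.0.0.0, 9, FreeCoffee,
CC:DD:EE:FF:00:11, 2010-03-08 09:02:00, 2010-03-08 09:29:55, 1, 54, WEP, WEP, , -70, 77, 14, 0.0.0.0, 7, linksys,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1B:63:AA:01:01, 2010-03-08 09:01:00, 2010-03-08 09:30:00, -45, 300, 00:11:22:33:44:55, CorpWiFi
00:1B:63:AA:01:02, 2010-03-08 09:03:00, 2010-03-08 09:29:00, -60, 150, 66:77:88:99:AA:BB, FreeCoffee
00:1B:63:AA:01:03, 2010-03-08 09:04:00, 2010-03-08 09:28:00, -72, 40, CC:DD:EE:FF:00:11, linksys
A4:5E:60:12:34:56, 2010-03-08 09:05:00, 2010-03-08 09:27:00, -58, 90, 66:77:88:99:AA:BB, FreeCoffee
00:1B:63:AA:01:04, 2010-03-08 09:06:00, 2010-03-08 09:26:00, -80, 5, (not associated), CorpWiFi
"""

# Constructed asset inventory: wireless MAC -> hostname.
INVENTORY = {
    "00:1B:63:AA:01:01": "lt-alice",
    "00:1B:63:AA:01:02": "lt-bob",
    "00:1B:63:AA:01:03": "lt-carol",
    "00:1B:63:AA:01:04": "lt-dave",
}

# BSSIDs the organisation operates (constructed); anything else is "nearby".
OUR_BSSIDS = {"00:11:22:33:44:55"}

# Privacy values treated as unprotected. WEP is included on purpose:
# it is broken, so an auditor should treat it like an open network.
UNPROTECTED = {"OPN", "WEP"}


def parse_airodump_csv(text):
    """Split an airodump-ng style CSV dump into (aps, stations) lists of dicts.

    airodump-ng pads every field with a leading space, so skipinitialspace
    keeps the header names and values clean.
    """
    ap_text, station_text = text.strip().split("\n\n", 1)
    aps = list(csv.DictReader(io.StringIO(ap_text), skipinitialspace=True))
    stations = list(csv.DictReader(io.StringIO(station_text), skipinitialspace=True))
    return aps, stations


def find_rogues(aps, stations, inventory, our_bssids, unprotected=UNPROTECTED):
    """Return (hostname, station_mac, essid, privacy) for every inventory host
    associated to an access point we do not operate whose privacy is in
    `unprotected`. Unassociated stations and foreign devices are ignored."""
    ap_by_bssid = {ap["BSSID"].upper(): ap for ap in aps}
    rogues = []
    for st in stations:
        mac = st["Station MAC"].upper()
        bssid = st["BSSID"].upper()
        if mac not in inventory:
            continue  # a neighbour's device, not our asset
        ap = ap_by_bssid.get(bssid)
        if ap is None:
            continue  # "(not associated)" or an AP we never saw beaconing
        if bssid in our_bssids:
            continue  # on our own infrastructure, as expected
        privacy = ap["Privacy"].strip()
        if privacy in unprotected:
            rogues.append((inventory[mac], mac, ap["ESSID"], privacy))
    return rogues


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for host, mac, essid, privacy in find_rogues(aps, stations, INVENTORY, OUR_BSSIDS):
        print(f"{host} ({mac}) is associated to {essid!r} [{privacy}]")
```

On the sample above this reports lt-bob on the open "FreeCoffee" network and lt-carol on the WEP "linksys" network; lt-dave is only probing for the corporate SSID and is not associated, so it is not flagged. Against a real dump, feed it the `.csv` that `airodump-ng -w <prefix>` writes and an inventory exported from your asset database.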
- How big is the ideal dick…tionary? – skullsecurity.org
I’ve been working on collecting leaked passwords/other dictionaries.
- Study of BlackBerry Proof-of-Concept Malicious Applications – smobilesystems.com
This research exposes the weakened security posture of devices that operate under the BlackBerry Internet Service environment.
- Proof-of-concept exploits IE using help files.
It uses a malicious dialog box which will trigger the execution of arbitrary code when the user presses the F1 key.
- Microsoft Security Advisory (981169) – microsoft.com
- Help keypress vulnerability in VBScript enabling Remote Code Execution – technet.com
- Microsoft: Don’t press F1 key in Windows XP – computerworld.com
- RSA compromised?
Researchers at the University of Michigan say they have uncovered a way to circumvent encryption used on many devices.
- ‘Severe’ OpenSSL vuln busts public key crypto – theregister.co.uk
Private keys pilfered through power supply
- U.S. Department of Defense Goes Social…Yes, Really! – readwriteweb.com
The U.S. Department of Defense gave all users of unclassified computers in the .mil domain access to popular social networking sites.
- DoD 8570 and GIAC Certification – sans.org
Department of Defense Directive 8570 provides guidance and procedures for the Information Assurance functions in assigned duty positions.
- On the EC-Council’s Certified Ethical Hacker (CEH) Certification – informit.com
In my humble or not-so-humble opinion, the U.S. Department of Defense was wise to overlook the CEH.
- Feds Commence Huge Data Center Consolidation – datacenterknowledge.com
The federal government has begun what looms as the largest data center consolidation in history.
- Wiseguys Indicted in $25 Million Online Ticket Ring – wired.com
The defendants made more than $25 million in profits from the resale of the tickets between 2002 and 2009.
- Qualys to scan Web sites for malware – cnet.com
Qualys is set to launch on Monday a free service for Web site operators that will scan their sites for malware.
- Most resistance to ‘Aurora’ hack attacks futile, says report – theregister.co.uk
Most businesses are defenseless against the types of attacks that recently hit Google and at least 33 other companies.
- Cyberwar hubbub
All the latest buzz about the rumored war on the Internet
- Cyberwar Hype Intended to Destroy the Open Internet – wired.com
- White House Cyber Czar: ‘There Is No Cyberwar’ – wired.com
- State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test – darkreading.com
Veracode app-testing data demonstrates that application security still has a ways to go.
- Shamir acknowledges chip-and-PIN attack as his favorite – techtarget.com
Every year Adi Shamir brings something new to the table at the annual RSA Conference Cryptographers’ Panel.
- Microsoft wants to put infected PCs in rubber room – theregister.co.uk
A top Microsoft executive is floating the idea of creating mandatory quarantines for computers with malware infections that pose a risk to internet users.
- Regulators Revisit E-Banking Security Guidelines – krebsonsecurity.com
The guidance was meant to prod banks to implement so-called “multifactor authentication”.
- Apple hires ex-Mozilla security chief – h-online.com
Snyder, head of security at the Mozilla Foundation, is joining Apple as senior security product manager.
- Cybersecurity plan outed
Schmidt also announces release of unclassified version of Obama administration’s plan for securing government, private industry networks
- Cybersecurity Czar Outlines Priorities – darkreading.com
- U.S. Declassifies Part of Secret Cybersecurity Plan – wired.com
- US government publishes parts of its cyber security directive – h-online.com
- Mariposa botnet taken down
Three Spaniards have reportedly been arrested for gaining control of more than 13 million computers.
- Spanish police release details about Mariposa arrests – h-online.com
- How FBI, police busted massive botnet – theregister.co.uk
- Mariposa botnet – pandasecurity.com
- ‘Mariposa’ Botnet Authors May Avoid Jail Time – krebsonsecurity.com
- In focus: Mariposa botnet – technet.com
- RSA Highlight: Howard A. Schmidt – eset.com
An interview with the cybersecurity coordinator
- Wi-Fi finders let thieves track down hidden laptops – networkworld.com
Thieves with increasingly sophisticated, directional Wi-Fi detectors can home in on the laptop’s radio even when the PC is hidden away.
- Narus develops a scary sleuth for social media – itworld.com
The new program, code-named Hone, is designed to give intelligence and law enforcement agencies a leg up on criminals.
- Privacy With a 4096 Bit RSA Key — Offline, On Paper – slashdot.org
The Dutch security company Safeberg developed an Offline Private Key Protocol, with an asymmetric key scheme.
- Professional Script Kiddies vs Real Talent – snosoft.blogspot.com
Do you want to work with a security company that launches attacks against your network with tools that they do not fully understand?
- Krebsonsecurity Author Twice Honored – krebsonsecurity.com
The SANS Institute polled 75 cybersecurity journalists and asked them to rank the top peers in their field.
- Security Pros Question Deployment of Smart Meters – wired.com
The country’s swift deployment of smart-grid technology has security professionals concerned.
- Symantec exhibit makes cybercrime tangible – cnet.com
Symantec has created a Black Market exhibit that attempts to make these virtual ideas more tangible.
- Hacking human gullibility with social penetration – theregister.co.uk
So-called social penetration techniques are more reliable and easier to use in identifying chinks in client fortresses.