Events Related:
- Belated RSA postings
Some last-minute RSA catch-ups:
- RSA 2010 – Day 1 Metricon – chuvakin.blogspot.com
- RSA 2010 – Day 2-3 – chuvakin.blogspot.com
- RSA 2010 – Day 4-5 – chuvakin.blogspot.com
- Ninja Networks Twitter – twitter.com
Follow ninjanetworks @ twitter leading up to and during DEFCON for Ninja badge and event information.
- Hackers In Japan – hackerspaces.org
The primary idea is to do a nice trip with hackers from all around the world to Japan.
- A few hacker challenges coming up
- smp Capture The Flag (CTF) 2010 Hacker Olympics – smpctf.com
- The Mid-Atlantic Regional CCDC 2010 Event – Part I – tenablesecurity.com
- The Mid-Atlantic Regional CCDC 2010 Event – Part II – tenablesecurity.com
Resources:
- Internet Crime Complaint Center Annual Reports – ic3.gov
All the data about hacking incidents and related attacks in one neat report.
- Charlie Miller on Mac OS X, Pwn2Own and Writing Exploits – threatpost.com
An interview with the well-known hacker on his latest projects and future plans.
- Facebook @ OWASP – owasp.org
Part of the wiki on OWASP’s site dedicated to the most popular social network on the planet.
- Black Hat Webcast: Pen Testing the Web with Firefox – scribd.com
The slides from the recent presentation.
- The current state of the crimeware threat – Q&A – zdnet.com
One of the guys behind the takedown of the Waledac summarized 33GB of crimeware data.
Tools:
- Verizon Incident Sharing Framework – taosecurity.blogspot.com
Richard Bejtlich participates on a board affiliated with the VerIS framework.
- Fimap v0.8A – code.google.com/p/fimap/
Fimap is a Python tool which can find, prepare, audit, exploit and even search the web automatically for LFI/RFI bugs in web apps.
- Presenting the Meraki WiFi Stumbler… – meraki.com
The first browser-based wireless scanner lets you find networks (even hidden ones) using any system.
- sqlmap 0.8 – bernardodamele.blogspot.com
Damele releases an update to his SQL injection tool.
- ZigBee: attack of the killer bees – h-online.com
Developer Joshua Wright intends to release KillerBee for testing the security of ZigBee networks.
- WhatWeb v0.4 – morningstarsecurity.com
This is the next-generation web scanner.
- OWASP JBroFuzz 2.0 Fuzzer Released! – owasp.blogspot.com
An update on the fuzzer from OWASP, featuring better fuzzing, keyboard shortcuts and more.
- Buck Security – buck-security.sourceforge.net
Buck Security is a collection of security checks for Linux.
- skipfish – code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool, straight from Google.
- FireCAT v1.6.2 – firecat.fr
The auditing extension catalogue now features BackendInfo in its list.
- Digital Forensics Framework v0.5 – digital-forensic.org
DFF is a simple but powerful open source tool with a flexible module system which will help you in your digital forensics work.
- Jericho Forum Offers Free Security Product Assessment Tool – darkreading.com
Jericho Forum has created a free self-assessment tool for security vendors and buyers to determine the security of their products in cloud-based environments.
- XSSploit v0.5 – scrt.ch
It has been developed to help discovery and exploitation of XSS vulnerabilities in penetration testing missions.
- Cookie Monster – tomneaves.com
Cookie Monster will grab cookies from a host and assign each character a number.
Techniques:
- Looking for malware in all the wrong places? – itworld.com
Some thoughts on how malware scanning should evolve in the future.
- Effing with Foursquare
Goofing around with the popular location service, courtesy of carnal0wnage:
- F**king With Foursquare – carnal0wnage.attackresearch.com
- F**king With Foursquare Goes MSF Style – carnal0wnage.attackresearch.com
- QuickZip Stack BOF : A box of chocolates – part 2 – offensive-security.com
How to build a QuickZip exploit using a pop pop ret pointer from an OS DLL.
- Blazing fast password recovery with new ATI cards – net-security.org
Get some crazy cracking power by utilizing your GPU.
- Network Analysis, Logitech Mouse Server – digitalbond.com
A bored hacker takes aim at the server program of Logitech’s iPhone app.
- Fresh exploit served up with ads – avg.com
A politically motivated exploit based on Liberty arises.
- Inline vs. Out-of-Line WAF Deployments – tacticalwebappsec.blogspot.com
A response to an article about Web Application Firewall considerations.
- Auto-Scanning the Names People Choose For Their Wireless APs – slashdot.org
One wardriver gathered AP names on his commute for fun and… well, more fun.
- Archiving Windows System Files for Binary Diffing – l1pht.com
I present for your viewing pleasure… binaryeti.
- Technical Report: “Abusing Social Networks for Automated User Profiling” – honeyblog.org
Its focus is on automatically collecting information about users based on the information available in different networks.
- Top 25 series
The SANS Top 25 security flaws series comes back for another week.
- Weaponizing dnscat with shellcode and Metasploit – skullsecurity.org
As long as the server has a DNS server set that will perform recursive lookups, it’ll work great!
- Penetrating Intranets through Adobe Flex Applications – gdssecurity.com
In this post, I’ll show how you can exploit Flex applications that use BlazeDS to gain access to internal networks.
- The Latest Adobe Exploit and Session Upgrading – metasploit.com
An exploit against Adobe was ported to Metasploit with interesting results.
- Naming and Shaming ‘Bad’ ISPs – krebsonsecurity.com
The Washington Post security expert analyzes and pinpoints ISPs with outstanding abuse issues.
- Skipfish, Google Enters the Web Scanner Fray – redspin.com
The new scanner from GOOG is tested and reviewed.
- Burp Suite Tutorial – Repeater and Comparer Tools – securityninja.co.uk
A few words on the Repeater and Comparer security tools inside the Burp Suite.
- Sniffing with Wireshark as a Non-Root User – packetlife.net
Use your Linux box with Wireshark without running it as root.
- Hijacking Blackberry Internet Browsing – remote-exploit.org
You can actually force a BlackBerry to use a rogue access point for Internet browsing without any special user interaction.
- Exploit’s new technology trick dodges memory protection – h-online.com
JDuck has discovered the first malicious PDF files which use Return Oriented Programming technology to bypass DEP.
Vulnerabilities:
- Trouble Ticket Express Exploit in the Wild… – isc.sans.org
A day ago, a proof-of-concept exploit for the Trouble Ticket Express help desk software was made public.
- Spamassassin Milter Plugin Remote Root Attack – isc.sans.org
It appears that the bad guys have started to actively exploit SpamAssassin’s milter vulnerability.
- Flaw in Virtual PC hits the fan
The vulnerability, which is unpatched, essentially allows an attacker to bypass several major security mitigations.
- Vulnerability in Virtual PC? – windowsteamblog.com
- Microsoft Virtual PC Flaw Lets Hackers Bypass Windows Defenses – threatpost.com
- Holes in Apple’s software to be showcased in CanSecWest
Charlie Miller ran a three-week scan to find app vulnerabilities among several vendors.
- 20 critical Apple vulnerabilities to be revealed – net-security.org
- Mac OS X: “safer, but less secure” – Update – h-online.com
- Mozilla Acknowledges Critical Zero Day Flaw in Firefox – threatpost.com
It is a critical flaw that could result in remote code execution on a vulnerable version 3.6 of Firefox.
Vendor/Software Patches:
- Stopgap IE Fix, Safari Update Available – krebsonsecurity.com
A couple of browser updates to keep your computer fit and healthy.
- Simple workarounds for latest IE security vulnerability – h-online.com
As posted above, Microsoft has released a workaround to solve your IE security woes.
Other News:
- Airline buys competitor’s cheap seats so you can’t – gadling.com
Some anti-competitive tomfoolery using online ordering and some hacking by a Danish carrier.
- Humans continue to be ‘weak link’ in data security – computerworlduk.com
A UK study shows that data breach costs are rising, too; too bad we can’t just release a patch to fix “Hu-mans”.
- The Future of Botnets – threatpost.com
Malware-as-a-service is envisioned to take off in a different and scary way.
- Conversations With a Blackhat – ha.ckers.org
An insight into the mind of a person wearing the “other” type of hat.
- Iran hacks US spy sites, arrests 30 activists – computerworlduk.com
Iran’s Islamic Revolutionary Guards Corps hacked into 29 websites affiliated with US espionage networks.
- Reality star turns back on TV to fight cybercrime – sophos.com
Spencer Pratt quitting The Hills to battle the looming national cyberthreat? Or just another reality prank?
- Cyber crime losses in US almost ‘double’ during 2009 – bbc.co.uk
Losses due to online crime totalled $560m in 2009, up from $265m the previous year.
- Internet safety video could win you $10,000 – cnet.com
Trend Micro launched a contest where the person who submits the best short video can win a heap of cold, hard cash.
- Security Pros With Written Career Plans Make More Money – darkreading.com
Around 60 percent of those who have written career plans earn more than $100,000 a year.
- Waledac-based news from the front
- What we know (and learned) from the Waledac takedown – technet.com
- Waledac Botnet Now Completely Crippled, Experts Say – threatpost.com
- Latest Intel processor security features – erratasec.blogspot.com
The updated “Westmere” processors are boosted with new security features.
- New Trick to View Hidden Facebook Photos and Tabs – theharmonyguy.com
A neat trick to peek at hidden stuff from your friends.
- Undercover Feds on Social Networking Sites Raise Questions – wired.com
Law enforcement agents are using Facebook and MySpace as investigative tools to root out crooks.
- Academic Paper in China Sets Off Alarms in U.S. – nytimes.com
One Chinese researcher publishes a proof-of-concept attack that could shut down the entire US power grid.
- SQL Injection License Plate Hopes to Foil Euro Traffic Cameras – gizmodo.com
This should teach them to sanitize database inputs.
- Researchers Map Multi-Network Cybercrime Infrastructure – krebsonsecurity.com
The infamous Troyak botnet is analyzed and taken down.
- Change in Focus – securityfocus.com
Symantec buys off a popular security community site, and the future of the site is pondered.
- a $16 pocket spectrum analyzer – ossmann.blogspot.com
Michael Ossmann transforms a teeny-bopper messaging device into a spectrum analyzer.
- The tricks in the book – news on the latest cons, scams and dupes on the Web
- Beware census scam artist tricks – cnn.com
- FBI details most difficult Internet scams – networkworld.com
- Top Cybercrimes Of The Year – inc.com
- Law firms are lucrative targets of cyberscams – sfgate.com
- Casinos conned by IT hackers who printed false betting slips – telegraph.co.uk
- We’re Not Talking Peanuts Here, Folks – eset.com
- Stock fixing Russian company investigated
A company allegedly fixing trades in the stock market faces stiff penalties for their misdeeds.
- SEC: Hacker Manipulated Stock Prices – wired.com
- Firm denies hacking, stock manipulation charges – cnet.com
- Top 10 Vulnerability Researchers 2009 – zoller.lu
IBM ISS collected information about the researchers who discovered and published the most vulnerabilities in 2009.
- Hacker Disables More Than 100 Cars Remotely – wired.com
A disgruntled ex-employee of an auto center tries to brick cars sold by the company that sacked him.
- PSC sought change – wdam.com
Telemarketers beware: spoofing your caller ID can lead to criminal charges.
- Cybercrime’s bulletproof hosting exposed – theregister.co.uk
Researchers have identified the network framework that endows notorious botnets with always-on connections.
- Revised cybersecurity bill introduced in Senate – computerworld.com
It seeks to improve national cybersecurity preparedness by fostering closer collaboration between the government and private sector companies.
- Pwn2Own Predictions: Apple iPhone Will Fall – threatpost.com
Infosec experts predict which devices will get rooted in this year’s CanSecWest hacking contest.
- FTC to Internet Companies: Start Using SSL – eff.org
Outgoing FTC Commissioner Pamela Jones Harbour called on Web services like Facebook and Hotmail to start using HTTPS/SSL encryption.
- 1st Trial Under California Spam Law Slams Spammer – slashdot.org
People who receive false and deceptive spam emails are entitled to damages of $1,000 per email under California law.
- Fired CISO says his comments never put Penn.’s data at risk – computerworld.com
Maley admits he was wrong to speak at RSA, won’t appeal firing.
- Unprecedented 25-Year Sentence Sought for TJX Hacker – wired.com
Gonzalez, who was charged with bank-card theft, might be facing at least 17 years in prison.
- Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies – washingtonpost.com
A website run by the Saudi government jointly with the CIA was shut down to prevent further terrorist threats.
- Malware infected memory cards of 3,000 Vodafone mobiles – itworld.com
The company is now investigating how the malware programs ended up on the phones.
- PNC: Former National City Bank Accounts Hacked – liquidmatrix.org
Due diligence didn’t reveal that a credit card data breach affected PNC’s latest bank acquisition.
- Latest Version Of Cybersecurity Act Lessens Presidential Power – darkreading.com
The chief executive no longer has unilateral power to disconnect networks from the Internet in the event of a major cyberattack.
- End Users Buck Security Advice For Economic Reasons – darkreading.com
Without proof that strong passwords and website certificates actually keep them safe, it’s no wonder end users ignore security advice, says a Microsoft Research expert, among others.
- Massive FBI computer overhaul is put on ice (again) – theregister.co.uk
Putting the project known as Sentinel on hold has alarmed some on Capitol Hill.
- IRS security faults leave taxpayer information at risk – networkworld.com
A whopping 69% of the tax agency’s previously noted security flaws remain unfixed.