Week 33 in Review – 2010

Events Related:

Resources:

  • BlackHat 2010 – Slides / Paper / Rest. – thinkst.com
    This year my talk was 50 minutes long (I wasn’t convinced that the topic could hold interest for longer periods), and my keynote deck was made up of 38 slides.
  • 20 Critical Security Controls – sans.org
    The 20 Critical Controls are the most effective processes that organizations use to stop computer attackers from gaining entry to systems and networks, or to mitigate damage from attackers who get in.
  • SQL Injection Cheat Sheet – mavituna.com
    Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.
  • Reverse Engineering over Acrobat Reader using Immunity Debugger (RECON) – securitytube.net
    Blind scanning using generic fuzzers and automated generic tools don’t have a significant level of success anymore.
  • Constricting The Web: Post Black Hat – neohaxor.org
    The basic premise of our talk is that web architectures and technology are getting far more complicated and it is not sufficient just to run a vulnerability scanner on an application and call it done.
  • How to Render SSL Useless – threatpost.com
    In this video from the OWASP AppSec Research conference in Sweden, security researcher Ivan Ristic of Qualys discusses practical methods for breaking SSL.
  • ClamAV for Windows – clamav.net
    ClamAV for Windows utilizes advanced Cloud-based and community-based detection methods.
  • Is My Mail Secure? – ismymailsecure.com
    Secure email transfers rely not only on the security of the connection between the mail client (email program) and the email server (or a secure webmail site in the browser), but also on secure connections between servers.
  • iPen: Hacking with the iDevice – nickmpetty.com
    So this article/how-to/whatever is just that. A document of my experiences turning my iPod Touch into an all-in-one hacking/penetration-testing platform.
  • Steam Hardware & Software Survey: July 2010 – steampowered.com
    Steam collects data about what kinds of computer hardware and software our customers are using.

Tools:

  • MetasploitExpress::Parser – spl0it.wordpress.com
    I coded for around 4 hours at Defcon and MetasploitExpress::Parser was ready before his presentation on Sunday.
  • Metasploit Java Meterpreter Payload – exploit.co.il
    It is not fully implemented into the framework yet and in order to get it up and running some manual tweaking is needed.
  • RSMangler – Keyword Based Wordlist Generator For Bruteforcing – darknet.org.uk
    The main new feature is permutations mode which takes each word in the list and combines it with the others to produce all possible permutations (not combinations, order matters).
  • Websecurify 0.7 – websecurify.com
    This version contains numerous improvements including user interface changes, faster, more stable testing platform, among others.
  • Blind Elephant: A New Web Application Fingerprinting Tool – sans.edu
    The tool uses the same techniques I’ve been using for a few years now, manually or through custom scripts, during web-app penetration tests to identify the available resources on the web application, and based on them, categorize its type and fingerprint its version.
  • Mobius Forensic Toolkit – freshmeat.net/projects/mobiusft
    Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions.
  • cvechecker – cvechecker.sourceforge.net
    The goal of cvechecker is to report about possible vulnerabilities on your system, by scanning the installed software and matching the results with the CVE database.
  • Microsoft Baseline Security Analyzer 2.2 – filehippo.com
    Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
  • nmapsi4 0.2 beta3 released – nmapsi4.org
    New nmapsi4 0.2 beta3 is out!
  • Blockfinder – github.com/ioerror/blockfinder
    Contrary to popular media claims, blockfinder is a simple text based console tool that returns a list of netblocks for a given country.
  • FGET V1.0 Goes Live!! – hbgary.com
    Its primary function is collecting sets of forensically interesting files from one or more remote Windows machines.
  • skipfish 1.58b – code.google.com/p/skipfish/
    A fully automated, active web application security reconnaissance tool.
  • Virtualization ASsessment TOolkit (VASTO) – nibblesec.org
    VASTO is a Virtualization ASsessment TOolkit, a collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions.
  • Fast-Track v4.0.1 released – secmaniac.com
    Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network.

Techniques:

Other News:
