Week 16 in Review – 2012

Event Related

  • Hackito Ergo Sum 2012
    • TALKS // Hackito Ergo Sum 2012 – 2012.hackitoergosum.org
      In this presentation we will cover critical aspects of web applications, and how these techniques can be used in real-life scenarios on big (and highly “secured”) websites. These bugs and methods will be able to assist you in your next bug hunt, in your pentest or (god forbid) bounty program.
      We will reveal several vulnerabilities found on real big scale and important websites.
    • Hackito Ergo Sum 2012 – breakingcode.wordpress.com
      The event took place at the headquarters of the French Communist Party, and I have to say the conference room was quite impressive. It was an underground dome all covered with white metallic plates and lamps behind, giving a peculiar visual effect.
  • Notacon 9 (2012) Videos (Hacking Illustrated Series InfoSec Tutorial Videos) – irongeek.com
    These are the videos from the 9th Notacon conference held April 12th-15th, 2012. Not all of them are security related, but I hope my viewers will enjoy them anyway.
  • SOURCE Boston Security Conference and Training 2012 Day 2 – Dan Geer Keynote, Android Modding and Cloud Security – securelist.com
    Dan Geer’s fantastic Keynote Speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks also were Jeremey Westerman’s “Covering *aaS – Cloud Security Case Studies for SaaS, PaaS and IaaS”, and Dan Rosenberg’s “Android Modding for the Security Practitioner”.

Resources

  • Troy Hunt: 5 interesting security trends from Verizon’s 2012 data breach report – troyhunt.com
    This report is based on 855 incidents in 2011 (don’t be confused by the year in the title!) and because Verizon does this each year, there’s lots of data on how trends are changing.
  • VLAN Network Segmentation and Security – Chapter 5 – resources.infosecinstitute.com
    In this chapter, we step through a description of VLAN technology, how to secure it (including basic switch security), and how to control packets to increase the overall strength of attack surface defense. I use the term packet instead of frame to refer to transmission entities at both the network and the data link layers.
  • Penetration Testing for iPhone Applications – Part 2 – resources.infosecinstitute.com
    Every iPhone has an associated unique device identifier (UDID) derived from a set of hardware attributes. The UDID is burned into the device and one cannot remove or change it. However, it can be spoofed with the help of tools like UDID Faker.
  • From LOW to PWNED
    [0] Intro – carnal0wnage.attackresearch.com
    I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.
  • Analysis of the Eleonore exploit pack shellcode – blogs.technet.com
    ‘Eleonore’ is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run.

Tools

  • InteractiveSieve – blog.didierstevens.com
    Interactive Sieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant.
  • Ra.2 is Blackbox DOM-based XSS Scanner tool – code.google.com
    Ra.2 is a new blackbox DOM-based XSS scanner, an approach towards finding a solution to the problem of detecting DOM-based Cross-Site Scripting vulnerabilities in web applications automatically, effectively and fast.
  • DOE Lab Releases Open-Source Attack Intelligence Tool – darkreading.com
    The U.S. Department of Energy’s Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.
  • NfSpy – ID-spoofing NFS Client Tool – Mount NFS Shares Without an Account – darknet.org.uk
    We wrote about this tool originally last year – NfSpy – ID-spoofing NFS Client – Falsify NFS Credentials – and a new version just came out!
  • SQL Server 2012 Best Practices Analyzer – blogs.msdn.com
    I’m pleased to announce that SQL Server 2012 Best Practices Analyzer (BPA) has been released and is available for download at http://www.microsoft.com/download/en/details.aspx?id=29302.
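
Ra.2 (under Tools above) is a blackbox scanner, so it finds DOM-based XSS by driving the page at runtime. What follows is an added example, not Ra.2’s code and not code from any of the linked posts, that shows the underlying pattern such a scanner hunts for: attacker-controlled page data (a “source” such as location.hash) flowing into an API that interprets it as HTML or script (a “sink” such as innerHTML or eval). It is a deliberately minimal static check over a constructed page script; the source and sink lists, the variable-tracking heuristic, the function names and the sample script are all assumptions made for illustration.

```javascript
// Added example (not Ra.2's code): a toy static check for the DOM-based XSS
// pattern, i.e. attacker-controlled page data (a "source") reaching an
// HTML/JS-evaluating API (a "sink"). Lists and heuristic are assumptions.
const SOURCES = ["location.hash", "location.search", "location.href",
                 "document.URL", "document.referrer", "window.name"];

// Only write-style uses count: `x = el.innerHTML` (a read) must not match.
const SINKS = [
  { name: "innerHTML",          re: /\.innerHTML\s*=(?!=)/ },
  { name: "outerHTML",          re: /\.outerHTML\s*=(?!=)/ },
  { name: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(/ },
  { name: "document.write",     re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: "eval",               re: /\beval\s*\(/ },
];

// Whole-word match for an identifier (escapes `$`, the only regex
// metacharacter that is legal inside a JS identifier).
function mentions(text, ident) {
  return new RegExp("\\b" + ident.replace(/\$/g, "\\$") + "\\b").test(text);
}

// Which source, if any, feeds `expr`: directly, or through a variable already
// known to hold source data. Returns the source name or null.
function originOf(expr, tainted) {
  const direct = SOURCES.find((s) => expr.includes(s));
  if (direct) return direct;
  for (const [name, src] of tainted) if (mentions(expr, name)) return src;
  return null;
}

// Scans `scriptSource` line by line. Returns [{line, sink, taintedBy}].
// Deliberately simple: no real parser and a single forward pass, so a sink
// that appears before the declaration of the variable it uses is missed.
function findDomXssFlows(scriptSource) {
  const findings = [];
  const tainted = new Map(); // variable name -> source it was read from
  scriptSource.split("\n").forEach((line, idx) => {
    // 1. `var|let|const name = <expr>`: remember variables fed by a source.
    const decl = line.match(/\b(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)/);
    if (decl) {
      const src = originOf(decl[2], tainted);
      if (src) tainted.set(decl[1], src);
    }
    // 2. A sink on this line whose argument / right-hand side carries source data.
    for (const sink of SINKS) {
      const m = line.match(sink.re);
      if (!m) continue;
      const src = originOf(line.slice(m.index + m[0].length), tainted);
      if (src) findings.push({ line: idx + 1, sink: sink.name, taintedBy: src });
    }
  });
  return findings;
}

// Constructed sample page script (not from any real site): two flows through
// variables, one direct flow, and one safe write via textContent.
const SAMPLE_PAGE_SCRIPT = [
  "var name = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('greet').innerHTML = 'Hi ' + name;",
  "document.write('<a href=\"' + document.URL + '\">permalink</a>');",
  "document.getElementById('safe').textContent = name;",
  "var q = location.search;",
  "const copy = q;",
  "eval('handler_' + copy + '()');",
].join("\n");

for (const f of findDomXssFlows(SAMPLE_PAGE_SCRIPT)) {
  console.log(`line ${f.line}: ${f.taintedBy} reaches ${f.sink}`);
}
```

On the sample script the check reports lines 2, 3 and 7 and stays quiet on line 4, which is the point of the exercise: the same tainted value is harmless when written through textContent and dangerous when written through innerHTML, so what matters is the sink, not the data. A real scanner such as Ra.2 instead injects markers into each source and watches the live DOM for where they land, which also catches flows through functions, objects and asynchronous callbacks that this line-oriented toy cannot follow.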

Techniques

  • Hack Tips: Good for Enterprise Exploitation – blog.opensecurityresearch.com
    Good for Enterprise™ is a suite of powerful mobile device management tools that bring military-grade security, end-to-end data loss prevention, and collaboration features to today’s most popular smartphones and tablets — without compromising IT security and control.
  • XSS Shortening Cheatsheet – labs.neohapsis.com
    In the course of a recent assessment of a web application, I ran into an interesting problem. I found XSS on a page, but the field was limited (yes, on the server side) to 20 characters.
  • Extracting AES keys from iPhone – securitylearn.wordpress.com
    The iPhone application processor comes with two built-in encryption keys, UID and GID. The OS running on the device cannot read the hardcoded keys, but it can use them to generate other encryption keys used for data protection, media encryption and keychain encryption. The hardcoded keys can only be used from bootloader and kernel mode.

Vendor/Software Patches

Vulnerabilities

Other News

  • 15-year-old arrested for hacking 259 companies – zdnet.com
    A 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.
  • 3 million bank accounts hacked in Iran – zdnet.com
    First, he warned of the security flaw in Iran’s banking system. Then he provided them with 1,000 bank account details. When they didn’t listen, he hacked 3 million accounts across at least 22 banks.
April 23rd, 2012 | Security Conferences, Security Tools, Security Vulnerabilities