Week 48 in Review – 2012

Event Related

• Hacker Internship – nds.ruhr-uni-bochum.de
  Web applications are in the age of Web 2.0 increasingly become the target of attackers. Thus no problem SQL injection foreign databases are compromised, stolen by XSS vulnerability browser sessions and via cross-site request forgery you get from one day to the countless new friends in a social network.
• AppSec USA 2012 – Austin – videos.2012.appsecusa.org
  These are the videos from the OWASP AppSec USA 2012 conference in Austin, TX. The schedule for the conference is at http://appsecusa2012.sched.org/ and the site for the conference is at http://2012.appsecusa.org/.

Resources

• VU#281284 – Samsung Printer SNMP Backdoor – l8security.com
  In regards to http://www.kb.cert.org/vuls/id/281284 I don’t have time to write up a full post on this like I wanted to. Here’s the details you wanted anyways.

Tools

• Nmap 6.25 holiday season release! – seclists.org
  Hi folks. It has been more than five months since the Nmap 6.01 release, and I’m pleased to announce a new version for you to enjoy during the holidays!

Techniques

• Penetration Testing with Smartphones Part 1 – tripwire.com
  When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network remotely. Companies focus most of the security spending and policies on keeping hackers out remotely.
• Detouring Win32 Function Calls in PowerShell – csharpening.net
  Detouring Win32 API function calls is a more common practice than some may think. A long standing Microsoft research project has made this very easy in unmanaged code.

Other News

• Known keycard hack suspected in hotel room burglary – news.cnet.com
  A security bypass demonstrated at the BlackHat conference in July appears to have been utilized in at least one burglary, Forbes reports. Read this article by Steven Musil on CNET News.
• Hackers Steal Experts’ Email Addresses From International Atomic Energy Agency Server – cio.com
  A group of hackers leaked email contact information of experts working with the International Atomic Energy Agency (IAEA) after breaking into one of the agency’s servers.
• Forget Disclosure Hackers Should Keep Security Holes to Themselves – wired.com
  Vendors, governments and the information security industry have incentives to protect their interests over their users’. Not all the players will act ethically, or capably. So who should the hacker disclose to?