Event Related
- Bsides Boston – youtube.com
Security BSides Boston is a community driven event, created by information security professionals. The goal of Security BSides is to expand the security communication and expand the community. Over 200 students, technologists and information security professionals participate each year in Cambridge, MA. Don’t miss out and register today!! (as this event is expected to be sold out).
Resources
- Mobile Hotspots – cs.fau.de
Passwords have to be secure and usable at the same time, a trade-off that is long known. There are many approaches to avoid this trade-off, e.g., to advice users on generating strong passwords and to reject user passwords that are weak. - Reversing Basics Part 2: Understanding the Assembly – blog.opensecurityresearch.com
This is the second blog post in a three part series. In the first post, we reviewed the structure of a simple C program. In this installment, we will cover disassembling this program, and reviewing the Assembly code generated by the compiler, GCC. - Announcing: the ULTIMATE SANS Pen Test Poster! – pen-testing.sans.org
I am super excited to announce the release of our brand-new SANS Ultimate Pen Test Poster! Three months in the making, this poster is chock full of tips, tricks, ideas, tools, resources, references, practice environments, and much much more, all focused on helping penetration testers and related security professionals excel in their work. - The Problem With Networks ….. – blog.spiderlabs.com
Where do I start with this open-ended statement? I guess from a pen testing perspective, quite a lot. Internal pen test results tend to open up a can of worms for a company.
Tools
- EMET 4.0 now available for download – blogs.technet.com
We are pleased to announce that the final release of version 4.0 of the Enhanced Mitigation Experience Toolkit, best known as EMET, is now finally available for download.
Techniques
- Kernel double-fetch race condition exploitation on x86 further thoughts – j00ru.vexillium.org
All experimental data presented in this post has been obtained using a hardware platform equipped with an Intel Xeon W3690 @3.47GHz CPU (with Hyper-Threading disabled) and DDR3 RAM, unless stated otherwise. - Creating Malicious Firmware with Firmware-Mod-Kit – pauldotcom.com
The intent of this tech segment is really to show how insecure devices are, and how we need to be cautious when rooting, modifying or updating firmware. Where it first starts is a tool create by Craig Heffner and Jeremy Collake ( download here ). - Cross-domain communication with a JSP shell from a browser hooked with BeEF – blog.beefproject.com
If your target is a Java Application Server, for instance JBoss or GlassFish (see the exploits we ported to BeEF for both of them, inside the exploit directory), you can deploy the following JSP shell I wrote for that purpose.
Vendor/Software Patches
- Critical Update Plugs 40 Security Holes in Java – krebsonsecurity.com
Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows. - HP iLO3/iLO4 Remote Unauthorized Access with Single-Sign-On – isc.sans.edu
HP released a security bulletin on a potential remote unauthorized access with HP Integrated Lights-Out iLO3/iLO4 using Single-Sign-On. - Linkedin DNS Hijack – Update – isc.sans.edu
LinkedIn had its DNS “hijacked”. There are no details right now, but often this is the result of an attacker compromissing the account used to manage DNS servers.But so far, no details are available so this could be just a simple misconfiguration.
Vulnerabilities
- Scores of vulnerable SAP deployments uncovered – scmagazine.com.au
Hundreds of organisations have been detected running dangerously vulnerable versions of SAP that are more than seven years old. - USGv6 for IPv6, Common Criteria EAL 4+, and certifications that matter for cybersecurity – researchcenter.paloaltonetworks.com
Over the past six weeks, we’ve completed two major certifications that are significant for enterprises, governments and service providers that must strengthen their network security in light of heightened cybersecurity concerns and that are considering a transition to a next-generation firewall. - SolusVM 1.13.03 Vulnerabilities localhost – localhost.re
So what do we have here? SQL Injection? yup! exec()? yup! vulnerable binary that sets setuid to 0? yup! - DNS Redirection Puts LinkedIn Users At Risk – dnsmadeeasy.com
DNS hijacking may have exposed LinkedIn user-data to malicious third parties. Unencrypted session data was broadcast . Here’s what you need to know. - Facebook security bug exposed 6 million users’ personal information (update) – engadget.com
Today, Facebook announced a security bug that compromised the personal account information of six million users.
Other News
- Microsoft Finally Offers To Pay Hackers For Security Bugs With $100,000 Bounty – forbes.com
Vasilis Pappas claiming his $200,000 reward for developing a new hacking defense at Microsoft’s Blue Hat Prize event last year. Now Microsoft is adding ongoing bounties for offensive hacking techniques, too.
Leave A Comment