Events Related
- USENIX Security ’14 Technical Sessions – usenix.org
The full Proceedings published by USENIX for the symposium are available for download here. Individual papers can also be downloaded from the presentation page.
- WOOT ’14 Workshop Program – usenix.org
The full papers published by USENIX for the workshop are available for download as an archive or individually below.
- DEF CON 22 ICS Village – digitalbond.com
This is Corey Thuen’s first blog post at Digital Bond, and he’s going to break The Rule and talk about what happened in Vegas.
- Hacktivism & Radical Politics: DEF CON 22 – duosecurity.com
It was cool to see the difference between the more corporate Black Hat crowd versus the unabashedly radical libertarian viewpoints of the DEF CON attendees – both presented valuable data and information in their own particular style.
Resources
- New Git Repositories That I’m Following – www.andrewhay.ca
Every now and then Andrew Hay stars a Git repo that looks interesting, has a tool he wants to try later, or is something immediately useful. In reviewing some of his more recent ‘stars’, he thought it might be useful to share them with his readers.
- SimpleRisk Enterprise Risk Management Simplified – simplerisk.org
If you would like to play with SimpleRisk to see what it looks like before you install it, they have a demo site for you to use.
- PCB Deconstruction Techniques – grandideastudio.com
Printed Circuit Boards (PCBs), used within nearly every electronic product in the world, are physical carriers for electronic components and provide conductive pathways between them. Presentations and papers are available here.
- Software Defined Radio with HackRF, Lesson 1 – greatscottgadgets.com
The video of Software Defined Radio with HackRF, Lesson 1 is available here. You can watch and download the video in high resolution.
- Software Defined Radio with HackRF, Lesson 2 – greatscottgadgets.com
Here is the video of Software Defined Radio with HackRF, Lesson 2. You can watch and download the video in high resolution.
- BlackHat Talk and Railo Shoutout – breenmachine.blogspot.com
Here is the BlackHat USA 2014 presentation titled “Mobile Device Mismanagement” by Stephen Breen, along with a shout-out and reference to some work he has done with drone on vulnerabilities and some exploits they have whipped up for the Railo framework.
- Passwordscon 2014 Videos – irongeek.com
These are the videos from the Passwordscon 2014 conference. You can watch and download the videos from here.
- TakeDownCon Rocket City 2014 Videos – irongeek.com
These are the videos from the TakeDownCon Rocket City 2014. You can watch and download the videos from here.
- Mimikatz and Golden Tickets..What’s the BFD? BlackHat USA 2014 Redux part 1 – passing-the-hash.blogspot.com
A couple of weeks ago Benjamin Delpy and Exorcyst presented at Blackhat USA and, in a somewhat impromptu manner, the Wall of Sheep at DefCon as well. The updated slides (from the WoS talk) can be found here.
- Q&A: DEF CON At 22 – darkreading.com
Dark Reading executive editor Kelly Jackson Higgins sat down with DEF CON founder Jeff Moss, a.k.a. The Dark Tangent, to get his take on this year’s show, the NSA, and the reality that cyberattacks are inevitable. Here is an excerpt from that interview.
Tools
- iOS Reverse Engineering Toolkit (iRET) v1.0 Released – github.com
The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. Download iRETv1.0 from here.
- Haka v0.2 Protocols and Policies Analyzer Released – github.com
Haka is a collection of tools that allows capturing TCP/IP packets and filtering them based on Lua policy files. You can download the tool from here.
- OWASP WebSpa Project – owasp.org
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. It provides a cryptographically protected “open sesame” mechanism on the web application layer, comparable to well-known port-knocking techniques.
- XSScrapy: fast, thorough XSS vulnerability spider – danmcinerney.org
Unsatisfied with the current crop of XSS-finding tools, Dan McInerney wrote one and he is very pleased with the results. He has tested this script against other spidering tools like ZAP, Burp, XSSer, XSSsniper, and others and it has found more vulnerabilities in every case.
- Nmap 6.47 released: Bugfixes for Zenmap & Ndiff; 366 new OS fingerprints; OS X installer issues fixed; OpenSSL updates – nmap.org
Nmap and Zenmap (the graphical front end) are available in several versions and formats. Latest releases are available here. Download now!
- oclHashcat v1.30 released, improved performance, cracking skype hashes – hashcat.net
This release is again focused on performance increase of the kernels and bugfixes. However, the most code intensive change in this version was the new workload dispatcher as it’s part of the oclHashcat core.
- Interesting comments about this – reddit.com
- Viproy 2.0 – VoIP Penetration Testing and Exploitation Kit – thehackerspost.com
Viproy 2.0 is released at Blackhat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extensions support, Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules.
- Lynis v1.5.9 Released – cisofy.com
Security auditing tool for Linux, Mac and Unix based systems. Scan your systems in a matter of minutes and know what can be improved.
Techniques
- Learning Exploitation with FSExploitMe – blog.opensecurityresearch.com
Brad wanted to create something that would help ease the students into the learning environment, and that’s what FSExploitMe is: a tutorial that walks you through the basics of WinDBG and general exploitation in a browser environment.
- Script Execution and Privilege Escalation on Jenkins Server – labofapenetrationtester.com
If you want to get admin access to Jenkins, read on. As per the Jenkins documentation here, you can disable security by setting <useSecurity>true</useSecurity> to false in config.xml in $JENKINS_HOME or by deleting config.xml.
Vulnerabilities
- Masscan does STARTTLS – blog.erratasec.com
Robert Graham has updated his port-scanner masscan to support STARTTLS, including Heartbleed checks. He suggests you run this on all your outward-facing sites on all ports -p0-65535 to find lots of Heartbleed vulnerable services that your normal vulnerability scanner might’ve missed.
- RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc. – algorithm.dk
One night Andrew was randomly reading the tel URI scheme RFC, as he is fascinated by old relics that are still used today, their flaws, and the way people never read the RFC, which leads to RTFM pwnage, as he calls it.
- Documentum DQL Injection / ESA-2014-046 – penturalabs.wordpress.com
Pedro Laguna discovered an issue on the EMC Documentum software and internally called it “injeception”. Now that naming your vulnerability is so mainstream he will just call it ESA-2014-046.
Other News
- Hospital network hacked, 4.5 million records stolen – money.cnn.com
Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.