Transcript
Page 1: News Bytes - May by corrupt

C () r r |_| p -|- NewsBytes

Page 2: News Bytes - May by corrupt
Page 3: News Bytes - May by corrupt

Pacman on google.com is playable (when click on insert coin). :P

AWESOME !!!!

Page 4: News Bytes - May by corrupt

A hacker, who calls himself “ins3cted”, has demonstrated to Webwereld via video how by exploiting a simple SQL injection, he can retrieve 168,000 personal records from a Dutch website called Experience the OV (http://www.ervaarhetov.nl).

Hopefully this incident will raise much needed awareness around the world of the need to ensure secure development and web application penetration tests

The video is available from the following URL; http://webwereld.nl/nieuws/66012/ov-site-lekt-persoonlijke-data-168-000-reizigers.html

Oops, SQL Injection Did it Again !!!

Page 5: News Bytes - May by corrupt

AusCERT, Australia's premier information security event on the Gold CoastIn an email, IBM advised visitors to its AusCERT

booth that its complimentary USB key was infected with a virus. An IBM spokesman and conference organisers confirmed the email was genuine.

Wightwick said the malware, which dated to 2008, was detected by most anti-virus products.

"The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. 

http://www.itnews.com.au/News/175451,ibm-unleashes-virus-on-auscert-delegates.aspx

IBM unleashes virus on AusCERT delegates

Page 6: News Bytes - May by corrupt

US security software vendor Symantec has reached an agreement to acquire VeriSign's web

security business.Symantec has agreed to pay approximately $1.28 billion

in cash for VeriSign's identity and authentication business assets. 

Symantec will take over the company's Secure Sockets Layer (SSL) Certificate Services, the Public Key Infrastructure (PKI) Services, the VeriSign Trust Services and the VeriSign Identity Protection (VIP) Authentication Service. According to Symantec, the deal is expected to close in "the September quarter

More details about the acquisition can be found in slides and a press release from Symantec.

Symantec acquires VeriSign's web security business

Page 7: News Bytes - May by corrupt

vulnerability count of 40 vulnerabilities, which is nearly as much as disclosed during the whole Month of PHP Bugs in 2007

For those that don't already know you can follow the Month of PHP Security on Twitter, too. Just follow @mops_2010

http://www.php-security.org/

May – Month of PHP Bugs

Page 8: News Bytes - May by corrupt

This codelab is built around Jarlsberg, a small, cheesy web application that allows

its users to publish snippets of text and store assorted files. "Unfortunately," Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Jarlsberg and in general.

Jarlsberg - A Codelab by Bruce Leban, Mugdha Bendre, and Parisa Tabriz

Page 9: News Bytes - May by corrupt

http://jarlsberg.appspot.com

Page 10: News Bytes - May by corrupt

John Shepherd-Barron – ATM Inventor

India-Born Scottish inventor

ATM inspired by Vending Machines

also invented the PIN number

(23 June 1925 – 15 May 2010) 84

Page 11: News Bytes - May by corrupt

Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)

Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)

Over 100 tickets were closed since the last point release and over 200 since v3.3

http://blog.metasploit.com/2010/05/metasploit-framework-340-released.html

Metasploit 3.4.0 Released

Page 12: News Bytes - May by corrupt

A commercial Metasploit Express variant by Rapid7 has been released at the same time. It offers a graphical user interface, is said to be more user friendly and simplifies report generation. Rapid7 offers a free 14-day trial licence and a full Metasploit Express licence costs $3,000 per year.

Metasploit Express

Page 13: News Bytes - May by corrupt

Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.

To download Metasploitable, you can pick up the torrent on the Express Community site. If you are an Express customer, you can pick up a direct HTTP download from the Customer Center. See the README.txt here for additional information, but be aware, there are spoilers in it.

http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Metasploitable

Page 14: News Bytes - May by corrupt
Page 15: News Bytes - May by corrupt

Bizploit is the first Opensource ERP Penetration Testing framework. Developed by the Onapsis Research Labs, Bizploit assists security professionals in the discovery, exploration, vulnerability assessment and exploitation phases of specialized ERP Penetration Tests. Currently, Bizploit is shipped with many plugins to assess the security of SAP business platforms. Plugins for other popular ERPs will be included in the short term.

Bizploit Opensource ERP Penetration Testing framework released

Page 16: News Bytes - May by corrupt

Right click and start busting!

http://www.sittinglittleduck.com/DirBuster-1.0-RC1.xpi

Dirbuster Firefox Plugin

Page 17: News Bytes - May by corrupt

makes firefox can't make texts into body element and then it crashed.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571

Firefox 3.6.3 memory exhaustion crash vulnerabilities

Page 18: News Bytes - May by corrupt

http://www.nirsoft.net/utils/router_password_recovery.html

New password recovery tool for router files

Page 19: News Bytes - May by corrupt

THANK YOU


Top Related