AV Bypass Made Stupid

July 13, 2010 Added by:Rob Fuller

I started with fgdump, a well known hashdumping/pwdump tool. It’s detected by 80% of all AVs and by all the top 10. You see this on your AV report for your domain controller, and you’re having a bad day, probably week...

Comments  (1)


Are you Using or Abusing Digital Certificates?

June 28, 2010 Added by:Ron Lepofsky

Digital certificates were originally designed to help authenticate, provide non repudiation, and to sometimes ensure integrity and confidentiality for written communication.  They of course became the rage for securing Internet based transactions.

Comments  (5)


Understanding PHP RFI Vulnerabilities

June 14, 2010 Added by:Brent Huston

A large majority of publicly disclosed vulnerabilities are PHP related. In 2009, 5733 PHP Remote File Inclusion vulnerabilities were disclosed. In situations where exploiting PHP RFI is possible, most likely SQL Injection and Cross Site Scripting are all possible. This is due to the exploits having the same root cause or lacking input validation.

Comments  (0)


Using SQL Injection Tools in the Field

June 11, 2010 Added by:Brent Huston

As the Internet continues to morph, common attack vectors change. Info Sec professionals once had the ease of scanning a network and leveraging available vulnerabilities to gain a foothold; but now we’re seeing a paradigm shift toward web applications and the security that protects them.

Comments  (6)


Pending Domain Name System Changes

May 28, 2010 Added by:Simon Heron

The Domain Name System (DNS) is undergoing a change that was started in December of 2009 and is intended to complete in July of this year, 2010. In the light of a number of exploits of vulnerabilities with DNS identified over the past year or so, a more secure implementation is being brought into play which could cause problems with connectivity in some cases.

Comments  (0)


Watching Out For Criminal Hacks

May 25, 2010 Added by:Robert Siciliano

We use the web to search out tons of information, to shop online and to connect with friends and family. And in the process criminals are trying to whack us over the head and steal from us. And they’ve become very proficient at their craft while most computer users know enough about protecting themselves today as they did 15 years ago. Which equates to not so much.

Comments  (1)


Impact of Online Intelligence Searches part II

May 17, 2010 Added by:Bozidar Spirovski

In our previous article - "Open Source Intelligence Operations" we looked at the generic process of information gathering. But what is this process looking for? The answer to this question is important to all parties..

Comments  (0)


Wordpress mass infection continues to spread....

May 12, 2010 Added by:Jason Remillard

As reported yesterday, and now reinforced by our friends at, the godaddy malware infections continue to grow, and now seems to be spreading across different hosters and now targeted applications.

Comments  (2)


Web Application Insecurity - VIDEO

May 10, 2010 Added by:Jeremiah Talamantes

As a professional penetration tester, I help organizations identify and validate vulnerabilities in their systems everyday. However even in today's heighten awareness for vulnerabilities in web apps, I tend to find myself involved in more network-centric pen tests vs. application-centric pen tests. Some of this can be attributed toward the maturity of network security. But as security profess...

Comments  (4)


Open Source Intelligence Operations Part One

May 10, 2010 Added by:Bozidar Spirovski

Wikipedia defines Open source intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. In reality, the methodology used in OSINT is the information gathering phase of every penetration phase. They only stuck a fancy name to the process.

Comments  (0)


The Need to Develop Security Guidelines For Medical Devices

May 10, 2010 Added by:shawn merdinger

In the April 2010 issue of New England Journal of Medicine, William Maisel and Tadayoshi Kohno state that “medical-device manufacturers have a legal responsibility to be vigilant and responsive to security threats, although their specific responsibilities have not been well delineated.”

Comments  (1)


Scammers Bait 40,000 Facebook Victims with Ikea Gift Card

April 21, 2010 Added by:Robert Siciliano

It’s just a matter of setting up a fake Facebook page and marketing it to a few people who then send it to their friends and it goes somewhat viral. The Ikea scam hooked 40,000 unsuspecting victims with the promise of a $1,000 gift card.

Comments  (0)


How to be exposed via xss - in one click - just doing your job...

April 16, 2010 Added by:Jason Remillard

As the attacks on infrastructure become more complicated, the true nature of deep penetration attacks prove food for thought for all developers and operators.  Consider this case - where the apache open source infratructure itself became significantly exposed by a simple XSS attack that utilized some social engineering techniques (i.e. getting folks to click on things), to load others up with...

Comments  (2)


Why we did it, and don't want to make money from it..

March 18, 2010 Added by:Jason Remillard

A description of the automated wordpress security plugin by SSM. If you're running WP, check it out!

Comments  (0)


Hacker Releases Second Video of Enhanced XerXeS DoS Attack on Apache Vulnerability

March 11, 2010 Added by:Anthony M. Freed

Infosec Island has once again gained exclusive access to a video demonstration of the XerXeS DoS. This new video shows a little more of the XerXeS dashboard, and reveals even more about the attack technique – watch the text box on the left as Jester mentions “Apache” for the first time outside of our private conversations.

Comments  (15)


Press F1 for Help, pwned.

March 08, 2010 Added by:Daniel Kennedy

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.

Comments  (0)

Page « < 15 - 16 - 17 - 18 - 19 > »