BlackHat 2012, part II

As I’ve mentioned before, I didn’t make it out to the BlackHat this year. These are the top 5 ways to tell you’re not at a Vegas Con. Ā šŸ™Ā Some of the other notable things that I saw coming out from BlackHat/Defcon:

1. A significant vulnerability in MSCHAPv2 and by extension PPTP Microsoft VPN. The keys are too small at 56-bit DES. If you’re are still using it: don’t. The tool is here

2. A long paper about intrusion kill chains and a short summary of it. Here is one more for good measure. It boils down to the fact that you want to be able to detect and respond to an attack as early as possible. The only way to do that is to be able to look at events in context and be able to correlateĀ disparate event streams into a single attack.

3. Ā A very neat attack tool. Could be excellent for pen testing.

4. Javascript attacks on SOHO routers.

5. Vulnerabilities in payment terminals.

6. How to attack poorly configured Apache servers. A new tool has been released for this. Vulnerability isn’t new; lazy admins with bad .htaccess files have been doing this for a while. This automates the process.

7. Possibly a nice extension to one of my favorite tools: Maltego.

8. A fairly significant 0-day against Oracle.


Another password FAIL

Another major password FAIL. In fact, it’s not just the passwords, but more or less everything. Brought to you by Tesco.



Security Mindset

A great post from Schneier. Though I think it’s not just a security mindset. It’s more of a hacker mindset, as defined here. It’s wanting to solve problems, overcome limits and the desire to ask “Why?”. Ā That’s applicable across many different disciplines.




Nothing to Hide

A good article with a solid refutation of the all too common “you have nothing to hide” argument.


Security Fail

That’s nice.


© 2021 Mind End

Theme by Anders NorénUp ↑