Finally Microsoft is doing something proactive and perhaps even slightly ahead of the game, a real game-change for the security community.
They have released a new AND open-source tool to make debugging easier, it gives developers a lot of help during the release cycle to build more secure software. Mostly because it takes the legwork and [...]

Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the [...]

It’s seems like a new hacker is in the sights of the US Government, this time it’s Ehud Tenenbaum AKA ‘The Analyzer’.
He seems to have been quite sloppy about covering his tracks and remaining under the radar, he acts as if no-one can get him. Perhaps he knows something we don’t?
Anyway he’s firmly under investigation [...]

In April last year we wrote about ProxyStrike, recently the developer has released a couple of new versions – the latest being v2.1.
ProxyStrike is an active Web Application Proxy, is a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that [...]

You right remember in March last year we posted about Charlie Miller at the PWN2OWN contest owning the MacBook Air in under 2 minutes.
Guess what? He’s done it again! This time though he’s even faster clocking in at under 10 seconds. No one else stood a chance. He walked off with the prize again, $5000 [...]

sqlsus is an open source MySQL injection and takeover tool, written in perl.
Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…
It is designed to maximize the amount of data gathered [...]

In a recent undercover sting the BBC has uncovered some unscrupulous Indian chaps selling valid UK credit card details, the kicker to the story is the fraud is linked to Symantec as the people being defrauded had all recently bought Norton subscriptions.
I guess it’s hard to control a 3rd party call center though and who [...]

Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.
You may remember back in March 2008 we published about Webshag 1.00 being released. Now Webshag 1.10 has been released! This new version provides several feature enhancements [...]

Conficker has gotten quite a lot of news recently with it growing so fast and Microsoft offering a bounty for the authors.
It seems like the Conficker authors are really serious about retaining control of their botnet and expanding it further without hindrance from the companies trying to stop them.
It’s quite likely they are netting some [...]

dnsmap is a subdomain bruteforcer for stealth enumeration, you could say something similar to Reverse Raider or DNSenum.
Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain [...]

The BBC has made an odd move recently by buying/seeding a botnet of 22,000 computers under the guise of investigative journalism.
They claim it’s not illegal as they caused no harm and only sent spam to e-mail accounts used by themselves. Technically I think it’s still breaking the law under the Computer Misuse Act but most [...]

WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, [...]

It seems to the feds are really cracking down on cybercrime recently, with a special kind of attention paid to botnets and their handlers. The sentences are getting stiffer too, this time with 4 years in prison for running a botnet and data theft.
I hope they keep it up, botnets are the scourge of the [...]

What is VideoJak?
VideoJak is an IP Video security assessment tool that can simulate a proof of concept DoS against a targeted, user-selected video session and IP video phone. VideoJak is the first of its kind security tool that analyzes video codec standards such as H.264.
VideoJak works by first capturing the RTP port used in a [...]

What is Native Client?
Native Client is an open-source research technology for running x86 native code in web applications, with the goal of maintaining the browser neutrality, OS portability, and safety that people expect from web apps. We’ve released this project at an early, research stage to get feedback from the security and broader open-source communities. [...]

fzem is a MUA (mail user agent) fuzzer that fuzzes MAIL/MIME email headers as well as how clients handle SMTP, POP and IMAP responses.
Purpose
fzem’s purpose is to fuzz MUAs as they process email content and handle server reponses.

How does it work?
fzem has the three main mail protocols implemented as well as mail/mime headers. Using these [...]

Click-jacking has hit the news a few times recently with most browsers being susceptible to this kind of redirection attack.
This time it’s Twitter that’s being hit, as with anything gaining popularity it’s going to become the focus of more attacks and attempts to compromise its security.
It seems like click-jacking may well be here to stay [...]

Finally an update to Medusa! Version 1.5 of Medusa is now available for public download. Medusa 1.4 was released quite some time back in November 2007 and before that Medusa 1.3 showed up November 2006.
You would have thought version 1.5 would have been released in November 2008! Looks like they missed by a few months.

What [...]

Koobface is computer worm that targets the users of the social networking websites Facebook and Myspace. Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers.
A new variation of Koobface has popped up aggressively on Facebook and is attempting to steal login credentials for other social networking [...]