338 items tagged "information"
-
-
15:22
»
SecDocs
Authors: Torbjörn Lofterud
Tags: credit card PCI DSS compliance
Event: Chaos Communication Camp 2011
Abstract: The PCI DSS standard requires strong cryptography or secure hashing as ways to protect cardholder information. But one important factor is missing; detailed instructions for how to correctly apply cryptography to credit card numbers.

The primary objective of the Payment Card Industry Data Protection Standard (PCI DSS) is to safeguard cardholder information such as the Primary Account Number (PAN) and the sensitive authentication data (CVV2, Track 1 and 2). Chapter 3.4 deals with the details regarding encryption and key management.

> 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media,
> backup media, and in logs) by using any of the following approaches:
> * One-way hashes based on strong cryptography
> * Truncation
> * Index tokens and pads
> * Strong cryptography with associated key-management processes and procedures

What constitutes strong cryptography is further detailed in the glossary and in the PCI SSC FAQ documents as well as in periodic communication to security assessors. But one important factor is missing from the communication; the modes of operation for the cryptographic primitives. The PCI DSS glossary specifically mentions AES, 3DES, RSA, ECC, Elgamal and SHA1 as “industry-tested and accepted standards and algorithms for encryption” but fails to address important issues such as RSA padding and cipher block chaining for 3DES and AES.

The requirements are quite clear on the fact that encryption and hashing need to be implemented properly, but give little guidance to developers or assessors as to what strong cryptography actually means. There are at least three different scenarios where cardholder information appears to be protected in compliance with the standard but remains vulnerable if disclosed. This presentation describes attacks for common failure scenarios when encrypting credit card information.
-
8:39
»
Packet Storm Security Misc. Files
EMC Information Rights Management (IRM) contains vulnerabilities that can potentially be exploited by malicious users to cause denial of service.
-
-
21:36
»
SecDocs
Authors: Annalee Newitz
Tags: social
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Print media are dying, but what is rising up to take their place? In this presentation, I'll answer that question by describing three new kinds of jobs for journalists that do not exist in mainstream print media. These jobs are: hacker journalist, data-mining reporter, and crowd engineer. I'll be describing what these jobs entail, and current examples of organizations already employing people to do them.

My observations in this presentation are based on the nearly twenty years I have written for traditional print as well as new media publications, including zines like Bad Subjects and 2600, as well as mainstream media outlets like Wired and the Washington Post. I also created io9.com, the world's most widely-read blog devoted to science and science fiction. As I've watched friends and colleagues suffer through layoffs in the publishing industry, I've also seen the rise of new kinds of journalists who use technology to break stories in ways that would have been impossible even five years ago.

Hacker journalists use everything from Perl scripts to open source mapping platforms to do investigative reporting (examples include writing at Ars Technica, as well as people working with the Ushahidi mapping platform). Data-mining reporters are people who analyze vast amounts of data to investigate issues from war crimes (using services like Wikileaks) to the stock market "flash crash". Crowd engineers work on crowd-sourced news sites like Reddit and Metafilter, writing algorithms and community software that makes it easy for people to share information. Like editors, crowd engineers can be very powerful figures who determine which information rises to the top.

What these new journalists have in common is a newfound ability to aggregate and analyze information on a massive scale. Ultimately I'll explore how this changes the playing field in media, and why journalists of the future may be more powerful than ever before.
-
-
16:09
»
Packet Storm Security Recent Files
Ransack is a post exploitation shellscript for penetration testers. Its purpose is to grab any information deemed relevant on a system, post root compromise. This information may include config files, ssh keys, ssl keys, or any other information deemed valuable.
-
16:09
»
Packet Storm Security Tools
Ransack is a post exploitation shellscript for penetration testers. Its purpose is to grab any information deemed relevant on a system, post root compromise. This information may include config files, ssh keys, ssl keys, or any other information deemed valuable.
-
16:09
»
Packet Storm Security Misc. Files
Ransack is a post exploitation shellscript for penetration testers. Its purpose is to grab any information deemed relevant on a system, post root compromise. This information may include config files, ssh keys, ssl keys, or any other information deemed valuable.
-
-
21:49
»
SecDocs
Authors: Ruben Bloemgarten
Tags: data mining
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: The object of the lecture is to present and discuss the chokepointproject. How it (will) attempt(s) to aggregate and visualize near-realtime global internetwork data and augment this visualisation with legislative, commercial (ownership) and circumvention information.

The goals of the project are as follows:
* Provide a global early warning system against governmental or commercial abuse of internetworking systems in regards to civil and human rights.
* Enforce transparency by aggregating commercial ownership information.
* Enforce transparency by aggregating legislative information, including voting histories.
* Enable lobbyists to influence legislators by providing reliable, verifiable data.
* Provide a public database with near real-time network monitoring data for general use.
* Provide up to date circumvention methodologies, their relative legal status and their potential risks.

The chokepointproject currently consists of two elements:
* A frontend and public database,
* An intended globally distributed network monitoring data collection system.

The frontend intends to provide an easily understandable visualisation of aggregated and processed data-sources. The data-sources intend to provide the following information:

1. A per country detailed description of:
   1a. Network ownership (by IP block and route)
   1b. Legislative information such as
       * Which relevant laws are currently active.
       * Who has voted for them (supposing voting was a part of the process).
       * Which relevant laws are currently under review or being proposed.
       * Who are proposing/drafting these laws.
   1c. What circumvention methods are currently available for specific problems.
2. Near real-time network status visualisations such as, but not restricted to
   2a. Connectivity of geographic clusters,
   2b. Manipulation of connectivity such as:
       2b.1. Traffic shaping,
       2b.2. Content filtering,
       2b.3. Blackouts.

The intended globally distributed network monitoring data collection system would provide an independent and publicly available dataset. I do not intend to discuss this in depth. The focus of this lecture is supposed to be the front-end and the aggregation of already publicly available data sources, and the supposed benefit to improving civil rights everywhere and protecting them in those places where their functional effectiveness is under threat.
-
-
12:55
»
SecDocs
Authors:
Bastian Greshake Philipp Bayer Tags:
science Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: It was only a couple of years ago that generating genetic information about individuals was expensive and laborious work. Modern techniques have drastically cut cost and time needed to get an insight into one's genome and have ultimately led to the formation of personal genetics companies – like 23andMe, deCODEme and others – that now offer direct-to-customer genetic testing. With a price tag of those tests starting at about 100 €, the number of people that do such tests is on the rise. By now, 23andMe alone has over 100.000 paying customers, with over 60.000 of them willing to donate their genetic data and to actively participate in research projects by filling out surveys, e.g. on their medical histories. This has resulted in a high-quality dataset with genetic information of 60.000 individuals. The best part: The data has already been paid for by the participants in the research. Who would not love to get their hands on data like this? Unfortunately, the data sits locked away in corporate vaults, inaccessible to interested (citizen) scientists. But what if we could change this? We've created openSNP, a central, open source, free-to-use repository which lets customers of genotyping companies upload their genotyping data and annotate them with phenotypes. OpenSNP provides its users with the latest scientific research on their genotypes and lets scientists download annotated genotypes to make science more open. Companies that perform Direct-To-Customer (DTC) genetic tests have now been around for about six years, with 23andMe – founded in 2006 – and deCODEme being two of the oldest companies on the market. Their customers receive a test tube via mail, spit into this tube and send it back to their DTC company to get their genetic information analyzed. The tests performed by DTC companies do not utilize the more famous DNA sequencing, but rely on faster and cheaper DNA microarrays instead. 
Microarrays screen for around 1 million genetic markers, called Single Nucleotide Polymorphisms (SNPs). A SNP is a genomic variation, where a single base is changed at one site between members of a population. Usually a SNP has only two alleles (variants) and occurs with a frequency of at least 1% in the population. Spread over the whole human genome, each of us carries around 10 million variable sites, where 10% are covered by DTC-companies. Because of their uniqueness, SNPs can be used as markers associated with certain conditions. For example, there are variations of SNPs that are associated with elevated risks of developing breast cancer or Alzheimer’s. Other SNPs can be used to predict how a person metabolizes chemicals or drugs. 23andMe uses the results of consenting customers to perform their own genome wide association studies (GWAS). Those studies check for statistical differences between different groups. In a simple example one could have a group that is known to have Alzheimer’s and a control-group that does not have Alzheimer’s. Given enough participants, one can then look for genetical variants that are over- or underrepresented in one of the groups. The variants that are found by this method can then be used as predictors for Alzheimer’s. We feel that research projects all over the world and science in general would benefit from a rich, freely available source of linked, genetic data. And although genome wide association studies need a minimum number of participants to be able to find significant variations, it is not necessary to have 30.000 participants in your study. There are many publications with significant results with a total number of participants of less than 5000 individuals. 
Given the current number of 23andMe customers, one only needs 5 % of them to participate in freely sharing their genetic information together with basic information on some medical conditions or other variations to reach the critical mass to be able to perform simple association studies! While many people have already started to publish their results on GitHub et al. and movements like DIYBio are starting to take off, there are no real efforts to create a repository to centrally collect this kind of data. But what if one could create an open platform to collect this kind of linked data? Is it possible to perform crowd-sourced association studies to create new knowledge about our genes? With the creation of openSNP we have tried (and are still trying) to find out.
-
-
7:59
»
Packet Storm Security Advisories
nginx versions prior to 1.0.14 stable and 1.1.7 development suffer from an information leak vulnerability when receiving a malformed HTTP response.
-
-
16:23
»
Packet Storm Security Recent Files
GrrCON is an information security and hacking conference held annually in the Midwest. This conference was put together to provide the information security community with a venue to come together and share ideas, information, solutions, forge relationships, and most importantly engage with like minded people in a fun atmosphere. It will take place September 27th through the 28th, 2012 in Grand Rapids, MI, USA.
-
-
22:01
»
Packet Storm Security Advisories
Onapsis Security Advisory - Several ways to gather information exist in the JDENET service. Sending specific types of messages, it is possible to access technical information about the system's configuration.
-
21:45
»
Packet Storm Security Advisories
Onapsis Security Advisory - If a specially crafted message is sent to the JDENET service (specifically to the SAW Kernel), a user can remotely retrieve data from the JDE.INI configuration file. This information includes the password for the database connection and the configuration of the node password for authentication tokens.
-
-
19:21
»
Packet Storm Security Advisories
PHP versions 5.2.0 through 5.2.17 suffer from an information disclosure and possible code execution vulnerability due to the filter_globals struct not being cleaned up during the shutdown stage.
-
-
6:44
»
Packet Storm Security Exploits
Netragard, L.L.C Advisory - Sonexis ConferenceManager versions up to 10.x suffer from multiple information disclosure and lack of authentication vulnerabilities.
-
-
14:11
»
Packet Storm Security Exploits
Even if a user has their security settings with no history enabled, Skype 5.x.x fails to securely remove chat messages stored in the sqlite3 database.
-
-
14:09
»
Packet Storm Security Recent Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
-
16:04
»
Packet Storm Security Advisories
EMC Documentum xPlore contains an information disclosure vulnerability that may allow unauthorized users, under certain circumstances, to see certain information on protected objects in an xPlore search result. They will not, however, be allowed to view the objects themselves, or any associated content. Versions 1.0, 1.1 and 1.2 are affected.
-
-
18:53
»
Packet Storm Security Recent Files
dradis is a tool for sharing information during security testing. While plenty of tools exist to help in the different stages of the test, not so many exist to share interesting information captured. When a team of testers is working on the same set of targets, having a common repository of information is essential to avoid duplication of efforts.
-
-
21:31
»
SecDocs
Authors: Jamal Bandukwala
Tags: intelligence Google
Event: Black Hat Abu Dhabi 2011
Abstract: Traditional Google searches can generate millions of results many of which are not relevant to what a user is looking for and when a user searches for items with various advanced operators they are still limited to searching one site at a time. This means that an individual can have to peruse through several different pages of sometimes questionable quality looking for relevant and usable information. My custom searches allow a user to peruse multiple relevant sources at the same time. I have put together three different custom searches/engines; each of these searches goes through different types of online sources/content and consequently provides different types of information/intelligence. My presentation goes over each of these custom searches and provides examples of the type of information one can obtain from them and also examines how they can be used both in an offensive manner (i.e. attacks) and defensively as well. One can find everything from credit card numbers to passport information and even do things like interrupt travel plans and take over identities. Additionally you can also find significant information on various individuals even if they do not have their own presence online; this can allow an attacker to craft a much more convincing attack to get the information they need. It would appear that the custom search engine owner/creator and the individual using the searches are both only limited by the content in the search engine and their imagination. The possibilities on what you can find with the appropriate search are endless.
-
-
5:22
»
Packet Storm Security Tools
This is an automatic SQL Injection tool called FatCat. It has features that help you to extract the database information, table information, and column information from a web application.
-
-
16:54
»
Packet Storm Security Advisories
EMC SourceOne Web Search contains a vulnerability that may, under certain circumstances, log sensitive user credential information in plain text to the OS log of the web server. This can potentially be exploited by an unprivileged user with access to log information to gain access to the protected SourceOne components.
-
16:26
»
Packet Storm Security Advisories
Apache Tomcat versions 7.0.0 through 7.0.21 and 6.0.30 through 6.0.33 suffer from an information disclosure vulnerability. For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that need to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That led to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request.
-
-
6:20
»
Hack a Day
With all the Kindles and Nooks we’re bound to find at yard sales and thrift shops in the coming years, this might be useful. [Chris] made a door-mounted e-paper display to keep himself up to date on recent events. The hardware comes from an e-paper development kit [Chris] and his friend [Deian] were given a few years [...]
-
-
22:56
»
Packet Storm Security Advisories
Secunia Security Advisory - Blue Coat has acknowledged multiple weaknesses, security issues and vulnerabilities in Blue Coat IntelligenceCenter, which can be exploited by malicious, local users to disclose sensitive information and bypass certain security restrictions, by malicious users to disclose sensitive information, bypass certain security restrictions, manipulate certain data, gain escalated privileges, cause a DoS (Denial of Service), and compromise a vulnerable system, and by malicious people to conduct spoofing and cross-site scripting attacks, disclose certain system information, bypass certain security restrictions, and cause a DoS (Denial of Service).
-
-
5:11
»
Packet Storm Security Exploits
Apache MyFaces Core versions 2.0.1 through 2.0.10 and versions 2.1.0 through 2.1.4 suffer from an information disclosure vulnerability.
-
-
22:56
»
Packet Storm Security Advisories
Secunia Security Advisory - Gentoo has issued an update for sun-jre-bin, emul-linux-x86-java, and sun-jdk. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information, by malicious users to disclose certain information, and by malicious people to disclose potentially sensitive information, bypass certain security restrictions, hijack a user's session, manipulate certain data, conduct DNS cache poisoning attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.
-
-
18:58
»
Packet Storm Security Recent Files
dradis is a tool for sharing information during security testing. While plenty of tools exist to help in the different stages of the test, not so many exist to share interesting information captured. When a team of testers is working on the same set of targets, having a common repository of information is essential to avoid duplication of efforts.
-
-
12:01
»
Hack a Day
For less than $100 you can buy a little tracking module that will upload your location to a satellite. But you’ll only get latitude and longitude information. [Natrium42] spent some time reverse engineering the hardware, and the communications protocol, to allow custom data to be transferred using a SPOT module. The flat fee for the [...]
-
-
13:59
»
SecuriTeam
This vulnerability allows remote attackers to leak information on vulnerable installations of Internet Explorer.
-
-
13:27
»
SecDocs
Authors: Thomas Ryan
Tags: social engineering
Event: Black Hat USA 2010
Abstract: Given the vast number of security breaches via the internet, the experiment seeks to exploit the fundamental levels of information leakage—the outflow of information as a result of people’s haphazard and unquestioned trust. The experiment was conducted by creating a blatantly false identity and enrolling on various social networking websites. By joining networks, registering on mailing lists, and listing false credentials, the conditions were then set to research people’s decisions to trust and share information with the false identity. The main factors observed were: the exploitation of trust based on gender, occupation, education/credentials, and friends (connections). By the end of this experiment, Robin finished the month having accumulated 100’s of connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences. Through this 28 day experiment, it became evident that the propagation of a false identity via social networking websites is rampant and viral. Much of the information revealed to Robin Sage violated OPSEC procedures. The deliberate choice of an attractive young female exposed the role that sex and appearance plays in trust and people’s eagerness to connect with someone. In conjunction with her look, Robin Sage’s credentials listed on her profile resulted in selection perception; people’s tendency to draw unwarranted conclusions in their attempt to make a quick decision. By acquiring a large number of connections, Robin had the ability to identify the individual who was positioned to provide the most intelligence based on their involvement in multiple government agencies. The false identity combined with carefully chosen false credentials led to a false trust that could have resulted in the breach of multiple security protocols.
-
-
12:03
»
SecDocs
Authors: Francis Brown, Rob Ragan
Tags: intelligence
Event: Black Hat USA 2010
Abstract: During World War II the CIA created a special information intelligence unit to exploit information gathered from openly available sources. One classic example of the team’s resourcefulness was the ability to determine whether Allied forces had successfully bombed bridges leading into Paris based on increasing orange prices. Since then OSINT sources have surged in number and diversity, but none can compare to the wealth of information provided by the Internet. Attackers have been clever enough in the past to take advantage of search engines to filter this information to identify vulnerabilities. However, current search hacking techniques have been stymied by search provider efforts to curb this type of behavior. Not anymore - our demonstration-heavy presentation picks up the subtle art of search engine hacking at the current state and discusses why these techniques fail. We will then reveal several new search engine hacking techniques that have resulted in remarkable breakthroughs against both Google and Bing. Come ready to engage with us as we release two new tools, GoogleDiggity and BingDiggity, which take full advantage of the new hacking techniques. We’ll also be releasing the first ever “live vulnerability feed”, which will quickly become the new standard on how to detect and protect yourself against these types of attacks. This presentation will change the way you've previously thought about search engine hacking, so put on your helmets. We don't want a mess when we blow your minds.
-
-
10:35
»
SecDocs
Authors: Charles Henderson, Steve Ocepek
Tags: exploiting
Event: Black Hat USA 2010
Abstract: 0-days are a lot of fun. Whether it’s an overlooked buffer overflow, a poorly implemented encryption algorithm, or something downright bizarre, the thrill of breaking things is the reason most of us get hooked. That’s why Trustwave’s Global Security report is a bit sobering. Why are so many of these systems still vulnerable to SQL injection, LANMAN hash recovery, and default password guessing? And is an NFS exploit considered a 7665-day? But this isn’t about getting bent out of shape about the state of information security. Without being too preachy, this talk is about what we can do to help turn things around. Because if there’s one thing that is clear, the need for information security will only increase. And we’re all feeling the growing pains. The end of 2009 brought with it a great deal of controversy over the effectiveness of information security. We’re all pretty frustrated about it. But that’s the thing about growing up – you start to realize your own limitations. Like dieticians and dentists, we watch people make bad choices and wonder where we went wrong. And like them, we need to focus on the fundamentals: eating healthy, brushing your teeth, and blocking port 139. But man, that sounds pretty boring. So maybe it’s time for a new approach. Maybe it’s not so much about the message, but how it’s getting delivered. And maybe there’s something we can do about that. After all, we’re pretty secure folks – we can handle the touchy-feely stuff, right?
-
-
18:09
»
SecuriTeam
An Information Disclosure vulnerability was identified in HP Network Node Manager i.
-
7:36
»
Packet Storm Security Advisories
Spring Framework versions 3.0.0 to 3.0.5, 2.5.0 to 2.5.6.SEC02, and 2.5.0 to 2.5.7.SR01 suffer from an information disclosure vulnerability.
-
-
0:18
»
Packet Storm Security Advisories
An issue with Adaptive Authentication (On-Premise) was discovered which in certain circumstances might affect the out-of-the-box available authentication methods. In certain circumstances, when authentication information is compromised, and with the knowledge of additional session information, the authentication information might be reused within an active session.
-
-
20:34
»
SecuriTeam
An Information Disclosure vulnerability was identified in Apache Tomcat.
-
-
6:45
»
Packet Storm Security Exploits
This Metasploit module exploits an information disclosure vulnerability in the CA Arcserve D2D r15 web server. The information disclosure can be triggered by sending a specially crafted RPC request to the homepage servlet. This causes CA Arcserve to disclose, in cleartext, the username and password used for authentication. This username and password pair are Windows credentials with Administrator access.
-
-
22:55
»
Packet Storm Security Advisories
Secunia Security Advisory - Multiple vulnerabilities have been reported in Oracle Enterprise Manager, which can be exploited by malicious, local users to disclose sensitive information, by malicious users to disclose sensitive information and manipulate certain data, and by malicious people to disclose sensitive information, manipulate certain data, and cause a DoS (Denial of Service).
-
-
8:58
»
Hack a Day
[Dane] bought a reasonably cheap ($17) Hobbyking Echo-6 battery charger and wanted to see what sort of information he could pull from the unit. Since the charger is designed for a variety of battery chemistries and sports an LCD screen, he figured that it contained a fairly decent microcontroller which he could tap into for [...]
-
-
20:37
»
Packet Storm Security Advisories
Tomcat versions 7.0.0 through 7.0.18, 6.0.0 through 6.0.32, and 5.5.0 through 5.5.33 suffer from an information disclosure vulnerability. Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet and deployed web applications may use it directly via setting request attributes. These request attributes were not validated.
-
-
2:17
»
Packet Storm Security Recent Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
-
19:44
»
SecuriTeam
Apple HFS contains a vulnerability that could lead to reading arbitrary files from an HFS, HFS+ or HFS+j File System.
-
-
13:30
»
Hack a Day
[Greg] built himself a small indicator dial with his laser cutter, and wanted to use it for visualizing server performance and load information. Before he started using it for server monitoring however, he thought he should test out his data parsing skills on a simpler data set. Pachube has a wealth of information that can [...]
-
-
19:02
»
Packet Storm Security Recent Files
dradis is a tool for sharing information during security testing. While plenty of tools exist to help in the different stages of the test, not so many exist to share interesting information captured. When a team of testers is working on the same set of targets, having a common repository of information is essential to avoid duplication of efforts.
-
-
21:25
»
SecDocs
Authors: Christofer Hoff
Tags: cloud computing
Event: Black Hat Abu Dhabi 2010
Abstract: Mass-market, low-cost, commodity infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scaleable capabilities. This "abstraction distraction" has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility. The fundamental re-architecture of the infostructure, metastructure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity -- protecting the stuff that matters most in the first place. The problem is that we're unprepared for what this means and most practitioners and vendors focused on the walled garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security in a disintermediated and distributed set of automated, loosely-coupled resources. We're going to cover the most salient points relating to how IaaS Cloud architecture shifts how, where and who architects, deploys and manages security in this "new world order" and what your options are in making sustainable security design decisions.
-
-
12:40
»
Packet Storm Security Recent Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
12:40
»
Packet Storm Security Tools
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
12:40
»
Packet Storm Security Misc. Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
-
22:42
»
Packet Storm Security Recent Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
22:42
»
Packet Storm Security Tools
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
22:42
»
Packet Storm Security Misc. Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
14:29
»
Packet Storm Security Advisories
VSR identified a vulnerability in HFS+, a filesystem implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on many installations of the Mac OS X operating system. By exploiting this vulnerability, an unprivileged user with local access to a machine using HFS+ may be able to read raw filesystem data, bypassing file permissions and resulting in information disclosure.
-
14:29
»
Packet Storm Security Recent Files
VSR identified a vulnerability in HFS+, a filesystem implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on many installations of the Mac OS X operating system. By exploiting this vulnerability, an unprivileged user with local access to a machine using HFS+ may be able to read raw filesystem data, bypassing file permissions and resulting in information disclosure.
-
14:29
»
Packet Storm Security Misc. Files
VSR identified a vulnerability in HFS+, a filesystem implemented in the OS X XNU kernel. HFS+ is the default filesystem in use on many installations of the Mac OS X operating system. By exploiting this vulnerability, an unprivileged user with local access to a machine using HFS+ may be able to read raw filesystem data, bypassing file permissions and resulting in information disclosure.
-
-
7:29
»
Packet Storm Security Advisories
EMC Avamar utilizes an internally developed service utility which can potentially transmit customer sensitive information in clear text for certain events to other EMC internal systems as part of normal operations. Also, emails configured to be sent by the customer to notify about these events, may also potentially contain sensitive information. Versions 5.0.0-407 and later but prior to 5.0.4 are affected.
-
7:29
»
Packet Storm Security Recent Files
EMC Avamar utilizes an internally developed service utility which can potentially transmit customer sensitive information in clear text for certain events to other EMC internal systems as part of normal operations. Also, emails configured to be sent by the customer to notify about these events, may also potentially contain sensitive information. Versions 5.0.0-407 and later but prior to 5.0.4 are affected.
-
7:29
»
Packet Storm Security Misc. Files
EMC Avamar utilizes an internally developed service utility which can potentially transmit customer sensitive information in clear text for certain events to other EMC internal systems as part of normal operations. Also, emails configured to be sent by the customer to notify about these events, may also potentially contain sensitive information. Versions 5.0.0-407 and later but prior to 5.0.4 are affected.
-
-
18:49
»
Packet Storm Security Recent Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
18:49
»
Packet Storm Security Tools
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
18:49
»
Packet Storm Security Misc. Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
-
14:22
»
Packet Storm Security Advisories
FreeBSD's crontab implementation suffers from various race condition and symlink vulnerabilities that allow for minor information leakage.
-
-
15:19
»
Packet Storm Security Recent Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
15:19
»
Packet Storm Security Tools
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
15:19
»
Packet Storm Security Misc. Files
creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
-
16:02
»
Packet Storm Security Recent Files
Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
16:02
»
Packet Storm Security Tools
Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
16:02
»
Packet Storm Security Misc. Files
Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown, accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
-
-
15:55
»
Packet Storm Security Advisories
Syslog-NG versions 2.0, 3.0, 3.1, 3.2 OSE and PE suffer from information leak, access prevention and possible privilege escalation vulnerabilities.
-
15:55
»
Packet Storm Security Misc. Files
Syslog-NG versions 2.0, 3.0, 3.1, 3.2 OSE and PE suffer from information leak, access prevention and possible privilege escalation vulnerabilities.
-
-
9:22
»
Packet Storm Security Recent Files
The Rocky Mountain Information Security Conference has announced its call for papers. It will be held Friday, May 13, 2001 in Denver, Colorado, USA.