July 29th, 2014

Chronology of Data Breach Update

I posted about this issue before a few months ago, but after recently looking to the statistics again I was pretty amazed and so I’m posting an update. PrivacyRights.org keeps an updated list (as much as is possible) of the chronology of data breaches. In the last nine months or so the number of Data Breaches has almost doubled in number to 154,525,715! I would have guessed big numbers with the huge T.J. Maxx issue earlier this year, but those are pretty impressive numbers in any case. Over the last couple months there has been a listing for almost every single day.

A lot of the data has come from the guys over at attrition. They started a open source dataloss database as well as a mailing list for dataloss notification. These aren’t insignificant companies either — of the last ten issues posted, four of them were government agencies and two were large universities. Crazy stuff.

Bay Area Recycling Event

If you live around the bay area, this looks like a pretty fun event to go to. As found on boing boing:

This weekend, MAKE: and the Alameda County Computer Resource Center (ACCRC) in Berkeley, California are holding a 24 hour event for makers to build stuff from the tons of fantastic gear collected by the electronics recycler. BYOT! (Bring your own tools!) Here are the details:
ACCRC in Berkeley, CA and Make have been collecting household electronics–including old projects, failed inventions, half finished prototypes. All of these items will be diverted to ReMake, a 24-hour event beginning at noon on Saturday, April 28.

No punchline required

A most hilarious data leak.

The great fuzz frenzy

Fuzzing is hot these days. I just ran across a neat idea/tool called FuzzMan recently (posted to full-disclosure I think). It takes a man page as input, and will fuzz input parameters based on what options it can parse from the man-page. The examples page shows the tool eliciting several segfaults in a known vulnerable version of sharutils.

There is an article in the latest hackin9 magazine (the print version anyway) about fuzzing, which covers several different fuzzing tools as applied to their relevant layers. You should check out the hackin9 magazine if you haven’t already. It’s a pretty good read, and is much more technical than other security/hacking print publications. It is a little spendy though (probably partially because it’s translated and imported), but I think it’s worth it. This issue they started a hacking challenge which is included (among other things) on a CD.


Yea for google images.

Steam Powered R2D2

Ok, this one is is for hackers of a different sort. My inner geek wouldn’t let me pass this one by without posting it. It is a steam powered R2D2 (R2 Steam too) !. Very cool stuff — gotta love steampunk. You might recognize other work by crabfu steamworks, like the R/C Steam LocoCentipede, or one of the many other fascinating creations.

Thanks Hackaday.

aircrack-ng remote buffer overflow vulnerability

It’s always a bit painfully sardonic when security tools are vulnerable to nasty remote execution bugs. It appears that aircrack-ng has a buffer overflow vulnerability in the latest version, and I don’t see a patch for it yet. A side effect of this is that wicrawl is potentially vulnerable as well through its aircrack-ng plugin. wicrawl currently uses the 0.6.1 release of aircrack, and I’m not sure if it is vulnerable or not. The best bet is to disable the aircrack plugin in the profile for now, until we can get an updated version from upstream. I haven’t verified the vulnerability yet (in either version), but it will be interesting to see what comes of this. If anyone sees a patch surface, post a comment, and I’ll apply it to the aircrack-plugin and release it for wicrawl.

Update: Oops, I forgot to link to the actual exploit in the original post.

VOIP security tool list

Here is a list of VOIP security tools that I found today whilst scouring my RSS feeds (sorry original poster, I lost the reference). There are different sections for different attacks, including sniffing tools, scanning and enumeration tools, VoIP packet creation and flooding tools, and the attack du jour, fuzzing tools. Looks like fun. :)

Defcon One Five CFP in effect

The CFP is now open for defcon. It officially closes June 15th, but getting a submission in early will help chances of being accepted since they pre-schedule a certain number of people before the deadline to encourage early submissions. The BlackHat USA conference during the same week in vegas is also having their CFP, though its deadline is May 1. Good luck submitters, :) .

FireCat (Firefox Catalog of Auditing Toolbox)

FireCat catalogs Firefox Add-ons useful for web application pentesting. The catalog is divided into six groups: Security Auditing, Editors, Network Utilities, Information Gathering, Proxying/Web Utilities. In the latest 0.95 release, FireCat includes almost 40 tools including Tamper Data, LiveHTTPHeaders, Greasemonkey, FoxyProxy, and many others. The catalog is available in JPEG, PDF, and Mind Link formats.

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS