Zero Day posted a list of tools and applications that were released at Defcon 16. The applications run the gamut, from Beholder, an open source wireless IDS tool, to CollabREate, a reverse-engineering plugin that allows multiple people to share a single project. The list covers a lot of ground, and there’s a lot for hackers to play around with and explore. It’s nice to see someone bothering to maintain a list since the majority of conference tools just get lost in the shuffle and are never seen again.
hacking80 Articles
Russia Vs Georgia, The Online Front
While we’re sure that just about everyone has heard about the conflict between Russia and Georgia, few have probably heard about the role of cyber attacks in the conflict. Shortly before Russia’s armed response, Georgian state web servers were attacked by individuals assumed to be Russian hackers. This attack almost completely obliterated Georgia’s online presence by shutting down the website for the Ministry of Defense, and the Central Government’s main site. The Russian attackers seem to be using some form of sustained DDoS to keep many Georgian sites offline. In an effort to preserve some web presence, the Georgian Government transferred [President Mikheil Saakashvili]’s site to a US hosting provider in Atlanta. The Ministry of Foreign Affairs even created a BlogSpot page after their website initially went down. While politically motivated DDoS attacks have not been rare in past months, this seems to be the first time where the attacking party can be clearly identified. This seems to be the start of a trend where the unconventional methods of cyber warfare are used to gain an advantage over the enemy.
[photo: somefool]
Possible Entrapment Scenario In Hacking Case
[Brian Salcedo] made headlines a few years ago as a hacker who attempted to break into Lowe’s corporate network. He is currently serving a nine-year prison sentence, one of the longest sentences for a computer hacking offense. Recent events surrounding a different hacking case have revealed that the buyer he worked for, [Albert “Segvec” Gonzalez], was a Secret Service informant. [Salcedo] claims that were it not for [Gonzalez]’s threats, he would not have committed the hacking offense. While the Secret Service may not have even been aware of [Gonzalez’s] activity with other hackers, [Salcedo] could make a case of entrapment by arguing that [Gonzalez] threatened him as a government agent in order to make him plant the sniffer in Lowe’s network.
More On GIFAR
[pdp] provides some perspective on the news regarding the GIFAR attack developed by researchers at NGS Software. As he explains, the idea behind the attack, which basically relies on combining a JAR with other files is not new. Combining JAR/ZIP files with GIF/JPG files will create hybrid files with headers at both the top and bottom of the file and allow them to bypass any image manipulation library as valid files. While tightened security and more stringent file validation practices are advisable, the problem is larger than just a vulnerability in browser security. ZIP is an incredibly generic packing technology used everywhere, from Microsoft files to Open Office documents, and of course, in JAR files. He closes with, “any file format that is based on ZIP, you allow your users to upload on your server, can be used in an attack”
[photo: Jon Jacobsen]
Essential Bluetooth Hacking Tools
Security-Hacks has a great roundup of essential Bluetooth hacking tools. As they point out, Bluetooth technology is very useful for communication with mobile devices. However, it is also vulnerable to privacy and security invasions. Learning the ins and outs of these tools will allow you to familiarize yourself with Bluetooth vulnerabilities and strengths, and enable you to protect yourself from attackers. The list is separated into two parts – tools to detect Bluetooth devices, and tools to hack into Bluetooth devices. Check out BlueScanner, which will detect Bluetooth-enabled devices, and will extract as much information as possible from those devices. Other great tools to explore include BTCrawler, which scans for Windows Mobile devices, or Bluediving, which is a Bluetooth penetration suite, and offers some unique features like the ability to spoof Bluetooth addresses, and an L2CAP packet generator. Most of the tools are available for use with Linux platforms, but there are a few you can also use with Windows.
[via Digg]
Creating Web Applications For The IPhone
[Dominiek ter Heid] wanted to prototype an application for the iPhone that incorporated GPS. He experimented, and came up with a step-by-step tutorial on how to create a web application that would push GPS information to his iPhone through the use of JavaScript and AJAX. This tutorial will save web hackers who want to play with the iPhone 3G a lot of grief. Using Cocoa Touch, and a CSS/JavaScript pack called IUI, he successfully created a web application that looks native to the iPhone and is able to grab GPS information. The application integrates the GoogleMaps API with the GeoNames database. We look forward to seeing the types of creative applications that this prototype will inspire. What sort of web application would you want to create for the iPhone?
[via digg]
Techie Hall Of Shame
In the aftermath of [Terry Childs], the jailed disgruntled software engineer who created a God password and effectively locked San Francisco officials out of their own computer system, IT Grind unveils its Techie Hall of Shame. The Hall of Shame highlights figures who give computer professionals a bad name. From [Roger Duronio], the systems administrator who wasn’t satisfied with his raise, to [Kenneth Kwak], who installed spyware on his boss’ computer in order to gossip, the wrath of the IT professional can wreak thousands to millions of dollars of damages for companies and corporations to clean up. As much as these figures seem to be singular figures, we think they also serve as cautionary tales. Always have backup. If you suspect you’ve got a disgruntled employee, you should probably at the very least keep another expert eye on him. And hire more than one person to manage your systems. [Deb Perelman] asks her readers who else they think would be worthy of the Hall of Shame. We’re curious to know what you think, too.
[via digg]
