background preloader

Home - The Community's Center for Security

Home - The Community's Center for Security - Supplying offensive security products to the world Insecure.Org - Tools & Hacking resources Black Hat USA 2014 - Arsenal Returning bigger than ever for 2014, Black Hat is pleased to once again present Arsenal--a Tool/Demo area where independent researchers and the open source community will showcase some awesome weapons. See below for the full list and descriptions of each of these tools. Hours and Location: August 6, 2014 | 10:00 - 18:00 | Breakers JK August 7, 2014 | 10:00 - 18:00 | Breakers JK Android Device Testing Framework The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Automated Memory Analysis Automated Memory Analysis is a set of new innovative Cuckoo Sandbox plugins that adds new dynamic and memory analysis abilities such as: Demonstrations will cover how the plugins can help security researchers analyze advanced malware. Malware samples such as Snake (Uroburos), Stuxnet, and friends that evaded analysis will be dissected live to demonstrate the toolkit abilities.

Professional Security Testers resources warehouse Black Hat: Top 20 hack-attack tools Network World - Turn someone else’s phone into an audio/video bug. Check. Use Dropbox as a backdoor into corporate networks. Check. Suck information out of pacemakers. Check. The Black Hat conference convening in Las Vegas next week offers hacker tools for all of those plus more. [LOOKING BACK: 10 scariest hacks from Black Hat and Defcon QUIZ: Black Hat's most notorious incidents MUST SEE: 10 more of the world’s coolest data centers] Intended to provide good-guy researchers with tools to test the security of networks and devices, the free tools distributed at the conference can also be used by the bad guys to break into networks, steal data and thwart defenses designed to expose malware halt attacks. Over the course of two days white-hat hackers from consultancies, universities and vendors will present more than 100 briefings on vulnerabilities and exploits they have discovered, and in many cases releasing tools that would be useful to hackers.

Hardware-based security more effective against new threats With software security tools and network vulnerabilities constantly being targeted by hackers, securing hardware components will grow in importance given it is more secure and cybercriminals will find it difficult to alter the physical layer for their purposes. Patrick Moorhead, president and principal analyst of Moor Insight and Strategy, said hardware-based security is more secure than software tools such as antivirus since it cannot be altered. Hardware-based security refers to safeguarding the computer using components such as processors. An RSA spokesperson added the physical layer eliminates the possibility of malware, such as virtual rootkits, from infiltrating the operating system and penetrating the virtualization layer. In 2010, RSA, together with VMWare and Intel, introduced a proof-of-concept framework to integrate security into the entire hardware stack. One example is ARM's joint venture with Gemalto and Giesecke & Devrient to set up Trustonic in December 2012.

Institute - The SANS Security Policy Project Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already, including policy templates for twenty-seven important security requirements. Find the Policy Template You Need! There is no cost for using these resources. Over the years a frequent request of SANS attendees has been for consensus policies, or at least security policy templates, that they can use to get their security programs updated to reflect 21st century requirements. This page will continue to be a work in-progress and the policy templates will be living documents. We'll make improvements and add new resources and sample policies as we discover them. Is it a Policy, a Standard or a Guideline? What's in a name?

Herramientas Seguridad Via @dragonjar Colombia #TICs Repositorio Exploit-DB En una auditoría de seguridad, uno de los objetivos puede ser vulnerar cuantas máquinas sean posibles. Para ello, nos valdremos de distintas herramientas escaneadores de red y puertos como nmap, visualizador y capturador de tráfico como Wireshark, alguna tool para hacer ataques MITM, como Cain y Abel y Evil FOCA etc.. Y para la parte de explotación, lo mas probable es que acabemos escogiendo Metasploit como Framework, pero no nos... Leer Más “Reflection Attacks” – DNS – SNMP y ahora NTP Los ataques de denegación de servicio se siguen usando tanto en ataques de protesta, como por parte de otras empresas para dejar sin servicio a empresas de la competencia. OASAM, Open Android Security Assessment Methodology Estas iniciativas me encantan, todos conocemos Owasp, un estándar que nos permite evaluar la seguridad web (entre otras cosas). Descarga la FocaPRO #gratis Monitorización para evitar el hijacking DNS

OWASP Testing Guide v4.0. Guia de seguridad en aplicaciones Web. La fundación Open Web Application Security Project lidera desde 2001 un proyecto libre sin ánimo de lucro orientado a promover la seguridad del software en general y de aplicaciones web en particular, manteniendo para ello varios proyectos e iniciativas. Bajo licencia Creative Commons, genera y distribuye libremente material de alta calidad desarrollado por decenas de profesionales relacionados con el desarrollo y seguridad del software, entre ellos guías, plataformas educativas y herramientas de auditoría, etc. Situadas entre las publicaciones más valoradas en relación al sector de auditorías de seguridad, las guías publicadas por la fundación OWASP se han convertido en un referente en el mundo de la seguridad del desarrollo y evaluación de aplicaciones. En 2008 se editó la versión 3 de la guía, con su traducción al castellano en 2009 en la que participó activamente INTECO. Guía de pruebas OWASP versión 4. • Gestión de Identidades • Control de errores • Criptografía 1. 2. 3. 4. 5. 6. 7.

Forensic Analysis of a Live Linux System, Pt. 1 1. Introduction During the incident response process we often come across a situation where a compromised system wasn't powered off by a user or administrator. This is a great opportunity to acquire much valuable information, which is irretrievably lost after powering off. I'm referring to things such as: running processes, open TCP/UDP ports, program images which are deleted but still running in main memory, the contents of buffers, queues of connection requests, established connections and modules loaded into part of the virtual memory that is reserved for the Linux kernel. Sometimes the live procedure described here is the only way to acquire incident data because certain types of malicious code, such as LKM based rootkits, are loaded only to memory and don't modify any file or directory. Other problems arise when we plan to take legal actions and need to comply with local laws. 2. This article is divided into four related sections: 2.1 Fitting to the environment Step 2: Media mounting

The Web's #1 Hacking Tools Directory - with tutorial videos! Hacking Tools Directory with Video Tutorials By Henry Dalziel | Information Security Blogger | Concise Courses We are big fans of blogging about Hacker Tools – for one major reason: if you are serious about working in cyber security you need to be able to use these tools like a boss. So! We have broken down our directory into the following hacking tools categories: (We feel that the below categories should encompass all the different fields within cyber security but as ever, if you feel that we have missed one out please let us know by dropping a comment below.) Let us know what you think about our Directory – we would love to hear your feedback. What we have tried to do to differentiate ourselves from the other Hacking Tools Sites out there, some of which are doing a great job, is that we have placed tutorial videos where possible to accompany the details about the tools. Drop a comment below to suggest a tool that we might be missing but you can also do that on the directory itself.

Infosec Tricks & Treats. Happy Halloween! This time around, we thought we’d offer up a couple of infosec tricks and treats for your browsing pleasure. Around MSI, we LOVE Halloween! Here are a couple of tricks for you for this Halloween: Columbia University gives you some good tricks on how to do common security tasks here. University of Colorado gives you some password tricks here. and The Moneypit even provides some tricks on cheap home security here. And now for the TREATS!!!!! Here are some of our favorite free tools from around the web: Wireshark - the best network sniffer around Find your web application vulnerabilities with the FREE OWASP ZED Attack Proxy Crack some Windows passwords to make sure people aren’t being silly on Halloween with Ophcrack Actually fix some web issues for free with mod_security Grab our DREAD calculator and figure out how bad it really is.. Put those tricks and treats in your bag and smile. Thanks for reading and have a fun, safe and happy Halloween!

Infosec Writers Text Library Disclaimer: Content in this library are provided "as is" and without warranties of any kind, either express or implied. InfoSec Writers does not warrant the use or the results of the use of the content in terms of their correctness, accuracy, reliability, or otherwise. In no event shall InfoSec Writers be liable for any damages - indirect, consequential or whatsoever - from usage of the content provided here. However, we are dedicated to providing QUALITY content, so we encourage you the reader to voice your queries or suggestions with regard to the technical accuracy/validity of any such content in this library. Email us: along with a CC to the respective writer. Re-posting ANY material, edited or not edited, (including files, text, design) off this site for public use is prohibited without prior authorization from us (or the respective owner/writer). To submit a text click here.

Top 15 Open Source. Free Security. Tools. 1. Nmap Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. 2. Wireshark is a network protocol analyzer. 3. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners. 4. Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. 5. 6. ettercap 7. 8. 9. 10. w3af 11. hping 12. burpsuite 13. 14. sqlmap