Security News #0x2F - Happy New Year!
- Yep, another 0-day was released attacking Internet Explorer, versions 6, 7, and 8. Sinn3r has a nice description of the problem on the Metasploit blog. The vulnerability is CVE-2012-4792, and there is an official Microsoft Advisory. As you might expect, there is a Metasploit module, though it is only configured for IE 8 on Windows 7, Vista, XP (SP 3), or 2003. A demo? Eric Romang has got it.
- Want a quick guide to BASH scripting? Ask N1tr0g3n.
- Last week, when I was putting together the stuff that ends up here in Security News, I saw a couple of announcements about a large data breach that was claimed to have occurred at Verizon. I ended up not including the links: it looked routine, and I could not get the (claimed) raw data. Boy did I luck out, as later analysis suggests that this may have been a stunt. The lead article is by ZDNet, but the debunking comes courtesy of DataLossDB and Space Rogue.
- Jason Donenfeld recently found some vulnerabilities that affect the WordPress W3 Total Cache plugin. See Full Disclosure for the details.
- Raphael Mudge (author of Armitage) makes his recommendations on how to develop offensive skills as a computer science student.
- Randomness plays an important part in security, especially (but not exclusively) in cryptography. However, most people do not have a good sense of what it means for a data stream to be random. The best of us have, of course, read Volume 2 of Donald Knuth’s The Art of Computer Programming. If you are a bit less mathematically inclined, though, you should take a look at the blog post by Empirical Zeal, who gives one of the best non-technical descriptions of what randomness means, through examples ranging from V2 attack sites in 1944 to shark attack data off the coast of South Africa. Most cool. If you are a student, stop and go read that piece. Seriously. I’ll wait.
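To put a number on the intuition above, here is an added example (my own code, not from the original post or from Empirical Zeal): scatter points over a grid, tally hits per cell, and compare that histogram against the Poisson distribution with a chi-square statistic. A truly random scatter produces clusters and a small statistic; an artificially "evenly spread" scatter, the kind people draw when asked for random dots, is far too regular and fails badly. The grid size, point count, seeds and the round-robin "even" placement are constructed choices for the demo.

```python
import random
from collections import Counter
from math import exp, factorial

def hits_per_cell(points, grid):
    """Count how many (x, y) points in [0,1)^2 land in each cell of a grid x grid square."""
    counts = Counter((int(x * grid), int(y * grid)) for x, y in points)
    return [counts.get((i, j), 0) for i in range(grid) for j in range(grid)]

def poisson_expected(n_cells, lam, k_max):
    """Expected number of cells receiving k hits for k = 0..k_max-1, plus one bin for k >= k_max."""
    pmf = [lam ** k * exp(-lam) / factorial(k) for k in range(k_max)]
    return [n_cells * p for p in pmf] + [n_cells * (1.0 - sum(pmf))]

def chi_square(counts, k_max=4):
    """Chi-square statistic of the observed hits-per-cell histogram against a Poisson model
    with the same mean. With 5 bins and the mean estimated from the data there are 3 degrees
    of freedom, so values above about 7.8 are unusual at the 5% level. Large values mean the
    scatter is either more clustered, or (as in even_scatter) more regular, than chance allows."""
    n_cells = len(counts)
    lam = sum(counts) / n_cells
    hist = Counter(min(c, k_max) for c in counts)
    observed = [hist.get(k, 0) for k in range(k_max + 1)]
    expected = poisson_expected(n_cells, lam, k_max)
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected) if e > 0)

def random_scatter(n, seed):
    """n uniformly random points; the fixed seed makes the run reproducible (constructed input)."""
    rng = random.Random(seed)
    return [(rng.random(), rng.random()) for _ in range(n)]

def even_scatter(n, grid, seed):
    """'Hand-placed' scatter: points dealt round-robin, one per cell, with jitter inside the cell.
    This mimics how people draw 'random' dots: no empty cells, no pile-ups, too regular."""
    rng = random.Random(seed)
    pts = []
    for i in range(n):
        ci, cj = divmod(i % (grid * grid), grid)
        pts.append(((ci + rng.random()) / grid, (cj + rng.random()) / grid))
    return pts

if __name__ == "__main__":
    GRID, N = 24, 576  # 576 cells and 576 hits: one hit per cell on average (constructed)
    for label, pts in (("uniform random", random_scatter(N, 1)),
                       ("evenly spread", even_scatter(N, GRID, 1))):
        counts = hits_per_cell(pts, GRID)
        print(f"{label:14s}  max hits in one cell = {max(counts)}  chi-square = {chi_square(counts):.1f}")
```

The random scatter lands some cells with three or more hits while leaving others empty, exactly the "clustering" that looks suspicious to the eye but is what a Poisson model predicts.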