Sunday, January 19, 2014

15 Free Hack-Attack Tools

For the next two days at the Black Hat conference, white-hat hackers from different consultancies, universities and vendors will come up with above 100 briefings on vulnerabilities and exploits, and will also be releasing tools that would be useful to hackers. Here are some hacker tips promised...

BREACH, Black Hat, 100 briefings, 100 vulnerabilities and exploits, Salesforce.com, HTTPS, CSRF tokens, DDoS defense, Bluebox




1) A tool termed as BREACH will be introduced to extract encrypted secrets from HTTPS streams. The BREACH will be used by the speakers from Salesforce.com and Square to show misuse against “a major enterprise product” that rescues session identifiers, CSRF tokens, email addresses and the like in less than 30 seconds from an HTTPS channel.

2) Another attack tool which as per its creators can defeat commercial products to mitigate DDoS attacks will be available for free. The tool will be presented by Bloodspear Research Group as a new DDoS defense to thwart BloodSpear’s own attack tool.

3) This is a tool to automate information collection that can be used to make spear phishing messages more persuasive. This is done by imitating how individuals interrelate with others, their interaction with others and vocabulary and phrasing used by them. This tool comes from researchers at Trustwave’s Spider Labs and is used for collecting the data from publicly available sites by making use of both APIs and screen scraping.

4) Bluebox will describe ways to develop a vulnerability to trick the Android mobile operating system into undertaking malevolent applications hidden behind the signatures of genuine, cryptographically-verified apps.

5) Michael Shaulov and Daniel Brodie of Lacoon Mobile Security will demonstrate how to avoid mobile malware-identification and mobile device management features including encryption to install surveillance tools which collect details like text messages, email location data and take control of the device’s record.

6) Kevin McNamee, research director at Kindsight, will demonstrate how code that is used in turning smartphones into spy sensors can be put into any phone application. It is possible to attack and operate the phone from an Internet -based command and control server.

7) It is possible to hijack the home-based devices that connect to carrier cell networks and interpret voice, texting and data traffic over a specific network informs a team from iSec Partners. Linux devices allow attackers to select traffic as well as replicate linked mobile devices without having physical access to them.

8) iPhones are susceptible to harms from nasty chargers. However, a team from Georgia Institute of Technology will demonstrate how to build a charger and use it to install software on an iphone. They will also tell you how to conceal such applications the same way Apple does its standard apps installed on the phones.

9) A team of three researchers from McAfee will show you software that can avoid Windows 8 Secure Boot, which is supposed to bar malware from corrupting the operating environment.

10) Google will launch a tool known as Bochspwn which has been previously used to discover nearly 50 vulnerabilities in the Windows kernel and associated drivers. Most of the vulnerabilities have been patched but the tool can find more.

11) A team at Cyclance will release a tool to identify how pseudorandom number generators work based just on the numbers they produce. This enables attackers to identify numbers produced in the past and to be generated in the future.

12) One can install a cheap sensor-based tracking system to monitor individuals or groups without releasing any information to the targets of the surveillance. The law student/security researcher (Malice Afterthought) Brendon O’Connor will demonstrate how to do that. His system, called CreepyDOL is open-source software to ID targets, which chases them and gathers the data.

13) Attackers can influence various Flash storage devices to conceal potentially malicious files on them or to make them useless. The situation will be explored by Josh Thomas, a researcher at Accuvant Labs in a session. He will introduce two proof-of-concept tools for Android – one that injects and hides files on Android devices and another one to locate such files.

14) Low-energy Bluetooth makes use of a primary exchange that as per the security consultant Mike Ryan of iSEC Partners is weak. He will show how to snivel those keys so as to decrypt traffic sent by such devices, launch a tool that does the sniffing and demonstrate how to fix the problem with Elliptic Curve Diffie-Hellman key exchange.

15) Barnaby Jack, director of embedded security research at IOActive, will show software that makes use of a bedside transmitter to scan for and cross-examine medical devices including pacemakers that are fixed in human patients. The device will be used to identify the faults of security on these devices and how to enhance it.

No comments:

Post a Comment