websecurity@lists.webappsec.org

The Web Security Mailing List


Articles updates

MustLive
Tue, Apr 17, 2012 8:50 PM

Hello participants of Mailing List.

I want to draw your attention to the updates concerning my articles.

In February my article CSRF Attacks on Network Devices
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-February/008265.html)
was released in PenTest Extra 02/2012. I remind you that in this article
I wrote about different CSRF attacks on network devices, including the attacks
on login forms described in my 2011 article (such attacks can be conducted
on login forms of web applications, including the control panels of network
devices). In this article I've described this topic in detail (with
examples of attacks on vulnerabilities in real network devices).

As I mentioned in my announcement, I put a PDF teaser of the magazine
with part of the article on my site (the full text was available in the
magazine). For those of you who are interested in this subject but haven't
read the article because you had no possibility to read this issue of the
magazine, here is a good opportunity to read it. At the beginning of this
month I published the full article "CSRF attacks on network devices" on my
site (http://websecurity.com.ua/articles/csrf_attacks_on_network_devices/).

Concerning my two 2011 articles "Bypassing of captchas and blocking at web
sites" and "Bypassing of blocking by IP at web sites", which I briefly
translated for the list
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html):
after the publication there were requests from readers of the list to
make a full translation of them. So, as I've already informed the people who made
the requests, I've translated them into English and combined them into one
article (with much more information), which I called "Advanced methods of
bypassing of blockings at web sites".

This article was published in April in the magazine Pentest Regular 04/2012
(http://pentestmag.com/pentest-regular-0412/). You can download a teaser of
this issue of the magazine with my article
(http://websecurity.com.ua/uploads/articles/PenTest_04_2012_Teasers.pdf).
There is a fragment of the article in it, and you can read the full version of
the article in the magazine. I hope it will be interesting for you.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

MaXe
Tue, Apr 17, 2012 10:44 PM

Hello dear participants of the Web Security mailing list, [completely off
topic]

In other news, here is one of my recent articles:
http://www.exploit-db.com/wp-content/themes/exploit/docs/18669.pdf

To make this mail more interesting, the TDC Home Trio Box contains a
built-in backdoor, used for "Tech Support" purposes, which is essentially
just another user, that the actual user / customer, doesn't know about! The
customer may have a login of, let's say "iLike", and a password of:
"http://www.youtube.com/watch?v=ZZDWW9yHPq4&hd=1", which may seem hard to
bruteforce and even crack directly or indirectly.

But this hidden user, this is always the same.
User: tdchd
Pass: tdc

The only good thing, is that only the TDC Company knows about it, or well,
no.. The good thing is that this exact problem is localized to Denmark
only, but other similar problems, do exist in the real world. One of them,
is Scada (e.g., http://cirt.net/passwords?vendor=Siemens%20Corp ), and if
you're hacking by random, Shodan (http://www.shodanhq.com/browse/tag/scada)
is one of the places to go. Now the game suddenly became a lot more
dangerous (
http://www.infosecisland.com/blogview/19587-More-Exposure-to-SCADA-Devices-Through-Shodan.html
), when you combine the power of Shodan and CIRT, but this is just an
example.

So, weak passwords (and users), they're bad. In some devices you know they
exist (such as service or hidden menus on printers:
http://youtu.be/1ZQ8R5y5VnQ ), and in others, you don't. There are secrets
everywhere to be revealed, including vulnerabilities that existed in e.g.,
Apple's products for years:
http://www.ibtimes.com/articles/327143/20120412/flashback-trojan-hack-malware-apple-mac-terminal.htm

All of this, in some sense, is what I call "real hacking". Some of it is
just news, or information, but I can relate to all of this information.

These (except the Scada stuff) are just some of the things I and probably
you have seen lately, and as previously mentioned, it all relates to
hacking. Using Shodan and Default Passwords is not high-tech hacking, doing
your own (real) research, which can include programming, DIY projects and
disassembly of programs, is all closer to the essence of hacking.

All of this, MustLive, is the world I've been waiting for and hoping you
would enter one day. Because you have the potential, if you're willing to
move deeper into hacking.

Best regards,
MaXe

On Tue, 17 Apr 2012 23:50:05 +0300, "MustLive" <mustlive@websecurity.com.ua> wrote:

> Hello participants of Mailing List.
>
> I want to draw your attention to the updates concerning my articles.
>
> In February my article CSRF Attacks on Network Devices
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-February/008265.html)
> was released in PenTest Extra 02/2012. I remind you, that in this article
> I've told about different CSRF attacks on network devices, including attacks
> on login forms described in my 2011's article (such attacks can be conducted
> on login forms of web applications, including the control panels of network
> devices). And in this article I've described this topic in details (with
> examples of attacks on vulnerabilities in real network devices).
>
> As I've mentioned in my announcement, I put pdf-file teaser of the magazine
> with part of the article at my site (and full text was available in the
> magazine). For those of you who are interesting in this subject, but haven't
> read the article due to lack of possibility to read this issue of the
> magazine, here is a good possibility to read it. At the beginning of this
> month I've published full article "CSRF attacks on network devices" at my
> site (http://websecurity.com.ua/articles/csrf_attacks_on_network_devices/).
>
> Concerning my two 2011's articles "Bypassing of captchas and blocking at web
> sites" and "Bypassing of blocking by IP at web sites", which I've briefly
> translated to the list
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-September/008051.html).
> And after the publication there were requests from readers of the list to
> make full translation of them. So how I've already informed people, who made
> the requests, I've translated them to English and combined them into one
> article (with much more information), which I called "Advanced methods of
> bypassing of blockings at web sites".
>
> This article was published in April in the magazine Pentest Regular 04/2012
> (http://pentestmag.com/pentest-regular-0412/). You can download a teaser of
> this issue of the magazine with my article
> (http://websecurity.com.ua/uploads/articles/PenTest_04_2012_Teasers.pdf).
> There is a fragment of the article in it and you can read full version of
> the article in the magazine. I hope it will be interesting for you.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua


