cqure.net

Archive for the 'cqure.net' Category

Oracle 11g password security

Monday, September 24th, 2007

Finally, Oracle has made changes to the way they store passwords. Oracle 11g introduces a different algorithm (SHA1), supports mixed-case passwords and adds salts to stored passwords. This all sounds great EXCEPT that the old weaker hashes are still being stored in the sys.user$ table.
It seems as if several different people have been looking in [...]

Passing-the-hash for everyone

Thursday, August 16th, 2007

Core Security released their PSH (passing-the-hash) toolkit today. Even though the concept of passing-the-hash is old, few tools putting it into practice have been available to the public. A number of companies working within the security industry have had their own tools, some being more proud of them than others. I myself attempted to write [...]

Defcon 15 - MQ presentation and tools now online

Thursday, August 9th, 2007

Martyn Ruks’ presentation and MQ tools are now available on their website. You can get the material from here.

Defcon 15 again

Wednesday, August 8th, 2007

Even though I missed some of the great presentations at Defcon I had a chance to see quite a few. Here is a brief summary of the most inspiring.
“MQ Jumping” by Martyn Ruks. This was a great presentation of IBM WebSphere MQ and some of its security problems. Martyn presented a number of ways [...]

Defcon 15

Wednesday, August 8th, 2007

Defcon and Las Vegas were great this year. A number of great presentations, a reporter being chased out from the hotel and my friend ending up on the Wall of Sheep. As promised I have put my updated presentation online together with the small DNS server used for the demonstration. You can find [...]