Week 14 in Review – 2010

Events Related:

CERIAS Symposium Posts
- Opening Keynote: Mike McConnell (Symposium Summary) – cerias.purdue.edu
- Morning Keynote Address: DHS Undersecretary Rand Beers (Symposium Summary) – cerias.purdue.edu
- CERIAS Seminar Presentation: David Bell (Symposium Summary) – cerias.purdue.edu
- Panel #1: Visualization of Security (Symposium Summary) – cerias.purdue.edu
- Panel #2: Infosec Ethics (Symposium Summary) – cerias.purdue.edu
- Panel #3: The Evolution of Research Funding and Projects (Symposium Summary) – cerias.purdue.edu
- Fireside Chat (Symposium Summary) – cerias.purdue.edu
Registration Opens for Annual High Tech Crimes Training Conference – forensicfocus.com
Investigators of high-tech crimes are invited to register for the HTCIA’s annual conference being held in Atlanta (GA) from September 20-22, 2010.
SANS Security 508 – cutawaysecurity.com
A recent review on a SANS training session.

Resources:

The First Steps to a Career in Information Security – erratasec.blogspot.com
Things you should be doing now to prepare for an exciting career in information security.
WhatApp? – whatapp.org
Online and mobile apps reviewed for privacy, openness, and security.
ITB 0×1 is out! – windowsir.blogspot.com
This issue has an article on plist files, and a write-up on Don’s review of the Super Drivelock.
(IN)SECURE Magazine Issue 25 Released – net-security.org
(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.
CWE/SANS Top 25 List updated to V1.0.3 – mitre.org
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities.
Help Your Laptop to Survive a Security Conference – rootshell.be
It’s never too late to review and apply some basic rules.
Building the Foundation for Successful Password Self-Service: Part 1 – securitycatalyst.com
Password self-service is identity management functionality that enables end-users to reset their own password should they forget it.
Ejection Seats, Cooking Dinner, and Vuln Disclosure – attrition.org
A rant about life as an infosec professional.

Tools:

MoonSols Windows Memory Toolkit – moonsols.com
MoonSols Windows Memory Toolkit is the most advanced toolkit for Windows physical memory snapshot management.
Netsparker Community Edition – mavitunasecurity.com
Netsparker Community Edition is False Positive Free and can detect both SQL Injection and Cross-site Scripting issues better than many other scanners.
SFX-SQLi V1.1.3.2 – kachakil.com
SFX-SQLi (Select For XML SQL injection) allows you to extract the whole information of a Microsoft SQL Server 2005/2008 database in an extremely fast and efficient way.
TCPDump v4.1.1 – tcpdump.org
Tcpdump is a common computer network debugging tool that runs under the command line.
Libpcap v1.1.1 - tcpdump.org
Changes include a fix build on RHEL5 and shared library fix build on AIX, among others.
Malware Check Tool v1.0 – mertsarica.com
It calculates the md5 hash of a specified file and searches it in its current hash set (offline) or on virustotal site (online) and show the result.
FreeSentral IP PBX LiveCD v1.0 – freesentral.com
FreeSentral is a full IP PBX consisting of a Linux Distribution, an IP PBX and a Web Graphical User Interface for easy configuration.
PyLoris v3.0 – sourceforge.net/projects/pyloris
PyLoris is a tool for testing a web server’s vulnerability to a particular class of Denial of Service (DoS) attacks.
Introducing mitmproxy: an interactive man-in-the-middle proxy – corte.si
It’s aimed at software developers and penetration testers, who need to intensively tamper with and monitor HTTP traffic.
Scapy – freshmeat.net
Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer.
StreamArmor – Discover & Remove Alternate Data Streams (ADS) – darknet.org.uk
StreamArmor is a tool for discovering hidden alternate data streams (ADS) and can also clean them completely from the system.
Peach Fuzzer Framework v2.3.4 – peachfuzzer.com
Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing.
PVEFindAddr v1.30 – corelan.be
PVEFindAddr is a PyCommand (plugin) for Immunity Debugger.

Techniques:

Penetration Testing: Learn Assembly? – metasploit.com
Should a good penetration tester know assembly?
Update: Escape From PDF – didierstevens.com
The interesting thing about this fix is that it breaks my Foxit PoC, but that the Adobe PoC works for Foxit now!
Environment variable editor – hexblog.com
We are going to write an IDAPython script that allows us to add, edit or delete environment variables in a running process directly.
Bitlocker/Truecrypt Decryption Tool – mcafee.com
This is, to my knowledge, the first commercial implementation (or should that be exploitation?) of the Firewire memory attack.
PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit – offensive-security.com
This code should exploit a buffer overflow in the str_transliterate() function to call WinExec and execute CALC.
More on SANS’ Top 25 Series
- Top 25 Series – Rank 20 – Download of Code Without Integrity Check – sans.org
- Top 25 Series – Summary and Links – sans.org
Matt’s Primer for PDF Analysis – vrt-sourcefire.blogspot.com
I thought it might be useful to share some of what we’re seeing come in our data feeds, and what you should look for when reviewing PDF files.
Network Time Protocol (NTP) Fun – carnal0wnage.attackresearch.com
HD Moore released a new auxiliary module a few days ago that went along with his NTP research he has been doing.
OWASP AIR + Flash Security Projects – owasp.blogspot.com
To help reduce vulnerabilities, the AIR runtime restricts sensitive APIs and implements secure defaults.
Some presentations you might be interested in – dragos.com/csw10/
A server chock-full of nice presentations from various events.
PDFs Exploitable?!? I’m shocked… – eset.com
What happens when flawed functionality of Acrobat PDF file format leaves the door wide open…?
MalaRIA Malicious RIA Proxy – ha.ckers.org
The tool uses weak crossdomain.xml and clientaccesspolicy.xml (so both Flash and Silverlight) to allow a piece of code that resides on his server to use the client’s machine as a proxy.
Researcher Details New Class Of Cross-Site Scripting Attack – darkreading.com
‘Meta-Information XSS’ exploits commonly used network administration utilities
Cryptanalysis of the DECT – schneier.com
The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner.
Determine Windows version from offline image – skullsecurity.org
I am not a forensics expert, nor do I play one on TV.
Plugin Spotlight: SMB Insecurely Configured Service – tenablesecurity.com
A significant amount of testing is often required to ensure that you have the correct configuration settings, not just in terms of security, but also for system stability.
Jasager with BackTrack 4 Mind Map – mindcert.com
If you are new to Jasager be sure to read the original project pages to see what it can do.
Understanding *NIX File Linking (ln) – sans.org
The “ln” command is an important tool in any Unix admin’s arsenal and attackers use it too.
Capturing SSH V1 & V2 Credentials with a MitM ssh honeypot – pauldotcom.com
John Strand has put together an excellent video demonstrating how attackers can capture your SSH V1 and V2 passwords.

Vulnerabilities:

CVE-2010-0806 Exploit in the Wild – zscaler.com
The vulnerability impacts Internet Explorer 6, 6 SP1, and 7 – a patch was made available by Microsoft in the MS10-018 security update last week.
Java security hole runs amuck on all Windows systems to date
A huge vulnerability has been found that affects all Windows versions with Java installed
- Serious New Java Flaw Affects All Current Versions of Windows – threatpost.com
- Java exploit launches local Windows applications – h-online.com
- New bug/exploit for javaws – sans.org
Typo3 allows remote command execution via PHP – h-online.com
Attackers can inject PHP code from an external server and execute it within the Typo3 context.

Vendor/Software Patches:

Adobe doles out PDF hack workaround
The vendor is advising users to deactivate the “Allow opening of non-PDF file attachments with external applications” option.
- Adobe suggests workaround for PDF embedded executable hack – zdnet.com
- Adobe issues official workaround for PDF vulnerability – h-online.com
dbms_jvm_exp_perms 0day fixed on Windows 11gR2 – slaviks-blog.com
The 0day found by David Litchfield is now fixed in the newest Oracle 11.2.0.1 release for Windows.
Windows getting new patches
Another batch of fixes are coming around this Patch Tuesday, fixing 25 holes
- MS Patch Tuesday Heads-up: 11 Bulletins, 25 Vulnerabilities – threatpost.com
- Microsoft finally to close the VBScript hole in Internet Explorer – h-online.com
Pre-Notification – Quarterly Security Update for Adobe Reader and Acrobat – adobe.com
The updates will address critical security issues in the products.
Sun’s Solaris now getting quarterly security patches – computerworld.com
The update will include 16 security fixes for Sun products, including Solaris, Sun Cluster, Sun Convergence and the Sun Ray server software.

Other News:

Security programs: Less compliance, more protection
Enterprises are spending huge amounts on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected.
- Security Programs Focusing Too Much on Compliance, Study Finds – threatpost.com
- Security driven by compliance, rather than protection – cnet.com
Fighting back against toxic Facebook and iPhone app – itworld.com
The brains at Stanford Law School have come up a with a wiki that lets you speak your mind about iPhone, Facebook, and other apps.
Errata Security releases the results of the survey on secure coding practices – erratasec.blogspot.com
The survey found that Microsoft SDL was the most common security development lifecycle chosen.
Uncle Sam Wants You (To Fight Hackers) – businessweek.com
A cyberdefense competition at California State Polytechnic University in Pomona, Calif. drew about 65 students from Western colleges.
GhostNet is a cloud-based spy botnet
A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world
- Vast Spy System Loots Computers in 103 Countries – nytimes.com
- GhostNet 2.0 espionage network uses cloud services – h-online.com
- Shadows In The Cloud – forbes.com
- Researchers expose complex cyber espionage network – zdnet.com
- The Battle Against Cyber Espionage 2.0 – paloaltonetworks.com
Missing Firefox root authority found, confusion abounds
A root certificate in Firefox comes up having an unknown owner, but Mozilla is on a fix already.
- Removing the RSA Security 1024 V3 Root – mozilla.com
- Orphan root certificate creates confusion – h-online.com
- Updated: Owner of Firefox’s mystery root authority is confirmed – zdnet.com
Big phish catch: 70 cyber criminals caught.
DIICOT says that the raids were conducted in collaboration with the FBI and US Secret Service officers from the US Embassy in Bucharest.
- Romanian police arrest 70 phishers and fraudsters – sophos.com
- 70 Romanian Phishers & Fraudsters Arrested – garwarner.blogspot.com
Opinion: Conroy is right to question Google’s privacy record – itnews.com.au
Google gives the US Government access to Gmail, says iTnews’ editor.
From Cyber War: The Next Threat to National Security and What to Do About It – networkworld.com
Cyber war is not some victimless, clean, new kind of war that we should embrace.
Security Guru Richard Clarke Talks Cyberwar – forbes.com
The antiterrorism czar who foresaw 9/11 discusses Obama’s cybersecurity plans and North Korea.
Bank of America Employee Charged With Planting Malware on ATMs – wired.com
Rodney Reed Caverly, 37, was a member of the bank’s IT staff when he installed the malware.
A Chinese ISP momentarily hijacks the Internet (again) – computerworld.com
For the second time in two weeks, bad networking information spreading from China has disrupted the Internet.
Network Solution WordPress blogs infected with site-redirect hack
According to multiple postings on the WordPress user forum and other blogs, the attack doesn’t modify or create files, but rather appears to inject a Web address.
- Hundreds of WordPress Blogs Hit by ‘Networkads.net’ Hack – krebsonsecurity.com
- Mass infection of WordPress blogs at Network Solutions – sucuri.net
Adobe introduces automatic update for Reader – h-online.com
Adobe hopes that the new update function will mean fewer users running vulnerable versions of Reader.
Senate Bill 773: What it means for Cyber Security and Cybercrime – eset.com
The cybercriminals are faster and have shelter from litigation and arrest.

Week 14 in Review – 2010

Comments »

Trackback responses to this post