Events Related:
- MIRCon, A Look Back
I have the good fortune this week of being able to attend Mandiant’s Incident Response Conference (MIRcon) in Alexandria, Virginia, and so far it’s a very good time.
- Some word about WACCI
- Back from WACCI – windowsir.blogspot.com
- WACCI Digital Forensics (Part 1) – sans.org
- HacKid – An Amazing Conference – sunbeltblog.blogspot.com
Of particular note to the parents was the “Five top scams to avoid”, which seemed to cause a few “Oh, so THAT’S what it was” type glances around the room.
- ZaCon2 & Fig Leaf Security – thinkst.com
My talk this year was called “Fig Leaf Security”, and was aimed at saying some of the things that we generally don’t like saying (about the industry in general, and about ourselves in particular).
Resources:
- Introducing the Threat Review Series – paloaltonetworks.com
Last week we held our first webinar in the Threat Review Series where we focus on new or interesting threats in the security landscape and how to protect against them.
- BlackBerry Proof of Concept: Malicious Applications – smobilesystems.com
At this year’s Hacker Halted conference, the Junos Pulse Global Threat Center gave a presentation entitled “BlackBerry Proof of Concept: Malicious Applications”.
- Announcing Microsoft Security Intelligence Report version 9 – technet.com
Today, the 9th edition of the Microsoft Security Intelligence Report was released as Adrienne Hall, General Manager of Microsoft Trustworthy Computing Communications, gave her keynote at RSA Europe.
- Two New Social Media Security White Papers Released – spylogic.net
SecureState has released two white papers as part of our Social Media Security Awareness Month.
- Resources for Building Incident Response Teams – taosecurity.blogspot.com
The CERT.org CSIRT Development site is probably the best place to start.
- Cute (if nothing else) OSX Application.. – thinkst.com
iTried is a quick little utility I wrote while testing something. It sits on your menubar, and shows you the photograph of the last person who disturbed your screensaver (i.e. tried to log in).
- TDE decrypt utilities and TDE/Password flash demo – blog.red-database-security.com
Laszlo has posted 2 flash movies from his great presentation from the Hacktivity 2010 conference.
Tools:
- Multi exploit for Joomla – packetstormsecurity.org
Implements the 58 Joomla exploits summarized by Mr.aFiR.
- OracleEnumerator: A Tool to perform enumeration from an Oracle database server! – pentestit.com
OracleEnumerator is a tool to perform enumeration from an Oracle database server.
- Update : PuzlBox v1.0.0.9 – pentestit.com
PuzlBox is a PHP fuzz tool that scans for several different vulnerabilities by performing dynamic program analysis.
- Wireshark 1.4.1 and 1.2.12 Released, 1.0.x EOL – wireshark.org (http://www.wireshark.org/news/20101011.html)
This update fixes many vulnerabilities such as the one with the ASN/BER dissector and updates support for a great many protocols.
- sqlsus: An Open Source Injection & Takeover Tool! – pentestit.com
sqlsus focuses on speed and efficiency, optimising the available injection space, making the best use of MySQL functions.
- Google Hacking Diggity Project: An Advance Search Engine Hacking Tool! – pentestit.com
Google Hacking Diggity Project can be used for fingerprinting and other basic penetration testing steps and getting into organization data without hassle.
- New Tool: SDL Regex Fuzzer – msdn.com
SDL Regex Fuzzer will evaluate regular expression patterns to determine whether they could be vulnerable to ReDoS.
- Exploit Next Generation SQL Fingerprint (ESF) – MS-SQL Server Fingerprinting Tool – darknet.org.uk
Intentionally inserting an invalid input to obtain a typical error message or using certain alphabets that are unique for a certain server are two of the ways to possibly fingerprint a server.
- Windows Credentials Editor v1.0 – List, Add & Edit Logon Sessions – darknet.org.uk
Windows Credentials Editor (WCE) allows you to list logon sessions and add, change, list and delete associated credentials (e.g. LM/NT hashes).
Techniques:
- Fiddler and Channel-Binding-Tokens – msdn.com
Some users of Fiddler who have HTTPS Decryption enabled have found that some of their internal HTTPS sites that used to work properly with Fiddler now endlessly prompt for credentials while Fiddler is running.
- Death of an ftp client / Birth of Metasploit modules – corelan.be
Using a custom built ftp client fuzzer, now part of the Metasploit framework (svn r10658 and up), the team has audited several ftp clients and applications that use an embedded client ftp component.
- Traditional Penetration Testing is DEAD – BSIDES Atlanta – secmaniac.com
To start off on somewhat of a tangent, the penetration testing field can be looked at in two different lights.
- Hacking a Fix – securitybraindump.blogspot.com
By default APC PCNS can be found in the C:\Program Files\APC\PowerChute\group1 directory of a Windows system.
- Updates, updates – golubev.com
About GTX460: firstly it was looking like a cut-in-half version of GF100 and initial performance tests show this too.
- Http Request Splitting and Header Abuse with Java AddRequestProperty – mindedsecurity.com
The applet sandbox allows requests to be performed to the host where they originate by using the class java.net.URL.
- Java-JNLP-Applet User Assisted Arbitrary Execution – mindedsecurity.com
Among others there is the possibility to create an applet that will become a desktop applet by using JNLP in a restricted environment.
- Get Internal Network Information with Java Applets – mindedsecurity.com
In particular a malicious user could get important information about the private IP of each NIC a victim has on her platform.
- Tshark/Wireshark SSL Decryption – Lessons Learned – pauldotcom.com
We decided to use TSHARK because it has the ability to decrypt SSL and you can use Wireshark display filters.
- Buffer Overflow Pattern Tool – justanotherhacker.com
Being a perl man I decided I wanted to grab a perl based generator so I could modify it to suit my own needs.
- DNS Rebinding on Java Applets – mindedsecurity.com
During an assessment of Java VM source code (v. 6 update 21) it was found that the attack was still feasible, probably due to a regression issue and, more important, I found a way to extend the attack to every browser.
- LiveKd for Virtual Machine Debugging – technet.com
After giving it some thought, I realized that I could fool the debuggers into thinking that they were looking at a crash dump file by implementing a file system filter driver that presented a “virtual” crash dump file debuggers could open.
- Windows 7 symbolic links and hidden files – pauldotcom.com
Try this experiment: Create an Alternate Data Stream and attempt to open it with Microsoft Word.
- Metasploit HowTo: Standalone Java Meterpreter Connect-Back – 0x0e.org
The process is very straightforward: simply generate the .jar and set up a handler.
- setdllcharacteristics – didierstevens.com
Because I need to set DEP and ASLR flags in a script, I wrote a C program to read, set or clear these flags (together with another flag to check AuthentiCode signatures, more about this later).
- Nessus XML parsing with awk – h-i-r.net
Usually, I only concern myself with the high-severity issues for weekly reports, then as I have time, I dig deeper into the more trivial problems.
- Padding Oracle attack PoC
- MS10-070 ASP.NET Padding Oracle Attack to download web.config or other files – hexale.blogspot.com
A proof-of-concept attack against MS10-070, this PoC is an implementation in Ruby of a Padding Oracle attack and allows you to download the ‘Web.config’ file or any other file from a vulnerable ASP.NET installation.
- MS10-070 ASP.NET Padding Oracle attack PoC exploit video – hexale.blogspot.com
- PDF, DEP, ASLR and Integrity Levels – didierstevens.com
If the application did not use DEP, ASLR or Integrity Levels, I changed some settings to make the application use these features.
- Force.com secure code review howto Part 1 – greebo.net
Visual Force is an MVC-based framework. It appears to act like a tag library with the <apex:… prefix, used inside files with a .page extension.
Vendor/Software Patches:
- Java Update Clobbers 29 Security Flaws – krebsonsecurity.com
Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.
- MS Security Bulletins and Patch Tuesday
- Microsoft Security Bulletin Summary for October 2010 – microsoft.com
- Assessing the risk of the October security updates – technet.com
- Note on Bulletin Severity for MS10-081 and MS10-074 – technet.com
- Microsoft Plugs a Record 49 Security Holes – krebsonsecurity.com
- Is the Oracle Critical Patch Update for October 2010 Massive? – integrigy.com
First, let’s look at the 85 vulnerabilities patched in the CPU to see how this CPU compares with previous CPUs.
Other News:
- Dead or Alive: Pen Testing – securosis.com
The pen testers need to operate in a reasonable semblance of a real world scenario. Obviously you don’t want them taking down your production network. But you can’t put them in a box either.
- Pen-and-Paper SQL Injection Attack Against Swedish Election – schneier.com
Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot.
- Security services firm iSEC Partners acquired – techtarget.com
iSEC Partners, a pen-testing and security services consultancy that has been at the forefront of innovative research in the past half-decade, was acquired today by NCC Group of Manchester, England.
- Attack of the monster frames (a mini-retrospective) – lcamtuf.blogspot.com
The next notable milestone: clickjacking, a seemingly obvious threat essentially ignored by the security community (perhaps in hope it disappears), until extravagantly publicized by Jeremiah Grossman and Robert ‘RSnake’ Hansen in 2008.
- Java: A Gift to Exploit Pack Makers – krebsonsecurity.com
Take one look at the newest kit on the block, “Blackhole”, and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.
- Guest Post: Michelle Klinger “Interview with a Mentor…Mentor R – infosecmentors.blogspot.com
As previously mentioned, this is the continuation in a series of interviews with both mentees and mentors on their experience with InfoSec Mentors to date.
- Mentor vs. Mentee – infosecmentors.blogspot.com
We’ve been matching mentors and mentees at lightning speed in the past days and as one would come to expect, we have many more mentees than we have mentors.
- Suggestions for getting started – infosecmentors.blogspot.com
I thought I would create a small list of activities you should expect to do during the beginning phase of your mentoring relationship.