Events Related:
- ToorCon related news
- Some Results from the ToorCon Security Conference – connectedinternet.co.uk
Hackers, security researchers at the ToorCon security conference in San Diego showed how easy it can be to poke holes in hardware and software with the right combination of tools, know-how, and good old fashioned cat curiosity.
- ToorCon: New Apps, Old Infrastructure Make Toxic Brew – threatpost.com
In a variety of ways, experts at this weekend’s ToorCon Conference warned that the tidal wave of new devices and Web based services is straining an already aging Internet infrastructure, with privacy and security as the first victims.
- Hack.lu wrap-up posts
- Hack.lu Day #1 Wrap-up – rootshell.be
- Hack.lu Day #2 Wrap-up – rootshell.be
- Hack.lu Day #3 Wrap-up – rootshell.be
- Hack.lu CTF – sscat writeup – stalkr.net
- Hack.lu CTF – Challenge 9 “bottle” writeup, extracting data from an iodine DNS tunnel – stalkr.net
Challenge #9 entitled “bottle” was original and worth its 500 points. We were given the following network capture and instructed to find a message.
Resources:
- Pentesting with Burp Suite: Taking the Web Back From Automated Scanners – securityaegis.com
Thanks to everyone at Toorcon who attended our talk: “Pentesting with Burp Suite, Taking the web back from automated scanners”.
- Hack3rcon 2010 Videos – irongeek.com
Below are videos of the presentations from Hack3rcon 2010.
- Nmap Scripting and Pcap Analysis – securityaegis.com
There were a lot of really great talks at Toorcon and two of my best friends, David Shaw of Redspin and Nate Drier of Spiderlabs, were kind enough to send me their video and slides.
- Hardware Will Cut You (video) – adafruit.com
The hardware design process is fraught with pitfalls, from library component sketchiness, parts availability, erroneous data sheets, underestimates of complexity and long lead times.
- PCI DSS v2.0 released – terminal23.net
The PCI Council has released PCI DSS v2.0 along with a doc of the changes.
- Exploitation 101 – cryptocity.net
This week’s homework is to find and exploit the security vulnerability in homework.exe, which is a simple server very similar to the demo.exe from class.
- Security Talks – ucla.edu
A list of security talks at UCLA.
Tools:
- WATOBO – THE Web Application Toolbox – sourceforge.net/apps/mediawiki/watobo/
WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits.
- USB Thief: A USB Social Engineering Tool! – pentestit.com
It is a tweaked USB that steals every password, including licences. Probably, you could use it in one of your “physical access” heists.
- RSYaba Modular Brute Force Attacker – randomstorm.com
RSYaba is a tool to run brute force attacks against various services in a similar way to Hydra and Medusa. The tool was written after bad experiences at getting existing tools working correctly with HTTP and SSH, so it was decided to make a tool that would be easier to configure.
- Firesheep makes cookies crumble
In roughly 24 hours, Firesheep has been downloaded more than 104,000 times, as would-be hackers — or the merely curious — downloaded the Firefox extension to test the exploit.
- I’ll take the Firesheep with a side order of ARP Poisoning please… – mcafee.com
- Lazy Hackers Unite: Firesheep Boasts +104,000 Downloads In 24 Hours – techcrunch.com
- Plugin, FireSheep, Lays Open Web 2.0 Insecurity – threatpost.com
- New Firefox Plug-In Offers WiFi Cookie-Jacking For ‘Average Joe’ – darkreading.com
- Firesheep: who is eating my cookies? – pandasecurity.com
- Firefox extension makes social network ID spoofing trivial – net-security.org
- Re: FireSheep – erratasec.blogspot.com
- Firesheep: Making the Complicated Trivial – f-secure.com
- Cooling Down the Firesheep – mozilla.com
- Firesheep: Baaaaad News for the Unwary – krebsonsecurity.com
- The Message of Firesheep: “Baaaad Websites, Implement Sitewide HTTPS Now! – eff.org
- Fireshepard – notendur.hi.is
The program kills the current version of FireSheep running nearby, but the user is still in danger of all other session hijacking mechanisms. Do not do anything over an untrusted network that you cannot share with everyone.
- Update: LoadDLLViaAppInit – didierstevens.com
This new version of LoadDLLViaAppInit allows you to load more than one DLL inside a process. You separate the DLL names with a semi-colon (;).
- Hashkill: A Multithreaded Open Source Password Cracker! – pentestit.com
Hashkill is a multi-threaded open source password cracker. It uses the OpenSSL library to crack different types of password hashes.
- WordPress SQL Injection Checker v1 – packetstormsecurity.org
- GMER – gmer.net
GMER is an application that detects and removes rootkits.
- Websecurify Security Testing Runtime – code.google.com/p/websecurify/
Websecurify is a powerful web application security testing platform designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.
- Evilgrade 2.0 – the update exploitation framework is back – infobytesec.com
This framework comes into play when the attacker is able to make traffic redirection, and such a thing can be done in several ways, such as: DNS tampering, DNS cache poisoning, ARP spoofing, Wi-Fi access point impersonation, or DHCP hijacking with your favorite tools.
- The Sleuth Kit – sleuthkit.org
The Sleuth Kit can be used with The Autopsy Forensic Browser, which can be downloaded here.
- Bluelog – digifail.com
Bluelog is a Linux Bluetooth scanner written to do a single task: log devices that are in discoverable mode.
- SIP Inspector – sites.google.com/site/sipinspectorsite/
A new version (1.22) has just been released.
Techniques:
- More about ATI 6XXX – golubev.com
It turns out that even Catalyst 10.6 can compile code for mysterious ISA id=15 and the resulting disassembly looks very interesting — the T unit is indeed gone from ATI’s thread processors and the XYWZ units can now process instructions they weren’t able to handle before, like 32-bit integer multiplies.
- ZigBee Lab – digitalbond.com
We purchased the ETRX3DVKA357 Developers Kit from Telegesis. It contains a number of ZigBee modules, a ZigBee USB adapter, three developer (dev) boards and software.
- Pentesting with Burp Suite: Taking the Web Back from Automated Scanners http://bit.ly/cl60yJ preso, ty @joelparish & @portswigger – twitter.com @Jhaddix
- Integrating Nikto with Nessus Video – tenablesecurity.com
A new video has been uploaded to the Tenable Security YouTube Channel titled “Integrating Nikto with Nessus”.
- Analysis of a UDP worm – sensepost.com
From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low detection rate.
- BIOS Password Backdoors in Laptops – dogber1.blogspot.com
When a laptop is locked with a password, a checksum of that password is stored to a sector of the FlashROM – this is a chip on the mainboard of the device which also contains the BIOS and other settings, e.g. memory timings.
- iPhone, meet Wireshark – Capturing Traffic from Mobile Devices – mudynamics.com
I wanted to see what the apps on my iPhone do and, as I searched around, most of the current methods seem to involve jail-breaking, setting up hubs and access points and other such cumbersome nastiness.
- Exploitation using publicly available Base64 encode/decode code – zscaler.com
Recently, we have seen additional malicious JavaScript hosted on one website, using another publicly available Base64 encode/decode scheme.
- JSREG BYPASSES – thespanner.co.uk
Another clever trick: the string is placed inside of an array, and when the eval function is called it used to check the object type; if it was a string then it rewrote the code, if not it was assumed to be an already rewritten string. However, I didn’t expect an array to be used in this context, so this would effectively bypass the sandbox.
Vulnerabilities:
- Here we go again: Adobe has a new zeroday
Adobe says that version 10.1.85.3 and earlier of Flash Player for the Windows, Macintosh, Linux and Solaris operating systems are vulnerable.
- Critical zero-day vulnerability found in Adobe Flash, Reader, Acrobat – sophos.com
- CVE-2010-3654 Adobe Flash player zero day vulnerability – contagiodump.blogspot.com
- Fuzz My Life: Flash Player zero-day vulnerability (CVE-2010-3654) – fortinet.com
- VIDEO: Cross-platform malware runs on Windows, Mac and Linux – sophos.com
We made a quick video demonstrating the much-talked about “Boonana” malware threat, also being compared to Koobface as it appears that cybercriminals have been distributing links to it via Facebook, tempting unsuspecting users with the promise of a video.
Vendor/Software Patches:
- Critical Fixes for Shockwave, Firefox – krebsonsecurity.com
Adobe Systems pushed out a critical security update for its Shockwave Player that fixes nearly a dozen security vulnerabilities.
Other News:
- iPhone Jailbreak Tool Sets Stage for Mobile Malware – threatpost.com
The success of a group of hackers in compromising the security of Apple’s iPhone may set the stage for more malware for the popular handset, including rootkit-style remote monitoring tools and data stealing malware.
- SCADA Vendors Still Need Security Wake Up Call – threatpost.com
Speaking at the ToorCon Security Conference in San Diego, Jeremy Brown, a vulnerability researcher at security firm Tenable, said that many SCADA software vendors lag far behind other IT firms in vulnerability research and lack even a basic awareness of modern security principles.
- Researchers hack toys, attack iPhones at ToorCon – cnet.com
One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched.
- Report: China hijacked U.S. Internet data – cnet.com
In several cases, Chinese telecommunications firms have disrupted or impacted U.S. Internet traffic, according to the excerpts.
- Impact of Artificial “Gummy” Fingers on Fingerprint Systems – cryptome.org
Potential threats caused by something like real fingers, which are called fake or artificial fingers, should be crucial for authentication based on fingerprint systems.
- Expert Advises Caution on SCADA Security Hysteria – threatpost.com
But the concern about spontaneous utility outages and surreptitiously poisoned food supplies is overblown and largely misplaced, an expert says.
- The Long Tail of Information Security – secmaniac.com
I wanted to blog about it because the talk itself resonated with me and directly correlates to a previous post on the current state of penetration tests.