Events Related:
- The UCSB iCTF – ucsb.edu
The UCSB International Capture The Flag (also known as the iCTF) is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants.
- Another #sectorca has come and gone – anti-virus-rants.blogspot.com
It just so happens i took quite a few notes this year (pen&paper style – i’m still not taking a computing device to a hacker conference – come on) so i’ve got plenty of material (perhaps too much) to draw from for this post.
Resources:
- Security Strategy: From Requirements To Reality – slashdot.org
Anderson’s premise is that security technology needs to take a structured engineering approach to systems design, with detailed requirements and specification from start-up to development and implementation, just as those designing buildings and bridges do.
- Cloud CERT: Protecting the Next Generation of IT (PDF) – cloudsecurityalliance.org
Computer Emergency Response Team/Coordination Centers (CERT/CCs) form the cornerstone of coordinated incident response and computer security information sharing for governments and large enterprises around the world.
- BSidesDE Slide Deck Posted – Hacking Your Way into an Infosec Career – novainfosecportal.com
The talk wasn’t too technical obviously but I hope it helped a few people take that next step of turning a fun hobby into a life long career.
- Slides & Code from OWASP Appsec DC Posted – gdssecurity.com
The slides from the “Unlocking the Toolkit: Attacking Google Web Toolkit” talk I gave at OWASP Appsec DC last week are available for download on the OWASP Appsec DC Wiki Page.
- @mubix A pdf of the talk : http://bit.ly/aBoMM2 – @purehate_, twitter.com
- iPhone Forensics white paper – sans.org
We reviewed 13 different tools and provide our thoughts on each as forensic analysts who regularly analyze smart phones.
- Phrack Issue 67 – phrack.com
Notes Concerning The Security, Design and Administration of Siemens DCO-CS, Dynamic Program Analysis and Software Exploitation and more.
- (IN)SECURE Magazine issue 28 – pentestit.com
In all, 93 pages of security information! We recommend this to all security professionals.
- Exchanging and sharing of assessment results – sans.org
The sharing of pentest information can create a huge debate: just how much do you want to share?
- CSO: Designing a Pragmatic Pen Testing Program – coresecurity.com
It’s true, many consultants and experienced testers fail to overlook this fact that an efficient, useful pen test is one where almost as much work is done in planning, and afterwards in presenting results, as is done during the testing itself.
Tools:
- NiX – Linux Brute Force 1.0.3 update has been released – seclists.org
To those who want to ask, does it outperform Hydra? Yes it does, especially in basic auth and form mode.
- Wireshark 1.4.2 and 1.2.13 Released – wireshark.org
Vulnerabilities in the LDSS and ZigBee ZCL dissectors have been fixed.
- Phreebird Suite v1.02 – pentestit.com
Phreebird is a DNSSEC proxy that operates in front of an existing DNS server (BIND, Unbound, PowerDNS, Microsoft DNS, QIP) and supplements its records with DNSSEC responses.
- Social Engineering Ninja v0.3 – pentestit.com
S-E Ninja is a Social Engineering tool, with 20-25 popular sites’ fake pages and an anonymous mailer via the mail() function in PHP. It is a Phishing Web Application written in PHP, XHTML, CSS, JS.
- CUDA Multiforcer v0.72 – pentestit.com
The Cryptohaze Multiforcer, or the CUDA Multiforcer, is a high performance multihash brute forcer with support for per-position character sets, and very good performance scaling when dealing with large hash lists.
- OWASPBWA v0.92rc2 – pentestit.com
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products.
- skipfish – code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool.
- Agnitio v1.0.0 released today – securityninja.co.uk
I decided to give the code review tool a facelift and a proper name before I completed any more coding. I’m glad I did this because I can forget about the GUI design now and just focus on functionality.
- Metasploit: Now with more commercial-grade-y-ness – metasploit.com
A huge benefit of the commercial products is that we now have the resources to provide QA’d snapshots (see below).
- FOCA Free 2.5.6 – informatica64.com/foca/
FOCA, which stands for “Fingerprinting Organization with Collected Archives”, is an automated tool for downloading documents published on websites, extracting metadata and analyzing data.
- Nikto_2 – Revision 568: /trunk – assembla.com
Nikto SVN version.
- DarunGrim: A Patch Analysis and Binary Diffing Tool – darungrim.org
DarunGrim is a free diffing tool which provides binary diffing functionality.
- SECmic v4.04 – pentestit.com
Secmic is a Kubuntu based live security distribution that may be used by security professionals or for educational purposes.
Techniques:
- Show what wasn’t tested – clearnetsec.com
The chaos and confusion besetting all involved in security work due to how each participant defines popular security services doesn’t appear to be heading toward sanity any time soon (i.e. what is a pen. test to you?).
- Stuxnet: A Breakthrough – symantec.com
However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran.
- Stripping fuzzdb Down and Other Nonsense – l1pht.com
The first item is that when using the fuzzdb as-is with Burp we load the file and it’s imported with all the comments.
- Still on FireSheep
Afterparty posts on this bedazzling Firefox add-on.
  - Why the web has not switched to SSL-only yet? – zscaler.com
  - FireSheep – ha.ckers.org
  - Which networks are more susceptible to Firesheep (aka session sniffing)? – zscaler.com
- Padding Oracle Attack – securestate.blogspot.com
In the simplest terms the oracle can be asked questions and depending on the response the attacker can decrypt a valid cipher text.
- Cracking Passwords In The Cloud and Amazon’s EC2 GPU
GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: how fast can this instance type be used to crack SHA1 hashes?
  - Cracking Passwords In The Cloud: Amazon’s New EC2 GPU Instances – stacksmashing.net
  - Cracking Passwords In The Cloud: Getting The Facts Straight – stacksmashing.net
  - New EC2 Instance Type – The Cluster GPU Instance – aws.typepad.com
- Nessus Parsing… 101? – securityaegis.com
When you do a lot of external scoped projects with vulnerability scanners you tend to notice a few common low level vulnerabilities.
- Silently Uninstall SEP – room362.com
Now one idea I had in mind, instead of malicious uses, is actually to use this to help possibly get rid of some nasty spyware when all else fails.
- Hacking Virtual Machines series
Running IT services in a virtualized environment brings a whole host of new opportunities for hackers.
  - Hacking Virtual Machines Part 1 – Sniffing – shortinfosec.net
  - Hacking Virtual Machines Part 4 – Knowing That the Target is a Virtual Machine – shortinfosec.net
- Is BGP the Next Threat on Internet? – rootshell.be
BGP is used to exchange groups of routes (or IP address prefixes) via autonomous systems (“AS”).
- Presenting nbesort.rb: An Easy Way to Sort Nessus Results by Finding – redspin.com
The data that I need from Nessus is a complete list of the issues it has raised, with affected hosts and ports listed under each finding.
- Understanding and using skipfish – lcamtuf.blogspot.com
Skipfish, my open source web application security scanner, is now about eight months old – and, over the course of over 70 releases, has undergone a number of substantial changes.
- Continuing attacks against osCommerce sites – sucuri.net
On most of the sites we’ve analyzed so far, the attackers used the file_manager.php vulnerability to hack the site.
Vulnerabilities:
- Explore the CVE-2010-3654 matryoshka – technet.com
We recently discovered a sample that is trying to exploit the 0-day Adobe vulnerability tracked by CVE-2010-3654.
- Google 0day?
A 21-year-old Armenian calling himself “Vahe G” has uncovered a way of sending spam to Gmail users, just by them visiting an exploited webpage.
  - Website exploit allows spam to be sent from Google.com (with real headers) – sophos.com
  - Whoa, Google, That’s A Pretty Big Security Hole – techcrunch.com
- Cisco Videoconferencing Products Contain Vulnerable Credentials – darkreading.com
Researchers were able to use these hard-coded and unchangeable passwords, along with other vulnerabilities, to access the internal network.
Vendor/Software Patches:
- Mac OSX 10.6.5 and the PGP debacle
One group who need to be especially cautious this time around are users of PGP Whole Disk Encryption who found their Macs were no longer able to boot after installing the operating system update.
  - OS X Patch Catch-Up – krebsonsecurity.com
  - Mac OS X 10.6.5: 100+ Good Security Reasons To Upgrade, But Tread Carefully – darkreading.com
- Another Adobe Update
Adobe released security updates for Adobe Reader 9.4 (and earlier versions) for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 (and earlier 9.x versions) for Windows and Macintosh.
- Yes, Adobe Reader X is out
Protected Mode Adobe Reader comes with a sandbox (like Internet Explorer, Microsoft Office 2010, Google Chrome) designed to prevent malware from writing to important system components.
  - Adobe Reader X is Here! – adobe.com
  - Inside Adobe Reader Protected Mode – Part 4 – The Challenge of Sandboxing – adobe.com
  - Confused by Adobe? There’s a security update in there somewhere! – sophos.com
  - Quickpost: Adobe Reader X – didierstevens.com
Other News:
- Lin Mun Poo: Hacker of the Federal Reserve and …? – garwarner.blogspot.com
Poo was in possession of 400,000 stolen credit and debit card numbers at the time of his arrest.
- China diverts 15% of net traffic
Nearly 15 percent of the world’s Internet traffic — including data from the Pentagon, the office of Defense Secretary Robert Gates and other U.S. government websites — was briefly redirected through computer networks in China last April, according to a congressional commission report obtained by FoxNews.com.
  - Internet Traffic from U.S. Government Websites Was Redirected Via Chinese Networks – foxnews.com
  - China Hijacks 15% of Internet Traffic? – arbornetworks.com
- Notable changes in PCI DSS 2.0 affecting Web application security – acunetix.com
Hot off the press are the new PCI DSS and PA-DSS requirements which take effect January 1, 2011.
[…] This post was mentioned on Twitter by grecs, Ken Johnson. Ken Johnson said: RT @grecs: Week 46 in Review – 2010 http://bit.ly/fCdYJl [As always a good read. Plus I even got a post in there. :)] […]