Week 47 in Review – 2010

Events Related:

• wXf Videos from AppSec DC 2010 – cktricky.blogspot.com
  Here are some of the videos from AppSec DC 2010 and our presentation (Seth Law, Chris Gates and I) on wXf (Web Exploitation Framework).
• DeepSEC: Wrap-up – c22.cc
  It might not be as technical as DefCon, but DeepSEC had a good mixture of topics, and didn’t fail to deliver some unique and thought provoking content.
• PacketWars: Hackers go head-to-head in first ever cyber sport – tgdaily.com
  What used to be a frowned upon and shady underworld of computer hackers is now emerging as a network of professionals that boasts teamwork and helps provide insight into the world of cyber security.

Resources:

• EFF’s Guide to Protecting Electronic Devices and Data at the U.S. Border – eff.org
  Amid recent reports that security researchers have experienced difficulties at the United States border after traveling abroad, we realized that it’s been awhile since we last discussed how to safeguard electronic devices and digital information during border searches.
• A summary of talks done during DeepSEC
  • DeepSEC: All your baseband are belong to us – c22.cc
  • DeepSEC: Attacking SAP Users Using sapsploit eXtended 1.1 – c22.cc
  • DeepSEC: DYI malware analysis with Minibis – c22.cc
  • DeepSEC: Passwords in the wild: What kind of passwords do people use, and how do we crack them? – c22.cc
  • DeepSEC: Cloud-based log Analysis and Visualization – c22.cc
  • DeepSEC: Developers are from Mars, Compliance auditors are from Venus – c22.cc
  • DeepSEC: Circumventing common Pitfalls when auditing sourcecode for Security vulnerabilities – c22.cc
  • DeepSEC: Recent advances in IPv6 insecurity – c22.cc
  • DeepSEC: The Future of Social Engineering – c22.cc

Tools:

• Websecurify Security Testing Runtime – code.google.com/p/websecurify/
  Websecurify web security testing runtime v0.8 alpha 3 is released.
• AltoroMutual – owasp.org
  AltoroMutual is an vulnerable-by-design web application created by WatchFire (now AppScan Standard) as a demo test application for their BlackBox Scanner.
• OWASP HTTP Post Tool – owasp.org
  This QA tool was created to allow you to test your web applications to test availability concerns from HTTP GET and HTTP POST denial of service attacks – This tool is GPLv3.
• Ubertooth: first release – ossmann.blogspot.com
  This is a very preliminary release, but it includes the complete hardware design for Ubertooth Zero, firmware source code, and the host code needed to perform rudimentary Bluetooth sniffing as I demonstrated at ToorCon 12.
• ScreenSpy – interactive view of remote desktops using meterpreter – metasploit.com
  The script will give an attacker the ability to view remote desktop of multiple hosts in order to use the script firefox is needed to be installed on the local machine.
• Armitage – fastandeasyhacking.com
  Armitage aims to make Metasploit usable for security practitioners who understand hacking but don’t use Metasploit every day.
• skipfish 1.80b – code.google.com/p/skipfish/
  High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.

Techniques:

• SSL: the sites which don’t want to protect their users – zscaler.com
  It has been exactly a month since Firesheep was released to demonstrate the problem of session side-jacking, but these websites are still not willing to do anything about this problem.
• Axis2 Deployer via SOAP – spl0it.wordpress.com
  At OWASP AppSecDC @willis__ and I talked about several attacks against SAP BusinessObjects. SAP BusinessObjects uses a module known as dswsbobje.war to deploy the Axis2 interface.
• Episode #122: More Whacking of Moles – commandlinekungfu.com
  In my home town we have a college with a team who intends to compete in the CCDC Competition. The students are in control of a number of systems that are under attack by professional penetration testers (hackers) and the students need to defend the systems from the attackers.
• Scanning for Client-Side JavaScript Vulnerabilities – watchfire.com
  For this research, we used a new IBM technology called JavaScript Security Analyzer (JSA), which performs static taint analysis on JavaScript code that was collected from web pages extracted by an automated deep web crawl process.
• Additional Discussion of the April China BGP Hijack Incident – arbornetworks.com
  My blog post last week on the April 8th China BGP hijack incident generated significant discussion and raised additional questions in both the media and research / engineering community.
• Metasploit with MYSQL in BackTrack 4 r2 – offensive-security.com
  With the Metasploit team moving away from sqlite3, it is vital to be able to make use of a properly threaded database. There have also been quite a number of additional database commands added to Metasploit and documentation tends to be rather sparse online when it comes to the less “glamorous” side of database management.
• Using password cracking as metric/indicator for the organisation’s security posture – sans.edu
  The strength of passwords used is a good indication of the security posture of an organisation, considering the userid and password combination is in many cases the first and last line of defence. It is quite important to get it right.

Vulnerabilities:

• New Windows zero-day flaw bypasses UAC – sophos.com
  The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

Other News:

• Google Will Rat You Out to the Feds for $25 – gawker.com
  Google receives “tens of thousands” of requests each year from the government to turn over user data, and it complies with any it deems legitimate.