Week 16 In Review – 2011

Events Related

• Debriefing on BSidesLondon
  It was a long but wonderful day! I woke up very early to catch my train from Brussels to London and arrived just in time. The room was already full of security guys, some well known faces and new ones.
  • BSidesLondon Wrap up – blog.rootshell.be
  • BSidesLondon D-Day – blog.rootshell.be
  • BSidesLondon: Jedi mindtricks for building application security programs – blog.c22.cc

• Notacon 8: At Least We’re Not Detroit – intrepidusgroup.com
  This weekend was Notacon 8, Cleveland, Ohio’s longest running hacker con.  Normally I don’t expect a lot of info sec related talks because in years past, Notacon emphasized the creative interpretation of the term hacker.

Resources

• Verizon’s DBIR 2011
  In other words, most of the damaging, expensive breaches has cheap countermeasures that people just don’t do. Niiiice! On a more serious note, not only many of the breached organizations were ignorant, there were not even close to being PCI DSS compliant.
  • Verizon Data Breach Investigations Report 2011 – chuvakin.blogspot.com
  • 2011 DBIR released – securityblog.verizonbusiness.com
  • What We Can Learn from the 2011 Verizon DBIR – jasonstultz.com

• Final Report On Pan-European Cyber Security Exercise – enisa.europa.eu
  The report underlines the need for more cyber security exercises in the future, increased collaboration between the Member States and the importance of the private sector in ensuring IT security.
• Microsoft Safety Scanner: Free On Demand Safety Scanner – microsoft.com
  Microsoft Safety Scanner has been designed with simplicity in mind. The program can be started right after downloading or transferring it to a Windows PC. Only the depths of the scan needs to be selected, everything else is handled automatically by the application.
• State of Software Security Report, Volume 3 – info.veracode.com
  Today we’re proud to release the third volume of our semi-annual State of Software Security report. This edition incorporates data from 4,835 applications analyzed via our cloud-based platform over the past 18 months.
• ClubHack Magazine April 2011 – docs.google.com
  ClubHACK has released another version of their magazine. It is the first  Indian “Hacking” Magazine.This issue has been dedicated to Mozilla.
• Locks that can re-key themselves? – skullsecurity.org
  I was at Rona last week buying a lead/asbestos/mold-rated respirator (don’t ask!), when I took a walk down the lock aisle. I’m tired of all my practice locks and was thinking of picking up something interesting. Then I saw it: a lock that advertised that it could re-key itself to any key. Woah! I had to play with it.
• NSTIC Strategy Released – blogs.cisco.com
  Last June, I blogged about a draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC) that had been released for public comment. This past April 15, the finalized NSTIC strategy document was released at an event at the US Chamber of Commerce.
• The Exploit Intelligence Project – goo.gl
  I got my slides up early.
• IP address can now pin down your location to within half a mile – usenix.org
  In a research paper and technical report presented at the USENIX Networked Systems Design and Implementation (NDSI) conference at the beginning of April, researchers from Northwestern University presented new methods for estimating the exact physical location of an IP address tens or hundreds of times more accurately than previously thought possible.
• Attacking Oracle Web Applications With MetaSploit – slidesha.re/dQvoJP
  Oracle talk slides here.
  [via Twitter]

Tools

• Windows Credentials Editor v1.2 Released – hexale.blogspot.com
  Windows Credentials Editor (WCE) allows to list logon sessions and add, change, list and delete associated credentials. This can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory which can be used to perform further attacks, obtain Kerberos tickets and reuse them in other Windows or Unix systems.
• Directory Server Fingerprinting Tool – securityxploded.net
  DirectoryScanner is the FREE Directory Server fingerprinting tool. It can help you to remotely detect the type of Directory servers running on the local network as well as Internet.
• Bodgelt Store App – code.google.com
  There are various vulnerable web applications such as Jarlsberg, WackoPicko, Damn Vulnerable Web Application (DVWA), Vicnum, etc. Now we have another application that is vulnerable and ready to be exploited! The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to penetration testing.
• Signed Spreadsheet with cdm.dll & regedit.dll – blog.didierstevens.com
  Paul Craig has a signed version of my spreadsheet on his iKAT site. Download ikat3.zip and look for officekat.xls. These signed macros are handy when you’re working in a restricted environment that requires Office macros to be signed.
• Microsoft Makes Portable Anti-Virus Tool Ready To Download – h-online.com
  Microsoft has released its free Microsoft Safety Scanner.This scans for and removes malware from Windows systems without requiring prior installation. According to AV-Test’s Andreas Marx, the on-demand anti-virus scanner appears to be based on the Malicious Software Removal Tool, but with the addition of a complete signature database.
• Malware Analyzer v3.0 – sourceforge.net/projects/securityanalyzers/files
  It can be useful for string based analysis for Windows registry, API calls, IRC Commands, DLL’s called and anit-VMWare code detection. It displays detailed headers of PE with all its section details, import and export symbols etc.
• NMAP XML Parser – marcoramilli.blogspot.com
  After a couple of emails on this topic I decided to share some NMAP specific xml parsers. As many of you know through -oX flag it’s possible to save NMAP results into a well-structured xml file. But what about the visualization or the manipulation of such a file?
• Malheur 0.5.0 – NA
  Malheur is a tool for automatic analysis of program behavior recorded from malicious software. It is designed to support the regular analysis of malicious software and the development of detection and defense measures.
• NessusDB v1.4 – github.com/hammackj/nesusdb
  NessusDB is updated and new version v1.3 has been released. This release fixes some major ActiveRecord relation issues that seem to have popped up. I have also streamlined some of the command line options and added a config file for keeping track of different assessments.
• GUI frontend for GoogleDiggity and BingDiggity – stachliu.com/tools/searchdiggity.msi
  SearchDiggity is a new GUI application that serves as a front-end to both GoogleDiggity and BingDiggity. Both are good information gathering tool. We have discussed about it in detail in our previous posts.
• T50 v5.3 – pentestit.com/2011/04/22/update-t50-v53/t-50-5-3-websecforum-2/
  T50 Sukhoi PAK FA Mixed Packet Injector (f.k.a. F22 Raptor) is a tool designed to perform “Stress Testing”. It is a powerful and an unique packet injection tool.

Techniques

• The TDSS Guide
  In the two years since the Win32/Olmarik family of malware programs (also known as TDSS, TDL and Alureon) started to evolve, its authors have implemented a notably sophisticated mechanism for bypassing various protective measures and security mechanisms embedded into the operating system.
  • TDSS part 1: The x64 Dollar Question – resources.infosecinstitute.com
  • TDSS part 2: Ifs and Bots – resources.infosecinstitute.com
  • TDSS part 3: Bootkit on the other foot – resources.infosecinstitute.com

• Exploiting Adobe Flash Player On Windows 7 – abysssec.com
  Here we have type confusion vulnerability in ActionScript bytecode language. The cause of these vulnerabilities is because of implementation of verification process in AS3 jit engine that because of some miscalculation in verifying datatype atoms, some data replaces another type of data and the confusion results in faulty machine code.
• Running Commands In Restricted Command Prompt – r00tsec.blogspot.com
  Ok, so far so good. Unfortunately, it looks like the commands we want to run are restricted… How do we bypass this? Simple, run a command that isn’t restricted and pipe a restricted command in.
• Memory Forging Attempt By A Rootkit – blogs.mcafee.com
  Some time ago a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file.
• Recent Facebook XSS Attacks Show Increasing Sophistication – theharmonyguy.com
  A few weeks ago, three separate cross-site scripting (XSS) vulnerabilities on Facebook sites were uncovered within a period of about 10 days. At least two of these holes were used to launch viral links or attacks on users – and it’s clear that attacks against Facebook users are becoming increasingly sophisticated.
• Surveymonkey: IP spoofing – blog.c22.cc
  A few weeks back I was finalizing some of the survey results for my #BSidesLondon talk when I noticed something interesting, if a little strange. When somebody fills out a survey on the Surveymonkey website, they record a number of pieces of meta data along with the survey answers.
• In-house developed applications: The constant headache for the information security officer – isc.sans.edu
  Although perimeter security controls are well publicized, there are many suppliers who can offer them in different countries and these devices can fit into all types of budgets, there are still security problems in custom applications developed within companies that are not so easily solved.
• Crafting Overlapping Fragments (Eventually) Part 2 – packetstan.com
  In my last blog I covered the theory of fragmentation. Just to remind you – our ultimate goal is to use Scapy to craft overlapping fragments. So far, we’ve seen how Scapy can create normal fragments and the composition of normal fragments. That will come in very handy when we create our overlapping fragments.

Vulnerabilities

• Adobe reader, Acrobat Update Nixes Zero-Day – krebsonsecurity.com
  Adobe shipped updates to its PDF Reader and Acrobat products today to plug a critical security hole that attackers have been exploiting to break into computers. Fixes are available for Mac, Windows and Linux versions of these software titles.

Other News

• Spear Phishing Incident At Oak Rideg National Laboratory
  The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.
  • Top Federal Lab Attacked In Spear Phishing Attacked – wired.com
  • Oak ridge, spear phishing, and i-voting – freedom-to-tinker.com

• Grey Hat Hacks ESA Website – blogs.computerworld.com
  It seems that hardly a day passes without hearing of another breach, but what is unique about the high profile ESA breach was that it was allegedly an anniversary hack.
• The Linux Security Circus: On GUI Isolation – theinvisiblethings.blogspot.com
  There certainly is one thing that most Linux users don’t realize about their Linux systems… this is the lack of GUI-level isolation, and how it essentially nullifies all the desktop security. I wrote about it a few times, I spoke about it a few times, yet I still come across people who don’t realize it all the time.
• The Web Exploitation Framework Project – novainfosecportal.com
  In January of 2010, Seth Law and I had a conversation about using tools for our everyday testing and exploitation. Which tools we prefer, those we do not and those that are no longer maintained.
• SQL injection: Why can’t we learn – isc.sans.edu
  Recently we have been all witnesses of two high profile incidents where the attackers exploited SQL injection vulnerabilities: the now infamous HBGary Federal hack and the Barracuda Networks hack. What’s even more worrying about these two incidents is that they happened to companies which are information security consultants/product developers.
• Insufficiently Prepared Infrastructure Firms Increasingly Under Attack – h-online.com
  A new study written jointly by McAfee and the Center for Strategic International Studies (CSIS) concludes that utility companies are increasingly under threat from targeted attacks and yet many are simply not taking the proper precautions to protect their systems.
• Windows Functions Disables Exploit Protection – h-online.com
  Security experts Chris Valasek and Ryan Smith have revealed how they are able to bypass Windows’ heap-exploitation mitigation feature. They have presented their findings at the hacker conference Infiltrate.
• iPhone Keeps Record of Everywhere You Go – guardian.co.uk
• Security researchers have discovered that Apple’s iPhone keeps track of where you go – and saves every detail of it to a secret file on the device which is then copied to the owner’s computer when the two are synchronised.
• Weaponizing GPS Tracking Devices – darkreading.com
  Those low-cost embedded tracking devices in your smartphone or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, a researcher has discovered.