Week 18 In Review – 2011

Events Related

  • ICSJWG Debriefing
    The semi-annual Industrial Control System Joint Working Group Conference is traditionally the best place to catch up with everyone in the ICS Security community. DHS puts on a solid program, and there is a certain feeling you need to be here even though there have been few non-conference results from ICSJWG or its predecessor PCSF.

  • BeaCon – intrepidusgroup.com
    Last weekend Corey, Zach, and I went to BeaCon, organized by MassHackers. This was one of the most fun and interesting conferences I’ve been to this year, and I know other people there felt the same way. It was cool to talk in front of such an approachable and lively group of people and overall a great experience.

Resources

  • NSA publishes home networking security tips – terminal23.net
    The NSA has published a nifty Best Practices for Keeping Your Home Network Safe fact sheet. This is a pretty good document which mixes easy-to-understand concepts with some more challenging ones.
  • Economics of Information Security Paper reviews and Notes – irongeek.com
    Below are my write-ups and notes for the papers I’ve been reading in the “Economics of Information Security” class I’m enrolled in. I’m guessing most of my readers won’t get much out of them unless they have read, or plan to read, the same papers.  More to come as the class continues.
  • Matthieu Suiche Reveals His Process For Security Research – resources.infosecinstitute.com
    In our ongoing series of interviews, this week Matthieu Suiche answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.
  • Incident response Methodologies – cert.societegenerale.com
    CERT Societe Generale provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields on which a CERT team can be involved. One IRM exists for each security incident we’re used to dealing with.
  • Carolina Con video archive – blip.tv
    A comprehensive selection of lectures during the recent Carolina Con.
  • Hacking Exposed presentation and demo app – slaviks-blog.com
    Here is the presentation and demo application I’ve used for the hacking exposed webinar I did on April 14th. The download file includes an eclipse project and instructions under the “etc” folder.

Tools

  • SWFRETools: A Tool To Reverse Engineer SWF Files! – github.com/sporst/SWFRETools
    The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.
  • UPDATE: TheHarvester v2.0! – github.com/laramies/theHarvester/downloads
    theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers. This tool is intended to help penetration testers in the early stages of the project. It’s a really simple tool, but very effective.
  • UPDATE: Watcher V1.5.2! – websecuritytool.codeplex.com
    Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won’t damage production systems, it’s completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments.
  • UPDATE: Google Hack Database Tool v1.1! – secpoint.com/freetools/google-hack-db-tool-1.1
    Google Hack DB Tool is a database tool with almost 8,000 entries. It allows administrators the ability to check their site for vulnerabilities based on data stored in Google.
  • Automated Vulnerability Testing With winAUTOPWN – resources.infosecinstitute.com
    winAUTOPWN is a minimal Interactive Exploit Framework which acts as a frontend for quick systems vulnerability exploitation. It is a collection of remote exploits using which one can compromise vulnerable systems.
  • Metasploit Framework 3.7.0 Released! – blog.metasploit.com
    The Metasploit team has spent the last two months focused on one of the least-visible, but most important pieces of the Metasploit Framework: the session backend.
  • Junkie The Network Sniffer – blogs.rootshell.be
    As usual, there are a lot of open source solutions installed under the cover. They like free software and decided to release a core component developed by themselves: “Junkie”.
  • sslsnoop v0.6 – darknet.org.uk
    sslsnoop dumps live session keys from openssh and can also decrypt the traffic on the fly.
  • AMFShell: The Action Message Format Shell – github.com/georgehedfors/AMFShell/archives/master
    We know that Action Message Format (AMF) is a binary format used to serialize ActionScript objects. It is used primarily to exchange data between an Adobe Flash application and a remote service, usually over the internet.

Techniques

  • Buby Script Basics Part 1 – cktricky.blogspot.com
    For those of you who are new to Buby, it is a platform to write Ruby based extensions for the Burp Suite API and I’m going to attempt to cover some of the basics.
  • /bin/bash Phone Home – blog.rootshell.be
    I found UNIX a wonderful OS, whatever the flavors! I have used it for 17 years and almost every week, I learn new stuff. One of the particularities of UNIX is the way it communicates with devices.

Vulnerabilities

  • Skype 0day vulnerability discovered by Pure Hacking – purehacking.com
    About a month ago I was chatting on Skype to a colleague about a payload for one of our clients. Completely by accident, my payload executed in my colleague’s Skype client.
  • Vulnerabilities in ZyXEL’s ZyWall products – h-online.com
    The web-based user interface of the ZyWall range of products contains vulnerabilities that allow unauthorised attackers to obtain data and reconfigure devices. The ZyXEL USG 20, 20W, 50, 100, 200, 300, 1000, 1050 and 2000 appliances are affected.

Other News

  • RSA Among Dozens of Firms Breached By 0day Attacks – krebsonsecurity.com
    The hackers who broke into RSA appear to have leveraged some of the very same Web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA, new information suggests.
  • FBI says you’ve been visiting illegal websites? It’s a Malware attack! – nakedsecurity.sophos.com
    If you make the mistake of running the program in the attached ZIP file, you’ll find that your computer is hit with a fake anti-virus attack – designed to scare you into handing over your credit card details.
  • Multiplatform Java botnet spotted in the wild – net-security.org
    Cross-platform malware is still a rare occurrence, so when it’s detected, it usually attracts more attention than the malware engineered to affect only one particular platform.
  • Barracuda Networks Breached – acunetix.com
    Barracuda Networks admitted that they made several mistakes, the biggest of which was to unintentionally turn off their own firewall for a few hours. This was a golden window of opportunity which hackers pounced on and immediately exploited.
  • Microsoft, Juniper urged to patch dangerous IPv6 DoS hole – networkworld.com
    Security experts are urging Microsoft and Juniper to patch a year-old IPv6 vulnerability so dangerous it can freeze any Windows machine on a LAN in a matter of minutes.
  • Verizon DBIR (or, I told you so) – blog.uncommonsensesecurity.com
    I told you so.  For all the scary, uber-sophisticated attacks we run off to conferences to see, and all the amazing feats of exploitation we hear about, real-world compromises are most often exploiting basic failures in security.
  • How I Met Your Router – atenlabs.com
    I suppose you can call it “arriving late to the game” – I’ve only been on the full disclosure mailing list for something on the order of 6-8 months.
  • Crimeware Kit Emerges for Mac OS X – threatpost.com
    Crimeware kits have become a ubiquitous part of the malware scene in the last few years, but they have mainly been confined to the Windows platform. Now, reports are surfacing that the first such kit targeting Apple’s Mac OS X operating system has appeared.
  • Hacking to pwn a cop car – blogs.computerworld.com
    Penetration tester Kevin Finisterre has found all kinds of exploits and has been hired to hack all kinds of companies and peculiar devices. But after Finisterre was hired to pen test a city’s infrastructure, he discovered just how easily he could compromise a police cruiser’s computer gear.
  • Selective Attack With A Rogue GSM/GPRS base station – blog.taddong.com
    An attacker employing a rogue GSM/GPRS base station usually wants to compromise the communications of a particular user, while trying to generate the least possible activity for the rest of mobile users within his radio range. We call this a “selective attack”.
  • Marlinspike releases Android firewall – securecomputing.net.au
    The free software, dubbed WhisperMonitor, is a dynamic firewall and real-time connection monitor designed to restrict how sometimes-unruly Android apps handle user data.
