Week 20 In Review

Events Related

Resources

  • WhiteHat Security’s Approach to Detecting Cross-Site Request Forgery (CSRF) – blog.whitehatsec.com
    Cross-Site Request Forgery (CSRF) generates many questions from prospects, customers, partners, and Web application security professionals we work with. The questions tend to fall into similar categories, so we figured it would be helpful to summarize them and share our perspective on CSRF.
  • Kevin Finisterre Reveals His Process for Security Research – resources.infosecinstitute.com
    In our ongoing series of interviews, this week Kevin Finisterre answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.
  • Common Vulnerability Reporting Format (CVRF) is announced! – blog.iss.net
    We are very excited to see the public announcement of the Common Vulnerability Reporting Format (CVRF) by the Industry Consortium for the Advancement of Security on the Internet (ICASI). CVRF is an XML standard for publishing security vulnerability advisories.
  • Attacking and Defending Apple iOS Devices Presentation – spylogic.net
    Last week I spoke at the Central Ohio ISSA Conference about Attacking and Defending Apple iOS Devices. This talk was based on information gathered from several of the mobile pentests that I conducted at SecureState.

Tools

  • Microsoft EMET v2.1
    EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications. This helps prevent vulnerabilities in those applications (especially line-of-business and 3rd-party apps) from successfully being exploited.

  • BackTrack V5 Released – digitalbond.com
    BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.
  • UPDATE: Safe3 Sql Injector v.8.1 – sourceforge.net/projects/safe3se/files
    Safe3 is one of the most powerful and easy-to-use penetration testing tools that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
  • UPDATE: Google Hack Database Tool v1.2! – secpoint.com/freetools
    Google Hack DB Tool is a database tool with almost 8,000 entries. It allows administrators to check their site for vulnerabilities based on data stored in Google.
  • UPDATE: Microsoft Web Application Configuration Analyzer v2.0! – microsoft.com/downloads
    Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production and production servers. The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications.
  • Metasploit Framework 3.7.1 Released! – blog.metasploit.com
    We are happy to announce the immediate availability of version 3.7.1 of the Metasploit Framework, Metasploit Express, and Metasploit Pro. This is a relatively small release focused on bug fixes and performance improvements.
  • The DOMinator Project – blog.mindedsecurity.com
    DOMinator is a Firefox based software for analysis and identification of DOM Based Cross Site Scripting issues (DOMXss). It is the first runtime tool which can help security testers to identify DOMXss.
  • Nuf-fuzzer: A Browser Fuzzer Based On The Mangleme Fuzzer Concept – nuf-fuzzer.sourceforge.net
    We wrote about a similar tool – iExploder that was based on the mangleme fuzzing concept. mangleme helps you to automatically check for HTML parsing flaws. It generates a basic set of badly mangled tags on request, with auto-refresh back to the script, so that you can point a browser to it once, and let it run until it crashes.
  • AndroidAudittools: Dynamic Android Analysis tools – intrepidusgroup.com
    When taking the SANS reverse engineering malware class, the two analysis techniques taught are dynamic and static. These concepts/techniques are directly applicable to any sort of reverse engineering. When I am assessing, or pen-testing an application I usually separate my thought process into one of those two buckets.
  • Androguard – code.google.com/p/androguard/
    You can analyze, display, modify and save your apps easily and statically by creating your own software (by using the API), or by using the tool (androlyze) on the command line. This tool is useful when you would like to do reverse engineering on a specific application (e.g. malware).
  • Oracle Auditing Toolkit – blog.0x0lab.org
    The Oracle Auditing Toolkit can be used to audit security within Oracle database servers.

Techniques

  • Dumping Hashes On x64
    When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the “The parameter is incorrect” error in meterpreter. So I’ve had to fall back on dropping binaries which I really don’t like doing because of the added clean up and chance of getting ‘caught’. Well, with a bit of migration you’ll be back to passing the hash.

  • Buby Script Basics Part 6 – cktricky.blogspot.com
    The latest installment of the long running series.
  • JRuby+Buby+wXf = fun – cktricky.blogspot.com
    The Web Exploitation Framework has created two separate versions of the console. The version you get depends on the environment it is started in. If JRuby, as of now, you get a version of the framework that allows you to interact with Burp from the console and run Buby scripts (with the flexibility of changing options easily and quickly).
  • Hack Notes: Ropping Eggs for Breakfast – corelan.be
    I think we all agree that bypassing DEP (and ASLR) is no longer a luxury today. As operating systems (such as Windows 7) continue to gain popularity, exploit developers are forced to deal with increasingly more memory protection mechanisms, including DEP and ASLR. From a defense perspective, this is a good thing.
  • Attacking Web Servers Via .HTAccess – justanotherhacker.com
    A while back I was testing a CMS that had a curious feature: all uploaded files were placed in their own directory. This was not a security enhancement, as the application allowed php files to be uploaded. However, I couldn’t help asking, what if php uploads had been restricted? The answer was .htaccess files.
  • Herding Cats: Windows Object Access Analysis on a Budget – securitybraindump.blogspot.com
    I recently had to deal with a lot of archived Windows Security Logs (evtx files) spanning a fairly lengthy period of time. The evtx binary format was introduced with Windows Vista and can be found on all modern versions of Windows.

Vulnerabilities

  • Flash + 307 Redirect = Game Over – blog.whitehatsec.com
    The default CSRF prevention built into Rails has two components: (1) a custom HTTP header, and (2) a CSRF token in the POST body. The default was designed so that only one, rather than both, of the components was required in a request. Modern browser security typically makes this a fairly secure method, because JavaScript cannot create custom HTTP headers and then have them sent across domains.
  • Mutillidae: A Deliberately Vulnerable Set of PHP Scripts That Implement The OWASP Top 10 – irongeek.com
    What I’m attempting to do with Mutillidae is implement the OWASP Top 10 in PHP, and do it in such a way that it is easy to demonstrate common attacks to others. Feel free to use it in your own classes or videos, but if you do I’d love to hear about it.

Other News

  • New Version Of Alureon Ups the Ante On Encryption – threatpost.com
    A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems.
  • Something Old Is New Again: Mac RATS, CrimePacks, Sunspots, and Zeus Leaks – krebsonsecurity.com
    New and novel malware appears with enough regularity to keep security researchers and reporters on their toes. But, often enough, there are seemingly new perils that really are just old threats that have been repackaged, or stubbornly lingering reports that are suddenly discovered by a broader audience.
  • Former SF worker who hijacked network must pay city $1.5 million – sfexaminer.com
    A judge Tuesday ordered a former city worker who locked San Francisco out of its main computer network for 12 days in 2008 to pay nearly $1.5 million in restitution, prosecutors said.
  • Journalist Held Over Article On Hacking – brisbanetimes.com.au
    A Fairfax journalist was arrested by Queensland Police yesterday after an article he wrote about vulnerabilities in Facebook’s privacy controls was published on Fairfax websites. He was later released without charge, but police retained his iPad.
  • Point-of-Sale Skimmers: Robbed and Registered – krebsonsecurity.com
    Michael Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs.
  • Researcher Talk Pulled, When Will Siemens Talk? – digitalbond.com
    Yesterday Dillon Beresford cancelled his talk and demonstration titled Chain Reaction: Hacking SCADA at the Takedown event after a discussion with DHS and Siemens.