Week 23 In Review

Events Related

• Defcon 19  Quals
  For the third year, I competed with team Shellphish in the Defcon quals. We pulled through with some amazing points at the end to finish in 8th place. My successful contributions, however, were really only with respect to Forensics 100 and 300
  • Defcon 19 Quals Forensics 100 and Forensics 300 solution – bryceboe.com
  • Defcon 19 CTF Pre-Quals: Binary 100 Challenge – blog.securestate.com
  • Defcon 19 CTF Quals: Forensic – 300 – blog.securestate.com
  • Defcon CTF Quals 2011 – Retro 400 – leetmore.ctf.su
  • Defcon CTF Quals 2011 – Pwnables 400 – leetmore.ctf.su
  • GB200 writeup DEFCON CTF quals – nonroot.blogspot.com
  • Quals files collection – daxnitro.com/quals/
  • Defcon 19 Quals Write-up List – rogunix.com/defconquals19.html
  • Pwntent Pwnables 200 Writeup – auntitled.blogspot.com
  • Shell-Storm CTF resources – repo.shell-storm.org/CTF

Resources

• AppSecEU Presentations
  • Brad Arkin of Adobe Corp
  • David Stubley’s APT in a nutshell
  • Giles Hogben INISA
  • Arian Evans on Whitehat Security
• Wordlists from Sownage – l1pht.com
  Here are a few cleaned up wordlists from the sownage files.  There are more than a few throwaways in use here, but it still might be worth a run in a few specific situations.
• TDSS and hacking the hackers – blog.eset.com
  If you’ve been following the research we’ve been publishing (spearheaded by my Russian colleagues Aleksandr Matrosov and Eugene Rodionov) you’ll be aware that the TDL rootkit family doesn’t make use of OS’s own file system.

Tools

• Skipfish Update
  Skipfish is a fully automated, active web application security reconnaissance tool. Its key features: High speed, Ease of use, Cutting-edge security logic.
  • UPDATE: Skipfish-1.91b! – code.google.com/p/skipfish/downloads/list
  • UPDATE: Skipfish-1.92b! – code.google.com/skipfish/downloads/list
• UPDATE: Nmap 5.52.IPv6.Beta2! – nmap.org
  Nmap (“Network Mapper”) is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
• UPDATE: SWFRETools v1.2.0! – github.com/sporst/SWFREtools/downloads
  The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.
• UDPATE: ZAProxyv1.3.0! – code.google.com/zaproxy/downloads/list
  The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
• RADARE: Reverse engineering framework – radare.nopcode.org
  Opensource tools to disasm, debug, analyze and manipulate binary files. There are small tools also included for better deguging, graphs can be used to link and have a better idea over of the binary.
• Burpsuite free edition v1.4 released – blog.portswigger.net
  This is a major upgrade with numerous new features, including: The ability to compare site maps, functions to help with testing access controls using your browser,support for preset request macros, session handling rules to help you work with difficult situations etc.
• SecureState Releases New Tool  For Footprinting 802.1x Wireless Networks – blog.securestate.com
  Today, SecureState is releasing a new tool for footprinting 802.1x wireless networks called EAPeak. EAPeak is a Python powered script that is meant to parse useful pieces of information for a Security Assessment of wireless networks that use the Enterprise Authentication Protocol.

Techniques

• Defcon Obfuscation Technique
  Feds aren’t the only ones who are paying attention to the demonstrations at security conferences like Black Hat and DEFCON – the folks who actually don the black hats are, also.That point was driven home this week by Kaspersky Lab researcher Marta Janus, who blogged about an interesting new code obfuscation technique that she discovered while analyzing a Polish e-commerce Web site that had been compromised.
  • Hackers Pinch Obfuscation Technique From Defcon presentation – threatpost.com
  • Dangerous Whitespaces – securelist.com

• Using Nmap for Pentesting eDirectory – cqure.net
  While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I looked at eDirectory and while it’s a lot of LDAP, the servers were also running the Netware Core Protocol (NCP).

Vendor/Software Patches

• Microsoft Patch Tuesday (Tomorrow!)
  Microsoft has announced that it plans to release 16 security bulletins on Tuesday 14 June. The company rates nine of the bulletins as critical; the remaining seven are considered to be “Important”. According to Microsoft, the bulletins will patch a total of 34 vulnerabilities in its products.
  • Microsoft Many Critical Vulnerabilities on Patch Tuesday – h-online.com
  • June Advance Notification Service And 10 Immutable Laws Revisited – blogs.technet.com
• Flash Player Updates
  Adobe and VideoLAN have released security updates for some of their software programs today. Adobe released a new version of Adobe Flash Player which fixes a security vulnerability in the popular application.
  • Flash Player, VLC Security Updates Released – ghacks.net
  • Adobe Flash Player 10.3.181.22

• Wireshark 1.6.0 Released – wireshark.org
  Wireshark 1.6.0 has been released. Installers for Windows, Mac OS X 10.5.5 and above (Intel and PPC), and source code are now available. Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets. Large file (greater than 2 GB) support has been improved.

Other News

• RSA SecurID Revelation
  Lockheed Martin and RSA today each separately confirmed that the breach that compromised RSA’s SecurID authentication technology helped lead to the recent targeted attack aimed at the defense contractor.

• • RSA Offers SecurID Token Repalcement For Customers In Wake Of Lockheed Hack – darkreading.com
  • RSA Finally Comes Clean: SecurID is Compromised – arstechnica.com
  • Replacing RSA SecurID Tokens Not So Simple – darkreading.com
  • Security Alert: RSA Breach and 7 Ways To Secure Your Tokens – stateofsecurity.com
  • On The RSA SecurID Compromise – dankaminsky.com
  • @hdmoore RSA Twitter Update
• The Ocean Bank Trial
  A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.
  • Bank Not Responsible for Letting Hackers Steal $300K From Customer – wired.com
  • Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security – krebsonsecurity.com
• Java Patch Plugs 17 Security Holes – krebsonsecurity.com
  Oracle today released an update to its ubiquitous Java software that fixes at least 17 security vulnerabilities in the program. The company is advising users to apply this update as soon as possible; it looks like most — if not all — of the vulnerabilities addressed by this new version may be exploited remotely without authentication.
• IMF is victim of ‘sophisticated cyberattack’ says report – pcworld.com
  The scope of the attack remains unknown, according to the New York Times, which broke news of the incident Saturday. But it noted that the IMF, which helps manage financial crises around the world, is “the repository of highly confidential information about the fiscal condition of many nations.”