Week 24 In Review

Events Related

• ENISA First 2011
  The European Network & Information Security Agency (ENISA) formed in 2004. The agency supports the commission and the EU member states in the area of information security. Facilitate the exchange of information between EU institutions, the public sector and the private sector.
  • Security Challenges for Future Systems – blog.c22.cc
  • #First2011-Remediating Compromised Environments – blog.c22.cc
  • Remediating Compromised Environments: Case studies from large and small environments – darknet.org.uk
  • #First2011-Funny Pharma: Inside the Web’s Leading Rogue Pharmacies – blog.c22.cc
• Workshop on Economics of Information Security (WEIS) 2011– schneier.com
  I’m at the Tenth Workshop on Economics of Information Security (WEIS 2011) , at George Mason University. Most of the papers are online, and Ross Anderson is liveblogging the talks.
• June 2011 OWASP Belgium Meeting Wrap Up – blog.rootshell.e
  Back from the latest OWASP Belgium Chapter meeting… Two speakers were scheduled tonight: Colin Watson presented the OWASP AppSensor project then Andreas Falkenberg talked about modern attacks against web services like Twitter. A last-minute guest joined us: Josh Corman who spoke about “rugged software“.

Resources

• Hack In The Box Amsterdam 2011 – professionalsecuritytesters.org
  Hack In The Box resource portal with download links for materials and photos.
• Most Common iPhone Passcodes – amitay.us
  In essence, this post is an homage to the well known Most Common Passwords on the Internet articles. Different articles pull from different sources, so naturally aren’t the same, but still demonstrate certain trends. Similar trends are evident in the data I present below.
• OWASP NYC Slides Posted – gdssecurity.com
  The discussion focused on identifying and exploiting Padding Oracles in custom web applications, and walked through specifics on how to use PadBuster in a variety of common scenarios. Hopefully those using PadBuster will find the second half of the deck a useful reference.
• OWASP AppSec EU 2011 – owasp.org
  Catalogue of AppSec presentations.
• Mona 1.0 Released! – corelan.be
  For anyone who missed my talks (either at AthCon or Hack In Paris), mona is the long awaited successor to pvefindaddr.  Named after my daughter (I’m sure she’s too young to hackinparis_IMG_8830realize or even care at this point), this Immunity Debugger PyCommands introduces a lot of improvements and new features compared to pvefindaddr.
• Welcome to WS-Attacks.org – clawslab.nds.rub.de
  WS-Attacks.org is not a new web service standard by the OASIS Group or W3C; instead it presents the flaws of today’s web service standards and implementations in regard to web service security! WS-Attacks.org aims at delivering the most comprehensive enumeration of all known web service attacks.

Tools

• UPDATE:The Sleuth Kit v3.2.2! – sourceforge.net/project/sleuthkit/files
  The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. It is a collection of open source file system forensics tools that allow one to view allocated and deleted data from NTFS, FAT, FFS, and EXT2FS images.  The Autopsy Forensic Browser provides a graphical interface to The Sleuth Kit.
• UDPATE: THC Hydra v6.4! – thc.org/releases/hydra-6.4-src.tar.gz
  THC-HYDRA is a very fast network logon cracker which support many different services. This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD and OSX.
• Introducing WPScan the WordPress Security Scanner – ethicalhack3r.co.uk
  WPScan is a black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use it to be for security professionals or WordPress administrators to asses the security posture of their WordPress installations. The code base is Open Source and licensed under the GPLv3.
• OWASP iGoat 1.o – owasp.blogspot.com
  The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting  them first.
• BodgeIt Vulnerable Web Application Platform – sectechno.com
  Legal hacking is possible as you can create a vulnerable platform to test any new vulnerability without breaking Lows. Person that is looking to test his skills without thinking about proxies or hide his activities and test new web exploits can consider BodgeIt. BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

Techniques

• OWASP Top 10 for .NET developers part 7: Insecure Cryptographic Storage –  troyhunt.com
  Cryptography is a fascinating component of computer systems. It’s one of those things which appears frequently (or at least should appear frequently), yet is often poorly understood and as a result, implemented badly.
• Analyzing the LulzSec Password Leak – rafekettler.com
  Maybe there’s something wrong with me, but when I first heard about LulzSec releasing 62,000 passwords, I was actually pretty excited. I’ve always wanted to a little analysis on a big leak like this, and now I finally get to do one.
• Sniffing using iptables – r00tsec.blogspot.com

Vulnerabilities

• Hacking Oracle Business Intelligence – dsecrg.blogspot.com
  Here I will show some vulnerabilities founded in Oracle BI and hoe they can be founded and how a different exploits can be written. It will be based on vulnerabilities that was patched in April CPU 2011 by Oracle. Interesting moment that founded PL/SQL vulnerabilities founded in programs that executed by privileged user but not a DBA directly so it is more interesting to find out a way to get access to whole system using those rights.
• Critical 0day Websphere exploit, 1/3rd of middleware in existence can now potentially be exploited! – 1337day.com

Vendor/Software Patches

• June 2011 Patch Tuesday
  Adobe has released its latest batch of quarterly security updates covering Flash, Shockwave, Reader, Acrobat, ColdFusion, LifeCycle and Blaze. Flash logoAfter only 9 days, another zero-day exploit has been fixed in Adobe Flash player.
  • 16 Bulletins, 9 Critical – nakedsecurity.sophos.com
  • Adobe patches, Reader, Flash and more – nakedsecurity.sophos.com
• Microsoft Patch Tuesday
  This security update resolves eight privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Microsoft Security Bulletin MS11-045-Important – microsoft.com
  • Microsoft Patches Fix 34 Security Flaws -krebsonsecurity.com

Other News

• The Great Citigroup Credit Card Hack
  Citigroup Inc said a cyber attack in May affected almost twice as many accounts as the bank’s figures had initially suggested, as major U.S. lenders come under growing pressure from lawmakers to improve account security.
  • Citi Says 360,000 accounts hacked in May cyber attacks –  reuters.com
  • Citi Credit Card Hack Bigger Than Originally Disclosed – wired.com

• Barr Unbowed (Interview with Aaron Barr) – threatpost.com
  Aaron Barr, the former CEO of security firm HBGary Federal, is one of those unlucky few. No fountain-flopper, Barr is a respected authority on computer security whose mistake was to openly speculate on the identities of members of the online hacking group Anonymous, then watch as events spun gruesomely out of his control.
• Foreign Government Allegedly Behind Cyberattack On IMF –  arstechnica.com
  The International Monetary Fund suffered a “major breach” earlier this year that allowed hackers to access a “large quantity” of data, staff and board members were told by e-mail last week.
• EU Ministers Seek To Ban Creation of ‘Hacking Tools’ – networkworld.com
  Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission’s text, the ministers extended the draft to include “the production and making available of tools for committing offenses”.
• Spear phishers sharpen skills, craft ‘incredible’ attacks, says experts – computerworld.com
  Recent break-ins at high-profile targets like the International Monetary Fund (IMF) demonstrate just how proficient hackers have become at “spear phishing,” researchers said today.
• Replacing RSA SecurID Security Tokens Not So Simple – darkreading.com
  Should all RSA SecurID customers take the company up on its new offer to swap out their authentication tokens as a precaution? Not so fast, security experts warn. While RSA says it will provide replacements for SecurID tokens to allay security concerns in the wake of its breach and the subsequent related breach at Defense contractor Lockheed Martin, the move might be only a temporary fix if the attackers who compromised RSA’s SecurID servers indeed got the seed files.
• The LulzSec manifesto – arstechnica.com
  LulzSec certainly has enemies. Gamers in particular have been agitated by the group’s attack on login servers for games like EVE Online. Angrier, perhaps, have been those whose e-mail, Facebook, and PayPal account passwords were leaked—and who then had to watch as Twittizens celebrated the sometimes-criminal misuse of those accounts.
• The Cloud-time for serious consideration-web services – shortinfosec.net
  In 2008 we published an article on cloud computing, which basically said, don’t turn off your local datacenter. To be very sincere, Shortinfosec was a little hypocritical in that article – since Shortinfosec was and is hosted in the cloud.