Week 36 In Review

Events Related

• Watch: An (Almost) Inside Look at China’s Top Information Security Forum – blogs.wsj.com
  Chinese computer-security researchers and professionals gathered in Beijing late last week for the 10th annual session of the country’s best-known information security conference, where presenters spoke on security threats and how they could be prevented.
• DefCon 19 Archive Page – twitter.com
  The DefCon 19 archives page is up! Slides posted…
• USENIX Security Symposium 2011 – dbusenix.org
  Video plugin download.
• BlackHat USA 2011: The Past And Future of SSL – youtube.com
  In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic.

Resources

• Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10 – irongeek.com
  What I’m attempting to do with Mutillidae is implement the OWASP Top 10 in PHP, and do it in such a way that it is easy to demonstrate common attacks to others. Feel free to use it in your own classes or videos, but if you do I’d love to hear about it.

Tools

• Building A Safer Web With ASafaWeb – troyhunt.com
  In case it’s not already pretty obvious by now, there are a bunch of websites out there which have some rather glaringly large vulnerabilities in them. Or at least they did have, then they were hacked in spectacular fashion and security suddenly became important to them. But of course we only hear about the big ones whilst hoards of smaller attacks go by unreported and very often, unnoticed.
• Cryptohaze Multiforcer 1.1 Released! – blog.cryptohaze.com
  The big news is LM support.  Close behind is a set of improvements for network support: You can now run the server as only a server (not doing any compute), the clients will now sit and wait for the server if it goes away, and the Windows client no longer crashes the server when it disconnects.
• UPDATE: OWASPBWA v0.94! – sourceforge.net/projects/owaspbwa/files/0.94
  Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost VMware Player and VMware Server products(along with their commercial products).
• UPDATE: SWFRETools v1.4.0! – github.com/sporst/SWFRETools/downloads
  The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of maliciousSWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.
• OWADE: The Offline Windows Analysis and Data Extraction Tool! – pentestit.com/2011/09/07/owade-offline-windows-analysis-data-extraction-tool/
  What really makes OWADE special is that it is dedicated to cloud forensics! We know that almost everything is moving to the cloud now. We have antiviruses in the cloud, e-mails in the cloud and all the services that existed singularly can now be hosted on the cloud. Hence, cloud forensics is something that we need to concentrate on now.
• Announcing Registry Decoder – dfsforensics.blogspot.com
  Digital Forensics Solutions is pleased to announce Registry Decoder, an open source tool that automates the acquisition, analysis, and reporting of Microsoft Windows registry contents. The tool was initially funded by the National Institute of Justice (NIJ) and is now ready for public release.  Please see our History Page for information about the project.
• FBPwn: A Cross-Platform Facebook Profile Dumper! – code.google.com/p/fbpwn/downloads/list
  It supports a lot of modules that can expand its current functionalities. It has a well documented Wiki page explaining the process of building a FBPwn module. Though it has a lot of available modules prebuilt for your use.
• Registry Decoder: Automated Acquisition, Analysis and Reporting of Registry Contents! – digitalforensicssolutions.com/registrydecoder/content/download
  Registry Decoder provides a single tool in which to perform browsing, searching, analysis, and reporting of registry hive contents. All functionality is exposed through an intuitive GUI interface and accommodates even novice investigators. Registry Decoder also acts as a great resource for new research and experimenting within the registry. We have recenlty written about a tool that deals with forensics in the cloud – OWADE.
• The THC Hydra page – thc.org
  A very fast network logon cracker which support many different services.Have a look at the feature sets and services coverage page – including a speed comparison against ncrack and medusa!

Techniques

• toolsmith: memory Analysis with DumpIT and Volatility – holisticinfosec.blogspot.com
  Two recent releases give cause for celebration and discussion in toolsmith. First, in July, Matthieu Suiche of MoonSols released DumpIt for general consumption, a “fusion of win32dd and win64dd in one executable.” Running DumpIt on the target system generates a copy of the physical memory in the current directory.
• Post Exploitation Command Lists – room362.com
  I’ve had a private list of commands that I run on Windows or Linux when I pop a shell, as I’m sure most pentesters do. It isn’t so much a thing of hoarding as much it is just jumbled notes that are ‘not worth posting.’
• Announcing Etherpeep – blog.pentestify.com
  It’s rough right now, but the concept is solid. This would make a good base for implementing etherape / p0f-like functionality in the framework. In short, load it up, run it & hosts you contact appear in your metasploit database.
• Typosquatters exploit misspelled variations of YouTube.com domain name – labs.m86security.com
  Here is a scenario that may sound familiar to you. You were in front of your computer one night and decided to watch some YouTube clips. So you opened your favourite browser and because you have clumsy fingers, instead of typing “YouTube.com” in the address bar you entered “YoutTube.com”.
• DEP Enforcing Shellcode – blog.didierstevens.com
  I developed shellcode that enforces permanent DEP when it is injected inside a process.
• Post Exploitation In Windows: From Local Admin to Domain Admin – pentestmonkey.net
  There are some excellent tools and techniques available to pentesters trying to convert their local admin rights into domain admin rights.  This page seeks to provide a reminder of some of the most common and useful techniques as well as rating their effectiveness to suggest which ones to try first.

Vendor/Software Patches

• Microsoft Handles DigiNotar Crisis
  Last week, We
  [Microsoft] released Security Advisory 2607712, notifying customers that fraudulent digital certificates had been issued by certificate authority DigiNotar. We’d like to follow up on that notification in this blog post by explaining more about the potential risks and actions you can take to protect yourself from any potential attacks that would leverage those fraudulent certificates.
• Protecting Yourself From Attacks That Leverage Fraudulent DigiNotar digital certificates – blogs.technet.com
• Microsoft flips killswitch on all Diginotar certificates – computerworld
• Microsoft Revokes Trust In Five Diginotar Root Certs – threatpost.com
• Microsoft Revokes DigiNotar certificates from Windows, Mac Users Still Vulnerable – nakedsecurity.sophos.com
• Apple Patch post-DigiNotar
  Apple released a patch to update their certificate trust policy affecting Mac OS X Server 10.6, Mac OS X 10.6, Lion Server, OS X Lion. Using fraudulent certificates operated by DigiNotar, an attacker with enough network privileges could intercept user credentials or sensitive information. Apple recommends applying security update 2011-005.
• Apple Certificate Trust Policy Update – isc.sans.edu
• Protecting Your Mac from the DigiNotar.nl Certificate Compromise – ps-enable.com
• Mac OS X can’t properly revoke dodgy digital certificates – computerworld.com
• Wireshark 1.4.9 and 1.6.2 Released – wireshark.org
  Wireshark 1.6.2 and 1.4.9 have been released. Installers for Windows, Mac OS X 10.5.5 and above (Intel and PPC), and source code are now available.

Other News

• The Great DigiNotar Security Certificate Hack
  On 29 August 2011 it became known that a fraudulent DigiNotar security certificate was issued for Google.com, as a result of an intrusion. DigiNotar is a Dutch company that issues – amongst others – SSL certificates. These certificates are used for the identification of websites and protection of internet communication.
• Factsheet: Fraudulently issued security certificate issued – govcert.nl
• Fraudulent DigiNotar Certificate image via Twitpic – twitter.com
• DigiNotar Hacked by Black.Spook and Iranian Hackers – f-secure.com
• Diginotar English Report from Fox-IT – rijksoverheid.nl
• Operation black Tulip: Fox-IT’s report On DigiNotar breach – nakedsecurity.sophos.com
• Comodohacker Returns in DigiNotar incident – news.cnet.com
• Comodohacker claims responsibility for DigiNotar attack – computerworld.com
• Comodohacker Claims Credit For DigiNotar Atack – threatpost.com
• Hackers Steel SSL Certificates For CIA,MI6, Mossad – computerworld.com
• Hackers Spied on 300,000 Iranians Using Fake Google Certificate – computerworld.com
• DigiNotar Breached due to disastrous security – h-online
• Ten Reasons The DigiNotar Breach Wil be Bigger Than Stuxnet – threatpost.com
• Audit Report Shows Many Cracks In DigiNotar Security – threatpost.com
• Pastebin Confessional By Comodohacker – pastebin.com
• Who do you trust to tell who you trust? – blog.agilebits.com
• Comodohacker takes credit for massive DigiNotar attack – darkreading.com
• DigiNotar response – terminal23.net
• Mozilla Asks Firefox CAs to Audit Security Systems in wake of DigiNotar Hack – threatpost.com
• GlobalSign investigation Continues, Some CA Services To Return Monday – threatpost.com
• DigiNotar Hacker Threatens To Expand Spy Attacks Using Stolen Certificates – computerworld.com
• Mozilla gets tough after digital certificate hacks – news.cnet.com

• The Net Must Fight Back To Regain Our Trust – news.cnet.com
  We’ve all heard about Trojan horse malware that poses as software you might want to run, phishing scams that send fake e-mail purporting to be from your bank, and identity thieves who can siphon away your money. But an unpleasant new variety of faith-undermining behavior has shown up twice now in recent months: bogus versions of the digital certificates that enable encrypted communications on the Net.
• Obama Administration Seeking Tougher Penalties For Cybercrimes Like Hacking – thehill.com
  The Obama administration is seeking tougher sentences for people who are found guilty of hacking or other digital offenses, two officials said Wednesday.  Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez said the maximum sentences for cyber crimes have failed to keep pace with the severity of the threats.
• Symantec: Cybercrime costs $114 billion a year – digitaltrends.com
  Symantec has released its Norton CyberCrime Report for 2011, and if you thought business was good for smartphone and mobile device makers…well, business appears to be good for cybercriminals too. According to Symantec, some 431 million adults worldwide were victims of cybercrime in the last year, with the total cost of those crimes amounting to some $114 billion.