Week 42 In Review

• Analysis of 250,000 Hacker Conversations – net-security.org
  This forum is used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction. Commercially, this forum serves as a marketplace for selling of stolen data and attack software.
• Pentesting iPhone Applications – securitylearn.wordpress.com
  I have given a presentation on Pentesting iPhone Applications in c0c0n. This presentation mainly focuses on methodology, techniques and the tools that will help security testers while assessing the security of iPhone applications.
• Trustwave’s 2011 Global Security Report – trustwave.com
  Featuring analysis of more than 220 data breach investigations and more than 2,300 penetration tests conducted by Trustwave’s SpiderLabs, the Global Security Report 2011 identifies the top vulnerabilities business encountered in 2010 as well as a list of strategic initiatives to help your business improve its overall security. Download the report today!
• Dr. Charlie Miller Compares The Security of iOS and Android – accuvant.com
  I had the honor of talking to Dr. Charlie Miller, principal research consultant for Accuvant LABS, for a bit during DerbyCon about the security of mobile devices’ operating systems. Specifically, Dr. Miller articulated the differences between Apple’s iOS and the Android OS. Here are some of the highlights before you watch the video to get it directly from the good doctor himself.

Tools

• Heaplocker: Preventing Heapsprays – blog.didierstevens.com
  I’ve been using my HeapLocker tool for almost a year now, and I’ve encountered no issues, except for the NOP sled detection. When used with Adobe Reader, HeapLocker will generate too many false positives when looking for NOP sleds. So I’ve disabled NOP sled detection for Adobe Reader.
• LoadDLLViaAppInit 64-bit – blog.didierstevens.com
  Many of my security tools are DLLs. If you want to use these tools inside a 64-bit process, you’re stuck, because you can’t use 32-bit DLLs inside a 64-bit process (and vice versa).
• The Crudminer files – github.com
  The idea of CrudMiner came from having inherited a large webserver full of user-installed software. As it is nearly always the case, when clients are allowed to install their own software, they never actually bother to keep it patched and updated. I wrote CrudMiner with the sole task of looking for known-outdated web software and reporting it to me in a format that was easy to grok and process.
• Website v1.0beta automated web passive analysis – code.gogle.com/p/webfight
  I was on AppSec Latam 2011, and Wagner Elias released a tool named WebFight. This tool uses a log parser of Burp and perform a series of tests.
• RunInsideLimitedJob 64-bit – blog.didierstevens.com
  RunInsideLimitedJob is a tool to sandbox applications by containing their process inside a limited job object. There are 2 versions of my RunInsideLimitedJob tool: a .EXE and a .DLL.

Techniques

• Re-engineering Android Applications To Introduce Security Bugs – securityaegis.com
  This is an excellent example of how easy this is on Android. Download, patch, resubmit to market, pwn users.
• When Is Full packet Capture NOT Full Packet Capture – securityonion.blogspot.com
  I was looking at some packets recently and noticed the Wireshark message “Packet size limited during capture”.  This was strange since the packets came from a Sguil sensor performing full packet capture using Snort’s default snaplen on a standard Ethernet connection (no Jumbo frames and no VLAN tags).

Vendor/Software Patches

• Oracle Patch, Java Update
  Oracle on Tuesday plans to release patches for 56 new vulnerabilities in a huge number of its products through its scheduled quarterly critical patch update. The company said that the various vulnerabilities in this month’s CPU affect hundreds of Oracle products.
• Oracle To Release 56 Patches, Plus 20 More For Java In October CPU – threatpost.com
• Critical Java Update Fixes 20 Flaws – krebsonsecurity.com
• Oracle Java SE Critical Patch Update – isc.sans.edu
• Mobile Threats On The Desktop – blogs.technet.com
  The MMPC has been routinely monitoring threats (via the desktop) that affect different mobile platforms such as Symbian, Java ME, Android, RIM, iOS and Windows Mobile. One of the increasingly common ways we see mobile devices being compromised is by allowing the user to download and install applications independently. This is because the consumer cannot know if the app might be malicious, thus, protection from mobile threats on the desktop is vital.
• Adobe fixes Flash privacy panel so hackers can’t check you out – arstechnica.com
  Yesterday, Adobe made changes to a page on an Adobe website that controls Flash user’s security settings—or more specifically, to the Flash .SWF file embedded in the page that opens the Flash website privacy settings panel. The changes are intended to prevent a clickjacking attack that uses the file to activate and access users’ webcams and microphones to spy on them.

Vulnerabilities

• iOS5 Flaws
  As with the release of any new version of a major operating system, the security holes will be picked out as users get their hands on it and starting putting it through the paces. Apple’s newest iOS 5 is no different.
• iOS5 introduces security challenges and flaws – nakedsecurity.sophos.com
• Encryption, Passcode, & Physical Security Flaws Found in iOS5 – readwriteweb.com
• DNS Poisoning Via Port Exhaustion – blog.watchfire.com
  Today we are releasing a very interesting whitepaper which describes a DNS poisoning attack against stub resolvers.

Other News

• Duqu Son of Stuxnet
  A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
• Son of Stuxnet found in the wild on systems in Europe – wired.com
• Duqu, Son of Stuxnet, raises question of origin and intent – nakedsecurity.sophos.com
• Duqu FAQ – securelist.com
• Symantec, McAfee differ in Duqu Threat – infoworld.com
• iPhone spiPhone
  You sit down at your desk, set down your mobile phone, boot your computer and then start work. Would it occur to you that a hacker might be using your smartphone as a spying device to track what you were typing?
• iPhone hacked into spiSphone to eavesdrop and track what you type into a nearby PC – blogs.computerworld.com
• Researchers can keylog your PC using your iPhone’s accelerometer – arstechnica.com
• Statement Regarding Security Threat to JBoss Application Server – community.jboss.org
  Red Hat has become aware of a worm currently affecting unpatched or unsecured servers running JBoss Application Server and products based on it.  This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.
• Researcher Who Found Security Flaw Threatened By Firm He Was Trying To Help – nakedsecurity.sophos.com
  According to Gray’s account, First State Super threatened to track down the costs incurred “in dealing with this matter” if Webster does not agree to delete all information he obtained by demonstrating the flaw and promise to never attempt to access other member information again.
• Exclusive: Nasdaq Hackers Spied On Company Boards – reuters.com
  Hackers who infiltrated the Nasdaq’s computer systems last year installed malicious software that allowed them to spy on the directors of publicly held companies, according to two people familiar with an investigation into the matter.