Events Related

  • RuxCon Presentation Materials Archive – ruxcon.org.au
  • BlackHat Abu Dhabi 2011 – tmacuk.co.uk
    I am going to keep this short, but I met a lot of new people, a lot of people I had spoken to over the phone but never seen face to face and people that I knew over Twitter. This, in my eyes, is what these conferences are about – and the networking breaks that were provided were great for this.

Resources

  • Cisco releases 2011 Annual Security Report – blogs.cisco.com
    Organizations are faced with providing security for employees that are rapidly adopting new technology in their personal and professional lives and expect their work environments and employers to do the same. As the data from the new Cisco 2011 Annual Security Report and the Cisco Connected World Technology Report Chapter 3 show, organizations that do not or cannot provide that type of environment are at risk of losing the ability to compete for those employees and business opportunities.
  • Adam Shostack on the methods of Compromise, the New School and Learning – threatpost.com
    Dennis Fisher talks with Adam Shostack of Microsoft about the taxonomy he helped develop for classifying how PCs are compromised, what he would and wouldn’t change in The New School of Information Security and who he’s learned the most from.
  • Carrier IQ Report – carrieriq.com
    Yesterday Carrier IQ released a report (PDF) which tries to answer some questions about how their system operates. Also, after reports of the FBI using Carrier IQ data, the company responded by saying, ‘Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators.’
  • From ROP to JOP – marcoramilli.blogspot.com
    Researchers from North Carolina State University and National University of Singapore presented an interesting paper to ASIACCS11 titled: “Jump-Oriented Programming: A New Class of Code-Reuse Attack”.
  • Google Safe Browsing v2 Lookup libraries for Perl, Python and Ruby – research.zscaler.com
    Last week, I mentioned that the Google Safe Browsing API has migrated to version 2. The new protocol is much more complex than version 1 and there are only a few libraries available for version 2 (see the full list in the previous post). Some popular languages, like Ruby, don’t have any implementation at all.
  • GlobalSign Security Incident Report – globalsign.co.uk
    Following recent events which have affected GlobalSign and the industry as a whole, we would like to take this opportunity to inform you that our investigations are now complete.

Tools

  • Exploit Pack Security Tool – exploitpack.com
Exploit Pack is an open source security tool that comes to fill a need: a framework for exploit writers and security researchers, with a GPL license and Python as the engine for its modules. It is also based on Java and SWT to be truly cross-platform. The GPL license is used for the entire project and thus ensures the code will always be free.
  • DNS Brute Force – blog.0x0lab.org
    This python program, bfdomain.py, was written to identify valid hosts of a domain that deny zone transfers.
  • UPDATE: wavsep v1.1.0! – code.google.com/p/wavsep/downloads/list
Wavsep, the Web Application Vulnerability Scanner Evaluation Project, is a vulnerable web application designed to help assess the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.

Techniques

  • Guide To Dumping Windows Password Hashes
Generally, dumping operating system users’ password hashes is a common action following a compromise of a machine: getting access to the password hashes might open the doors to a variety of attacks including, but not limited to, authenticating with the hash over SMB to other systems where passwords are reused, password policy analysis and pattern recognition, password cracking, etc.
  • WireShark and SMB2
Although Wireshark does not have a nice feature to export SMB2 objects, you can extract transferred files from the capture files. In this article I will show you how to extract small files, a PDF and an EXE, from Wireshark capture files.
  • rrhunter: Detecting Rogue IPv6 Routers – blog.rootshell.be
It’s a fact: IPv6 deployments are on the rise. We are close to the end of 2011 and this year was really some kind of a kick-off year to deploy the new protocol or to make live tests. I won’t come back on all the new features implemented in the sixth version of our beloved protocol, but one of them is interesting amongst the others: the auto-discovery. Of course, it was already possible to let IPv4 hosts configure themselves via DHCP, but here it’s directly integrated in the stack.
  • Not Owning that ColdFusion Server but Helping… – carnal0wnage.attackresearch.com
    I thought I’d add to the conversation with some stuff I found doing CF research. The code he wrote and the metasploit module works great if things are in their default locations. Of course, this will never be the case when you are on a PT and need to break into that mofro.
  • Evading Content Security Policy With CRLF Injection – blog.opensecurityresearch.com
    Content Security Policy (CSP) was developed with the aim of reducing content injection attacks like Cross Site Scripting. CSP allows the developers to specify the permitted content sources for their web applications and relies on HTTP response headers to enforce content restrictions.
  • Using Pastebin For Malicious Sample Collection – dvlabs.tippingpoint.com
    Services like Malware Domain List, Virus Watch and MalC0de are great for finding URLs of malicious content that may be interesting to collect and they provide us with a great deal of information that we use for further analysis. There are times when I am looking for specific samples and these services can’t be used, that’s when I turn to Pastebin.
  • Inside Adobe Reader Zero-Day Exploit – blogs.mcafee.com
    As online shoppers rush to buy presents in the run up to Christmas, security researchers have put out a warning to beware of “typosquatters,” who prey on cack-handed typists that misspell domain and website names.
  • MiTM and certificate setup on Android 4.0 – intrepidusgroup.com
The Nexus Galaxy and Android’s Ice Cream Sandwich (ICS) are finally here. If you’ve done Android application testing in the past, you’ve probably tried to install your own Certificate Authority (CA) cert onto an Android device or emulator. This process was somewhat painful and required root level access on physical devices. We have an old blog post here on that process, but that all changes now with ICS.
  • Injecting Payloads Into Memory with Meterpreter – darkoperator.com
    Recently at Derbycon 2010 I had a chance to see Egyp7 (James Lee) from the metasploit project do some demos for students of his Metasploit class and I saw he was using the multimeterinject script I wrote to create a secondary shell in case the main one died.
  • Intro To JavaScript Malware Analysis – h-i-r.net
    I am by no means an expert on this stuff. A few weeks ago, I ran across some suspicious links in spam and decided to see where they led. Some of them claimed to be from financial institutions that I have absolutely no connection to, and claimed that some transaction had failed to occur.

Vendor/Software Patches

Vulnerabilities

  • Hack to get free WiFi on Virgin America flights exploiting Chrome Book promo (Save $12.95) – comicmac.com
So I’m currently a couple thousand feet up in the air on a Virgin America flight to San Francisco from Boston, and Google are doing this cool thing where they loan you a Chrome Book for the flight. As part of this, you get free wifi on the Chrome Book, whilst on any other device you need to pay like $12.95. I figured out that by faking the User Agent to be that of the Chrome Book, you can get free wifi.

Other News

  • Typosquatting Crash Course
A Naked Security reader recently asked us to investigate the scale and the risk of typosquatting, after she accidentally put herself in harm’s way by mistyping a popular URL. She meant to visit posterous.com, but typed the linguistically-similar posterious.com by mistake. She was immediately and automatically deviated to a site which was blocked by Sophos Endpoint Security because it contained malware. Indeed, posterious.com redirects at the whim of its operator, taking you to different sites each time you visit.
  • China-Based Hacking of 760 Companies Shows Cyber-Based Cold War – bloomberg.com
    Google Inc. (GOOG) and Intel Corp. (INTC) were logical targets for China-based hackers, given the solid-gold intellectual property data stored in their computers. An attack by cyber spies on iBahn, a provider of Internet services to hotels, takes some explaining.