Week 10 in Review – 2012

Event Related

• CanSecWest
• CanSecWest evolving – blog.securiteam.com

  Let me say, right off the top, that I love CanSecWest. I am tired of “vendor” conferences, where you pay outrageous fees for the privilege of sitting through a bunch of sales pitches. At least CanSecWest has real information, as opposed to virtual information.

• CanSecWest Day 1 Pen testing, social authentication, APR and Duqu – nakedsecurity.sophos.com
  A wrap-up of the news and talks from CanSecWest 2012 in Vancouver. I highlight talks on pen testing, social authentication, vulnerability mitigation and the Duqu command and control servers.
• CanSecWest Day 2 Smartphones, mobile security, iOS 5 and NFC – nakedsecurity.sophos.com
  Day 2 at CanSecWest was dominated by mobile security talks. The highlights included anti-rooting technologies used in Android, iOS and a look at NFC enabled mobile phone security.
• Playing with Network Layers to Bypass Firewalls Filtering Policy – home.regit.org
  The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.
• RSA Conference
• B-Sides SF and RSAC 2012 Summary – rants.effu.se
  One of the consistent themes I heard from attendees of B-Sides SF and RSAC this year was “this was the best year yet!” That is a huge turn-around from the cynicism that was so prevalent last year.
• Invasion of the Risk Managers: Altering the Complexion of Security” – readwriteweb.com
  Article about the discussion panel on risk.

Resources

• M-Trends: The One Threat Report You Need to Read – blog.mandiant.com
  Today is a big day. If you’ve followed us for a while you know that once a year we step back and take stock of what we’ve seen on the front lines battling targeted attacks. What is the advanced persistent threat (APT) up to?

Tools

• TaskManager.xls V0.1.2 Update – blog.didierstevens.com
  This is a new version of TaskManager.xls with memory usage statistics, with code given to me by sciomathman.
• Zscaler tool can find unprotected embedded web servers – zdnet.com
  The web-based tool can scan IP ranges to find multi-function printers and photocopiers, VOIP devices and video-conferencing systems that are currently.
• Introducing Adobe SWF Investigator – adobe.com
  Today I am launching a beta of a tool on Adobe Labs called, Adobe SWF Investigator. This Adobe AIR-based application is a suite of tools that may be useful to SWF developers, quality engineers, and security researchers.
• Ettercap v0.7.4.1 Lazarus Released – ettercap.sourceforge.net
  Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
• Wireshark and Pcap-ng – blog.wireshark.org
  When Wireshark 1.8.0 is released in the next few months it will introduce two major features: the ability to capture from multiple interfaces at once and the ability to annotate packets.
• Mole v0.3 (2012-03-02) – themole.nasel.com.ar
  Command line sql injection tool
• WCE v1.3beta 32bit released – hexale.blogspot.com

  WCE v1.3beta 32bit released.

Techniques

• Testing the Security of Virtual Data Centers – community.rapid7.com
  If you are doing security assessments, you are probably running into virtual servers every day. According to analyst firm Gartner, 80% of companies now have a virtualization project or program. With the recent 4.2 release of Metasploit, your next penetration test should be much more fun.
• Why Security Assessments Must Cover IPv6, Even In IPv4 Networks – community.rapid7.com

  What’s your company doing to prepare for IPv6? Probably not an awful lot. While 10% of the world’s top websites now offer IPv6 services, most companies haven’t formulated an IPv6 strategy for the network.

• Foot printing – Finding your target… – sensepost.com
  Network foot printing is, perhaps, the first active step in the reconnaissance phase of an external network security engagement. This phase is often highly automated with little human interaction as the techniques appear, at first glance, to be easily applied in a general fashion across a broad range of targets.

Vulnerabilities

• Google Chrome Hacked
• Pwn2Own 2012: Google Chrome browser sandbox first to fall – zdnet.com

  Exploit writers at VUPEN take special pleasure in attacking Google’s Chrome browser, using a pair of zero-day flaws to defeat the browser.

• CanSecWest Pwnium: Google Chrome hacked with sandbox bypass – zdnet.com

  The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome.

• Chrome Finally Breached in Google’s $1 Million Hackathon– gizmodo.com

  Google recently offered up prizes totaling $1 million for those capable of exploiting its browser Chrome. Now, at Google’s own competition called Pwnium, a student has walked away with one of the top prizes, earning $60,000 by hacking a PC running Chrome.

• After the pwnage: Critical Google Chrome hole plugged in 24 hours – arstechnica.com

  Underscoring the nimbleness of Google’s patching cycle, Chrome developers fixed a complex series of bugs less than 24 hours after they were demoed at a hacker conference.

• Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest – wired.com

  A teenage hacker known as Pinkie Pie pokes a hole in Google’s Chrome browser, an unlikely winner who’s taking home $60K and a possible job at the search giant.

• How Google set a trap for Pwn2Own exploit team – zdnet.com

  Here’s the story of how a unique signature was used to figure out if exploit writers would take aim at the Flash Player plugin in Google Chrome

• Pwn2Own Hacking Contest
• Charlie Miller skipping Pwn2Own as new rules change hacking game – zdnet.com

  The annual Pwn2Own hacker contest kicks off today with new rules, controversy over disclosure and the absence of a regular participant.

• Pwn2Own 2012: IE 9 hacked with two 0day vulnerabilities – zdnet.com

  The code execution attack, which required no user action beyond browsing to a rigged web site, also works on Internet Explorer v10.

• How to Pwn the Pwn2Own Contest – wired.com

  Finding zero-day exploits to win a hacking contest can be really hard work these days. So sometimes the better strategy is just to game the game.

• The Ruby/GitHub hack: translated – erratasec.blogspot.com
  The underlying issue is an “Insecure Direct Object Reference”, #4 on the OWASP Top 10 list of most important web-application vulnerabilities. It means that that a hacker can change what’s in the website database without having permission.

Other News

• Uncle Sam: If It Ends in .Com, It’s Seizable – wired.com

  The U.S. government says it has the right to seize any .com, .net and .org domain name because the companies that have the contracts to administer them are based on United States soil, according to Nicole Navas, an Immigration and Customs Enforcement spokeswoman.

• Sabus sordid story detailed in FBI indictment – nakedsecurity.sophos.com

  Hector Xavier Monsegur may have portrayed the exploits of Anonymous and LulzSec as a glamorous fight against “the man”, but the dark criminal realities of their exploits were exposed in his indictment. It appears he wasn’t just in it for the lulz.

• Dropbox Abused by Spammers – symantec.com

  Recently we noticed spammers abusing Dropbox, a popular cloud-based, file-hosting and synchronization tool, to spread spam. Dropbox accounts have a public folder where files can be placed and made publicly available. This function is useful to spammers, as it effectively turns Dropbox into a free hosting site.