Week 12 in Review – 2012

Event Related

• CanSecWest 2012
• Hardware Involved Software Attack – forristal.com
  Material for CanSecWest 2012 by Jeff Forristral

• Vulnerability analysis, practical data flow analysis and visualization – blogs.technet.com
  Recently at CanSecWest 2012, we presented on the technology we use for analyzing malicious samples and PoC files. As malware often actively attempts to exploit software vulnerabilities these days, understanding the internals of these vulnerabilities is essential when writing defense logic.
• Top 5 Things Learned at the SANS Mobile Device Security Summit – blog.securestate.com
  This is a quick post about the SANS Mobile Device Security Summit that I participated in last week. I presented the latest version of my ever evolving “Attacking and Defending Apple iOS Devices” presentation.

Resources

• 2012 Verizon Data Breach Investigation Report (DBIR)
• How to Read and Act on the 2012 Verizon Data Breach Investigations Report (DBIR) – securosis.com
  Verizon just published their excellent 2012 Data Breach Investigations Report, and as usual, it’s full of statistical goodness.
• Verizon Business Security Blog Blog Archive 2012 Data Breach Investigations Report Released – verizonbusiness.com
  It’s hard to believe, but it’s time again for another installment of Verizon’s annual Data Breach Investigations Report. This year’s report represents our largest dataset ever, with 855 confirmed security breaches accounting for a combined 174 million compromised records.
• How to Win CCDC -Slides – room362.com
  Since this is a constantly updating slide deck I figured I’d post it here so I didn’t have to keep emailing it out. If you have comments or if something is wrong grammatically, technically or in any other way I’d love input. Suggestions also welcome.
• ROP and deROP – marcoramilli.blogspot.com
  Many different researches put theirs efforts in finding a good ways to fight ROP malware, for example Davi et Al. And Chen et Al. Implemented a threshold system able to count how many buckets of instruction followed by RETN are present in a executable, once the threshold is reached the security mechanism alerts the user about that.
• CVSS – Common Vulnerability Scoring System – a critique
  [ Part1 ] – blog.zoller.lu
  Ever since I started my career in information security I was both interested and intrigued by metrics applied to vulnerabilities (or metrics in general for that matter). CVSS is certainly not new and I had to make the choice whether to use it or not in the past and I always wanted to share some issues I had with it. This blog post laid dormant in DRAFT state since 8 months and I decided to publish it in parts rather than wait another year to finish it.
• Is Threat Modeling Overrated ? – curphey.com
  I few weeks ago I posted “Is Threat Modeling Overrated? I think so….” on Twitter. It was piggybacking on this blog post and my bait was a combination of a few glasses of red wine (aka “Dutch courage”) and less than 140 chars of expressiveness but I have come to think that despite the potential high value in analyzing an applications architecture from a security view point that threat modeling as generally practiced is not delivering on it’s potential.
• Protecting Privileged Domain Accounts: Safeguarding Access Tokens – computer-forensics.sans.org
  This is the 4th in a multi-part series on the topic of “Protecting Privileged Domain Accounts”. My primary goal is to help incident responders protect their privileged accounts when interacting with comprised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.

Tools

• Smart Scapy By Lacofa – r00tsec.blogspot.com
  There are many areas on which they work from a security point of view, one of them are the tests carried out on these devices that manage information. Generally speaking, we can say that devices include a protocol stack, such as TCP/IP.
• Mercury – labs.mwrinfosecurity.com
  Droid’s first assessment framework of its kind. A free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android.

Techniques

• Top 10 Oracle Steps to a Secure Oracle Database Server – blog.opensecurityresearch.com
  There are numerous resources on the Internet that detail secure configurations for Oracle; CISecurity, NIST, SANS, and Oracle just to name a few. Despite this, however, Foundstone continues to encounter vulnerable Oracle databases in our internal and external penetration tests. More often than not, we consultants are able to leverage the vulnerable Oracle databases to compromise additional hosts.
• Creating WMI Filters and GPOs with PowerShell – darkoperator.com
  In my last 2 blog post I covered the creation of group policy objects for distributing certificates to all computers in a domain and enable Network Level Authentication on them plus also covered how to create and use WMI filters to specify which machines a Group Policy Object should apply to.
• Blog Archive windows privilege escalation via weak service permissions – travisaltman.com
  When performing security testing on a Windows environment, or any environment for that matter, one of the things you’ll need to check is if you can escalate your privileges from a low privilege user to a high privileged user.

Vendor/Software Patches

• An interesting case of JRE sandbox breach (CVE-2012-0507) – blogs.technet.com
  The Microsoft Malware Protection Center Blog provides information on viruses, worms and other malware and spyware and explains how Microsoft antivirus products help protect your computer
• Piecing the malware puzzle – Exploring a spike in exploit activity – technet.com
  The Microsoft Malware Protection Center Blog provides information on viruses, worms and other malware and spyware and explains how Microsoft antivirus products help protect your computer.
• Joomla! 2.5 update fixes security vulnerabilities – h-online.com
  Version 2.5.3 of the open source content management system closes two "High Priority" security holes that could have been exploited by an attacker to gain escalated privileges or change a user’s password.

Vulnerabilities

• Java-based Web attack installs hard-to-detect malware in RAM – computerworld.com
  A hard-to-detect piece of malware that doesn’t create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to security researchers from antivirus firm Kaspersky Lab.
• FreePBX Exploit Phone Home – offensive-security.com
  During a routine scan of new vulnerability reports for the Exploit Database, we came across a single post in full disclosure by Martin Tschirsich, about a Remote Code Execution vulnerability in FreePBX.

Other News

• The Hackers
• Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees) – forbes.com
  Chaouki Bekrar (center) and Vupen's team of hackers at the Pwn2Own hackathon in Vancouver in March. (Photo credit: Ryan Naraine) This story appears in the April 9th issue of Forbes magazine. At a Google-run competition in ­Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice.
• Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits – forbes.com
  A clever hacker today has to make tough choices. Find a previously unknown method for dismantling the defenses of a device like an iPhone or iPad, for instance, and you can report it to Apple and present it at a security conference to win fame and lucrative consulting gigs.
• DuQu Mystery Language Solved With the Help of Crowdsourcing – wired.com
  A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.
• EFF Says Cyber Security Bills Open Door To Government, Corporate Abuse – threatpost.com
  The Electronic Frontier Foundation (EFF) is sounding alarms about a collection of overly vague cyber-security bills making their way through Congress.
• 63% of website owners don’t know how they were hacked – zdnet.com
  It’s bad enough when your website is hacked, but it’s even worse when you don’t know how it happened. It turns out only some website owners have an idea how their sites were compromised.