Event Related

  • Pwn2Own
    • Lesson From Pwn2Own: Focus On Exploitability – darkreading.com

      The Pwn2Own contest earlier this month at the CanSecWest Conference showed off the speed with which knowledgeable security professionals can code exploits for known vulnerabilities.

    • On the failings of Pwn2Own 2012 – scarybeastsecurity.blogspot.com

      This year’s Pwn2Own and Pwnium contests were interesting for many reasons. If you look at the results closely, there are many interesting observations and conclusions to be made.

  • Outerz0ne 2011 Hacker Con (Hacking Illustrated Series InfoSec Tutorial Videos) – irongeek.com

    The following are videos of the presentations from the Outerz0ne 2011 hacker conference. Thanks to Skydog, Robin, Scott, SomeNinjaMaster and the Hacker Consortium crew for the con. Also thanks to Seeblind and others for doing AV. I’m looking forward to Skydogcon and working with the guys again at Derbycon.

Resources

  • sqlitespy for Sqlite Database Analysis – blog.opensecurityresearch.com

    Sqlite is the ubiquitous database for iPad, iPhone and Android applications. It is also used by certain internet browsers, web application frameworks, and software products for their local storage needs. While doing penetration tests, we often see sensitive information like usernames, passwords, account numbers, SSN etc… insecurely stored in these databases. Thus, every penetration test requires comprehensive analysis of the local databases being used.

  • The mystery of Duqu: Part Ten – securelist.com

    There were virtually no traces of Duqu since then. But several days ago our colleagues in Symantec announced that they found a new “in-the-wild” driver that is very similar to known Duqu drivers. Previous modifications of Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.

  • Introduction to Microsoft PowerShell Basics of Running Cmdlets – darkoperator.com

    You will notice that for the PowerShell commands I use the word Cmdlet; that is how Microsoft calls and spells the word. In a PowerShell shell you can execute regular Windows commands in addition to the cmdlets, and most work without any problem. Some may experience problems depending on the parameters used, since PowerShell uses space as a delimiter, so do keep this in mind when you are running local exe files.

  • Skipfish Web Vulnerability Scanner – resources.infosecinstitute.com

    Web application security is a serious and an important topic to discuss nowadays, since hacking attacks are common. There are hundreds and thousands of tutorials available on blogs and forums that can help an attacker hack into a web application.

  • Praeda version 0.02.0b is now available for download – foofus.net

    Updated release of Praeda 0.02.0b can be downloaded from HERE. This release contains a few new modules and an update to the dispatcher, allowing NMAP .gnmap as target input.

Tools

  • OWASP Zaproxy
    • ZAProxy 1.4.alpha.1 update – code.google.com

      “The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. ZAProxy provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.”

    • OWASP Zaproxy v.1.3.4 released – code.google.com

      It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

  • OWTF 0.13 “Trooper” update – github.com

    The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused attempt to unite great tools and make penetration testing more efficient. The purpose of this tool is to automate the manual, uncreative part of penetration testing.

  • Spooftooph v0.5 Spoofing Bluetooth – hackfromacave.com

    Spooftooph is designed to automate spoofing or cloning Bluetooth device Name, Class, and Address. Cloning this information effectively allows a Bluetooth device to hide in plain sight. Bluetooth scanning software will only list one of the devices if more than one device in range shares the same device information when the devices are in Discoverable Mode (specifically the same Address).

  • Wireshark v1.6.6 Released – wireshark.org

    Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.

  • SSLCop v1.0 Blocking CAs Released – security-projects.com

    SSLCop is a hardening tool that can block those CAs you don’t need, based on their geographical origin. You can disable CAs sorted by country and leave only those which make sense to you.

  • Kautilya v0.2.0 payloads for Teensy Released – code.google.com

    Kautilya is a toolkit which provides various payloads for the Teensy device which may help in breaking into a computer. The toolkit is written in Ruby and currently contains all Windows payloads, written mostly in PowerShell.

  • Creepy version 0.2 – github.com

    Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.

  • OWASP iGoat 1.2 – owasp.blogspot.com

    FYI, we released iGoat version 1.2 today. The primary change over 1.1 is the addition of a new keychain exercise, contributed by a newcomer to the team, Mansi Sheth.

Techniques

  • iPhone
    • Here’s How Law Enforcement Cracks Your iPhone’s Security Code (Video) – forbes.com

      Set your iPhone to require a four-digit passcode, and it may keep your private information safe from the prying eyes of the taxi driver whose cab you forget it in. But if law enforcement is determined to see the data you’ve stored on your smartphone, those four digits will slow down the process of accessing it by less than two minutes.

    • iPhone passcode cracking is easier than you think – cnet.com

      A report came out last fall suggesting that repeating one number in the iPhone’s four-digit security PIN made for better protection than using all unique numbers. However, that little trick doesn’t seem to go very far with Micro Systemation, a Swedish security firm that helps police and military around the world crack digital security systems.

    • Reading iPhone Backups – securitylearn.wordpress.com

      When an iPhone is connected to a computer for the first time, iTunes automatically creates a subfolder with the device UDID as the folder name and takes a backup of everything available on the iPhone.

  • IPv6
    • Identifying IPv6 Security Risks in IPv4 Networks: Tools – community.rapid7.com

      This post details some of the tools used in my recent IPv6 security testing webcast. If you have any specific questions, please open a Discussion thread.

    • Finding v6 hosts by efficiently mapping ip6.arpa – 7bits.nl

      A technique for quickly finding existing reverse (PTR) entries in ip6.arpa-zones occurred to me recently. A cursory internet search reveals little about the subject, suggesting nobody else may have connected these dots before.
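The ip6.arpa walk described above, written out as an added example (this is not 7bits.nl's code). The idea is to treat the reverse zone as a 16-ary tree of nibble labels: ask for all 16 children of a name, prune every child that comes back NXDOMAIN, and descend into every child that comes back NOERROR with no answer (an empty non-terminal, which proves something exists below it). The `FakeZone` class is a constructed stand-in for a live server so the block runs offline; against real infrastructure you would replace its `query` method with a DNS library call and keep the same walk.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

HEX = "0123456789abcdef"
NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"
# A resolver is anything that maps a name to (rcode, PTR target or None).
Resolver = Callable[[str], Tuple[str, Optional[str]]]


def ip6_arpa_name(addr: str) -> str:
    """Full reverse name of an address: its 32 nibbles reversed under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def prefix_name(prefix: str) -> Tuple[str, int]:
    """Reverse-zone name of a nibble-aligned prefix, plus how many nibble
    labels still have to be walked below it to reach a host name."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix must be nibble-aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa.", (128 - net.prefixlen) // 4


def arpa_to_addr(name: str) -> str:
    """Inverse of ip6_arpa_name for a complete 32-label name."""
    labels = name[: -len(".ip6.arpa.")].split(".")
    hexstr = "".join(reversed(labels))
    return str(ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))


def walk_prefix(query: Resolver, prefix: str) -> List[Tuple[str, str]]:
    """Enumerate PTR records under a prefix without brute-forcing addresses.

    NXDOMAIN for a label means nothing exists below it, so that subtree is
    pruned. NOERROR without an answer is an empty non-terminal, so the walk
    descends. Only nibble paths that lead to a real record cost queries."""
    zone, levels = prefix_name(prefix)
    found: List[Tuple[str, str]] = []
    stack = [(zone, 0)]
    while stack:
        name, depth = stack.pop()
        for nib in HEX:
            child = nib + "." + name
            rcode, target = query(child)
            if rcode == NXDOMAIN:
                continue
            if depth + 1 == levels:            # full 32-nibble name: a host
                if target is not None:
                    found.append((arpa_to_addr(child), target))
            else:
                stack.append((child, depth + 1))
    return sorted(found, key=lambda hit: ipaddress.IPv6Address(hit[0]))


class FakeZone:
    """Constructed stand-in for a DNS server that implements empty
    non-terminals correctly (NOERROR/NODATA for names above a record)."""

    def __init__(self, ptrs: Dict[str, str]):
        self.records = {ip6_arpa_name(a): host for a, host in ptrs.items()}
        self.queries = 0

    def query(self, name: str) -> Tuple[str, Optional[str]]:
        self.queries += 1
        if name in self.records:
            return NOERROR, self.records[name]
        if any(r.endswith("." + name) for r in self.records):
            return NOERROR, None               # empty non-terminal
        return NXDOMAIN, None


# Constructed sample data: three hosts somewhere inside a /64.
SAMPLE_PTRS = {
    "2001:db8:1::1": "gw.example.net.",
    "2001:db8:1::53": "ns.example.net.",
    "2001:db8:1:0:211:22ff:fe33:4455": "host.example.net.",
}


def demo(prefix: str = "2001:db8:1::/64") -> Tuple[List[Tuple[str, str]], int]:
    zone = FakeZone(SAMPLE_PTRS)
    hits = walk_prefix(zone.query, prefix)
    return hits, zone.queries


if __name__ == "__main__":
    hits, n = demo()
    for addr, host in hits:
        print(f"{addr:40} {host}")
    print(f"{len(hits)} PTR records found with {n} queries; the /64 holds 2**64 addresses")
```

Three hosts in a /64 are found with 496 queries instead of 2**64, because every dead nibble is pruned after one question. The caveat a practitioner needs: some authoritative servers answer NXDOMAIN for empty non-terminals instead of NOERROR, which makes the walk prune a subtree that does contain records, so the result is a lower bound on what the zone holds, not proof of absence.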
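The two mobile items above, the sqlitespy note under Resources (sensitive data left in app SQLite databases) and the iPhone backup note (a per-device UDID folder holding the backed-up files), come together in one added example; it is not code from Open Security Research or securitylearn. One fact it relies on that the page does not state: iTunes names each file in the UDID folder by the SHA-1 of `<domain>-<path on device>`, so well-known databases such as `HomeDomain-Library/SMS/sms.db` sit at predictable names. Everything else is constructed for the example: the placeholder UDID, the `message` table and its rows, and the regexes for SSNs, e-mail addresses and card numbers (card candidates are Luhn-checked to cut false positives).

```python
import hashlib
import os
import re
import sqlite3
import tempfile
from typing import Dict, List, Tuple

# iTunes stores each backed-up file under SHA-1("<domain>-<path>"); these
# are the databases a pentester usually opens first (labels are ours).
KNOWN_FILES = {
    "HomeDomain-Library/SMS/sms.db": "sms",
    "HomeDomain-Library/AddressBook/AddressBook.sqlitedb": "contacts",
    "HomeDomain-Library/CallHistory/call_history.db": "calls",
}

# Constructed patterns for the kinds of data the pentest report cares about.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),   # 13-19 digits, optional separators
}

Finding = Tuple[str, str, str, str]   # table, column, kind, matched text


def backup_filename(domain_path: str) -> str:
    return hashlib.sha1(domain_path.encode("utf-8")).hexdigest()


def luhn_ok(candidate: str) -> bool:
    """Mod-10 check so that phone numbers and typos are not reported as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_sqlite(path: str) -> List[Finding]:
    """Open a database read-only (never modify evidence) and grep every
    text cell of every table against PATTERNS."""
    findings: List[Finding] = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, val in zip(cols, row):
                    if not isinstance(val, str):
                        continue
                    for kind, rx in PATTERNS.items():
                        for hit in rx.findall(val):
                            if kind == "card" and not luhn_ok(hit):
                                continue
                            findings.append((table, col, kind, hit))
    finally:
        con.close()
    return findings


def scan_backup(backup_dir: str) -> Dict[str, List[Finding]]:
    """Locate the known databases by their hashed names and scan each one."""
    results = {}
    for domain_path, label in KNOWN_FILES.items():
        path = os.path.join(backup_dir, backup_filename(domain_path))
        if os.path.isfile(path):
            results[label] = scan_sqlite(path)
    return results


def build_sample_backup(root: str) -> str:
    """Constructed stand-in for MobileSync/Backup/<UDID>/ holding one sms.db."""
    backup_dir = os.path.join(root, "0" * 40)        # placeholder UDID
    os.makedirs(backup_dir)
    con = sqlite3.connect(os.path.join(backup_dir, backup_filename("HomeDomain-Library/SMS/sms.db")))
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, text TEXT)")
    con.executemany("INSERT INTO message (address, text) VALUES (?, ?)", [
        ("+15550100123", "my ssn is 123-45-6789, please don't forward"),
        ("+15550100456", "card 4111 1111 1111 1111 exp 12/14"),
        ("+15550100789", "mistyped: 4111 1111 1111 1112"),
        ("alice@example.com", "see you at 8"),
    ])
    con.commit()
    con.close()
    return backup_dir


def demo() -> Dict[str, List[Finding]]:
    with tempfile.TemporaryDirectory() as root:
        return scan_backup(build_sample_backup(root))


if __name__ == "__main__":
    for label, hits in demo().items():
        for table, col, kind, text in hits:
            print(f"{label}: {table}.{col} [{kind}] {text}")
```

The same `scan_sqlite` works unchanged on databases pulled from an Android `/data/data/<package>/databases/` directory or a browser profile; only the file-location step is iTunes-specific. The mistyped card number in the sample is deliberately dropped by the Luhn check, which is the kind of filtering that keeps a findings table credible.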

Vendor/Software Patches

  • MS12-020
    • Understand MS12-020 – auntitled.blogspot.com

      I saw many misunderstandings about the MS12-020 bug. Here is my quick explanation (hope it is clear). There are 2 bugs for this bulletin. One is RCE (CVE-2012-0002). Another one is DoS (CVE-2012-0152). I use the diff result from the work of people in IRC (freenode#MS12-020) http://pastie.org/private/4egcqt9nucxnsiksudy5dw.

    • A Tool Exploiting MS12-020 Vulnerabilities – f-secure.com

      Since the public release of Microsoft’s MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called “RDPKill by: Mark DePalma” that was designed to kill a targeted RDP service.

  • DNS
    • DNS Changer – circleid.com

      One fine night in November 2011 I got an opportunity to get my hands dirty, working on a project for the United States Federal Bureau of Investigation (FBI). They were planning to seize a bunch of computing assets in New York City that were being used as part of a criminal empire that we called “DNS Changer” since that was the name of the software this gang used to infect a half million or so computers. I work for Internet Systems Consortium (ISC), a small non-profit company headquartered in California.

    • Weekly Metasploit Update: DNS payloads, Exploit-DB, and More – community.rapid7.com

      This week we’ve got a nifty new shellcode delivery scheme, we’ve normalized on Exploit-DB serial numbers, and a pile of new modules, so if you don’t have Metasploit yet, you can snag it here.

  • New Java Attack Rolled into Exploit Packs – krebsonsecurity.com

    If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.

  • New exploit uses old Office vulnerability for OS X malware delivery – reviews.cnet.com

    While this means of exploiting Mac systems via Microsoft Office is old and has been patched, this marks the first time Office documents have been used to exploit OS X systems.

Vulnerabilities

  • Microsoft
    • Microsoft Raids Tackle Internet Crime – nytimes.com

      Microsoft employees, accompanied by United States marshals, raided two nondescript office buildings in Pennsylvania and Illinois on Friday, aiming to disrupt one of the most pernicious forms of online crime today — botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers.

    • Microsoft Takes Down Dozens of Zeus, SpyEye Botnets – krebsonsecurity.com

      Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.

    • Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets – technet.com

      Cybercriminals have built hundreds of botnets using variants of Zeus malware. For this action – codenamed Operation b71 – we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages.

  • Credit Card Processor Breach
    • MasterCard, VISA Warn of Processor Breach – krebsonsecurity.com

      VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

    • Hackers Breach Credit Card Processor; 50K Cards Compromised – wired.com

      Global Payments Inc, an Atlanta-based processor, has been breached by hackers, leaving more than 50,000 card accounts potentially compromised.

  • Hackers steal passwords from military dating site – news.cnet.com

    Hackers broke into the database for a military dating Web site and stole passwords, e-mail addresses, and other information from nearly 171,000 accounts, according to a post on the Pastebin site this weekend.

  • Command Injection Attacks, Automated Password Guessing On The Rise – darkreading.com

    Spam and several of the most common vulnerabilities are on the decline, according to a report issued this week, but there has been a marked increase in new types of attacks, such as shell command injection and automated password guessing.

  • LulzSec hacks CSS Corp – zdnet.com

    LulzSec has hacked CSS Corp and released the company’s e-mail database to the public. The hacktivist group is also asking followers to join #LulzSecReborn on Anonymous’ IRC channel.

  • Critical Security Update for Adobe Flash Player – krebsonsecurity.com

    Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

Other News

  • China on Hacking
    • Inside a Commission Hearing on the Chinese Threat – taosecurity.blogspot.com

      This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China’s Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I’m seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey.

    • China Hacked RSA, U.S. Official Says – darkreading.com

      Until this week, no one has ever confirmed publicly what everyone has suspected all along: that China was behind the advanced attack against RSA’s SecurID systems last year. That was the revelation by the head of the U.S. Cyber Command in a Congressional hearing on Tuesday.

  • TSA asks congressional panel to uninvite critic Bruce Schneier – news.cnet.com

    Bruce Schneier, a vocal critic of security measures used by the Transportation Security Administration, was asked to testify before Congress about TSA’s security screening initiatives but then was “formally uninvited” after the agency complained.

  • NSA Chief: Agency Wants to Provide Malware Signatures, Not Enter Private Networks – wired.com

    The NSA continued to downplay its role in the cyberdefense of private networks when Gen. Keith Alexander told a Senate committee Tuesday that his intelligence agency absolutely did not want to be lurking in private networks monitoring data for threats.

  • Satellite-jamming becoming a big problem in the Middle East and North Africa – arstechnica.com

    The Arab Spring has had yet another consequence—satellite jamming, and the practice is serious enough to threaten the satellite operators’ business. Two operators, Arabsat and Nilesat, complained about the jamming in the Satellite 2012 Conference in Washington, D.C. last week, according to an article in Space News.

  • Draft EU Law Proposes 2 Year Minimum Sentence for Hackers – techweekeurope.co.uk

    The proposed directive, which was backed by 50 votes at the European Parliament’s Civil Liberties Committee compared to one against, would mean the UK would no longer rely on the Computer Misuse Act that currently has a maximum sentence of two years for a single breach of systems.

  • U.S. Outgunned in Hacker War – online.wsj.com

    The Federal Bureau of Investigation’s top cyber cop offered a grim appraisal of the nation’s efforts to keep computer hackers from plundering corporate data networks: “We’re not winning,” he said.

  • Richard Clarke on Who Was Behind the Stuxnet Attack – smithsonianmag.com

    America’s longtime counterterrorism czar warns that the cyberwars have already begun—and that we might be losing.

  • EU legislation – Digging below the FUD line – blog.c22.cc

    Yesterday I started to see some chatter on Twitter about new/updated EU legislation dealing with “cyber” attacks.