Event Related

  • A cyber weapon – alexmgeorge.wordpress.com
    At RSA 2012 Dave Aitel made a presentation wherein he defined cyber weapons a bit outside of how people normally think. The tried and true metaphor (which I admit to using) is that exploits or frameworks are like guns, and if they’re like guns then it’s easy to classify them as ‘cyber weapons’. There has been some recent criticism of this idea which I think is well deserved.
  • Adventures in Domain Takedowns – vrt-blog.snort.org
    I gave a presentation entitled “Adventures in Domain Takedowns” recently at the APCERT 2012 conference in Bali, Indonesia. The conference itself was excellent – plenty of good technical material and lots of useful contacts – and the location, of course, couldn’t have been better.
  • 2012 Verizon DBIR Cover Challenge – darthnull.org
    Every year, the Verizon Business Risk Team publishes a Data Breach Investigations Report (DBIR), analyzing trends and other great statistical information gathered from working hundreds of different, well, data breaches.
  • Written Speech: TEDxMaui — Hack Yourself First – jeremiahgrossman.blogspot.com
    Earlier this year I was fortunate enough to give a presentation at TEDxMaui. Previously I discussed what getting the opportunity was like and the overall experience of being on stage — nothing short of amazing — life changing.

Resources

  • Why Do Hackers Want Facebook Data
    • Part I – blog.imperva.com
      Late in 2011, Max Schrems asked Facebook for a profile the social networking company assembled based on his posts, likes and friends. Max received a 1200 page PDF file with lots of personal details.
    • Part II – blog.imperva.com
      In the first of this two-part series, we showed how Facebook profile data is very attractive to different kinds of hackers. But how do hackers gain this information?
  • Introduction to Microsoft PowerShell – Working with PSDrives and Items – darkoperator.com
    PowerShell provides many ways to work with files and with other sorts of structured data it treats as files. Typically, as shown before, we can use the same commands as in cmd.exe, but the parameters change; we can also call many of them using the names of commands found in Unix-type systems. These are aliases for PowerShell cmdlets, provided to make the transition to PowerShell easier for administrators.
  • Captcha Intruder – cintruder.sourceforge.net
    Captcha Intruder is an automatic pentesting tool to bypass captchas.
  • Introduction to Windows Dictionary Attacks – netspi.com
    Based on my experience, nine out of ten environments will have at least one account configured with a weak or default password. Those weak configurations usually lead to the compromise of the entire Windows Domain, so it is important to understand how to audit for them.
  • Slides from my “5 Lessons Learned From Breaking Into A Casino” Webcast – spylogic.net
    For those of you that attended the webcast yesterday (and those who didn’t) I’ve uploaded my slides to my SlideShare page. Thanks to my co-presenters Richard Stiennon and Kevin Henry for presenting some great content with me! If you’re interested Richard has posted his slides to SlideShare as well.
  • Vulnerability Severity Using CVSS – cert.org
    If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you’ve come across the Common Vulnerability Scoring System (CVSS). I’m happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics.
  • Slides for Presentation on Real-World Social Engineering Attacks – blog.zeltser.com
    I published the slides to my presentation “How attackers use social engineering to bypass your defenses,” which shows numerous examples of real-world social engineering examples.
  • Practical Malware Analysis Review – em386.blogspot.com
    I recently finished my review copy of ‘Practical Malware Analysis’. I enjoyed this book for a few reasons. Each chapter concludes with some simple questions/labs to test your knowledge and give you a chance at some hands on experience related to the content you just read.
  • Zero-Permission Android Applications – leviathansecurity.com
    There’s been a lot of research in the Android security space. The most notable examples are Jon Oberheide’s fake Twilight app, Georgia Weidman’s SMS bot, and the numerous clever root exploits. Recently in the mainstream media, there’s been buzz about apps (allegedly) misusing permissions; some of these apps include Facebook, Skype, Path, and just about every advertisement library.
  • HITB Magazine Issue 008 – magazine.hitb.org
    The HITB (aka Hack In The Box) Magazine is a deep-knowledge technical magazine. For the quarterly magazine, articles that are more technical or that discuss new, never-before-seen attack methods are of more interest than a subject that has been covered several times before.
  • Phrack Issues – phrack.org
  • Microsoft EMET in The Enterprise – recxltd.blogspot.co.uk
    It’s Friday, so it’s time to take a step back from the low-level and have another post on the practical steps organisations can take at little cost. Before we begin it’s probably useful to outline some of the realities of business when it comes to desktop and server security.

Tools

  • OWASP
  • Flashback Removal Tool
  • RitX Reverse Ip Lookup Tool v1.5 released – code.google.com
    RitX is a Reverse IP Lookup Tool that allows you to use an IP address or domain name to identify all domains currently hosted on a server, using multiple services and various techniques.
    RitX is a Perl script which uses multiple web services that provide this feature.
  • web-sorrow – Remote Web Security Scanner (Enumeration/Version Detection etc) – darknet.org.uk
    web-sorrow is a Perl-based tool used for checking a Web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework.

Techniques

  • Mallory MiTM Proxy as a Wireless Access Point (Part 2 of 2) – pentesterconfessions.blogspot.com
    In Part 1 we got a Virtual Machine partially running as a wireless access point using Virtual Box, Ubuntu, hostapd, and an Alfa wifi card. In this post we will fully configure the AP and install/configure Mallory to MiTM anything that connects to the virtual Wireless Access Point.
  • Applying Security Intelligence to Patch Management – blog.coresecurity.com
    Last week as Patch Tuesday (which was today) approached, I wondered about the efforts of admins everywhere to understand, test and then apply those patches that are applicable for their environment.
  • An Ethical Hacker’s View on Mobile Malware and How to Stop it – cio.com
    As our mobile handsets become more than just a way to make and receive phone calls their appeal to criminals increases. Mobile malware, once theoretical, is now very much a reality and a growing threat.
  • How to Find and Remove Mac Flashback Infections – krebsonsecurity.com
    A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems.
  • PPTP VPN and policy routing on user – blog.stalkr.net
    The first part of this post describes how to use PPTP VPN on Linux, in command-line and not GUI. The second part, actually independent of VPN, describes how to set up policy routing for a user, in order to have all traffic from that user to go through a specific interface (e.g. the VPN interface).
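    The second part of that post, per-user policy routing, in shell, as an added example rather than the script from the stalkr.net post. It assumes a hypothetical uid 1001, VPN interface ppp0, routing table 100 and fwmark 0x1, and it goes one step beyond the excerpt by also rejecting the user's traffic whenever it is about to leave on any interface other than the VPN one, so a dropped tunnel does not silently leak that user's packets onto the LAN interface:

```shell
#!/bin/sh
# Per-user policy routing on Linux: every packet generated by one uid is
# steered out of a single interface (the VPN), and rejected if it would leave
# any other way. Added example; not the script from the original post.
# Hypothetical defaults: uid 1001, interface ppp0, routing table 100, fwmark
# 0x1. Applying needs root, iproute2 and iptables; by default the plan is only
# printed, set APPLY=1 to execute it.
set -eu

APPLY="${APPLY:-0}"

# run CMD...: print the command, or execute it when APPLY=1.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# user_routing UID IFACE TABLE MARK
user_routing() {
    uid=$1; iface=$2; table=$3; mark=$4

    # 1. Tag locally generated packets owned by the uid. The kernel repeats the
    #    route lookup after mangle/OUTPUT when the mark changed, so the tag is
    #    enough to steer the packet into the policy table below.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" -j MARK --set-mark "$mark"

    # 2. Marked packets consult a dedicated table whose only default route is
    #    the VPN interface; the rule is consulted before the main table.
    run ip rule add fwmark "$mark" lookup "$table" pref 100
    run ip route add default dev "$iface" table "$table"

    # 3. Sockets choose their source address before the mark is applied, so a
    #    packet may still carry the LAN address; rewrite it on the way out.
    run iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE

    # 4. Fail closed: when the interface goes down the kernel drops its routes
    #    and the lookup would fall through to the main table. Allow loopback,
    #    then reject anything from this uid not leaving on the VPN interface.
    run iptables -A OUTPUT -m owner --uid-owner "$uid" -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$uid" ! -o "$iface" -j REJECT --reject-with icmp-admin-prohibited
}

user_routing "${1:-1001}" "${2:-ppp0}" "${3:-100}" "${4:-0x1}"
```

Run it once without APPLY to review the six commands it would issue, then with `APPLY=1` as root. The rules cover IPv4 only; a host with IPv6 connectivity needs the same mark, `ip -6 rule`/`ip -6 route` and ip6tables rules, or the user's IPv6 traffic bypasses the tunnel.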

Vendor/Software Patches

  • Microsoft Security Bulletin
    • Microsoft Security Bulletin MS11-100-Critical – technet.microsoft.com
      This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site.
    • Assessing risk for the April 2012 security updates – blogs.technet.com
      Today we released 6 security bulletins. Four have a maximum severity rating of Critical with the other two addressing Important class vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
    • MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents – blogs.technet.com
      Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office.
    • MS12-025 and XBAP: No longer a driveby threat – blogs.technet.com
      One of the security bulletins released today, MS12-025, addresses a code execution vulnerability in the .NET Framework. To exploit the vulnerability, an attacker would build a malicious XBAP application and lure victims to a malicious website serving the XBAP.
  • SAMBA
    • SAMBA “root” credential remote code execution – isc.sans.edu
      Samba, “a Windows SMB/CIFS fileserver for UNIX”, seems to have a serious security vulnerability: Samba version 3.6.3 and all versions prior to it allow remote code execution as the “root” user from an anonymous connection.
    • Linux Users Beware: Patch New Samba Flaw ‘Immediately’ – darkreading.com
      A dangerous vulnerability in a pervasive tool for running Linux systems in a Windows environment leaves the door open for an attacker to access these systems without requiring any authentication.
    • Samba fixes critical remote code execution vulnerability – h-online.com
      The Samba developers have patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3, which was released in January.
  • OWTF 0.13 “HackPra” update – github.com
    The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused attempt to unite great tools and make penetration testing more efficient. The purpose of this tool is to automate the manual, uncreative part of penetration testing.
  • theHarvester 2.2 update – code.google.com
    theHarvester is a tool for gathering emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the SHODAN computer database. This tool is intended to help penetration testers in the early stages of the project.
  • Social Engineer Toolkit 3.2.3 update – secmaniac.com
    The Social Engineering Toolkit (SET) is an open source, python-driven, social-engineering penetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing. It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. SET leverages multiple attack vectors that take advantage of the human element of security in an effort to target attackers.
  • OSX
    • OSX.Flashback.K – Suffering a Slashback – Infections Down to 270,000 – symantec.com
      OSX.Flashback initially arrived on the scene in late 2011. It has come a long way from its humble beginnings as a social-engineering scam trying to pass off as a fake Flash update using digital certificates purporting to come from Apple. Flashback is now leveraging the latest Java vulnerability (BID 52161 – Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability ) in order to deliver its payload.
    • New targeted Mac OS X Trojan requires no user interaction – zdnet.com
      A new Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or SX/Sabpab-A is also exploiting Java vulnerabilities in a way that requires no user interaction. It is being used in targeted attacks.

Vulnerabilities

  • Medicaid Hacked
  • Adobe, Microsoft Critical Updates
    • Adobe Reader X (10.1.2) msiexec.exe Planting – blog.acrossecurity.com
      Adobe today issued an update for Adobe Reader X (new version is 10.1.3), which, among other issues, fixes the outside-the-sandbox msiexec.exe EXE planting vulnerability (CVE-2012-0776) I roughly demonstrated during my RSA Conference US talk last month titled “Advanced (Persistent) Binary Planting.”
    • Adobe, Microsoft Issue Critical Updates – krebsonsecurity.com
      Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.
  • Warning over medical implant attacks – bbc.com
    Many medical implants are vulnerable to attacks that could threaten their users’ lives, according to studies.
  • FBI: Smart Meter Hacks Likely to Spread – krebsonsecurity.com
    A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity.
  • MSRT April 2012: Win32/Claretore – blogs.technet.com
    We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool – Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.
  • Weak passwords still the downfall of enterprise security – computerworld.com
    A recent data breach that exposed the Social Security numbers of more than 255,000 people in Utah has once again highlighted the longstanding but often underestimated risks posed to organizations by weak and default passwords.
  • Thieves Replacing Money Mules With Prepaid Cards? – krebsonsecurity.com
    Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Other News

  • CISPA
    • Why CISPA Is a Really Bad Bill – yro.slashdot.org
      We’ve heard recently of CISPA, the Cyber Intelligence Sharing and Protection Act, a bill currently making its way through Congress that many are calling the latest incarnation of SOPA. Reader SolKeshNaranek points out an article at Techdirt explaining exactly why this bill is bad, and how its backers are trying to deflect criticism by using language that’s different and rather vague.
    • It’s imperfect, but CISPA isn’t the devil in disguise – gigaom.com
      CISPA still needs work to clear up what, exactly, it allows for, but strong congressional and industry support might make it a lot harder to stop than was the Stop Online Piracy Act of 2011, or SOPA, that created an online firestorm earlier this year.

  • Not Your Parent’s Wireless Threat – isc.sans.edu
    Back in the good old days, wireless threats could be summarized in “secure your 802.11x access point by picking a strong passphrase and do not connect to evil unknown access points”.
  • Navy Hires Contractor to Data-Mine Gaming Consoles – threatpost.com
    The U.S. Navy recently hired an outside contractor, Obscure Technologies, to develop computer forensics tools capable of analyzing network traffic and stored data on gaming consoles.
  • Java: The OSX and Cross-Platform Nightmare – threatpost.com
    For a few days now I’ve been asking myself the following question: Which is more important: The fact we had a 500k-strong OSX botnet fly under the radar or the culprit that enabled the malware to infect so many machines?
  • Marriott Puts An End To Shady Ad Injection Service – techcrunch.com
    Late last week, one Justin Watt discovered something suspicious going on with the Wi-Fi at his hotel, the Times Square Marriott.
  • Court Rebukes DOJ, Says Hacking Required to be Prosecuted as Hacker – wired.com
    Employees may not be prosecuted under a federal anti-hacking statute for simply violating their employer’s computer use policy, a federal appeals court ruled Tuesday, dealing a blow to the Obama administration’s Justice Department, which is trying to use the same theory to prosecute alleged WikiLeaks leaker Bradley Manning.
  • No Permissions Android Application Can Harvest, Export Device Data – threatpost.com
    The term “permissions” may be a relative one for Google’s Android operating system, which grants applications with no permissions access to a wide range of user and device data, according to research from the company Leviathan Security Group.
  • Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections – forbes.com
    Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets.
  • Final Stats On Heartland Payment Systems Class Action: $1,925 To 11 People, $600k To Lawyers – techdirt.com
    We’ve been discussing for years just how broken the “class action” lawsuit system is in the US. The idea behind it sounds like it makes sense: if a company wrongs a bunch of people, the ability to bundle them all into a class, and get recompense via a single lawsuit seems like a good idea.
  • American Universities Infected by Foreign Spies Detected by FBI – bloomberg.com
    The CIA couldn’t confirm that the company wasn’t an arm of Iran’s government. Simon rejected the offer and shut down undergraduate programs in Dubai, at a loss of $3.7 million.
  • Code Not Physical Property, Court Rules in Goldman Sachs Espionage Case – wired.com
    Former Goldman Sachs programmer Sergey Aleynikov, who downloaded source code for the investment firm’s high-speed trading system from the company’s computers, was wrongly charged with theft of property because the code did not qualify as a physical object under a federal theft statute, according to a court opinion published Wednesday.
  • Appeals Court Rules Computer Code Is Not “Property” and Can’t Be Stolen – gizmodo.com
    Sergey Aleynikov, an ex-Goldman-Sachs programmer, spent a year in prison for downloading source code of the firm’s high-speed trading software before his sentence was overturned in February.
  • It’s Not a Crime to Break a Terms of Service Agreement (So It’s Okay to Never Read Them) – gizmodo.com
    The ruling that breaking a user agreement was totally okay and not a crime was made in the case of US vs Nosal.
  • Cybersecurity Is About Risk, Not War, Says Former DHS Cyber Chief – readwriteweb.com
    The word The Wall Street Journal used in its headline was “war,” which always gets people’s attention. In a March 28th story headlined, “U.S. Outgunned in Hacker War,” outgoing FBI Executive Assistant Director Shawn Henry was quoted as saying, with respect to the ongoing battle against cyber threats, “We’re not winning.” As the story made its rounds through the Web, “not winning” quickly became “losing.”
  • Biggest Threats Come From Inside The Enterprise, Survey Says – darkreading.com
    Security pros are more worried about the lack of visibility into their networks and about insider threats than they are about being hacked by outsiders, according to a new survey.