Week 15 in Review – 2012

Event Related

• A cyber weapon – alexmgeorge.wordpress.com
  At RSA 2012 Dave Aitel made a presentation wherein he defined cyber weapons a bit outside of how people normally think. The tried and true metaphor (which I admit to using) is that exploits or frameworks are like guns, and if they’re like guns then it’s easy to classify them as ‘cyber weapons’. There has been some recent criticism of this idea which I think is well deserved.
• Adventures in Domain Takedowns – vrt-blog.snort.org
  I gave a presentation entitled “Adventures in Domain Takedowns” recently at the APCERT 2012 conference in Bali, Indonesia. The conference itself was excellent – plenty of good technical material and lots of useful contacts – and the location, of course, couldn’t have been better.
• 2012 Verizon DBIR Cover Challenge – darthnull.org
  Every year, the Verizon Business Risk Team publishes a Data Breach Investigations Report (DBIR), analyzing trends and other great statistical information gathered from working hundreds of different, well, data breaches.
• Written Speech: TEDxMaui — Hack Yourself First – jeremiahgrossman.blogspot.com
  Earlier this year I was fortunate enough to give a presentation at TEDxMaui. Previously I discussed what getting the opportunity was like and the overall experience of being on stage — nothing short of amazing — life changing.

Resources

• Why Do Hackers Want Facebook Data
• Part I – blog.imperva.com
  Late in 2011, Max Schrems asked Facebook for a profile the social networking company assembled based on his posts, likes and friends. Max received a 1200 page PDF file with lots of personal details.
• Part II – blog.imperva.com
  In the first of this two-part series, we showed how Facebook profile data is very attractive to different of hackers. But how do hackers gain this information?
• Introduction to Microsoft PowerShell – Working with PSDrives and Items – darkoperator.com
  PowerShell provides many ways to work with files and with other sorts of structured data it treats as files. Typically as shown before we can use the same commands as in cmd.exe but they parameters change also we can call many using he names of commands found in Unix type systems, these are aliases for PowerShell cmdlets so as to make the transition to PowerShell easier for administrators.
• Captcha Intruder – cintruder.sourceforget.net
  Captcha Intruder is an automatic pentesting tool to bypass captchas.
• Introduction to Windows Dictionary Attacks – netspi.com
  Based on my experience, nine out of ten environments will have at least one account configured with a weak or default password. Those weak configurations usually lead to the compromise of the entire Windows Domain, so it is important to understand how to audit for them.
• Slides from my “5 Lessons Learned From Breaking Into A Casino” Webcast – spylogic.net
  For those of you that attended the webcast yesterday (and those who didn’t) I’ve uploaded my slides to my SlideShare page. Thanks to my co-presenters Richard Stiennon and Kevin Henry for presenting some great content with me! If you’re interested Richard has posted his slides to SlideShare as well.
• Vulnerability Severity Using CVSS – cert.org
  If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you’ve come across the Common Vulnerability Scoring System (CVSS). I’m happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics.
• Slides for Presentation on Real-World Social Engineering Attacks – blog.zeltser.com
  I published the slides to my presentation “How attackers use social engineering to bypass your defenses,” which shows numerous examples of real-world social engineering examples.
• Practical Malware Analysis Review – em386.blogspot.com
  I recently finished my review copy of ‘Practical Malware Analysis’. I enjoyed this book for a few reasons. Each chapter concludes with some simple questions/labs to test your knowledge and give you a chance at some hands on experience related to the content you just read.
• Zero-Permission Android Applications – leviathansecurity.com
  There’s been a lot of research in the Android security space. The most notable examples are Jon Oberheide’s fake Twilight app, Georgia Weidman’s SMS bot, and the numerous clever root exploits. Recently in the mainstream media, there’s been buzz about apps (allegedly) misusing permissions; some of these apps include Facebook, Skype, Path, and just about every advertisement library.
• HITB Magazine Issue 008 – magazine.hitb.org
  The HITB (aka Hack In The Box) Magazine is a deep-knowledge technical magazine. The quarterly magazine covers articles that are more technical or that discuss new and never before seen attack methods are of more interest than a subject that has been covered several times before.
• Phrack Issues – phrack.org
  Phrack Issues
• Microsoft EMET in The Enterprise – Microsoft EMET in The Enterprise – recxltd.blogspot.co.uk
  It’s Friday, so it’s time to take a step back from the low-level and have another post on the practical steps organisations can take at little cost. Before we begin it’s probably useful to outline some of the realities of business when it come to desktop and server security.

Tools

• OWASP
• 
  OWASP Zed Attack Proxy (ZAP) 1.4.0 – owasp.blogspot.com
  I’m very pleased to announce that version 1.4.0 of the OWASP Zed Attack Proxy (ZAP) has now been released.
• OWASP Joomscan 4.4.2012 now scans for 623 vulnerabilities – toolswatch.org
  OWASP Joomscan is a tool for testing vulnerabilities on websites that use ‘Joomla’. This application allows you to view or Test the website on XSS attacks, SQL Injection, LFI, RFI, Bruteforce, etc.
• Flashback Removal Tool
• Flashback Removal Tool – f-secure.com
  We have created a free tool that automates the detection and removal of the widespread Flashback Mac OS X malware.
• Apple releases Java update with Flashback removal tool – Update – h-online.com
  As expected, Apple has released an updated version of the Java implementation for its Mac OS X operating system that includes a removal tool for the Flashback trojan.
• RitX Reverse Ip Lookup Tool v1.5 released – code.google.com
  RitX is a Reverse IP Lookup Tool that will allows you to use an IP address or domain name to identify all currently domains hosted on a server using multiple services and various techniques
  RitX is a Perl script which uses multiple web services that provide this feature.
• web-sorrow – Remote Web Security Scanner (Enumeration/Version Detection etc) – darknet.org.uk
  web-sorrow is a PERL based tool used for checking a Web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework.

Techniques

• Mallory MiTM Proxy as a Wireless Access Point (Part 2 of 2) – pentesterconfessionsblogspot.com

  In Part 1 we got an Virtual Machine partially running as a wireless access point using Virtual Box, Ubuntu, hostapd, and an Alfa wifi card. In this Post we will fully configure the AP and install/configure Mallory to MiTM anything that connects to the virtual Wireless Access Point.

• Applying Security Intelligence to Patch Management – blog.coresecurity.com
  Last week as Patch Tuesday (which was today) approached, I wondered about the efforts of admins everywhere to understand, test and then apply those patches that are applicable for their environment.
• An Ethical Hacker’s View on Mobile Malware and How to Stop it – cio.com
  As our mobile handsets become more than just a way to make and receive phone calls their appeal to criminals increases. Mobile malware, once theoretical, is now very much a reality and a growing threat.
• How to Find and Remove Mac Flashback Infections – krebsonsecurity.com
  A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems.
• PPTP VPN and policy routing on user – blog.stalkr.net
  The first part of this post describes how to use PPTP VPN on Linux, in command-line and not GUI. The second part, actually independent of VPN, describes how to set up policy routing for a user, in order to have all traffic from that user to go through a specific interface (e.g. the VPN interface).

Vendor/Software Patches

• Microsoft Security Bulletin
• Microsoft Security Bulletin MS11-100-Critical – technet.microsoft.com
  This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site.
• Assessing risk for the April 2012 security updates – blogs.technet.com
  Today we released 6 security bulletins. Four have a maximum severity rating of Critical with the other two addressing Important class vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
• MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents – blogs.technet.com
  Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office.
• MS12-025 and XBAP: No longer a driveby threat – blogs.technet.com
  One of the security bulletins released today, MS12-025, addresses a code execution vulnerability in the .NET Framework. To exploit the vulnerability, an attacker would build a malicious XBAP application and lure victims to a malicious website serving the XBAP.
• SAMBA
• SAMBA “root” credential remote code execution – isc.sans.edu
  Samba – “a Windows SMB/CIFS fileserver for UNIX” seems to have a serious security vulnerability that samba versions 3.6.3 and all versions prior to it have a vulnerability that allows remote code execution as the “root” user from an anonymous connection.
• Linux Users Beware: Patch New Samba Flaw ‘Immediately’ – darkreading.com
  A dangerous vulnerability in a pervasive tool for running Linux systems in a Windows environment leaves the door open for an attacker to access these systems without requiring any authentication.
• Samba fixes critical remote code execution vulnerability – h-online.com
  The Samba developers have patched a critical security vulnerability that effects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3 which was released in January.
• OWTF 0.13 “HackPra” update – github.com
  The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused try to unite great tools and make penetration testing more efficient. The purpose of this tool is to automate the manual, uncreative part of penetration testing.
• theHarvester 2.2 update – code.google.com
  theHarvester is a tool for gathering emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. This tools is intended to help Penetration testers in the early stages of the project.
• Social Engineer Toolkit 3.2.3 update – secmaniac.com
  The Social Engineering Toolkit (SET) is an open source, python-driven, social-engineering penetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing. It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. SET leverages multiple attack vectors that take advantage of the human element of security in an effort to target attackers.
• OSX
• OSX.Flashback.K – Suffering a Slashback – Infections Down to 270,000 – symantec.com
  OSX.Flashback initially arrived on the scene in late 2011. It has come a long way from its humble beginnings as a social-engineering scam trying to pass off as a fake Flash update using digital certificates purporting to come from Apple. Flashback is now leveraging the latest Java vulnerability (BID 52161 – Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability ) in order to deliver its payload.
• New targeted Mac OS X Trojan requires no user interaction – zdnet.com
  A new Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or SX/Sabpab-A is also exploiting Java vulnerabilities in a way that requires no user interaction. It is being used in targeted attacks.

Vulnerabilities

• Medicaid Hacked
• Medicaid hacked: over 181,000 records and 25,000 SSNs stolen – zdnet.com
  The Utah Department of Health has been hacked. 181,604 Medicaid/CHIP recipients have had their personal information stolen. 25,096 have had their Social Security numbers (SSNs) compromised.
• Medicaid hack update: 500,000 records and 280,000 SSNs stolen – zdnet.com
  The Utah Department of Health hack has grown once again, and the FBI is now involved. The latest total is 780,000 victims: 500,000 records and 280,000 Social Security numbers (SSNs) stolen.
• Adobe, Microsoft Critical Updates
• Adobe Reader X (10.1.2) msiexec.exe Planting – blog.acrossecurity.com
  Adobe today issued an update for Adobe Reader X (new version is 10.1.3), which, among other issues, fixes the outside-the-sandbox msiexec.exe EXE planting vulnerability (CVE-2012-0776) I roughly demonstrated during my RSA Conference US talk last month titled “Advanced (Persistent) Binary Planting.”
• Adobe, Microsoft Issue Critical Updates – krebsonsecurity.com
  Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.
• Warning over medical implant attacks – bbc.com
  Many medical implants are vulnerable to attacks that could threaten their users’ lives, according to studies.
• FBI: Smart Meter Hacks Likely to Spread – krebsonsecurity.com
  A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity.
• MSRT April 2012: Win32/Claretore – blogs.technet.com
  We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool – Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.
• Weak passwords still the downfall of enterprise security – computerworld.com
  A recent data breach that exposed the Social Security numbers of more than 255,000 people in Utah has once again highlighted the longstanding but often underestimated risks posed to organizations by weak and default passwords.
• Thieves Replacing Money Mules With Prepaid Cards? – krebsonsecurity.com
  Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.

Other News

• CISPA
• Why CISPA Is a Really Bad Bill – yro.slashdot.org
  We’ve heard recently of CISPA, the Cyber Intelligence Sharing and Protection Act, a bill currently making its way through Congress that many are calling the latest incarnation of SOPA. Reader SolKeshNaranek points out an article at Techdirt explaining exactly why this bill is bad, and how its backers are trying to deflect criticism by using language that’s different and rather vague.
• It’s imperfect, but CISPA isn’t the devil in disguise

  – gigaom.com
  CISPA still needs work to clear up what, exactly, it allows for, but strong congressional and industry support might make it a lot harder to stop than was the Stop Online Piracy Act of 2011, or SOPA, that created an online firestorm earlier this year.

• Not Your Parent’s Wireless Threat – isc.sans.edu
  Back in the good old days, wireless threats could be summarized in “security your 802.11x access point by picking a strong passphrase and do not connect to evil unknown access points”.
• Navy Hires Contractor to Data-Mine Gaming Consoles – threatpost.com
  The U.S. Navy recently hired an outside contractor, Obscure Technologies, to develop computer forensics tools capable of analyzing network traffic and stored data on gaming consoles.
• Java: The OSX and Cross-Platform Nightmare – threatpost.com
  For a few days now I’ve been asking myself the following question: Which is more important: The fact we had a 500k-strong OSX botnet fly under the radar or the culprit that enabled the malware to infect so many machines?
• Marriott Puts An End To Shady Ad Injection Service – techcrunch.com
  Late last week, one Justin Watt discovered something suspicious going on with the Wi-Fi at his hotel, the Times Square Marriott.
• Court Rebukes DOJ, Says Hacking Required to be Prosecuted as Hacker – wired.com
  Employees may not be prosecuted under a federal anti-hacking statute for simply violating their employer’s computer use policy, a federal appeals court ruled Tuesday, dealing a blow to the Obama administration’s Justice Department, which is trying to use the same theory to prosecute alleged WikiLeaks leaker Bradley Manning.
• No Permissions Android Application Can Harvest, Export Device Data – threatpost.com
  The term “permissions” may be a relative one for Google’s Android operating system, which grants applications with no permissions access to a wide range of user and device data, according to research from the company Leviathan Security Group.
• Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections – forbes.com
  Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets.
• Final Stats On Heartland Payment Systems Class Action: $1,925 To 11 People, $600k To Lawyers – techdirt.com
  We’ve been discussing for years just how broken the “class action” lawsuit system is in the US. The idea behind it sounds like it makes sense: if a company wrongs a bunch of people, the ability to bundle them all into a class, and get recompense via a single lawsuit seems like a good idea.
• American Universities Infected by Foreign Spies Detected by FBI – bloomberg.com
  The CIA couldn’t confirm that the company wasn’t an arm of Iran’s government. Simon rejected the offer and shut down undergraduate programs in Dubai, at a loss of $3.7 million.
• Code Not Physical Property, Court Rules in Goldman Sachs Espionage Case – wired.com
  Former Goldman Sachs programmer Sergey Aleynikov, who downloaded source code for the investment firm’s high-speed trading system from the company’s computers, was wrongly charged with theft of property because the code did not qualify as a physical object under a federal theft statute, according to a court opinion published Wednesday.
• Appeals Court Rules Computer Code Is Not “Property” and Can’t Be Stolen – gizmodo.com
  Sergey Aleynikov, an ex-Goldman-Sachs programmer, spent a year in prison for downloading source code of the firm’s high-speed trading software before his sentence was overturned in February.
• It’s Not a Crime to Break a Terms of Service Agreement (So It’s Okay to Never Read Them) – gizmodo.com
  
  The ruling that breaking a user agreement was totally okay and not a crime was made in the case of US vs Nosal.
• Cybersecurity Is About Risk, Not War, Says Former DHS Cyber Chief – readwriteweb.com
  The word The Wall Street Journal used in its headline was “war,” which always gets people’s attention. In a March 28th story headlined, “U.S. Outgunned in Hacker War,” outgoing FBI Executive Assistant Director Shawn Henry was quoted as saying, with respect to the ongoing battle against cyber threats, “We’re not winning.” As the story made its rounds through the Web, “not winning” quickly became “losing.”
• Biggest Threats Come From Inside The Enterprise, Survey Says – darkreading.com
  Security pros are more worried about the lack of visibility into their networks and about insider threats than they are about being hacked by outsiders, according to a new survey.