Week 30 in Review – 2012

Event Related

• Black Hat USA 2012
  • BlackHat USA 2012: Day One – it.toolbox.com
    Carrying on with my tradition of posting my notes from each session I attend… I present to you the first day of BlackHat Briefings 2012.
  • Black Hat Day 1 Talk Notes – STIX: The Structured Threat Information eXpression – novainfosecportal.com
    This Turbo Talk will give a brief introduction and overview of an ongoing effort to define a standardized integrated information architecture for representing structured cyber threat information.
  • BlackHat USA Day One – In Pictures – infosecevents.net
    Pictures of Black Hat USA Day One
  • Black Hat Day 1 Keynote Notes – Changing the Security Paradign – novainfosecportal.com
    The threat to our networks is increasing at an unprecedented rate. The hostile environment we operate in has rendered traditional security strategies obsolete. Adversary advances require changes in the way we operate, and “offense” changes the game. Former FBI Executive Assistant Director Shawn Henry explores the state of the industry from his perspective as the man who led all cyber programs for the FBI.
  • BlackHat Briefings USA 2012: Day 2 – it.toolbox.com
    Continuing into the final day of BlackHat…
  • Black Hat Day 2 Talk Notes – Hacking the Corporate Mind – novainfosecportal.com
    Network defenders face a wide variety of problems on a daily basis. Unfortunately, the biggest of those problems come from the very organizations that we are trying to protect. Departmental and organizational concerns are often at odds with good security practices. As information security professionals, we are good at designing solutions to protect our networks, and the data housed on them.
  • Black Hat Day 2 Talk Notes – The Christopher Columbus Rule and DHS – novainfosecportal.com
    “Never fail to distinguish what’s new, from what’s new to you.” This rule applies to a lot people when they think about innovation and technology in the government.
  • Hacker Will Expose Potential Security Flaw In Four Million Hotel Room Keycard Locks – forbes.com
    At the Black Hat security conference Tuesday evening, a Mozilla software developer and 24-year old security researcher named Cody Brocious plans to present a pair of vulnerabilities he’s discovered in hotel room locks from the manufacturer Onity, whose devices are installed on the doors of between four and five million hotel rooms around the world according to the company’s figures.
  • Arduino used as master key for hotel rooms – h-online.com
    Using an inexpensive Arduino microcontroller board, security researcher Cody Brocious was able to open the Onity HT lock system used to secure rooms by a number of hotels around the globe. Brocious presented his findings yesterday (Tuesday) at the Black Hat information security conference in Las Vegas.
  • Relating Responsibility and Liability- at the core of BYOD – h30499.www3.hp.com
    Just a quick post today, because I know everyone’s traveling around with Black Hat kicking up, and other conferences in full swing right now as well … but something we’ve been hitting on today just struck a nerve and I felt like I needed to write it up for everyone’s benefit.
  • Blackhat paper – daeken.com
    Well, my talk for Blackhat (My Arduino can beat up your hotel room lock) is over. Things could’ve gone better in terms of execution — went through it too quickly and ended up using 30 minutes of my 60 minute slot. But people really enjoyed it and I spent a good hour or so answering questions.
  • EMET 3.5 Tech Preview leverages security mitigations from the BlueHat Prize – blogs.technet.com
    Last year at Black Hat Las Vegas, we announced the BlueHat Prize contest – a large cash prize awarded for defensive security research. One month ago, we announced the names of three finalists. On Thursday night shortly after 10 PM, at the Microsoft Researcher Appreciation Party, we will unveil which finalist won which prize – the grand prize of $200,000 USD, the second prize of $50,000 USD, and the third prize of an MSDN subscription, valued at $10,000 USD. We are excited to reveal this to the finalists and to the world live at the same time.
  • Black Hat: Former FBI top cyber cop says defenders need to think more tactically – scmagazine.com
    The strategies used to fight adversaries in the real world are not much different than ones used to battle attackers in the cyber realm, the former executive assistant director of the FBI told a standing-room only crowd during the keynote Wednesday at the Black Hat conference in Las Vegas.
  • The BlueHat Prize finalists, in their own words – blogs.technet.com
    In a little less than 24 hours, we will award $200,000 to Jared DeMott, Ivan Fratric, or Vasilis Pappas as we name the inaugural winner of the BlueHat Prize – and we’ll award more than $50,000 for the two runners-up. As excitement builds towards that announcement, I was fortunate enough to sit down with each finalist and get to know them a little bit better. Each of these researchers coincidentally took on the problem of mitigating ROP exploits, but each had different reasons for participating in the contest and each proposed different solutions to the same problem.
  • Black Hat – Smashing the future for fun and profit – nakedsecurity.sophos.com
    I’m delighted to once again be writing to you from the Black Hat USA conference in Las Vegas, Nevada. This year’s Black Hat is as big as ever and the talks seem to have improved over 2011.
  • Offensive / Proactive tactics, will they really work? Blackhat day 1 – blog.eset.com
    Blackhat keynote speaker Shawn Henry, the former executive assistant director of the FBI’s Criminal, Cyber, Response and Service Branch, started off the day after opening remarks from Jeff Moss, founder of Blackhat.
  • Ho-hum first date with Apple at Black Hat – news.cnet.com
    The sparks didn’t fly during the company’s first-ever talk at the hacking confab. Apple security specialist Dallas De Atley is stylish and all, but CNET’s Elinor Mills got the sense she’d heard his lines somewhere before.
  • Black Hat panel: Which do you trust less with your data, the U.S. government or Google? – computerworld.com
    To celebrate the 15th anniversary of the Black Hat Conference here, a panel of experts got together to expound on what they see as the privacy and security mess of our times, and they had plenty to say about the U.S. government, cyberwar and Google.
  • Payment terminal flaws shown at Black Hat – computerworld.com
    Three widely deployed payment terminals have vulnerabilities that could allow attackers to steal credit card data and PIN numbers, according to a pair of security researchers from penetration testing firm MWR InfoSecurity in the U.K.
  • Black Hat 2012: Best Giveaways and Booths – veracode.com
    Veracode’s remedy for the Application Security headache is in full swing at the Black Hat Conference. Swing by the booth (#229) and you can pick up an “I <3 Binaries” t-shirt, some Veracode Vitamins, a Water Bottle, or a chance to win $1,000. But we aren’t the only great booth here at Black Hat this year; quite a few security vendors have gone all out to create great themes and fun giveaways.
  • Black Hat: Iris scanners ‘can be tricked’ by hackers – bbc.com
    Security researchers have discovered a way to replicate a person’s eye to bypass iris-scanning security systems.
  • iOS app hacking alive and well – download.cnet.com
    While Apple was making its decidedly lackluster Black Hat debut just one floor up, security researcher Jonathan Zdziarski was explaining the dark art of iOS app hacking to a smaller but still crowded room.
  • Your Computer May Belong to Hackers – securitywatch.pcmag.com
    “We are not terrorists. We will not release our proof of concept code.” Those words from Jonathan Brossard, CEO of Toucan Systems, sounded a bit extreme to me. However, by the end of his Black Hat presentation I totally changed my mind. Brossard presented a technique by which anyone with access to your computer or its components could seriously reduce its security in a permanent and undetectable fashion.
  • BlackHat talk – Las Vegas 2012 – zhodiac.hispahack.com
    After a good talk with good feedback here is the deck I used and the video demo of win7/IE9 getting pwned.
  • MWR Labs – Pin Pad Racer – vimeo.com
    Smartcard exploit as demonstrated at Black Hat 2012 against popular payment terminal.
  • Probing Mobile Operator Networks – mulliner.org
    Slides for the talk “Probing Mobile Operator Networks”
  • Hash Corruption Whitepaper – media.blackhat.com
    Hash Corruption Whitepaper – Cain, Metasploit, & other tools fail
  • Protocol-Level Evasion of Web Application Firewalls – community.qualys.com
    Web application firewalls have come a long way from their modest beginnings more than a decade ago. They are now an accepted security best practice and have a significant role in compliance. But there is still a lot left to do before they can unlock their full potential.
  • Yup. That just happened… – passing-the-hash.blogspot.com
    It’s 1115 BlackHat Standard Time and our talk just concluded. Here’s the high points.
  • Blackhat USA 2012 – Pushing Past Intrusion Tolerance, Cutting Edge Research – securelist.com
    The Blackhat 2012 keynote started the event with Shawn Henry, former Executive Assistant Director of the Fbi, painting a grim, seemingly unspeakable picture of cyberespionage in the US.
  • DE MYSTERIIS DOM JOBSIVS: Mac EFI Rootkits – ho.ax
    Here’s the white paper of Loukas K (Snare) black hat talk on EFI malware.
  • DE MYSTERIIS DOM JOBSIVS: MAC EFI ROOTKITS – ho.ax
    Here’s the slide of Loukas K (Snare) black hat talk on EFI malware.
  • #BlackHat Mac rootkit bypasses Filevault, installs at boot – scmagazine.com.au
    An Australian security penetration tester has developed a method to inject a rootkit capable of loading at boot on encrypted Apple computers.
  • The Dark Art of iOs Application Hacking – viaforensics.com
    The following presentation was delivered by Jonathan Zdziarski at Blackhat 2012 on July 26.
• DEFCON 20
  • Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate – cloudcracker.com
    At Defcon 20 last weekend, David Hulton and I gave a presentation on cracking MS-CHAPv2. This blog post is meant to be a rough overview of what we covered in our talk.
  • NSA director finally greets Defcon hackers – news.cnet.com
    National Security Agency Director Gen. Keith Alexander calls Defcon the “world’s best cybersecurity community” and asks for their help.
  • Hacker delves into secret world of warranties – news.cnet.com
    A young hacker here at Defcon 20 has pulled back the dense curtain of text and ambiguity surrounding warranties to show consumers how they can hack the warranty system — and to tell companies how to improve their warranty management.
  • Defcon Badge – etherpad.openstack.org
    All of the badge binary sequences have been posted. Get in on the challenge and help out.
  • DEFCON 20: Day 1 Favorite Talk – it.toolbox.com
    I promised a reader that I’d transcribe this talk for her, so here you go! Really good talk, although Michael drank a lot of beer during it… which probably made it even better! Some comments strewn about as usual. Enjoy everyone.
  • Defcon 20 Day 1 Review – resources.infosecinstitute.com
    This article will discuss about the talks and events that happened on Defcon day 1.
  • Defcon Day 1 Talk Notes – An Inside Look into DIB Technical Security Controls – novainfosecportal.com
    With an ever changing threat of nation states targeting the United States and its infrastructure and insiders stealing information for public release, we must continuously evaluate the procedural and technical controls we place on our national assets.
  • Defcon Day 2 Talk Notes – Bruce Schneier Answers Your Questions – novainfosecportal.com
    Bruce Schneier will answer questions topics ranging from the SHA-3 competition to the TSA to trust and society to squid.
  • Defcon Day 1 Keynote Notes – Shared Values, Shared Responsibility – novainfosecportal.com
    We as a global society are extremely vulnerable and at risk for a catastrophic cyber event. Global society needs the best and brightest to help secure our most valued resources in cyberspace: our intellectual property, our critical infrastructure and our privacy.
  • Tools Released at Defcon Can Crack Widely Used PPTP Encryption – pcworld.com
    Security researchers released two tools at the Defcon security conference that can be used to crack the encryption of any PPTP (Point-to-Point Tunneling Protocol) and WPA2-Enterprise (Wireless Protected Access) sessions that use MS-CHAPv2 for authentication.
  • Hardware Backdooring is practical – slideshare.net
    This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more …
  • DEFCON 20 – Botnets Die Hard – Owned and Operated – secniche.blogspot.com
    A presentation for Botnets Die Hard Owned and Operated
  • Defcon Day 3 Talk Notes – Sploitego – novainfosecportal.com
    Sploitego makes it easy to quickly develop, install, distribute, and maintain Maltego Local transforms. The framework comes with a rich set of auxiliary libraries to aid transform developers with integrating attack, reconnaissance, and post exploitation tools. It also provides a slew of web tools for interacting with public repositories.
  • Into the Droid – Gaining Access to Android User Data – viaforensics.com
    The following presentation was delivered by Thomas Cannon at Defcon 2012 on July 28, 2012.
• HITCON 2012
  • HITCON 2012 Review and slides – reverse.put.as
    HITCON was really great and well organized. It was bigger than I expected, with lots of curious and cool people. Went in the mood and took many pictures with everyone – there goes my anonymity!
• Bsides Las Vegas 2012
  • Bsides Las Vegas 2012 – youtube.com
    Video playlists of Bsides Las Vegas 2012
  • Smart grid vulnerability could give hackers free electricity – rawstory.com
    A cyber security researcher will demonstrate a toolset later this week which allows users to break into so-called “smart meters” that control a structure’s access to the power grid and water utilities, potentially enabling the user to modify the reported volume of services used or even avoid being charged altogether.
• Hope Number 9
  • The HOPE Number Nine Speaker Schedule – hopenumbernine.net
    There are three scheduled speaker tracks. Talks begin at 10am Friday morning, July 13, and end Sunday evening with Closing Ceremonies. The schedule details are presented in a few different ways.

Resources

• Sneaky Apps Have Probably Stolen Your Private Data
  [Infographic] – inquisitr.com
  As internet company’s realize the revenue power of owning user data we have found ourselves watching as our private information is virtually stolen and used for marketing purposes. While we often hear about Facebook and its complete lack of user privacy respect FB is not the only social program that grabs user data for its own goods.
• The NTLM Authentication Protocol and Security Support Provider – davenport.sourceforge.net
  This article seeks to describe the NTLM authentication protocol and related security support provider functionality at an intermediate to advanced level of detail, suitable as a reference for implementors.
• Android vs. Apple iOS Security Showdown Slides – spylogic.net
  Slides for the android vs. apple ios security.
• SharePoint Security Playbook [eBook] – blog.imperva.com
  Today, we conclude our blog series on SharePoint security, where each day we took a closer look at the five lines of defense you need to secure your SharePoint environment from both internal and external threats.

Tools

• Hcon Security Testing Framework (HconSTF) v0.4 – Fire Base – darknet.org.uk
  HconSTF is an Open Source Penetration Testing Framework based on different browser technologies, Which helps any security professional to assists in the Penetration testing or vulnerability scanning assessment. It contains webtools which are capable of carrying out XSS attacks, SQL Injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. It could prove useful to anybody interested in the information security domain – students, security professionals, web developers and so on.
• Get-PEHeader – A Scriptable In-memory and On-disk PE Parsing Utility – exploit-monday.com
  Introducing, yet another PE parsing utility! Where Get-PEHeader differentiates itself though is that it will parse 32 and 64-bit executables both on disk and loaded in memory. Where it really shines is in its scriptability. For example, you can pipe the output of ls (Get-ChildItem) or ps (Get-Process) right to Get-PEHeader and it will return to you a fully parsed PE header.
• OWASP BWA VM version 1.0 released – owasp.blogspot.com
  Today, I am proud to announce the release of the OWASP Broken Web Applications Project VM version 1.0. This new release is now available for download from https://sourceforge.net/projects/owaspbwa/files/.
• GUIdumpASN – Next Generation – geminisecurity.com
  The GUIdumpASN application allows you to view and print a human readable version of an Abstract Syntax Notation One (ASN.1) file. ASN.1 is a standard and flexible notation that describes data structures for representing, encoding, transmitting, and decoding data.
• iSECPartners / ios-ssl-kill-switch – github.com
  MobileSubstrate extension to disable certificate validation within NSURLConnection in order to facilitate black-box testing of iOS Apps.
• OWASP Xelenium Project – owasp.org
  Xelenium is a security testing tool that can be used to identify the security vulnerabilities present in the web application. Xelenium uses the open source functional test automation tool ‘Selenium’ as its engine and has been built using Java swing.
• Simple Kung Fu Grep for Finding Common Web Vulnerabilities & Backdoor Shells – pentestlab.org
  Grep is a powerful command-line tool in Unix and Linux used for searching and probing data sets for lines that matches a regular expression. As a short history, this utility was coded by Ken Thompson on March 3, 1973 for Unix.
• Web Security Dojo – mavensecurity.com
  A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

Techniques

• Proxying Android 4.0 ICS and FS Cert Installer – blog.opensecurityresearch.com
  The first step to testing Android applications is to inspect the application’s traffic. If the application uses SSL encryption, this requires forcing the app to use an intermediate proxy that allows us to grab, inspect, and possibly modify this traffic.
• New Techniques in SQLi Obfuscation: SQL never before used in SQLi – client9.com
  SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities.

Vendor/Software Patches

• X-Ray for Android – xray.io
  X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.
• Update to the NMAP Pass the Hash script – josephpierini.blogspot.com
  I’ve had a lot of questions about this, so let’s see if this helps. When I score a password or a hash, I use an nmap script to quickly determine if this gives me local admin rights to the workstations and servers.
• PENETRATION TESTING WITH HTTPFS: RFI – disse.cting.org
  As every system administrator knows, mounting remote filesystem with protocols like sshfs or smbfs saves time and simplify interactions with remote machines. This leisure is usually not available when having limited remote access, like managing a web shell or during a web application penetration testing.

Vulnerabilities

• 16,000 New Password Hashes Dumped – novainfosecportal.com
  Wow some people have been busy the past few days… There are three new significant password hash dumps that we discovered over on OZDC.net this evening.
• 284 More Password Hashes Dumped – novainfosecportal.com
  There are three new relatively small password hash dumps that we discovered over on OZDC.net yesterday. Of course many of the records also contained other interesting data such as phone numbers, email addresses, full names, user ids, usernames, club ids, and user types.
• Windows malware found in iOS App Store. Say what?! – nakedsecurity.sophos.com
  The discovery of new, low-distribution Mac malware known as Crisis or Morcut would be bad enough news, just before the launch of Mountain Lion.
• Android DNS Poisoning: Randomness gone bad (CVE-2012-2808) – blog.watchfire.com
  Recently we discovered a very interesting vulnerability in Android’s DNS resolver, a weakness in its pseudo-random number generator (PRNG), which makes DNS poisoning attacks feasible.
• Apple removes Windows malware from iOS App Store – zdnet.com
  Malware hit the iOS App Store. Don’t worry though: it won’t harm your iPhone, iPad, or Mac (your Windows computer is a different story, but even that is a long shot), and Apple has already removed it.
• Backdoor Tool Kit – Today’s Scary Web Malware Reality – blog.sucuri.net
  This past week we came across a nice little package that we felt compelled to share with you. In it, the attacker makes use of a number of tools designed to help them infiltrate your environment. What’s likely most annoying about this kit is that it’s loaded into your environment, and uses your own resources to help hack you. That’s like being punched in the gut and slapped at the same time, not cool.
• Meet ‘Rakshasa,’ The Malware Infection Designed To Be Undetectable And Incurable – forbes.com
  Malicious software, like all software, gets smarter all the time. In recent years it’s learned to destroy physical infrastructure, install itself through Microsoft updates, and use human beings as physical “data mules,” for instance.
• Cracking Down on Insider Fraud – bankinfosecurity.com
  Three insider fraud schemes at banks in Minnesota, Texas and California illustrate just how difficult it is for institutions to thwart inside jobs.
• Next-Gen Air Traffic Control Vulnerable To Hackers Spoofing Planes Out Of Thin Air – forbes.com
  A hacker attack that leads to planes dropping from the sky is the stuff of every cyberwar doomsday prophesy.

Other News

• Beyond the Hype of the Cybersecurity Act – bankinfosecurity.com
  U.S. government federal agencies would be required to continuously monitor and conduct penetration tests of their IT systems under the latest version of the Cybersecurity Act of 2012.
• Multi-context XSS injection contest – thespanner.co.uk
  started to wonder a while ago how you could produce a vector that executed in many contexts. It’s cool because you can limit the number of requests an automated scanner uses without a high failure rate, you can even reduce the failure rate by making it as small as possible because some filters have a length limit. What does a multi-context vector look like I hear you ask?
• Charlie Miller Takes on NFC, Charlie Miller Wins – threatpost.com
  LAS VEGAS–Do not stand near Charlie Miller. Actually, you might not even want to let him walk past you. It’s not that Miller is a bad person, you understand. The problem is that Miller has figured out a couple of methods that enable him–or an attacker–to use the NFC chip in some phones to exploit vulnerabilities in the phones’ software and force users to visit a Web site or even gain complete control of the phone.
• IOActive Announces Acquisition of Flylogic Engineering and Hardware Security Lab – prweb.com
  IOActive, Inc., a global leader in information security services and research, today announced the acquisition of Flylogic Engineering and its assets, in addition to the appointment of Christopher Tarnovsky as IOActive’s Vice President of Semiconductor Security Services. In conjunction with this announcement, IOActive will be opening an expanded hardware and semiconductor security lab in San Diego, California.
• Hackers Linked To China’s Army Seen From EU To D.C. – bloomberg.com
  The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity.
• Global Payments: data breach cost a whopping $84.4 million – computerworld.com
  Global Payments, which back in the spring reported a data breach in which information associated with an estimated 1.4 million payment cards was stolen, has revealed that expenses associated with investigations, fines and remediation has hit $84.4 million.