Week 37 in Review – 2012

Event Related

  • Man on the SecurityStreet
    • Man on the SecurityStreet – Day 2 Continued. – community.rapid7.com
      Dave Kennedy, the founder of TrustedSec, gave an entertaining presentation called Going on the Offensive – Proactive Measures in Security your Company. Just like HD’s earlier presentation, we had our staff artist plot out the entire speech, which you can see attached here at right.
    • Man on the SecurityStreet – UNITED Day 2 – communit.rapid7.com
      HD’s presentation entitled “An Evil World,” was an in-depth look at the Critical.IO project he’s working on, and how he’s currently scanning the entire Internet in order to make our own corner of it safer.
  • OWASP Belgium Chapter September 2012 Wrap-Up – blog.rootshell.be
    The holidays are gone, kids are back to school. For the security landscape, it means that security meetings are also back! The first OWASP Belgium Chapter was organised tonight. Here is my quick wrap-up.

Resources

  • Google Native Client – Attack Surface and Vulnerabilities (Part 4) – blog.leafsr.com
    In this final post we will take a look at the various attack surfaces present in NaCl and a few of the vulnerabilities I discovered in the pepper proxy during a 3 week source code audit in 2011. As usual you can find the standard NaCl architecture reference diagram directly to the right.
  • MoVP 1.1 Logon Sessions, Processes, and Images – volatility-labs.blogspot.com
    Attackers like to log on. They specifically like logging on remotely with RDP. Whenever these actions occur, the Windows kernel creates a new session, which is basically a container for processes and objects (like window stations and desktops) that belong to the session.
  • Advanced x86: Intel Hardware Assisted Virtualization Slides – docs.google.com
    Online training materials posted on advanced x86 virtualization (Intel Vt x) including labs to begin implementing a blue pill / hyperjacking attack.
  • Is Your SMB Bruteforcer Lying To You? – rewtdance.blogspot.com
    A few weeks back, on a job, I had enumerated a list of domain users from a linux device attached to a windows domain due to anonymous access. Not knowing the lockout policy I gave a quick attempt to enumerate which accounts had a weak password, ‘Password1’, using Metasploit’s smb_login module.
  • SAP Smashing (Internet Windows) – labs.mwrinfosecurity.com
    SAProuter is a SAP program working as a reverse proxy, which analyses connections between SAP systems and between SAP systems and external networks. It is designed to analyse and restrict SAP network traffic, which is allowed to pass through the firewall.
  • Unquoted Service Paths – commonexploits.com
    I have been playing with unquoted service paths/trusted paths the last few days and thought would write something up. Credit to Gavin Jones who introduced me to this issue, which to be honest I hadn’t heard of before and I normally only checked cacls and permissions of services.
  • SecMobi Wiki – wiki.secmobi.com
    A collection of mobile security resources.

Tools

  • slowhttptest – code.google.com
    SlowHTTPTest is a highly configurable tool that simulates some Application Layer Denial of Service attacks.

Techniques

  • Bypassing Microsoft Windows ASLR with a little help by MS-Help – greyhathacker.net
    Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed as it got shipped with non aslr msvcr71.dll library.
  • How can you protect yourself from CRIME, BEAST’s successor? – security.blogoverflow.com
    For those who haven’t been following Juliano Rizzo and Thai Duong, two researchers who developed the BEAST attack against TLS 1.0/SSL 3.0 in September 2011, they have developed another attack they plan to publish at the Ekoparty conference in Argentina later this month – this time giving them the ability to hijack HTTPS sessions – and this has started people worrying again.
  • Tracking Down the UDID Breach Source – intrepidusgroup.com
    I’d heard about the alleged FBI/Apple UDID leak shortly after arriving at work last Tuesday morning, and immediately downloaded and began reviewing the data. Less than an hour later, I’d surmised that comparing apps across multiple devices might help narrow down the source.
  • Getting Tricky with Shellcode – blog.fireeye.com
    For those who read my previous blog regarding a very interesting shellcode exploit running inside a PDF, I got a little curious during my spare time and, upon further research, I realized that there is yet another way to insert shellcode inside a Windows program.
  • TCP Fuzzing with Scapy – isc.sans.edu
    Greetings ISC Readers! Today I wanted to share a technique that I find quite useful when I fuzz TCP applications with scapy. Scapy is a Python module used for packet parsing and packet crafting. With scapy you can create just about any packet your heart desires, transmit it to a target, capture the response and respond again accordingly. It is an excellent tool to use for fuzzing network protocols.
  • Current User psexec – community.rapid7.com
    When doing a normal psexec, metasploit uploads an exe to the remote system and uses that as the service executable. It turns out the Windows API allows UNC paths for service executables, and since we have control of a system already on the network, we can reduce the forensics footprint on the network overall by just upload it to the compromised machine.
  • Details on the “CRIME” Attack – isecpartners.com
    Juliano Rizzo and Thai Duong, the authors of the BEAST attack on SSL (or TLS – used interchangeably here), have released a new attack dubbed CRIME, or Compression Ratio Info-leak Made Easy. The attack allows an attacker to reveal sensitive information that is being passed inside an encrypted SSL tunnel.
  • Cracking KeePass Passwords – excivity.com
    The task of breaking into a KeePass password file landed on my desk. I was told that the password was exactly 12 characters long, but we didn’t know which characters.

Vendor/Software Patches

  • Microsoft Security Bulletin MS12-024 – Critical – technet.microsoft.com
    This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

Vulnerabilities

  • The Elderwood Project
    • ‘Elderwood’ Crew, Tied to Google Aurora Attack, Targeting Defense, Energy, Finance Companies – threatpost.com
      The same team that attacked Google in the Aurora campaign in 2009 is still active and has been conducting a long-term campaign targeting defense contractors, financial services companies, energy companies, human rights organizations and government agencies using a seemingly inexhaustible supply of zero day vulnerabilities.
    • The Elderwood Project – symantec.com
      In 2009, we saw the start of high profile attacks by a group using the Hydraq (Aurora) Trojan horse. We’ve been monitoring the attacking group’s activities for the last three years as they’ve consistently targeted a number of industries.

Other News

  • The Top Five Dangers Of Online Shopping & Precautions To Take – forbes.com
    Before you, your family, or friends (e.g. Facebook, Twitter and LinkedIn) spend another dime online, please take a moment to mull over my “Top Five Dangers” and ways to reduce risk.
  • Cosmo, the Hacker ‘God’ Who Fell to Earth – wired.com
    Cosmo is huge — 6 foot 7 and 220 pounds the last time he was weighed, at a detention facility in Long Beach, California on June 26. And yet he’s getting bigger, because Cosmo — also known as Cosmo the God, the social-engineering mastermind who weaseled his way past security systems at Amazon, Apple, AT&T, PayPal, AOL, Netflix, Network Solutions, and Microsoft — is just 15 years old.
  • Research Shows Half of All Androids Contain Known Vulnerabilities – threatpost.com
    About half of all Android phones contain at least one vulnerability that could be used to take control of the device, according to new research. Duo Security, which launched a free vulnerability scanning app for Android this summer, said their preliminary data from users shows a huge number of the devices are vulnerable to at least one of the known Android flaws.
  • CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions – threatpost.com
    The new attack on TLS developed by researchers Juliano Rizzo and Thai Duong takes advantage of an information leak in the compression ratio of TLS requests as a side channel to enable them to decrypt the requests made by the client to the server. This, in turn, allows them to grab the user’s login cookie and then hijack the user’s session and impersonate her on high-value destinations such as banks or e-commerce sites.
  • Chat app used by activists has security flaws, say critics – news.cnet.com
    Security bloggers are piling on with the criticism of WhatsApp, saying there are serious problems with how data is protected from prying eyes in the popular mobile IM software.

Leave A Comment