Week 38 in Review – 2012

Event Related

  • Columbus OWASP Meeting Presentation – stateofsecurity.com
    Last week, I presented at the Columbus OWASP meeting on defensive fuzzing, tampering with production web applications as a defensive tactic and some of the other odd stuff we have done in that arena.
  • Charlie Miller & Dino Dai Zovi at CodenomiCON 2012: iOS Hacker’s Update – youtube.com
    Charlie Miller and Dino Dai Zovi presenting at CodenomiCON 2012 in Las Vegas. Miller and Dai Zovi are authors of the iOS Hacker’s Handbook, available at http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123.

Resources

  • Full Analysis of Flame’s Command & Control servers – securelist.com
    The Flame malware, including all of its components, was very large and our ongoing investigation revealed more and more details since that time. The news about this threat peaked on 4th June 2012, when Microsoft released an out-of-band patch to block three fraudulent digital certificates used by Flame.
  • Windows Internals – vimeo.com
    This is a video about Windows Internals.
  • Advanced Teensy Penetration Testing Payloads – offensive-security.com
    In one of our recent engagements, we had the opportunity to test the physical security of an organization. This assessment presented an excellent scenario for a USB HID attack, where an attacker would stealthily sneak into a server room and connect a malicious USB device to a server with a logged-on console, thus compromising it.
  • ‘Attackers will follow the users’: an interview with F-Secure’s Mikko Hyppönen – theverge.com
    Mikko Hyppönen is the Chief Research Officer at F-Secure, where he’s spent the last two decades tracking, dissecting, and disabling malware, from viruses to trojans to worms to botnets.
  • BSIMM4 Release Expands Software Security Measurement Tool and Describes New Activities – blog.mindedsecurity.com
    The BSIMM project continues to expand with data from 51 leading firms in 12 vertical markets and is now ten times its original 2009 size.
  • NIST Issues Risk Assessments Guidance – bankinfosecurity.com
    The National Institute of Standards and Technology has issued what could be characterized as the bible of risk assessment.
  • [Video] 21LTR – Scene 1 – g0tmi1k.blogspot.com
    21LTR is another boot2root collection, with its own unique twist. It has various ‘issues’ with the operating system, which have been purposely put in place to make it vulnerable by design. The end goal is to become the ‘super user’ of the system (aka ‘root’). There is an optional stage afterwards, in which the user can try and find the ‘flag’, proving (to themselves) that they successfully completed it.
  • (IN)SECURE Magazine Issue 35 – net-security.org
    (IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. (IN)SECURE Magazine Issue 34, the September 2012 issue, has been released!
  • ClubHack Magazine’s Issue 32 – Sept 2012 has been released – professionalsecuritytesters.org
    ClubHack Magazine’s Issue 32 – Sept 2012 is here.

Techniques

  • Fuzzing Like A Boss with Pythonect – blog.ikotler.org
    I wrote about how to use Pythonect to automate static malware analysis. In this post I’ll describe how to use Pythonect and all of its perks to fuzz file formats, network protocols, and command line arguments.
  • Owning Dell DRAC for ONE AWESOME HACK – trustedsec.com
    When a new Dell Chassis hardware infrastructure is installed, a web interface is also present to help with management of the Chassis. Each blade has its own web interface that gets installed by default on 443 (HTTPS).
  • Infiltrating Corporate Networks Using XXE Injection – securityhorror.blogspot.ie
    External entity injection is, generally speaking, a type of XML injection that allows an attacker to force a badly configured XML parser to “include” or “load” unwanted functionality that compromises the security of a web application. Nowadays it is rare to find these types of security issues. This type of attack is well documented and has been known since 2002.
  • Bypassing Intel SMEP on Windows 8 x64 Using Return-oriented Programming – blog.ptsecurity.com
    This article presents a way to bypass the Intel SMEP security feature on the x64 version of Windows 8. It is performed by using return-oriented programming. A way to build a suitable ROP chain is demonstrated below.
  • ldd arbitrary code execution – catonmat.net
    In this article I am going to show you how to create an executable that runs arbitrary code if it’s examined by `ldd`. I have also written a social engineering scenario on how you can get your sysadmin to unknowingly hand you his privileges.
  • UltraReset – Bypassing NFC access control with your smartphone – intrepidusgroup.com
    We were just in Amsterdam to present our research on uses of NFC for physical access control. The two main industries we focused on were transit and hotel systems.
  • Remote Packet Capture for iOS Devices – useyourloaf.com
    As with the Network Link Conditioner you need to use a host Mac computer to perform remote packet capture of an iOS device. The only other requirement is that the device be connected to the host computer via USB. No jailbreaking or hacking of your device is required to get this to work.

Tools

  • Social Engineer Toolkit
    • Social-Engineer Toolkit – trustedsec.com
      The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.
    • The Most Advanced Version of The Social-Engineer Toolkit To Date Released – trustedsec.com
      Welcome to one of the most advanced versions we have ever released. The Social-Engineer Toolkit (SET) version 4.0 codename “Balls of Steel” is officially available for public consumption. This version is the collection of several months of development and over 50 new features and a number of enhancements, improvements, rewrites, and bug fixes. In order to get the latest version of SET, download subversion and type svn co https://svn.trustedsec.com/social_engineering_toolkit set/
  • Nikto 2.1.5 – cirt.net
    Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers.
  • Prenus : The Pretty Nessus Thing – github.com
    Prenus is a hacked-together Ruby script that can consume Nessus 2 files – with the help of an updated ruby-nessus gem. Basically we can format the Nessus output file in any of the mentioned formats for our representation.
  • ipv6mon v1.0 – Networks’ Address Monitoring Daemon Released – si6networks.com
    ipv6mon is a tool meant for monitoring IPv6 address usage on a local network. It is meant to be particularly useful in networks that employ IPv6 Stateless Address Auto-Configuration (as opposed to DHCPv6), where address assignment is decentralized and there is no central server that records which IPv6 addresses have been assigned to which nodes during which period of time.
  • Stand-alone executable for O2 Platform – diniscruz.blogspot.com
    There is now a stand-alone executable for the O2 Platform (20Mbs) which has all the main dependencies and comes in 1 exe.
  • IronWASP Part 1 – resources.infosecinstitute.com
    IronWASP stands for Iron Web application Advanced Security testing Platform, and was developed by Mr. Lavakumar Kuppan. It is an open source system and is mainly used for testing web application vulnerabilities.
  • Free Scanner for MySQL Authentication Bypass CVE-2012-2122 – community.rapid7.com
    The MySQL authentication bypass vulnerability (CVE-2012-2122) – explained in detail in HD Moore’s blog post – was the cause for much concern when it was first discovered. In response, we’ve created a new vulnerability scanner for CVE-2012-2122 called ScanNow, which enables you to check your network for vulnerability to this security issue. The best thing: it’s simple to use, completely free, and scans unlimited IPs for this vulnerability!

Vendor/Software Patches

  • Internet Explorer
    • IE Zero Day is “For Real” – isc.sans.edu
      Since I’m not a “Malware Analysis Guy” (at least until I take Lenny’s Forensics 610 class), I hunted around for some confirmation before I posted.
    • New Internet Explorer zero day being exploited in the wild – labs.alienvault.com
      After the last zero day exploit on Java we reported some weeks ago it appears that a new 0day has been found in Internet Explorer by the same authors that created the Java one.
    • New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7 – community.rapid7.com
      We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user.
    • The New Zero-Day in Internet Exploder (Oops… Explorer) – blog.spiderlabs.com
      The ride on the roller coaster called the web security world never stops and keeps providing us, the security researchers, with new challenges. Blackhole v2, which just came out last week and was in the headlines, seems like distant history since the emergence of the new zero-day in Internet Explorer at the beginning of this week (CVE-2012-4969).
    • Microsoft Fixes Zero-Day, Four Other Flaws in IE – krebsonsecurity.com
      Microsoft has released an emergency update for Internet Explorer that fixes at least five vulnerabilities in the default Web browser on Windows, including a zero-day flaw that miscreants have been using to break into vulnerable systems.
    • Microsoft releases MS12-063 – Cumulative Security Update for Internet Explorer – blogs.technet.com
      Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier. The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible.
  • SamuraiWTF 2.0 SVN Repository & Bug Tracker – blog.taddong.com
    With the recent release of SamuraiWTF 2.0 we have introduced significant changes to the official SamuraiWTF SVN repository, available at http://svn.code.sf.net/p/samurai/code/trunk/ (check the new SourceForge.net project code section).
  • UPDATE: IronWASP v0.9.1.4 – ironwasp.org
    IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.
  • Skipfish v2.09b Released – code.google.com
    Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
  • More information on Security Advisory 2757760’s Fix It – blogs.technet.com
    The vulnerability is a use-after-free issue that exists in the MSHTML module and affects versions 6, 7, 8, and 9 of Internet Explorer. Internet Explorer 10 is not affected. To trigger this type of memory corruption, the exploit invokes the method “execCommand()” to select the content of the web page while assigning a function handler to the event “onselect,” which will delete an object from the memory and try to dereference the freed object immediately after.

Vulnerabilities

  • Phonetic attack commands crash bank phone lines – scmagazine.com.au
    A security researcher has demonstrated a series of attacks capable of disabling touch tone and voice activated phone systems or forcing them to disclose sensitive information.
  • How To Protect Yourself From PayPal Identity Theft – forbes.com
    An individual walks into a Home Depot, configures his cellphone to use PayPal and uses it to buy nearly $8,000 worth of $200 gift certificates. What’s the problem? It was my PayPal account and it wasn’t me – I was a victim of identity theft.
  • Flaw in Oracle Logon Protocol Leads to Easy Password Cracking – threatpost.com
    There is a serious vulnerability in the authentication protocol used by some Oracle databases, a flaw that could enable a remote attacker to brute-force a token provided by the server prior to authentication and determine a user’s password.

Other News

  • Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked – wired.com
    Virgin Mobile U.S. promises its customers that it uses “standard industry practices” to protect its customers’ personal data – but according to a Silicon Valley web developer, any first-year coder can bust into a subscriber’s account, see who they call and text, register a different phone on the account and even purchase a new iPhone.
  • Study finds web developers undertake too little vulnerability testing – h-online.com
    Software vendor Coverity has released its Software Security Risk Report, which claims that less than two fifths of web development companies carry out testing during the development cycle and that more than half decline to check their code for bugs and security vulnerabilities prior to integration testing. According to the study, the result is more frequent web application-related security incidents, leading to overall higher costs.
  • Your BMW can be stolen by any idiot with a $30 hacking kit – nakedsecurity.sophos.com
    On-board diagnostics (OBD) security bypass kits, replete with reprogramming modules and blank keys, are reportedly enabling low-intelligence thieves to steal high-end cars such as BMWs in a matter of seconds or minutes.
  • Mobile Pwn2Own: iPhone 4S hacked by Dutch team – zdnet.com
    How long would it take a determined attacker to hack into Apple’s iPhone 4S from scratch? A Dutch research team uses the Pwn2Own contest to provide the answer.
  • SSL Digital Certificate Security Issues Put CAs on Notice – threatpost.com
    It’s been a rough couple of years for the security of fundamental Internet infrastructure technologies such as the domain name system (DNS), SSL and digital certificates. Hackers are taking aim at these core technologies at the heart of ecommerce and online communication, and are, more often than not, hitting their mark with devastating accuracy.
  • Exploit beamed via NFC to hack Samsung Galaxy S3 (Android 4.0.4) – zdnet.com
    Using a pair of zero day vulnerabilities, a team of security researchers from U.K.-based MWR Labs hacked into a Samsung Galaxy S3 phone running Android 4.0.4 by beaming an exploit via NFC.
  • Sources: Zynga Chief Security Officer Nils Puhlmann Has Resigned From Company – techcrunch.com
    We’re hearing that Nils Puhlmann, the cloud security expert who has worked as Zynga’s Chief Security Officer since 2009, resigned from the company yesterday, according to several sources familiar with the matter.
  • Another EUSecWest NFC Trick: Ride the Subway For Free – it.slashdot.org
    At the EUSecWest security conference in Amsterdam, researchers showed how their ‘UltraReset’ Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance.
  • Android NFC hack enables travelers to ride US subways for free, researchers say – itworld.com
    The researchers who developed the application said transit systems in other US cities could be vulnerable.
  • U.S. banks on high alert against cyberattacks – computerworld.com
    Hackers engaging in wire fraud by gaining access to bank networks, FS-ISAC says
  • Feds go overboard in prosecuting information activist – arstechnica.com
    Many universities pay hefty subscription fees to provide their users unlimited access to archives like JSTOR. Most non-academics pay by the article. Swartz, who was a fellow at Harvard University in the fall of 2010, was apparently unhappy about this situation and so joined neighboring MIT’s WiFi network as a guest and began rapidly downloading JSTOR documents. He reportedly got 4.8 million of them.
Posted September 24th, 2012 in Security Conferences, Security Tools, Security Training, Security Vulnerabilities, Week in Review.
