Week 42 in Review – 2012

Event Related

  • Ruxcon Breakpoint
  • OMFW 2012
    • OMFW 2012: The Analysis of Process Token Privileges – volatility-labs.blogspot.com
      Reverse engineering Windows systems nowadays involves looking at static data, such as executables, symbols, pdbs, and/or dynamic data when debugging with a tool like windbg. Determining data structures and the meaning of their content has proven to be time consuming, especially when dealing with undocumented objects.
    • OMFW 2012: Mining the PFN Database for Malware Artifacts – volatility-labs.blogspot.com
      This OMFW talk was enlightening, as George shared stories of tracking single UDP packets between hosts in China, his experiences single-stepping through the Windows kernel, and how he tracked a TDI object with an NTFS pool tag in deallocated memory.
  • HackerCon 3
    • Hack3rcon 3 Videos – irongeek.com
      Here are the videos from Hack3rcon^3. Enjoy.
    • DNSRecon from Hack3rCon 3 – novainfosec.com
      At HackerCon today I had a chance to sit in on Carlos “@carlos_perez” Perez’s DNSRecon talk. This awesome tool brings together all the tips and tricks that Carlos has learned and used over the years into one easy-to-use package.
  • Hack In The Box 2012 Malaysia: Like No Other – zdnet.com
    Controversial global hacking conference Hack In The Box just celebrated its ten-year mark in Kuala Lumpur, Malaysia. The event attracted hackers from all over the world and company participants that included Google, Mozilla, Microsoft, Amazon, sponsor ‘friends’ such as Megaupload, and many more.
  • Group Policy Preferences and Getting Your Domain 0wned – carnal0wnage.attackresearch.com
    I did a talk at the Oct 2012 NovaHackers meeting on exploiting 2008 Group Policy Preferences (GPP) and how they can be used to set local users and passwords via group policy.
  • ICSJWG in Review – digitalbond.com
    The ICSJWG meeting was this past week in Denver, and the schedule was packed with great presentations, and speakers with a wealth of experience to share with the ICS community. There was a significant bump in attendance this time around.
  • Toorcon14 – always-debugged.never-unpacked.net
    Links for Toorcon 14
  • Information Superiority – vrt-blog.snort.org
    I presented yesterday at the 9th annual Hackers2Hackers conference in Sao Paulo on the subject of information superiority, a subject the VRT has long been fond of. My slides are here for those who’d like to read them.

Resources

  • Pass the Hash w/o Metasploit – Part 2 – room362.com
    Anywho, I was once in a similar scenario, where I had no Metasploit to back me up, but the box I was on did have one interesting thing, ruby and an accessible target for relatively up-to-date ruby gems. Since Metasploit’s powerhouse library ‘rex’ installed just fine I was set.
  • The Scrap Value of a Hacked PC, Revisited – krebsonsecurity.com
    I recently updated the graphic (below) to include some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks — such as ransomware — and reputation hijacking on social networking forums.
  • More with Mimikatz (Crypto Module) – carnal0wnage.attackresearch.com
    The Crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon. The crypto module helps you do this.
  • miniFlame aka SPE: “Elvis and his friends” – securelist.com
    In May 2012, a Kaspersky Lab investigation detected a new nation-state cyber-espionage malware, which we named “Flame”. Our research also identified some distinguishing features of Flame’s modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform.
  • Steam Browser Protocol University – revuln.com
    In this paper we will uncover and demonstrate a novel and interesting way to convert local bugs and features into remotely exploitable security vulnerabilities by using the well known Steam platform as an attack vector against remote systems.
  • Before We Knew It – users.ece.cmu.edu
    An empirical study of zero-day attacks in the real world.
  • Backdoors are Forever: Hacking Team and the Targeting of Dissent? – citizenlab.org
    In this report, Citizen Lab Security Researcher Morgan Marquis-Boire describes analysis performed on malicious software used to compromise a high profile dissident residing in the United Arab Emirates.
  • Olmasco bootkit: next circle of TDL4 evolution (or not?) – blog.eset.com
    Olmasco (also known as SST, MaxSS) is a modification of the TDL4 bootkit family that we’ve been aware of since summer 2011. We started to track a new wave of activity from a new Olmasco dropper at the end of this summer. This bootkit family was the second to use VBR (Volume Boot Record) infection to bypass kernel-mode code signing policy since Rovnix (Rovnix bootkit framework updated) appeared in-the-wild.
  • Virus Share – virusshare.com
    Another torrent of 26.54GB of #malware samples has been added to the tracker!

Techniques

  • Hands-on: Securing iOS, pwning your kids with Apple Configurator 1.2 – arstechnica.com
    Apple recently released the latest version of Configurator, the company’s management software for iOS devices, for download in the Mac App Store. Configurator version 1.2 is intended to give organizations a way to mass-configure iPads, iPhones, and even iPods with applications, settings, and security policies.
  • Pentest Scripts: Verifying NTP Reserved Mode Denial of Service – blog.opensecurityresearch.com
    I recently needed to check a NTP Reserved Mode Denial of Service vulnerability CVE-2009-3563, but without causing the DoS condition on the production server. The issue comes up when one NTP daemon queries another with the MODE_PRIVATE flag set.
  • Extracting data protection class from files on iOS – securitylearn.net
    On iOS, every file is encrypted with a unique encryption key as illustrated in the image. The content of a file is encrypted with a per-file key, which is wrapped with a class key (data protection class key) and stored in the file’s metadata, which is in turn encrypted with the file system key (EMF key). The file system key is generated from the hardware UID. The UID is unique per device; it is embedded in hardware and inaccessible to code running on the CPU.
  • Sidestepping Microsoft SQL Server Authentication – blog.securestate.com
    While we, as penetration testers, love compromising systems during assessments, we all know the most important portion of a penetration test is actually getting access to critical data and systems. So, post exploitation, I generally head for the database servers. However, depending on the permissions model of the target database, there may still be another hurdle to bypass.
  • Setting System’s Proxy Settings with Metasploit – room362.com
    One of the great things about the reverse_http(s) payloads is that they are proxy aware. However, one of the pitfalls of this is that SYSTEM doesn’t have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered).

Tools

  • ThreatModeler 2.1 – myappsecurity.com
    MyAppSecurity is proud to release ThreatModeler™ 2.1. Packed with several in-demand features to easily manage threats and measure the state of security at an organization, this new release comes updated with mobile application threats mapped to their corresponding security controls to mitigate mobile application risks at your organization.
  • Ettercap 0.7.5 Assimilation – sourceforge.net
    Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
  • The VLAN Hopper – commonexploits.com
    Frogger is a simple, open source bash script that automates the process of VLAN enumeration and hopping end to end with interactive menus, leveraging tools already made for the process. It does this via the Dynamic Trunking Protocol (DTP) and is mostly targeted towards Cisco devices.
  • rfcat – code.google.com
    RF ChipCon-based Attack Toolset
  • Eagleeye – github.com
    In the future I can see it being useful as an internal tool for people or shops that have tens of thousands of hosts that devs sort of do ‘whatever they want’ on, and there needs to be some accountability by the security team (like how many naked jboss or tomcat installs are there with default creds?)
  • The Pillager 0.7 Release – console-cowboys.blogspot.com
    For now check out Version 0.7. Named searches and Data searches via external config files are now functioning properly, as well as other bugs fixed along the way…

Vendor/Software Patches

  • iOS 6
    • 6 Reasons iOS 6 Jailbreaks Will Be Tough – informationweek.com
      Jailbreaking your iPhone is now legal in the United States, even if Apple has historically discouraged the process. With Apple’s release last month of iOS 6, iPhone hackers have, of course, set their sights on jailbreaking the new OS.
    • A lesser-known new feature in iOS 6: It’s tracking you everywhere – theregister.co.uk
      Apple has enabled user tracking of its customers once again, with the recently released iOS 6 enabling advertisers to see which apps users have run, and which adverts they’ve seen – all for the benefit of the users, of course.
  • Oracle Patch Update to Include 109 Patches – threatpost.com
    Buckle up Oracle administrators for 109 patches coming your way tomorrow. Oracle’s quarterly Critical Patch Update is due, and the company is releasing fixes for security vulnerabilities across most of its enterprise products, addressing a host of remotely exploitable flaws.
  • CVE-2012-5159 phpMyAdmin 3.5.2.2 server_sync.php Backdoor Metasploit Demo – eromang.zataz.com
    This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
  • Critical Java Patch Plugs 30 Security Holes – krebsonsecurity.com
    The latest versions, Java 7 Update 9 and Java 6 Update 37, are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com.
  • Adobe Reader and Acrobat get another layer of security – arstechnica.com
    Adobe announced new security features this week for its Reader and Acrobat XI products, including enhanced sandboxing, Force ASLR, PDF whitelisting, and Elliptic Curve Cryptography. In addition to a number of new features enhancing Reader’s and Acrobat’s PDF-creation capabilities, these security measures add another layer atop previous changes that have improved a once “widely exploited” app over the past two years.
  • Apple Makes OS X Safer By Removing Java – forbes.com
    Apple has taken another step towards making OS X safer on the web. An update released on Wednesday sees the Java plugin removed from all Mac-compatible browsers installed on the system.

Vulnerabilities

  • Encryption found insufficient in many Android apps – h-online.com
    Researchers have discovered catastrophic conditions when analysing Android applications that use encryption: more than 1,000 of the 13,500 most popular Android apps showed signs of a flawed and insecure implementation of the SSL/TLS encryption protocol.

Other News
