Week 18 in Review – 2013

Event Related

• Syscan 2013
  • SyScan 2013, Bochspwn paper and slides – gynvael.coldwind.pl
    In our SyScan presentation, we explained the concept of kernel race conditions in interacting with user-mode memory, gave a brief rundown on how they can be identified by using CPU-level instrumentation of an operating system session, and later focused on how they can be successfully exploited with the help of several generic techniques (on the example of three Windows vulnerabilities discovered by the Bochspwn project).
  • Syscan 2013 – antid0te.com
    Index of /syscan_2013/
• Keynote Address on Cyber Security Federal Reserve Bank Risk Conference 2013 – viaforensics.com
  Below is the keynote address by Andrew Hoog, CEO of viaForensics, on April 9, 2013, at the Federal Reserve Bank’s Sixth Annual Risk Conference in Chicago, IL.
• Memoirs of BSides London and Infosec Europe 2013 – j4vv4d.com
  It was the first day of Infosec – I had gotten up early and was already in a bit of a dilemma. I had a suit ready to wear for Infosec, but in the evening I was invited to the SC Magazine awards which was a black tie event (a dinner suit / tuxedo).

Resources

• Android FDE is weak. – twitter.com
  Hashkill now cracks Android FDE images master password. Speed is ~135k on 6870, ~270k/s on 7970. Android FDE is weak.
• The rise in the exploitation of old PDF vulnerabilities – blogs.technet.com
  Exploitation of software vulnerabilities continues to be a common way to infect computers with malware. Leveraging exploits allows malware authors to infect, disrupt, or take control of a computer without the user’s consent and typically without their knowledge.
• The Fog of Cyber Defence – f-secure.com
  The Finnish National Defence University has published a 250-page book called The Fog of Cyber Defence. The book discusses cyber warfare, cyber arms race, and cyber defense from a Nordic viewpoint.
• The State of Web Security – blog.whitehatsec.com
  After months of hard work, today we are releasing the 2013 WhiteHat Website Security Statistics Report.

Tools

• hookme –TCP Proxy (Data tamper)- code.google.com
  HookME is a software designed for intercepting communications by hooking the desired process and hooking the API calls for sending and receiving network data (even SSL clear data).
• IPv6 Toolkit v1.3.4 Released | ToolsWatch.org – The Hackers Arsenal Tools | Repository for vFeed and DPE Projects – toolswatch.org
  The SI6 Network’s IPv6 toolkit is a set of IPv6 security/trouble-shooting tools, that can be send arbitrary IPv6-based packets.
• What is new and what changed in OWASP TOP 10 2013 – mavitunasecurity.com
  Do you use the Open Web Application Security Project (OWASP) Top 10 Project as part of your web security testing program? If not, now’s a great time to get on board. There’s a new version coming out for 2013 that can be an invaluable resource.
• Building my own PwnPad Community for fun and for less than $300 – toolswatch.org
  More than 1 year ago, I have posted an entry about a hardware for doing pentesting. It was the PwnPlug by Pwnie Express folks. Since, the guys have improved a lot their hardware and released a new stuff. One toy caught my attention was the PwnPad.
• Raspberrypi Wireless Attack Toolkit – sourceforge.net
  A collection of pre-configured or automatically-configured tools that automate and ease the process of creating robust Man-in-the-middle attacks.
• nccgroup/ncccodenavi – github.com
  NCC Code Navi the Text Viewer and Searcher for Code Reviewers

Techniques

• Testing NFC Input Vectors – intrepidusgroup.com
  Can we agree that NFC is here to stay? Just about every mobile platform supports it, (I’m looking at you Apple) including simple feature phones from way back when .
• Adding PowerShell to Web Shells to get Database Access – netspi.com
  To simplify the process I rewrote an existing .aspx web shell and included PowerShell functionality to allow for database connectivity to create a new CmdSql.aspx web shell.
• ropasaurusrex: a primer on return-oriented programming – skullsecurity.org
  The main thing you have to understand to know ROP is this: a function’s entire universe is its stack frame.
• Intentional Evil: A Pen Tester’s Overview of Android Intents – sans.org
  Great pen testers strive to move through target environments seamlessly, transitioning from one platform to another. With more organizations adopting a “bring your own device” approach to mobile platforms without careful enforcement of security, attackers have new avenues for undermining organizations.
• Whistleblower Series – How to avoid getting ripped off by your penetration testing vendor. – pentest.netragard.com
  There’s been a theme of dishonesty and thievery in the Penetration Testing industry for as long as we can remember.

Vendor/Software Patches

• Part 1 K.I.A. US Dept. Labor Website Pushing Poison Ivy CVE-2012-4792 – invincea.com
  On the evening of Tuesday, April 30th 2013, we received a tip that a site hosted by the United States Department of Labor (USDOL) had been compromised and was hosting malicious code. The site has since been fixed and law enforcement is investigating.

Vulnerabilities

• Troy Hunt: Your Mac, iPhone or iPad may have left the Apple store with a serious security risk – troyhunt.com
  Macs weren’t familiar territory for us so we happily accepted the offer for a staff member to walk us through some of the nuts and bolts of OSX. That was a handy little starter and we left the store none the wiser that the machine now had a serious security risk that wouldn’t become apparent for another year.
• Twitter security for media companies – securosis.com
  Twitter is worried about all the media company accounts being hacked, and has released some guidance.

Other News

• Hacker Breached U.S. Army Database Containing Sensitive Information on Dams – wired.com
  A hacker compromised a U.S. Army database that holds sensitive information about vulnerabilities in U.S. dams, according to a news report.
• U.S. Department of Labor website hacked and redirecting to malicious code – labs.alienvault.com
  During the last few hours we have identified that one the U.S. Department of Labor website has been hacked and it is serving malicious code.