Event Related
- SOURCE Dublin
- SOURCE Dublin Wrap-Up Day #1 – blog.rootshell.be
I flew on Wednesday evening to Dublin, Ireland to attend the SOURCE conference (previously, it was organised in Barcelona). The conference was held in Trinity College, in the centre of the city.
- SOURCE Dublin Wrap-Up Day #2 – blog.rootshell.be
This second day started with Vincenzo Lozzo’s keynote. Lorenzo first gave some facts. From an economic point of view, the Internet will generate nice business in the coming years (2012: $60B, in 2016: $86B – according to Gartner).
- ISSA Kentuckiana Web Pen-Testing Workshop – irongeek.com
Below are the videos from the Kentuckiana ISSA’s Web Pen-Testing Workshop. It was put on in part to raise funds for Hackers For Charity.
- Scanner identifies malware strains, could be future of AV – net-security.org
At the annual AusCert conference held this week in Australia, a doctorate candidate from Deakin University in Melbourne has presented the result of his research and work that just might be the solution to this problem.
- NoSuchCon13 and crashing Windows with two instructions – j00ru.vexillium.org
The first edition of the NoSuchCon security conference held in Paris ended just a few days ago. Before anything else, I would like to thank all of the organizers (proudly listed at nosuchcon.org) for making the event such a blast!
Resources
- Interview With A Blackhat
- Interview With A Blackhat (Part 1) – blog.whitehatsec.com
Over the last few years, I have made myself available to be an ear for the ‘blackhat community.’ The blackhat community, often referred to as the internet underground, is a label describing those participating on the other side of the [cyber] law, who willingly break online terms of service and software licensing agreements, who may trade in warez, exploits, botnets, credit card numbers, social security numbers, stolen account credentials, and so on.
- Interview With A Blackhat (Part 2) – blog.whitehatsec.com
This is part 2/3 of my interview with “Adam” – a blackhat who has decided to go legit.
- OWASP’s 2013 Web Vulnerabilities List Will Shuffle the Top Ten – resources.infosecinstitute.com
The OWASP Top 10 list publicizes the most critical web application security flaws as determined by the Open Web Application Security Project (OWASP), a nonprofit, vendor-independent IT security organization formed in 2001. In this article, we preview the 2013 edition of this popular security resource.
- Reverse Engineering Obfuscated Assemblies – resources.infosecinstitute.com
In previous articles that talked about .NET reverse engineering, we covered almost every aspect of reversing .NET assemblies: we explained how this kind of binary is compiled and executed, how we can compile it, decompile it, and apply patches, as well as the concept of round trip engineering and how to bypass strong name signatures.
- Five Common Corporate Pitfalls in Cyber Security Management – blog.rsa.com
This blog discusses five of the high-level missteps common to organizations that have experienced needlessly prolonged negative effects of cyber security incidents.
- Alert-driven vs Exploration-driven Security Analysis – blogs.gartner.com
Is alert-driven security workflow “dead”?! It is most certainly not.
- YouTube – Practical Exploitation – Effective NTLM / SMB Relaying – youtube.com
Using ZackAttack, Responder and proxychains we can utilize relayed credentials more effectively than previously available.
Tools
- th3l33k/php-nessus-api – github.com
The Nessus Vulnerability Scanner provides an API interface via XMLRPC.
- Download Multiple Nessus Reports via the Nessus XML-RPC API – security.sunera.com
Several months back I began to look at various ways to automate some of the common tasks that are usually performed within the Nessus GUI. I was familiar with nessuscmd, and had leveraged that tool within some scripts, but it didn’t fit the bill for a lot of the administrative activity that I thought could be automated, or at least made more efficient.
- MoVP II – 2.1 – RSA Private Keys and Certificates – volatility-labs.blogspot.com
Those of you who downloaded the Volatility Cheat Sheet v2.3 may have noticed a plugin named dumpcerts, which is a relatively new addition to the plugin scene for Windows. It’s based on the work by Tobias Klein called Extracting RSA private keys and certificates from process memory.
- zfasel/ZackAttack – github.com
ZackAttack! is a new Tool Set to do NTLM Authentication relaying unlike any other tool currently out there.
- Dissecting Blackberry 10: An initial analysis – sec-consult.com
In 2013, Blackberry has presented a brand new operating system which significantly differs from others presented on the smartphone market. A very high security level is announced, and the expectations are corresponding. Some analytics consider this as the last chance for Blackberry “to get back in the big game” and stand in the row with such giants as iOS and Android.
Techniques
- Improving the security of your SSH private key files – martin.kleppmann.com
When you start reading about “crypto stuff”, you very quickly get buried in an avalanche of acronyms. I will briefly mention the acronyms as we go along; they don’t help you understand the concepts, but they are useful in case you want to Google for further details.
- Re: exploitation ideas under memory pressure – seclists.org
The question is how to get PATHALLOC() to succeed under memory pressure so we can make this exploitable. My first thought was to have another thread manipulating the free pool, but I can’t figure out how to synchronize that. Getting code execution should be trivial after this.
- Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks – netspi.com
In order to meet business requirements and client demand for remote access, many companies choose to deploy applications using Terminal Services, Citrix, and kiosk platforms. These platforms are commonly deployed in both internal networks as well as internet-facing environments.
- Java Web Vulnerability Mitigation on Windows – tojoswalls.blogspot.com
The ubiquity of the Java browser plug-in has made it one of the largest attack surfaces on Windows clients for web-based attacks, particularly making it easy to perform undetectable drive-by download and “poisoning the well” attacks.
Vendor/Software Patches
- A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094) – timetobleed.com
This article is going to explain how a recent privilege escalation exploit for the Linux kernel works. This exploit affects CentOS 5 and 6 as well as other Linux distributions. Linux kernel version 2.6.37 to 3.8.9 are affected by this exploit.
Vulnerabilities
- WordPress Under Attack – cylance.com
In the last few weeks, Internet hacking attacks have increased and thousands of sites have already been compromised. Many security observers have seen 1,000,000s of scans of their WordPress installation on a single day in April, as noted by the Sucuri Blog on April 11, 2013 – see http://blog.sucuri.net/2013/04/the-wordpress-brute-force-attack-timeline.html.
Other News
- If You Didn’t Care About HIPAA Before, You May Need to Now – blog.cisco.com
The HIPAA Omnibus Final Rule, released January 2013, greatly expands the number of organizations that must comply with HIPAA beyond the known ‘Covered Entities.’
- Teenage burglar with electronic tag pulls a fast one on G4S security official – telegraph.co.uk
A 16-year-old burglar sentenced to a home curfew pulled a fast one on the security company which was setting up his electronic tag, a court heard.
- FedRAMP seal of approval clears Amazon for more government work – gigaom.com
AWS is the first major cloud provider to get its FedRAMP certification, which should make it easier for government agencies to put more workloads on Amazon’s cloud.
- Power company targeted by 10,000 cyberattacks per month – arstechnica.com
A Congressional survey of utility companies has revealed that the country’s electric grid faces constant assault from hackers, with one power company reporting a whopping 10,000 attempted cyberattacks per month.
- US Department of Justice lays out cybersecurity basics every company should practice – networkworld.com
Speaking at the Georgetown Cybersecurity Law Institute this week, Deputy Attorney General of the United States James Cole said there are a ton of things companies can do to help government, and vice versa, combat cyber threats through better prevention, preparedness, and incident response.
- Climbing the InfoSec Career Ladder – bankinfosecurity.com
Breaking into the information security field – a male-dominated profession – is a challenge for women. Lisa Xu, CEO of NopSec, identifies the hurdles she’s had to overcome and offers strategies for women to grow in their careers.
- DHS Workers’ PII Exposed for Nearly 4 Years – bankinfosecurity.com
A Department of Homeland Security system used to conduct background checks may have exposed personally identifiable information of employees and contractors for nearly four years.