Week 28 in Review – 2013

Event Related

  • ToorCon Seattle 2013 – Weaponizing your coffee pot – danielbuentell0.blogspot.com
    As SoC prices continue to drop and their implementation continues to rise, connected “appliances” (Internet of Things) will become an attractive avenue for cyber criminals. Due to the fact they provide no traditional feedback (monitor) or input (mouse/keyboard), if one were able to compromise an embedded host it would be the perfect vantage point for a MITM attack or a beachhead to launch other attacks.
  • U.S. Federal Agents Blacklisted at DEF CON
    • Hackers convention ask government to stay away over Snowden – reuters.com
      The annual Def Con hacking convention has asked the U.S. federal government to stay away this year for the first time in its 21-year history, saying Edward Snowden’s revelations have made some in the community uncomfortable about its presence.
    • Feds ‘not welcome’ at DEF CON hacker conference – zdnet.com
      Last year NSA Director Keith Alexander keynoted the annual DEF CON hacker conference in Las Vegas. This year, DEF CON organizers warn that U.S. government Federal agents are explicitly not welcome.

Resources

  • Hardware Recon – danielbuentell0.blogspot.com
    In the software world if you want to start probing a system you have your go-to tools (nmap, whois, web app scanners, etc…). They automate a lot of the grunt work and generally give you somewhere to start looking for bugs. In the hardware world you have… well, you don’t really have much. Or so it may seem.
  • Securing Microsoft Windows 8: AppContainers – news.saferbytes.it
    Recently, we have been conducting an analysis concerning the new Windows 8 security features. There are few documents available on the Internet about this topic and none of them explains the entire implementation in detail.
  • ModSecurity Advanced Topic of the Week: Detecting Banking Trojan Page Modifications – blog.spiderlabs.com
    Banking Trojan software such as Zeus and SpyEye have become extremely sophisticated and can manipulate a wide range of user interactions with the web application. One of the techniques used by the banking trojans is to attempt to phish extra user data during login. The banking trojan will monitor HTTP stream data via the wininet.dll library and will modify content on the fly. The data modification capability within Zeus is controlled by a file called webinjects.txt.
  • Good Exploits Never Die: Return of CVE-2012-1823 – community.rapid7.com
    According to Parallels, “Plesk is the most widely used hosting control panel solution, providing everything needed for creating and offering rich hosting plans and managing customers and resellers, including an intuitive User Interface for setting up and managing websites, email, databases, and DNS.” (source: Parallels). On Jun 05 kingcope shocked the Plesk world by announcing a new 0 day which could allow for remote command execution:
  • How elite security ninjas choose and safeguard their passwords – arstechnica.com
    If you felt a twinge of angst after reading Ars’ May feature that showed how password crackers ransack even long passwords such as “qeadzcwrsfxv1331”, you weren’t alone. The upshot was clear: If long passwords containing numbers, symbols, and upper- and lower-case letters are this easy to break, what are users to do?
  • Web Application Security Testing should be part of QA Testing – mavitunasecurity.com
    A typical software and web application development company has a testing department, or a QA (quality assurance) team, that constantly tests the software and web applications developed by the company to ensure that the products work as advertised and have no bugs. Larger software companies also invest hundreds of thousands, if not millions, of dollars on software to automate some of the testing procedures and ensure that the product is of high-end quality.

Tools

  • Scan Your Device for the Android Master Key Vulnerability – bluebox.com
    The Bluebox Security Scanner app produced by our research team allows you to directly check if your Android device has been patched for this vulnerability without the hassle of having to contact the device manufacturer or mobile carrier. It will also scan devices to see if there are any malicious apps installed that take advantage of this vulnerability. Once we discovered the bug we set out to create a tool to help individuals evaluate their risk, and that app is now available for free at Google Play, Amazon AppStore for Android and GetJar.
  • properssl/sslcertx GitHub – github.com
    sslcertx is a command line tool to extract the X.509 certificate of a remote server. It connects to the remote server and prints the server certificate it receives in the SSL handshake.

Techniques

  • Quick Reversing – WebEx One-Click Password Storage – blog.opensecurityresearch.com
    The One-Click Client has the ability to save a user’s password, so I decided to take a quick look at that functionality – in about an hour I was able to determine the storage, reverse the method it used to encrypt the password, and write a proof of concept tool to decrypt the local storage of the password. The aim of this blog post is to document that process and maybe encourage you to do some reversing!
  • How to speed up OWASP ZAP scans – blog.mozilla.org
    So you’ve used OWASP ZAP to scan your web application, and it’s taking far too long. Is that it, do you have to lump it or leave it? There are actually many things you can do, but the first thing you have to do is work out why it’s taking a long time.

Vendor/Software Patches

  • Adobe, Microsoft Release Critical Updates Krebs on Security – krebsonsecurity.com
    Patch Tuesday is upon us once again. Adobe today pushed out security fixes for its Flash and Shockwave media players. Separately, Microsoft released seven patch bundles addressing at least 34 vulnerabilities in Microsoft Windows and other software. At least one of the Windows flaws is already being exploited in active attacks.
  • Microsoft Updates July 2013 – Serious flaws in IE, DirectShow and Multiple TrueType Font Handling Code Paths – securelist.com
    As promised in Microsoft’s July Advance Notification, Microsoft ships seven security bulletins this month (MS13-052 – MS13-058). At least 34 CVEs are being patched. Six of the Security Bulletins are rated “critical” due to remote code execution issues. The vulnerabilities being fixed this month enable RCE across all versions of Windows operating systems, but most of these serious flaws have been privately reported and there is no indication that they are publicly known or exploited yet. Some, however, are publicly known and drew attention from a number of exploit developers.
  • Assessing risk for the July 2013 security updates – blogs.technet.com
    Today we released seven security bulletins addressing 34 CVEs. Six bulletins have a maximum severity rating of Critical, and one has a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Vulnerabilities

  • How Easily Can a Moving Car Be Hacked? – motherboard.vice.com
    Shortly after Rolling Stone contributing editor Michael Hastings died in a fiery auto crash in Los Angeles, conspiracy theories began to pop up online. The mysterious circumstances practically begged for a new brand of ’70s-era Nixonian paranoia.
  • Some Emergency Alert System decoders vulnerable to hacking – theverge.com
    Some key parts of the Emergency Alert System are vulnerable to hacking, according to a report from security research firm IOActive. The EAS, which replaced the old Emergency Broadcast System and can now be utilized to send alerts to phones as well as television stations, uses direct digital and analog communication that involves local application servers called decoders.
  • An Empirical Study of Vulnerability Rewards Programs – cs.berkeley.edu
    Some software vendors pay security researchers for the responsible disclosure of a security vulnerability. Programs implementing the rules for this exchange are known as vulnerability rewards programs (VRPs) or bug bounty programs. The last couple of years have seen an upsurge of interest in VRPs, with some vendors expanding their existing programs [1, 19], others introducing new programs [3, 34, 38], and some companies offering to act as an intermediary between security researchers and vendors offering VRPs [53].
  • Making a Mountain Out of a Mole Hill Combining Low Severity Vulnerabilities to Devastating Effect – nccgroup.com
    There are four common web application security flaws that, when present, weaken an application’s authentication mechanism. They range in severity from informational to medium in isolation, so are often overlooked when they appear in a penetration assessment report. When all four vulnerabilities are present in an application though, it is almost guaranteed that accounts can be compromised, and consultants often do so to demonstrate the risk to clients.

Other News

  • US Economic Development Administration Fixes Malware Infection, Destroys Everything (Mice Included) – forbes.com
    There’s been a huge upswing in awareness of and concern about cybersecurity in the last few months. In particular, threats such as nation state hackers (we’re looking at you, China) and the likes of Anonymous infiltrating both private and US government networks have many IT people seriously worried about security. So, what to do when you discover that your network has suffered a security breach?
  • Proving the skeptics wrong – sethgodin.typepad.com
    Here’s the thing about proving skeptics wrong: They don’t care. They won’t learn. They will stay skeptics. The ones who said the airplane would never fly ignored the success of the Wright Bros. and went on to become skeptical of something else. And when they got onto an airplane, they didn’t apologize to the engineers on their way in.
  • Four Lies You Tell Yourself About Productivity (and How to Stop) – lifehacker.com
    It’s easy to spot when people are lying to themselves—like when a co-worker confidently starts a huge project at 4:30, but has a 5pm deadline. “Who’s he kidding?” you might chuckle. But when you’re telling lies to yourself—well, that’s another story.
  • How Microsoft handed the NSA access to encrypted messages – guardian.co.uk
    Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian.
  • Discovering Names Of Secret NSA Surveillance Programs Via LinkedIn – techdirt.com
    So, over the weekend, the Washington Post revealed some of the code names for various NSA surveillance programs, including NUCLEON, MARINA and MAINWAY. Chris Soghoian has pointed out that a quick LinkedIn search for profiles of people in Maryland with codenames like MARINA and NUCLEON happens to turn up profiles like this one, which appear to reveal more codenames.
July 15th, 2013 (last updated 2017-03-12) | Security Conferences, Security Tools, Security Vulnerabilities, Vendor News, Week in Review