Week 34 in Review – 2013

Event Related

  • Femtocell Presentation Slides, Videos and App – isecpartners.com
    We’re back from Las Vegas, rested, and finally ready to release the slides, videos, and our app from our presentation at Black Hat and Defcon: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell.
  • BlackHat Conference: Z-Wave Security – sensepost.com
    We are publishing the research paper and tool for our BlackHat 2013 USA talk on the Z-Wave proprietary wireless protocol security.
  • Simulated Attacks Show C-Level Executives Can Make Easy Targets for Spear-Phishers – blog.cyveillance.com
    Wombat Security Technologies recently talked to Security Week about the on-going problem with executives falling for spear-phishing attacks. Wombat, which specializes in testing a company’s vulnerability to phishing attacks, noted that executives are often the first to fall prey to attackers when it comes to clicking links and providing login data.
  • Fibre Channel Reconnaissance – Reloaded – sans.edu
    At SANSFIRE this year I had a fun presentation on Fibre Channel (FC) recon and attack (which I promise to post as soon as I get a chance to update it!). In that talk we went through various methods of doing discovery and mapping of the fiber channel network, as well as some nifty attacks.

Resources

  • Vulnerabilities that just won’t die – Compression Bombs – blog.cyberis.co.uk
    HTTP compression is a capability widely supported by web browsers and other HTTP User-Agents, allowing bandwidth and transmission speeds to be maximised between client and server. Supporting clients will advertise supported compression schemas, and if a mutually supported scheme can be negotiated, the server will respond with a compressed HTTP response.
  • Introducing LinEnum – Scripted Linux Enumeration & Privilege Escalation Checks – rebootuser.com
    LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.
  • Kismet Wireless: HackRF, pt 2 – GNU Radio Companion and Practical Sigint – kismetwireless.net
    Playing with keyfobs and baudline is a lot of fun, now let’s try something more complex where the output data has more meaning (even if we decode the keyfob data, it’s probably not going to show anything logical other than a big random number – feel free to try though!)
  • IOS Application Security Part 13 Booting a custom Ramdisk using Sogeti Data Protection tools – resources.infosecinstitute.com
    In the previous article, we looked at how we can use Keychain-Dumper and Snoop-it to analyze and dump the contents of the Keychain from an IOS device. In this article, we will look at how we can boot a non-jailbroken device using a custom ramdisk and analyze the contents of the device.
  • EDSC – Embedded Device Security Conference – 2013 – edsconf.com
    The following dates and times are for EDSC 2013. Please check back as more presentations are accepted and scheduled.
  • Us | Community Hacking Notes – hackingnotes.com
    A group notebook of hacking notes – Us

Tools

  • levle/rdesktop-fuzzer GitHub – github.com
    rdesktop is an open source client for Microsoft’s RDP protocol. It is known to work with Windows versions such as NT 4 Terminal Server, 2000, XP, 2003, 2003 R2, Vista, 2008, 7, and 2008 R2. rdesktop currently implements the RDP version 4 and 5 protocols.

Techniques

  • VMware vSphere Security and Metasploit Exploitation Framework – blog.vmtraining.net
    VMware vSphere is another layer in your overall environment to attack; in this article you will learn some of the threats, how to mitigate them and how to attack that virtual layer.
  • Psst. Your Browser Knows All Your Secrets. – isc.sans.edu
    Set up an environment variable called SSLKEYLOGFILE that points to a writable flat text file. Both Firefox and Chrome (relatively current versions) will look for the variable when they start up. If it exists, the browser will write the values used to generate TLS session keys out to that file.
  • Responding to Attacks on Apache Struts2 – mandiant.com
    In mid-July of 2013, CVE – a dictionary of publicly known information security vulnerabilities and exposures – identified three potential exploits against the Apache Struts2 web framework. Requests are evaluated by the Apache Struts2 framework. This allows an attacker to execute arbitrary commands on a web server.

Vulnerabilities

Other News

  • U.S. Energy Dept admits to second big data leak this year – welivesecurity.com
    “The Department of Energy has confirmed a recent cyber incident that occurred at the end of July and resulted in the unauthorized disclosure of federal employee Personally Identifiable Information (PII). We believe about 14,000 past and current DOE employees PII may have been affected,” the letter states.
  • Sentenced To 35 Years, Bradley Manning Faces Longest-Ever U.S. Prison Term For Leak To Media – forbes.com
    Bradley Manning was just 22 when he leaked his trove of Pentagon and State Department secrets to WikiLeaks in 2010. By the time he’s released from prison after serving his sentence for those leaks, he may be close to 56 years old.
  • NSA bugged UN headquarters – rt.com
    The US National Security Agency (NSA) successfully cracked the encryption code protecting the United Nations’ internal videoconferencing system, according to documents seen by Germany’s Der Spiegel.

 
