Events Related

  • Baythreat 4 – thesprawl.org
    Baythreat Day Two. Here are the writeups of another series of excellent presentations from the breaker track for the remainder of the day.
  • The AppSec Program Maturity Curve 4 of 4 – veracode.com
    This is the final post in a series on the Application Program Maturity Curve. In this series, Veracode have advocated that Application Security is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk.

Resources

  • Those Look Just Like Hashes! – isc.sans.edu
    Have you ever during a penetration test collected a list of values that look very much like hashes, and thought “I could maybe start cracking those, if I only knew what algorithm was used to calculate those hash values”. Rob VandenBrink had exactly this happen recently.
  • RAT-a-tat-tat – sensepost.com
    Following on from Jeremy’s talk (slides), he is releasing the Nmap service probes and the Poison Ivy NSE script, as well as the DarkComet config extractor.
  • OSCP FAQ – buffered.io
    Since publishing the article that detailed OJ Reeves’ experiences with the PWB labs and the OSCP exam, he has received scores of emails from potential and current students looking for more information and (quite often) hints. This post stands in for those emails as a point of reference for common OSCP-related questions.
  • Intro to Metasploit Class at IU Southeast – irongeek.com
    This is a class irongeek did to introduce students to Metasploit at IU Southeast. Special guest lecturer Jeremy Druin.
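    The question the SANS diary above (“Those Look Just Like Hashes!”) raises is how to tell which algorithm produced a column of hash-looking values before spending cracking time on them. What follows is an added example, not code from the diary or from Rob VandenBrink: a small Python classifier that uses the only signals a bare value carries (a self-describing prefix such as `$6$` or `{SSHA}`, the length and alphabet of a hex or base64 string, or a `hash:salt` field layout) and lists every plausible candidate, because digest lengths collide (MD5 and NTLM are both 32 hex characters) and the cracker should be pointed at each. The sample values are constructed here (hashlib output for the word “password” plus hand-written crypt-style strings), not taken from any real dump.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Digest lengths in hex characters shared by common unsalted algorithms.
# Length alone is ambiguous (MD5 and NTLM are both 128 bits), so every
# plausible candidate is listed; try the cracker against each of them.
HEX_LENGTHS: Dict[int, List[str]] = {
    32:  ["MD5", "MD4", "NTLM", "LM"],
    40:  ["SHA-1", "RIPEMD-160"],
    56:  ["SHA-224"],
    64:  ["SHA-256"],
    96:  ["SHA-384"],
    128: ["SHA-512", "Whirlpool"],
}

# Self-describing formats: the prefix itself names the algorithm.
PREFIXES = [
    ("$apr1$", "Apache APR1 MD5"),
    ("$1$", "MD5-crypt"),
    ("$5$", "SHA-256-crypt"),
    ("$6$", "SHA-512-crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("{SHA}", "LDAP SHA-1 (base64)"),
    ("{SSHA}", "LDAP salted SHA-1 (base64)"),
]

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MYSQL_RE = re.compile(r"^\*[0-9A-Fa-f]{40}$")   # MySQL 4.1+ PASSWORD() format


def _hex_candidates(s: str) -> List[str]:
    return HEX_LENGTHS.get(len(s), []) if HEX_RE.match(s) else []


def _base64_candidates(s: str) -> List[str]:
    # A base64 blob that decodes to a digest-sized byte string is usually a raw digest.
    if not B64_RE.match(s) or len(s) % 4:
        return []
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:
        return []
    by_bytes = {16: "MD5/NTLM", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}
    name = by_bytes.get(len(raw))
    return [f"{name} (base64-encoded)"] if name else []


def identify_hash(value: str) -> List[str]:
    """Return candidate algorithms for one hash-looking string, most specific first."""
    v = value.strip()
    for prefix, name in PREFIXES:
        if v.startswith(prefix):
            return [name]
    if MYSQL_RE.match(v):
        return ["MySQL 4.1+ (SHA-1(SHA-1(pw)))"]
    # hash:salt or user:hash exports: classify the first field that looks like a digest.
    if ":" in v:
        for field in v.split(":"):
            cands = _hex_candidates(field)
            if cands:
                return [f"{c} (with salt/extra field)" for c in cands]
        return []
    return _hex_candidates(v) or _base64_candidates(v)


def classify(values: List[str]) -> Dict[str, List[str]]:
    """Map each collected value to its candidate algorithms ([] means: not a known hash form)."""
    return {v: identify_hash(v) for v in values}


# Constructed sample values: hashlib output for "password" plus hand-written
# crypt/LDAP-style strings in the documented formats. Not from any real dump.
SAMPLES = [
    hashlib.md5(b"password").hexdigest(),
    hashlib.sha1(b"password").hexdigest(),
    hashlib.sha256(b"password").hexdigest() + ":8f2a",
    base64.b64encode(hashlib.sha1(b"password").digest()).decode(),
    "$6$rounds=5000$saltsalt$" + "A" * 86,
    "$2y$10$" + "B" * 53,
    "not-a-hash",
]

if __name__ == "__main__":
    for value, candidates in classify(SAMPLES).items():
        print(f"{value[:44]:<46} {candidates or 'unknown'}")
```

    Length and alphabet only narrow the field; a 32-character hex value still has to be tried as MD5 and as NTLM, and a value that falls through to an empty list is worth a second look for an application-specific encoding before it is dismissed.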

Tools

  • THC-Hydra 7.5 Released – Fast Parallel Network Logon Cracker – darknet.org.uk
    Hydra is a parallelized network logon cracker that supports numerous protocols to attack. New modules are easy to add, and beyond that it is flexible and very fast.
  • Acquiring Memory Images with Dumpit – isc.sans.edu
    This diary is about using Dumpit, a free memory-acquisition tool written by Matthieu Suiche of MoonSols. Dumpit supports both 64-bit and 32-bit Windows operating systems.
  • OWASP STeBB – owasp.org
    OWASP STeBB (Security Testing Browser Bundle) is a free and open-source, all-in-one web security toolkit for web application security testers.

Techniques

  • Removing the Android Device Lock from any Mobile App – blog.dinosec.com
    Last week, a new Android vulnerability was disclosed. It affects Android Jelly Bean (JB) 4.3 devices, as well as earlier versions, based on Raul Siles’s own testing, such as Android Ice Cream Sandwich (ICS) 4.0.3. The flaw allows any mobile application to remove the passcode or lock protection of Android mobile devices, no matter the lock mechanism in place: PIN code, password or passphrase, dot pattern or gesture, or face unlock.
  • Remote Code Execution exploit in WordPress 3.5.1 – vagosec.org
    This blog post shows an example exploit for the PHP object injection vulnerability in WordPress installations before version 3.6.1. The exploit makes use of classes defined in the Lightbox Plus ColorBox plugin, which has close to 1 million downloads.
  • A browser is only as strong as its weakest byte – Part 2 – blog.exodusintel.com
    Last week exodusintel managed to trick IE9 into doing an INC [ADDRESS] for them, where they could specify the address. Now it is time to see how much damage you can do with just that.
  • How We Decoded Some Nasty Multi-Level Encoded Malware – blog.sucuri.net
    From time to time, Ante Kresic comes across interesting bits of malware that are just calling out to be decoded and studied. This is one of those cases.
  • Timing Attacks Against File Systems – blog.wallarm.com
    Time is one of the key parameters in a pentester’s work. It can either interfere with security analysis efforts by reminding you about the deadline and an eager client, or help you out when performing an audit. How?
  • Abusing Websphere MQ – shellsherpa.nl
    On a recent engagement Jan Kadijk encountered a WebSphere MQ installation. After some digging around he was able to read queues, alter messages, and more.
  • Using Cold Boot Attacks and Other Forensic Techniques in Penetration Tests – ethicalhacker.net
    Many applications keep passwords within memory. The point is, memory houses much of the valuable information that the system needs at a moment’s notice. Getting to it requires using some of the same forensics techniques employed by attackers. This article helps add some of those techniques to your pentesting toolkit.

Vendor/Software patches

  • Zero-Day Fixes From Adobe, Microsoft – krebsonsecurity.com
    Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing at least two dozen flaws in Windows and other software.

Vulnerabilities

  • NDProxy Privilege Escalation (CVE-2013-5065) – penturalabs.wordpress.com
    In the last few days everyone has been raving about CVE-2013-5065, a new Windows XP/2003 privilege escalation, well documented by FireEye. Googling around, Andy came across a Twitter message containing a link to a Chinese vulnerability analysis and PoC for CVE-2013-5065.
  • Loophole in Safari – securelist.com
    In our search for various types of malicious code for Mac, Kaspersky Lab recently came across a rather interesting peculiarity in Safari. It turns out that Safari for Mac OS, like many other contemporary browsers, can restore the previous browsing session.

Other News

  • FLASH: Disqus cracked – security flaw reveals user e-mail addresses – cornucopia-en.cornubot.se
    The Swedish company Researchgruppen has cracked the Disqus commenting system, enabling it to identify Disqus users by their e-mail addresses. The crack was done in cooperation with the Bonnier Group tabloid Expressen, in order to reveal politicians commenting on Swedish hate-speech sites.
  • Never mind the spies: the security gaps inside your phone – sensepost.com
    For the last year, Glenn and Daniel had been obsessed with their phones; especially with regard to the data being leaked by a device that is always with you, powered on and often provided with a fast Internet connection. From this obsession, the Snoopy framework was born and released.
  • Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs – fireeye.com
    This week, FireEye released a report detailing how Chinese-speaking advanced persistent threat (APT) actors systematically attacked European ministries of foreign affairs (MFAs). Within 24 hours, the Chinese government officially responded.
  • Security Professionals: Top Cyber Threat Predictions for 2014 – blogs.technet.com
    As we near the end of 2013, it’s a perfect time to reflect on recent security events and the state of the industry, and to provide a glimpse of how Microsoft anticipates the threat landscape will evolve in 2014.