Week 2 In Review – 2014

Events Related

• Why we have to boycott RSA – blog.erratasec.com
  The reason isn’t that Robert Graham is upset at RSA, or think that they are evil. He thinks RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products.

Resources

• Stupid IDN Tricks: Unicode Combining Characters – blog.dinaburg.org
  Safari will display Unicode combining diacritical marks in the URL bar. It is possible to register domains with these marks. Some of these domains will look much like legitimate domains (e.g. apple.com vs. apple͢.com).
• McAfee Security Report Suggests 2014 Will Be a Rough Years – www.computerworld.com
  McAfee’s comprehensive 2014 security report, released at the end of December, goes beyond rehashing the same set of threats in ever-increasing volume to instead reflect the impact of digital currencies, NSA leaks and social media. Going through the report, one thing becomes eminently clear: We are in no way prepared for what’s coming in 2014.
• Exploit Database Hosted on GitHub – offensive-security.com
  Offensive-security have recently completed some renovations on their Exploit Database backend systems and have taken this opportunity to transition their SVN server to an EDB repository hosted on GitHub. This means that it’s now easier than ever to copy, clone, or fork the whole repository.
• tcpflow 1.4.4 and some of its most Interesting Features – isc.sans.edu
  The latest version can of course reconstruct TCP flows but also has some interesting feature such as being able to carve files out of web traffic (zip, gif, jpg, css, etc) and reconstruct webpages. Another nice feature is the fact it provides a summary PDF report of the pcap file processed by tcpflow.
• Stefan Esser – iOS 7 Security Overview/Crashcourse – echo360.rub.de
  Here is the video of Stefan Esser’s talk about overview of iOS 7 security features and mitigation’s.

Tools

• Kali Linux 1.0.6 Released – kali.org
  Here is Kali Linux 1.0.6 with a new Kernel 3.12, LUKS nuke, Amazon AMI / Google Compute images and more! This release is really heavily laden with goodness.
• Pinpoint Tool Released – kahusecurity.com
  Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. You can find the tool here.
• NAC-bypass (802.1x) or Beagle in the Middle – shellsherpa.nl
  This is Jan Kadijk’s little project. It implements a layer2 and layer3 NAT and MitM (now also known as Beagle-in-the-Middle) built by information gathered in the passive network reconaissance stage.
  • Beagle in the Middle – github.com
• Announcing the Release of RtspFuzzer – isecpartners.github.io
  iSEC Partners is pleased to announce the release of RtspFuzzer, an open-source fuzzer for the real-time streaming protocol (RTSP). RTSP is a text-based protocol that facilitates media streaming.
  • RTSP network protocol fuzzer – github.com
• iOS 7 tool updates – isecpartners.github.io
  With the availability of the evasi0n7 jailbreak and the subsequent release two days ago of Cydia Substrate with support for iOS 7 and ARM64, a full-blown iOS 7 penetration testing environment can now be setup.

Techniques

• Metasploit Meterpreter and NAT – www.corelan.be
  In this small post by corelan team, You’ll look at how to correctly configure Meterpreter payloads and make them work when your audit box is behind a NAT device.
• Piercing SAProuter with Metasploit – community.rapid7.com
  In this article by Morrisson, you’ll see how it is possible to exploit weak saprouter configurations that can allow access to internal hosts all the way from the Internet, all this using only metasploit’s support for pentesting SAP systems. This article can help shed light on both the risks associated with saprouter deployments, as well as SAP security in general.

Vendor/Software patches

• Microsoft Expected to Patch XP Zero Day on Patch Tuesday – threatpost.com
  Microsoft announced Thursday that it plans to release four bulletins next week as part of the year’s first batch of Patch Tuesday security updates, none of which are rated critical.
  • Advance Notification Service for the January 2014 Security Bulletin Release -blogs.technet.com

Vulnerabilities

• Unsafe DLL Loading Vulnerabilities – blog.opensecurityresearch.com
  A common issue we see in applications is the order in which they import DLLs at runtime. This is referred to as a Load Order Vulnerability that can result in local privilege escalation. In this blog post Muralidharan will dissect the vulnerability, exploitation scenarios, and how to fix it.
• WordPress Plugins Exploitation Through the Big Data Prism – blogs.akamai.com
  In June 2013, Checkmarx, a source code analysis vendor released a very thorough and interesting whitepaper on the topic of WordPress Plugins Security, listing the most vulnerable plugins. While reading Checkmarx’s whitepaper, and going through the long list of vulnerable WordPress plugins, Ory Segal felt that a few critical questions were still left unanswered.
• Is XXE the new SQLi? – isc.sans.edu
  Here we can see a typical problem with untrusted input – since an attacker can control anything on the client side he can impact integrity of the XML document that is submitted to the server. Generally this should not be a problem unless the following happens.
• The Internet of Things Is Wildly Insecure — And Often Unpatchable – wired.com
  We’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself — as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.
• Hackers gain ‘full control’ of critical SCADA systems – www.itnews.com.au
  Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. The findings follow the discovery of separate serious vulnerabilities in Siemens industrial ethernet switches that allowed attackers to run administrative tasks and hijack web sessions.

Other News

• Hackers Steal Card Data from Neiman Marcus – krebsonsecurity.com
  Responding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.
• Yikes! Target’s data breach now could affect 110M peoples – news.cnet.com
  Target’s data breach is much broader than once believed. The retailer now says that information taken in December’s security lapse includes names, phone numbers, and postal and e-mail addresses, and could affect up to one-third of the US population.
• Cyber-security: Small satellite dish systems called ripe for hacking – csmonitor.com
  The small dish systems, VSATs, transmit often-sensitive data from far-flung locations for critical industries. A cyber-security report found thousands with ‘their digital front doors wide open.’
• VSAT terminals are opened for targeted cyber attacks – intelcrawler.com
  Security researchers from IntelCrawler, a Los-Angeles based cyber intelligence company, announced that very-small-aperture terminal (VSAT) used for satellite communications are exposed to external cyber attacks, especially, on distributed critical infrastructures and network environments.