Week 11 In Review – 2014

Events Related

  • Pwn2Own 2014: A recap – hp.com
    Two record-setting days of payouts for zero-day vulnerabilities brought the 2014 Pwn2Own contest tantalizingly close to the first million-dollar competition, with $850,000 paid to eight entrants. $385,000 of potential prize money remained unclaimed.

Resources

  • BSides Huntsville 2014 Videos – www.irongeek.com
    These are the videos from the BSides Huntsville conference. Download and watch the videos from here.
  • WordPress XML-RPC PingBack Vulnerability Analysis – blog.spiderlabs.com
    There were news stories this week outlining how attackers are abusing the XML-RPC “pingback” feature of WordPress blog sites to launch DDoS attacks on other sites. This blog post provides some analysis of this attack and additional information for websites to protect themselves.
  • Guidelines for Setting Security Headers – blog.veracode.com
    Veracode feels security headers are an important layer of defense and wishes to enable developers to easily and correctly configure their site. If unsure about a particular header or setting, there is a wonderful resource that tracks browser support.
  • Samsung Galaxy Back-door – redmine.replicant.us
    This page contains a technical description of the back-door found in Samsung Galaxy devices. This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices.
  • viaForensics Presentations at RSAConference 2014
    • Beginners Guide to Reverse Engineering Android Apps – Slides and PDF – viaforensics.com
      viaForensics Mobile Security Engineer Pau Oliva Fora (@pof) spoke at RSAConference 2014 in San Francisco. His presentation, titled “Beginners Guide to Reverse Engineering Android Apps” focused on extracting and modifying Android apps from a mobile device.
    • Why Mobile Should Stop Worrying and Learn to Love the Root – Slides and PDF – viaforensics.com
      viaForensics CEO Andrew Hoog (@ahoog42) spoke at RSAConference 2014 in San Francisco. His presentation, titled “Why Mobile Should Stop Worrying and Learn to Love the Root” focused on embracing root privileges as a benefit to mobile security.
    • Hacking iOS on the Run: Using Cycript – Slides and PDF – viaforensics.com
      viaForensics Mobile Security Researcher Sebastián Guerrero (@0xroot) spoke at RSAConference 2014 in San Francisco. His presentation, titled “Hacking iOS on the Run: Using Cycript” focused on reading and modifying iOS applications and their behaviors using Cycript.
    • Mobile Analysis Kung Fu, Santoku Style – Slides and PDF – viaforensics.com
      viaForensics CEO Andrew Hoog (@ahoog42) and Mobile Security Analyst Sebastián Guerrero (@0xroot) presented at RSAConference 2014 in San Francisco. Their presentation, titled “Mobile Analysis Kung Fu, Santoku Style” focused on mobile security analysis using F/OSS tools such as Santoku Linux.

Tools

  • tilde_enum – github.com
    Takes a URL, checks the system for the tilde enumeration vulnerability and then finds the files. You feed this script a URL and a word list of potential file names. The script will look up the file roots in your word list and then try them with appropriate extensions.
  • Nsdtool – curesec.com
    Nsdtool is a toolset of scripts used to detect Netgear switches in local networks. The tool contains some extra features such as brute forcing and setting a new password.
  • Ubertooth Release 2014-02-R2 – ubertooth.blogspot.com
    After a very long break, Project Ubertooth are pleased to announce a new release of Ubertooth and libbtbb code. You can find the release here.

Techniques

  • Sanitize your outputs: Apple ID Password Logfile Disclosure – intrepidusgroup.com
    Collecting log data from an iPhone is pretty easy: Connect the phone via USB and use an application like iPhone Configuration Utility (IPCU) or Xcode to read and save the console log. Can we do that on an Apple TV?
  • Webmin Brute Forcing – carnal0wnage.attackresearch.com
    CG took the approach of throwing 5 passwords at Webmin; if it’s not something super obvious, then he’d move along. Maybe not the best solution, but he wanted to make sure it wasn’t root/root or webmin/webmin and move on.
  • How-To: Implementing a Baseline for IPv6 Controls – fishnetsecurity.com
    Many organizations have IPv6 in their line of sight but are not ready to implement. Because the IPv6 protocol stack is enabled as a default on most systems, environments may be inadvertently running an ad-hoc IPv6 instance on their networks. Instituting a baseline of controls can help mitigate inadvertent IPv6 traffic from traversing a network – or at least minimize noise on a network.
  • Retrospective decryption of SSL-encrypted RDP sessions – labs.portcullis.co.uk
    This post describes how network eavesdroppers might record encrypted RDP sessions and at some later time (after a server compromise) be able to decrypt them. This could expose any data sent over the RDP connection including keystrokes, usernames and passwords.

Vendor/Software patches

  • Apple iOS 7.1 – isc.sans.edu
    Here is detailed information on recent Apple releases – both iOS and Apple TV were updated.

  • Adobe, Microsoft Push Security Updates – krebsonsecurity.com
    Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late.

    • Security updates available for Adobe Flash Player – helpx.adobe.com
      Adobe has released security updates for Adobe Flash Player 12.0.0.70 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.341 and earlier versions for Linux.
    • The March 2014 Security Updates – blogs.technet.com
      This month Microsoft released five bulletins to address 23 unique CVEs in Microsoft Windows, Internet Explorer and Silverlight. Here’s an overview of this month’s release.
  • Proxmark3 vs Kantech ioProx – penturalabs.wordpress.com
    Earlier this week Penturalabs released a patch into the Proxmark3 community for initial support of the LF 125kHz ioProx tags from Kantech. Current operations are FSK-demodulation and card/tag cloning.

Other News

  • Defense Department Adopts NIST Security Standards – darkreading.com
    In a significant change in security policy, the Department of Defense (DOD) has dropped its longstanding DOD Information Assurance Certification and Accreditation Process (DIACAP) and adopted a risk-focused security approach developed by the National Institute of Standards and Technology (NIST).