Week 39 In Review – 2014

Resources

• (IN)Secure Magazine issue 43 (September 2014) available – net-security.org
  (IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. You can download it now.
• A Guide to Gary McGraw’s AppsecUSA Keynote – cigital.com
  Here is a quick guide to the key ideas in the talk. Hope you find this little guide helpful.
• Hacking Apple TouchID on the iPhone 6 – youtube.com
  Using a fake fingerprint to bypass Apple’s TouchID fingerprint reader on the iPhone 6.
• latest grok-DerbyCon2014-final.pdf – atlas.r4780y.com
  grokking all the shizzle – a passionate way to be excellent at binary and computer systems.
• Derbycon 2014 Videos – irongeek.com
  These are the videos of the presentations from Derbycon 2014. You can download the videos from here.
• Derbycon “Attacking Kerberos” talk I’ll be checking out — and you should too! – securityweekly.com
  This post is riddled with spoilers for Tim Medin’s talk, But this is with Tim’s explicit permission. He also was kind enough to proofread this posting to ensure misstate anything.
• VB2014: Slides day one – virusbtn.com
  Few days ago, a lively panel discussion closed what we can only describe as a fantastic conference. A number of speakers have made their presentation slides available to the attendees, as well as to those eager to find out what they missed; speakers make their presentation slides available. You can download these from here.
  • VB2014: Slides day two – virusbtn.com
    The second day of VB2014 was just as successful as the first one, and saw 22 interesting presentations, divided over two parallel streams, on a wide range of security topics. Speakers make their presentation slides available. You can download these from here.
  • VB2014: Slides day three – virusbtn.com
    Many of Friday’s speakers make their presentation slides available. You can download these from here.

Tools

• drozer – The Leading Security Testing Framework For Android – darknet.org.uk
  drozer (formerly Mercury) is the leading security testing framework for Android. drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

Techniques

• Arris Cable Modem Backdoor – I’m a technician, trust me. – console-cowboys.blogspot.com
  Vendor backdoors are the worst. Sloppy coding leading to unintentional “bugdoors” is somewhat defendable, but flat out backdoors are always unacceptable. Todays example is brought to you by Arris.
• Tastic RFID Thief: Silent, But Deadly – bishopfox.com
  It’s high time you put a silencer on your Tastic RFID Thief – the weaponized, long-range badge reader. Fran Brown will show you how to avoid the embarrassingly loud beep when turning on your RFID badge stealer during your next physical penetration test.

Vulnerabilities

• iOS Security
  iOS 7.1.x Exploit Released (CVE-2014-4377) – isc.sans.edu
  Haven’t upgraded to iOS 8 yet? Aside from a lot of new features, Apple also fixed a number of security vulnerabilities in iOS 8. For example CVE-2014-4377, a memory corrupion issue in iOS’s core graphics library. An exploit is now available for this vulnerability.
  • Bypassing iOS Lock Screens: A Comprehensive Arsenal of Vulns – blog.dinosec.com
    The iOS mobile platform has been subject to numerous lock screen bypass vulnerabilities across multiple versions. it is important for information security professionals and pen testers to pay close attention to the current unfixed lock screen bypass scene at any given time, evaluate its risks, and promote enforcing physical security and tight access controls on iOS devices.
  • Despite Apple’s Privacy Pledge, Cops Can Still Pull Data Off a Locked iPhone – wired.com
    A reminder to iPhone owners cheering Apple’s latest privacy win: Just because Apple will no longer help police to turn your smartphone inside out doesn’t mean it can prevent the cops from vivisecting the device on their own.
  • iOS8 MAC Randomization – Analyzed! – blog.airtightnetworks.com
    Apple announced that the Wi-Fi scanning behavior of their devices would change starting with iOS8. They would start using randomized and locally administrated Wi-Fi MAC addresses in the probing state.
• Shellshock/Bash Bug vulnerability
  Some Personal Shellshock Stats – blog.rootshell.be
  Last week, a new storm in the Internet with “shellshock” or best known as CVE-2014-6271! This new bug affects the bash UNIX shell.
  • Shellshock DHCP RCE Proof of Concept – www.trustedsec.com
    Just about any DHCP string value should work for the exploit. Value 114 is URL, which is a string and should be reliable for use.
  • Everything You NEED To Know About Shellshock Bug In BASH – darknet.org.uk
    Is this going to effect the average consumer? No not really, does it effect the average company? Probably yes it will, but not at the core of your production systems which should be fairly immune to this vulnerability.
  • Update: XORSearch With Shellcode Detector – blog.didierstevens.com
    XORSearch allows you to search for strings and embedded PE-files brute-forcing different encodings. Now Didier Steven added shellcode detection.
  • Exploiting and Verifying Shellshock: CVE-2014-6271 – resources.infosecinstitute.com
    A new critical vulnerability, remotely exploitable, dubbed “Bash Bug”, is threatening billions of machines all over the world. It affects Linux and Unix command-line shell, aka the GNU Bourne Again Shell, and for this reason it is potentially exposing websites, servers, PCs, OS X Macs, various home routers, and many other devices to risk of cyber attacks.
  • Shellshock–CVE-2014-6271-Exploits in the wild – blog.netinfiltration.com
    For those who run web applications that could be an attack vector for the BashBug, a.k.a Shellshock, you may want to take this VERY seriously. There are already 4 Metasploit modules in the works.
  • Shellshock Test List – www.r00tsec.com
    The Bash vulnerability that is now known as Shellshock had an incomplete fix at first. There are currently 4 public and one supposedly non-public vulnerability.
  • Shellshock: A Collection of Exploits seen in the wild – isc.sans.edu
    Ever since the shellshock vulnerability has been announced, is is seen a large number of scans probing it. Here is a quick review of exploits that our honeypots and live servers have seen so far.
  • Shellshock: Vulnerable Systems you may have missed and how to move forward – isc.sans.edu
    You are well on your way to patch your Linux systems for the bash code injection vulnerabilities. At this point, you should probably dig a bit deeper and try to find more “hidden” places that may be vulnerable.
  • Update on CVE-2014-6271: Vulnerability in bash (shellshock) – isc.sans.edu
    The vulnerability has now become known as “shellshock”. Two CVE numbers have been assigned. The first CVE (CVE-2014-6271) was assigned for the vulnerability discovered by Stephane, the second CVE (CVE-2014-7169) was assigned to the modified injection technique discovered by Tavis.
  • Attackers exploiting Shellshock (CVE-2014-6721) in the wild – alienvault.com
    The new vulnerability allows attackers to execute arbitrary commands formatting an environmental variable using a specific format. The vulnerability is critical since it can be exposed on web servers that use mod_cgi or code that calls the bash shell.
  • Shellshock makes Heartbleed look insignificant – zdnet.com
    The new vulnerability in the Bash shell is the worst we’ve seen in many years. No software on critical systems can be assumed as safe.
  • Bash – ShellShocker – Attacks Increase in the Wild – Day 1 – blog.sucuri.net
    The Bash ShellShocker vulnerability was first disclosed to the public on 2014/Sep/24. Just a few hours after the initial release, sucuri team started to see a few scans looking for vulnerable servers.
• Jimmy John’s Confirms Breach at 216 Stores – krebsonsecurity.com
  More than seven weeks after this publication broke the news of a possible credit card breach at nationwide sandwich chain Jimmy John’s, the company now confirms that a break-in at one of its payment vendors jeopardized customer credit and debit card information at 216 stores.
  • Signature Systems Breach Expands – krebsonsecurity.com
    Hackers had installed card-stealing malware on cash registers at some of its store locations. Jimmy John’s said the intrusion — which lasted from June 16, 2014 to Sept. 5, 2014 — occurred when hackers compromised the username and password needed to remotely administer point-of-sale systems at 216 stores.