Week 46 In Review – 2014

Events Related

• Amazon Fire Phone, iPhone, Nexus 5, Samsung S5 All Popped At Mobile Pwn2Own – forbes.com
  A slew of the world’s most popular smartphones have been prized open at the Mobile Pwn2Own hacking contest in Tokyo, Japan this week. Hosted by the HP Zero Day Initiative, the competition offered up big cash prizes for those who could successfully show off their exploits and a handful whitehats managed to break security protections on the Amazon Fire Phone, iPhone 5S, LG Nexus 5 and the Samsung S5.
  • HP TippingPoint + Mobile Pwn2Own = Zero Day Filter Protection – h30499.www3.hp.com
    HP DVLabs are back and coming at you from Tokyo, Japan with another round of Mobile Pwn2Own. The security intelligence of HP TippingPoint’s DVLabs is partnering with the HP Zero Day Initiative (ZDI) to provide exclusive network security against a set of highly dangerous vulnerabilities. Here’s a quick recap of the 2014 contest.
  • HP TippingPoint + Mobile Pwn2Own: Day 2 – h30499.www3.hp.com
    It is day 2 at Mobile Pwn2Own Tokyo, where five of the seven exploits planned for this elite contest were completely successful against their target and the remaining two had partial execution (enough to be concerned about as a mobile user).

Resources

• Aaron Swartz Files – swartzfiles.com
  Federal law enforcement documents about Aaron Swartz, released under the Freedom of Information Act. Here U.S secret service videos, photos and documents are available.
• Cyber Attacks on U.S. Companies in 2014 – heritage.org
  This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves. Here the data breaches are listed chronologically by month of public notice.

Tools

• ExploitRemotingService – github.com
  A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows although some aspects might work in Mono on *nix.
• Vivisect – github.com
  Now all as one project! Vivisect is fairly un-documented static analysis / emulation / symbolik analysis framework for PE/Elf/Mach-O/Blob binary formats on various architectures. For more in-depth docs on various topics, see here.

Techniques

• Removing Wirelurker from Your iOS or OSX Device – blog.trendmicro.com
  In this blog post, we’d like to share practices and recommendations for users and enterprises in order secure their devices from the Wirelurker malware threat. There are some simple steps for users to check whether their Apple devices are infected by this malware.
• Protecting Privileged Domain Accounts: Restricted Admin and Protected Users – digital-forensics.sans.org
  This article will cover specific updates Microsoft has provided to help protect user credentials. To summarize the changes built into Windows 8.1/2012R2, as well as the corresponding updates added to Windows 7 and higher via KB2871997, the main takeaways are described here.
• Simple guest to host VM escape for Parallels Desktop – blog.cr4.sh
  This is a little story about exploiting guest to host VM escape not-a-vulnerability in Parallels Desktop 10 for Mac. Discovered attack is not about some serious hardcore stuff like hypervisor bugs or low-level vulnerabilities in guest-host communication interfaces, it can be easily performed even by very lame Windows malware if your virtual machine has insecure settings.
• Reverse Engineer a Verisure Wireless Alarm part 1 – Radio Communications – funoverip.net
  This post is the first part of foip’s Verisure story and aims to observe radio communications between the multiple devices of the alarm. In other words, They will translate the radio communication into binary messages.

Vendor/Software patches

• SSL MiTM Vulnerability Among Vulns Patched in Pidgin – threatpost.com
  A handful of security vulnerabilities were patched in the most recent release of the Pidgin open source instant messaging client, Pidgin 2.10.10, including a SSL/TLS certificate validation issue that could be exploited in man-in-the-middle attacks.
  • Pidgin 2.10.10 -developer.pidgin.im
• Microsoft Security Updates
  Microsoft Security Bulletin MS14-066 – Critical – technet.microsoft.com
  This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.
• Microsoft Security Bulletin MS14-064 – Critical – technet.microsoft.com
  This security update resolves two privately reported vulnerabilities in Microsoft Windows Object Linking and Embedding (OLE). The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
  • IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows – securityintelligence.com
    The IBM X-Force Research team has identified a significant data manipulation vulnerability (CVE-2014-6332) with a CVSS score of 9.3 in every version of Microsoft Windows from Windows 95 onward. This complex vulnerability is a rare, “unicorn-like” bug found in code that IE relies on but doesn’t necessarily belong to.
  • CVE-2014-6332: it’s raining shells – forsec.nl
    @yuange tweeted a proof of concept for CVE-2014-6223. CVE-2014-6332 is a critical Internet Explorer vulnerability that was patched with MS-14-064.
• Adobe Patches 18 Vulnerabilities in Flash – threatpost.com
  Adobe pushed out security updates for Flash Player, addressing 18 different vulnerabilities, all critical, that could allow an attacker to take control of an affected system running the multimedia platform according to a security bulletin posted Tuesday.

Vulnerabilities

• Masque Attack: All Your iOS Apps Belong to Us – fireeye.com
  FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. They verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. They named this attack “Masque Attack”.
  • Major iOS security flaw ‘Masque Attack’ reportedly uncovered, found to ‘pose much bigger threat’ than WireLurker – 9to5mac.com
    Mobile security research firm FireEye reports it has uncovered a major iOS security flaw that it claims poses a much bigger threat to Apple users than WireLurker. According to FireEye, the new so-called “Masque Attack” security flaw was uncovered in July and exists because iOS does not enforce matching certificates for apps with the same bundle identifier.
• BASHLITE Affects Devices Running on BusyBox – blog.trendmicro.com
  Trend Micro have continuously monitored this vulnerability and on their latest research, they observed that recent samples of BASHLITE (detected by Trend Micro as ELF_BASHLITE.SMB) scans the network for devices/machines running on BusyBox, and logs in using a set of usernames and passwords.

Other News

• DarkHotel: A Sophisticated New Hacking Attack Targets High-Profile Hotel Guests – wired.com
  The hotel guest probably never knew what hit him. The sophisticated attackers who targeted him had been lurking on the hotel’s network for days waiting for him to check in. They uploaded their malware to the hotel’s server days before his arrival, then deleted it from the hotel network days after he left.
• Hackers hit US Postal Service networks, employee data grabbed – zdnet.com
  Hackers have breached US Postal Service networks, leading to a significant breach of employee data. China is high on the list of suspects as President Obama meets with the Chinese premier to discuss, among other things, cybersecurity.
  • US Postal Service Suspends Telecommuting Following Massive Data Breach – darkreading.com
    Employee VPN taken down — will not be restored until more secure version can be installed, Postal Service says after breach exposes data on 800,000 employees and 2.9 million customers.
• Chinese hack U.S. weather systems, satellite network – washingtonpost.com
  Hackers from China breached the federal weather network recently, forcing cybersecurity teams to seal off data vital to disaster planning, aviation, shipping and scores of other crucial uses, officials said.
• Polygraph.com owner indicted for training customers to beat the polygraph – arstechnica.com
  A former Oklahoma City police officer was indicted Thursday on accusations of teaching people to cheat on lie detector tests, the government announced Friday.