• Research for SharePoint (MOSS) – owasp.org
  This page contains research notes on Microsoft’s SharePoint MOSS and WSS
• MS SQL – Useful Stored Procedures for SQL Injection and Ports Info – pentesticles.com
  The following post lists and describes various useful stored procedures and port information for MS SQL.
• Portable Executable 101 – a windows executable walkthrough – code.google.com
  This graphic (PDF JPG) is a walkthrough of a simple windows executable, that shows its dissected structure and explains how it’s loaded by the operating system.
• SAP Slapping – labs.mwrinfosecurity.com
  Dave Hartley delivered his “SAP Slapping” presentation at the CRESTCon and BSides London security conferences recently. The talk provides a high level overview of common SAP system vulnerabilities and misconfigurations.
• Scanning the Web with Ammonite – resources.infosecinstitute.com
  Ammonite is a Fiddler extension used to scan web applications for common vulnerabilities like verbose and blind SQL injection, OS commanding, local file inclusion, buffer overflows, format string vulnerabilities etc.
• Exploiting Windows 2008 – esec-pentest.sogeti.com
  Internal network pentesting involving domain controllers requires a few steps in order to gain domain administrator access. One of them usually requires to gain local administrator access to a workstation.

Tools

• Gason - BurpSuite Plugin’s Project – Google Project Hosting - code.google.com
  This project contains a plugin to extend BurpSuite proxy. And know you can run gason stand alone!!
• Skipfish version 2.06b Update – code.google.com
  Skipfish is a fully automated, active web application security reconnaissance tool.

Techniques

• Android
• Android Emulator, Trusted CA, and Persistent Storage – carnal0wnage.attackresearch.com
  Android periodically updates it’s SDK and somtimes when this happens, old methods for importing a Trusted CA, necessary to proxy SSL traffic, will fail and you must find a new solution.
• Update – Android & SSL Cert – carnal0wnage.attackresearch.com
  Thanks to the comments left by Zach from our last Android post here, it has been brought to my attention there is an easier way to do all of this with the latest AVD (4.0.3).
• SecurityStreet: Unsupported Browser – rapid7.com
  The purpose of this post is to point out a little-known jewel — the -m flag to meterpreter’s execute command.

Vendor/Software Patches

• Microsoft Security Bulletin
• MS12-029 – Critical : Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352) – technet.microsoft.com
  This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS12-032 – Important : Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338) – technet.microsoft.com
  This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
• Bulletin Management Process and the May 2012 Bulletins - blogs.technet.com
  Have you ever wondered why bulletins group particular issues together? Or one set of products and not another? Well today Jonathan Ness has posted an insightful Security Research & Defense (SRD) blog discussing some of the nuances and packaging decisions that went into MS12-034.
• Microsoft patches 23 Windows flaws, warns of risk of code execution attacks – zdnet.com
  The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.
• Adobe, Microsoft Push Critical Security Fixes – krebsonsecurity.com
  Adobe and Microsoft today each issued updates to address critical security flaws in their software.
• PHP-CGI Vulnerability Exploited in the Wild – blog.sucuri.net
  When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.

Vulnerabilities

• Thousands of Twitter passwords exposed – news.cnet.com
  It’s unclear who’s responsible for posting passwords for Twitter accounts to a public Web site. The exact number of accounts is also unclear, as Twitter says many are duplicates and many had already been suspended.

Other News

• FBI Warns Travelers Using Hotel Networks About New Attack – darkreading.com
  The FBI says attackers are trying to trick users into installing malware with promises of software updates.
• Sniffer tool displays other people’s WhatsApp messages – h-online.com
  WhatsApp Sniffer is an app able to display messages from other WhatsApp users connected to the same network as the app user.

• Breaking in to Security – Survey Conclusions, Part 1 – digininja.org

  To collect the data I created an online survey and sent it out through as many sources as I could, to date I’ve got over 300 results and I’d like to say a huge thanks to everyone who completed it and helped with the advertising. If you want to see the full raw data I’ve published it and intend to try to keep it fairly up-to-date as more people answer the survey.

• oclHashcat Examples of lots of different hash types – phillips321.co.uk

  So you’ve got oclHashcat and you want to practice cracking hashes but you’ve got no hashes? Fear not! There are hashes listed below for you to play with or if you would like to generate hashes yourself download my perl module here and have a play with making them and then cracking yourself.

• getting from seh to nseh – thesprawl.org

  There are several approaches to doing this with the ‘POP-POP-RET’ being the most popular. Let’s see exactly why this approach works and analyze potential alternatives such as JMP DWORD PTR [EBP+0x30], POPAD and ROP.

• iPhone Forensics Analysis of iOS 5 backups : Part 1 – infosecinstitute.com

  iPhone forensics can be performed on the backups made by iTunes or directly on the live device. This Previous article on iPhone forensics detailed the forensic techniques and the technical challenges involved in performing live device forensics.

Tools

• CERT
• CERT Linux Triage Tools 1.0 Released – cert.org

  As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called “exploitable” that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post contains an overview of the extension and how it works.

• CERT Basic Fuzzing Framework 2.5 Released – cert.org

  Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post highlights the significant changes.

• psychomario/ntlmsspparse – github.com

  ntlmsspparse – Parses ntlmssp netlm[v2] hashes out of a pcap file for use with a password cracker.

Techniques

• Three Areas You Need To Test When Assessing Mobile Applications – securestate.com

  Having spoken at both at the SANS Mobile Device Security Summit as well as OWASP AppSec DC recently about testing mobile applications I’ve encountered that like the old saying goes “There are many ways to skin a cat”, there are also many ways to assess a mobile application.

• Command Injection to Code Execution with PowerShell – obscuresecurity.blogspot.com

  A common scenario that testers face involves leveraging command injection vulnerabilities into a full-blown shell. A lot of people view command injection as an old technique, but it is very relevant today. There are many different types of attacks that end in command injection (e.g. SQL injection), so testers need a way to turn Windows commands into shell access.

• Decrypting the iPhone keychain from backups SECURITYLEARN – securitylearn.wordpress.com

  In iTunes backup, the iPhone Keychain sqlite database is stored as a PList file. The Keychain file gets stored with 51a4616e576dd33cd2abadfea874eb8ff246bf0e file name in the iTunes backup folder.

• Interesting Directives in php.ini (for Pen Testers and Devs) – pentesticles.com

  This post aims to pin-point the directives that developers should be familiar with and also show penetration testers the nuts and bolts of the issues they’re seeing so that they may better advise their clients.

Vendor/Software Patches

• Adobe Flash
• Critical Flash Update Fixes Zero-day Flaw Krebs on Security – krebsonsecurity.com

  Adobe Systems Inc. today issued a security update to its Flash Player software. The company stressed that the update fixes a critical vulnerability that malicious actors have been using in targeted attacks.

• Security update available for Adobe Flash Player – adobe.com

  Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x.

• Update: TaskManager.xls V0.1.3 Killer Shellcode – blog.didierstevens.com

  Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

• Metasploit VMware Auxiliary Modules – eromang.zataz.com

  Metasploit provide VMware auxiliary modules who allow you to gather informations, authentication brute force, execute task against ESX/ESXi.

Vulnerabilities

• CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration – eromang.zataz.com
  Demonstration of the critical remotely exploitable vulnerability CVE-2012-1675 TNS Poison affecting all Oracle database server versions.

• Release of exploit code puts Oracle Database users at risk of attack – arstechnica.com

  Oracle has declined to patch a critical vulnerability in its flagship database product, leaving customers vulnerable to attacks that siphon confidential information from corporate servers and execute malware on backend systems, a security researcher said.

Other News

• Everyone Has Been Hacked. Now What? – wired.com

  Hackers are everywhere and everyone has been hacked. So what’s a company to do?

• Apple security blunder exposes Lion login passwords in clear text – zdnet.com

  With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file outside of the encrypted area that stores the

SANS Security West : May 3 to 12 in San Diego, CA USA

GRC Summit Boston 2012 : May 8 to 10 in Boston, MA USA

TakeDownCon 2012 : May 8 to 9 in Dallas, Texas USA

Secure360 : May 8 to 9 in Saint Paul, MN USA

CarolinaCon 8 : May 11 to 13 in Raleigh, North Carolina USA

BSides Rochester 2012 : May 12 in Rochester, NY USA

IEEE Symposium on Security and Privacy 2012 : May 20 to 23 in San Francisco Bay Area, California USA

CEIC 2012 : May 21 to 24 in Summerlin, NV, USA

LayerOne : May 26 to 27 in Anaheim, CA USA

And here are the information security events in the other parts of the world:

AthCon : May 3 to 4 in Athens, Greece

Info Security Conference Malaysia 2012 : May 3 in Kuala Lumpur, Malaysia

EICAR 2012 : May 7 to 8 in Lisbon Portugal

YSTS 6th Edition 2012 : May 7 in Sao Paulo, Brazil

SecureCloud 2012 : May 9 to 10 in Frankfurt Germany

AusCERT2012 : May 14 to 18 in Queensland , Australia

CARO 2012 : May 14 to 15 in Munich, Germany

e-Crime Cloud & Virtualisation Security Forum 2012 : May 15 in London, UK

HITB Amsterdam : May 21 to 25 in Amsterdam, Netherlands

CONFidence 2012 : May 23 to 24 in ZUW Bielany, Krakow Poland

e-crime Mid-Year Meeting Middle East : May 28 in Dubai UAE

Cyber Security 2012 : May 29 to 30 in Brussels Belgium

Appsec DC 2012 : April 2 to 5 in Washington, DC USA

InfoSec World Conference & Expo 2012 : April 2 to 4 in Orlando, Florida USA

GovSec 2012 : April 2 to 4 in Washington, D.C. USA

NotaCon 2012 : April 12 to 15 in Cleveland, OH USA

BSides Charleston 2012 : April 13 to 14 in Charleston, SC USA

The Security Confab : April 15 to 17 in La Jolla, California USA

WiSec: ACM Conference on Wireless Network Security ’12 : April 16 to 18 in Arizona USA

SOURCE Boston 2012 : April 17 to 19 in Boston, MA USA

QuahogCon : April 20 to 22 in Providence, Rhode Island USA

SANS AppSec Summit : April 24 to May 2 in Las Vegas, NV USA

NSDI ’12 – 9th USENIX Symposium on Networked Systems Design and Implementation – 2012 : April 25 to 27 in San Jose, CA USA

THOTCON 2012 : April 27 in Chicago, IL USA

DakotaCon : April 27 in Madison, SD USA

BSides Chicago: April 28 in Chicago USA

And here are the information security events in the other parts of the world:

hackZA : April 4 in Johannesburg,South Africa

OWASP AppSec Asia 2012 : April 11 to 14 in Darling Harbour, Sydney Australia

Hackito Ergo Sum 2012 : April 12 to 14 in Paris, France

Info Security Conference Singapore 2012 : April 19 in Singapore, Singapore

Infosecurity Europe 2012 : April 24 to 26 in London, UK

CeCOS VI : April 25 to 27 in Prague, Czech Republic

BSides London : April 25 in London UK

SyScan Singapore : April 26 – Fri, April 27 in Singapore, Singapore

SCADA & Smart Grids Cyber Security Summit 2012 : April 26 to 27 in London UK

AtlSecCon 2012 : March 1 to 2 in Halifax, Canada

CanSecWest 2012 : March 7 to 9 in Vancouver, BC Canada

SecureIT 2012 : March 18 to 20 in Ontario, California USA

SANS 2012 : March 23 to 30 in Orlando, Florida USA

InfoSec Southwest : March 30 to April 1 in Austin, Texas USA

And here are the information security events in the other parts of the world:

RootedCON 2012 : March 1 to 3 in Madrid, Spain

SANS Singapore Secure : March 5 to 17 in Singapore, Singapore

SecAppDev 2012 : March 5 to 9 in Leuven, Belgium

eCrime Researchers Sync-Up 2012 : March 7 to 8 in Dublin, Ireland

International Conference on Security Science and Technology (ICSST) : March 10 to 12 in Hong Kong

European Smart Grid Cyber Security – Priority One; Securing the Digital Infrastructure – 2012 : March 12 to 13 in London, UK

e-crime Congress 2012 : March 13 to 14 in London, UK

Black Hat Europe 2012 : March 14 to 16 in Amsterdam, Netherlands

TROOPERS12 : March 19 to 23 in Heidelberg, Germany

2nd Annual Cyber Security China 2012 : March 22 to 23 in Bejing, China

ACK Security Conference 2012 : March 26 to 30 in Manizales, Colombia

HackCon : March 27 to 29 in Oslo, Norway

NDSS Symposium 2012 : February 5 to 8 in San Diego, California USA

ACM Conference on Data and Application Security and Privacy (CODASPY) : February 8  to 12 in San Antonio, TX USA

DOJ Cyber Security Conference : February 8 to 9 in Washington, D.C. USA

The Anti-Conference: Suits & Spooks II – Shaping a Revolution in Security Affairs : February 8 in Rosslyn, VA USA

SANS Phoenix : February 13 to 18 in Phoenix, AZ USA

BSides PHX 2012 : February 18 in Tempe, Arizona USA

RSA Conference 2012 : February 27 to March 2 in San Francisco, California USA

BSides San Francisco 2012 : February 27 to 28 in San Francisco, CA USA

Metricon : February 27 in San Francisco, Ca USA

And here are the information security events in the other parts of the world:

Kaspersky Lab Threat Post Security Analyst Summit 2012 : February 1 to February 5 in Cancun, Mexico

NullCon : February 15 to 18 in Goa, India

HITBGSEC 2012 : February 20 to 23 in Mumbai, India

DoD Cybercrime Conference 2012: January 20 to January 27 in Atlanta

ShmooCon USA : January 27 to Januaryin Washington, DC

And here are the information security events in the other parts of the world:

BSides Vienna: January 21 in Vienna

eCrime Germany: January 31 in Frankfurt

• How Modern Cars Can Be Cracked – autosec.org
• SOURCE Barcelona Resources from September 2011 – sourceconference.com
  Links, articles, and media from the event.
• OSCP-My Review – proactivedefender.blogspot.com
  The OSCP certification is an offensive security course which teaches the attacking side of Information Security and is largely aimed at those wanting to become penetration testers. My personal motivation for taking the course and exam were to better understand the methodology, tools and techniques that attackers employ to breach networks and systems.

Tools

• hashcat-gui v0.5.0 – hashcat.net/hashcat-gui/
• p0f is back! – lcamtuf.coredump.cx/p0f3/
  Version 3 is a complete rewrite, bringing you much improved SYN and SYN+ACK fingerprinting capabilities, auto-calibrated uptime measurements, completely redone databases and signatures, new API design, IPv6 support (who knows, maybe it even works?), stateful traffic inspection with thorough cross-correlation of collected data, application-level fingerprinting modules (for HTTP now, more to come), and a lot more.
• Large Scale Pcap Analysis – geek00l.blogspot.com/2012/01/large-scale-pcap-analysis.html
  It seems that the storage is not much an issue when comes to packet capture anymore, looking at terabytes become general everywhere, and many network analysis tools seem to gear toward large scale pcap data analysis, bro-ids has extended their functionality by using tons of community hardware and timemachine to capture and  analyze network data, and now I just come to read about people in RIPE NCC are doing this using apache hadoop
• Cheap WiFi Bridge For Pentesting or Otherwise – hackaday.com
  Twenty three dollars. That’s all this tiny pen-testing device will set you back. And there really isn’t much to it. [Kevin Bong] came up with the idea to use a Wifi router as a bridge to test a wired network’s security remotely. He grabbed a TP-Link TL-WR703N router, a low-profile thumb drive, and a cellphone backup battery; all cheaply available products.
• Sandia Labs Offers DNSSEC Tool - darkreading.com
  A Sandia National Laboratories computer scientist has developed a free visualization tool to help the federal government and other organizations with their Domain Name System Security (DNSSEC) implementations.

Techniques

• Old Meets New: Microsoft Windows SafeSEH Incompatibility – accuvant.com
  In recent years, Microsoft has made great strides to improve product security. This momentum can be seen clearly in their investments in security-focused processes, development, and research. The release of anti-exploitation features such as DEP, ASLR, Stack Cookies and SafeSEH are products of their commitment to security.
• Show Me Your SSID’s, I’ll Tell Who You Are - blog.rootshell.be
  The idea of this article came from a colleague of mine. He wrote a first version of the script described below. I found it very useful and asked his permission to re-use it and to write this blog article. Thanks to him! In the mean time, during my researches, I also found that a friend, Didier Stevens, published on his blog the same kind of script but for an AirCap adapter. Mine uses any adapter capable to be switched to “monitor” mode.
• Introducing Shazzer: A Shared online fuzzer – thespanner.co.uk
  I lost inspiration for coding a while ago and had this idea I was sitting on for a while, I’m often stuck at the design stage before I write a line of code and I will refuse to continue without a clear picture in my head on how an app is going to work. After the Christmas break I got my inspiration back and started to formulate pretty quickly how Shazzer might work.
• Hacking MS Access For Fun and Profit – tdsne.blogspot.com
  I spent a great many years of my early career making amazing things with MS Access databases and VBA.  I’ve lost most of these skills nowadays, but I remember a lot about how things are constructed internally and how I used to go about securing things.
• How To Run Penetration Tests From The Amazon Cloud – Without Getting Into Trouble – community.rapid7.com
  This is especially useful since several team members can use the same instance of Metasploit Pro in the cloud at the same time through Metasploit Pro’s web-based user interface, even if team members are working on different projects at the same time.
• Sanitize Input – carnal0wnage.attackresearch.com/2011/12/sanitize-input.html
  When application security was still in it’s infancy, there were discussions on how to protect applications from newly discovered injection vulnerabilities. “Sanitize Input” was a popular solution that rolled off the tongue nicely and was not overly complicated to explain. It was also, a very generic solution that would (hopefully) be part of a more complete approach.

Vendor/Software Patches

• Microsoft Security Bulletin January 2012
  As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing seven security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important. These bulletins will address eight vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible.
• January 2012 Security Bulletins Released – blogs.technet.com
• January ’12 MSRT: Win32/Sefnit – blogs.technet.com
• Vulnerability in Windows Kernel Could Allow Security Feature Bypass – technet.microsoft.com
• Vulnerability in Windows Object Packager Could Allow Remote Code Execution – technet.microsoft.com
• Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege – technet.microsoft.com
• Vulnerabilities in Windows Media Could Allow Remote Code Execution – technet.microsoft.com
• Vulnerability in Microsoft Windows Could Allow Remote Code Execution – technet.microsoft.com
• Vulnerbaility in SSL/TLS Could Allow Information Disclosure – technet.microsoft.com
• Vulnerability in AntiXSS Library Could Allow Information Disclosure – technet.microsoft.com
• Wireshark 1.6.5 and 1.4.1.1 Released – wireshark.org
  Wireshark 1.6.5 and 1.4.11 have been released. Installers for Windows, Mac OS X 10.5.5 and above (Intel and PPC), and source code are now available.

Other News

• Typosquatting social web gains top Alexa ranking – community.websense.com
  These are amazing results for fraudulent Web sites, as some of them rank even better than genuine big name portals. In this campaign, the fraudulent sites pretend to be from YouTube, and they try to lure you in by saying you have been selected to complete a survey for a chance to win a gift such as an iPhone 4S. Survey scams were very common in the past year, and were usually spread within social networks like Facebook or Twitter.
• Researchers Find Way To Sniff Corporate Email Via Blackberry Playbook – threatpost.com
  Researchers and attackers have had no shortage of mobile platforms and devices to sink their teeth into in recent years, thanks to the explosion of iOS and Android phones and tablets in the consumer and enterprise markets. Now, the spotlight is slowly beginning to turn in the direction of RIM, and specifically its BlackBerry PlayBook tablet.
• Banks Coming Together To Fight Hackers, Prevent Attacks – threatpost.com
  Major banks like Morgan Stanley, Goldman Sachs Group and Bank of America are putting together plans to help identify new security threats before they happen, according to a report from the Wall Street Journal this week.
• DiskCrypt Turns Any Laptop Storage Into A Self-Encrypted Drive – arstechnica.com
  DiskCrypt takes a similar approach, providing firmware within the enclosure that performs pass-through encryption and decryption. It uses AES encryption, and has a NIST FIPS 140-2 level 1 certified cryptographic module—meaning that it has been certified by the feds for basic information security, but not for classified information, as it’s specifically single-user.
• Researchers Find Sykipot Trojan Variant For Hijacking DoD Smartcards – threatpost.com
  The research, published in a blog post Thursday, is the latest by Alien Vault to look at Sykipot, a Trojan horse program known to be used in targeted attacks against defense industrial base (DIB). The new variants, which Alien Vault believes have been circulating since March, 2011, have been used in “dozens of attacks” and contain features that would allow remote attackers to steal smart card credentials and access sensitive information.

• Highlights from the 28th Chaos Communications Congress – advocacy.globalvoicesonlne.org
  The Chaos Communications Congress is the annual meetup of Germany’s Chaos Computer Club, one of the oldest hacker collectives in the world. It takes place in Berlin every year at the height of the holiday season between Christmas and New Year’s Eve, a time when only the dedicated European computer obsessive would leave their family and friends to spend four days in a conference centre with like-minded hackers and geeks.
• 28th Chaos Communication Congress & Berlin Sides or a tough week in Berlin – secnerd.blogspot.com
  We carried out the same procedure as every year; Stormbringer and I meet on December 26th around 7pmish at the airport in Zürich for a beer or two. Unfortunately he was late, so I had to drink alone. No harm was done as I still had to finish the slides for my talk.
• BSidesDFW 2011 Schedule – securitybsides.com

Resources

• Mixed voltage interfacing for design and hacking – rdist.root.org
  Modern digital systems involve a wide array of voltages. Instead of just the classic 5V TTL, they now use components and busses ranging from 3.3V down to 1.0V. Interfacing with these systems is tricky, especially when you have multiple power sources, capacitive loads, and inrush current from devices being powered on.

Tools

• Technitium MAC Address Changer v6.0 – www.technitium.com/tmac/index.html#download
  Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine.
• Nmap 5.61TEST4 released – 51 New Scripts, web spidering, vuln library, and more! – seclists.org
  Hello folks, and happy new year! I’d like to start 2012 off right–with a new version of Nmap. So I’m happy to release 5.61TEST4. The version number may not sound that different than the previous 5.61TEST2, but we’ve made many big improvements in the last three months.
• Reaver Now Goes To 11 – devttys0.com
  The decision has been made to open source the Reaver command line tool. The commercial version will contain the all the features the open source command-line tool has along with a web based client, support, and service options.

Techniques

• (UAC) User Assisted Compromise – room362com
  A number of times during tests I’ve actually run into those mythical creatures called “patched windows machines”. At DerbyCon Chris Gates and I released the “Ask” post module (which I had failed to publish). This module very simply uses the ShellExecute windows function via Railgun with the undocumented (but very well known) operator of ‘runas’.
• Heap Overflows For Humans 103 – net-ninja.net
  Hi guys! Once again I’m back and here to discuss yet another important technique for heap exploitation that I do not want to see get buried in the sands of time. Lucky for me I have some time off over Christmas/New years so I can cover more of this topic.
• Targeting and Hacking a WordPress Site – resources.infosecinstitute.com
  The answer to this question may be difficult to determine, simply because there are so many ways to hack a site. Our aim in this article to show you the techniques most used by hackers in targeting and hacking your site!
• A technique for bypassing request header restriction of XMLHttpRequest – lists.webappsec.support
  Do you know that Apache HTTP Server and Lighttpd replace non-alnum characters with underscore in name of environment variables? This might be useful to bypass restrictions of XMLHttpRequest.
• New Meterpreter Extension Released: MSFMap Beta – blog.securestate.com
  Today SecureState is releasing a new extension for Metasploit’s Meterpreter called MSFMap. This new utility provides an NMap-like port scanner from within the context of a Meterpreter session.  This gives penetration testers an easily deployable and flexible port scanning utility.
• Blind WebSQL and Storage extraction for HTML5 Apps – sheeraj.blogspot.com
  HTML5 is having two important data points – WebSQL and Storage. They are controlled by well defined RFCs and specifications. These APIs can be accessed using JavaScript. Assuming we get an entry into DOM then also we are completely blind with WebSQL table names and storage keys. Here is a way to enumerate that data during pen-testing and assessments.
• Anatomy of a SCADA Exploit: Part 1 – From Overflow to EIP – poppropet.org
  SCADA applications and appliances have been receiving a lot of media attention lately for all the security problems they’re causing, most infamously being the root of the Stuxnet outbreak in 2010.  If you spend more than a few minutes looking at the applications that power our infrastructure and the systems they run on, you’ll realize it’s time to get a little nervous.
• The CSRF That Almost Was – blog.c22.cc
  A lot of the research I did into the SAP Management Console was about what an attacker could do accessing it from the internet, or directly when on the local LAN segment. Although there’s probably a lot more attackers could do with this stuff, the protections that SAP have rolled out should be enough to deter most casual attackers.

Vulnerabilities

• Apple iOS 501 hacked, untethered via to security holes – zdnet.com
  Using two different security vulnerabilities in Apple’s flagship mobile operating system, a security researcher has released a tool to untether devices running iOS 5.0.1.

Other News

• Indian Military Backdoor Access
  In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India’s Military Intelligence that has been liberated by hackers and posted on the Net. The memo suggests that, “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.
• Have RIM, Nokia, and Apple provided Indian military with backdoor access to cellular comm? – zdnet.com
• Indian Intelligence Internal Memo On Backdoor Access To Mobile Devices – apple.slashdot.org
• Symantec Hacking Announcement on Facebook – facebook.com
  Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec’s Norton products for our consumer customers.
• Is Android Really Safe Enough for the DoD? – novainfosecportal.com
  I think the only anti-iOS arguments that stand on their own are the first two. Well maybe the government could create a special jailbroken version of iOS that meets their requirements since that seems to be legal after last year’s DMCA adjustments. At least they could knock the second criticism out.
• Lilupophilupop tops 1 million infected pages – isc.sans.org
  When I first came upon the attack there were about 80 pages infected according to Google searches.  Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this).
• Analysis of STRATFOR Passwords Reveals Shoddy Security – threatpost.com
  Using the leaked password list from STRATFOR, the open source intelligence service that was hacked last month, reporters from The Tech Herald were able to decipher over 80,000 of the hashed passwords, around 10% of the more than 800,000 passwords stolen in the attack. The analysis showed that trivial passwords like 123456, 11111111 and 123123 were common among STRATFOR customers.
• Hacking For Privacy:  2 days for amateur hacker to hack smart meter, fake readings – networkworld.com
  In other words, smart meters do have privacy implications that translate into consumer identification. On the bright side, they showed it takes an amateur hacker only two days to hack a home energy meter and fake the smart meter readings — which could result in a utility bill showing absolutely no power consumption at all.

• Chaos Communications Congress Debriefing(s)
  …dedicated to information about the conferences and events of the CCC. Being our most important event, the annual Chaos Communication Congress is usually the main focus. But we provide announcements and background information for other CCC events as well – be it regional or international.
• Crypto talk at 28C3: Implementation of MITM Attack onHDCP-secured Links, Day 3, 18:30, Saal 1 – events.ccc.de
• Crypto talk at 28C3: TRESOR: Festplatten sicher verschlüsseln, Day 3, 14:30, Saal 2 – events.ccc.de
• Crypto talk at 28C3: Sovereign Keys – A proposal for fixing attacks on CAs and DNSSEC, Day 3, 23:00, Saal 3 – events.ccc.de
• Recordings of 28C3 talks available – events.ccc.de
• Documentation – events.ccc.de

Resources

• 2011 year In Review: Online Security Highlights and Lowlights – blog.zonealarm.com
  2011 was a big year in terms of online security. From well-publicized data breaches of major companies to the takedown of giant botnets, cybercrime made many headlines. And though hackers came up with more innovative ways to steal information and wreak havoc on the Web, the spotlight on online security vulnerabilities prompted both officials and average users to be more vigilant. Here, we recount the major online security highlights and lowlights of the year.
• Book Release: hacking and Securing iOS Applications – viaforensics.com
  Jonathan Zdziarski’s new book “Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It,” is due out next month. Pre-order your copy now!

Tools

• Lynis v1.3.0. Released – rootkit.nl/files/lynis-1.3.0.tar.gz
  Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.
• Patator – Brute Forcing Multi Purpose Tool – potator.googlecode.com
  Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like.
• New Tools ByPass Wireless Router Security – krebsonsecurity.com
  Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.
• UPDATE: OWASP AJAX Crawling Tool 0.2a! – code.google.com/p/fuzzops-ng/downloads/list
  OWASP AJAX Crawling Tool is a tool which will automate the crawling of AJAX applications. It can be daisy-chained with other proxies (like ZAP or Burp) to allow the functionality of those tools to be used on aspects of a web app that traditional spidering tools will miss.
• Calculating a SSH Fingerprint From a (Cisco) Public Key – blog.didierstevens.com
  I developed a small Python program that calculates a SSH fingerprint from the public key. You store the public key in hex format in a file and use that with this new tool.

Techniques

• Java Dynamic Instrumentation Crash Course
  This is the first in a series of several ways to go about doing dynamic instrumentation in Java. I will be making use of the Javassist bytecode manipulation library for this series. In this first post, I will be going over Java dynamic instrumentation used within the main program. First, you will need Java installed (of course) and the Javassist jar file (I am using version 3.15). While the Javassist API documentation will provide a thorough description of the classes and functions involved, I will be covering the basics.
• Java Dynamic Instrumentation #1 – isisblogs.poly.edu
• Java Dynamic Instrumentation #2 – isisblogs.poly.edu

• Heap Overflows for Humans 102.5 – net-ninja.net
  Hi folks. Sometime ago, I discussed an old, but important technique for exploiting application specific heap overflows under windows XP SP3. Today, I am going to discuss another important technique  and give an introduction to my immunity debugger plug-in tool called !heaper!
• Fun With BSD-derived Telnet Demons - community.rapid7.com
  A port of this exploit to the Metasploit Framework is in progress and we just added a scanner module that can be used to identify vulnerable instances of the telnet service. This module tries to trigger the vulnerability with an invalid pointer, causing the inetd-spawned process to exit. Since this process automatically respawns, it should be safe to scan all affected inetd-based systems.
• Cracking WPA in 10 Hours or Less – devttys0.com
  The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.
• Jumping to another network with VPN pivoting – community.rapid7.com
  VPN Pivoting is one of the best but also most elusive features in Metasploit Pro, so the best way is to see it. That’s why I’ve decided to post a snippet of a recent webinar, where HD Moore shows this feature in action.
• ZoneTransfer.me – digininja.org
  When teaching, and when talking to clients, I sometimes have to explain the security problems related to DNS zone transfer. The problem usually comes when trying to demonstrate how it works and what information can be leaked, trying to remember which domains have zone transfer enabled and then hoping that they still have it turned on can make it hard. So, to ease both of these problems I’ve registered zonetransfer.me, a domain which is easy to remember and which will always have zone transfer enabled.
• Exploit Writing Tutorial Part 11 : Heap Spraying Demystified – corelan.be
  With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer browsers. I’ll start with some “ancient” (“classic”) techniques that can be used on IE6 and IE7. We’ll also look at heap spraying for non-browser applications.

Vendor/Software Patches

• Microsoft Security Bulletins MS11-100 – Critical - technet.microsoft.com
  This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

Vulnerabilities

• From 0Day to 0Data: TelnetD – dankaminsky.com
  Recently, it was found that BSD-derived Telnet implementations had a fairly straightforward vulnerability in their encryption handler. (Also, it was found that there was an encryption handler.) Telnet was the de facto standard protocol for remote administration of everything but Windows systems, so there’s been some curiosity in just how nasty this bug is operationally.
• Wi-Fi Protected Setup (WPS) PIn brute Force Vulnerability – isc.sans.edu
  Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 – available since January 2007) designed to ease the process of securely setup Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN.

Other News

• Anonymous vs. Stratfor
  Austin, Texas-based Strategic Forecasting, or Stratfor, disclosed over the weekend that its Web site, which remains down, was hacked and information about its corporate subscribers–who include the likes of the U.S. Army, U.S. Air Force, and Miami Police Department–was disclosed. AntiSec, an Anonymous-affiliated hacktivist group, quickly claimed responsibility and promised “mayhem” with plans to release even more documents.
• Confidential client list safe from Anonymous, Stratfor says – computerworld.com
• Report details extent of Anonymous hack on Stratfor – news.cnet.com
• Stratfor Downplays Cyber Attack Credited To Anonymous - securityweek.com
• 5 Website Security Lessons Courtesy of Stratfor – troyhunt.com

• Naval researchers pioneer TCP-based spam detection – itworld.com
  A group of researchers from the U.S. Naval Academy has developed a technique for analyzing email traffic in real-time to identify spam messages as they come across the wire, simply using information from the TCP (Transmission Control Protocol) packets that carry the messages.
• Huge portions of Web vulnerable to denial-of-service attack – arstechnica.com
  Researchers have shown how a flaw that is common to most popular Web programming languages can be used to launch denial-of-service attacks by exploiting hash tables. Announced publicly on Wednesday at the Chaos Communication Congress event in Germany, the flaw affects a long list of technologies, including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.
• QR Code Malware Picks Up Steam – darkreading.com
  As mobile marketers have latched onto the convenience and cool-factor of QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware.
• Appeals Court Revies EFF’s Challenge to Government’s Massive Spying Program – eff.org
  The 9th U.S. Circuit Court of Appeals today blocked the government’s attempt to bury the Electronic Frontier Foundation’s (EFF’s) lawsuit against the government’s illegal mass surveillance program, returning Jewel v. NSA to the District Court for the next step.
• New Year’s Resolution: Full Disk Encryption On Every Computer You Own - eff.org
  Many of us now have private information on our computers: personal records, business data, e-mails, web history, or information we have about our friends, family, or colleagues.  Encryption is a great way to ensure that your data will remain safe when you travel or if your laptop is lost or stolen. Best of all, it’s free. So don’t put off taking security steps that can help protect your private data. Join EFF in resolving to encrypt your disks 2012.