<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Infosec Events &#187; Security Vulnerabilities</title>
	<atom:link href="http://infosecevents.net/category/security-vulnerabilities/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecevents.net</link>
	<description>Covering the Information Security Economy</description>
	<lastBuildDate>Mon, 06 Feb 2012 21:35:29 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Week 5 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/02/06/week-5-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/02/06/week-5-in-review-2012/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 21:35:29 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[iOS5]]></category>
		<category><![CDATA[shmoocon 2012]]></category>
		<category><![CDATA[tdl4 purple haze]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2088</guid>
		<description><![CDATA[Event Related ShmooCon 2012 Updates, Videos, Slides and Presentation Five Ways We’re Killing Our Own Privacy &#8211; scribd.com/doc Slides from ShmooCon and Firetalks Presentation Attacking Prox Card Systems &#8211; opensecurityresearch.com Slides and Code from Brad Antoniewicz&#8217;s awesome talk on Attacking Prox Card Systems Shmoocon 2012 &#8211; tombom.co.uk In the absence of an “official” download link [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li>ShmooCon 2012 Updates, Videos, Slides and Presentation</li>
<ul>
<li><a href="http://www.scribd.com/doc/79650222/Five-Ways-We%E2%80%99re-Killing-Our-Own-Privacy">Five Ways We’re Killing Our Own Privacy</a> &#8211; scribd.com/doc<br />
Slides from ShmooCon and Firetalks Presentation</li>
<li><a href="http://www.opensecurityresearch.com/files/AttackProxCardSys-BA.tar.bz2">Attacking Prox Card Systems</a> &#8211; opensecurityresearch.com<br />
Slides and Code from Brad Antoniewicz&#8217;s awesome talk on Attacking Prox Card Systems</li>
<li><a href="http://www.tombom.co.uk/blog/?p=316">Shmoocon 2012</a> &#8211; tombom.co.uk<br />
In the absence of an “official” download link for these so far (although I’m sure they’ll be up on the Shmoocon page soon enough), my slides from Shmoocon this year. Seems it got a little press coverage and a whole bunch of attention on Twitter, so I figured I should get these out ASAP.</li>
<li><a href="http://atlas.r4780y.com/cgi-bin/atlas/2012/01/30#120129-rfcat-release">RFCAT released!</a> &#8211; atlas.r4780y.com<br />
I should probably post *new* slides here within a week. Subscribe to the rss feed to be notified when I post them. I&#8217;m going to see if I can&#8217;t nail down a few more details that were bugging me on the demo&#8217;s, and actually talk to the insulin pump.</li>
<li><a href="http://intrepidusgroup.com/insight/2012/01/changes-to-apple-mdm-for-ios-5-x/">Changes to Apple MDM for iOS 5.x</a> &#8211; intrepidusgroup.com<br />
I presented an updated talk on Apple’s iOS MDM system at ShmooCon 8. I had a great time, and really enjoyed all the questions and nice comments I received afterwards. I thought I’d mention a couple of the changes that iOS 5 provides.</li>
<li><a href="http://www.novainfosecportal.com/2012/02/03/shmoocon-2012-firetalks-%E2%80%93-update-7-videos-from-friday/">ShmooCon 2012 FireTalks &#8211; Update 7 (Videos from Friday)</a> &#8211; novainfosecportal.com<br />
This post is dedicated to the talks on Friday night. Thanks to Bulb Security and IronGeek for recording and processing the videos so fast!</li>
<li><a href="http://vimeo.com/user4997632/videos">Georgia Weidman&#8217;s videos</a> &#8211; vimeo.com</li>
<li><a href="http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/">Hacker&#8217;s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets</a> &#8211; forbes.com<br />
Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing.</li>
</ul>
<li><a href="https://blog.mandiant.com/archives/2237">Education and Information Sharing Top Priority at 2012 DoD Cyber Crime Conference</a> &#8211; blog.mandiant.com<br />
This was my first time heading to the DoD Cyber Crime Conference in Atlanta. The DoD Cyber Crime Center (DC3) hosts the conference every year. DC3 first started as a resource for DoD and Law Enforcement and has grown over the years to include many different organizations that work together to combat Cyber Crime.</li>
</ul>
<p><strong>Resources</strong></p>
<ul>
<li><a href="https://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares">DatabaseAndroidMalwares</a> &#8211; code.google.com</li>
<li><a href="http://blog.c22.cc/2012/02/03/book-review-the-tangled-web/">{book review} The Tangled Web</a> &#8211; blog.c22.cc<br />
The Tangled Web is split into 3 parts, starting off with a concise walk-through of the underlying technologies of the web. Unlike so many other books that take for granted that the reader is already up to par on the backstory, Zalewski takes the time to really dig deep into the tools, protocols and RFCs that run the modern web.</li>
<li><a href="https://www.net-security.org/secworld.php?id=12323">(IN)SECURE Magazine Issue #33 Released</a> &#8211; net-security.org<br />
(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://labs.neohapsis.com/2012/01/25/keychain-dumper-updated-for-ios-5/">Keychain Dumper Updated for iOS 5</a> &#8211; labs.neohapsis.com<br />
I’ve received a few issue submissions on github regarding various issues people have had getting Keychain Dumper to work on iOS 5. I meant to look into it earlier, but I was not able to dedicate any time until this week. Besides a small update to the Makefile to make it compatible with the latest SDK, the core issue seemed to have something to do with code signing.</li>
<li><a href="http://www.symantec.com/connect/de/blogs/update-androidcounterclank">An Update on Android.Counterclank</a> &#8211; symantec.com<br />
Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users.</li>
<li><a href="http://www.metageek.net/products/inssider/">UPDATE: inSSIDer v2.1.0.1379!</a> &#8211; metageek.net<br />
inSSIDer is an award-winning free, open-source Wi-Fi network scanner for Windows Vista and Windows XP. Because NetStumbler doesn’t work well with Vista and 64-bit XP, the authors built an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems.</li>
<li><a href="http://www.engadget.com/2012/02/02/passware-claims-firevault-2-can-be-cracked-in-under-an-hour-sel/">Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it</a> &#8211; engadget.com<br />
Lunch hours may never feel safe again. That is, if you have a Mac running Lion / FileVault 2, like leaving your computer around, or have unscrupulous colleagues. Data recovery firm Passware claims its &#8220;Forensic&#8221; edition software can decrypt files protected by FileVault 2 in just 40 minutes &#8212; whether it&#8217;s &#8220;letmein&#8221; or &#8220;H4x0rl8t0rK1tt3h&#8221; you chose to stand in its way.</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li><a href="http://marcoramilli.blogspot.com/2012/01/windows-loader-and-aslr-on-binaries.html">Windows Loader and ASLR on Binaries</a> &#8211; marcoramilli.blogspot.com<br />
Summing up for newer readers, Windows Loader looks for a specific FLAG into the PE Header. In the PE Header, specifically in the IMAGE_OPTIONAL_HEADER section there is a flag called DLL Characteristics that defines many features for the executable during its loading time, 1 of them being ASLR.</li>
<li><a href="http://blog.didierstevens.com/2012/02/02/x64-windows-shellcode/">x64 Windows Shellcode</a> &#8211; blog.didierstevens.com<br />
Last year I found great x64 shellcode for Windows on McDermott’s site. Not only is it dynamic (lookup API addresses), but it even handles forwarded functions.</li>
<li><a href="http://intrepidusgroup.com/insight/2012/01/ubertooth-bluetooth-address-breakdown/">Ubertooth: Bluetooth Address Breakdown</a> &#8211; intrepidusgroup.com<br />
The IG crew is just heading back from ShmooCon, which reminds me of last year’s awesome talk on the Ubertooth One. Intrepidus backed the kickstarter project and, as promised, got 2 Ubertooths. We recently started playing with it, and have a couple of tips and a supplementary script.</li>
</ul>
<p>
<strong>Vendor/Software Patches</strong></p>
<ul>
<li><a href="http://googlemobile.blogspot.com/2012/02/android-and-security.html">Android and Security</a> &#8211; googlemobile.blogspot.com<br />
The last year has been a phenomenal one for the Android ecosystem. Device activations grew 250% year-on-year, and the total number of app downloads from Android Market topped 11 billion. As the platform continues to grow, we’re focused on bringing you the best new features and innovations &#8211; including in security.</li>
</ul>
<p>
<strong>Vulnerabilities</strong></p>
<ul>
<li>TDL4 &#8211; Purple Haze</li>
<ul>
<li><a href="http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html">TDL4 &#8211; Purple Haze (Pihar) Variant &#8211; sample and analysis</a> &#8211; contagiodump.blogspot.com<br />
I recently ran into an interesting piece of malware that was downloaded on a victim&#8217;s computer. I thought it was TDL/TDSS or maybe a new version of it as it had same components as TDL4 bootkit with a functionality of a mass scale PPC (pay-per-click) fraud. TDL had this functionality too and it is most likely spread by the same Russian-speaking gangs using the Blackhole exploit kit.</li>
<li><a href="http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain">TDL4 reloaded: Purple Haze all in my brain</a> &#8211; blog.eset.com<br />
This week we received an untypical sample of Win32/Olmarik.AYD (TDL4) from Mila (of the contagiodump blog). We have already spent a long time tracking TDL4 bootkit family (The Evolution of TDL: Conquering x64) and this time we are seeing key modifications to the dropper and hidden file system.</li>
</ul>
<li><a href="http://www.symantec.com/connect/blogs/androidcounterclank-found-official-android-market">Android.Counterclank Found in Official Android Market</a> &#8211; symantec.com<br />
Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.</li>
<li><a href="http://www.nytimes.com/2012/01/26/technology/personaltech/protecting-a-cellphone-against-hackers.html?_r=3">Build Up Your Phone’s Defenses Against Hackers</a> &#8211; nytimes.com<br />
Technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. The smartphone security company Lookout Inc. estimates that more than a million phones worldwide have already been affected.</li>
<li><a href="http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/">Exploiting CVE-2011-2140 another flash player vulnerability</a> &#8211; abysssec.com<br />
Before going future we are sorry to not update blog regularly, but it’s due to we are busy with stack of projects and also working on our expert training courses.<br />
So as we didn’t post any blog post here we go with another flash player exploit we wrote long time ago.</li>
<li><a href="http://exploitshop.wordpress.com/2012/01/18/ms11-087-aka-duqu-vulnerability-in-windows-kernel-mode-drivers-could-allow-remote-code-execution/">MS11-087 (aka Duqu) : Vulnerability in Windows kernel-mode drivers could allow remote code execution</a> &#8211; exploitshop.wordpress.com<br />
Since many folks are asking more about MS11-087, I’m posting some of interesting questions I’ve got.</li>
<li><a href="http://www.bbc.co.uk/news/technology-16812064">Hackers outwit online banking identity security systems</a> &#8211; bbc.co.uk<br />
Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned.</li>
<li><a href="http://www.exploit-db.com/exploits/18446/">Webkit normalize bug for android 2.2 (CVE-2010-1759)</a> &#8211; exploit-db.com</li>
<li><a href="http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/">MS12-005 : embedded object package allow arbitrary code execution</a> &#8211; exploitshop.wordpress.com<br />
MS12-005 is much more dangerous than I thought. Very easy to exploit, and 100% reliable. Now no user interactions are required. Exploit is available.</li>
</ul>
<p>
<strong>Other News</strong></p>
<ul>
<li><a href="http://www.slashgear.com/us-officials-say-cyber-crimes-will-overtake-terrorism-as-top-threat-04212112/">US officials say cyber crimes will overtake terrorism as top threat</a> &#8211; slashgear.com<br />
Just as authentication service VeriSign admitted it has been hit by very strong hacking attacks a couple years ago, US officials have revealed that computer crimes will be more of a threat to the country than terrorism. VeriSign is an example of how cyber attacks can affect tens of millions of civilians, but government offices are also the target of malicious hackers.</li>
<li><a href="http://www.scmagazine.com.au/News/289077,verisign-hacked-data-stolen.aspx">Verisign hacked, data stolen</a> &#8211; scmagazine.com.au<br />
Verisign has admitted it was hacked repeatedly in 2010 and could not pin down what data was stolen.</li>
<li><a href="http://www.computerworld.com/s/article/9223941/Half_of_Fortune_500_firms_infected_with_DNS_Changer">Half of Fortune 500 firms infected with DNS Changer</a> &#8211; computerworld.com<br />
Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the &#8220;DNS Changer&#8221; malware that redirects users to fake websites and puts organizations at risk of information theft, a security company said today.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/02/06/week-5-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 4 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/01/30/week-4-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/01/30/week-4-in-review-2012/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 05:22:36 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Chrome]]></category>
		<category><![CDATA[GPS]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[SMBshell]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[video conferencing]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2024</guid>
		<description><![CDATA[Event Related Shmoocon 2012 ShmooCon 2012: Raising The White Flag &#8211; blog.c22.cc Whitelisting is often touted as a replacement for AV. Despite the fact that something better than AV is needed, application whitelisting isn’t the solution. Their purpose seems good, for the execution is lacking. Things are headed in the right direction, but using simple [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li>Shmoocon 2012</li>
<ul>
<li><strong><a href="http://blog.c22.cc/2012/01/28/shmoocon-2012-raising-the-white-flag/">ShmooCon 2012: Raising The White Flag</a></strong> &#8211; blog.c22.cc<br />
Whitelisting is often touted as a replacement for AV. Despite the fact that something better than AV is needed, application whitelisting isn’t the solution. Their purpose seems good, for the execution is lacking. Things are headed in the right direction, but using simple bypass techniques it’s possible to bypass these whitelisting protections.</li>
<li><strong><a href="http://blog.c22.cc/2012/01/28/shmoocon-2012-java-backdoors-and-cross-framework-abuse/">ShmooCon 2012: Java backdoors and Cross Framework Abuse</a></strong> &#8211; blog.c22.cc<br />
Java has a number of different archive formats. This talk covers the J2SE / J2EE type archives. The goal here is to show how simple it is to add potentially malicious software to three of the most common formats.</li>
</ul>
<li><strong><a href="//threatpost.com/en_us/blogs/revamped-pwn2own-offer-105k-prizes-cash-google-chrome-0-days-012312">Pwn2Own to Offer $150K in Prizes</a> </strong>- threatpost.com<br />
The Pwn2Own contest at the CanSecWest conference has become one of the landmark events on the calendar each year, as researchers gather with nervous vendors in a tiny room to see who can own which browser on which platform and how quickly. But this year&#8217;s contest will have a much different look than past editions, with participants vying for more than $100,000 in cash by amassing points over the course of three days.</li>
<li><strong><a href="http://jeremiahgrossman.blogspot.com/2012/01/tedxmaui-hack-yourself-first.html">TEDxMaui – Hack Yourself First</a></strong> &#8211; jeremiahgrossman.blogspot.com<br />
Ten years ago if you would have told me that I&#8217;d be back living in Hawaii, founder of a fast growing technology company, and a TED speaker &#8212; I would&#8217;ve said, &#8220;What&#8217;s a TED?&#8221; Preparing for TEDxMaui was extremely difficult.</li>
<li><strong><a href="//blog.rootshell.be/2012/01/25/first-2012-owasp-belgium-chapter-meeting-wrap-up/">First 2012 OWASP Belgium Chapter Meeting Wrap-Up</a></strong> &#8211; blog.rootshell.be<br />
A new year started and why change good habits? I’m just back from the first OWASP Belgium Chapter meeting of 2012. Here is my quick wrap-up. The organization remains the same, the first few minutes were dedicated to some news from the OWASP organization given by Seba.</li>
<li><strong><a href="https://blip.tv/sourceboston2011">SOURCE Boston 2011</a></strong> - blip.tv<br />
SOURCE Boston 2011 session videos now released</li>
</ul>
<p>
<strong>Resources</strong></p>
<ul>
<li><strong><a href="https://docs.google.com/gview?url=https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf?pli%3D0&amp;pli=1">From CVE-2010-0738 to the recent JBoss worm</a></strong> &#8211; owasp.org<br />
This presentation is an extended version of a talk delivered during the OWASP Bay Area Chapter Meeting (November 30, 2011)</li>
<li><strong><a href="http://www.bankinfosecurity.com/articles.php?art_id=4438">NIST Issues Public Cloud Computing Guidance</a></strong> &#8211; bankinfosecurity.com<br />
Users – not providers – have ultimate responsibility for the security and privacy of data stored on the public cloud, new guidance from the National Institute of Standards and Technology says.</li>
<li><strong><a href="http://thepasswordproject.com/rockyou_passpal_0.3_dump">rockyou_passpal_0.3_dump</a></strong> &#8211; thepasswordproject.com<br />
This report was generated using passpal. 218 lines/unique passwords that were not valid UTF-8 were removed prior to analysis. A few lines seem to be HTML and other web scrapings, especially some of the longer lines, but this is hard to clean up automatically.</li>
<li><strong><a href="http://jessekornblum.livejournal.com/278736.html">Slides from DoD Cyber Crime Conference</a></strong> &#8211; jessekornblum.livejournal.com<br />
As promised, I&#8217;ve published the slides and scripts I used during my talks at the 2012 DoD Cyber Crime conference.</li>
<li><strong><a href="https://github.com/johnnykv/Heralding">Johnnykv / Heralding</a></strong> &#8211; github.com<br />
Simple low interaction honeypot to log login names and password from bruteforce attacks on pop3, imap, telnet and ssh.</li>
<li><strong><a href="http://digitalforensicssolutions.com/Android_Mind_Reading.pdf">Android Mind Reading</a></strong> - digitalforensicssolutions.com<br />
What We’ll Cover: Live Forensics; Traditional Linux Memory Forensics Overview; Problems with Android; Acquisition Tools (DMD); Volatility; Demo</li>
<li><strong><a href="http://www.routerpwn.com/">Router PWN</a></strong> &#8211; routerpwn.com
</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><strong><a href="http://www.theprojectxblog.net/smbshell-samba-pentesting-tool/">SMBShell – Samba Pentesting Tool</a></strong> &#8211; theprojectxblog.net<br />
SMBShell is a cross platform java based multi threaded application with minimal smb client shell pentesting tool. This application uses dictionary attack method against remote samba daemon with the capability of spawning an smb client shell with every credential found if the check box ‘spawn shell’ is checked. This will help network/system administrator test the password integrity with the very basic common password attack in your Linux, BSD or Windows box with samba installed.</li>
<li><strong><a href="https://code.google.com/p/hash-identifier/">Hash-identifier</a></strong> - code.google.com<br />
Software to identify the different types of hashes used to encrypt data and especially passwords.</li>
<li><strong><a href="http://www.darkoperator.com/blog/2012/1/29/metasploit-pentest-plugin-part-2.html">Metasploit Pentest Plugin Part 2</a></strong> &#8211; darkoperator.com<br />
This is the second part of my Pentest Metasploit plugin. This part will cover the post exploitation commands this plugin adds. First I would like to cover the thought process of these commands. The commands came from some modules I pushed and then had to pull from the Metasploit Framework around summer of 2011 that sadly did not comply with some of the rules on what modules were supposed to do and the post mixin did not allow me to do.</li>
</ul>
<p>
<strong>Techniques</strong></p>
<ul>
<li><strong><a href="//resources.infosecinstitute.com/iphone-forensics/">iPhone Forensics</a></strong> &#8211; resources.infosecinstitute.com<br />
iPhone forensics can be performed on the backups made by iTunes (escrow key attack) or directly on the live device. This article explains the technical procedure and the challenges involved in extracting data from the live iPhone.</li>
<li><strong><a href="http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html">Psexec fail? Upload and Exec Instead</a></strong> &#8211; carnal0wnage.attackresearch.com<br />
I ended up having to use the smb/upload file module on a pentest. I was able to get the local admin hashes but for some reason the psexec module wouldn’t get code execution, it would act like it would work but wasn’t. So we decided to push a binary, use winexe that was modified to pass the hash to exec the binary as needed.</li>
<li><strong><a href="http://spareclockcycles.org/2012/01/23/exploiting-an-ip-camera-control-protocol-redux/">Exploiting an IP Camera Control Protocol: Redux</a></strong> &#8211; spareclockcycles.org<br />
Last May, I wrote about a remote password disclosure vulnerability I found in a proprietary protocol used to control ~150 different low-end IP cameras. The exploit I wrote was tested on the Rosewill RXS-3211, a rebranded version of the Edimax IC3005.</li>
<li><strong><a href="http://jessekornblum.livejournal.com/278435.html">Kyrus Beta Testing NSRLquery Server</a></strong> &#8211; jessekornblum.livejournal.com<br />
Kyrus is beta testing a public NSRLquery server and we invite you try it out! This server allows you to submit file hashes to determine if those files are present in the National Software Reference Library (NSRL).</li>
<li><strong><a href="http://chaptersinwebsecurity.blogspot.com/2012/01/leak-sensor-pastebin-data-leakage.html">Leak Sensor &#8211; Pastebin data leakage detection </a></strong> &#8211; chaptersinwebsecurity.blogspot.com<br />
As we all know, the cyber war is escalating. Hackers use Trojans and website penetrations to gain access to sensitive data. This includes email addresses, social security numbers, passwords and much more. The hacktivism movements such as Anonymous exploit Pastebin as a platform for anonymous data publishing.</li>
<li><strong><a href="http://dsecrg.blogspot.com/2012/01/netbios-spoofing-for-attacks-on.html">NetBIOS spoofing for attacks on browser</a></strong> &#8211; dsecrg.blogspot.com<br />
Sometime ago during pentest NetBIOS protocol got my attention. Especially, NetBIOS naming and its co-work with DNS.<br />
NetBIOS is an old protocol, distributed world-wide, but it doesn’t have many security mechanisms. And I think that many interesting things are born in different technologies’ interception. So I started a little research and I want to show some results of it.</li>
<li><strong><a href="https://community.rapid7.com/community/solutions/metasploit/blog/2012/01/27/pass-the-hash-with-nexpose-and-metasploit">&#8220;Pass the hash&#8221; with Nexpose and Metasploit</a></strong> &#8211; community.rapid7.com<br />
I am proud to announce that Nexpose 5.1.0 now supports &#8220;pass the hash&#8221;, a technique to remotely authenticate against a Windows machine (or any SMB/CIFS server) with the mere possession of LM/NTLM password hashes, without needing to crack or brute force them. Nexpose is able to use the hashes to perform credentialed scans to produce very detailed scan results of all sorts of local and remote vulnerabilities that may otherwise not be detectable.</li>
<li><strong><a href="http://googleonlinesecurity.blogspot.com/2012/01/landing-another-blow-against-email.html">Landing another blow against email phishing</a></strong> &#8211; googleonlinesecurity.blogspot.com<br />
Email phishing, in which someone tries to trick you into revealing personal information by sending fake emails that look legitimate, remains one of the biggest online threats. One of the most popular methods that scammers employ is something called domain spoofing. With this technique, someone sends a message that seems legitimate when you look at the “From” line even though it’s actually a fake.</li>
<li><strong><a href="http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes_29.html">Dump Windows password hashes efficiently &#8211; Part 6</a></strong> &#8211; bernardodamele.blogspot.com<br />
When you login to a network resource like a network share, a proxy server behind NTLM authentication, a database management system, a mail server, etc, you can often instruct your client to save the password, typically by simply ticking the box “Remember my password”.</li>
</ul>
<p>
<strong>Vendor/Software Patches</strong></p>
<ul>
<li><strong><a href="http://www.pentestit.com/update-mutillidae-2113/">UPDATE: Mutillidae 2.1.13!</a></strong> &#8211; pentestit.com<br />
“Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application. Mutillidae can be installed on Linux, Windows XP, and Windows 7 using XAMPP making it easy for users who do not want to install or administrate their own webserver.</li>
<li><strong><a href="http://www.pentestit.com/update-javasnoop-11-rc2/">UPDATE: JavaSnoop 1.1 RC2!</a></strong> &#8211; pentestit.com<br />
“JavaSnoop is a tool for testing (re: hacking) Java desktop applications or applets. It is a tool that lets you intercept methods, alter data and otherwise hack Java applications running on your computer. JavaSnoop does so by allowing you attach to an existing process (like a debugger) and instantly begin tampering with method calls, run custom code, or just watch what’s happening on the system.”</li>
<li><strong><a href="http://www.pentestit.com/poc-linux-privilege-escalation-exploits/">PoC Linux privilege escalation exploits</a></strong> &#8211; pentestit.com<br />
POC proof-of-concept exploit code for a recently spotted privilege escalation flaw CVE-2012-0056 ( POC Linux privilege escalation exploits ) in the Linux kernel has left Linux vendors scrambling to push out a patch.</li>
</ul>
<p>
<strong>Vulnerabilities</strong></p>
<ul>
<li><strong><a href="http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/">10K Reasons to Worry About Infrastructure</a></strong> &#8211; wired.com<br />
A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.</li>
<li><strong><a href="http://blogs.iss.net/archive/CVE_2012_0003_Exploi.html">CVE-2012-0003 Exploited in the Wild</a></strong> &#8211; blogs.iss.net<br />
If for whatever reason you haven’t applied the critical January 2012 security update from Microsoft, now you really need to. Live web based exploitation of the vulnerability we found for handling MIDI in Windows Multimedia Library was reported by Trend Micro.</li>
<li><strong><a href="http://eromang.zataz.com/2012/01/27/ms12-004-windows-media-remote-code-execution-metasploit-demo/">Full-nelson.c Linux Kernel local privilege escalation</a></strong> - eromang.zataz.com<br />
This exploit leverages three vulnerabilities to get root, all of which were discovered by Nelson Elhage.</li>
<li>Symantec Updates</li>
<ul>
<li><strong><a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&amp;pvid=security_advisory&amp;year=2012&amp;suid=20120124_00">Security Advisories Relating to Symantec Products – Symantec pcAnywhere Remote Code Execution, Local Access File Tampering SYM12-002</a></strong> &#8211; symantec.com<br />
Added hotfix information for Symantec pcAnywhere versions 12.0.x and 12.1.x if customers are unable to follow the upgrade recommendations to 12.5.3. Link to Technical White Paper &#8220;Symantec pcAnywhere Security Recommendations&#8221; Updates to &#8220;Affected Products&#8221; and &#8220;Products Not Affected.&#8221;</li>
<li><strong><a href="http://news.cnet.com/8301-27080_3-57366090-245/symantec-tells-customers-to-disable-pcanywhere/?part=rss&amp;tag=feed&amp;subj=News-Security">Symantec tells customers to disable PCAnywhere</a></strong> &#8211; news.cnet.com<br />
Symantec is urging customers to disable PCAnywhere until it issues a software update to protect them against attacks that could result from the theft of the product&#8217;s source code.</li>
<li><strong><a href="http://www.computerworld.com/s/article/9223725/Threatened_by_Anonymous_Symantec_tells_users_to_pull_pcAnywhere_s_plug">Symantec tells users to pull pcAnywhere&#8217;s plug</a></strong> &#8211; computerworld.com<br />
Symantec this week took the highly unusual step of telling users of its pcAnywhere remote access software to disable or uninstall the software while it fixes an unknown number of bugs.</li>
<li><strong><a href="http://krebsonsecurity.com/2012/01/warnings-about-windows-exploit-pcanywhere/">Warnings About Windows Exploit, pcAnywhere</a></strong> &#8211; krebsonsecurity.com<br />
Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.</li>
</ul>
<li>Video Conferencing</li>
<ul>
<li><strong><a href="http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html">Cameras May Open Up the Board Room to Hackers</a></strong> &#8211; nytimes.com<br />
One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment.</li>
<li><strong><a href="http://www.computerworld.com/s/article/9223743/Video_conferencing_mistakes_make_espionage_easy_say_researchers">Video conferencing mistakes make espionage easy</a></strong> &#8211; computerworld.com<br />
Tens of thousands of video conferencing setups, including some in corporate meeting rooms where the most confidential information is discussed, are vulnerable to spying attacks, researchers said this week.</li>
</ul>
</ul>
<p>
<strong>Other News</strong></p>
<ul>
<li>GPS Tracking/Surveillance</li>
<ul>
<li><strong><a href="http://www.wired.com/threatlevel/2012/01/scotus-gps-ruling/">Supreme Court Rejects Willy-Nilly GPS Tracking</a></strong> &#8211; wired.com<br />
The Supreme Court said Monday that law enforcement authorities might need a probable-cause warrant from a judge to affix a GPS device to a vehicle and monitor its every move — but the justices did not say that a warrant was needed in all cases.</li>
<li><strong><a href="http://edition.cnn.com/2012/01/23/justice/scotus-gps-tracking/index.html">Justices rule against police, say GPS surveillance requires search warrant</a></strong> &#8211; edition.cnn.com<br />
Police erred by not obtaining an extended search warrant before attaching a tracking device to a drug suspect&#8217;s car, the Supreme Court said in a unanimous ruling Monday.</li>
</ul>
<li>Decrypt Laptops</li>
<ul>
<li><strong><a href="http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/">Judge: Americans can be forced to decrypt their laptops</a></strong> &#8211; news.cnet.com<br />
American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case.</li>
<li><strong><a href="http://www.wired.com/threatlevel/2012/01/judge-orders-laptop-decryption/">Judge Orders Defendant to Decrypt Laptop</a></strong> &#8211; wired.com<br />
A judge on Monday ordered a Colorado woman to decrypt her laptop computer so prosecutors can use the files against her in a criminal case.</li>
</ul>
<li><strong><a href="http://www.darkreading.com/authentication/167901072/security/client-security/232500596/smartcards-still-a-smart-choice.html">Smartcards: Still A Smart Choice?</a></strong> &#8211; darkreading.com<br />
Imagine sailing through a checkout line, paying for your groceries simply by swiping your smartphone across a terminal. Or walking into a store and being served reward coupons on your mobile device after a near-field communication (NFC) receiver detects your presence.</li>
<li><strong><a href="http://www.wired.com/threatlevel/2012/01/anonymous-internationalist/">Anonymous Goes After World Governments in Wake of Anti-SOPA Protests</a></strong> &#8211; wired.com<br />
Over the last week, Anonymous has launched an unprecedented string of attacks on government and business sites around the world, as the anger of the hive that a year ago turned on Egypt’s Mubarak regime turned on governments around the world.</li>
<li><strong><a href="http://www.defensenews.com/article/20120118/DEFREG02/301180012/Chinese-Virus-Targets-DoD-Common-Access-Card">Chinese Virus Targets DoD Common Access Card</a></strong> &#8211; defensenews.com<br />
A Chinese-based cyber attack is targeting the U.S. Defense Department’s Common Access Cards with technology that could steal information from military networks while troops and civilians work at their desks, researchers say.</li>
<li><strong><a href="http://www.wired.com/threatlevel/2012/01/railyway-hack/">Hackers Breached Railway Network, Disrupted Service</a></strong> &#8211; wired.com<br />
Hackers attacked computers at an unidentified railway company, disrupting railway signals for two days in December, according to a government memo obtained by Nextgov.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/01/30/week-4-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Week 3 in Review – 2012</title>
		<link>http://infosecevents.net/2012/01/24/week-3-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/01/24/week-3-in-review-2012/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 16:50:32 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[Infiltrate Conference]]></category>
		<category><![CDATA[ncrack]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[pastebin]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[SOPA]]></category>
		<category><![CDATA[Windows Phone]]></category>
		<category><![CDATA[zappos]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1985</guid>
		<description><![CDATA[Event Related Infiltrate  Conference “Voight-Kampff’ing The BlackBerry PlayBook” at INFILTRATE 2012 – intrepidusgroup.com We gave a talk at Immunity’s awesome INFILTRATE conference in Miami Beach, FL. Our presentation, “Voight-Kampff’ing The BlackBerry Playbook”, discussed some of the blackbox style, independent research we performed on the BlackBerry PlayBook. Infiltrate Wrap Up – blog.opensecurityresearch.com Our industry is getting [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Event Related</strong></p>
<ul>
<li>Infiltrate  Conference</li>
<ul>
<li><strong><a href="http://intrepidusgroup.com/insight/2012/01/voight-kampffing-the-blackberry-playbook-at-infiltrate-2012/">“Voight-Kampff’ing The BlackBerry PlayBook” at INFILTRATE 2012</a> – </strong>intrepidusgroup.com<br />
We gave a talk at Immunity’s awesome INFILTRATE conference in Miami Beach, FL. Our presentation, “Voight-Kampff’ing The BlackBerry Playbook”, discussed some of the blackbox style, independent research we performed on the BlackBerry PlayBook.</li>
<li><strong><a href="http://blog.opensecurityresearch.com/2012/01/infiltrate-wrap-up.html">Infiltrate Wrap Up</a> – </strong>blog.opensecurityresearch.com<br />
Our industry is getting over saturated with conferences that are filled with stale and sometimes uninspiring content.  If we cannot collectively raise the bar, we’re not motivating ourselves to produce creative and innovative research – and if we’re not doing that, we might as well surrender our intellect, curiosity, and integrity to the vendors who would prefer to ignore the security of their customers, to increase their profits.</li>
</ul>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><strong><a href="https://www.securityninja.co.uk/application-security/windows-phone-app-analyser-v1-0-released-today-2/">Windows Phone App Analyser v1.0 released today</a> </strong>- securityninja.co.uk<br />
The main reason I wanted to do the WP7 app development was to increase my knowledge about the WP7 application development and submission process.  I have done a lot of mobile security research and even presented about Android and iOS security but I didn’t want to assume that knowledge would apply to WP7 so I got my hands dirty with some app development!</li>
<li><strong><a href="http://www.sectechno.com/2012/01/16/reversing-malware-with-android-reverse-engineering-a-r-e/">Reversing Malware with Android Reverse Engineering (A.R.E.)</a> </strong>- sectechno.com<br />
Malwares on mobile system are increasing dramatically, especially on android smartphone system, this week Trendmicro security lab posted about new campaign targeting this system by infecting users over web applications.</li>
<li><strong><a href="http://www.professionalsecuritytesters.org/modules.php?name=News&amp;file=article&amp;sid=1367">The SPToolkit &#8211; The Phishing Toolkit Project</a> </strong>- professionalsecuritytesters.org<br />
These articles give some good insights into why phishing is on the rise and why you, as an information security professional, should be worried about it.</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li><strong><a href="http://blog.rootshell.be/2012/01/17/monitoring-pastebin-com-within-your-siem/">Monitoring pastebin.com within your SIEM</a> </strong>- blog.rootshell.be<br />
For those who (still) don’t know <a title="Link to the website" href="http://pastebin.com/">pastebin.com</a>, it’s  a website mainly for developers. Its purpose is very simple: You can “<em>paste</em>” text on the website to share it with other developers, friends, etc. You paste it, optionally define an expiration date, if it’s public or private data and you are good.</li>
<li><strong><a href="http://alexmcgeorge.wordpress.com/2012/01/19/stuff-i-learned-while-writing-a-ctf">Stuff I learned while writing a CTF</a> </strong>- alexmcgeorge.wordpress.com<br />
This blog entry talks about some of the lessons I learned running the WebHacking class for Infiltrate 2012 which included a WarGame/CTF style hootenanny on the final day.</li>
<li><strong><a href="http://sock-raw.org/index.html#Ncrack_presentation">Ncrack presentation</a>   </strong>- sock-raw.org<br />
Just letting people know, I uploaded the slides from my AthCon presentation on <a href="http://sock-raw.org/nmap-ncrack/ncrack.pdf">Network Exploitation with Ncrack</a>. I will probably get my hands on the video material from the conference soon.</li>
</ul>
<p><strong>Vendor/Software Patches</strong></p>
<ul>
<li>Oracle Updates</li>
<ul>
<li><strong><a href="http://www.infoworld.com/d/security/fundamental-oracle-flaw-revealed-184163-0">Fundamental Oracle flaw revealed</a></strong>  <strong>-</strong> infoworld.com<br />
Over the past two months, InfoWorld has been researching a flaw in Oracle&#8217;s flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems.</li>
<li><strong><a href="http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html">Oracle Critical Patch Update Advisory &#8211; January 2012</a> </strong>- oracle.com<br />
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory.</li>
</ul>
</ul>
<p><strong>Vulnerabilities</strong></p>
<ul>
<li><strong><a href="http://blogs.zappos.com/securityemail">Security Email</a> </strong>- blogs.zappos.com<br />
The most important focus for us right now is the safety and security of our customer’s information.  Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts.</li>
<li><a href="http://blog.ioactive.com/2012/01/free-windows-vulnerability-for-nsa.html"><strong>A free Windows Vulnerability for the NSA</strong> </a>– blog.ioactive.com<br />
Some months ago at Black Hat USA 2011 I presented this interesting issue in the workshop “Easy and Quick Vulnerability Hunting in Windows,” and now I’m sharing a more detailed explanation with everyone in this blog post.</li>
<li><strong><a href="http://intrepidusgroup.com/insight/2012/01/gliffy-cloud-leaking-confidential-privacy/">Excuse me, your clouds are leaking</a></strong> &#8211; intrepidusgroup.com<br />
I recently started playing around with Gliffy, a nice online diagramming tool that has become quite popular.  Gliffy makes sharing your diagrams with the world easy.</li>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li><a href="http://threatpost.com/en_us/blogs/offensive-research-continuing-advance-011612"><strong>Offensive Research Continuing to Advance</strong></a> &#8211; threatpost.com<br />
&#8220;The ability to make a difference in the real world against dedicated offensive teams is a rare thing,&#8221; Dave Aitel, CEO of Immunity, which put on Infiltrate, said during the conference. &#8220;This stuff can change quickly.&#8221;</li>
<li><strong><a href="http://blog.reddit.com/2012/01/technical-examination-of-sopa-and.html">A technical examination of SOPA and PROTECT IP</a></strong> &#8211; blog.reddit.com<br />
As you have probably heard, there are two pieces of legislation currently pending that we, and others like us, believe seriously threaten the internet. I wanted to take some time to delve into the text of both of these bills, and outline their potential consequences as I am able to understand them.</li>
<li><strong><a href="http://news.cnet.com/8301-27080_3-57361559-245/man-charged-with-stealing-ny-fed-reserve-bank-source-code/">Man charged with stealing NY Fed Reserve Bank source code</a> </strong>- news.cnet.com<br />
Authorities arrested a computer programmer today and charged him with stealing source code worth $9.5 million from the Federal Reserve Bank of New York.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/01/24/week-3-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 2 In Review</title>
		<link>http://infosecevents.net/2012/01/16/week-2-in-review/</link>
		<comments>http://infosecevents.net/2012/01/16/week-2-in-review/#comments</comments>
		<pubDate>Mon, 16 Jan 2012 15:15:55 +0000</pubDate>
		<dc:creator>Glenn Santos</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[How Modern Cars Can Be Cracked]]></category>
		<category><![CDATA[Source Barcelona]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1972</guid>
		<description><![CDATA[Resources How Modern Cars Can Be Cracked &#8211; autosec.org SOURCE Barcelona Resources from September 2011 &#8211; sourceconference.com Links, articles, and media from the event. OSCP-My Review &#8211; proactivedefender.blogspot.com The OSCP certification is an offensive security course which teaches the attacking side of Information Security and is largely aimed at those wanting to become penetration testers. [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Resources</strong></p>
<ul>
<li><a href="http://www.autosec.org/pubs/cars-usenixsec2011.pdf">How Modern Cars Can Be Cracked</a> &#8211; autosec.org</li>
<li><a href="http://www.sourceconference.com/barcelona/schedule.asp">SOURCE Barcelona Resources from September 2011</a> &#8211; sourceconference.com<br />
Links, articles, and media from the event.</li>
<li><a href="http://proactivedefender.blogspot.com/2012/01/oscp-my-review.html">OSCP-My Review</a> &#8211; proactivedefender.blogspot.com<br />
The OSCP certification is an offensive security course which teaches the attacking side of Information Security and is largely aimed at those wanting to become penetration testers. My personal motivation for taking the course and exam was to better understand the methodology, tools and techniques that attackers employ to breach networks and systems.</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://hashcat.net/hashcat-gui/">hashcat-gui v0.5.0</a> &#8211; hashcat.net/hashcat-gui/</li>
<li><a href="http://lcamtuf.coredump.cx/p0f3/">p0f is back!</a> &#8211; lcamtuf.coredump.cx/p0f3/<br />
Version 3 is a complete rewrite, bringing you much improved SYN and SYN+ACK fingerprinting capabilities, auto-calibrated uptime measurements, completely redone databases and signatures, new API design, IPv6 support (who knows, maybe it even works?), stateful traffic inspection with thorough cross-correlation of collected data, application-level fingerprinting modules (for HTTP now, more to come), and a lot more.</li>
<li><a href="http://geek00l.blogspot.com/2012/01/large-scale-pcap-analysis.html">Large Scale Pcap Analysis</a> &#8211; geek00l.blogspot.com/2012/01/large-scale-pcap-analysis.html<br />
It seems that storage is not much of an issue when it comes to packet capture anymore, with terabytes becoming common everywhere, and many network analysis tools seem to be geared toward large scale pcap data analysis. bro-ids has extended its functionality by using tons of community hardware and timemachine to capture and analyze network data, and now I have just read about people at RIPE NCC doing this using Apache Hadoop
<li><a href="http://hackaday.com/2012/01/12/cheap-wifi-bridge-for-pen-testing-or-otherwise/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+hackaday%2FLgoM+%28Hack+a+Day%29">Cheap WiFi Bridge For Pentesting or Otherwise</a> &#8211; hackaday.com<br />
Twenty three dollars. That’s all this tiny pen-testing device will set you back. And there really isn’t much to it. [Kevin Bong] came up with the idea to use a Wifi router as a bridge to test a wired network’s security remotely. He grabbed a TP-Link TL-WR703N router, a low-profile thumb drive, and a cellphone backup battery; all cheaply available products.</li>
<li><a href="http://www.darkreading.com/security-monitoring/167901086/security/application-security/232400304/sandia-labs-offers-online-dnssec-tool.html">Sandia Labs Offers DNSSEC Tool </a>- darkreading.com<br />
A Sandia National Laboratories computer scientist has developed a free visualization tool to help the federal government and other organizations with their Domain Name System Security (DNSSEC) implementations.</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li><a href="http://www.accuvant.com/node/5552">Old Meets New: Microsoft Windows SafeSEH Incompatibility</a> &#8211; accuvant.com<br />
In recent years, Microsoft has made great strides to improve product security. This momentum can be seen clearly in their investments in security-focused processes, development, and research. The release of anti-exploitation features such as DEP, ASLR, Stack Cookies and SafeSEH are products of their commitment to security.</li>
<li><a href="http://blog.rootshell.be/2012/01/12/show-me-your-ssids-ill-tell-who-you-are/">Show Me Your SSID&#8217;s, I&#8217;ll Tell Who You Are </a>- blog.rootshell.be<br />
The idea of this article came from a colleague of mine. He wrote a first version of the script described below. I found it very useful and asked his permission to re-use it and to write this blog article. Thanks to him! In the mean time, during my researches, I also found that a friend, Didier Stevens, published on his blog the same kind of script but for an AirCap adapter. Mine uses any adapter capable to be switched to “monitor” mode.</li>
<li><a href="http://www.thespanner.co.uk/2012/01/12/introducing-shazzer-a-shared-online-fuzzer/">Introducing Shazzer: A Shared online fuzzer</a> &#8211; thespanner.co.uk<br />
I lost inspiration for coding a while ago and had this idea I was sitting on for a while, I’m often stuck at the design stage before I write a line of code and I will refuse to continue without a clear picture in my head on how an app is going to work. After the Christmas break I got my inspiration back and started to formulate pretty quickly how Shazzer might work.</li>
<li><a href="http://tdsne.blogspot.com/2012/01/hacking-ms-access-for-fun-and-profit.html">Hacking MS Access For Fun and Profit</a> &#8211; tdsne.blogspot.com<br />
I spent a great many years of my early career making amazing things with MS Access databases and VBA.  I&#8217;ve lost most of these skills nowadays, but I remember a lot about how things are constructed internally and how I used to go about securing things.</li>
<li><a href="https://community.rapid7.com/community/solutions/metasploit/blog/2012/01/12/what-you-need-to-observe-when-running-a-penetration-test-in-the-amazon-cloud">How To Run Penetration Tests From The Amazon Cloud &#8211; Without Getting Into Trouble</a> &#8211; community.rapid7.com<br />
This is especially useful since several team members can use the same instance of Metasploit Pro in the cloud at the same time through Metasploit Pro&#8217;s web-based user interface, even if team members are working on different projects at the same time.</li>
<li><a href="http://carnal0wnage.attackresearch.com/2011/12/sanitize-input.html">Sanitize Input</a> &#8211; carnal0wnage.attackresearch.com/2011/12/sanitize-input.html<br />
When application security was still in its infancy, there were discussions on how to protect applications from newly discovered injection vulnerabilities. &#8220;Sanitize Input&#8221; was a popular solution that rolled off the tongue nicely and was not overly complicated to explain. It was also a very generic solution that would (hopefully) be part of a more complete approach.</li>
</ul>
<p><strong>Vendor/Software Patches</strong></p>
<ul>
<li>Microsoft Security Bulletin January 2012<br />
As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing seven security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important. These bulletins will address eight vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible.</li>
<ul>
<li><a href="http://blogs.technet.com/b/msrc/archive/2012/01/10/january-2012-security-bulletins-released.aspx">January 2012 Security Bulletins Released</a> &#8211; blogs.technet.com</li>
<li><a href="http://blogs.technet.com/b/mmpc/archive/2012/01/10/january-12-msrt-win32-sefnit.aspx">January &#8217;12 MSRT: Win32/Sefnit</a> &#8211; blogs.technet.com</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-001">Vulnerability in Windows Kernel Could Allow Security Feature Bypass</a> &#8211; technet.microsoft.com</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-002">Vulnerability in Windows Object Packager Could Allow Remote Code Execution</a> &#8211; technet.microsoft.com</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-003">Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege</a> &#8211; technet.microsoft.com</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-004">Vulnerabilities in Windows Media Could Allow Remote Code Execution</a> &#8211; technet.microsoft.com</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-005">Vulnerability in Microsoft Windows Could Allow Remote Code Execution</a> &#8211; technet.microsoft.com</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-006">Vulnerability in SSL/TLS Could Allow Information Disclosure</a> &#8211; technet.microsoft.com</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-007">Vulnerability in AntiXSS Library Could Allow Information Disclosure</a> &#8211; technet.microsoft.com</li>
</ul>
<li><a href="http://www.wireshark.org/news/20120110.html">Wireshark 1.6.5 and 1.4.11 Released</a> &#8211; wireshark.org<br />
Wireshark 1.6.5 and 1.4.11 have been released. Installers for Windows, Mac OS X 10.5.5 and above (Intel and PPC), and source code are now available.</li>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li><a href="http://community.websense.com/blogs/securitylabs/archive/2012/01/11/what-makes-a-high-alexa-rank-spam-website.aspx">Typosquatting social web gains top Alexa ranking</a> &#8211; community.websense.com<br />
These are amazing results for fraudulent Web sites, as some of them rank even better than genuine big name portals. In this campaign, the fraudulent sites pretend to be from YouTube, and they try to lure you in by saying you have been selected to complete a survey for a chance to win a gift such as an iPhone 4S. Survey scams were very common in the past year, and were usually spread within social networks like Facebook or Twitter.</li>
<li><a href="http://threatpost.com/en_us/blogs/researchers-find-way-sniff-corporate-email-blackberry-playbook-011212">Researchers Find Way To Sniff Corporate Email Via Blackberry Playbook</a> &#8211; threatpost.com<br />
Researchers and attackers have had no shortage of mobile platforms and devices to sink their teeth into in recent years, thanks to the explosion of iOS and Android phones and tablets in the consumer and enterprise markets. Now, the spotlight is slowly beginning to turn in the direction of RIM, and specifically its BlackBerry PlayBook tablet.</li>
<li><a href="http://threatpost.com/en_us/blogs/banks-come-together-share-fight-hackers-prevent-attacks-011212">Banks Coming Together To Fight Hackers, Prevent Attacks</a> &#8211; threatpost.com<br />
Major banks like Morgan Stanley, Goldman Sachs Group and Bank of America are putting together plans to help identify new security threats before they happen, according to a report from the Wall Street Journal this week.</li>
<li><a href="http://arstechnica.com/business/news/2012/01/device-turns-any-laptop-storage-into-a-self-encrypted-drive.ars?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+Featured+Content%29">DiskCrypt Turns Any Laptop Storage Into A Self-Encrypted Drive</a> &#8211; arstechnica.com<br />
DiskCrypt takes a similar approach, providing firmware within the enclosure that performs pass-through encryption and decryption. It uses AES encryption, and has a NIST FIPS 140-2 level 1 certified cryptographic module—meaning that it has been certified by the feds for basic information security, but not for classified information, as it&#8217;s specifically single-user.</li>
<li><a href="http://threatpost.com/en_us/blogs/researchers-find-sykipot-trojan-variant-hijacking-dod-smart-cards-011212">Researchers Find Sykipot Trojan Variant For Hijacking DoD Smartcards</a> &#8211; threatpost.com<br />
The research, published in a blog post Thursday, is the latest by Alien Vault to look at Sykipot, a Trojan horse program known to be used in targeted attacks against defense industrial base (DIB). The new variants, which Alien Vault believes have been circulating since March, 2011, have been used in &#8220;dozens of attacks&#8221; and contain features that would allow remote attackers to steal smart card credentials and access sensitive information.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/01/16/week-2-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 1 In Review</title>
		<link>http://infosecevents.net/2012/01/09/week-1-in-review-2/</link>
		<comments>http://infosecevents.net/2012/01/09/week-1-in-review-2/#comments</comments>
		<pubDate>Mon, 09 Jan 2012 18:00:23 +0000</pubDate>
		<dc:creator>Glenn Santos</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Chaos Communications Congress]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1966</guid>
		<description><![CDATA[Events Related Highlights from the 28th Chaos Communications Congress &#8211; advocacy.globalvoicesonline.org The Chaos Communications Congress is the annual meetup of Germany&#8217;s Chaos Computer Club, one of the oldest hacker collectives in the world. It takes place in Berlin every year at the height of the holiday season between Christmas and New Year&#8217;s Eve, a time [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Events Related</strong></p>
<ul>
<li><a href="http://advocacy.globalvoicesonline.org/2012/01/05/highlights-and-videos-from-the-28th-chaos-communications-congress/">Highlights from the 28th Chaos Communications Congress</a> &#8211; advocacy.globalvoicesonline.org<br />
The Chaos Communications Congress is the annual meetup of Germany&#8217;s Chaos Computer Club, one of the oldest hacker collectives in the world. It takes place in Berlin every year at the height of the holiday season between Christmas and New Year&#8217;s Eve, a time when only the dedicated European computer obsessive would leave their family and friends to spend four days in a conference centre with like-minded hackers and geeks.</li>
<li><a href="http://secnerd.blogspot.com/2012/01/28c3-28th-chaos-communication-congress.html">28th Chaos Communication Congress &amp; Berlin Sides or a tough week in Berlin</a> &#8211; secnerd.blogspot.com<br />
We carried out the same procedure as every year; Stormbringer and I meet on December 26th around 7pmish at the airport in Zürich for a beer or two. Unfortunately he was late, so I had to drink alone. No harm was done as I still had to finish the slides for my talk.</li>
<li><a href="http://www.securitybsides.com/w/page/45949158/BSidesDFW%202011%20Schedule">BSidesDFW 2011 Schedule</a> &#8211; securitybsides.com</li>
</ul>
<p><strong>Resources</strong></p>
<ul>
<li><a href="http://rdist.root.org/2012/01/06/mixed-voltage-interfacing-for-design-or-hacking/">Mixed voltage interfacing for design and hacking</a> &#8211; rdist.root.org<br />
Modern digital systems involve a wide array of voltages. Instead of just the classic 5V TTL, they now use components and busses ranging from 3.3V down to 1.0V. Interfacing with these systems is tricky, especially when you have multiple power sources, capacitive loads, and inrush current from devices being powered on.</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://www.technitium.com/tmac/index.html#download">Technitium MAC Address Changer v6.0</a> &#8211; www.technitium.com/tmac/index.html#download<br />
Technitium MAC Address Changer allows you to change Media Access Control (MAC) Address of your Network Interface Card (NIC) irrespective to your NIC manufacturer or its driver. It has a very simple user interface and provides ample information regarding each NIC in the machine.</li>
<li><a href="http://seclists.org/nmap-dev/2012/q1/23">Nmap 5.61TEST4 released &#8211; 51 New Scripts, web spidering, vuln library, and more!</a> &#8211; seclists.org<br />
Hello folks, and happy new year! I&#8217;d like to start 2012 off right&#8211;with a new version of Nmap. So I&#8217;m happy to release 5.61TEST4. The version number may not sound that different than the previous 5.61TEST2, but we&#8217;ve made many big improvements in the last three months.</li>
<li><a href="http://www.devttys0.com/2012/01/reaver-now-goes-to-11/">Reaver Now Goes To 11</a> &#8211; devttys0.com<br />
The decision has been made to open source the Reaver command line tool. The commercial version will contain all the features the open source command-line tool has along with a web based client, support, and service options.</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li><a href="http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+Room362com+%28Room362.com%29">(UAC) User Assisted Compromise</a> &#8211; room362.com<br />
A number of times during tests I&#8217;ve actually run into those mythical creatures called &#8220;patched windows machines&#8221;. At DerbyCon Chris Gates and I released the &#8220;Ask&#8221; post module (which I had failed to publish). This module very simply uses the ShellExecute windows function via Railgun with the undocumented (but very well known) operator of &#8216;runas&#8217;.</li>
<li><a href="http://net-ninja.net/blog/?p=1034">Heap Overflows For Humans 103</a> &#8211; net-ninja.net<br />
Hi guys! Once again I’m back and here to discuss yet another important technique for heap exploitation that I do not want to see get buried in the sands of time. Lucky for me I have some time off over Christmas/New years so I can cover more of this topic.</li>
<li><a href="http://resources.infosecinstitute.com/hacking-a-wordpress-site/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29">Targeting and Hacking a WordPress Site</a> &#8211; resources.infosecinstitute.com<br />
The answer to this question may be difficult to determine, simply because there are so many ways to hack a site. Our aim in this article is to show you the techniques most used by hackers in targeting and hacking your site!</li>
<li><a href="http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-January/008170.html">A technique for bypassing request header restriction of XMLHttpRequest</a> &#8211; lists.webappsec.org<br />
Do you know that Apache HTTP Server and Lighttpd replace non-alnum characters with underscore in name of environment variables? This might be useful to bypass restrictions of XMLHttpRequest.</li>
<li><a href="http://blog.securestate.com/post/2012/01/06/New-Meterpreter-Extension-Released-MSFMap-Beta.aspx">New Meterpreter Extension Released: MSFMap Beta</a> &#8211; blog.securestate.com<br />
Today SecureState is releasing a new extension for Metasploit’s Meterpreter called MSFMap. This new utility provides an NMap-like port scanner from within the context of a Meterpreter session.  This gives penetration testers an easily deployable and flexible port scanning utility.</li>
<li><a href="http://shreeraj.blogspot.com/2012/01/blind-websql-and-storage-extraction-for.html">Blind WebSQL and Storage extraction for HTML5 Apps</a> &#8211; shreeraj.blogspot.com<br />
HTML5 is having two important data points – WebSQL and Storage. They are controlled by well defined RFCs and specifications. These APIs can be accessed using JavaScript. Assuming we get an entry into DOM then also we are completely blind with WebSQL table names and storage keys. Here is a way to enumerate that data during pen-testing and assessments.</li>
<li><a href="http://www.poppopret.org/?p=40">Anatomy of a SCADA Exploit: Part 1 &#8211; From Overflow to EIP</a> &#8211; poppopret.org<br />
SCADA applications and appliances have been receiving a lot of media attention lately for all the security problems they’re causing, most infamously being the root of the Stuxnet outbreak in 2010.  If you spend more than a few minutes looking at the applications that power our infrastructure and the systems they run on, you’ll realize it’s time to get a little nervous.</li>
<li><a href="http://blog.c22.cc/2012/01/08/the-csrf-that-almost-was/">The CSRF That Almost Was</a> &#8211; blog.c22.cc<br />
A lot of the research I did into the SAP Management Console was about what an attacker could do accessing it from the internet, or directly when on the local LAN segment. Although there’s probably a lot more attackers could do with this stuff, the protections that SAP have rolled out should be enough to deter most casual attackers.</li>
</ul>
<p><strong>Vulnerabilities</strong></p>
<ul>
<li><a href="http://www.zdnet.com/blog/security/apple-ios-501-hacked-untethered-via-two-security-holes/9895">Apple iOS 5.0.1 hacked, untethered via two security holes</a> &#8211; zdnet.com<br />
Using two different security vulnerabilities in Apple’s flagship mobile operating system, a security researcher has released a tool to untether devices running iOS 5.0.1.</li>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li>Indian Military Backdoor Access<br />
In a tweet early this morning, cybersecurity researcher Christopher Soghoian pointed to an internal memo of India&#8217;s Military Intelligence that has been liberated by hackers and <a href="http://imgur.com/a/8XoGf#0">posted on the Net</a>. The memo suggests that, &#8220;in exchange for the Indian market presence&#8221; mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as &#8220;RINOA&#8221;) have agreed to provide backdoor access on their devices.</li>
<ul>
<li><a href="http://www.zdnet.com/blog/india/have-rim-nokia-apple-provided-indian-military-with-backdoor-access-to-cellular-comm/838">Have RIM, Nokia, and Apple provided Indian military with backdoor access to cellular comm?</a> &#8211; zdnet.com</li>
<li><a href="http://imgur.com/a/8XoGf#0">Indian Intelligence Internal Memo On Backdoor Access To Mobile Devices</a> &#8211; apple.slashdot.org</li>
</ul>
<li><a href="http://www.facebook.com/Symantec/posts/10150465997682876">Symantec Hacking Announcement on Facebook</a> &#8211; facebook.com<br />
Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec’s Norton products for our consumer customers.</li>
<li><a href="http://www.novainfosecportal.com/2012/01/03/is-android-really-secure-enough-for-the-dod/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+novainfosecportalblog+%28NovaInfosecPortal.com+Blog%29">Is Android Really Safe Enough for the DoD?</a> &#8211; novainfosecportal.com<br />
I think the only anti-iOS arguments that stand on their own are the first two. Well maybe the government could create a special jailbroken version of iOS that meets their requirements since that seems to be legal after last year’s DMCA adjustments. At least they could knock the second criticism out.</li>
<li><a href="http://isc.sans.org/diary/Lilupophilupop+tops+1million+infected+pages/12304">Lilupophilupop tops 1 million infected pages</a> &#8211; isc.sans.org<br />
When I first came upon the attack there were about 80 pages infected according to Google searches.  Today, well as the title suggests we top a million, about 1,070,000 in fact (there will be duplicate URLs that show up in the searches. Still working on a discrete domain list for this).</li>
<li><a href="http://threatpost.com/en_us/blogs/analysis-stratfor-passwords-reveals-shoddy-security-010412">Analysis of STRATFOR Passwords Reveals Shoddy Security</a> &#8211; threatpost.com<br />
Using the leaked password list from STRATFOR, the open source intelligence service that was hacked last month, reporters from The Tech Herald were able to decipher over 80,000 of the hashed passwords, around 10% of the more than 800,000 passwords stolen in the attack. The analysis showed that trivial passwords like 123456, 11111111 and 123123 were common among STRATFOR customers.</li>
<li><a href="http://www.networkworld.com/community/blog/hacking-privacy-2-days-amateur-hacker-hack-smart-meter-fake-readings">Hacking For Privacy:  2 days for amateur hacker to hack smart meter, fake readings</a> &#8211; networkworld.com<br />
In other words, smart meters do have privacy implications that translate into consumer identification. On the bright side, they showed it takes an amateur hacker only two days to hack a home energy meter and fake the smart meter readings &#8212; which could result in a utility bill showing absolutely no power consumption at all.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/01/09/week-1-in-review-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 52 In Review</title>
		<link>http://infosecevents.net/2012/01/02/week-52-in-review-2/</link>
		<comments>http://infosecevents.net/2012/01/02/week-52-in-review-2/#comments</comments>
		<pubDate>Mon, 02 Jan 2012 20:23:20 +0000</pubDate>
		<dc:creator>Glenn Santos</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Chaos Communication Congress]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1962</guid>
		<description><![CDATA[Events Related Chaos Communications Congress Debriefing(s) &#8230;dedicated to information about the conferences and events of the CCC. Being our most important event, the annual Chaos Communication Congress is usually the main focus. But we provide announcements and background information for other CCC events as well – be it regional or international. Crypto talk at 28C3: [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Events Related</strong></p>
<ul>
<li>Chaos Communications Congress Debriefing(s)<br />
&#8230;dedicated to information about the conferences and events of the CCC. Being our most important event, the annual Chaos Communication Congress is usually the main focus. But we provide announcements and background information for other CCC events as well – be it regional or international.</li>
<ul>
<li><a href="http://events.ccc.de/2011/12/29/crypto-talk-at-28c3-implementation-of-mitm-attack-on-hdcp-secured-links-day-3-1830-saal-1/">Crypto talk at 28C3: Implementation of MITM Attack on HDCP-secured Links, Day 3, 18:30, Saal 1</a> &#8211; events.ccc.de</li>
<li><a href="http://events.ccc.de/2011/12/29/crypto-talk-at-28c3-tresor-festplatten/">Crypto talk at 28C3: TRESOR: Festplatten sicher verschlüsseln, Day 3, 14:30, Saal 2</a> &#8211; events.ccc.de</li>
<li><a href="http://events.ccc.de/2011/12/29/crypto-talk-at-28c3-sovereign-keys-a-proposal-for-fixing-attacks-on-cas-and-dnssec-day-3-2300-saal-3/">Crypto talk at 28C3: Sovereign Keys – A proposal for fixing attacks on CAs and DNSSEC, Day 3, 23:00, Saal 3</a> &#8211; events.ccc.de</li>
<li><a href="http://events.ccc.de/2011/12/31/recordings-of-29c3-talks-available/">Recordings of 28C3 talks available</a> &#8211; events.ccc.de</li>
<li><a href="http://events.ccc.de/congress/2011/wiki/Documentation">Documentation</a> &#8211; events.ccc.de</li>
</ul>
</ul>
<p><strong>Resources</strong></p>
<ul>
<li><a href="http://blog.zonealarm.com/2011/12/2011-year-in-review-online-security-highlights-lowlights.html">2011 Year In Review: Online Security Highlights and Lowlights</a> &#8211; blog.zonealarm.com<br />
2011 was a big year in terms of online security. From well-publicized data breaches of major companies to the takedown of giant botnets, cybercrime made many headlines. And though hackers came up with more innovative ways to steal information and wreak havoc on the Web, the spotlight on online security vulnerabilities prompted both officials and average users to be more vigilant. Here, we recount the major online security highlights and lowlights of the year.</li>
<li><a href="http://shop.oreilly.com/product/0636920023234.do">Book Release: Hacking and Securing iOS Applications</a> &#8211; viaforensics.com<br />
Jonathan Zdziarski’s new book “Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It,” is due out next month. Pre-order your copy now!</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://www.rootkit.nl/files/lynis-1.3.0.tar.gz">Lynis v1.3.0 Released</a> &#8211; rootkit.nl/files/lynis-1.3.0.tar.gz<br />
Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.</li>
<li><a href="http://patator.googlecode.com/files/patator_v0.3.py">Patator &#8211; Brute Forcing Multi Purpose Tool</a> &#8211; patator.googlecode.com<br />
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like.</li>
<li><a href="http://krebsonsecurity.com/2011/12/new-tools-bypass-wireless-router-security/">New Tools Bypass Wireless Router Security</a> &#8211; krebsonsecurity.com<br />
Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.</li>
<li><a href="http://code.google.com/p/fuzzops-ng/downloads/list">UPDATE: OWASP AJAX Crawling Tool 0.2a!</a> &#8211; code.google.com/p/fuzzops-ng/downloads/list<br />
OWASP AJAX Crawling Tool is a tool which will automate the crawling of AJAX applications. It can be daisy-chained with other proxies (like ZAP or Burp) to allow the functionality of those tools to be used on aspects of a web app that traditional spidering tools will miss.</li>
<li><a href="http://didierstevens.com/files/software/cisco-calculate-ssh-fingerprint_V0_0_1.zip">Calculating a SSH Fingerprint From a (Cisco) Public Key</a> &#8211; blog.didierstevens.com<br />
I developed a small Python program that calculates a SSH fingerprint from the public key. You store the public key in hex format in a file and use that with this new tool.</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li>Java Dynamic Instrumentation Crash Course<br />
This is the first in a series of several ways to go about doing dynamic instrumentation in Java. I will be making use of the Javassist bytecode manipulation library for this series. In this first post, I will be going over Java dynamic instrumentation used within the main program. First, you will need Java installed (of course) and the Javassist jar file (I am using version 3.15). While the Javassist API documentation will provide a thorough description of the classes and functions involved, I will be covering the basics.</li>
<ul>
<li><a href="https://isisblogs.poly.edu/2011/12/25/java-dynamic-instrumentation-1/">Java Dynamic Instrumentation #1</a> &#8211; isisblogs.poly.edu</li>
<li><a href="https://isisblogs.poly.edu/2011/12/25/java-dynamic-instrumentation-2/">Java Dynamic Instrumentation #2</a> &#8211; isisblogs.poly.edu</li>
</ul>
</ul>
<ul>
<li><a href="http://net-ninja.net/blog/?p=952">Heap Overflows for Humans 102.5</a> &#8211; net-ninja.net<br />
Hi folks. Some time ago, I discussed an old, but important technique for exploiting application specific heap overflows under windows XP SP3. Today, I am going to discuss another important technique and give an introduction to my immunity debugger plug-in tool called !heaper!</li>
<li><a href="https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/27/bsd-telnet-daemon-encrypt-key-id-overflow">Fun With BSD-derived Telnet Daemons</a> &#8211; community.rapid7.com<br />
A port of this exploit to the Metasploit Framework is in progress and we just added a scanner module that can be used to identify vulnerable instances of the telnet service. This module tries to trigger the vulnerability with an invalid pointer, causing the inetd-spawned process to exit. Since this process automatically respawns, it should be safe to scan all affected inetd-based systems.</li>
<li><a href="http://www.devttys0.com/2011/12/cracking-wpa-in-10-hours-or-less/">Cracking WPA in 10 Hours or Less</a> &#8211; devttys0.com<br />
The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.</li>
<li><a href="https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/29/jumping-into-another-network-with-vpn-pivoting">Jumping to another network with VPN pivoting</a> &#8211; community.rapid7.com<br />
VPN Pivoting is one of the best but also most elusive features in Metasploit Pro, so the best way is to see it. That&#8217;s why I&#8217;ve decided to post a snippet of a recent webinar, where HD Moore shows this feature in action.</li>
<li><a href="http://www.digininja.org/projects/zonetransferme.php">ZoneTransfer.me</a> &#8211; digininja.org<br />
When teaching, and when talking to clients, I sometimes have to explain the security problems related to DNS zone transfer. The problem usually comes when trying to demonstrate how it works and what information can be leaked, trying to remember which domains have zone transfer enabled and then hoping that they still have it turned on can make it hard. So, to ease both of these problems I&#8217;ve registered zonetransfer.me, a domain which is easy to remember and which will always have zone transfer enabled.</li>
<li><a href="https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/">Exploit Writing Tutorial Part 11 : Heap Spraying Demystified</a> &#8211; corelan.be<br />
With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer browsers. I’ll start with some “ancient” (“classic”) techniques that can be used on IE6 and IE7. We’ll also look at heap spraying for non-browser applications.</li>
</ul>
<p><strong>Vendor/Software Patches</strong></p>
<ul>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-100">Microsoft Security Bulletins MS11-100 &#8211; Critical</a> &#8211; technet.microsoft.com<br />
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.</li>
</ul>
<p><strong>Vulnerabilities</strong></p>
<ul>
<li><a href="http://dankaminsky.com/2011/12/29/telnetd/">From 0Day to 0Data: TelnetD</a> &#8211; dankaminsky.com<br />
Recently, it was found that BSD-derived Telnet implementations had a fairly straightforward vulnerability in their encryption handler. (Also, it was found that there was an encryption handler.) Telnet was the de facto standard protocol for remote administration of everything but Windows systems, so there’s been some curiosity in just how nasty this bug is operationally.</li>
<li><a href="http://isc.sans.edu/diary.html?storyid=12292&amp;rss">Wi-Fi Protected Setup (WPS) PIN Brute Force Vulnerability</a> &#8211; isc.sans.edu<br />
Wi-Fi Protected Setup (WPS) is a Wi-Fi Alliance specification (v1.0 &#8211; available since January 2007) designed to ease the process of securely setting up Wi-Fi devices and networks. A couple of days ago US-CERT released a new vulnerability note, VU#723755, that allows an attacker to get full access to a Wi-Fi network (such as retrieving your ultra long secret WPA2 passphrase) through a brute force attack on the WPS PIN.</li>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li>Anonymous vs. Stratfor<br />
Austin, Texas-based Strategic Forecasting, or Stratfor, disclosed over the weekend that its Web site, which remains down, was hacked and information about its corporate subscribers&#8211;who include the likes of the U.S. Army, U.S. Air Force, and Miami Police Department&#8211;was disclosed. AntiSec, an Anonymous-affiliated hacktivist group, quickly claimed responsibility and promised &#8220;mayhem&#8221; with plans to release even more documents.</li>
<ul>
<li><a href="http://www.computerworld.com/s/article/9223025/Confidential_client_list_safe_from_Anonymous_Stratfor_says?source=rss_security&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F82+%28Computerworld+Cybercrime+and+Hacking+News%29">Confidential client list safe from Anonymous, Stratfor says</a> &#8211; computerworld.com</li>
<li><a href="http://news.cnet.com/8301-1009_3-57348995-83/report-details-extent-of-anonymous-hack-on-stratfor/?part=rss&amp;tag=feed&amp;subj=News-Security">Report details extent of Anonymous hack on Stratfor</a> &#8211; news.cnet.com</li>
<li><a href="http://www.securityweek.com/stratfor-downplays-cyber-attack-credited-anonymous">Stratfor Downplays Cyber Attack Credited To Anonymous</a> &#8211; securityweek.com</li>
<li><a href="http://www.troyhunt.com/2011/12/5-website-security-lessons-courtesy-of.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+TroyHunt+%28Troy+Hunt%29">5 Website Security Lessons Courtesy of Stratfor</a> &#8211; troyhunt.com</li>
</ul>
</ul>
<ul>
<li><a href="http://www.itworld.com/networking/235527/naval-researchers-pioneer-tcp-based-spam-detection">Naval researchers pioneer TCP-based spam detection</a> &#8211; itworld.com<br />
A group of researchers from the U.S. Naval Academy has developed a technique for analyzing email traffic in real-time to identify spam messages as they come across the wire, simply using information from the TCP (Transmission Control Protocol) packets that carry the messages.</li>
<li><a href="http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack.ars?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+Featured+Content%29">Huge portions of Web vulnerable to denial-of-service attack</a> &#8211; arstechnica.com<br />
Researchers have shown how a flaw that is common to most popular Web programming languages can be used to launch denial-of-service attacks by exploiting hash tables. Announced publicly on Wednesday at the Chaos Communication Congress event in Germany, the flaw affects a long list of technologies, including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google&#8217;s open source JavaScript engine V8.</li>
<li><a href="http://www.darkreading.com/mobile-security/167901113/security/news/232301147/qr-code-malware-picks-up-steam.html">QR Code Malware Picks Up Steam</a> &#8211; darkreading.com<br />
As mobile marketers have latched onto the convenience and cool-factor of QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware.</li>
<li><a href="https://www.eff.org/press/releases/appeals-court-revives-effs-challenge-governments-massive-spying-program">Appeals Court Revives EFF&#8217;s Challenge to Government&#8217;s Massive Spying Program</a> &#8211; eff.org<br />
The 9th U.S. Circuit Court of Appeals today blocked the government&#8217;s attempt to bury the Electronic Frontier Foundation&#8217;s (EFF&#8217;s) lawsuit against the government&#8217;s illegal mass surveillance program, returning Jewel v. NSA to the District Court for the next step.</li>
<li><a href="https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own">New Year&#8217;s Resolution: Full Disk Encryption On Every Computer You Own</a> &#8211; eff.org<br />
Many of us now have private information on our computers: personal records, business data, e-mails, web history, or information we have about our friends, family, or colleagues.  Encryption is a great way to ensure that your data will remain safe when you travel or if your laptop is lost or stolen. Best of all, it&#8217;s free. So don&#8217;t put off taking security steps that can help protect your private data. Join EFF in resolving to encrypt your disks 2012.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/01/02/week-52-in-review-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Week 50 In Review</title>
		<link>http://infosecevents.net/2011/12/19/week-50-in-review-2/</link>
		<comments>http://infosecevents.net/2011/12/19/week-50-in-review-2/#comments</comments>
		<pubDate>Mon, 19 Dec 2011 19:23:07 +0000</pubDate>
		<dc:creator>Glenn Santos</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[blackhat]]></category>
		<category><![CDATA[RUXCON]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1952</guid>
		<description><![CDATA[Events Related RuxCon Presentation Materials Archive &#8211; ruxcon.org.au BlackHat Abu Dhabi 2011 &#8211; tmacuk.co.uk I am going to keep this short, but I met a lot of new people, a lot of people I had spoken to over the phone but never seen face to face and people that I knew over Twitter. This, in [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Events Related</strong></p>
<ul>
<li><a href="http://www.ruxcon.org.au/2011-materials/">RuxCon Presentation Materials Archive</a> &#8211; ruxcon.org.au</li>
<li><a href="http://tmacuk.co.uk/personal/blackhat-abu-dhabi-2011/">BlackHat Abu Dhabi 2011</a> &#8211; tmacuk.co.uk<br />
I am going to keep this short, but I met a lot of new people, a lot of people I had spoken to over the phone but never seen face to face and people that I knew over Twitter. This, in my eyes, is what these conferences are about – and the networking breaks that were provided were great for this.</li>
</ul>
<p><strong>Resources</strong></p>
<ul>
<li><a href="http://blogs.cisco.com/security/cisco-releases-the-2011-annual-security-report/#utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=cisco-releases-the-2011-annual-security-report">Cisco releases 2011 Annual Security Report</a> &#8211; blogs.cisco.com<br />
Organizations are faced with providing security for employees that are rapidly adopting new technology in their personal and professional lives and expect their work environments and employers to do the same. As the data from the new Cisco 2011 Annual Security Report and the Cisco Connected World Technology Report Chapter 3 show, organizations that do not or cannot provide that type of environment are at risk of losing the ability to compete for those employees and business opportunities.</li>
<li><a href="http://threatpost.com/en_us/blogs/adam-shostack-methods-compromise-new-school-and-learning-121211">Adam Shostack on the methods of Compromise, the New School and Learning</a> &#8211; threatpost.com<br />
Dennis Fisher talks with Adam Shostack of Microsoft about the taxonomy he helped develop for classifying how PCs are compromised, what he would and wouldn’t change in The New School of Information Security and who he’s learned the most from.</li>
<li><a href="http://carrieriq.com/company/PR.20111212.pdf">Carrier IQ Report</a> &#8211; carrieriq.com<br />
Yesterday Carrier IQ released a report (PDF) which tries to answer some questions about how their system operates. Also, after reports of the FBI using Carrier IQ data, the company responded by saying, &#8216;Carrier IQ has never provided any data to the FBI. If approached by a law enforcement agency, we would refer them to the network operators.&#8217;</li>
<li><a href="http://marcoramilli.blogspot.com/2011/12/from-rop-to-jop.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+blogspot%2FCqwP+%28Marco+Ramilli%27s+Blog%29">From ROP to JOP</a> &#8211; marcoramilli.blogspot.com<br />
Researchers from North Carolina State University and National University of Singapore presented an interesting paper to ASIACCS11 titled: &#8220;Jump-Oriented Programming: A New Class of Code-Reuse Attack&#8221;.</li>
<li><a href="http://research.zscaler.com/2011/12/google-safe-browsing-v2-lookup.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+zscaler%2Fresearch+%28Zscaler+Research%29">Google Safe Browsing v2 Lookup libraries for Perl, Python and Ruby</a> &#8211; research.zscaler.com<br />
Last week, I mentioned that the Google Safe Browsing API has migrated to version 2. The new protocol is much more complex than version 1 and there are only a few libraries available for version 2 (see the full list in the previous post). Some popular languages, like Ruby, don&#8217;t have any implementation at all.</li>
<li><a href="http://www.globalsign.co.uk/company/press/121411-security-incident-report.html">GlobalSign Security Incident Report</a> &#8211; globalsign.co.uk<br />
Following recent events which have affected GlobalSign and the industry as a whole, we would like to take this opportunity to inform you that our investigations are now complete.</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://exploitpack.com/">Exploit Pack Security Tool</a> &#8211; exploitpack.com<br />
Exploit Pack  is an open source security tool and it comes to fill a need, a framework for exploit writers and security researchers, with a GPL license and Python as engine for its modules. Also it is based on Java and SWT to get real cross-platform. GPL license is used for the entire project and thus ensure the code will always be free.</li>
<li><a href="http://blog.0x0lab.org/2011/12/dns-brute-force/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+0x0lab+%280x0Lab+Blog%29">DNS Brute Force</a> &#8211; blog.0x0lab.org<br />
This python program, bfdomain.py, was written to identify valid hosts of a domain that deny zone transfers.</li>
<li><a href="https://code.google.com/p/wavsep/downloads/list">UPDATE: wavsep v1.1.0!</a> &#8211; code.google.com/p/wavsep/downloads/list<br />
Wavsep, the Web Application Vulnerability Scanner Evaluation Project is a vulnerable web application designed to help assessing the features, quality and accuracy of web application vulnerability scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners.</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li>Guide To Dumping Windows Password Hashes<br />
Generally, dumping operating system users&#8217; password hashes is a common action following a compromise of a machine: getting access to the password hashes might open the doors to a variety of attacks including, but not limited to, authenticating with the hash over SMB to other systems where passwords are reused, password policy analysis and pattern recognition, password cracking, etc.</li>
<ul>
<li><a href="http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html">Dump Windows Password Hashes Efficiently (Part 1)</a> &#8211; bernardodamele.blogspot.com</li>
<li><a href="http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes_16.html">Dump Windows Password Hashes Efficiently (Part 2)</a> &#8211; bernardodamele.blogspot.com</li>
</ul>
</ul>
<ul>
<li>WireShark and SMB2<br />
Although Wireshark does not have a nice feature to export SMB2 objects, you can extract transferred files from the capture files. In this article I will show you how to extract small files, a pdf and an exe, from Wireshark capture files.</li>
<ul>
<li><a href="http://www.lovemytool.com/blog/2011/12/wireshark-and-smb2-extract-files-part-1-by-joke-snelders.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+lovemytool+%28LoveMyTool+-+Open+Community+for+Network+Management+and+Monitoring%29">Extract Files Part 1</a> &#8211; lovemytool.com</li>
<li><a href="http://www.lovemytool.com/blog/2011/12/wireshark-and-smb2-extract-files-part-2-by-joke-snelders.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+lovemytool+%28LoveMyTool+-+Open+Community+for+Network+Management+and+Monitoring%29">Extract Files Part 2</a> &#8211; lovemytool.com</li>
</ul>
<li><a href="http://blog.rootshell.be/2011/12/13/rrhunter-detecting-rogue-ipv6-routers/">rrhunter: Detecting Rogue IPv6 Routers</a> &#8211; blog.rootshell.be<br />
It’s a fact: IPv6 deployments are on the rise. We are close to the end of 2011 and this year was really some kind of a kick-off year to deploy the new protocol or to make live tests. I won’t come back on all the new features implemented in the sixth version of our beloved protocol but one of them is interesting amongst the others: the auto-discovery. Of course, it was already possible to let IPv4 hosts configure themselves via DHCP but here, it’s directly integrated in the stack.</li>
<li><a href="http://carnal0wnage.attackresearch.com/2011/12/not-0wning-that-coldfusion-server-but.html">Not Owning that ColdFusion Server but Helping&#8230;</a> &#8211; carnal0wnage.attackresearch.com<br />
I thought I&#8217;d add to the conversation with some stuff I found doing CF research. The code he wrote and the metasploit module works great if things are in their default locations. Of course, this will never be the case when you are on a PT and need to break into that mofro.</li>
<li><a href="http://blog.opensecurityresearch.com/2011/12/evading-content-security-policy-with.html">Evading Content Security Policy With CRLF Injection</a> &#8211; blog.opensecurityresearch.com<br />
Content Security Policy (CSP) was developed with the aim of reducing content injection attacks like Cross Site Scripting. CSP allows the developers to specify the permitted content sources for their web applications and relies on HTTP response headers to enforce content restrictions.</li>
<li><a href="http://dvlabs.tippingpoint.com/blog/2011/12/14/pastebin-malicious-samples-collection?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+dvlabsblog+%28TippingPoint+DVLabs+Blog%29">Using Pastebin For Malicious Sample Collection</a> &#8211; dvlabs.tippingpoint.com<br />
Services like Malware Domain List, Virus Watch and MalC0de are great for finding URLs of malicious content that may be interesting to collect and they provide us with a great deal of information that we use for further analysis. There are times when I am looking for specific samples and these services can&#8217;t be used, that&#8217;s when I turn to Pastebin.</li>
<li><a href="http://blogs.mcafee.com/mcafee-labs/inside-adobe-reader-zero-day-exploit-cve-2011-2462">Inside Adobe Reader Zero-Day Exploit</a> &#8211; blogs.mcafee.com<br />
As online shoppers rush to buy presents in the run up to Christmas, security researchers have put out a warning to beware of &#8220;typosquatters,&#8221; who prey on cack-handed typists that misspell domain and website names.</li>
<li><a href="http://intrepidusgroup.com/insight/2011/12/mit/">MiTM and certificate setup on Android 4.0</a> &#8211; intrepidusgroup.com<br />
The Nexus Galaxy and Android’s Ice Cream Sandwich (ICS) are finally here. If you’ve done Android application testing in the past, you’ve probably tried to install your own Certificate Authority (CA) cert on to an Android device or emulator. This process was somewhat painful and required root level access on physical devices. We have an old blog post here on that process, but that all changes now with ICS.</li>
<li><a href="http://www.darkoperator.com/blog/2011/12/16/injecting-payloads-into-memory-meterpreter.html">Injecting Payloads Into Memory Meterpreter</a> &#8211; darkoperator.com<br />
Recently at Derbycon 2010 I had a chance to see Egyp7 (James Lee) from the metasploit project do some demos for students of his Metasploit class and I saw he was using the multi_meter_inject script I wrote to create a secondary shell in case the main one died.</li>
<li><a href="http://www.h-i-r.net/2011/12/intro-to-javascript-malware-analysis.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HiR+%28HiR+Information+Report%29">Intro To JavaScript Malware Analysis</a> &#8211; h-i-r.net<br />
I am by no means an expert on this stuff. A few weeks ago, I ran across some suspicious links in spam and decided to see where they led. Some of them claimed to be from financial institutions that I have absolutely no connection to, and claimed that some transaction had failed to occur.</li>
</ul>
<p><strong>Vendor/Software Patches</strong></p>
<ul>
<li>Microsoft December Bulletins<br />
Hello. As I previously mentioned in the Advance Notification Service blog post on Thursday, today we are releasing 13 security bulletins, three of which are rated Critical in severity, and 10 Important. These bulletins will increase protection by addressing 19 unique vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on these critical updates.</li>
<ul>
<li><a href="http://blogs.technet.com/b/msrc/archive/2011/12/13/the-december-bulletins-are-released.aspx">The December Bulletins Are Released</a> &#8211; blogs.technet.com</li>
<li><a href="http://blogs.technet.com/b/srd/archive/2011/12/13/assessing-the-risk-of-the-december-2011-security-updates.aspx">Assessing The Risk of the December 2011 Updates</a> &#8211; blogs.technet.com</li>
<li><a href="http://blogs.technet.com/b/srd/archive/2011/12/13/more-information-on-the-december-2011-activex-kill-bits-bulletin-ms11-090.aspx">More Information on the December 2011 ActiveX Kill Bits Bulletin</a> &#8211; blogs.technet.com</li>
<li><a href="http://blogs.technet.com/b/srd/archive/2011/12/13/more-information-on-ms11-087.aspx">More Information on MS11-087</a> &#8211; blogs.technet.com</li>
<li><a href="http://www.symantec.com/connect/de/blogs/microsoft-patch-tuesday-december-2011">Microsoft Patch Tuesday &#8211; December 2011</a> &#8211; symantec.com</li>
</ul>
<li><a href="http://www.h-online.com/security/news/item/Security-problem-in-PuTTY-SSH-client-fixed-1393673.html">Security Problem in PuTTY SSH Fixed</a> &#8211; h-online.com<br />
The open source SSH client for Windows, PuTTY, has been updated to version 0.62. Developer Simon Tatham announced the bugfix release which includes a fix for a security issue where passwords were retained.</li>
</ul>
<p><strong>Vulnerabilities</strong></p>
<ul>
<li><a href="http://comicmac.com/2011/12/how-to-get-free-wifi-on-virgin-america-flights-save-8/">Hack to get free WiFi on Virgin America flights exploiting Chrome Book promo (Save $12.95)</a> &#8211; comicmac.com<br />
So I’m currently a couple thousand feet up in the air on a Virgin America flight to San Francisco from Boston and Google are doing this cool thing where they loan you a Chrome Book for the flight, as part of this, you get free wifi on the Chrome Book, whilst on any other device you need to pay like $12.95. I figured out by faking the User Agent to be that of the Chrome Book, you can get free wifi.</li>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li>Typosquatting Crash Course<br />
A Naked Security reader recently asked us to investigate the scale and the risk of typosquatting, after she accidentally put herself in harm&#8217;s way by mistyping a popular URL. She meant to visit posterous.com, but typed the linguistically-similar posterious.com by mistake. She was immediately and automatically deviated to a site which was blocked by Sophos Endpoint Security because it contained malware. Indeed, posterious.com redirects at the whim of its operator, taking you to different sites each time you visit.</li>
<ul>
<li><a href="http://nakedsecurity.sophos.com/typosquatting/">What Happens When You Mistype A Website Name?</a> - nakedsecurity.sophos.com</li>
<li><a href="http://www.youtube.com/watch?v=OtfhSWAb1gQ">Beware Typosquatters &#8211; type carefumbly this Christmas!</a> - youtube.com</li>
<li><a href="http://www.cio.com/article/696517/Typosquatters_Target_Christmas_Shoppers_Websense?source=rss_news&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+cio%2Farticles+%28CIO+-+Articles%29">Typosquatters Target Christmas Shoppers</a> - cio.com</li>
</ul>
</ul>
<ul>
<li><a href="http://www.bloomberg.com/news/2011-12-13/china-based-hacking-of-760-companies-reflects-undeclared-global-cyber-war.html">China-Based Hacking of 760 Companies Shows Cyber-Based Cold War</a> &#8211; bloomberg.com<br />
Google Inc. (GOOG) and Intel Corp. (INTC) were logical targets for China-based hackers, given the solid-gold intellectual property data stored in their computers. An attack by cyber spies on iBahn, a provider of Internet services to hotels, takes some explaining.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2011/12/19/week-50-in-review-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 49 In Review</title>
		<link>http://infosecevents.net/2011/12/14/week-49-in-review-2/</link>
		<comments>http://infosecevents.net/2011/12/14/week-49-in-review-2/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 17:10:26 +0000</pubDate>
		<dc:creator>Glenn Santos</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Security Workshops]]></category>
		<category><![CDATA[ClubHack]]></category>
		<category><![CDATA[Malcon]]></category>
		<category><![CDATA[PacSec]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1949</guid>
		<description><![CDATA[Events Related PacSec 2011 Presented Material &#8211; pacsec.jp English/Japanese versions of PacSec 2011 Tokyo event last month. @OWASP Tokyo Webservices: Attack, defenses, and hardening &#8211; twitter.com Archives for ClubHack 2011 Videos &#8211; clubhack.tv MalCon 2011 YouTube Channel &#8211; youtube.com Resources Opensecuritytraining.info Welcome Message &#8211; opensecuritytraining.info New open source, creative commons powered teaching portal on computer [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Events Related</strong></p>
<ul>
<li><a href="http://pacsec.jp/psj11archive.html">PacSec 2011 Presented Material</a> &#8211; pacsec.jp<br />
English/Japanese versions of PacSec 2011 Tokyo event last month.</li>
<li><a href="http://twitter.com/#!/OwaspTokyo/statuses/145695411787669504">@OWASP Tokyo Webservices: Attack, defenses, and hardening</a> &#8211; twitter.com</li>
<li><a href="http://www.clubhack.tv/event/2011/">Archives for ClubHack 2011 Videos</a> &#8211; clubhack.tv</li>
<li><a href="http://www.youtube.com/user/malconlive?feature=watch">MalCon 2011 YouTube Channel</a> &#8211; youtube.com</li>
</ul>
<p><strong>Resources</strong></p>
<ul>
<li><a href="http://www.opensecuritytraining.info/Welcome.html">Opensecuritytraining.info Welcome Message</a> &#8211; opensecuritytraining.info<br />
New open source, creative commons powered teaching portal on computer security.</li>
<li><a href="http://www.reddit.com/r/netsec/comments/n19en/free_commercial_security_products/">Free Commercial Security Products?</a> &#8211; reddit.com<br />
I just found out that ArcSight Logger is free for personal/home use (within some reasonable log size limits), and I&#8217;m wondering what other commercial enterprise security products are also free for personal use. I don&#8217;t mean trial/eval licenses that limit the user to 15 or 30 days, I&#8217;m looking for full blown, feature-full enterprise software that is free for personal use within reasonable limits.</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://gse-compliance.blogspot.com/2011/12/router-audit-tool-rat.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+CrackedInsecureAndGenerallyBroken+%28Cracked%2C+inSecure+and+Generally+Broken%29">Router Audit Tool (RAT)</a> &#8211; gse-compliance.blogspot.com<br />
The Router Audit Tool or RAT was designed to help audit the configurations of Cisco routers quickly and efficiently. RAT tests Cisco router configurations against a baseline. After performing the baseline test, it not only provides a list of the potential security vulnerabilities discovered but also a list of commands to be applied to the router in order to correct the potential security problems discovered.</li>
<li><a href="http://www.oxid.it/downloads/ca_setup.exe">UPDATE: Cain &amp; Abel v4.9.43!</a> &#8211; www.oxid.it/downloads/ca_setup.exe<br />
Cain &amp; Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.</li>
<li><a href="http://sourceforge.net/projects/ettercap/files/ettercap/0.7.4-Lazarus/">UPDATE: Ettercap 0.7.4!</a> &#8211; sourceforge.net/projects/ettercap/files/ettercap/0.7.4-Lazarus/<br />
Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis. It is a suite for man-in-the-middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.</li>
<li><a href="http://blog.taddong.com/2011/12/cookie-decoder-f5-big-ip.html">Cookie Decoder: F5 BIG-IP</a> &#8211; blog.taddong.com<br />
I still remember with excitement the first time I found my first F5 BIG-IP load balancer persistent cookie, disclosing the network details of the internal hosts: IP address and TCP port. Although it was a few years ago during a pen-test, still today is very common to find them on lots of target environments.</li>
<li><a href="http://www.manvswebapp.com/announcing-sql-invader">Announcing SQL Invader</a> &#8211; manvswebapp.com<br />
Today, we announced SQL Invader, a new free GUI-based tool that enables testers to easily and quickly exploit a SQL Injection vulnerability, get a proof of concept with database visibility and export results into a csv file. In just a few clicks, users will be able to view the list of records, tables and user accounts on the back-end database.</li>
<li><a href="http://www.vulnerabilitydatabase.com/2011/12/csrf-scanner-v1-0-released/">CSRF Scanner v1.0 Released</a> &#8211; vulnerabilitydatabase.com<br />
CSRFScan is a tool designed to find CSRF security flaws on forms. The tool uses a static analysis of pages to determine if the form is protected or not. It is written in Python and published under GPL v3. This tool analyses only forms present in an authenticated session, so it needs authenticated cookies to perform the analysis.</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li>VLAN Hacking How To<br />
A Virtual LAN or VLAN is a group of hosts that communicate with each other even though they are in different physical locations. A Virtual LAN provides location independence to users, saves bandwidth, simplifies device management and is cost effective for the organization; these are some of the facilities it provides.</li>
<ul>
<li><a href="http://resources.infosecinstitute.com/vlan-hacking/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29">VLAN Hacking</a> - resources.infosecinstitute.com</li>
<li><a href="http://www.reddit.com/r/netsec/comments/n4v0z/vlan_hacking_tutorial/">Reddit Thread on VLAN Hacking</a> - reddit.com</li>
</ul>
</ul>
<ul>
<li><a href="http://dvlabs.tippingpoint.com/blog/2011/12/05/shellcode-detection-python?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+dvlabsblog+%28TippingPoint+DVLabs+Blog%29">Shellcode Detection Using Python</a> &#8211; dvlabs.tippingpoint.com<br />
DVLabs has been collecting a large number of documents and files that are flagged as malicious and we&#8217;re trying to decrease the number that we have to do a full manual analysis on. One of the methods we&#8217;re using to aid in this is shellcode detection.</li>
<li><a href="http://www.fishnetsecurity.com/blogs/?p=250">Path of Least Resistance </a>- fishnetsecurity.com<br />
I (Tim Medin) do a good number of internal penetration tests, and I have found one particular series of techniques that tend to be very quick and efficient at gaining Domain Administrator-level access. Of course, the viability of this depends on the environment and the configurations, and since this technique depends on default configurations, it is usually very effective because defaults aren’t usually changed.</li>
<li><a href="http://carnal0wnage.attackresearch.com/2011/12/aggressive-mode-vpn-ike-scan-psk-crack.html">Aggressive Mode VPN &#8212; IKE-Scan, PSK Crack, and Cain</a> &#8211; carnal0wnage.attackresearch.com<br />
In IKE Aggressive mode the authentication hash based on a preshared key (PSK) is transmitted as response to the initial packet of a vpn client that wants to establish an IPSec Tunnel (Hash_R). This hash is not encrypted. It&#8217;s possible to capture these packets using a sniffer, for example tcpdump and start dictionary or brute force attack against this hash to recover the PSK.</li>
<li><a href="http://resources.infosecinstitute.com/firefox-and-sqlite-forensics/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29">Understanding Firefox and SQLite Tables For Computer Forensics</a> &#8211; resources.infosecinstitute.com<br />
I was showing off a trick to export Firefox SQLite tables to a spread sheet, and while she is a forensics person, she had never ever heard of this trick. It is neat enough to know when working off an image to pull the entire history of a Firefox user by using the SQLite table manager Firefox plugin. You can also find this plugin for Chrome that makes things just as easy. This article though will focus on SQLite and Firefox.</li>
<li><a href="http://carnal0wnage.attackresearch.com/2011/12/sqlmap-searching-databases-for-specific.html">SQLMap &#8212; Searching Databases for Specific Columns/Data &amp; Extracting from Specific Columns</a> &#8211; carnal0wnage.attackresearch.com<br />
So assuming we have some sort of SQL Injection in the application (Blind in this case) and we&#8217;ve previously dumped all the available databases (--dbs), we now want to search for columns with &#8216;password&#8217; in them.</li>
</ul>
<p><strong>Vendor/Software Patches</strong></p>
<ul>
<li>Microsoft Updates<br />
With the release of the security bulletins for December 2011, this bulletin summary replaces the bulletin advance notification originally issued December 8, 2011. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.</li>
<ul>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-dec">Microsoft Security Bulletin Summary for 2011</a> &#8211; technet.microsoft.com</li>
<li><a href="http://threatpost.com/en_us/blogs/microsoft-unveils-new-windows-defender-offline-tool-120911">Microsoft Unveils new Windows Defender Offline Tool</a> &#8211; threatpost.com</li>
</ul>
</ul>
<p><strong>Vulnerabilities</strong></p>
<ul>
<li>Adobe, Acrobat Attacks<br />
Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.</li>
<ul>
<li><a href="http://krebsonsecurity.com/2011/12/attackers-hit-new-adobe-reader-acrobat-flaw/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">Attackers Hit New Adobe Reader, Acrobat Flaw</a> &#8211; krebsonsecurity.com</li>
<li><a href="http://www.darkreading.com/insider-threat/167801100/security/application-security/232300055/new-zero-day-adobe-attack-under-way.html">New Zero-Day Adobe Attack Under Way</a> &#8211; darkreading.com</li>
<li><a href="http://isc.sans.edu/diary.html?storyid=12166&amp;rss">Newest Adobe Flash 11.1.102.55 And Zero Day Update</a> &#8211; isc.sans.edu</li>
</ul>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li>The Carrier IQ Controversy<br />
Security researchers who have investigated the inner workings of the Carrier IQ software and its capabilities say that the application has some powerful, and potentially worrisome capabilities, but that as it&#8217;s currently deployed by carriers it doesn&#8217;t have the ability to record SMS messages, phone calls or keystrokes.</li>
<ul>
<li><a href="http://threatpost.com/en_us/blogs/researchers-say-carrier-iq-not-logging-texts-or-emails-has-some-worrisome-capabilities-120511">Researchers Say Carrier IQ Not Logging Texts or Emails, But Has Some Worrisome Capabilities</a> - threatpost.com</li>
<li><a href="http://www.bgr.com/2011/12/06/how-to-find-out-if-carrier-iq-is-installed-on-your-phone-in-one-tap/">How to find out if Carrier IQ is installed in your phone with one tap</a> &#8211; bgr.com</li>
</ul>
<li><a href="http://www.shredderchallenge.com/">All Your Shreds Belong To Us</a> &#8211; shredderchallenge.com<br />
Today&#8217;s troops often confiscate the remnants of destroyed documents in war zones, but reconstructing them is a daunting task. DARPA&#8217;s Shredder Challenge called upon computer scientists, puzzle enthusiasts and anyone else who likes solving complex problems to compete for up to $50,000 by piecing together a series of shredded documents.</li>
<li><a href="http://www.h-online.com/security/news/item/Google-researchers-propose-way-out-of-the-SSL-dilemma-1389182.html">Google Researchers Propose Way Out Of The SSL Dilemma</a> &#8211; h-online.com<br />
In a paper entitled Certificate Authority Transparency and Auditability, Google researchers Adam Langley and Ben Laurie have proposed new measures for improving the trustworthiness of the public key infrastructure (PKI) underpinning HTTPS. The researchers&#8217; idea is based on a public list of all certificates ever issued by certificate authorities.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2011/12/14/week-49-in-review-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 48 In Review</title>
		<link>http://infosecevents.net/2011/12/05/week-48-in-review-2/</link>
		<comments>http://infosecevents.net/2011/12/05/week-48-in-review-2/#comments</comments>
		<pubDate>Mon, 05 Dec 2011 17:53:10 +0000</pubDate>
		<dc:creator>Glenn Santos</dc:creator>
				<category><![CDATA[Local Meetings]]></category>
		<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[BSIMM]]></category>
		<category><![CDATA[OWASP]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1945</guid>
		<description><![CDATA[Events Related OWASP ATL Presentation &#8211; intrepidusgroup.com I recently gave a presentation at OWASP ATL on the OWASP Mobile Top 10 and how to assess mobile applications. This was a light weight discussion of the OWASP Mobile Top 10 and some topical and technical concerns related to securing mobile applications. OWASP Benelux Days 2011 &#8211; [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Events Related</strong></p>
<ul>
<li><a href="http://intrepidusgroup.com/insight/downloads/276">OWASP ATL Presentation</a> &#8211; intrepidusgroup.com      <br />I recently gave a presentation at OWASP ATL on the OWASP Mobile Top 10 and how to assess mobile applications. This was a light weight discussion of the OWASP Mobile Top 10 and some topical and technical concerns related to securing mobile applications. </li>
<li><a href="http://blog.rootshell.be/2011/12/03/owasp-benelux-days-2011-wrap-up/">OWASP Benelux Days 2011</a> &#8211; blog.rootshell.be      <br />The OWASP Benelux Days is a two-days event organized by three OWASP chapters (Belgium, Netherlands and Luxembourg). The 2010 edition was organized in Eindhoven(NL). This year, it was organized in Luxembourg. After a safe trip, sharing my car with a friend, we arrived at the Luxembourg University. </li>
<li><a href="http://www.cigital.com/justiceleague/2011/11/30/third-party-software-vendor-control-and-the-bsimm-community/">BSIMM Community Conference</a> &#8211; cigital.com      <br />Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes. </li>
</ul>
<p><strong>Resources</strong></p>
<ul>
<li><a href="http://www.reddit.com/r/netsec/comments/mrusc/rnetsecs_q4_2011_information_security_hiring/">Netsec&#8217;s Q4 2011 Information Security Hiring Thread</a> &#8211; reddit.com      <br />If you have open positions at your company for information security professionals and would like to hire from the /r/netsec user base, please leave a comment detailing any open job listings at your company. </li>
<li><a href="http://resources.infosecinstitute.com/restricted-character-set-vulnserver/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29">Restricted Character Set Vulnserver Exploit Tutorial</a> &#8211; resources.infosecinstitute.com      <br />Vulnserver is a Windows server application that deliberately includes a number of exploitable buffer overflow vulnerabilities, and was designed to act as a target application to teach and practice basic fuzzing, debugging and exploitation skills. More information on Vulnserver, including a download link, is available here. </li>
<li><a href="https://www.owasp.org/images/7/78/50552_OWASP_Newsletter-Nov2011.pdf">November 2011 OWASP Newsletter</a> &#8211; owasp.blogspot.com      <br />November OWASP newsletter now available for download. </li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://www.digininja.org/projects/pipal.php">Pipal, Password Analyser</a> &#8211; digininja.org      <br />On most internal pen-tests I do I generally manage to get a password dump from the DC. To do some basic analysis on this I wrote Counter and since I originally released it I&#8217;ve made quite a few mods to it to generate extra stats that are useful when doing reports to management. </li>
<li><a href="http://intercepter.nerf.ru/Intercepter-NG.v09.zip">Intercepter NG-An Advanced Sniffing Tool!</a> &#8211; intercepter.nerf.ru/Intercepter-NG.v09.zip      <br />Intercepter-NG is a new and improved sniffing tool with many added features. It supports several sniffing modes. For instance, in raw mode, it acts like a pure sniffer with appearance similar to Wireshark, providing enough functionality to perform a quick research of the network traffic. In the eXtreme mode Intercepter-NG will analyze all TCP packets without checking ports. </li>
<li><a href="http://intrepidusgroup.com/insight/2011/11/usrp-for-nfc-part-1/">USRP For NFC Part 1 </a>- intrepidusgroup.com      <br />The USRP from Ettus Research is an awesome tool for radio analysis. It’s a really complex tool that is capable of doing almost anything involving radio signals (see these two previous Insight posts by Corey and myself, and Raj). That doesn’t even scratch the surface, though. This post will go into the detailed hardware setup for investigating NFC over the air communication using the USRP. </li>
<li><a href="http://didierstevens.com/files/software/TaskManager_V0_1_1.zip">Signed TaskManager</a> &#8211; blog.didierstevens.com      <br />This new version 0.1.1 of my TaskManager spreadsheet is exactly the same as version 0.1.0, except that it is digitally signed. </li>
<li><a href="http://labs.mwrinfosecurity.com/tools/android_webcontentresolver/">Android Web Content Resolver</a> &#8211; labs.mwrinfosecurity.com      <br />When assessing Android devices and applications we regularly come across vulnerabilities in Android Content-Providers. These vulnerabilities are often similar to those found in web application security tests. In particular SQL Injection and directory traversal vulnerabilities are common problems in Content-Providers. </li>
<li><a href="http://labs.mwrinfosecurity.com/notices/webcontentresolver/">How To Find Android 0Day In No Time</a> &#8211; labs.mwrinfosecurity.com      <br />Today we are releasing WebContentResolver, an Android assessment tool which allows you to find Content-Provider vulnerabilities in no time. A Content-Provider is one of Android&#8217;s IPC endpoints; it is commonly used to implement data storage in applications and to offer access to this data to other applications on the device. </li>
<li><a href="http://www.darknet.org.uk/2011/12/the-mole-automatic-sql-injection-sqli-exploitation-tool/">The Mole &#8211; Automatic SQL Injection SQLi Exploitation Tool</a> &#8211; darknet.org.uk      <br />The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique. </li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li><a href="http://resources.infosecinstitute.com/dns-hacking/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+infosecResources+%28InfoSec+Resources%29">DNS Hacking (Beginner to Advanced)</a> &#8211; resources.infosecinstitute.com      <br />DNS is a naming system for computers that converts human readable domain names e.g. (infosecinstitute.com) into computer readable IP-addresses. However some security vulnerabilities exist due to misconfigured DNS nameservers that can lead to information disclosure about the domain. </li>
<li><a href="http://marcoramilli.blogspot.com/2011/11/pop-pop-ret-seh-exploiting-process.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+blogspot%2FCqwP+%28Marco+Ramilli%27s+Blog%29">POP POP RET: SEH Exploiting Process</a> &#8211; marcoramilli.blogspot.com      <br />This morning I want to talk a little bit about Structured Exception Handling (SEH) exploitation. Some readers, during a Skype meeting early last week, pointed me out that I never wrote about it, so let&#8217;s talk a little bit about it. </li>
<li><a href="http://hackonadime.blogspot.com/2011/12/hacking-printers-pjl-basics.html">&quot;Hacking&quot; Printers &#8211; PJL Basics</a> &#8211; hackonadime.blogspot.com      <br />A short while later in my career, I got to be known as the AIX “hacker” because I knew more about AIX than even some IBM techs I’d talk to on the phone. That’s why the term “Hacking” in the title has quotes. What we’re going to talk about today is understanding some very basic features that most people have forgotten about and being able to manipulate those features to help us do some bad stuff. </li>
<li><a href="http://shreeraj.blogspot.com/2011/11/csrf-with-json-leveraging-xhr-and-cors_28.html">CSRF with JSON &#8211; Leveraging XHR and CORS</a> &#8211; shreeraj.blogspot.com      <br />Same Origin Policy (SOP) dictates cross domain calls and allows establishment of cross domain connections. SOP bypasses allow CSRF attack vector, an attacker can inject a payload on cross domain page that initiate a request without consent or knowledge of the target user. </li>
<li><a href="http://carnal0wnage.attackresearch.com/2011/11/embeding-link-to-network-share-in-word.html">Embedding A Link To A Network Share In A Word Doc</a> &#8211; carnal0wnage.attackresearch.com      <br />Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn&#8217;t THAT easy&#8230; In office 2010 when I&#8217;d go to pull in a picture to the document by adding a picture from a network share the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some html to the document. </li>
<li><a href="http://isc.sans.edu/diary.html?storyid=12127&amp;rss">SQL Injection Attack Happening ATM</a> &#8211; isc.sans.edu      <br />Typically it is inserted into several tables.&#160; From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation.&#160; If you find that you have been infected please let us know and if you can share packets, logs&#160; please upload them on the contact form. </li>
</ul>
<p><strong>Vulnerabilities</strong></p>
<ul>
<li><a href="http://www.feross.org/cmsploit/">1% of CMS-Powered Sites Expose Their Database Passwords</a> &#8211; feross.org      <br />Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look. </li>
<li><a href="http://arstechnica.com/tech-policy/news/2011/11/researchers-find-big-leaks-in-pre-installed-android-apps.ars">Researchers Find Big Leaks In Pre-Installed Android Apps</a> &#8211; arstechnica.com      <br />Researchers at North Carolina State University have uncovered a variety of vulnerabilities in the standard configurations of popular Android smartphones from Motorola, HTC, and Samsung, finding that they don&#8217;t properly protect privileged permissions from untrusted applications. </li>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li>Trevor Eckhart vs. Android Phones     <br />The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.
<ul>
<li><a href="http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/">Researcher&#8217;s Video Shows Secret Software on Millions of Phones Logging Everything</a> &#8211; wired.com </li>
<li><a href="http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/">BUSTED! Secret app on millions of phones logs keys</a> &#8211; theregister.co.uk </li>
<li><a href="http://news.cnet.com/8301-13506_3-57333652-17/android-handsets-secretly-logging-keystrokes-sms-messages/?part=rss&amp;tag=feed&amp;subj=News-Security">Android handsets secretly logging keystrokes, SMS messages?</a> &#8211; news.cnet.com </li>
<li><a href="http://gigaom.com/2011/12/02/is-carrier-iq-a-big-data-mercenary/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+jkOnTheRun+%28GigaOM%3A+Mobile%29">Is Carrier IQ A Big Data Mercenary?</a> &#8211; gigaom.com </li>
<li><a href="http://www.wired.com/threatlevel/2011/12/carrier-iq-data-vacuum/">Carrier IQ Admits Holding &#8216;Treasure Trove&#8217; of Consumer Data, But No Keystrokes</a> &#8211; wired.com </li>
<li><a href="http://lifehacker.com/5864159/carrier-iq-is-tracking-your-iphone-too-heres-how-to-turn-it-off">Carrier IQ Is tracking Your iPhone Too, But It&#8217;s Easy To Turn Off </a>- lifehacker.com </li>
<li><a href="http://news.cnet.com/8301-13506_3-57334575-17/carrier-iq-tracking-iphone-customers-too-hacker-says/?part=rss&amp;tag=feed&amp;subj=News-Security">Carrier IQ Tracking iPhone Customers Too, Researchers Say</a> &#8211; news.cnet.com </li>
<li><a href="http://news.cnet.com/8301-1009_3-57335031-83/carrier-iq-how-big-a-threat-is-it/?part=rss&amp;tag=feed&amp;subj=News-Security">Carrier IQ: How Big A Threat Is It?</a> &#8211; news.cnet.com </li>
</ul>
</li>
<li><a href="http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say">Exclusive: Millions of Printers Open To Devastating Attack, Researchers Say</a> &#8211; redtape.msnbc.msn.com      <br />Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for criminals, making it easy to commit identity theft or even take control of entire networks that would otherwise be secure? </li>
<li><a href="http://www.telegraph.co.uk/technology/news/8921033/Staff-to-be-banned-from-sending-emails.html">Staff To Be Banned From Sending Emails</a> &#8211; telegraph.co.uk      <br />Thierry Breton, CEO of Atos and a former French finance minister, wants a &quot;zero email&quot; policy to be in place within as early as 18 months, arguing that only 10 per cent of the 200 electronic messages his employees receive per day on average turn out to be useful. Instead he wants them to use an instant messaging and a Facebook-style interface. </li>
<li><a href="http://nakedsecurity.sophos.com/2011/11/30/targeted-attacks-steal-credit-cards-from-hospitality-and-educational-institutions/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+NakedSecurityChesterWisniewski+%28Sophos+Naked+Security+%C2%BB+Chester+Wisniewski%29">Targeted Attack Steals Credit Cards From Hospitality And Educational Institutions</a> &#8211; nakedsecurity.sophos.com      <br />A little more than a week ago SophosLabs became aware of a resurgence of an attack against the education and hospitality industries. In at least one case the malware has shown up at a financial services company. </li>
<li><a href="http://www.darkreading.com/database-security/167901020/security/news/232200517/researchers-say-oracle-leaves-databases-needlessly-vulnerable.html">Researchers Say Oracle Leaves Databases Needlessly Vulnerable</a> &#8211; darkreading.com      <br />Is Oracle just paying lip service to database security? Some researchers within the database community think so, complaining that as the software juggernaut has grown with acquisitions such as the blockbuster Sun deal it hasn&#8217;t maintained enough resources to securely develop database products and resolve vulnerabilities disclosed by researchers in a timely fashion. </li>
<li><a href="http://www.h-online.com/security/news/item/Java-is-the-largest-malware-target-according-to-Microsoft-1387528.html">Java Is The Largest Malware Target According To Microsoft</a> &#8211; h-online.com      <br />In a posting on the Microsoft Security Blog, Tim Rains, a director of Microsoft&#8217;s Trustworthy Computing Group, has written of the huge number of Java exploits being found in the wild. In the second half of 2010 and first half of 2011, between a half and a third of all exploits observed by Microsoft&#8217;s Malicious Software Removal Tool attacked vulnerabilities in Java. </li>
<li><a href="http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers">The Mystery of Duqu: Part Six (The Command and Control Servers)</a> &#8211; securelist.com      <br />Over the past few weeks, we have been busy researching the Command and Control infrastructure used by Duqu. It is now a well-known fact that the original Duqu samples were using a C&amp;C server in India, located at an ISP called Webwerks. Since then, another Duqu C&amp;C server has been discovered which was hosted on a server at Combell Group Nv, in Belgium. </li>
<li><a href="http://krebsonsecurity.com/2011/11/public-java-exploit-amps-up-threat-level/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">Public Java Exploit Amps Up Threat Level</a> &#8211; krebsonsecurity.com      <br />I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. </li>
<li><a href="http://arstechnica.com/tech-policy/news/2011/11/uk-cyber-strategy-stuxnet-censorship-and-cyber-specials.ars">UK &quot;Cyber Strategy&quot; : Stuxnet, censorship, and cyber specials</a> &#8211; arstechnica.com      <br />On Friday, the UK government released its &quot;Cyber Security Strategy,&quot; acknowledging the importance of the Internet to modern life, but also the risks it poses from criminals, terrorists, and nation states. Over the next four years, and at a cost of £650 million ($1 billion), the National Cyber Security Programme (NCSP) has four objectives: &quot;tackle cyber crime,&quot; make the UK more resilient to &quot;cyber attacks,&quot; create an open and stable &quot;cyberspace,&quot; and ensure that the UK has the skills and knowledge to provide all &quot;cyber security&quot; needs. </li>
<li><a href="http://nakedsecurity.sophos.com/2011/12/03/eff-asks-us-copyright-office-to-exempt-jailbreaking-from-dmca/?">EFF Asks US Copyright Office To Exempt Jailbreaking From DMCA</a> &#8211; nakedsecurity.sophos.com      <br />Currently under the Digital Millennium Copyright Act (DMCA) in the United States it is illegal to circumvent Digital Rights Management (DRM) technology in a device. </li>
<li><a href="http://www.physorg.com/news/2011-11-team-disk-encryption-foils-law.html">Research Team Finds Disk Encryption Foils Law Enforcement</a> &#8211; physorg.com      <br />A joint U.S./UK research team has found that common encryption techniques are so good that law enforcement, from local to highly resourceful federal agencies, are unable to get at data on a computer hard disk that could be used to prove the guilt of people using the computer to perpetuate crimes.
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2011/12/05/week-48-in-review-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 47 In Review</title>
		<link>http://infosecevents.net/2011/11/28/week-47-in-review/</link>
		<comments>http://infosecevents.net/2011/11/28/week-47-in-review/#comments</comments>
		<pubDate>Mon, 28 Nov 2011 14:45:04 +0000</pubDate>
		<dc:creator>Glenn Santos</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[DeepSec]]></category>
		<category><![CDATA[Source Barcelona]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=1929</guid>
		<description><![CDATA[Events Related Source Barcelona 2011 Materials - blog.pentestify.com/source-barcelona-2011-materials Quick post to link our information from Source Barcelona 2011. @kernelsmith &#38; i discussed alternative use cases for the Metasploit Framework. The presentation was shotgun / AHA! style, meaning we had a number of 5 minute mini-presentations within the larger 50 minute preso. DeepSec Diary - blog.c22.cc/2011/11/22/deepsec-2011-quick-roundup/ The first [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Events Related</strong></p>
<ul>
<li><a href="http://blog.pentestify.com/source-barcelona-2011-materials">Source Barcelona 2011 Materials</a> - blog.pentestify.com/source-barcelona-2011-materials<br />
Quick post to link our information from Source Barcelona 2011. @kernelsmith &amp; I discussed alternative use cases for the Metasploit Framework. The presentation was shotgun / AHA! style, meaning we had a number of 5 minute mini-presentations within the larger 50 minute preso.</li>
<li><a href="http://blog.c22.cc/2011/11/22/deepsec-2011-quick-roundup/">DeepSec Diary</a> - blog.c22.cc/2011/11/22/deepsec-2011-quick-roundup/<br />
The first day started off with the usual 6am start to get to Vienna in time for registration. I arrived a few minutes late for the keynote, but quickly got into the swing of things. The keynote (<em>How Terrorists Encrypt</em>) was a discussion of how terrorist organisations (<em>mostly Al Qaeda and connected cells</em>) use encryption to communicate.</li>
</ul>
<p><strong>Resources</strong></p>
<ul>
<li><a href="http://blog.opensecurityresearch.com/2011/11/duqu-briefing.html">A Duqu Briefing</a> &#8211; blog.opensecurityresearch.com<br />
The landscape of malware has drastically changed in the last few years. It has hardly been a year since the security community identified Stuxnet, which some believe was the most menacing malware in history… And now we have Duqu making the news. The Laboratory of Cryptography and System Security at Budapest University of Technology and Economics identified a worm on October 14th 2011 and named the threat Duqu [dyü-kyü] because it creates files with the name prefix “~DQ”.</li>
<li><a href="http://interviews.slashdot.org/story/11/11/23/1612230/ask-hacker-and-security-gadfly-moxie-marlinspike?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed:+Slashdot/slashdot+(Slashdot)">Ask Hacker And Security Gadfly Moxie Marlinspike</a> &#8211; interviews.slashdot.org<br />
I&#8217;ve worked as a software engineer, hacker, sailor, captain, and shipwright. I&#8217;m currently a fellow at the Institute For Disruptive Studies, run a cloud-based password cracking service, and am a co-founder of Whisper Systems. I like computer security, particularly areas around secure protocols, cryptography, privacy, and anonymity. I have to admit that I&#8217;m more inspired by software engineers who become interested in computer security, rather than the other way around.</li>
</ul>
<p><strong>Tools</strong></p>
<ul>
<li><a href="http://sourceforge.net/projects/networkminer/files/networkminer/">UPDATE: NetworkMiner 1.2!</a> &#8211; sourceforge.net/projects/networkminer/files/networkminer/<br />
NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.</li>
<li><a href="http://download.openwall.net/pub/projects/john/1.7.8/">UPDATE: John The Ripper v1.7.9!</a> &#8211; download.openwall.net/pub/projects/john/1.7.8/<br />
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types commonly found on Unix systems, as well as Windows LM hashes.</li>
<li><a href="http://sourceforge.net/projects/sqlsus/files/sqlsus/sqlsus-0.7.1.tgz/download">sqlsus 0.7.1 Released &#8211; MySQL injection and takeover tool</a> &#8211; sourceforge.net/projects/sqlsus/files/sqlsus/sqlsus-0.7.1.tgz/download<br />
sqlsus is an open source MySQL injection and takeover tool, written in perl. Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more…Whenever relevant, sqlsus will mimic a MySQL console output.</li>
<li><a href="http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html">PowerSyringe &#8211; PowerShell-based Code/DLL Injection Utility</a> - exploit-monday.com<br />
So I decided to expand upon my previous post and create a slightly more full-featured Powershell-based code/DLL injection utility. Behold, PowerSyringe. As the name implies, I based some of the code on the original Syringe toolkit.</li>
<li><a href="http://www.pmcma.org/faq/">PMCMA tool resources and links</a> &#8211; pmcma.org<br />
Pmcma is a tool aimed at determining if a given software bug is an exploitable vulnerability by automatically writing an exploit for it. Like every powerful tool made by human beings, it is double edged: it can be used for good or evil.</li>
<li><a href="http://downloads.sourceforge.net/project/voiphopper/voiphopper-2.0/voiphopper-2.01.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fvoiphopper%2Ffiles%2Fvoiphopper-2.0%2F&amp;ts=1321850086&amp;use_mirror=cdnetworks-kr-1">VoIP Hopper 2.01 Released &#8211; IP Phone VLAN Hopping Tool</a> &#8211; darknet.org.uk<br />
VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop into the Voice VLAN on specific ethernet switches. VoIP Hopper does this by mimicking the behavior of an IP Phone, in Cisco, Avaya, and Nortel environments.</li>
<li><a href="http://www.ethicalhack3r.co.uk/security/wpscan-1-1-released/">WPScan 1.1. Released</a> &#8211; ethicalhack3r.co.uk<br />
I am pleased to announce, after 5 months of work, that WPScan version 1.1 has been released!</li>
<li><a href="http://code.google.com/p/windows-privesc-check/">Windows Privesc Check </a>- code.google.com<br />
Windows-privesc-check is a standalone executable that runs on Windows systems (tested on XP, Windows 7 only so far). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).</li>
</ul>
<p><strong>Techniques</strong></p>
<ul>
<li><a href="http://www.rationalsurvivability.com/blog/?p=3342#.Tssu_CslrAg.twitter">802.bah &#8211; Beware the SiriSheep Attack!</a> - rationalsurvivability.com<br />
On the heels of a French group reverse-engineering the Siri protocol by intercepting requests to the Internet-based server that Apple sends Siri requests to, Pete Lamonica, a first-time Ruby developer has produced another innovative hack.</li>
<li><a href="http://dsecrg.blogspot.com/2011/11/hacking-plc-from-internet-part1.html">Hacking PLC From The Internet Part1.1 (Edited)</a> &#8211; dsecrg.blogspot.com<br />
So many of you guys probably know that SCADA systems can be found in the internet. It is not so hard. You just need to know google or shodanhq search strings. But what is more important is that PLC devices that must be much more secured from the outside than SCADA are also available from the internet!</li>
<li><a href="http://www.ethicalhacker.net/content/view/399/24/">Oracle Web Hacking Part II </a>- ethicalhacker.net<br />
In Part 2 of 3 of this ongoing series of columns, I’ll dive into attacking the Oracle Application Server Portal (OracleAS Portal).  I’ll focus on Oracle 9i and 10g up to Release 2.  With 11g (10.3.x) Oracle moved to Weblogic, and it’s completely different and therefore out of the scope of this series.  But there are plenty of shops out there still using 9i and 10g, which gives us plenty of opportunity for breaking stuff.  So, let’s get to it.</li>
<li><a href="http://isc.sans.edu/diary/SCADA+hacks+published+on+Pastebin/12088">SCADA Hacks Published On Pastebin</a> &#8211; isc.sans.edu<br />
pastebin.com has become a simple platform to publish evidence of various attacks. Lenny a few months back already noted that it may be useful for organizations to occasionally search pastebin for data leakage. Recently, an individual using the alias of pr0f published evidence of attacking the South Houston water system.</li>
<li><a href="http://isc.sans.edu/diary.html?storyid=12091&amp;rss">Quick Tip: Pastebin Monitoring &amp; Recon</a> &#8211; isc.sans.edu<br />
One reader wrote in to say that you could use Google Alerts to monitor Pastebin for names and keywords of interest to you, but you may prefer a Google Custom Search instead. Configure it to monitor Pastebin and other similar sites; set names and keywords that are relevant for your needs.</li>
</ul>
<p><strong>Vulnerabilities</strong></p>
<ul>
<li><a href="http://erpscan.com/press-center/news/mass-disclose-of-vulnerabilities-in-sap-from-erpscan-specialists/">Mass Disclosure of Vulnerabilities In SAP From ERPScan Specialists</a> &#8211; erpscan.com<br />
This month ERPScan specialists published 8 vulnerabilities of different criticality, found in SAP products.   Vulnerabilities representing almost all risks from the OWASP Top 10: from path traversal and XSS to authorization bypass and code injection &#8211; were published on ERPScan.com.</li>
</ul>
<p><strong>Other News</strong></p>
<ul>
<li><a href="https://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-digit-password-secure-internet-facing-scada-system-112011">Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System</a> &#8211; threatpost.com<br />
The hacker, using the handle &#8220;pr0f&#8221; took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems used by South Houston, a community in Harris County, Texas.</li>
<li><a href="http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/">Mobile &#8216;Rootkit&#8217; Maker Tries To Silence Critical Android Dev</a> &#8211; wired.com<br />
A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2011/11/28/week-47-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

