<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Infosec Events &#187; Security Vulnerabilities</title>
	<atom:link href="http://infosecevents.net/category/security-vulnerabilities/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecevents.net</link>
	<description>Covering the Information Security Economy</description>
	<lastBuildDate>Mon, 21 May 2012 05:28:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Week 20 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/05/20/week-20-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/05/20/week-20-in-review-2012/#comments</comments>
		<pubDate>Mon, 21 May 2012 05:28:36 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[CSS]]></category>
		<category><![CDATA[iOS]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Mallory]]></category>
		<category><![CDATA[Reversing 101]]></category>
		<category><![CDATA[RSA ID]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2367</guid>
		<description><![CDATA[Resources Mobile Threat Report, Q1 2012- f-secure.comIt&#8217;s time to publicly release our latest Mobile Threat Report, covering the 1st quarter of 2012. Our Q4 2011 report was quite popular and this new one for Q1 is even better. More content (and pages) for your reading pleasure. A closer look into the RSA SecureID software token- [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Resources</strong></p>
<ul>
<li><a href="http://www.f-secure.com/weblog/archives/00002363.html">Mobile Threat Report, Q1 2012</a> &#8211; f-secure.com<br />
It&#8217;s time to publicly release our latest Mobile Threat Report, covering the 1st quarter of 2012. Our Q4 2011 report was quite popular and this new one for Q1 is even better. More content (and pages) for your reading pleasure.</li>
<li><a href="http://www.sensepost.com/blog/7045.html">A closer look into the RSA SecureID software token</a> &#8211; sensepost.com<br />
Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms.</li>
<li><a href="https://isc.sans.edu/ipv6videos/">IPv6 Videos</a> &#8211; isc.sans.edu<br />
We are in the process of creating some videos to illustrate the impact IPv6 may have on your network. IPv6 may seem far away to you, and you may not have a plan to implement it. However, modern operating systems will frequently enable IPv6 tunneling protocols by default. As a result, you end up with covert channels bypassing your perimeter protection. These videos will focus on this issue.</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li><a href="http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx">Introducing EMET v3</a> &#8211; blogs.technet.com<br />
We are pleased to announce the release of a new version of our Enhanced Mitigation Experience Toolkit (EMET) &#8211; EMET 3.0. EMET is a free utility that helps prevent vulnerabilities in software from being successfully exploited for code execution.</li>
<li><a href="https://code.google.com/p/truecrack/downloads/list">TrueCrack Beta Brute-Force Password for TrueCrypt Released</a> &#8211; code.google.com<br />
TrueCrack is a brute-force password cracker for TrueCrypt volume files. It works on Linux and it is optimized with Nvidia Cuda technology.</li>
<li><a href="http://code.google.com/p/quarkspwdump/">quarkspwdump &#8211; windows credentials extraction</a> &#8211; code.google.com<br />
Quarks PwDump is a native Win32 tool to extract credentials from Windows operating systems.</li>
<li><a href="http://www.commonexploits.com/?p=444">Frogger 1.2 – VLAN Hopping Script</a> &#8211; commonexploits.com<br />
It saves manually sniffing packets, going through and noting down the VLAN IDs etc. It is a fast way to discover live devices within each VLAN ID. Let’s say you have 100 VLAN IDs; it will take you some time to manually find devices or VLANs of interest.</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="https://www.corelan.be/index.php/2012/05/14/reversing-101-solving-a-protectionscheme/">Reversing 101 &#8211; Solving a protection scheme</a> &#8211; corelan.be<br />
In this post, we’ll look at an application reversing challenge from HTS (hackthissite.org) resembling a real-life protection scheme. You can find a copy of the challenge here: http://www.hackthissite.org/missions/application/app17win.zip Put simply, the program creates a key for your username, and compares it to the one you enter. This tutorial is not meant as a spoiler for HTS since for every username a dedicated password will be computed. This tutorial is purely written to allow you to understand how some (even real-life) protection schemes are implemented.</li>
<li><a href="http://blog.opensecurityresearch.com/2012/05/mallory-mitm-fix-ssl-decryption.html">Mallory MITM + FIX SSL Decryption</a> &#8211; blog.opensecurityresearch.com<br />
In this post I’ll cover how I approached testing this protocol and the tools I used to test it. I won’t be discussing the FIX protocol in much detail beyond what can be found on the FIX site or various FIX wikis on the net. This post will focus primarily on how to set up and configure Mallory to decrypt the SSL stream from a FIX-speaking thick client.</li>
<li><a href="http://jsfiddle.net/gcollazo/UMyEm/embedded/result/">CSS-Only Clickjacking</a> &#8211; jsfiddle.net<br />
If you click on any of the links below your click will be passed to a hidden Facebook Like button (Click) or a Twitter Follow button (Don&#8217;t click) just below the links.<br />
The magic is done with a simple CSS rule set in the style of the overlaying element.</li>
<li><a href="http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-9-apple-filing.html">From LOW to PWNED [9] Apple Filing Protocol (AFP)</a> &#8211; carnal0wnage.attackresearch.com<br />
The Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and original Mac OS. In Mac OS X, AFP is one of several file services supported including Server Message Block (SMB), Network File System (NFS), File Transfer Protocol (FTP), and WebDAV.</li>
<li><a href="http://packetstormsecurity.org/files/112851">PHP 5.4 Win32 Code Execution</a> &#8211; packetstormsecurity.org<br />
PHP version 5.4.3 code execution exploit for Win32.</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li><a href="http://blog.crackpassword.com/2012/05/elcomsoft-helps-investigate-crime-providing-yet-another-way-to-break-into-ios-with-icloud-attack/">ElcomSoft Helps Investigate Crime Providing Yet Another Way to Break into iOS with iCloud Attack Advanced Password Cracking Insight</a> &#8211; crackpassword.com<br />
Elcomsoft Phone Password Breaker and Elcomsoft iOS Forensic Toolkit have been around for a while, acquiring user information from physical iPhone/iPad devices or recovering data from user-created offline backups.</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li><a href="http://www.wired.com/threatlevel/2012/05/cctv-hack/">Popular Surveillance Cameras Open to Hackers, Researcher Says</a> &#8211; wired.com<br />
Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.</li>
<li><a href="http://www.infosecleaders.com/2012/05/career-advice-tuesday-why-info-sec-position-go-unfilled/">Career Advice Tuesday – Why Info Sec Position Go Unfilled</a> &#8211; infosecleaders.com<br />
Below you will find the unedited version of my latest article for Tech Target/Search Security – Information Security Magazine. The article is designed to shed some light as to why companies have such a difficult time in filling information security roles.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/05/20/week-20-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 19 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/05/14/week-19-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/05/14/week-19-in-review-2012/#comments</comments>
		<pubDate>Mon, 14 May 2012 16:48:25 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Security Workshops]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Microsoft Security Bulletin]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2359</guid>
		<description><![CDATA[Resources Research for SharePoint (MOSS) &#8211; owasp.org This page contains research notes on Microsoft&#8217;s SharePoint MOSS and WSS MS SQL &#8211; Useful Stored Procedures for SQL Injection and Ports Info &#8211; pentesticles.com The following post lists and describes various useful stored procedures and port information for MS SQL. Portable Executable 101 &#8211; a windows executable [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Resources</strong></p>
<ul>
<li><a href="https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29">Research for SharePoint (MOSS)</a> &#8211; owasp.org<br />
This page contains research notes on Microsoft&#8217;s SharePoint MOSS and WSS</li>
<li><a href="http://www.pentesticles.com/2012/05/ms-sql-useful-stored-procedures-for-sql.html">MS SQL &#8211; Useful Stored Procedures for SQL Injection and Ports Info</a> &#8211; pentesticles.com<br />
The following post lists and describes various useful stored procedures and port information for MS SQL.</li>
<li><a href="http://code.google.com/p/corkami/wiki/PE101?show=content">Portable Executable 101 &#8211; a windows executable walkthrough</a> &#8211; code.google.com<br />
This graphic (PDF JPG) is a walkthrough of a simple windows executable, that shows its dissected structure and explains how it&#8217;s loaded by the operating system.</li>
<li><a href="http://labs.mwrinfosecurity.com/publications/2012/04/27/sap-slapping/">SAP Slapping</a> &#8211; labs.mwrinfosecurity.com<br />
Dave Hartley delivered his “SAP Slapping” presentation at the CRESTCon and BSides London security conferences recently. The talk provides a high level overview of common SAP system vulnerabilities and misconfigurations.</li>
<li><a href="http://resources.infosecinstitute.com/scanning-with-ammonite/">Scanning the Web with Ammonite</a> &#8211; resources.infosecinstitute.com<br />
Ammonite is a Fiddler extension used to scan web applications for common vulnerabilities like verbose and blind SQL injection, OS commanding, local file inclusion, buffer overflows, format string vulnerabilities etc.</li>
<li><a href="http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences">Exploiting Windows 2008</a> &#8211; esec-pentest.sogeti.com<br />
Internal network pentesting involving domain controllers requires a few steps in order to gain domain administrator access. One of them usually requires to gain local administrator access to a workstation.</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li><a href="http://code.google.com/p/gason/">Gason - BurpSuite Plugin&#8217;s Project &#8211; Google Project Hosting</a> - code.google.com<br />
This project contains a plugin to extend BurpSuite proxy. And now you can run Gason stand-alone!</li>
<li><a href="http://code.google.com/p/skipfish/downloads/list">Skipfish version 2.06b Update</a> &#8211; code.google.com<br />
Skipfish is a fully automated, active web application security reconnaissance tool.</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li>Android</li>
<ul>
<li><a href="http://carnal0wnage.attackresearch.com/2012/05/android-emulator-trusted-ca-and.html">Android Emulator, Trusted CA, and Persistent Storage</a> &#8211; carnal0wnage.attackresearch.com<br />
Android periodically updates its SDK and sometimes when this happens, old methods for importing a Trusted CA, necessary to proxy SSL traffic, will fail and you must find a new solution.</li>
<li><a href="http://carnal0wnage.attackresearch.com/2012/05/update-android-ssl-cert.html">Update &#8211; Android &amp; SSL Cert</a> &#8211; carnal0wnage.attackresearch.com<br />
Thanks to the comments left by Zach from our last Android post here, it has been brought to my attention there is an easier way to do all of this with the latest AVD (4.0.3).</li>
</ul>
<li><a href="https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram">SecurityStreet: Unsupported Browser</a> &#8211; rapid7.com<br />
The purpose of this post is to point out a little-known jewel &#8212; the -m flag to meterpreter&#8217;s execute command.</li>
</ul>
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li>Microsoft Security Bulletin</li>
<ul>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-029">MS12-029 &#8211; Critical : Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352)</a> &#8211; technet.microsoft.com<br />
This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</li>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms12-032">MS12-032 &#8211; Important : Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)</a> &#8211; technet.microsoft.com<br />
This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.</li>
<li><a href="http://blogs.technet.com/b/msrc/archive/2012/05/08/bulletin-management-process-and-the-may-2012-bulletins.aspx">Bulletin Management Process and the May 2012 Bulletins</a> - blogs.technet.com<br />
Have you ever wondered why bulletins group particular issues together? Or one set of products and not another? Well today Jonathan Ness has posted an insightful Security Research &amp; Defense (SRD) blog discussing some of the nuances and packaging decisions that went into MS12-034.</li>
<li><a href="http://www.zdnet.com/blog/security/microsoft-patches-23-windows-flaws-warns-of-risk-of-code-execution-attacks/12001">Microsoft patches 23 Windows flaws, warns of risk of code execution attacks</a> &#8211; zdnet.com<br />
The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.</li>
</ul>
<li><a href="http://krebsonsecurity.com/2012/05/adobe-microsoft-push-critical-security-fixes/">Adobe, Microsoft Push Critical Security Fixes</a> &#8211; krebsonsecurity.com<br />
Adobe and Microsoft today each issued updates to address critical security flaws in their software.</li>
<li><a href="http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html">PHP-CGI Vulnerability Exploited in the Wild</a> &#8211; blog.sucuri.net<br />
When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li><a href="http://news.cnet.com/8301-1009_3-57430475-83/thousands-of-twitter-passwords-exposed/">Thousands of Twitter passwords exposed</a> &#8211; news.cnet.com<br />
It&#8217;s unclear who&#8217;s responsible for posting passwords for Twitter accounts to a public Web site. The exact number of accounts is also unclear, as Twitter says many are duplicates and many had already been suspended.</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li><a href="http://www.darkreading.com/vulnerability-management/167901026/security/antivirus/240000174/fbi-warns-travelers-using-hotel-networks-about-new-attack.html">FBI Warns Travelers Using Hotel Networks About New Attack</a> &#8211; darkreading.com<br />
The FBI says attackers are trying to trick users into installing malware with promises of software updates.</li>
<li><a href="http://www.h-online.com/security/news/item/Sniffer-tool-displays-other-people-s-WhatsApp-messages-1574382.html">Sniffer tool displays other people&#8217;s WhatsApp messages</a> &#8211; h-online.com<br />
WhatsApp Sniffer is an app able to display messages from other WhatsApp users connected to the same network as the app user.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/05/14/week-19-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 18 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/05/07/week-18-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/05/07/week-18-in-review-2012/#comments</comments>
		<pubDate>Mon, 07 May 2012 15:57:27 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Training]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[linux triage tools]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2346</guid>
		<description><![CDATA[Resources Breaking in to Security &#8211; Survey Conclusions, Part 1 &#8211; digininja.org To collect the data I created an online survey and sent it out through as many sources as I could, to date I&#8217;ve got over 300 results and I&#8217;d like to say a huge thanks to everyone who completed it and helped with [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Resources</strong></p>
<ul>
<li><a href="http://www.digininja.org/projects/breaking_in_part_1.php">Breaking in to Security &#8211; Survey Conclusions, Part 1</a> &#8211; digininja.org
<p>To collect the data I created an online survey and sent it out through as many sources as I could, to date I&#8217;ve got over 300 results and I&#8217;d like to say a huge thanks to everyone who completed it and helped with the advertising. If you want to see the full raw data I&#8217;ve published it and intend to try to keep it fairly up-to-date as more people answer the survey.
</li>
<li><a href="http://www.phillips321.co.uk/2012/04/11/oclhashcat-examples-of-lots-of-different-hash-types/">oclHashcat Examples of lots of different hash types</a> &#8211; phillips321.co.uk
<p>So you’ve got oclHashcat and you want to practice cracking hashes but you’ve got no hashes? Fear not! There are hashes listed below for you to play with or if you would like to generate hashes yourself download my perl module here and have a play with making them and then cracking yourself.
</li>
<li><a href="http://www.thesprawl.org/research/seh-to-nseh/">getting from seh to nseh</a> &#8211; thesprawl.org
<p>There are several approaches to doing this with the &#8216;POP-POP-RET&#8217; being the most popular. Let&#8217;s see exactly why this approach works and analyze potential alternatives such as JMP DWORD PTR [EBP+0x30], POPAD and ROP.
</li>
<li><a href="http://resources.infosecinstitute.com/ios-5-backups-part-1/">iPhone Forensics: Analysis of iOS 5 backups, Part 1</a> &#8211; infosecinstitute.com
<p>iPhone forensics can be performed on the backups made by iTunes or directly on the live device. This previous article on iPhone forensics detailed the forensic techniques and the technical challenges involved in performing live device forensics.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li>CERT</li>
<ul>
<li><a href="http://www.cert.org/blogs/certcc/2012/04/cert_triage_tools_10.html">CERT Linux Triage Tools 1.0 Released</a> &#8211; cert.org
<p>As part of the vulnerability discovery work at CERT, we have developed a GNU Debugger (GDB) extension called &#8220;exploitable&#8221; that classifies Linux application bugs by severity. Version 1.0 of the extension is available for public download here. This blog post contains an overview of the extension and how it works.
</li>
<li><a href="https://www.cert.org/blogs/certcc/2012/04/cert_basic_fuzzing_framework_v.html">CERT Basic Fuzzing Framework 2.5 Released</a> &#8211; cert.org
<p>Hi folks, Allen Householder here. In addition to the recent introduction of our new Failure Observation Engine (FOE) fuzzing framework for Windows and Linux Triage Tools, we have updated the CERT Basic Fuzzing Framework (BFF) to version 2.5. This post highlights the significant changes.
</li>
</ul>
<li><a href="https://github.com/psychomario/ntlmsspparse">psychomario/ntlmsspparse</a> &#8211; github.com
<p>ntlmsspparse &#8211; Parses ntlmssp netlm[v2] hashes out of a pcap file for use with a password cracker.</p>
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="http://blog.securestate.com/post/2012/05/02/Three-Areas-You-Need-To-Test-When-Assessing-Mobile-Applications.aspx">Three Areas You Need To Test When Assessing Mobile Applications</a> &#8211; securestate.com
<p>Having spoken both at the SANS Mobile Device Security Summit and at OWASP AppSec DC recently about testing mobile applications, I’ve found that, as the old saying goes, “There are many ways to skin a cat”; there are also many ways to assess a mobile application. </p>
</li>
<li><a href="http://obscuresecurity.blogspot.com/2012/04/command-injection-to-code-execution.html">Command Injection to Code Execution with PowerShell</a> &#8211; obscuresecurity.blogspot.com
<p>A common scenario that testers face involves leveraging command injection vulnerabilities into a full-blown shell.  A lot of people view command injection as an old technique, but it is very relevant today.  There are many different types of attacks that end in command injection (e.g. SQL injection), so testers need a way to turn Windows commands into shell access.
</li>
<li><a href="http://securitylearn.wordpress.com/2012/05/03/decrypting-the-iphone-keychain-from-backups/">Decrypting the iPhone keychain from backups</a> &#8211; securitylearn.wordpress.com
<p>In an iTunes backup, the iPhone Keychain sqlite database is stored as a PList file. The Keychain file is stored under the file name 51a4616e576dd33cd2abadfea874eb8ff246bf0e in the iTunes backup folder.
</li>
<li><a href="http://www.pentesticles.com/2012/05/interesting-directives-in-phpini-for.html">Interesting Directives in php.ini (for Pen Testers and Devs)</a> &#8211; pentesticles.com
<p>This post aims to pin-point the directives that developers should be familiar with and also show penetration testers the nuts and bolts of the issues they’re seeing so that they may better advise their clients.
</li>
</ul>
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li>Adobe Flash</li>
<ul>
<li><a href="http://krebsonsecurity.com/2012/05/critical-flash-update-fixes-zero-day-flaw/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">Critical Flash Update Fixes Zero-day Flaw</a> &#8211; krebsonsecurity.com
<p>Adobe Systems Inc. today issued a security update to its Flash Player software. The company stressed that the update fixes a critical vulnerability that malicious actors have been using in targeted attacks.
</li>
<li><a href="https://www.adobe.com/support/security/bulletins/apsb12-09.html">Security update available for Adobe Flash Player</a> &#8211; adobe.com
<p>Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x.
</li>
</ul>
<li><a href="http://blog.didierstevens.com/2012/05/01/update-taskmanager-xls-v0-1-3-killer-shellcode/">Update: TaskManager.xls V0.1.3 Killer Shellcode</a> &#8211; blog.didierstevens.com
<p>Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.
</li>
<li><a href="http://eromang.zataz.com/2012/05/06/metasploit-vmware-auxiliary-modules/">Metasploit VMware Auxiliary Modules</a> &#8211; eromang.zataz.com
<p>Metasploit provides VMware auxiliary modules that allow you to gather information, brute-force authentication, and execute tasks against ESX/ESXi.</p>
</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li><a href="http://eromang.zataz.com/2012/04/30/oracle-database-tns-poison-0day-video-demonstration/">CVE-2012-1675 Oracle Database TNS Poison 0Day Video Demonstration</a> &#8211; eromang.zataz.com
<p>Demonstration of the critical remotely exploitable vulnerability CVE-2012-1675 TNS Poison affecting all Oracle database server versions.</p>
</li>
<li><a href="http://arstechnica.com/business/news/2012/04/release-of-exploit-code-puts-oracle-database-users-at-risk-of-attack.ars">Release of exploit code puts Oracle Database users at risk of attack</a> &#8211; arstechnica.com
<p>Oracle has declined to patch a critical vulnerability in its flagship database product, leaving customers vulnerable to attacks that siphon confidential information from corporate servers and execute malware on backend systems, a security researcher said.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li><a href="http://www.wired.com/threatlevel/2012/05/everyone-hacked/">Everyone Has Been Hacked. Now What?</a> &#8211; wired.com
<p>Hackers are everywhere and everyone has been hacked. So what&#8217;s a company to do?</p>
</li>
<li><a href="http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963">Apple security blunder exposes Lion login passwords in clear text</a> &#8211; zdnet.com
<p>With the latest Lion security update, Mac OS X 10.7.3, Apple has accidentally turned on a debug log file outside of the encrypted area that stores the</p>
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/05/07/week-18-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Week 17 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/04/30/week-17-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/04/30/week-17-in-review-2012/#comments</comments>
		<pubDate>Mon, 30 Apr 2012 09:20:12 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[AppSec]]></category>
		<category><![CDATA[CanSecWest 2012]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[SyScan]]></category>
		<category><![CDATA[SyScan Singapore]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2341</guid>
		<description><![CDATA[Event Related Our CanSecWest 2012 slides on passive DNS and Picviz &#8211; picviz.blogspot.fr Alexandre Dulaunoy from CIRCL.LU and Sebastien Tricaud from Picviz Labs have been talking at CanSecWest 2012 in Vancouver, Canada, on how to scrutinize a country using passive DNS and Picviz. SyScan 2012 Singapore slides &#8211; www.xchg.info Conference and slides of SyScan 2012 [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li><a href="http://picviz.blogspot.fr/2012/03/our-cansecwest-2012-slides-on-passive.html">Our CanSecWest 2012 slides on passive DNS and Picviz</a> &#8211; picviz.blogspot.fr<br />
Alexandre Dulaunoy from CIRCL.LU and Sebastien Tricaud from Picviz Labs have been talking at CanSecWest 2012 in Vancouver, Canada, on how to scrutinize a country using passive DNS and Picviz.
</li>
<li><a href="http://www.xchg.info/ARTeam/conferences/SyScan%202012%20Singapore/">SyScan 2012 Singapore slides</a> &#8211; www.xchg.info<br />
Conference and slides of SyScan 2012 Singapore
</li>
</ul>
<p><strong> Resources</strong></p>
<ul>
<li><a href="http://geer.tinho.net/geer.suitsandspooks.8ii12.txt">Big ideas from Daniel Geer on digital security and the role of humans</a> &#8211; geer.tinho.net<br />
Everything about cyberspace is now in a positive feedback loop or, should I say, the positive feedback loop in cyberspace is creating a positive feedback loop within all cutting edge science.  That loop includes cybersecurity.
</li>
<li><a href="http://blog.opensecurityresearch.com/2012/04/acquiring-volatile-memory-from-android.html">Acquiring volatile memory from Android based devices with LiME Forensics, Part I</a> &#8211; blog.opensecurityresearch.com<br />
Up until now, most of the Android forensics research has been focused on areas like the acquisition and analysis of the internal flash NAND memory, SD Cards, understanding the YAFFS2 file system and scrutinizing APK files for malware analysis, among others.
</li>
<li><a href="http://www.professionalsecuritytesters.org/modules.php?name=News&amp;file=article&amp;sid=1377">Hack In The Box Magazine Issue #8 has been released</a> &#8211; professionalsecuritytesters.org<br />
Hello readers and welcome to issue #8. It&#8217;s been a while since the release of the last issue and no, we are not dead yet.
</li>
<li><a href="http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086652.html"> [Full-disclosure] RuggedCom &#8211; Backdoor Accounts in my SCADA network? You don&#8217;t say&#8230;</a> &#8211; lists.grok.org.uk<br />
RuggedCom is one of a handful of networking vendors who capitalize on the market for &#8220;Industrial Strength&#8221; and &#8220;Hardened&#8221; networking equipment.
</li>
<li><a href="http://labs.neohapsis.com/2012/04/25/cvss-vulnerability-scoring-gone-wrong/">CVSS: Vulnerability Scoring Gone Wrong</a> &#8211; labs.neohapsis.com<br />
If you have been in the security space for any stretch of time you have undoubtedly run across the Common Vulnerability Scoring System (CVSS).
</li>
<li><a href="http://pen-testing.sans.org/blog/2012/04/27/presentation-powershell-for-pen-testers">Presentation: PowerShell for Pen Testers</a> &#8211; pen-testing.sans.org<br />
Tim &#8220;My Shell Makes Your Shell Cry Like a Little Baby&#8221; Medin did a presentation at SANS Orlando called &#8220;PowerShell for Pen Testers&#8221;. It&#8217;s really good. It starts out with an overview of PowerShell for the uninitiated, and then quickly jumps to some really effective use cases of PowerShell for penetration testers and ethical hackers.
</li>
<li><a href="https://tools.ietf.org/html/draft-gont-opsec-ipv6-implications-on-ipv4-nets-00">Security Implications of IPv6 on IPv4 Networks</a> &#8211; tools.ietf.org<br />
This document discusses the security implications of native IPv6 support and IPv6 transition/co-existence technologies on &#8220;IPv4-only&#8221; networks, and describes possible mitigations for the aforementioned issues.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li>OWASP</li>
<ul>
<li><a href="http://blog.taddong.com/2012/04/owasp-zap-smartcard-project.html">OWASP ZAP SmartCard Project</a> &#8211; blog.taddong.com<br />
OWASP ZAP (Zed Attack Proxy) has become THE open-source web application interception proxy and security auditing tool, replacing well known open-source players in this field we have been using all over the last decade, such as Paros, WebScarab, or AndiParos.
</li>
<li><a href="http://owasp.blogspot.com/2012/04/webgoat-54-released.html">WebGoat 5.4 Released</a> &#8211; owasp.blogspot.com<br />
WebGoat 5.4 was released today. Thanks to all of those who sent comments and helped get this release out the door.
</li>
</ul>
<li><a href="http://code.google.com/p/kautilya/">Kautilya v0.2.2 payloads for Teensy Released</a> &#8211; code.google.com<br />
Kautilya is a toolkit which provides various payloads for the Teensy device which may help in breaking into a computer. The toolkit is written in Ruby.
</li>
<li><a href="http://sandsprite.com/CodeStuff/PDFStreamDumper_Setup.exe">PdfStreamDumper version 0.9.320 update</a> &#8211; sandsprite.com<br />
PdfStreamDumper is a free tool for the analysis of malicious PDF documents. It also has some features that can make it useful for PDF vulnerability development.
</li>
<li><a href="https://blog.mandiant.com/archives/2512">Exploring Symbol Type Information with PdbXtract</a> &#8211; blog.mandiant.com<br />
Mandiant is introducing a new free tool today, PdbXtract™, which allows you to browse and search PDB-type information.
</li>
<li><a href="http://www.breaknenter.org/projects/inception/">Inception</a> &#8211; breaknenter.org<br />
Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost any machine you have physical access to.
</li>
<li><a href="https://github.com/unweb/plown/">Plown Security Scanner v0.3 for Plone CMS released</a> &#8211; github.com<br />
Plown is a security scanner for Plone CMS. Although Plone has the best security track record of any major CMS and is considered highly secure, misconfigurations and weak passwords might enable system break-ins. Plown has been developed to ease the discovery of usernames and passwords, and act as an assistant to system administrators to strengthen their Plone sites.
</li>
<li><a href="http://www.professionalsecuritytesters.org/modules.php?name=News&amp;file=article&amp;sid=1378">ERPScan has released ERPScan Security Scanner for SAP 2.0</a> &#8211; professionalsecuritytesters.org<br />
ERPScan has released ERPScan Security Scanner for SAP 2.0 &#8211; a complex solution to continuously monitor all areas of SAP security, from vulnerability assessment and misconfigurations to ABAP code review and analysis of business-critical privileges.
</li>
<li><a href="https://github.com/psychomario/ntlmsspparse">psychomario/ntlmsspparse</a> &#8211; github.com<br />
Parses ntlmssp netlm[v2] hashes out of a pcap file for use with a password cracker.
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="http://www.securityaegis.com/appsec-testing-tips-edge-cases-tool-chaining/">Appsec Testing Tips: Edge Cases &amp; Tool Chaining Security Aegis</a> &#8211; securityaegis.com<br />
At BruCon 2011 I gave a talk called The Web Application Hackers Toolchain. In this talk I outlined several non-standard additions and aids to web pentesters. One section in particular was leveraging tool chaining for better application mapping.
</li>
</ul>
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li><a href="http://www.exploit-monday.com/2012/04/64-bit-process-replacement-in.html">64-bit Process Replacement in Powershell</a> &#8211; exploit-monday.com<br />
For those of you who follow me on Twitter, you may have noticed that I posted a few teasers related to replacing processes in Powershell. Without further ado, I am releasing Replace-x64-Process.
</li>
<li><a href="https://community.rapid7.com/community/metasploit/blog/2012/04/24/metasploit-43-released-task-schedules-email-reports-upgrades-and-more-modules">Metasploit 4.3 Released: Task Chains, Email Reports, Upgrades, and More Modules</a> &#8211; community.rapid7.com<br />
It’s been a fun and challenging month for the Metasploit team, and we’re happy to announce that Metasploit 4.3 is ready and available for you to download. Metasploit 4.3 ships with 33 new exploits, 20 new auxiliary modules, 11 new post-exploitation modules, 4 new payloads, and some nifty new features on the Metasploit Pro side. That’s a lot of new stuff, so let’s just cover the highlights for this release.
</li>
<li><a href="http://sourceforge.net/projects/voiphopper/files/voiphopper-2.0/">VoIP Hopper version 2.04</a> &#8211; sourceforge.net<br />
VoIP Hopper is a GPLv3 licensed security tool, written in C, that rapidly runs a VLAN Hop security test.
</li>
<li><a href="https://gist.github.com/2523147">WooThemes WooFramework exploit: Execute any shortcode as an unauthenticated visitor</a> &#8211; gist.github.com<br />
WooThemes has now bumped their version number and fixed the update bug so please click &#8220;Update Framework&#8221; inside of the WordPress Admin to grab and install the latest version which patches this bug.
</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li>Microsoft MSN Hotmail</li>
<ul>
<li><a href="http://threatpost.com/en_us/blogs/hotmail-password-reset-bug-exploited-wild-042612">Hotmail Password Reset Bug Exploited in Wild</a> &#8211; threatpost.com<br />
Microsoft has issued a temporary permanent fix for a previously undisclosed bug in its MSN Hotmail Web email service that could have allowed remote attackers to reset account passwords.
</li>
<li><a href="http://www.vulnerability-lab.com/get_content.php?id=529">Microsoft MSN Hotmail &#8211; Password Reset &amp; Setup Vulnerability</a> &#8211; vulnerability-lab.com<br />
Hotmail (also known as Microsoft Hotmail and Windows Live Hotmail) is a free web-based email service operated by Microsoft as part of Windows Live.
</li>
</ul>
<li><a href="http://www.computerworld.com/s/article/9226377/Weak_Passwords_Still_Subvert_IT_Security">Weak Passwords Still Subvert IT Security</a> &#8211; computerworld.com<br />
A recent data breach that exposed the Social Security numbers of more than 280,000 people served as yet another reminder of the well-recognized, but often discounted, risks associated with using weak and default passwords.
</li>
<li><a href="http://www.techweekeurope.co.uk/news/android-motion-capture-trojan-74270">Trojan Uses Motion Sensors To Steal Smartphone Data</a> &#8211; techweekeurope.co.uk<br />
Motion-sensor data from smartphones can be used to effectively guess what keys a user is tapping and steal sensitive data such as PINs and bank details, according to new research (PDF) from Pennsylvania State University (PSU) and IBM.
</li>
<li><a href="http://www.h-online.com/security/news/item/Hacker-leaks-source-code-of-old-VMware-software-1559794.html">Hacker leaks source code of old VMware software</a> &#8211; h-online.com<br />
EMC subsidiary VMware has acknowledged that a hacker has released some of the company&#8217;s source code.
</li>
<li><a href="http://www.h-online.com/security/news/item/Oracle-databases-vulnerable-to-injected-listeners-1563150.html">Oracle databases vulnerable to injected listeners</a> &#8211; h-online.com<br />
There is no patch for a serious security hole in almost all Oracle database installations; administrators themselves should therefore take immediate action to protect their systems.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li><a href="http://www.netspi.com/blog/2012/04/24/penetration-testing-deception-through-vocabulary/">Penetration Testing &#8211; Deception through Vocabulary</a> &#8211; netspi.com<br />
This post is not of the technical nature (I’m the wrong guy) nor is it really about industry trends (maybe a little). I want to use this post to focus on some industry-specific vocabulary.
</li>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/04/30/week-17-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 16 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/04/23/week-16-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/04/23/week-16-in-review-2012/#comments</comments>
		<pubDate>Mon, 23 Apr 2012 12:40:00 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Hackito Ergo Sum 2012]]></category>
		<category><![CDATA[Notacon]]></category>
		<category><![CDATA[Troy Hunt]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2300</guid>
		<description><![CDATA[Event Related Hackito Ergo Sum 2012 TALKS // Hackito Ergo Sum 2012 &#8211; 2012.hackitoergosum.org In this presentation we will cover critical aspects of web applications, and how these techniques can be used on real life scenario on big (and highly “secured”) websites. These bugs and methods will be able to assist you in your next [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li>Hackito Ergo Sum 2012</li>
<ul>
<li><a href="http://2012.hackitoergosum.org/blog/schedule/talks">TALKS //  Hackito Ergo Sum 2012</a> &#8211; 2012.hackitoergosum.org<br />
In this presentation we will cover critical aspects of web applications, and how these techniques can be used on real life scenario on big (and highly “secured”) websites. These bugs and methods will be able to assist you in your next bug-hunting in your pentest or (god-forbid) bounty program.<br />
We will reveal several vulnerabilities found on real big scale and important websites.
</li>
<li><a href="http://breakingcode.wordpress.com/2012/04/20/hackito-ergo-sum-2012/">Hackito Ergo Sum 2012</a> &#8211; breakingcode.wordpress.com<br />
The event took place at the headquarters of the French Communist Party, and I have to say the conference room was quite impressive. It was an underground dome all covered with white metallic plates and lamps behind, giving a peculiar visual effect.
</li>
</ul>
<li><a href="http://www.irongeek.com/i.php?page=videos%2Fnotacon9%2Fmainlist">Notacon 9 (2012) Videos (Hacking Illustrated Series InfoSec Tutorial Videos)</a> &#8211; irongeek.com<br />
These are the videos from the 9th Notacon conference held April 12th-15th, 2012. Not all of them are security related, but I hope my viewers will enjoy them anyway.
</li>
<li><a href="http://www.securelist.com/en/blog/208193484/SOURCE_Boston_Security_Conference_and_Training_2012_Day_2_Dan_Geer_Keynote_Android_Modding_and_Cloud_Security">SOURCE Boston Security Conference and Training 2012 Day 2 &#8211; Dan Geer Keynote, Android Modding and Cloud Security</a> &#8211; securelist.com<br />
Dan Geer&#8217;s fantastic Keynote Speech kicked off Day 2 of SOURCE Conference Boston this morning. The talk itself was heady and complex, something to keep up with. Notable talks also were Jeremey Westerman&#8217;s &#8220;Covering *aaS &#8211; Cloud Security Case Studies for SaaS, PaaS and IaaS&#8221;, and Dan Rosenberg&#8217;s &#8220;Android Modding for the Security Practitioner&#8221;.
</li>
</ul>
<p><strong> Resources</strong></p>
<ul>
<li><a href="http://www.troyhunt.com/2012/04/5-interesting-security-trends-from.html">Troy Hunt: 5 interesting security trends from Verizon&#8217;s 2012 data breach report</a> &#8211; troyhunt.com<br />
This report is based on 855 incidents in 2011 (don’t be confused by the year in the title!) and because Verizon does this each year, there’s lots of data on how trends are changing.
</li>
<li><a href="http://resources.infosecinstitute.com/vlan-network-chapter-5/">VLAN Network Segmentation and Security- Chapter 5</a> &#8211; resources.infosecinstitute.com<br />
In this chapter, we step through a description of VLAN technology, how to secure it (including basic switch security), and how to control packets to increase the overall strength of attack surface defense. I use the term packet instead of frame to refer to transmission entities at both the network and the data link layers.
</li>
<li><a href="http://resources.infosecinstitute.com/pentesting-iphone-applications-2/">Penetration Testing for iPhone Applications- Part 2</a> &#8211; resources.infosecinstitute.com<br />
Every iPhone has an associated unique device Identifier derived from a set of hardware attributes called UDID. UDID is burned into the device and one cannot remove or change it. However, it can be spoofed with the help of tools like UDID Faker.
</li>
<li><a href="http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-0-intro.html">From LOW to PWNED [0] Intro</a> &#8211; carnal0wnage.attackresearch.com<br />
I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.
</li>
<li><a href="http://blogs.technet.com/b/mmpc/archive/2012/04/20/analysis-of-the-eleonore-exploit-pack-shellcode.aspx">Analysis of the Eleonore exploit pack shellcode</a> &#8211; blogs.technet.com<br />
&#8216;Eleonore&#8217; is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li><a href="http://blog.didierstevens.com/2012/04/17/interactivesieve/">InteractiveSieve</a> &#8211; blog.didierstevens.com<br />
Interactive Sieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant.
</li>
<li><a href="http://code.google.com/p/ra2-dom-xss-scanner/downloads/list">Ra.2 is Blackbox DOM-based XSS Scanner tool</a> &#8211; code.google.com<br />
Ra.2 is a new Blackbox DOM-based XSS Scanner, an approach towards finding a solution to the problem of detecting DOM-based Cross-Site Scripting vulnerabilities in web applications automatically, effectively and fast.
</li>
<li><a href="http://www.darkreading.com/advanced-threats/167901091/security/application-security/232900471/doe-lab-releases-open-source-attack-intelligence-tool.html">DOE Lab Releases Open-Source Attack Intelligence Tool</a> &#8211; darkreading.com<br />
The U.S. Department of Energy&#8217;s Pacific Northwest National Laboratory (PNNL) is offering an open-source version of a homegrown tool that gathers an additional layer of intelligence during an attack.
</li>
<li><a href="http://www.darknet.org.uk/2012/04/nfspy-id-spoofing-nfs-client-tool-mount-nfs-shares-without-account/">NfSpy &#8211; ID-spoofing NFS Client Tool &#8211; Mount NFS Shares Without Account</a> &#8211; darknet.org.uk<br />
We wrote about this tool originally last year – NfSpy – ID-spoofing NFS Client – Falsify NFS Credentials – and a new version just came out!
</li>
<li><a href="http://blogs.msdn.com/b/sqlsecurity/archive/2012/04/19/sql-server-2012-best-practices-analyzer.aspx">SQL Server 2012 Best Practices Analyzer</a> &#8211; blogs.msdn.com<br />
I’m pleased to announce that SQL Server 2012 Best Practices Analyzer (BPA) has been released and is available for download at http://www.microsoft.com/download/en/details.aspx?id=29302.
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="http://blog.opensecurityresearch.com/2012/04/hack-tips-good-for-enterprise.html">Hack Tips: Good for Enterprise Exploitation</a> &#8211; blog.opensecurityresearch.com<br />
Good for Enterprise™ is a suite of powerful mobile device management tools that bring military-grade security, end-to-end data loss prevention, and collaboration features to today&#8217;s most popular smartphones and tablets — without compromising IT security and control.
</li>
<li><a href="http://labs.neohapsis.com/2012/04/19/xss-shortening-cheatsheet/">XSS Shortening Cheatsheet</a> &#8211; labs.neohapsis.com<br />
In the course of a recent assessment of a web application, I ran into an interesting problem. I found XSS on a page, but the field was limited (yes, on the server side) to 20 characters.
</li>
<li><a href="http://securitylearn.wordpress.com/2012/04/22/extracting-aes-keys-from-iphone/">Extracting AES keys from iPhone</a> &#8211; securitylearn.wordpress.com<br />
The iPhone application processor comes with two built-in encryption keys – UID, GID. OS running on the device cannot read the hardcoded keys but it can use the keys to generate other encryption keys used for data protection, media encryption and keychain encryption. The hardcoded keys can only be used from bootloader and kernel mode.
</li>
</ul>
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li><a href="http://www.h-online.com/security/news/item/Oracle-patch-day-addresses-88-vulnerabilities-1541933.html">Oracle patch day addresses 88 vulnerabilities</a> &#8211; h-online.com<br />
Oracle has released 88 security patches as part of its scheduled April Critical Patch Update (CPU), ten more than on its last patch day in January.
</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li><a href="http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/">Monitor OS X LaunchAgents folders to help prevent malware attacks</a> &#8211; reviews.cnet.com<br />
While malware scanners can detect threats once definitions for them are available, you can monitor or lock your systems&#8217; launch agents folders to more proactively prevent attacks on your system.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li><a href="http://www.zdnet.com/blog/security/15-year-old-arrested-for-hacking-259-companies/11585">15-year-old arrested for hacking 259 companies</a> &#8211; zdnet.com<br />
A 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.
</li>
<li><a href="http://www.zdnet.com/blog/security/3-million-bank-accounts-hacked-in-iran/11577">3 million bank accounts hacked in Iran</a> &#8211; zdnet.com<br />
First, he warned of the security flaw in Iran’s banking system. Then he provided them with 1,000 bank account details. When they didn’t listen, he hacked 3 million accounts across at least 22 banks.
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/04/23/week-16-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 15 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/04/16/week-15-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/04/16/week-15-in-review-2012/#comments</comments>
		<pubDate>Mon, 16 Apr 2012 19:46:51 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[2012 Verizon DBIR]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[APCERT 2012]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Microsoft Powershell]]></category>
		<category><![CDATA[Microsoft Security Bulletin]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[RSA 2012]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2292</guid>
		<description><![CDATA[Event Related A cyber weapon &#8211; alexmgeorge.wordpress.com At RSA 2012 Dave Aitel made a presentation wherein he defined cyber weapons a bit outside of how people normally think. The tried and true metaphor (which I admit to using) is that exploits or frameworks are like guns, and if they’re like guns then it’s easy to [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li><a href="http://alexmcgeorge.wordpress.com/2012/04/10/a-cyber-weapon/">A cyber weapon</a> &#8211; alexmcgeorge.wordpress.com<br />
At RSA 2012 Dave Aitel made a presentation wherein he defined cyber weapons a bit outside of how people normally think. The tried and true metaphor (which I admit to using) is that exploits or frameworks are like guns, and if they’re like guns then it’s easy to classify them as ‘cyber weapons’. There has been some recent criticism of this idea which I think is well deserved.
</li>
<li><a href="http://vrt-blog.snort.org/2012/04/adventures-in-domain-takedowns.html">Adventures in Domain Takedowns</a> &#8211; vrt-blog.snort.org<br />
I gave a presentation entitled &#8220;Adventures in Domain Takedowns&#8221; recently at the APCERT 2012 conference in Bali, Indonesia. The conference itself was excellent &#8211; plenty of good technical material and lots of useful contacts &#8211; and the location, of course, couldn&#8217;t have been better.
</li>
<li><a href="http://darthnull.org/2012/03/28/2012-verizon-dbir-cover-challenge/">2012 Verizon DBIR Cover Challenge</a> &#8211; darthnull.org<br />
Every year, the Verizon Business Risk Team publishes a Data Breach Investigations Report (DBIR), analyzing trends and other great statistical information gathered from working hundreds of different, well, data breaches.
</li>
<li><a href="http://jeremiahgrossman.blogspot.com/2012/04/written-speech-tedxmaui-hack-yourself.html">Written Speech: TEDxMaui &#8212; Hack Yourself First</a> &#8211; jeremiahgrossman.blogspot.com<br />
Earlier this year I was fortunate enough to give a presentation at TEDxMaui. Previously I discussed what getting the opportunity was like and the overall experience of being on stage &#8212; nothing short of amazing &#8212; life changing.
</li>
</ul>
<p><strong> Resources</strong></p>
<ul>
<li>Why Do Hackers Want Facebook Data</li>
<ul>
<li><a href="http://blog.imperva.com/2012/04/why-do-hackers-want-facebook-data-part-i-of-ii.html">Part I</a> &#8211; blog.imperva.com<br />
Late in 2011, Max Schrems asked Facebook for a profile the social networking company assembled based on his posts, likes and friends. Max received a 1200 page PDF file with lots of personal details.
</li>
<li><a href="http://blog.imperva.com/2012/04/why-do-hackers-want-facebook-data-part-ii-of-ii.html">Part II</a> &#8211; blog.imperva.com<br />
In the first of this two-part series, we showed how Facebook profile data is very attractive to different types of hackers. But how do hackers gain this information?
</li>
</ul>
<li><a href="http://www.darkoperator.com/blog/2012/4/9/introduction-to-microsoft-powershell-ndash-working-with-psdr.html">Introduction to Microsoft PowerShell – Working with PSDrives and Items</a> &#8211; darkoperator.com <br />
PowerShell provides many ways to work with files and with other sorts of structured data it treats as files. Typically, as shown before, we can use the same commands as in cmd.exe, but their parameters change; also, we can call many using the names of commands found in Unix-type systems. These are aliases for PowerShell cmdlets, so as to make the transition to PowerShell easier for administrators.
</li>
<li><a href="http://cintruder.sourceforge.net/">Captcha Intruder</a> &#8211; cintruder.sourceforge.net<br />
Captcha Intruder is an automatic pentesting tool to bypass captchas.
</li>
<li><a href="http://www.netspi.com/blog/2012/04/09/introduction-to-windows-dictionary-attacks/">Introduction to Windows Dictionary Attacks</a> &#8211; netspi.com<br />
Based on my experience, nine out of ten environments will have at least one account configured with a weak or default password. Those weak configurations usually lead to the compromise of the entire Windows Domain, so it is important to understand how to audit for them.
</li>
<li><a href="http://www.spylogic.net/2012/04/slides-from-my-5-lessons-learned-from-breaking-into-a-casino-webcast/">Slides from my “5 Lessons Learned From Breaking Into A Casino” Webcast</a> &#8211; spylogic.net<br />
For those of you that attended the webcast yesterday (and those who didn’t) I’ve uploaded my slides to my SlideShare page. Thanks to my co-presenters Richard Stiennon and Kevin Henry for presenting some great content with me! If you’re interested Richard has posted his slides to SlideShare as well.
</li>
<li><a href="https://www.cert.org/blogs/certcc/2012/04/vulnerability_severity_using_c.html">Vulnerability Severity Using CVSS</a> &#8211; cert.org<br />
If you analyze, manage, publish, or otherwise work with software vulnerabilities, hopefully you&#8217;ve come across the Common Vulnerability Scoring System (CVSS). I&#8217;m happy to announce that US-CERT Vulnerability Notes now provide CVSS metrics.
</li>
<li><a href="http://blog.zeltser.com/post/21059691914/social-engineering-attacks">Slides for Presentation on Real-World Social Engineering Attacks</a> &#8211; blog.zeltser.com<br />
I published the slides to my presentation “How attackers use social engineering to bypass your defenses,” which shows numerous examples of real-world social engineering examples.
</li>
<li><a href="http://em386.blogspot.com/2012/04/practical-malware-analysis-review.html">Practical Malware Analysis Review</a> &#8211; em386.blogspot.com<br />
I recently finished my review copy of &#8216;Practical Malware Analysis&#8217;. I enjoyed this book for a few reasons. Each chapter concludes with some simple questions/labs to test your knowledge and give you a chance at some hands on experience related to the content you just read.
</li>
<li><a href="http://leviathansecurity.com/blog/archives/17-Zero-Permission-Android-Applications.html">Zero-Permission Android Applications</a> &#8211; leviathansecurity.com<br />
There&#8217;s been a lot of research in the Android security space. The most notable examples are Jon Oberheide&#8217;s fake Twilight app, Georgia Weidman&#8217;s SMS bot, and the numerous clever root exploits. Recently in the mainstream media, there&#8217;s been buzz about apps (allegedly) misusing permissions; some of these apps include Facebook, Skype, Path, and just about every advertisement library.
</li>
<li><a href="http://magazine.hitb.org/issues/HITB-Ezine-Issue-008.pdf">HITB Magazine Issue 008</a> &#8211; magazine.hitb.org<br />
The HITB (aka Hack In The Box) Magazine is a deep-knowledge technical magazine. The quarterly magazine covers articles that are more technical or that discuss new and never-before-seen attack methods; these are of more interest than a subject that has been covered several times before.
</li>
<li><a href="http://phrack.org/issues.html?issue=68&amp;">Phrack Issues</a> &#8211; phrack.org<br />
Phrack Issues
</li>
<li><a href="http://recxltd.blogspot.co.uk/2012/04/microsoft-emet-in-enterprise.html">Microsoft EMET in The Enterprise</a> &#8211; recxltd.blogspot.co.uk<br />
It&#8217;s Friday, so it&#8217;s time to take a step back from the low-level and have another post on the practical steps organisations can take at little cost. Before we begin it&#8217;s probably useful to outline some of the realities of business when it comes to desktop and server security.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li>OWASP</li>
<ul>
<li><a href="http://owasp.blogspot.com/2012/04/owasp-zed-attack-proxy-zap-140a.html">OWASP Zed Attack Proxy (ZAP) 1.4.0</a> &#8211; owasp.blogspot.com<br />
I&#8217;m very pleased to announce that version 1.4.0 of the OWASP Zed Attack Proxy (ZAP) has now been released.
</li>
<li><a href="http://www.toolswatch.org/2012/04/owasp-joomscan-4-4-2012-now-scans-for-623-vulnerabilities/">OWASP Joomscan 4.4.2012 now scans for 623 vulnerabilities</a> &#8211; toolswatch.org<br />
OWASP Joomscan is a tool for testing vulnerabilities on websites that use ‘Joomla’. This application allows you to view or test the website for XSS attacks, SQL Injection, LFI, RFI, Bruteforce, etc.
</li>
</ul>
<li>Flashback Removal Tool</li>
<ul>
<li><a href="http://www.f-secure.com/weblog/archives/00002346.html">Flashback Removal Tool</a> &#8211; f-secure.com<br />
We have created a free tool that automates the detection and removal of the widespread Flashback Mac OS X malware.
</li>
<li><a href="http://www.h-online.com/security/news/item/Apple-releases-Java-update-with-Flashback-removal-tool-Update-1520431.html">Apple releases Java update with Flashback removal tool &#8211; Update</a> &#8211; h-online.com<br />
As expected, Apple has released an updated version of the Java implementation for its Mac OS X operating system that includes a removal tool for the Flashback trojan.
</li>
</ul>
<li><a href="http://code.google.com/p/ritx/">RitX Reverse IP Lookup Tool v1.5 released</a> &#8211; code.google.com<br />
RitX is a Reverse IP Lookup Tool that allows you to use an IP address or domain name to identify all domains currently hosted on a server, using multiple services and various techniques.<br />
RitX is a Perl script which uses multiple web services that provide this feature.
</li>
<li><a href="http://www.darknet.org.uk/2012/04/web-sorrow-remote-web-security-scanner-enumerationversion-detection-etc/">web-sorrow – Remote Web Security Scanner (Enumeration/Version Detection etc)</a> &#8211; darknet.org.uk<br />
web-sorrow is a PERL based tool used for checking a Web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework.
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="http://pentesterconfessions.blogspot.com/2012/04/mallory-mitm-proxy-as-wireless-access_08.html">Mallory MiTM Proxy as a Wireless Access Point (Part 2 of 2)</a> &#8211; pentesterconfessions.blogspot.com<br />
In Part 1 we got a Virtual Machine partially running as a wireless access point using VirtualBox, Ubuntu, hostapd, and an Alfa wifi card. In this post we will fully configure the AP and install/configure Mallory to MiTM anything that connects to the virtual Wireless Access Point.
</li>
<li><a href="http://blog.coresecurity.com/2012/04/10/applying-security-intelligence-to-patch-management-2/">Applying Security Intelligence to Patch Management</a> &#8211; blog.coresecurity.com<br />
Last week as Patch Tuesday (which was today) approached, I wondered about the efforts of admins everywhere to understand, test and then apply those patches that are applicable for their environment.
</li>
<li><a href="http://www.cio.com/article/703984/An_Ethical_Hacker_s_View_on_Mobile_Malware_and_How_to_Stop_it?">An Ethical Hacker&#8217;s View on Mobile Malware and How to Stop it</a> &#8211; cio.com<br />
As our mobile handsets become more than just a way to make and receive phone calls their appeal to criminals increases. Mobile malware, once theoretical, is now very much a reality and a growing threat.
</li>
<li><a href="http://krebsonsecurity.com/2012/04/how-to-find-and-remove-mac-flashback-infections/">How to Find and Remove Mac Flashback Infections</a> &#8211; krebsonsecurity.com<br />
A number of readers responded to the story I published last week on the Flashback Trojan, a contagion that was found to have infected more than 600,000 Mac OS X systems.
</li>
<li><a href="http://blog.stalkr.net/2012/04/pptp-vpn-and-policy-routing-on-user.html">PPTP VPN and policy routing on user</a> &#8211; blog.stalkr.net<br />
The first part of this post describes how to use PPTP VPN on Linux from the command line rather than a GUI. The second part, actually independent of VPN, describes how to set up policy routing for a user, in order to have all traffic from that user go through a specific interface (e.g. the VPN interface).
</li>
</ul>
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li>Microsoft Security Bulletin</li>
<ul>
<li><a href="http://technet.microsoft.com/en-gb/security/bulletin/ms11-100">Microsoft Security Bulletin MS11-100-Critical</a> &#8211; technet.microsoft.com<br />
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site.
</li>
<li><a href="http://blogs.technet.com/b/srd/archive/2012/04/10/assessing-risk-for-the-april-2012-security-updates.aspx">Assessing risk for the April 2012 security updates</a> &#8211; blogs.technet.com<br />
Today we released 6 security bulletins. Four have a maximum severity rating of Critical with the other two addressing Important class vulnerabilities. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
</li>
<li><a href="http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-027-enhanced-protections-regarding-activex-controls-in-microsoft-office-documents.aspx">MS12-027: Enhanced protections regarding ActiveX controls in Microsoft Office documents</a> &#8211; blogs.technet.com<br />
Security Update MS12-027 addresses a code execution vulnerability in MSCOMCTL.OCX, the Windows Common Controls ActiveX control. By default, this component is included with all 32-bit versions of Microsoft Office.
</li>
<li><a href="http://blogs.technet.com/b/srd/archive/2012/04/10/ms12-025-and-xbap-no-longer-a-driveby-threat.aspx">MS12-025 and XBAP: No longer a driveby threat</a> &#8211; blogs.technet.com<br />
One of the security bulletins released today, MS12-025, addresses a code execution vulnerability in the .NET Framework. To exploit the vulnerability, an attacker would build a malicious XBAP application and lure victims to a malicious website serving the XBAP.
</li>
</ul>
<li>SAMBA</li>
<ul>
<li><a href="http://isc.sans.edu/diary.html?storyid=12955">SAMBA &#8220;root&#8221; credential remote code execution</a> &#8211; isc.sans.edu<br />
Samba, &#8220;a Windows SMB/CIFS fileserver for UNIX&#8221;, seems to have a serious security vulnerability: Samba version 3.6.3 and all versions prior to it are affected by a vulnerability that allows remote code execution as the &#8220;root&#8221; user from an anonymous connection.
</li>
<li><a href="http://www.darkreading.com/vulnerability-management/167901026/security/application-security/232900170/linux-users-beware-patch-new-samba-flaw-immediately.html">Linux Users Beware: Patch New Samba Flaw &#8216;Immediately&#8217;</a> &#8211; darkreading.com<br />
A dangerous vulnerability in a pervasive tool for running Linux systems in a Windows environment leaves the door open for an attacker to access these systems without requiring any authentication.
</li>
<li><a href="http://www.h-online.com/security/news/item/Samba-fixes-critical-remote-code-execution-vulnerability-1518580.html">Samba fixes critical remote code execution vulnerability</a> &#8211; h-online.com<br />
The Samba developers have patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3, which was released in January.
</li>
</ul>
<li><a href="https://github.com/7a/owtf/tree/master/releases">OWTF 0.13 “HackPra” update</a> &#8211; github.com<br />
The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused attempt to unite great tools and make penetration testing more efficient. The purpose of this tool is to automate the manual, uncreative part of penetration testing.
</li>
<li><a href="http://code.google.com/p/theharvester/downloads/list">theHarvester 2.2 update</a> &#8211; code.google.com<br />
theHarvester is a tool for gathering emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the SHODAN computer database. This tool is intended to help penetration testers in the early stages of the project.
</li>
<li><a href="http://www.secmaniac.com/files/set.tar.gz">Social Engineer Toolkit 3.2.3 update</a> &#8211; secmaniac.com<br />
The Social Engineering Toolkit (SET) is an open source, python-driven, social-engineering penetration testing framework of custom tools which solely focuses on attacking the human element of penetration testing. It was designed in order to arm penetration testers and security researchers with the ability to effectively test heavily advanced social-engineering attacks armed with logical methods. SET leverages multiple attack vectors that take advantage of the human element of security in an effort to target attackers.
</li>
<li>OSX</li>
<ul>
<li><a href="http://www.symantec.com/connect/de/blogs/osxflashbackk-suffering-slashback-infections-down-270000">OSX.Flashback.K – Suffering a Slashback – Infections Down to 270,000</a> &#8211; symantec.com<br />
OSX.Flashback initially arrived on the scene in late 2011. It has come a long way from its humble beginnings as a social-engineering scam trying to pass off as a fake Flash update using digital certificates purporting to come from Apple. Flashback is now leveraging the latest Java vulnerability (BID 52161 &#8211; Oracle Java SE Remote Java Runtime Environment Denial Of Service Vulnerability ) in order to deliver its payload.
</li>
<li><a href="http://www.zdnet.com/blog/security/new-targeted-mac-os-x-trojan-requires-no-user-interaction/11545">New targeted Mac OS X Trojan requires no user interaction</a> &#8211; zdnet.com<br />
A new Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or OSX/Sabpab-A is also exploiting Java vulnerabilities in a way that requires no user interaction. It is being used in targeted attacks.
</li>
</ul>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li>Medicaid Hacked</li>
<ul>
<li><a href="http://www.zdnet.com/blog/security/medicaid-hacked-over-181000-records-and-25000-ssns-stolen/11432">Medicaid hacked: over 181,000 records and 25,000 SSNs stolen</a> &#8211; zdnet.com <br />
The Utah Department of Health has been hacked. 181,604 Medicaid/CHIP recipients have had their personal information stolen. 25,096 have had their Social Security numbers (SSNs) compromised.
</li>
<li><a href="http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444">Medicaid hack update: 500,000 records and 280,000 SSNs stolen</a> &#8211; zdnet.com <br />
The Utah Department of Health hack has grown once again, and the FBI is now involved. The latest total is 780,000 victims: 500,000 records and 280,000 Social Security numbers (SSNs) stolen.
</li>
</ul>
<li>Adobe, Microsoft Critical Updates</li>
<ul>
<li><a href="http://blog.acrossecurity.com/2012/04/adobe-reader-x-1012-msiexecexe-planting.html">Adobe Reader X (10.1.2) msiexec.exe Planting</a> &#8211; blog.acrossecurity.com<br />
Adobe today issued an update for Adobe Reader X (new version is 10.1.3), which, among other issues, fixes the outside-the-sandbox msiexec.exe EXE planting vulnerability (CVE-2012-0776) I roughly demonstrated during my RSA Conference US talk last month titled &#8220;Advanced (Persistent) Binary Planting.&#8221;
</li>
<li><a href="http://krebsonsecurity.com/2012/04/adobe-microsoft-issue-critical-updates/">Adobe, Microsoft Issue Critical Updates</a> &#8211; krebsonsecurity.com<br />
Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.
</li>
</ul>
<li><a href="http://www.bbc.com/news/technology-17623948">Warning over medical implant attacks</a> &#8211; bbc.com<br />
Many medical implants are vulnerable to attacks that could threaten their users&#8217; lives, according to studies.
</li>
<li><a href="http://krebsonsecurity.com/2012/04/fbi-smart-meter-hacks-likely-to-spread/">FBI: Smart Meter Hacks Likely to Spread</a> &#8211; krebsonsecurity.com <br />
A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity.
</li>
<li><a href="http://blogs.technet.com/b/mmpc/archive/2012/04/10/msrt-april-2012-win32-claretore.aspx">MSRT April 2012: Win32/Claretore</a> &#8211; blogs.technet.com<br />
We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool &#8211; Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.
</li>
<li><a href="http://www.computerworld.com/s/article/9226152/Weak_passwords_still_the_downfall_of_enterprise_security_">Weak passwords still the downfall of enterprise security</a> &#8211; computerworld.com<br />
A recent data breach that exposed the Social Security numbers of more than 255,000 people in Utah has once again highlighted the longstanding but often underestimated risks posed to organizations by weak and default passwords.
</li>
<li><a href="http://krebsonsecurity.com/2012/04/thieves-replacing-money-mules-with-prepaid-cards/">Thieves Replacing Money Mules With Prepaid Cards?</a> &#8211; krebsonsecurity.com<br />
Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li>CISPA</li>
<ul>
<li><a href="http://yro.slashdot.org/story/12/04/10/2216213/why-cispa-is-a-really-bad-bill?">Why CISPA Is a Really Bad Bill</a> &#8211; yro.slashdot.org<br />
We&#8217;ve heard recently of CISPA, the Cyber Intelligence Sharing and Protection Act, a bill currently making its way through Congress that many are calling the latest incarnation of SOPA. Reader SolKeshNaranek points out an article at Techdirt explaining exactly why this bill is bad, and how its backers are trying to deflect criticism by using language that&#8217;s different and rather vague.
</li>
<li><a href="http://gigaom.com/2012/04/11/cispa-isnt-sopa-but-it-isnt-ideal-and-it-might-become-law/">It’s imperfect, but CISPA isn’t the devil in disguise</a> &#8211; gigaom.com<br />
CISPA still needs work to clear up what, exactly, it allows for, but strong congressional and industry support might make it a lot harder to stop than was the Stop Online Piracy Act of 2011, or SOPA, that created an online firestorm earlier this year.
</li>
</ul>
<li><a href="http://isc.sans.edu/diary.html?storyid=12934">Not Your Parent&#8217;s Wireless Threat</a> &#8211; isc.sans.edu<br />
Back in the good old days, wireless threats could be summarized as &#8220;secure your 802.11x access point by picking a strong passphrase and do not connect to evil unknown access points&#8221;.
</li>
<li><a href="http://threatpost.com/en_us/blogs/navy-hires-contractor-data-mine-gaming-consoles-040912">Navy Hires Contractor to Data-Mine Gaming Consoles</a> &#8211; threatpost.com<br />
The U.S. Navy recently hired an outside contractor, Obscure Technologies, to develop computer forensics tools capable of analyzing network traffic and stored data on gaming consoles.
</li>
<li><a href="http://threatpost.com/en_us/blogs/java-osx-and-cross-platform-nightmare-040912">Java: The OSX and Cross-Platform Nightmare</a> &#8211; threatpost.com<br />
For a few days now I&#8217;ve been asking myself the following question: Which is more important: The fact we had a 500k-strong OSX botnet fly under the radar or the culprit that enabled the malware to infect so many machines?
</li>
<li><a href="http://techcrunch.com/2012/04/09/marriott-puts-an-end-to-shady-ad-injection-service/">Marriott Puts An End To Shady Ad Injection Service</a> &#8211; techcrunch.com<br />
Late last week, one Justin Watt discovered something suspicious going on with the Wi-Fi at his hotel, the Times Square Marriott.
</li>
<li><a href="http://www.wired.com/threatlevel/2012/04/computer-fraud-and-abuse-act/">Court Rebukes DOJ, Says Hacking Required to be Prosecuted as Hacker</a> &#8211; wired.com<br />
Employees may not be prosecuted under a federal anti-hacking statute for simply violating their employer’s computer use policy, a federal appeals court ruled Tuesday, dealing a blow to the Obama administration’s Justice Department, which is trying to use the same theory to prosecute alleged WikiLeaks leaker Bradley Manning.
</li>
<li><a href="http://threatpost.com/en_us/blogs/no-permissions-android-application-can-harvest-export-device-data-041012">No Permissions Android Application Can Harvest, Export Device Data</a> &#8211; threatpost.com<br />
The term &#8220;permissions&#8221; may be a relative one for Google&#8217;s Android operating system, which grants applications with no permissions access to a wide range of user and device data, according to research from the company Leviathan Security Group.
</li>
<li><a href="http://www.forbes.com/sites/andygreenberg/2012/04/09/apple-snubs-firm-who-discovered-mac-botnet-tries-to-cut-off-its-server-monitoring-infections/">Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections</a> &#8211; forbes.com<br />
Until it was revealed last week that more than half a million Macs were infected with Flashback malware, Apple had little experience working with the community of security researchers who aim to dissect and shut down botnets.
</li>
<li><a href="http://www.techdirt.com/articles/20120404/17441818377/final-stats-heartland-payment-systems-class-action-1925-to-11-people-600k-to-lawyers.shtml">Final Stats On Heartland Payment Systems Class Action: $1,925 To 11 People, $600k To Lawyers</a> &#8211; techdirt.com<br />
We&#8217;ve been discussing for years just how broken the &#8220;class action&#8221; lawsuit system is in the US. The idea behind it sounds like it makes sense: if a company wrongs a bunch of people, the ability to bundle them all into a class, and get recompense via a single lawsuit seems like a good idea.
</li>
<li><a href="http://www.bloomberg.com/news/2012-04-08/american-universities-infected-by-foreign-spies-detected-by-fbi.html">American Universities Infected by Foreign Spies Detected by FBI</a> &#8211; bloomberg.com<br />
The CIA couldn’t confirm that the company wasn’t an arm of Iran’s government. Simon rejected the offer and shut down undergraduate programs in Dubai, at a loss of $3.7 million.
</li>
<li><a href="http://www.wired.com/threatlevel/2012/04/code-not-physical-property/">Code Not Physical Property, Court Rules in Goldman Sachs Espionage Case</a> &#8211; wired.com<br />
Former Goldman Sachs programmer Sergey Aleynikov, who downloaded source code for the investment firm’s high-speed trading system from the company’s computers, was wrongly charged with theft of property because the code did not qualify as a physical object under a federal theft statute, according to a court opinion published Wednesday.
</li>
<li><a href="http://gizmodo.com/5901263/court-rules-it-is-impossible-to-steal-computer-code">Appeals Court Rules Computer Code Is Not &#8220;Property&#8221; and Can’t Be Stolen</a> &#8211; gizmodo.com<br />
Sergey Aleynikov, an ex-Goldman-Sachs programmer, spent a year in prison for downloading source code of the firm&#8217;s high-speed trading software before his sentence was overturned in February.
</li>
<li><a href="http://gizmodo.com/5901339/its-not-a-crime-to-break-a-terms-of-service-agreement-so-keep-on-not-reading-them">It’s Not a Crime to Break a Terms of Service Agreement (So It’s Okay to Never Read Them)</a> &#8211; gizmodo.com<br />
The ruling that breaking a user agreement was totally okay and not a crime was made in the case of US vs Nosal.
</li>
<li><a href="http://www.readwriteweb.com/enterprise/2012/04/former-dhs-cyber-chief-cyberse.php">Cybersecurity Is About Risk, Not War, Says Former DHS Cyber Chief</a> &#8211; readwriteweb.com<br />
The word The Wall Street Journal used in its headline was &#8220;war,&#8221; which always gets people&#8217;s attention. In a March 28th story headlined, &#8220;U.S. Outgunned in Hacker War,&#8221; outgoing FBI Executive Assistant Director Shawn Henry was quoted as saying, with respect to the ongoing battle against cyber threats, &#8220;We&#8217;re not winning.&#8221; As the story made its rounds through the Web, &#8220;not winning&#8221; quickly became &#8220;losing.&#8221;
</li>
<li><a href="http://www.darkreading.com/insider-threat/167801100/security/security-management/232900252/biggest-threats-come-from-inside-the-enterprise-survey-says.html">Biggest Threats Come From Inside The Enterprise, Survey Says</a> &#8211; darkreading.com<br />
Security pros are more worried about the lack of visibility into their networks and about insider threats than they are about being hacked by outsiders, according to a new survey.
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/04/16/week-15-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Week 14 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/04/09/week-14-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/04/09/week-14-in-review-2012/#comments</comments>
		<pubDate>Mon, 09 Apr 2012 12:15:56 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[AppSec]]></category>
		<category><![CDATA[AthCon 2011]]></category>
		<category><![CDATA[CanSecWest]]></category>
		<category><![CDATA[CanSecWest 2012]]></category>
		<category><![CDATA[infosec southwest 2012]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2283</guid>
		<description><![CDATA[Event Related AppSecDC AppSecDC Recap: Old Webshells, New Tricks &#8211; novainfosecportal.com Back in the day web shells were all the rage so I was curious what “new” was happening in this area. Ryan Kazanciyan started off with a summary of some of the more poplar web shells he’s seen in the past several years. AppSecDC [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li>AppSecDC</li>
<ul>
<li><a href="http://www.novainfosecportal.com/2012/04/04/appsecdc-recap-old-webshells-new-tricks/">AppSecDC Recap: Old Webshells, New Tricks</a> &#8211; novainfosecportal.com<br />
Back in the day web shells were all the rage, so I was curious what “new” was happening in this area. Ryan Kazanciyan started off with a summary of some of the more popular web shells he’s seen in the past several years.
</li>
<li><a href="http://www.novainfosecportal.com/2012/04/04/appsecdc-recap-python-for-web-security/">AppSecDC Recap: Python Basics for Web App Pentesters</a> &#8211; novainfosecportal.com<br />
I had the opportunity to attend the “Python Basics for Web App Pentesters – Part 2” by Justin Searle. Being someone that hasn’t programmed for a good number of years, this Python talk really appealed to me.
</li>
<li><a href="http://www.novainfosecportal.com/2012/04/05/appsecdc-recap-sharepoint-security-101/">AppSecDC Recap: SharePoint Security 101</a> &#8211; novainfosecportal.com<br />
I’ve written about SharePoint security before and my opinion was that it’s getting much better however they have a lot of insecure stigma to shake off. Additionally, securing it can be done however it may become very cumbersome to manage in large environments.
</li>
</ul>
<li><a href="https://www.korelogic.com/InfoSecSouthwest2012_Ripe_Hashes.html">InfoSec Southwest 2012 Ripe Hashes</a> &#8211; korelogic.com<br />
As part of a recent presentation for the InfoSec Southwest conference (http://www.infosecsouthwest.com/), KoreLogic scoured the Internet looking for MD5 and SHA1 password hashes.
</li>
<li><a href="http://cansecwest.com/csw12archive.html">CanSecWest Applied Security Conference: Vancouver, British Columbia, Canada</a> &#8211; cansecwest.com<br />
Best security conference for technical people
</li>
<li><a href="https://www.youtube.com/watch?v=ae43yeNAWO4">[AthCon 2011] Network Exploitation with Ncrack &#8211; It&#8217;s not about plain brute-forcing anymore</a> &#8211; youtube.com<br />
Video for Network Exploitation with Ncrack with the speaker Fotis Hantzis
</li>
<li><a href="http://www.spylogic.net/2012/04/smart-bombs-mobile-vulnerability-and-exploitation-presentation/">Smart Bombs: Mobile Vulnerability and Exploitation Presentation</a> &#8211; spylogic.net<br />
This week I co-presented “Smart Bombs: Mobile Vulnerability and Exploitation” with John Sawyer and Kevin Johnson at OWASP AppSec DC.
</li>
</ul>
<p><strong> Resources</strong></p>
<ul>
<li><a href="http://www.sensepost.com/blog/6815.html">Towards Firmware Analysis</a> &#8211; sensepost.com<br />
While I was evaluating a research idea about a SCADA network router during the past week, I used available tools and resources on the Internet to unpack the device firmware and search for interesting components.
</li>
<li><a href="http://exploit-exercises.com/fusion">Fusion: Advancing exploit mechanisms</a> &#8211; exploit-exercises.com<br />
Fusion is the next step from the protostar setup, and covers more advanced styles of exploitation, and covers a variety of anti-exploitation mechanisms.
</li>
<li><a href="http://www.blackhatacademy.org/security101/Ascii_shellcode">Ascii shellcode &#8211; Security101</a> &#8211; blackhatacademy.org<br />
Printable ascii shellcode is used to evade sanitizing on the network and software layers during buffer overflow exploitation.
</li>
<li><a href="http://blog.whitehatsec.com/x-frame-options/">X-Frame-Options</a> &#8211; blog.whitehatsec.com<br />
What is it and why should I care? X-Frame-Options (moving towards just Frame-Options in a draft spec – dropping the X-) is a new technology that allows an application to specify whether or not specific pages of the site can be framed. This is meant to help prevent the clickjacking problem.
</li>
<li><a href="http://blog.c22.cc/2012/04/07/getting-your-message-across-screenshots/">Getting your message across: Screenshots</a> &#8211; blog.c22.cc<br />
Since I’ve finally started doing something with pentestreports.com I thought it was time to write-up some interesting content. Seeing as this one has been bugging me for a while, I thought it would make an interesting starting point. As always, comments are welcomed and encouraged!
</li>
<li><a href="http://diniscruz.blogspot.com/2012/04/great-description-of-why-owasp-summits.html">Dinis Cruz blog: Great description of why OWASP Summits are special</a> &#8211; diniscruz.blogspot.com<br />
Abe (on the owasp-leaders list) just posted the text below in response to my Summits must be part of OWASP&#8217;s DNA reply and it provides one of the best descriptions of what makes Owasp Summit&#8217;s special and worthwhile doing.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li><a href="http://blog.spiderlabs.com/2012/03/modsecurity-advanced-topic-of-the-week-automated-virtual-patching-using-owasp-zed-attack-proxy.html">ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy</a> &#8211; blog.spiderlabs.com<br />
The SpiderLabs Research Team has added an example script to the OWASP ModSecurity Core Rule Set (CRS) Project archive that will help users to quickly implement virtual patches for vulnerabilities identified by an open source web vulnerability scanning tool.
</li>
<li><a href="http://www.darknet.org.uk/2012/04/goodork-command-line-google-dorkinghacking-tool/">GooDork – Command Line Google Dorking/Hacking Tool</a> &#8211; darknet.org.uk<br />
GooDork is a simple python script designed to allow you to leverage the power of Google Dorking straight from the comfort of your command line. There was a GUI tool we discussed a while back similar to this – Goolag – GUI Tool for Google Hacking.
</li>
<li><a href="http://www.foofus.net/?p=534">Medusa 2.1 Release</a> &#8211; foofus.net<br />
What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net.
</li>
<li><a href="http://code.google.com/p/enema/downloads/list">Enema is a Powerful Tool for SQL Injection</a> &#8211; pentestit.com<br />
Enema is not autohacking software. This is a dynamic tool for people who know what to do. Old database versions (e.g. MySQL 4.x) are not supported; development targets modern versions.
</li>
<li><a href="http://www.h-online.com/security/news/item/Adobe-open-sources-Malware-Classifier-tool-1500289.html">Adobe open sources Malware Classifier tool</a> &#8211; h-online.com<br />
Adobe has open sourced a tool for analysing and classifying malware to help security first responders, including malware analysts and security researchers. Called &#8220;Adobe Malware Classifier&#8221;, the command-line tool is written in Python and was originally created for internal use by the Adobe Product Security Incident Response Team (PSIRT) &#8220;for quick malware triage&#8221;.
</li>
<li><a href="http://blog.imperva.com/2012/04/dissecting-the-sql-injection-tools-used-by-hackers.html">Dissecting the SQL Injection Tools Used By Hackers</a> &#8211; blog.imperva.com<br />
Recently, during a presentation to a group of security professionals, an impromptu poll was taken asking attendees whether they were familiar with Havij, a SQL injection tool used heavily in the hacking community.
</li>
<li><a href="http://news.cnet.com/8301-27076_3-57410654-248/web-tool-checks-if-your-mac-is-flashback-free/">Web tool checks if your Mac is Flashback-free</a> &#8211; cnet.com<br />
Have you been put off by the work required to find out if your machine is one of the unlucky ones infected with the Trojan? There&#8217;s a new Web app that will check your Mac.
</li>
<li><a href="https://github.com/ohdae/Intersect-2.5/downloads">Intersect version 2.5 update</a> &#8211; github.com<br />
Intersect is a post-exploitation framework written in Python. The main goal of this project is to assist penetration testers in the automation of many post exploitation and data exfiltration tasks that they would otherwise perform manually. With the Intersect framework, users can easily build their own customised scripts from the pre-built templates and modules that are provided or they can write their own modules to add additional or specialised functionality. As of the time of writing, there are almost 30 separate modules to choose from and more are added almost daily.
</li>
<li><a href="http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/downloads/">Mercury: An Open Source Android Assessment Framework!</a> &#8211; labs.mwrinfosecurity.com<br />
Mercury is a framework that provides interactive tools that allow for dynamic interactions with the target applications running on a device.
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/">windows privilege escalation via weak service permissions</a> &#8211; travisaltman.com<br />
When performing security testing on a Windows environment, or any environment for that matter, one of the things you’ll need to check is if you can escalate your privileges from a low privilege user to a high privileged user.
</li>
<li><a href="http://dvlabs.tippingpoint.com/blog/2012/04/02/mindshare-vtrace-input-tracking">Another Approach To Tracking ReadFile</a> &#8211; dvlabs.tippingpoint.com<br />
We often receive fuzzed file submissions, which at times can be agonizing to analyze. Tools help a lot here, as we have shown in previous posts, such as with Peter&#8217;s awesome write up on hooking ReadFile and MapViewOfFile.
</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li>Apple Mac</li>
<ul>
<li><a href="http://www.computerworld.com/s/article/9225837/Apple_patches_Mac_Java_zero_day_bug">Apple patches Mac Java zero-day bug &#8211; Computerworld</a> &#8211; computerworld.com<br />
Apple yesterday released a Java update for Mac owners that fixes a dozen security flaws, including one that has been exploited by attackers for at least two weeks.
</li>
<li><a href="https://www.f-secure.com/weblog/archives/00002341.html">Mac Flashback Exploiting Unpatched Java Vulnerability</a> &#8211; f-secure.com<br />
A new Flashback variant (Mac malware) has been spotted exploiting CVE-2012-0507 (a Java vulnerability). We&#8217;ve been anticipating something like this for a while now.
</li>
<li><a href="http://news.cnet.com/8301-1009_3-57409619-83/more-than-600000-macs-infected-with-flashback-botnet/">More than 600,000 Macs infected with Flashback botnet</a> &#8211; news.cnet.com<br />
Russian antivirus company says half the computers infected with malware designed to steal personal information are in the U.S. &#8212; with 274 located in Cupertino.
</li>
<li><a href="http://lifehacker.com/5899416/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected">Mac Flashback Trojan: Find Out If You’re One of the 600,000 Infected</a> &#8211; lifehacker.com<br />
There&#8217;s a new Mac trojan that&#8217;s been floating around, and it&#8217;s terrifying everyone.
</li>
<li><a href="http://nakedsecurity.sophos.com/2012/04/05/mac-botnets-gaining-traction-using-drive-by-java-exploit/">600,000+ Macs are in this botnet, including 274 in Cupertino</a> &#8211; nakedsecurity.sophos.com<br />
For the second time in a year there appears to be widespread malware infections affecting users of Apple&#8217;s OS X operating system.
</li>
<li><a href="http://news.cnet.com/8301-13579_3-57410476-37/apples-security-code-of-silence-a-big-problem/">Apple&#8217;s security code of silence: A big problem</a> &#8211; news.cnet.com<br />
Security industry insiders have long known the Mac platform has its holes. The Flashback Trojan is the first in-the-wild issue that&#8217;s confirmed this, and big-time. More will follow unless Apple steps up its game.
</li>
<li><a href="http://news.cnet.com/8301-1009_3-57410702-83/flashback-the-largest-mac-malware-threat-yet-experts-say/">Flashback the largest Mac malware threat yet, experts say | Security &#8211; CNET News</a> &#8211; cnet.com<br />
Congratulations, Apple. The Mac is now popular enough to attract major attention from the bad guys.
</li>
</ul>
<li>Credit Card Hacks</li>
<ul>
<li><a href="http://news.cnet.com/8301-1009_3-57407832-83/up-to-1.5m-credit-card-numbers-stolen-from-global-payments/">Up to 1.5M credit card numbers stolen from Global Payments</a> &#8211; news.cnet.com<br />
Payments processor believes no names, addresses, or Social Security numbers were stolen in the security breach.
</li>
<li><a href="http://www.zdnet.com/blog/security/hackers-can-steal-credit-card-data-from-used-xbox-360s/11240">Hackers can steal credit card data from used Xbox 360s</a> &#8211; zdnet.com<br />
Security researchers at Drexel University and Dakota State University say they can extract credit card information from Microsoft Xbox 360s even after they have been restored to factory settings.
</li>
<li><a href="http://krebsonsecurity.com/2012/04/global-payments-1-5mm-cards-exported/">Global Payments: 1.5MM Cards Exported</a> &#8211; krebsonsecurity.com<br />
Global Payments, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts.
</li>
</ul>
<li>Malware</li>
<ul>
<li><a href="http://www.darkreading.com/security/vulnerabilities/232800160/most-popular-internet-sites-consistently-serving-up-malware.html">Most Popular Internet Sites Consistently Serving Up Malware</a> &#8211; darkreading.com<br />
According to a new malware report issued last week by Barracuda Labs, 58 of the sites listed among Alexa&#8217;s top 25,000 most popular websites are delivering drive-by downloads of malicious code, potentially affecting millions of users each day.
</li>
<li><a href="http://threatpost.com/en_us/blogs/no-user-no-problem-new-android-malware-variant-can-remotely-root-phone-040412">New Android Malware Variant Can Remotely Root Phone</a> &#8211; threatpost.com<br />
A new version of Android malware has been tweaked so it doesn’t require user interaction for an attacker to own the device, according to research published by Lookout Mobile Security yesterday.
</li>
</ul>
<li>SQL Injection</li>
<ul>
<li><a href="http://resources.infosecinstitute.com/sql-injection-http-headers/">SQL Injection through HTTP Headers</a> &#8211; resources.infosecinstitute.com<br />
During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique inputs vectors ever.
</li>
<li><a href="http://www.darkreading.com/database-security/167901020/security/news/232800323/sql-injection-still-slams-smbs.html">SQL Injection Still Slams SMBs</a> &#8211; darkreading.com<br />
In spite of recent data from some firms showing the decline of SQL injection attacks as compared with other cybercrime methods, a new survey released this week shows that among SMBs concerned about database security, thwarting SQL injection attacks remains their highest priority.
</li>
</ul>
<li>Mozilla</li>
<ul>
<li><a href="https://threatpost.com/en_us/blogs/mozilla-adds-older-java-versions-firefox-blocklist-040312">Mozilla Adds Older Java Versions to Firefox Blocklist</a> &#8211; threatpost.com<br />
Mozilla has added Java to the blocklist of malicious apps in the Firefox browser because older versions of it are being exploited in attacks.
</li>
<li><a href="http://blog.mozilla.com/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/">Why an outdated Java Plugin is so serious</a> &#8211; blog.mozilla.com<br />
Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically.
</li>
</ul>
<li><a href="http://www.zdnet.com/blog/security/microsoft-readies-patch-for-gaping-ie-browser-security-holes/11366">Microsoft readies patch for gaping IE browser security holes</a> &#8211; zdnet.com<br />
In all, Microsoft will release 6 bulletins this month to address at least 11 documented vulnerabilities in several software products.
</li>
<li><a href="http://www.bbc.co.uk/news/technology-17544311">Pastebin to hire staff to tackle hackers&#8217; &#8216;sensitive&#8217; posts</a> &#8211; bbc.co.uk<br />
The owner of Pastebin.com says he plans to hire more staff to help police &#8220;sensitive information&#8221; posted to the site.
</li>
<li><a href="http://www.techdirt.com/articles/20120402/04425118325/forget-sopa-you-should-be-worried-about-this-cybersecurity-bill.shtml">Forget SOPA, You Should Be Worried About This Cybersecurity Bill</a> &#8211; techdirt.com<br />
While most folks are looking elsewhere, it appears that Congress is trying to see if it can sneak an absolutely awful &#8220;cybersecurity&#8221; bill through Congress.
</li>
<li><a href="http://threatpost.com/en_us/blogs/arms-race-zero-days-spells-trouble-privacy-public-safety-040312">Arms Race In Zero Days Spells Trouble For Privacy, Public Safety</a> &#8211; threatpost.com<br />
This is the second of a two-part podcast with independent security researcher Chris Soghoian.
</li>
<li><a href="http://justinsomnia.org/2012/04/hotel-wifi-javascript-injection/">Hotel Wifi JavaScript Injection</a> &#8211; justinsomnia.org<br />
I probably wouldn’t have thought much of it, except my blog had recently been hacked (someone had gained elevated access to my web hosting account and prepended every single PHP file with a base64 encoded rootkit), so I immediately decided to view the source.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li>Hacking in China</li>
<ul>
<li><a href="http://news.cnet.com/8301-1009_3-57409599-83/anonymous-hacks-hundreds-of-web-sites-in-china/">Anonymous hacks hundreds of Web sites in China</a> &#8211; news.cnet.com<br />
The online hacktivist group defaces government and commercial sites with a message predicting the downfall of the Chinese government, although no central government sites appear to have been compromised.
</li>
<li><a href="http://www.zdnet.com/blog/security/hacker-steals-chinese-government-defense-contracts/11386">Hacker steals Chinese government defense contracts</a> &#8211; zdnet.com<br />
Hacktivist Hardcore Charlie says he has hacked China National Import &amp; Export Corp (CEIC), a Chinese government defense contractor, and stolen over 500MB worth of documents.
</li>
</ul>
<li><a href="http://domainincite.com/massive-firewall-vendor-lets-domain-expire/">Massive firewall vendor lets domain expire</a> &#8211; domainincite.com<br />
Check Point Software, one of the world’s leading firewall vendors, forgot to renew its main domain name and it wound up parked by its registrar over the weekend.
</li>
<li><a href="http://threatpost.com/en_us/blogs/cabincr3w-hacker-arrested-fbi-040412">CabinCr3w Hacker Arrested by FBI</a> &#8211; threatpost.com<br />
Federal authorities have arrested a Texas man accused of working for the hacking group CabinCr3w, a group that once targeted Goldman Sachs CEO Lloyd Blankfein.
</li>
<li><a href="http://www.zdnet.com/blog/security/hacker-jailed-for-stealing-8-million-identities/11318">Hacker jailed for stealing 8 million identities</a> &#8211; zdnet.com<br />
A British hacker has been sentenced to 26 months for stealing 200,000 PayPal accounts, 2,701 bank card numbers, as well as 8,110,474 names, dates of birth, and postcodes of U.K. residents.
</li>
<li><a href="http://www.wired.com/threatlevel/2012/04/exploit-for-quantum-plc/">Researchers Release New Exploits to Hijack Critical Infrastructure</a> &#8211; wired.com<br />
Researchers have released two new exploits that attack common design vulnerabilities in a computer component used to control critical infrastructure, such as refineries and factories.
</li>
<li><a href="http://www.zdnet.com/blog/security/us-government-hires-company-to-hack-into-video-game-consoles/11395">US government hires company to hack into video game consoles </a> &#8211; zdnet.com<br />
The U.S. Navy is paying a company six figures to hack into used video game consoles and extract sensitive information. The tasks to be completed are for both offline and online data.
</li>
<li><a href="http://www.wired.com/threatlevel/2012/04/hacking-tools/">Watch Out, White Hats! European Union Moves to Criminalize &#8216;Hacking Tools&#8217;</a> &#8211; wired.com<br />
The European Union is continuing a push to criminalize the production or sale of “hacking” tools, a move that civil liberties advocates argue could make criminals out of legitimate security researchers.
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/04/09/week-14-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Week 13 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/04/02/week-13-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/04/02/week-13-in-review-2012/#comments</comments>
		<pubDate>Mon, 02 Apr 2012 10:59:28 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Hacking Contests]]></category>
		<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Hacker Con]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[OWTF]]></category>
		<category><![CDATA[pwn2own]]></category>
		<category><![CDATA[Skipfish]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2275</guid>
		<description><![CDATA[Event Related Pwn2Own Lesson From Pwn2Own: Focus On Exploitability &#8211; darkreading.com The Pwn2Own contest earlier this month at the CanSecWest Conference showed off the speed with which knowledgeable security professionals can code exploits for known vulnerabilities. On the failings of Pwn2Own 2012 &#8211; scarybeastsecurity.blogspot.com This year&#8217;s Pwn2Own and Pwnium contests were interesting for many reasons. [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li>Pwn2Own</li>
<ul>
<li><a href="http://www.darkreading.com/vulnerability-management/167901026/security/client-security/232800006/lesson-from-pwn2own-focus-on-exploitability.html">Lesson From Pwn2Own: Focus On Exploitability</a> &#8211; darkreading.com
<p>The Pwn2Own contest earlier this month at the CanSecWest Conference showed off the speed with which knowledgeable security professionals can code exploits for known vulnerabilities.
</li>
<li><a href="http://scarybeastsecurity.blogspot.com/2012/03/on-failings-of-pwn2own-2012.html">On the failings of Pwn2Own 2012</a> &#8211; scarybeastsecurity.blogspot.com
<p>This year&#8217;s Pwn2Own and Pwnium contests were interesting for many reasons. If you look at the results closely, there are many interesting observations and conclusions to be made.
</li>
</ul>
<li><a href="http://www.irongeek.com/i.php?page=videos%2Fouterz0ne-2011-hacker-con">Outerz0ne 2011 Hacker Con (Hacking Illustrated Series InfoSec Tutorial Videos)</a> &#8211; irongeek.com
<p>The following are videos of the presentations from the Outerzone 2011 hacker conference. Thanks to Skydog, Robin, Scott, SomeNinjaMaster and the Hacker Consortium crew for the con. Also thanks to Seeblind and others for doing AV. I&#8217;m looking forward to Skydogcon and working with the guys again at Derbycon.
</li>
</ul>
<p><strong> Resources</strong></p>
<ul>
<li><a href="http://blog.opensecurityresearch.com/2012/03/sqlitespy-for-sqlite-database-analysis.html">sqlitespy for Sqlite Database Analysis</a> &#8211; blog.opensecurityresearch.com
<p>Sqlite is the ubiquitous database for iPad, iPhone and Android applications. It is also used by certain internet browsers, web application frameworks, and software products for their local storage needs. While doing penetration tests, we often see sensitive information like usernames, passwords, account numbers, SSN etc… insecurely stored in these databases. Thus, every penetration test requires comprehensive analysis of the local databases being used.
</li>
<li><a href="http://www.securelist.com/en/blog/208193425/The_mystery_of_Duqu_Part_Ten">The mystery of Duqu: Part Ten</a> &#8211; securelist.com
<p>There were virtually no traces of Duqu since then. But several days ago our colleagues in Symantec announced that they found a new &#8220;in-the-wild&#8221; driver that is very similar to known Duqu drivers. Previous modifications of Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.
</li>
<li><a href="http://www.darkoperator.com/blog/2012/3/29/introduction-to-microsoft-powershellndash-basics-of-running.html">Introduction to Microsoft PowerShell &#8211; Basics of Running Cmdlets</a> &#8211; darkoperator.com
<p>You will notice that for the PowerShell commands I use the word Cmdlet; that is how Microsoft calls and spells the word. In a PowerShell shell you can execute regular Windows commands in addition to the cmdlets, and most work without any problem. Some may experience problems depending on the parameters used, since PowerShell uses space as a delimiter, so do keep this in mind when you are running local exe files.
</li>
<li><a href="http://resources.infosecinstitute.com/skipfish-vulnerability-scanner/">Skipfish Web Vulnerability Scanner</a> &#8211; resources.infosecinstitute.com
<p>Web application security is a serious and an important topic to discuss nowadays, since hacking attacks are common. There are hundreds and thousands of tutorials available on blogs and forums that can help an attacker hack into a web application.
</li>
<li><a href="http://www.foofus.net/~percX/praeda/praeda.tgz">Praeda version 0.02.0b is now available for download</a> &#8211; foofus.net
<p>Updated release of Praeda 0.02.0b can be downloaded from HERE. This release contains a few new modules and an update to the dispatcher, allowing NMAP .gnmap as target input.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li>OWASP Zaproxy</li>
<ul>
<li><a href="http://code.google.com/p/zaproxy/downloads/list">ZAProxy 1.4.alpha.1 update</a> &#8211; code.google.com
<p>“The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. ZAProxy provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.”
</li>
<li><a href="http://code.google.com/p/zaproxy">OWASP Zaproxy v.1.3.4 released</a> &#8211; code.google.com
<p>It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
</li>
</ul>
<li><a href="https://github.com/7a/owtf/tree/master/releases">OWTF 0.13 &#8220;Trooper&#8221; update</a> &#8211; github.com
<p>The Offensive (Web, etc) Testing Framework (aka OWTF) is an OWASP+PTES-focused try to unite great tools and make penetration testing more efficient. The purpose of this tool is to automate the manual, uncreative part of penetration testing.
</li>
<li><a href="http://www.hackfromacave.com/projects/spooftooph.html">Spooftooph v0.5 Spoofing Bluetooth</a> &#8211; hackfromacave.com
<p>Spooftooph is designed to automate spoofing or cloning Bluetooth device Name, Class, and Address. Cloning this information effectively allows a Bluetooth device to hide in plain sight. Bluetooth scanning software will only list one of the devices if more than one device in range shares the same device information when the devices are in Discoverable Mode (specifically the same Address).
</li>
<li><a href="http://www.wireshark.org/download.html">Wireshark v1.6.6 Released</a> &#8211; wireshark.org
<p>Wireshark is the world’s foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto (and often de jure) standard across many industries and educational institutions.
</li>
<li><a href="http://www.security-projects.com/?SSLCop:Download">SSLCop v1.0 Blocking CAs Released</a> &#8211; security-projects.com
<p>SSLCop is a hardening tool that can block those CAs you don’t need, based on their geographical provenance. You can disable CAs sorted by country and leave only those which make sense to you.
</li>
<li><a href="http://code.google.com/p/kautilya/downloads/list">Kautilya v0.2.0 payloads for Teensy Released</a> &#8211; code.google.com
<p>Kautilya is a toolkit which provides various payloads for the Teensy device which may help in breaking into a computer. The toolkit is written in Ruby and currently contains all Windows payloads, written mostly in PowerShell.
</li>
<li><a href="https://github.com/ilektrojohn/creepy">Creepy version 0.2</a> &#8211; github.com
<p>Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.
</li>
<li><a href="http://owasp.blogspot.com/2012/03/owasp-webgoat-12.html">OWASP WebGoat 1.2</a> &#8211; owasp.blogspot.com
<p>FYI, we released iGoat version 1.2 today. The primary change over 1.1 is the addition of a new keychain exercise, contributed by a newcomer to the team, Mansi Sheth.
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li>iPhone</li>
<ul>
<li><a href="http://www.forbes.com/sites/andygreenberg/2012/03/27/heres-how-law-enforcement-cracks-your-iphones-security-code-video/">Here&#8217;s How Law Enforcement Cracks Your iPhone&#8217;s Security Code (Video)</a> &#8211; forbes.com
<p>Set your iPhone to require a four-digit passcode, and it may keep your private information safe from the prying eyes of the taxi driver whose cab you forget it in. But if law enforcement is determined to see the data you’ve stored on your smartphone, those four digits will slow down the process of accessing it by less than two minutes.
</li>
<li><a href="http://news.cnet.com/8301-1023_3-57405580-93/iphone-passcode-cracking-is-easier-than-you-think/">iPhone passcode cracking is easier than you think</a> &#8211; cnet.com
<p>A report came out last fall suggesting that repeating one number in the iPhone&#8217;s four-digit security PIN made for better protection than using all unique numbers. However, that little trick doesn&#8217;t seem to go very far with Micro Systemation, a Swedish security firm that helps police and military around the world crack digital security systems.
</li>
<li><a href="http://securitylearn.wordpress.com/2012/03/31/reading-iphone-backups/">Reading iPhone Backups</a> &#8211; securitylearn.wordpress.com
<p>When an iPhone is connected to a computer for the first time, iTunes automatically creates a subfolder with the device UDID as the folder name and takes a backup of everything available on the iPhone.
</li>
</ul>
<li>IPv6</li>
<ul>
<li><a href="https://community.rapid7.com/community/metasploit/blog/2012/03/27/identifying-ipv6-security-risks-in-ipv4-networks-tools">Identifying IPv6 Security Risks in IPv4 Networks: Tools</a> &#8211; community.rapid7.com
<p>This post details some of the tools used in my recent IPv6 security testing webcast. If you have any specific questions, please open a Discussion thread.
</li>
<li><a href="http://7bits.nl/blog/2012/03/26/finding-v6-hosts-by-efficiently-mapping-ip6-arpa">Finding v6 hosts by efficiently mapping ip6.arpa</a> &#8211; 7bits.nl
<p>A technique for quickly finding existing reverse (PTR) entries in ip6.arpa-zones occurred to me recently. A cursory internet search reveals little about the subject, suggesting nobody else may have connected these dots before.
</li>
</ul>
</ul>
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li>MS12-020</li>
<ul>
<li><a href="http://auntitled.blogspot.com/2012/03/understand-ms12-020.html">Understand MS12-020</a> &#8211; auntitled.blogspot.com
<p>I saw many misunderstandings about the MS12-020 bug. Here is my quick explanation (hope it is clear). There are 2 bugs for this bulletin. One is RCE (CVE-2012-0002). Another one is DoS (CVE-2012-0152). I use the diff result from the work of people in IRC (freenode#MS12-020) http://pastie.org/private/4egcqt9nucxnsiksudy5dw.
</li>
<li><a href="http://www.f-secure.com/weblog/archives/00002338.html">A Tool Exploiting MS12-020 Vulnerabilities</a> &#8211; f-secure.com
<p>Since the public release of Microsoft&#8217;s MS12-020 bulletin, there have been plenty of attempts to exploit vulnerabilities in the Remote Desktop Protocol (RDP). Last week, we received a related sample, which turned out to be a tool called &#8220;RDPKill by: Mark DePalma&#8221; that was designed to kill a targeted RDP service.
</li>
</ul>
<li>DNS</li>
<ul>
<li><a href="http://www.circleid.com/posts/20120327_dns_changer/">DNS Changer</a> &#8211; circleid.com
<p>One fine night in November 2011 I got an opportunity to get my hands dirty, working on a project for the United States Federal Bureau of Investigation (FBI). They were planning to seize a bunch of computing assets in New York City that were being used as part of a criminal empire that we called &#8220;DNS Changer&#8221; since that was the name of the software this gang used to infect a half million or so computers. I work for Internet Systems Consortium (ISC), a small non-profit company headquartered in California.
</li>
<li><a href="https://community.rapid7.com/community/metasploit/blog/2012/03/28/metasploit-update">Weekly Metasploit Update: DNS payloads, Exploit-DB, and More</a> &#8211; community.rapid7.com
<p>This week we&#8217;ve got a nifty new shellcode delivery scheme, we&#8217;ve normalized on Exploit-DB serial numbers, and a pile of new modules, so if you don&#8217;t have Metasploit yet, you can snag it here.
</li>
</ul>
<li><a href="http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/">New Java Attack Rolled into Exploit Packs</a> &#8211; krebsonsecurity.com
<p>If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.
</li>
<li><a href="http://reviews.cnet.com/8301-13727_7-57405503-263/new-exploit-uses-old-office-vulnerability-for-os-x-malware-delivery/?part=rss&amp;tag=feed&amp;subj=News-Security">New exploit uses old Office vulnerability for OS X malware delivery</a> &#8211; reviews.cnet.com
<p>While this means of exploiting Mac systems via Microsoft Office is old and has been patched, this marks the first time Office documents have been used to exploit OS X systems.
</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li>Microsoft</li>
<ul>
<li><a href="http://www.nytimes.com/2012/03/26/technology/microsoft-raids-tackle-online-crime.html">Microsoft Raids Tackle Internet Crime</a> &#8211; nytimes.com
<p>Microsoft employees, accompanied by United States marshals, raided two nondescript office buildings in Pennsylvania and Illinois on Friday, aiming to disrupt one of the most pernicious forms of online crime today — botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers.
</li>
<li><a href="http://krebsonsecurity.com/2012/03/microsoft-takes-down-dozens-of-zeus-spyeye-botnets/">Microsoft Takes Down Dozens of Zeus, SpyEye Botnets</a> &#8211; krebsonsecurity.com
<p>Microsoft today announced the execution of a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye — powerful banking Trojans that have helped thieves steal more than $100 million from small to mid-sized businesses in the United States and abroad.
</li>
<li><a href="http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx">Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets</a> &#8211; technet.com
<p>Cybercriminals have built hundreds of botnets using variants of Zeus malware. For this action – codenamed Operation b71 – we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages.
</li>
</ul>
<li>Credit Card Processor Breach</li>
<ul>
<li><a href="http://krebsonsecurity.com/2012/03/mastercard-visa-warn-of-processor-breach/">MasterCard, VISA Warn of Processor Breach</a> &#8211; krebsonsecurity.com
<p>VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.
</li>
<li><a href="http://www.wired.com/threatlevel/2012/03/global-payments-breached/">Hackers Breach Credit Card Processor; 50K Cards Compromised</a> &#8211; wired.com
<p>Global Payments Inc, an Atlanta-based processor, has been breached by hackers, leaving more than 50,000 card accounts potentially compromised.
</li>
</ul>
<li><a href="http://news.cnet.com/8301-27080_3-57404815-245/hackers-steal-passwords-from-military-dating-site/?part=rss&amp;tag=feed&amp;subj=News-Security">Hackers steal passwords from military dating site</a> &#8211; news.cnet.com
<p>Hackers broke into the database for a military dating Web site and stole passwords, e-mail addresses, and other information from nearly 171,000 accounts, according to a post on the Pastebin site this weekend.
</li>
<li><a href="http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabilities/232700282/command-injection-attacks-automated-password-guessing-on-the-rise.html">Command Injection Attacks, Automated Password Guessing On The Rise</a> &#8211; darkreading.com
<p>Spam and several of the most common vulnerabilities are on the decline, according to a report issued this week, but there has been a marked increase in new types of attacks, such as shell command injection and automated password guessing.
</li>
<li><a href="http://www.zdnet.com/blog/security/lulzsec-hacks-css-corp/11108">LulzSec hacks CSS Corp</a> &#8211; zdnet.com
<p>LulzSec has hacked CSS Corp and released the company’s e-mail database to the public. The hacktivist group is also asking followers to join #LulzSecReborn on Anonymous’ IRC channel.
</li>
<li><a href="http://krebsonsecurity.com/2012/03/critical-security-update-for-adobe-flash-player-2/">Critical Security Update for Adobe Flash Player</a> &#8211; krebsonsecurity.com
<p>Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li>China on Hacking</li>
<ul>
<li><a href="http://taosecurity.blogspot.com/2012/03/inside-commission-hearing-on-chinese.html">Inside a Commission Hearing on the Chinese Threat</a> &#8211; taosecurity.blogspot.com
<p>This morning I testified at the U.S.-China Economic and Security Review Commission at a hearing on Developments in China’s Cyber and Nuclear Capabilities. In the picture taken by Mrs Bejtlich (thanks for attending!) I&#8217;m seated at the far right. To my left is Nart Villeneuve. To his left is Jason Healey.
</li>
<li><a href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232700515/china-hacked-rsa-u-s-official-says.html">China Hacked RSA, U.S. Official Says</a> &#8211; darkreading.com
<p>Until this week, no one has ever confirmed publicly what everyone has suspected all along: that China was behind the advanced attack against RSA&#8217;s SecurID systems last year. That was the revelation by the head of the U.S. Cyber Command in a Congressional hearing on Tuesday.
</li>
</ul>
<li><a href="http://news.cnet.com/8301-27080_3-57404894-245/tsa-asks-congressional-panel-to-uninvite-critic-bruce-schneier/">TSA asks congressional panel to uninvite critic Bruce Schneier</a> &#8211; news.cnet.com
<p>Bruce Schneier, a vocal critic of security measures used by the Transportation Security Administration, was asked to testify before Congress about TSA&#8217;s security screening initiatives but then was &#8220;formally uninvited&#8221; after the agency complained.
</li>
<li><a href="http://www.wired.com/threatlevel/2012/03/nsa-malware-signature/">NSA Chief: Agency Wants to Provide Malware Signatures, Not Enter Private Networks</a> &#8211; wired.com
<p>The NSA continued to downplay its role in the cyberdefense of private networks when Gen. Keith Alexander told a Senate committee Tuesday that his intelligence agency absolutely did not want to be lurking in private networks monitoring data for threats.
</li>
<li><a href="http://arstechnica.com/science/news/2012/03/satellite-jamming-becoming-a-big-problem-in-the-middle-east.ars">Satellite-jamming becoming a big problem in the Middle East and North Africa</a> &#8211; arstechnica.com
<p>The Arab Spring has had yet another consequence—satellite jamming, and the practice is serious enough to threaten the satellite operators&#8217; business. Two operators, Arabsat and Nilesat, complained about the jamming in the Satellite 2012 Conference in Washington, D.C. last week, according to an article in Space News.
</li>
<li><a href="http://www.techweekeurope.co.uk/news/eu-cyber-crime-law-sentenc-69942">Draft EU Law Proposes 2 Year Minimum Sentence for Hackers</a> &#8211; techweekeurope.co.uk
<p>The proposed directive, which was backed by 50 votes at the European Parliament’s Civil Liberties Committee compared to one against, would mean the UK would no longer rely on the Computer Misuse Act that currently has a maximum sentence of two years for a single breach of systems.
</li>
<li><a href="http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html">U.S. Outgunned in Hacker War</a> &#8211; online.wsj.com
<p>The Federal Bureau of Investigation&#8217;s top cyber cop offered a grim appraisal of the nation&#8217;s efforts to keep computer hackers from plundering corporate data networks: &#8220;We&#8217;re not winning,&#8221; he said.
</li>
<li><a href="http://www.smithsonianmag.com/history-archaeology/Richard-Clarke-on-Who-Was-Behind-the-Stuxnet-Attack.html">Richard Clarke on Who Was Behind the Stuxnet Attack</a> &#8211; smithsonianmag.com
<p>America&#8217;s longtime counterterrorism czar warns that the cyberwars have already begun—and that we might be losing.
</li>
<li><a href="http://blog.c22.cc/2012/03/29/eu-legislation-digging-below-the-fud-line/">EU legislation – Digging below the FUD line</a> &#8211; blog.c22.cc
<p>Yesterday I started to see some chatter on Twitter about new/updated EU legislation dealing with “cyber” attacks.
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/04/02/week-13-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Week 12 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/03/25/week-12-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/03/25/week-12-in-review-2012/#comments</comments>
		<pubDate>Mon, 26 Mar 2012 02:15:46 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[CanSecWest 2012]]></category>
		<category><![CDATA[DBIR]]></category>
		<category><![CDATA[Joomla]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[SANS Mobile Device Security Summit]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2225</guid>
		<description><![CDATA[Event Related CanSecWest 2012 Hardware Involved Software Attack &#8211; forristal.com Material for CanSecWest 2012 by Jeff Forristral Vulnerability analysis, practical data flow analysis and visualization &#8211; blogs.technet.com Recently at CanSecWest 2012, we presented on the technology we use for analyzing malicious samples and PoC files. As malware often actively attempts to exploit software vulnerabilities these [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li>CanSecWest 2012</li>
<ul>
<li><a href="http://www.forristal.com/material/Forristal_Cansecwest2012.pdf">Hardware Involved Software Attack</a> &#8211; forristal.com<br />
Material for CanSecWest 2012 by Jeff Forristal
</li>
<li><a href="http://blogs.technet.com/b/mmpc/archive/2012/03/23/vulnerability-analysis-practical-data-flow-analysis-and-visualization.aspx">Vulnerability analysis, practical data flow analysis and visualization</a> &#8211; blogs.technet.com<br />
Recently at CanSecWest 2012, we presented on the technology we use for analyzing malicious samples and PoC files. As malware often actively attempts to exploit software vulnerabilities these days, understanding the internals of these vulnerabilities is essential when writing defense logic.
</li>
</ul>
<li><a href="http://blog.securestate.com/post/2012/03/19/Top-5-Things-Learned-at-the-SANS-Mobile-Device-Security-Summit.aspx">Top 5 Things Learned at the SANS Mobile Device Security Summit</a> &#8211; blog.securestate.com<br />
This is a quick post about the SANS Mobile Device Security Summit that I participated in last week.  I presented the latest version of my ever evolving “Attacking and Defending Apple iOS Devices” presentation.
</li>
</ul>
<p><strong> Resources</strong></p>
<ul>
<li>2012 Verizon Data Breach Investigation Report (DBIR)</li>
<ul>
<li><a href="https://securosis.com/blog/how-to-read-and-act-on-the-2012-verizon-data-breach-investigations-report-d">How to Read and Act on the 2012 Verizon Data Breach Investigations Report (DBIR)</a> &#8211; securosis.com<br />
Verizon just published their excellent 2012 Data Breach Investigations Report, and as usual, it’s full of statistical goodness.
</li>
<li><a href="http://securityblog.verizonbusiness.com/2012/03/22/2012-data-breach-investigations-report-released/">2012 Data Breach Investigations Report Released</a> &#8211; verizonbusiness.com<br />
It’s hard to believe, but it’s time again for another installment of Verizon’s annual Data Breach Investigations Report. This year’s report represents our largest dataset ever, with 855 confirmed security breaches accounting for a combined 174 million compromised records.
</li>
</ul>
<li><a href="http://www.room362.com/blog/2012/3/19/how-to-win-ccdc-slides.html">How to Win CCDC -Slides</a> &#8211; room362.com<br />
Since this is a constantly updating slide deck I figured I&#8217;d post it here so I didn&#8217;t have to keep emailing it out. If you have comments or if something is wrong grammatically, technically or in any other way I&#8217;d love input. Suggestions also welcome.
</li>
<li><a href="http://marcoramilli.blogspot.com/2012/03/rop-and-derop.html">ROP and deROP</a> &#8211; marcoramilli.blogspot.com<br />
Many different researchers have put their efforts into finding good ways to fight ROP malware; for example, Davi et al. and Chen et al. implemented a threshold system able to count how many buckets of instructions followed by RETN are present in an executable; once the threshold is reached, the security mechanism alerts the user.
</li>
<li><a href="http://blog.zoller.lu/2012/03/cvss-common-vulnerability-scoring.html">CVSS &#8211; Common Vulnerability Scoring System &#8211; a critique [ Part1 ]</a> &#8211; blog.zoller.lu<br />
Ever since I started my career in information security I was both interested and intrigued by metrics applied to vulnerabilities (or metrics in general for that matter). CVSS is certainly not new and I had to make the choice whether to use it or not in the past and I always wanted to share some issues I had with it. This blog post laid dormant in DRAFT state since 8 months and I decided to publish it in parts rather than wait another year to finish it.
</li>
<li><a href="http://www.curphey.com/2012/03/is-threat-modeling-overrated/">Is Threat Modeling Overrated ?</a> &#8211; curphey.com<br />
A few weeks ago I posted “Is Threat Modeling Overrated? I think so….” on Twitter. It was piggybacking on this blog post and my bait was a combination of a few glasses of red wine (aka “Dutch courage”) and less than 140 chars of expressiveness, but I have come to think that, despite the potential high value in analyzing an application’s architecture from a security viewpoint, threat modeling as generally practiced is not delivering on its potential.
</li>
<li><a href="http://computer-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens">Protecting Privileged Domain Accounts:  Safeguarding Access Tokens</a> &#8211; computer-forensics.sans.org<br />
This is the 4th in a multi-part series on the topic of &#8220;Protecting Privileged Domain Accounts&#8221;. My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believe this information will be useful to anyone administering and defending a Windows environment.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li><a href="http://r00tsec.blogspot.com/2012/03/smart-scapy-by-lacofa.html">Smart Scapy By Lacofa</a> &#8211; r00tsec.blogspot.com<br />
There are many areas in which they work from a security point of view; one of them is the tests carried out on the devices that manage information. Generally speaking, we can say that devices include a protocol stack, such as TCP/IP.
</li>
<li><a href="http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/">Mercury</a> &#8211; labs.mwrinfosecurity.com<br />
Droid&#8217;s first assessment framework of its kind. A free framework for bug hunters to find vulnerabilities, write proof-of-concept exploits and play in Android.
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="http://blog.opensecurityresearch.com/2012/03/top-10-oracle-steps-to-secure-oracle.html">Top 10 Oracle Steps to a Secure Oracle Database Server</a> &#8211; blog.opensecurityresearch.com<br />
There are numerous resources on the Internet that detail secure configurations for Oracle; CISecurity, NIST, SANS, and Oracle just to name a few. Despite this, however, Foundstone continues to encounter vulnerable Oracle databases in our internal and external penetration tests. More often than not, we consultants are able to leverage the vulnerable Oracle databases to compromise additional hosts.
</li>
<li><a href="http://www.darkoperator.com/blog/2012/3/23/creating-wmi-filters-and-gpos-with-powershell.html">Creating WMI Filters and GPOs with PowerShell</a> &#8211; darkoperator.com<br />
In my last 2 blog post I covered the creation of group policy objects for distributing certificates to all computers in a domain and enable Network Level Authentication on them plus also covered how to create and use WMI filters to specify which machines a Group Policy Object should apply to.
</li>
<li><a href="http://travisaltman.com/windows-privilege-escalation-via-weak-service-permissions/">Windows privilege escalation via weak service permissions</a> &#8211; travisaltman.com<br />
When performing security testing on a Windows environment, or any environment for that matter, one of the things you’ll need to check is if you can escalate your privileges from a low privilege user to a high privileged user.
</li>
</ul>
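<p>The weak-service-permissions check described above, as an added PowerShell example (this is not code from the travisaltman.com post): it lists services whose executable is writable by the account you are running as, or whose unquoted path contains spaces, the two conditions a local attacker abuses to get code running as the service account (usually LocalSystem). It assumes a Windows host with PowerShell 2.0 or later; service names and paths are read from the live system, and the function names are this example's own.</p>

```powershell
# Added example: audit services for weak binary permissions and unquoted paths.
# Run it as the low-privilege user you are testing from.

# Rights that let a user replace or alter the executable (or its ACL).
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) appear in some ACEs.
$script:DangerousRights = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
    [int][System.Security.AccessControl.FileSystemRights]::AppendData -bor
    [int][System.Security.AccessControl.FileSystemRights]::WriteDac -bor
    [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
    0x40000000 -bor 0x10000000

function Get-ServiceBinaryPath {
    # Extract the executable from Win32_Service.PathName, which may be quoted
    # ("C:\Program Files\V\svc.exe" -arg) or unquoted (C:\Program Files\V\svc.exe -arg).
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-CurrentUserCanWrite {
    # True when an Allow ACE on $Path grants a dangerous right to the current
    # user or to any group in the current token (Everyone, Users, Authenticated Users, ...).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SID or untranslatable account
        if ($sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $script:DangerousRights) -ne 0) { return $true }
    }
    return $false
}

function Find-WeakServices {
    # Emits one object per finding: the service, the account it runs as,
    # its binary and why it is weak.
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $raw = [string]$svc.PathName
        if (-not $raw) { continue }
        $bin = Get-ServiceBinaryPath $raw
        $reasons = @()
        if ($raw -notmatch '^\s*"' -and $bin -match ' ') {
            $reasons += 'unquoted path with spaces'
        }
        if (Test-CurrentUserCanWrite $bin) {
            $reasons += 'binary writable by current user'
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Service   = $svc.Name
                StartName = $svc.StartName     # account the service runs as
                Binary    = $bin
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

Find-WeakServices | Sort-Object Service |
    Format-Table Service, StartName, Reason, Binary -AutoSize
```

<p>Two caveats when reading the output. An unquoted path is only exploitable when one of the intermediate directories (for example <code>C:\Program Files\Vendor</code>) is writable, since the service control manager tries <code>C:\Program.exe</code>, <code>C:\Program Files\Vendor.exe</code> and so on in order; check those directories the same way. And the script only looks at the file ACL: a service whose own security descriptor grants SERVICE_CHANGE_CONFIG to ordinary users is just as bad (the binary path can simply be repointed), which is what <code>sc sdshow &lt;service&gt;</code> or Sysinternals <code>accesschk -ucqv</code> will show.</p>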
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li><a href="http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx">An interesting case of JRE sandbox breach (CVE-2012-0507)</a> &#8211; blogs.technet.com<br />
The Microsoft Malware Protection Center Blog provides information on viruses, worms and other malware and spyware and explains how Microsoft antivirus products help protect your computer
</li>
<li><a href="http://blogs.technet.com/b/mmpc/archive/2012/03/20/piecing-the-malware-puzzle-exploring-a-spike-in-exploit-activity.aspx">Piecing the malware puzzle &#8211; Exploring a spike in exploit activity</a> &#8211; technet.com<br />
The Microsoft Malware Protection Center Blog provides information on viruses, worms and other malware and spyware and explains how Microsoft antivirus products help protect your computer.
</li>
<li><a href="http://www.h-online.com/security/news/item/Joomla-2-5-update-fixes-security-vulnerabilities-1476632.html">Joomla! 2.5 update fixes security vulnerabilities</a> &#8211; h-online.com<br />
Version 2.5.3 of the open source content management system closes two &quot;High Priority&quot; security holes that could have been exploited by an attacker to gain escalated privileges or change a user&#8217;s password.
</li>
</ul>
<p><strong> Vulnerabilities</strong></p>
<ul>
<li><a href="http://www.computerworld.com/s/article/9225300/Java_based_Web_attack_installs_hard_to_detect_malware_in_RAM">Java-based Web attack installs hard-to-detect malware in RAM</a> &#8211; computerworld.com<br />
A hard-to-detect piece of malware that doesn&#8217;t create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to security researchers from antivirus firm Kaspersky Lab.
</li>
<li><a href="http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/">FreePBX Exploit Phone Home</a> &#8211; offensive-security.com<br />
During a routine scan of new vulnerability reports for the Exploit Database, we came across a single post in full disclosure by Martin Tschirsich, about a Remote Code Execution vulnerability in FreePBX.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li>The Hackers</li>
<ul>
<li><a href="http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/">Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)</a> &#8211; forbes.com<br />
Chaouki Bekrar (center) and Vupen&#039;s team of hackers at the Pwn2Own hackathon in Vancouver in March. (Photo credit: Ryan Naraine) This story appears in the April 9th issue of Forbes magazine. At a Google-run competition in Vancouver last month, the search giant’s famously secure Chrome Web browser fell to hackers twice.
</li>
<li><a href="http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/">Shopping For Zero-Days: A Price List For Hackers&#8217; Secret Software Exploits</a> &#8211; forbes.com<br />
A clever hacker today has to make tough choices. Find a previously unknown method for dismantling the defenses of a device like an iPhone or iPad, for instance, and you can report it to Apple and present it at a security conference to win fame and lucrative consulting gigs.
</li>
</ul>
<li><a href="http://www.wired.com/threatlevel/2012/03/duqu-mystery-language-solved/">DuQu Mystery Language Solved With the Help of Crowdsourcing</a> &#8211; wired.com<br />
A group of researchers who recently asked the public for help in figuring out a mysterious language used in the DuQu virus have solved the puzzle, thanks to crowdsourcing help from programmers who wrote in to offer suggestions and clues.
</li>
<li><a href="http://threatpost.com/en_us/blogs/eff-says-cyber-security-bills-open-door-government-corporate-abuse-032412">EFF Says Cyber Security Bills Open Door To Government, Corporate Abuse </a> &#8211; threatpost.com<br />
The Electronic Frontier Foundation (EFF) is sounding alarms about a collection of overly vague cyber-security bills making their way through Congress.
</li>
<li><a href="http://www.zdnet.com/blog/security/63-of-website-owners-dont-know-how-they-were-hacked/10986">63% of website owners don&#8217;t know how they were hacked</a> &#8211; zdnet.com<br />
It’s bad enough when your website is hacked, but it’s even worse when you don’t know how it happened. It turns out only some website owners have an idea how their sites were compromised.
</li>
</ul>
<img src="http://infosecevents.net/?ak_action=api_record_view&id=2225&type=feed" alt="" />]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/03/25/week-12-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Week 11 in Review &#8211; 2012</title>
		<link>http://infosecevents.net/2012/03/19/week-11-in-review-2012/</link>
		<comments>http://infosecevents.net/2012/03/19/week-11-in-review-2012/#comments</comments>
		<pubDate>Tue, 20 Mar 2012 00:44:10 +0000</pubDate>
		<dc:creator>Roxanne</dc:creator>
				<category><![CDATA[Security Conferences]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Security Vulnerabilities]]></category>
		<category><![CDATA[Security Workshops]]></category>
		<category><![CDATA[Black Hat Europe 2012]]></category>
		<category><![CDATA[Microsoft Security Bulletin]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[pwn2own]]></category>
		<category><![CDATA[RSA Conference 2012]]></category>

		<guid isPermaLink="false">http://infosecevents.net/?p=2189</guid>
		<description><![CDATA[Event Related Black Hat Europe 2012 Summaries, Updates and Tools BlackHat Europe 2012 Day #1 Wrap-Up &#8211; blog.rootshell.be BlackHat is back in Europe and, this year, they moved back to Amsterdam! This edition also introduced a new format: A three-days conference with three simultaneous tracks. BlackHat Europe 2012 Day #2 Wrap-Up &#8211; rootshell.be And I’m [...]]]></description>
			<content:encoded><![CDATA[<p><strong> Event Related</strong></p>
<ul>
<li>Black Hat Europe 2012 Summaries, Updates and Tools </li>
<ul>
<li><a href="http://blog.rootshell.be/2012/03/14/blackhat-europe-2012-day-1-wrap-up/">BlackHat Europe 2012 Day #1 Wrap-Up</a> &#8211; blog.rootshell.be<br />
BlackHat is back in Europe and, this year, they moved back to Amsterdam! This edition also introduced a new format: A three-days conference with three simultaneous tracks.
</li>
<li><a href="http://blog.rootshell.be/2012/03/15/blackhat-europe-2012-day-2-wrap-up/">BlackHat Europe 2012 Day #2 Wrap-Up</a> &#8211; rootshell.be<br />
And I’m back with my wrap-up for the second day. Here are a review of the talks I followed today. Rafal Los and  Shane MacDougall spoke about &#8220;offensive threat modeling on its head&#8221;.
</li>
<li><a href="http://blog.rootshell.be/2012/03/16/blackhat-europe-2012-day-3-wrap-up/">BlackHat Europe 2012 Day #3 Wrap-Up</a> &#8211; blog.rootshell.be<br />
They presented their research about the security of keyword managers on smartphones. It’s recommended to not use the same password across several applications or services.
</li>
<li><a href="https://www.corelan.be/index.php/2012/03/14/blackhat-eu-2012-day-1/">BlackHat EU 2012  Day 1</a> &#8211; corelan.be<br />
After a 2 year detour in Barcelona, BlackHat Europe has returned to Amsterdam again this year.</li>
<li><a href="https://www.corelan.be/index.php/2012/03/15/blackhat-eu-2012-day-2/">BlackHat EU 2012  Day 2</a> &#8211; corelan.be<br />
Welcome back friends, at day 2 of BlackHat Europe 2012, held in the Grand Hotel Krasnapolsky in the wonderful city of Amsterdam.
</li>
<li><a href="https://www.corelan.be/index.php/2012/03/16/blackhat-eu-2012-day-3/">BlackHat EU 2012  Day 3</a> &#8211; corelan.be<br />
Since doing live-blogging seemed to work out pretty well yesterday, I’ll do the same thing again today.  Please join in for day 3 at BlackHat Europe 2012, in a cloudy and rainy Amsterdam.
</li>
<li><a href="http://h30499.www3.hp.com/t5/Following-the-White-Rabbit/Black-Hat-Europe-2012-Day-3-Some-thoughts-on-sandboxes/ba-p/5587287">Black Hat Europe 2012 &#8211; Day 3 &#8211; Some thoughts on sandboxes</a> &#8211; hp.com<br />
I&#8217;ve always found  sandboxes  interesting, particularly from a cost-benefit analysis perspective. As a developer you should be writing good code, period.  But when the pace of developing new functionality outpaces the ability to do complete software security analysis we see security organizations turning to sandboxing as a method of limiting the amount of damage an exploited piece of code can do.
</li>
<li><a href="http://blog.didierstevens.com/2012/03/14/update-pdfid-and-pdf-parser/">Update: PDFiD And pdf-parser</a> &#8211; blog.didierstevens.com<br />
To mark the occasion of my Malicious PDF Analysis workshop at Black Hat Europe 2012, I’m releasing version 0.0.12 of PDFiD and version 0.3.9 of pdf-parser.
</li>
<li><a href="http://h30499.www3.hp.com/t5/Following-the-White-Rabbit/3-Key-take-aways-from-Amsterdam-Black-Hat-Europe-2012/ba-p/5585671">3 Key take-aways from Amsterdam [Black Hat Europe 2012]</a> &#8211; hp.com<br />
This blog is coming to you live from Amsterdam, one of my favorite cities in all the world for its laid-back attitude, its brilliant culture, and history beyond books. The conference has grown again, and I&#8217;m having a great time learning.
</li>
<li><a href="http://www.mcafee.com/apps/free-tools/termsofuse.aspx?url=/us/downloads/free-tools/tessercap.aspx">TesserCap v1.0 (Black Hat EU 2012 Edition) Released</a> &#8211; mcafee.com<br />
Foundstone’s TesserCap is a GUI based, highly flexible, interactive, point and shoot CAPTCHA analysis tool with the following features.
</li>
<li><a href="https://github.com/xme/pastemon/tree/">Pastemon v1.6 (Black Hat EU 2012 Edition) Released</a> &#8211; github.com<br />
pastemon.pl is a script which runs in the background as a daemon and monitors pastebin.com for interesting content (based on regular expressions). Found information is sent to syslog.
</li>
<li><a href="http://www.notsosecure.com/folder2/2012/03/18/black-hat-eu-2012/">Black Hat Eu 2012</a> &#8211; notsosecure.com<br />
Anyways, I was privileged to speak at yet another Black Hat. This time I was a 2nd speaker and along with Tom Forbes we presented a talk on Hacking XPATH 2.0. One question which everyone wants to know: how many times have we found it in the wild? I have seen maybe around 7-8 XPath injections in real life pentests and hence I agree this is not very common.
</li>
<li><a href="https://www.blackhat.com/html/bh-eu-12/bh-eu-12-archives.html">Black Hat Europe 2012 Briefings</a> &#8211; blackhat.com<br />
BlackHat Europe 2012 presentations and materials released.
</li>
</ul>
<li>RSA Conference 2012</li>
<ul>
<li><a href="http://www.tripwire.com/state-of-security/it-security-data-protection/our-five-favorite-videos-from-rsa-2012/">Our Five Favorite Videos from RSA 2012</a> &#8211; tripwire.com<br />
It’s been a little over a week since the conclusion of the 2012 RSA Conference and Security B-Sides. Once again we had a great time interviewing and photographing lots of really smart people about information security.
</li>
<li><a href="http://www.net-security.org/dl/insecure/INSECURE-Mag-RSA2012.pdf">(IN)Secure Magazine Special Edition</a> &#8211; net-security.org<br />
(IN)SECURE Magazine is a free digital security magazine discussing some of the hottest issues in information security. The March 2012 RSA Conference special edition has been released!
</li>
</ul>
<li><a href="http://www.spylogic.net/2012/03/sans-mobile-device-security-summit-recap/">SANS Mobile Device Security Summit Recap</a> &#8211; spylogic.net<br />
What I liked most about this event was that there were plenty of “real world” talks on how enterprises are deploying and managing mobile deployments.  Real in the “trenches” types of talks.  Here are some of the themes that I heard throughout all the talks.
</li>
<li><a href="http://blog.thinkst.com/2012/03/penetration-testing-considered-harmful.html">Penetration Testing considered harmful today</a> &#8211; blog.thinkst.com<br />
Early last year we presented at 44con with a talk titled: &#8220;Penetration Testing considered harmful today&#8221;. 44con have just released the video so we figured it was worth a quick recap (for anyone not willing to tolerate the whiny voice!)
</li>
</ul>
<p><strong> Resources</strong></p>
<ul>
<li><a href="http://www.ethicalhacker.net/content/view/412/24/">Building Information Security Professionals</a> &#8211; ethicalhacker.net<br />
A commonly posed question, particularly among people looking to get into the information security field, is “how do I get into information security?”
</li>
<li><a href="http://www.symantec.com/connect/blogs/introducing-symantec-smartphone-honey-stick-project">Introducing the Symantec Smartphone Honey Stick Project</a> &#8211; symantec.com<br />
A while back, my wife was mugged and her purse and all its contents were stolen. When she told me, I had three questions:  	Are you alright? 	Did you cancel the credit cards and call a locksmith to change our locks? 	Did they get your phone?  My third question was about her smartphone because smartphones today are so integrated into our lives.
</li>
<li><a href="http://resources.infosecinstitute.com/clickjacking-facebook/">Clickjacking, Cursorjacking and Common Facebook Vulnerabilities</a> &#8211; infosecinstitute.com<br />
Clickjacking is one of the attacks most used by spammers on Facebook. Almost every month, we face a new type of clickjacking attack on Facebook. Clickjacking is a new type of attack which is performed on web applications.
</li>
<li><a href="http://blog.c22.cc/2012/03/12/unsung-heros-the-list/">Unsung Heros (the list)</a> &#8211; blog.c22.cc<br />
I’ve created the following list in no particular order, and tried my best to categorize them as best I can. Some things fall into multiple categories, but I’m sure, like many tools, you can use them for a lot of fun things.
</li>
<li><a href="http://www.irongeek.com/i.php?page=videos%2Fweb-application-pen-testing-tutorials-with-mutillidae">Web Application Pen-testing Tutorials With Mutillidae (Hacking Illustrated Series InfoSec Tutorial Videos)</a> &#8211; irongeek.com<br />
When I started the Mutillidae project it was with the intention of using it as a teaching tool and making easy to understand video demos. Truth be told, I never did as much with it as I intended.
</li>
</ul>
<p><strong> Tools</strong></p>
<ul>
<li><a href="http://www.ampliasecurity.com/research/wce_v1_3beta_x64.tgz">WCE v1.3beta 64bit released</a> &#8211; ampliasecurity.com<br />
WCE v1.3beta 64bit released. You can download it here. The same functionality recently added to the 32bit version was added to the 64bit version.
</li>
<li><a href="http://www.contextis.com/research/tools/canape">Canape</a> &#8211; contextis.com <br />
Canape is a network testing tool for arbitrary protocols, but specifically designed for binary ones. It contains built in functionality to implement standard network proxies and provide the user the ability to capture and modify traffic to and from a server.</li>
<li><a href="http://owasp.blogspot.com/2012/03/owasp-hacking-lab.html">Open Web Application Security Project: OWASP Hacking-Lab</a> &#8211; owasp.blogspot.com<br />
Hacking-Lab is providing free OWASP TOP 10 hands-on challenges to the OWASP community. This is an inner service of GEC (Global Education Committee) as part of the Academy Portal project.
</li>
</ul>
<p><strong> Techniques</strong></p>
<ul>
<li><a href="http://blog.opensecurityresearch.com/2012/03/fiddler-and-ntlm-authentication.html">Fiddler and NTLM authentication</a> &#8211; blog.opensecurityresearch.com<br />
I was testing a web application recently that used NTLM (over HTTP) to authenticate users. I was using Fiddler to test the web application and ran into the following problem which was hampering / slowing down my testing.
</li>
<li><a href="http://www.symantec.com/connect/de/blogs/64-bit-system-driver-infected-and-signed-after-uac-bypassed">64-Bit System Driver Infected and Signed After UAC Bypassed</a> &#8211; symantec.com<br />
What was just a theory not so long ago is now being used in-the-wild by threats such as Backdoor. Hackersdoor and its newer variant Backdoor.Conpee. Back in December we analyzed tdpipe.sys, an infected 64-bit Windows 7 system driver.
</li>
<li><a href="http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+dvlabsblog+%28TippingPoint+DVLabs+Blog%29">Pwn2Own Challenges: Heapsprays are for the 99% </a> &#8211; dvlabs.tippingpoint.com<br />
In case you aren&#8217;t familiar with the Pwn2Own rules this year, we asked people to exploit public bugs&#8230; here&#8217;s one of them. The CVE in question (CVE-2010-0248) is a use-after-free vulnerability in Internet Explorer 8 found by yours truly back in 2010.
</li>
<li><a href="http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html">Intro to Chrome addons hacking: fingerprinting</a> &#8211; blog.kotowicz.net<br />
tldr; Webpages can sometimes interact with Chrome addons and that might be dangerous, more on that later. Meanwhile, a warmup &#8211; trick to detect addons you have installed.
</li>
<li><a href="http://www.darkoperator.com/blog/2012/3/17/configuring-network-level-authentication-for-rdp.html">Configuring Network Level Authentication for RDP</a> &#8211; darkoperator.com<br />
CredSSP first establishes an encrypted channel between the client and the target server by using Transport Layer Security (TLS). Using the TLS connection as an encrypted channel, it does not rely on the client/server authentication services that are available in TLS but does use it for validating identity.
</li>
<li><a href="http://blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544">Drive-by FTP: a new view of CVE-2011-3544</a> &#8211; blog.eset.com<br />
Not long ago we received interesting information from an independent security researcher from Russia, Vladimir Kropotov. (We will be presenting our joint research with him at CARO 2012). We started to research this information and found an interesting way to distribute by FTP the payload for the most common java exploit, which ESET calls Java/Exploit.CVE-2011-3544.
</li>
<li><a href="http://www.contextis.co.uk/research/blog/framesniffing">Framesniffing against SharePoint and LinkedIn</a> &#8211; contextis.co.uk<br />
Framesniffing technique and show how it can be used by a remote attacker to steal sensitive information from users through their web browser.
</li>
</ul>
<p><strong> Vendor/Software Patches</strong></p>
<ul>
<li>Microsoft Patch Tuesday</li>
<ul>
<li><a href="http://isc.sans.edu/diary.html?storyid=12775&amp;rss">March 2012 Microsoft Black Tuesday</a> &#8211; isc.sans.edu<br />
Overview of the March 2012 Microsoft patches and their status.
</li>
<li><a href="http://blogs.technet.com/b/msrc/archive/2012/03/13/strength-flexibility-and-the-march-2012-security-bulletins.aspx">Strength, flexibility and the March 2012 security bulletins</a> &#8211; blogs.technet.com<br />
Today we’re releasing six security bulletins – one Critical-class, four Important and one Moderate – addressing seven issues in Microsoft Windows, Visual Studio, and Expression Design. We recommend that customers focus on MS12-020, our sole critical-class bulletin, as the March deployment priority.
</li>
</ul>
<li>MS 12-020</li>
<ul>
<li><a href="http://aluigi.org/adv/termdd_1-adv.txt">Microsoft Terminal Services</a> &#8211; aluigi.org<br />
The Microsoft Remote Desktop Protocol (RDP) provides remote display and input capabilities over network connections for Windows-based applications running on a server. RDP is designed to support different types of network topologies and multiple LAN protocols.
</li>
<li><a href="http://aluigi.org/adv/ms12-020_leak.txt">Details about the ms12-020 proof-of-concept leak</a> &#8211; aluigi.org<br />
The MS12-020 patch was released on 13 Mar 2012 (CVE-2012-0002). The bug was found by me in May 2011 and reported to Microsoft by ZDI/TippingPoint in August 2011.</li>
<li><a href="http://isc.sans.edu/diary.html?storyid=12781&amp;rss">Why We Rated the MS12-020 Issue with RDP &#8220;Patch Now&#8221;</a> &#8211; isc.sans.edu<br />
Microsoft&#8217;s March 2012 &#8220;Black Tuesday&#8221; announcement included the MS12-020 patch, which fixes a vulnerability in Microsoft&#8217;s implementation of RDP.
</li>
<li><a href="http://blogs.technet.com/b/srd/archive/2012/03/13/cve-2012-0002-a-closer-look-at-ms12-020-s-critical-issue.aspx">CVE-2012-0002: A closer look at MS12-020&#8217;s critical issue</a> &#8211; blogs.technet.com<br />
Microsoft Security Research &amp; Defense: Microsoft information on security mitigations, workarounds, and other technical leadership for better actionable guidance.
</li>
<li><a href="http://www.zdnet.com/blog/security/microsoft-warns-expect-exploits-for-critical-windows-worm-hole/10745">Microsoft warns: Expect exploits for critical Windows worm hole</a> &#8211; zdnet.com<br />
There&#8217;s a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft&#8217;s implementation of the RDP protocol.</li>
<li><a href="https://exploitshop.wordpress.com/2012/03/13/ms12-020-vulnerabilities-in-remote-desktop-could-allow-remote-code-execution/">MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution</a> &#8211; exploitshop.wordpress.com<br />
Crash PoCs are available now by cool guys from freenode co-work.
</li>
<li><a href="http://www.zdnet.com/blog/security/microsoft-confirms-mapp-proof-of-concept-exploit-code-leak/10872">Microsoft confirms MAPP proof-of-concept exploit code leak</a> &#8211; zdnet.com<br />
The smoking gun that the leak came from Microsoft&#8217;s information was contained in a string found in the Chinese proof-of-concept.
</li>
<li><a href="http://dankaminsky.com/2012/03/18/rdp/">RDP and the Critical Server Attack Surface</a> &#8211; dankaminsky.com<br />
MS12-020, a use-after-free discovered by Luigi Auriemma, is roiling the Information Security community something fierce. That’s somewhat to be expected — this is a genuinely nasty bug. But if there’s one thing that’s not acceptable, it’s the victim shaming.</li>
<li><a href="http://www.theregister.co.uk/2012/03/16/rdp_worm/">PoC code uses super-critical Windows bug to crash PCs</a> &#8211; theregister.co.uk<br />
Security watchers have discovered proof-of-concept code that attempts to exploit a high-risk Windows security hole, causing computers to crash.
</li>
<li><a href="https://isc.sans.edu/diary/INFOCON+Yellow+-+Microsoft+RDP+-+MS12-020/12805">INFOCON Yellow &#8211; Microsoft RDP &#8211; MS12-020</a> &#8211; isc.sans.edu<br />
As we feared the MS12-020 bulletin from last black Tuesday caused a race for finding an exploit.<br />
The last few evolutions in that process cause our worries to increase significantly. In order to help raise awareness and call administrators to action, we&#8217;re raising our INFOCON to YELLOW for 24 hours.
</li>
<li><a href="http://www.zdnet.com/blog/security/exploit-code-published-for-rdp-worm-hole-does-microsoft-have-a-leak/10860">Exploit code published for RDP worm hole; Does Microsoft have a leak?</a> &#8211; zdnet.com<br />
The code publication has set off alarm bells in the corridors at Redmond because there are clear signs that Microsoft’s pre-patch vulnerability sharing program has been breached or has suffered a major leak.
</li>
</ul>
<li><a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-030">Microsoft Security Bulletin MS11-030 &#8211; Critical : Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)</a> &#8211; technet.microsoft.com<br />
This security update resolves a privately reported vulnerability in Windows DNS resolution. The vulnerability could allow remote code execution if an attacker gained access to the network and then created a custom program to send specially crafted LLMNR broadcast queries to the target systems. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the LLMNR ports should be blocked from the Internet.
</li>
<li><a href="http://erratasec.blogspot.com/2012/03/mapp-zero-day-protection-scam.html">The MAPP zero-day protection scam</a> &#8211; erratasec.blogspot.com<br />
In the news, it appears that Chinese hackers got hold of the secret proof-of-concept (PoC) exploit for the recent Microsoft RDP bug. The most likely culprit was Microsoft’s MAPP program, which gives PoCs to security vendors 24 hours ahead of the patch so that they update their products to protect against the bug, to provide “zero-day” protection.
</li>
</ul>
<p><strong> Other News</strong></p>
<ul>
<li>FBI Can&#8217;t Crack Android Phones</li>
<ul>
<li><a href="http://www.wired.com/threatlevel/2012/03/fbi-android-phone-lock/">FBI Can&#8217;t Crack Android Pattern-Screen Lock</a> &#8211; wired.com<br />
Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.
</li>
<li><a href="http://nakedsecurity.sophos.com/2012/03/16/google-subpoenaed-by-fbi-who-failed-to-break-into-pattern-locked-samsung-smartphone/">Google subpoenaed by FBI to access a pimp&#8217;s pattern-locked Samsung smartphone</a> &#8211; nakedsecurity.sophos.com<br />
The story of the Pimpin Hoes Daily gang founder Dante Dears, his pattern-locked Samsung phone, the feds, Google, and subpoenas. Why couldn&#8217;t the FBI get into the locked phone? Get the popcorn &#8211; this is interesting.
</li>
</ul>
<li><a href="http://www.readwriteweb.com/enterprise/2012/03/passphrases-maybe-not-as-secur.php">Passphrases: Maybe Not as Secure as You Think</a> &#8211; readwriteweb.com<br />
The conventional wisdom seems to be that passphrases are much more secure than passwords, even if the password is complex. Passphrases are likely to be more secure than &#8230;
</li>
<li><a href="http://www.bbc.co.uk/news/technology-17333601">GCHQ-backed competition names Cyber Security Champion</a> &#8211; bbc.co.uk<br />
A 19-year-old university student has been named the UK&#8217;s &#8220;Cyber Security Champion&#8221; following a competition sponsored by the intelligence agency GCHQ and several leading tech firms.
</li>
<li><a href="http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/all/1">The NSA Is Building the Country&#8217;s Biggest Spy Center (Watch What You Say)</a> &#8211; wired.com<br />
The National Security Agency&#8217;s immensely secret project in the Utah desert will intercept, analyze, and store yottabytes of the world&#8217;s communications—including yours.
</li>
<li><a href="http://arstechnica.com/apple/news/2012/03/loose-lipped-iphones-top-the-list-of-smartphones-exploited-by-hacker.ars">Loose-lipped iPhones top the list of smartphones exploited by hacker</a> &#8211; arstechnica.com<br />
Hackers looking for a way into high-value networks often consider smartphones the chink in an otherwise hardened defense. Topping the list is Apple&#8217;s iPhone, which indiscreetly broadcasts the unique identifiers of wireless routers it has recently accessed.
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://infosecevents.net/2012/03/19/week-11-in-review-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

