• Research for SharePoint (MOSS) – owasp.org
  This page contains research notes on Microsoft’s SharePoint MOSS and WSS
• MS SQL – Useful Stored Procedures for SQL Injection and Ports Info – pentesticles.com
  The following post lists and describes various useful stored procedures and port information for MS SQL.
• Portable Executable 101 – a windows executable walkthrough – code.google.com
  This graphic (PDF JPG) is a walkthrough of a simple windows executable, that shows its dissected structure and explains how it’s loaded by the operating system.
• SAP Slapping – labs.mwrinfosecurity.com
  Dave Hartley delivered his “SAP Slapping” presentation at the CRESTCon and BSides London security conferences recently. The talk provides a high level overview of common SAP system vulnerabilities and misconfigurations.
• Scanning the Web with Ammonite – resources.infosecinstitute.com
  Ammonite is a Fiddler extension used to scan web applications for common vulnerabilities like verbose and blind SQL injection, OS commanding, local file inclusion, buffer overflows, format string vulnerabilities etc.
• Exploiting Windows 2008 – esec-pentest.sogeti.com
  Internal network pentesting involving domain controllers requires a few steps in order to gain domain administrator access. One of them usually requires to gain local administrator access to a workstation.

Tools

• Gason - BurpSuite Plugin’s Project – Google Project Hosting - code.google.com
  This project contains a plugin to extend BurpSuite proxy. And know you can run gason stand alone!!
• Skipfish version 2.06b Update – code.google.com
  Skipfish is a fully automated, active web application security reconnaissance tool.

Techniques

• Android
• Android Emulator, Trusted CA, and Persistent Storage – carnal0wnage.attackresearch.com
  Android periodically updates it’s SDK and somtimes when this happens, old methods for importing a Trusted CA, necessary to proxy SSL traffic, will fail and you must find a new solution.
• Update – Android & SSL Cert – carnal0wnage.attackresearch.com
  Thanks to the comments left by Zach from our last Android post here, it has been brought to my attention there is an easier way to do all of this with the latest AVD (4.0.3).
• SecurityStreet: Unsupported Browser – rapid7.com
  The purpose of this post is to point out a little-known jewel — the -m flag to meterpreter’s execute command.

Vendor/Software Patches

• Microsoft Security Bulletin
• MS12-029 – Critical : Vulnerability in Microsoft Word Could Allow Remote Code Execution (2680352) – technet.microsoft.com
  This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• MS12-032 – Important : Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338) – technet.microsoft.com
  This security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
• Bulletin Management Process and the May 2012 Bulletins - blogs.technet.com
  Have you ever wondered why bulletins group particular issues together? Or one set of products and not another? Well today Jonathan Ness has posted an insightful Security Research & Defense (SRD) blog discussing some of the nuances and packaging decisions that went into MS12-034.
• Microsoft patches 23 Windows flaws, warns of risk of code execution attacks – zdnet.com
  The Patch Tuesday batch for May 2012 covers at least 23 documented vulnerabilities in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework and Microsoft Silverlight.
• Adobe, Microsoft Push Critical Security Fixes – krebsonsecurity.com
  Adobe and Microsoft today each issued updates to address critical security flaws in their software.
• PHP-CGI Vulnerability Exploited in the Wild – blog.sucuri.net
  When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.

Vulnerabilities

• Thousands of Twitter passwords exposed – news.cnet.com
  It’s unclear who’s responsible for posting passwords for Twitter accounts to a public Web site. The exact number of accounts is also unclear, as Twitter says many are duplicates and many had already been suspended.

Other News

• FBI Warns Travelers Using Hotel Networks About New Attack – darkreading.com
  The FBI says attackers are trying to trick users into installing malware with promises of software updates.
• Sniffer tool displays other people’s WhatsApp messages – h-online.com
  WhatsApp Sniffer is an app able to display messages from other WhatsApp users connected to the same network as the app user.

• CanSecWest
• CanSecWest evolving – blog.securiteam.com

  Let me say, right off the top, that I love CanSecWest. I am tired of “vendor” conferences, where you pay outrageous fees for the privilege of sitting through a bunch of sales pitches. At least CanSecWest has real information, as opposed to virtual information.

• CanSecWest Day 1 Pen testing, social authentication, APR and Duqu – nakedsecurity.sophos.com
  A wrap-up of the news and talks from CanSecWest 2012 in Vancouver. I highlight talks on pen testing, social authentication, vulnerability mitigation and the Duqu command and control servers.
• CanSecWest Day 2 Smartphones, mobile security, iOS 5 and NFC – nakedsecurity.sophos.com
  Day 2 at CanSecWest was dominated by mobile security talks. The highlights included anti-rooting technologies used in Android, iOS and a look at NFC enabled mobile phone security.
• Playing with Network Layers to Bypass Firewalls Filtering Policy – home.regit.org
  The slides of my CansecWest talk can now be downloaded: Playing with Network Layers to Bypass Firewalls’ Filtering Policy.
• RSA Conference
• B-Sides SF and RSAC 2012 Summary – rants.effu.se
  One of the consistent themes I heard from attendees of B-Sides SF and RSAC this year was “this was the best year yet!” That is a huge turn-around from the cynicism that was so prevalent last year.
• Invasion of the Risk Managers: Altering the Complexion of Security” – readwriteweb.com
  Article about the discussion panel on risk.

Resources

• M-Trends: The One Threat Report You Need to Read – blog.mandiant.com
  Today is a big day. If you’ve followed us for a while you know that once a year we step back and take stock of what we’ve seen on the front lines battling targeted attacks. What is the advanced persistent threat (APT) up to?

Tools

• TaskManager.xls V0.1.2 Update – blog.didierstevens.com
  This is a new version of TaskManager.xls with memory usage statistics, with code given to me by sciomathman.
• Zscaler tool can find unprotected embedded web servers – zdnet.com
  The web-based tool can scan IP ranges to find multi-function printers and photocopiers, VOIP devices and video-conferencing systems that are currently.
• Introducing Adobe SWF Investigator – adobe.com
  Today I am launching a beta of a tool on Adobe Labs called, Adobe SWF Investigator. This Adobe AIR-based application is a suite of tools that may be useful to SWF developers, quality engineers, and security researchers.
• Ettercap v0.7.4.1 Lazarus Released – ettercap.sourceforge.net
  Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
• Wireshark and Pcap-ng – blog.wireshark.org
  When Wireshark 1.8.0 is released in the next few months it will introduce two major features: the ability to capture from multiple interfaces at once and the ability to annotate packets.
• Mole v0.3 (2012-03-02) – themole.nasel.com.ar
  Command line sql injection tool
• WCE v1.3beta 32bit released – hexale.blogspot.com

  WCE v1.3beta 32bit released.

Techniques

• Testing the Security of Virtual Data Centers – community.rapid7.com
  If you are doing security assessments, you are probably running into virtual servers every day. According to analyst firm Gartner, 80% of companies now have a virtualization project or program. With the recent 4.2 release of Metasploit, your next penetration test should be much more fun.
• Why Security Assessments Must Cover IPv6, Even In IPv4 Networks – community.rapid7.com

  What’s your company doing to prepare for IPv6? Probably not an awful lot. While 10% of the world’s top websites now offer IPv6 services, most companies haven’t formulated an IPv6 strategy for the network.

• Foot printing – Finding your target… – sensepost.com
  Network foot printing is, perhaps, the first active step in the reconnaissance phase of an external network security engagement. This phase is often highly automated with little human interaction as the techniques appear, at first glance, to be easily applied in a general fashion across a broad range of targets.

Vulnerabilities

• Google Chrome Hacked
• Pwn2Own 2012: Google Chrome browser sandbox first to fall – zdnet.com

  Exploit writers at VUPEN take special pleasure in attacking Google’s Chrome browser, using a pair of zero-day flaws to defeat the browser.

• CanSecWest Pwnium: Google Chrome hacked with sandbox bypass – zdnet.com

  The attack, which included a Chrome sandbox bypass, was the handiwork of Sergey Glazunov, a security researcher who regularly finds and reports Chrome.

• Chrome Finally Breached in Google’s $1 Million Hackathon- gizmodo.com

  Google recently offered up prizes totaling $1 million for those capable of exploiting its browser Chrome. Now, at Google’s own competition called Pwnium, a student has walked away with one of the top prizes, earning $60,000 by hacking a PC running Chrome.

• After the pwnage: Critical Google Chrome hole plugged in 24 hours – arstechnica.com

  Underscoring the nimbleness of Google’s patching cycle, Chrome developers fixed a complex series of bugs less than 24 hours after they were demoed at a hacker conference.

• Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest – wired.com

  A teenage hacker known as Pinkie Pie pokes a hole in Google’s Chrome browser, an unlikely winner who’s taking home $60K and a possible job at the search giant.

• How Google set a trap for Pwn2Own exploit team – zdnet.com

  Here’s the story of how a unique signature was used to figure out if exploit writers would take aim at the Flash Player plugin in Google Chrome

• Pwn2Own Hacking Contest
• Charlie Miller skipping Pwn2Own as new rules change hacking game – zdnet.com

  The annual Pwn2Own hacker contest kicks off today with new rules, controversy over disclosure and the absence of a regular participant.

• Pwn2Own 2012: IE 9 hacked with two 0day vulnerabilities – zdnet.com

  The code execution attack, which required no user action beyond browsing to a rigged web site, also works on Internet Explorer v10.

• How to Pwn the Pwn2Own Contest – wired.com

  Finding zero-day exploits to win a hacking contest can be really hard work these days. So sometimes the better strategy is just to game the game.

• The Ruby/GitHub hack: translated – erratasec.blogspot.com
  The underlying issue is an “Insecure Direct Object Reference”, #4 on the OWASP Top 10 list of most important web-application vulnerabilities. It means that that a hacker can change what’s in the website database without having permission.

Other News

• Uncle Sam: If It Ends in .Com, It’s Seizable – wired.com

  The U.S. government says it has the right to seize any .com, .net and .org domain name because the companies that have the contracts to administer them are based on United States soil, according to Nicole Navas, an Immigration and Customs Enforcement spokeswoman.

• Sabus sordid story detailed in FBI indictment – nakedsecurity.sophos.com

  Hector Xavier Monsegur may have portrayed the exploits of Anonymous and LulzSec as a glamorous fight against “the man”, but the dark criminal realities of their exploits were exposed in his indictment. It appears he wasn’t just in it for the lulz.

• Dropbox Abused by Spammers – symantec.com

  Recently we noticed spammers abusing Dropbox, a popular cloud-based, file-hosting and synchronization tool, to spread spam. Dropbox accounts have a public folder where files can be placed and made publicly available. This function is useful to spammers, as it effectively turns Dropbox into a free hosting site.

Resources

• A look at ASLR in Android Ice Cream Sandwich 4.0 – blog.duosecurity.com
  For the uninitiated, ASLR randomizes where various areas of memory (eg. stack, heap, libs, etc) are mapped in the address space of a process.
• The Ultimate OS X Hardening Guide Collection – isc.sans.edu
  Many security professionals tend to use OS X systems. Maybe for the nice and shiny looks, or the Unix under pinnings that make it a great platform to run current tools. However, the operating system itself isn’t exactly “secure out of the box” and like all operating systems can profit from some additional hardening tricks.
• White Hat Hacker Flowchart – dankaminsky.com
  A white hat hacker flowchart by Dan Kaminsky.

Tools

• DPScan: Drupal Security Scanner – github.com
  This small tool is public and accessible for our use. It may help other auditors or penetration testers do their job faster and gather more information.
• DNSChef – thesprawl.org
  DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka “Fake DNS”) is a tool used for application network traffic analysis among other uses.
• Sqlmap plugin for BurpSuite – blog.buguroo.com
  Today we present a free plugin, developed by me, so you can use the sqlmap from BurpSuite so really comfortable.
• SIPVicious 0.2.7 – code.google.com
  SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of four tools.
• Skipfish-2.04b – code.google.com
  Skipfish is a fully automated, active web application security reconnaissance tool.
• Social-Engineer Toolkit (SET) 3.0 released. – secmaniac.com
  Greetings all. I’m excited to release the 3.0 version of the Social-Engineer Toolkit (SET) Codename “#WeThrowBaseballs”.
• Metasploit 4.2 Released: IPv6, VMware, and Tons of Modules! – community.rapid7.com
  Since our last release in October, we’ve added 54 new exploits, 66 new auxiliary modules, 43 new post-exploitation modules, and 18 new payloads — that clocks in at just about 1.5 new modules per day since version 4.1.

Techniques

• Mobile App Permissions and Choice – pen-testing.sans.org
  Recently we’ve seen a flurry of news articles identifying a weakness in the Apple iOS architecture where application developers have unrestricted access to contact book entries on your iPhone, iTouch or iPad.
• Minimizing Vulnerabilities in Applications – Part 1 – resources.infosecinstitute.com
  During my 20+ year career, I have seen many coding virtuosos which had only one problem – they did not pay any attention to the security of their code.
• MindshaRE: a reversing tool – dvlabs.tippingpoint.com
  MindshaRE is our periodic look at some simple reverse engineering tips and tricks. The goal is to keep things small and discuss every day aspects of reversing. You can view previous entries by going through our blog history or querying a search engine for dvlabs mindshare.

Vulnerabilities

• iOS 5 Flaw Allows data access
• Paperclips pose security threat to iPhones – technolog.msnbc.msn.com
  Under the right — though easily arranged — circumstances, a simple paperclip could allow someone to circumvent your iPhone’s passcode and access your voicemail, contacts, recent call list, and other data.
• iOS 5 Flaw Allows Unfettered Access to User’s Contacts, Calls – threatpost.com
  A passcode flaw in Apple’s iOS 5 could allow unauthorized access to an iPhone user’s contacts list, recent calls, voicemail, text messages and more, according to a recent blog post from CultofMac.com.
• New Oracle ERP Vulnerabilities Unmasked – darkreading.com
  Design flaws could allow attackers to access, alter, or take over ERP systems — but will enterprises do anything about the vulnerabilities?

Other News

• Plesk control panel bug left FTC sites (and thousands more) exposed to Anons – arstechnica.com
  [needs validation]A critical vulnerability in Parallels’ Plesk Panel Web hosting administration tool left thousands of servers open to potential hijacking by hackers. And the recently hacked sites belonging to the Federal Trade Commission were among them, according to sources.
• Note to self: Encrypt data, memorize password – news.cnet.com
  In a case that serves as a reminder to: a) use encryption, and b) memorize the encryption pass-phrase, an appeals court has ruled that people have a constitutional right not to be forced to decrypt data that potentially includes evidence that could be used to prosecute them in court.

• Researchers Reveal How Attackers Can Track Cell Phone Locations – threatpost.com
  New research has found information leaked by cell towers can be used to determine your cell phone’s general location.
• Does The Cybersecurity Act Of 2012 Mark The Beginning Of The War On Cyber-terrorism? – forbes.com
  The Cybersecurity Act of 2012 is the latest effort by Congress to do something about the threat of cyber attacks and cyber crime.
• NIST, Maryland Plan New Cybersecurity Center – threatpost.com
  The US National Institute of Standards and Technology (NIST) announced plans Tuesday to break ground on a new center that will be committed to cybersecurity research.

• Who’s on…uh, at…FIRST? – windowsir.blogspot.com
  My employer is not a member of FIRST, but we were a sponsor, and we hosted the “Geek Bar”.
• La “Nuit Du Hack” in Paris – rootshell.be
  The event was split in two parts: a set of talks about security topics and, starting from midnight, a CTF contest.
• NovaInfosec Twits – novainfosecportal.com
  The Twitter account for the NovaInfosec Twits list is novainfosec.
• Hacking at Mach Speed! – trailofbits.com
  The first ever NYC SummerCon last weekend was a blast and everyone seemed to have a great time.
• Call for Papers: EC2ND’10 – honeyblog.org
  EC2ND 2010 specifically encourages submissions presenting work at an early stage with the intention to act as a discussion forum for innovative security research.
• Comments on Sharkfest Presentation Materials – taosecurity.blogspot.com
  This is the third year that CACE Technologies has organized this conference.

Resources:

• Conference on Cyber Conflict – Slides.. – thinkst.com
  The CCDCOE (Cooperative Cyber DefenceCentre of Excellence) held its Conference on Cyber Conflict in Tallinn, Estonia.
• The talks I’m looking forward to attending in Las Vegas – securityninja.co.uk
  We are getting closer to the annual geek pilgrimage to Las Vegas for the BlackHat, DEF CON and SecurityBSides conferences.
• SQL Injection Anywhere White Paper – docs.google.com
  An advanced SQL Injection exploitation technique, that allows the complete disclosure of information from (almost) any SQL Injection exposure.
• Public SSL Server Database / SSL Server Test – ssllabs.com
  Public SSL Server Database is an online service that enables you to look up the configuration of any public SSL web server.
• Live CD for Remote Incident Handling – sans.edu
  Bert Hayes is a security professional at the University of Texas.