Resources:
- HITB eZine ‘Reloaded’ – Issue #001 – security-database.com
Hack in the Box releases a free ezine PDF.
- Threat Classification References Mapping Proposal – webappsec.pbworks.com
A table for classifying security threats.
- An excellent improvement to Adobe Reader security – msmvps.com
You can disable JavaScript and enable Enhanced Security in the latest Adobe Reader.
- Mapping between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25 – denimgroup.posterous.com
A table mapping and comparing the vulnerability classifications.
- Web Security: Are You Part of the Problem? – smashingmagazine.com
A primer on web security, the different attacks common on the net and how to defend against them.
Tools:
- BackTrack security live CD final release
BackTrack gets an update.
- BackTrack v4 Final Release – security-database.com
- back to basics – remote-exploit.org
- Kismet 2010 01 R1 – packetstormsecurity.org
Kismet is an 802.11 layer 2 wireless network sniffer.
- WebCruiser – web vulnerability scanner v1.00 released – security-database.com
A very simple to use web security scanner.
- Browser Fuzzer 3 – packetstormsecurity.org
A comprehensive web browser fuzzer that fuzzes CSS, DOM, HTML and JavaScript.
Techniques:
- Gone in 60 seconds – pauldotcom.com
Active Directory needs better permission controls to safeguard accounts.
- CSS History Knocker – samy.pl
A CSS history hack that checks which sites you have visited. Don’t worry, it’s safe.
- Top Ten Web Hacking Techniques of 2009 (Official) – jeremiahgrossman.blogspot.com
A ranked list of the best web hacking techniques of last year.
- A checklist approach to security code reviews, part 4 – securityninja.co.uk
This installment covers secure communications and error handling.
- Reproducing the “Aurora” IE Exploit – metasploit.com
A port of the exploit into Metasploit provides an intriguing exercise.
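What the CSS History Knocker does under the hood, as an added example (my code, not Samy's): a stylesheet gives visited links a distinctive colour, each URL to test is rendered as a hidden anchor, and getComputedStyle reads the colour back. The class name, colours and sample URLs are my own choices. Browsers have since closed this leak (Firefox 4 first, the others following) by reporting the unvisited style for :visited links, so the browser entry point only works as a historical demonstration; the decision logic is kept DOM-free so it can be run offline.

```javascript
// Added example, not Samy's code: the :visited history-sniffing technique
// behind the CSS History Knocker. Each URL to test becomes a hidden <a>, a
// stylesheet gives visited links a distinctive colour, and reading the
// computed colour back reveals which URLs are in the browser history.
// Browsers have since closed this leak by making getComputedStyle report
// the unvisited style, so treat the DOM part as a historical demonstration.
// Class name, colours and sample URLs are my own (assumptions, not Samy's).
'use strict';

const VISITED_COLOR = 'rgb(255, 0, 0)';   // colour the :visited rule assigns
const UNVISITED_COLOR = 'rgb(0, 0, 255)'; // colour the :link rule assigns

// Stylesheet injected into the page. Both states get an explicit colour so the
// comparison never depends on user-agent defaults.
const PROBE_CSS =
  `a.hk-probe:link { color: ${UNVISITED_COLOR}; }\n` +
  `a.hk-probe:visited { color: ${VISITED_COLOR}; }`;

// Constructed sample: URLs a knocker might test for.
const SAMPLE_URLS = [
  'https://bank.example/login',
  'https://mail.example/',
  'https://social.example/home',
];

// Escape a URL for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hidden probe anchors, one per URL; data-idx maps a link back to its URL.
function buildProbeMarkup(urls) {
  return urls
    .map((u, i) =>
      `<a class="hk-probe" data-idx="${i}" href="${escapeAttr(u)}" ` +
      'style="position:absolute;left:-9999px">x</a>')
    .join('');
}

// Core of the technique, kept free of DOM calls so it can be unit-tested:
// readColor(url) must return the computed colour of the probe link for url.
function sniffHistory(urls, readColor) {
  return urls.filter((u) => readColor(u) === VISITED_COLOR);
}

// Browser entry point: inject the stylesheet and probes, read each link's
// computed colour through getComputedStyle, then clean up.
function probeInBrowser(urls, doc = globalThis.document, win = globalThis) {
  const style = doc.createElement('style');
  style.textContent = PROBE_CSS;
  doc.head.appendChild(style);

  const holder = doc.createElement('div');
  holder.innerHTML = buildProbeMarkup(urls);
  doc.body.appendChild(holder);

  const colorOf = new Map();
  for (const a of holder.querySelectorAll('a.hk-probe')) {
    colorOf.set(urls[Number(a.dataset.idx)], win.getComputedStyle(a).color);
  }
  const visited = sniffHistory(urls, (u) => colorOf.get(u));

  holder.remove();
  style.remove();
  return visited;
}

// Offline simulation: a fake "history" stands in for the browser so the
// decision logic can be exercised without a DOM. Visited URLs read back as
// VISITED_COLOR, everything else as UNVISITED_COLOR.
function simulate(urls, visitedSet) {
  return sniffHistory(urls, (u) => (visitedSet.has(u) ? VISITED_COLOR : UNVISITED_COLOR));
}
```

In a page, `probeInBrowser(SAMPLE_URLS)` returns the subset of SAMPLE_URLS the browser admits having visited; on a current browser it returns an empty array for every input, which is exactly the mitigation at work.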
Vulnerabilities:
- Firm to Release Database & Web Server 0days – krebsonsecurity.com
A Russian research firm is set to release information on security holes in the Zeus and Sun web servers, MySQL, DB2 and more.
- Hidden admin access on D-Link routers – h-online.com
Some D-Link routers allow the “GetDeviceSettings” SOAP action to be executed without authentication.
- Internet Explorer Zero Day and Operation Aurora
News on the Internet Explorer vulnerability used in the attack that breached Google.
- Operation “Aurora” Hit Google, Others – mcafee.com
- New IE hole exploited in attacks on US firms – cnet.com
- More Details on “Operation Aurora” – avertlabs.com
- Google Hack Attack was Ultra Sophisticated, New Details Show – wired.com
- “Aurora” Exploit in Google Attack Now Public – mcafee.com
- Assessing risk of IE 0day vulnerability – technet.com
- Operation Aurora – Enabling DEP in IE – djtechnocrat.blogspot.com
Vendor/Software Patches:
- Pidgin update addresses emoticon vulnerability – h-online.com
The developers of this IM app have patched a flaw demonstrated at the last 26C3.
- Oracle patches released – isc.sans.org
This release covers Oracle Application Server and Oracle WebLogic Server, among others.
- Font vulnerability patched
A vulnerability in the Embedded OpenType (EOT) Font Engine could allow remote code execution.
- January 2010 Security Bulletin Release – technet.com
- MS10-001: Font file decompression vulnerability – technet.com
- Security update released for Adobe Reader and Acrobat – adobe.com
The update addresses critical security issues in Reader and Acrobat.
- Sun Java JRE 6 Update 18 Released – isc.sans.org
385 bugs are fixed in this release.
Other News:
- The FBI Wants To Know About Your IT Skills – slashdot.org
If you are part of InfraGard, the FBI wants to know more about your computer skills.
- Security Flaw Makes It Easy To Bypass Verizon Droid Screen Lock – techcrunch.com
It’s as easy as hitting the Back button when receiving a call.
- Android app steals bank login details – h-online.com
A malicious app distributed through the Android Market steals bank login details from the phones it is installed on.
- Should users worry about new cellular hack? – sfgate.com
How will the recent break of GSM encryption affect regular cellphone subscribers?
- Twitter hackers take down Baidu – slashdot.org
The Iranian Cyber Army strikes again, downing China’s number one search engine.
- Google leaving China behind
A bundle of news related to Google’s relationship with China.
- Google hackers targeted source code of more than 30 companies – wired.com
- Google.cn attack part of a broad spying effort – slashdot.org
- Keeping your data safe – googleenterprise.blogspot.com
- A new approach to China – googleblog.blogspot.com
- Kasumi A5/3 algorithm cracked
A related-key attack breaks KASUMI, the block cipher behind the A5/3 algorithm used in 3G networks. The attack needs related keys, which the 3G protocol does not hand an attacker, so it does not translate directly into a practical attack on deployed networks.
- UMTS encryption also dented – h-online.com
- Second 3G GSM cipher cracked – slashdot.org
- Adobe confirms ‘sophisticated, coordinated’ breach – zdnet.com
Adobe said its corporate network systems were breached by hackers.
- The Girl who Conned the Ivy League – rollingstone.com
How a high school dropout created the ultimate fake ID.
- L.A. Law Firm Reports Cyber Attack from China – laweekly.com
A law firm representing a company suing China reports an attack originating from that country.
- Airport access IDs hacked in Germany – slashdot.org
The cloned card allows unrestricted access in airports.