Events Related:
- Presentation Materials from HITB Dubai available for Download – hitb.org
Presentation materials from the 4th annual Hack In The Box Security Conference are now available for download!
- Black Hat Europe 2010 Media Archives – blackhat.com
Presentations, video, papers and other media from this Barcelona event.
- Security BSides Boston on Flickr – flickr.com
Pictures of this security event.
Resources:
- OWASP Top 10 for 2010 – owasp.org
The Open Web Application Security Project (OWASP) today issued the final version of its new Top 10 list of application security risks.
- vSphere 4.0 Hardening Guide Released – vmware.com
This version incorporates the extensive feedback from the VMware community on the previous draft release.
- NIST on Protecting Personally Identifiable Information – schneier.com
Just published: Special Publication (SP) 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).”
- HITB Ezine – Issue #002 – hackinthebox.org
The people of Hack In the Box decided to make the ezine available for free in the continued spirit of HITB in “Keeping Knowledge Free”.
- Hakin9 Magazine now FREE in Digital Format – hakin9.org
All you need to do in order to get a new issue each month is subscribe to our newsletter.
Tools:
- Fuzzdb – code.google.com/p/fuzzdb/
A comprehensive set of fuzzing patterns for discovery and attack during highly targeted brute force testing of web applications.
- ReFrameworker v1.1 – appsec.co.il
ReFrameworker performs the required steps of runtime manipulation by tampering with the binaries containing the framework’s classes.
- Sandcat v4.0 – syhunt.com
Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.
- OWASP Code review Guide v2.7 – codecrawler.codeplex.com
A tool aimed at assisting code review practitioners.
- OpenSCAP v0.5.9 – open-scap.org
It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP.
- Xplico v0.5.6 – xplico.org
Xplico is an open source Network Forensic Analysis Tool (NFAT).
- Security Ninja security tool, more than a sneak preview! – securityninja.co.uk
This idea was inspired by the Application Security Portfolios blog post that Nick Coblentz published in 2009.
- Blazentoo – gdssecurity.com
Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers.
- Skipfish v1.33B – skipfish.googlecode.com
Skipfish is an active web application security reconnaissance tool.
- SIP Inspector – sites.google.com/site/sipinspectorsite/
SIP Inspector is a tool written in JAVA to simulate different SIP messages and scenarios.
- Aircrack-ng v1.1 – aircrack-ng.org
It implements the standard FMS attack along with some optimizations like KoreK attacks.
Techniques:
- PDF Ownage: It is getting ugly out there – intrepidusgroup.com
The current news is that the Zeus botnet is being used to push a malicious PDF that attempts to abuse /Launch actions.
- Stuffing Javascript into DNS names – skullsecurity.org
If you’ve installed nbtool, you may have noticed that, among other programs it comes with, one of them is called dnsxss.
- Metasploit Express posts
We will be introducing Metasploit Express, an easy to use security solution that is designed to bring penetration testing capabilities to security professionals everywhere.
  - Approaching Metasploit 3.4.0 and Metasploit Express – metasploit.com
  - Metasploit Express – metasploit.com
- Optimizing John the Ripper’s “Single” Mode for Dictionary Attacks – reusablesec.blogspot.com
I decided to optimize John the Ripper’s “Single” mode word mangling rules for use in normal dictionary based attacks.
- Near Real-Time Detection (NRT) – labs.snort.org
Today’s client side attack threats represent a boon for the attacker in ways to obfuscate, evade, and hide their attack methods.
- A New Detection Framework – vrt-sourcefire.blogspot.com
I worked on deep parsing and detection on PDF files and Patrick worked on ways to provide me the full file data.
- OWASP NYNJMetro – Pentesting Adobe Flex Applications – gdssecurity.com
I’ve uploaded my slides from the presentation I gave last week at the OWASP NYC Chapter on Pentesting Adobe Flex Applications.
- Black Hat Presentation: Abusing Adobe PDF Reader memory management – fortinet.com
The slides include a real-world case study, involving a “former-zero-day” vulnerability (CVE-2010-1241, previously CVE-2010-2000).
- Optimizing JtR’s Single Mode Follow Up – reusablesec.blogspot.com
One of my concerns though has always been over-training my password cracking techniques.
- Manual Verification of SSL/TLS Certificate Trust Chains using Openssl – sans.org
Firefox 3.6.3 (the latest available version) displayed a digital certificate error when accessing the ISC login page through SSL/TLS.
- Using Meterpreter to control netcat and third party exploits – pauldotcom.com
Metasploit has A LOT of exploits, but from time to time you will very likely need to use exploits that are not part of the framework.
Vulnerabilities:
- Security gone awry: IE 8 XSS filter exposes sites to XSS attacks – zdnet.com
The cross-site scripting filter on the Internet Explorer 8 browser can be abused by attackers to launch cross-site scripting attacks on websites that would otherwise be immune to this threat.
- McAfee security breach causes chaos for users
McAfee’s “DAT” file version 5958 is causing widespread problems with Windows XP SP3.
  - How to fix the McAfee SVCHOST crash from the virus definition update – brianseekford.com
  - McAfee DAT 5958 Update Issues – sans.org
  - How McAfee turned a Disaster Exercise Into a REAL Learning Experience… – sans.org
  - A Long Day at McAfee – mcafee.com
Vendor/Software Patches:
- PayPal Patches Critical Security Vulnerabilities – darknet.org.uk
A security researcher has uncovered multiple vulnerabilities affecting PayPal, the most critical of which could have enabled attackers to access PayPal’s business and premier reports back-end system.
Other News:
- WebOS hacked thru SMS
Security researchers have hacked into Palm’s new WebOS platform, using nothing more than text messages to exploit a slew of dangerous web app vulnerabilities.
  - Palm Pwned: Researchers Hack WebOS With Text Messages – threatpost.com
  - Palm’s WebOS hacked via SMS message – neowin.net
- Network Solutions mass hack attack revealed
Network Solutions’ security team is battling a mysterious attack that has silently infected a “huge” number of the websites it hosts with malicious code.
  - Network Solutions customers hit by mass hack attack – theregister.co.uk
  - corpadsinc.com redirecting Network Solutions customers again – stopmalvertising.com
  - Network Solutions sites hacked again – computerworld.com
  - We feel your pain and are working hard to fix this – networksolutions.com
  - Network Solutions Again Under Siege – krebsonsecurity.com
  - Network Solutions Cleaning Up After Second Round Of Attacks – darkreading.com
- Truth in Caller ID Act posts
The bill aims to prevent misrepresentation of the called-from number on voice calls through any channel.
  - House Passes Bill Outlawing Caller-ID Spoofing – ecommercetimes.com
  - Caller ID Spoofing Ban is Bad for Business – pcworld.com
- Follow up stories about the Google hack last December
The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December.
  - Cyberattack on Google Said to Hit Password System – nytimes.com
  - Google CEO: ‘We’re now paranoid’ about security – cnet.com
- Mozilla Disables Insecure Java Plugin in Firefox – krebsonsecurity.com
Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a Java security hole.
- Second-hand photocopiers might be carrying sensitive information on your company
Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.
  - Digital Photocopiers Loaded With Secrets – cbsnews.com
  - Health Insurer Notifies More Than 409,000 Of Potential Breach – darkreading.com
  - Stored images on photocopiers a security risk – h-online.com
- PasswordCard Hides Mentally Encrypted Passwords in Your Wallet – lifehacker.com
The PasswordCard itself is printed in color, and has different symbols heading each column, and a different color for each row.
- Gmail accounts hit by spammers
Google is investigating a growing number of reports that hackers are breaking into legitimate Gmail accounts and then using them to send spam messages.
  - Drug-dealing Spammers Hit Gmail Accounts – pcworld.com
  - Checking if your Gmail has been breached – google.com
- Dmitry Naskovets of CallService.biz, Meet the FBI – garwarner.blogspot.com
When the FBI designed to take over the management of the CallService.biz website, they did a little relocation first.
- Microsoft Recommends NoScript – hackademix.net
The technical core of this research is very worth reading, if you’re interested in XSS attack and defense techniques.
- Someone might be able to hack into your cellphone privacy
The first part of the operation involves getting a target’s cell phone number from a public database that links names to numbers for caller ID purposes.
  - Legal spying via the cell phone system – cnet.com
  - New Hack Pinpoints Cell Phone User’s Location, Personal And Business Relationships – darkreading.com
- Why Employees Break Security Policy (And What You Can Do About It) – darkreading.com
Companies that monitor network behavior say many employees still break rules in order to get their jobs done.
- Researcher Demonstrates How To Counterattack Against A Targeted Attack – darkreading.com
Proof-of-concept turns the tables on attackers who wage targeted attacks on enterprises.
- Hundreds of high profile sites unprotected from domain hijacking – zdnet.com
A MarkMonitor review shows that less than 10% of the top 300 most highly trafficked sites were protected using it.
- Local computer security expert investigates police practices – seattlepi.com
Rachner discovered through sleuthing that police had withheld video-recorded evidence in his case.
- Can America win a cyberwar – newsweek.com
The United States economy depends on the Internet more than any other developed country in the world.
- Blippy Reveals Credit Card Numbers On Google – gizmodo.com
It’s a huge, huge privacy concern, and if you have a Blippy account I’d recommend taking immediate action.
- HP researchers propose human-centric web app security tests – searchsecurity.techtarget.com.au
Two application security experts are working on a way to improve the testing of Web applications by incorporating application data flow maps.
- Microsoft pulls faulty patch, plans re-release – cnet.com
A patch for the hole, which could allow an attacker to take control of a system, was released during Patch Tuesday last week.
- Facebook hacker claims to be in NZ – nzherald.co.nz
A Russian hacker who says he is living in New Zealand attempted to sell the login details of millions of Facebook users.
- Peeking Into Users’ Web History – technologyreview.com
A team of European researchers found that they were able to hijack Google’s personalized search suggestions to reconstruct users’ Web search histories.
- Facebook checked out, 1.5 million accounts overdue for password changes? – eset.com
It remains to be seen if so many accounts have indeed been breached or if Kirllos the criminal hacker is perhaps running an audacious scam on fellow fraudsters.
- A New Law Could Change the Way You Build Database Applications – sqlmag.com
Massachusetts recently passed a sweeping new data security law that will have a profound impact on the way the United States manages and develops data-centric applications.