Events Related:
- HacKid Conferences: A Very Cool Thing – infosecramblings.com
The idea really revolves around providing an interactive, hands-on experience for kids and their parents.
- Black Hat Europe 2010 – blackhat.com
Many Black Hat talks are available in audio and video formats.
- LEET ’10 Media – usenix.org
Session papers are available to workshop registrants immediately and to everyone beginning April 27, 2010.
- Source Boston 2010 Conference Notes – chuvakin.blogspot.com
Here is my delayed account of the awesomeness of Source Boston 2010.
- Cyber Security Challenge – cybersecuritychallenge.org.uk
The Challenge is just being set up and we are not ready yet for candidates to register for competitions.
- Allison Miller – Protecting Customers from Online Threats – sourceboston2010.blip.tv
A presentation from PayPal’s head of Global Risk Management
Resources:
- About the Microsoft Security Intelligence Report
This report provides an in-depth perspective on malicious and potentially unwanted software, software exploits, security breaches and software vulnerabilities (both in Microsoft software and in third-party software).
- Password DB – cirt.net/passwords
Updates to this online tool include an RSS feed, a new OSVDB field and more.
- Penetration Testing in the Real World – offensive-security.com
It’s a quick reconstruction of a Security Audit we performed over a year ago, replicated in our labs.
- HITB eZine Issue 002 out now – hackinthebox.org
The second quarterly HITB eZine (issue 002) has been released.
- Hakin9 May 2010 issue – hakin9.org
Inside are threat modeling basics, tool reviews and an interview with Ferruh Mavituna among others.
- Book Review: The Art of Assembly Language, 2nd Edition – hexblog.com
In his book, Randall introduces the reader to the HLA (High Level Assembler) compiler which will be used as a tool to learn the x86 assembly language.
- Web Vulnerability Scanner Comparison, Continued – cenzic.com
Follow-on to the Larry Suto web vulnerability scanner comparison
- SKIPFISH Review – stateofsecurity.com
It’s certainly not going to replace any of the other tools in our Web Application Assessment toolkit, but it is a good supplement.
Tools:
- FOCA v2.0.1 – informatica64.com
FOCA 2 has a new algorithm which tries to discover as much info related to network infrastructure as possible.
- Joedoc – joedoc.org
Joedoc is a novel automated runtime system for detecting exploits in applications running on end-user systems.
- Bruter v1.0 – sourceforge.net/projects/worawita
Bruter is a parallel network login brute-forcer on Win32. This tool is intended to demonstrate the importance of choosing strong passwords.
- Nessus Parsing Tools v1.3.1 – westcoasthackers.net
A set of tools for parsing the results of a report.
- WhatWeb v0.4.2 – morningstarsecurity.com
Identifying content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers and more.
- PDFiD v0.0.11 – didierstevens.com
I release a new PDFiD version to detect (and disarm) the /Launch action.
- Bluebear: Exploring Privacy Threats in BitTorrent – www-sop.inria.fr
The goal of this project is to explore the severity of the privacy threats faced by BitTorrent users.
- OpenDLP v0.1 – code.google.com/p/opendlp/
OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL.
- DAVTest: Quickly Test & Exploit WebDAV Servers – sunera.com
When facing off against a WebDAV enabled server during a penetration test, there are two main things to find out: can you upload files, and if so, can you upload executable files?
- Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10 – irongeek.com
What I’m attempting to do with Mutillidae is implement the OWASP Top 10 in PHP, and do it in such a way that it is easy to demonstrate common attacks to others.
Techniques:
- Using grep to find 0days – bonsai-sec.com
Simple but effective “grep dorks” can discover dirty pieces of code in, for example, PHP open source software.
- A new place to hide web-based malware: php.ini + cgi-bin – sucuri.net
So if you ever have to clean a hacked web site, don’t forget to check the cgi-bin directory and the php.ini file.
- Remote Downloader ActiveX: old exploits, new malware – zscaler.com
I recently stumbled upon a page using no fewer than 8 different ActiveX exploits on the same page.
- Hacking Your Bank – snosoft.blogspot.com
The goal of the penetration test was to penetrate into the bank’s IT Infrastructure and see how far we could get without detection.
- Arbitrary Code Execution on Examiner Systems via File Format Vulnerabilities – sans.org
The specific vulnerability in question appeared to actually exist in the Outside-In component, and was not triggered until the malicious file was actually viewed inside EnCase or FTK.
- Blocking automated SQL injection attacks – msdn.com
SQL injection attacks have been on the rise in the last two years, mainly because of automated tools.
- Using a PDF file as a downloader – sunbeltblog.blogspot.com
It uses a script in a PDF file to install a back door that starts up whenever Internet Explorer is launched.
- Android Emulator & BurpSuite – cktricky.blogspot.com
I just wanted to give some instructions on using BurpSuite when attempting to proxy traffic coming from the Android Emulator.
- Who needs exploits when you have social engineering? – sans.org
For last couple of years we have been all witnessing a huge rise in number of social engineering attacks.
- Good Bye Critical Jboss 0day – mindedsecurity.com
The impact of a security bypass vulnerability depends, from a technical perspective, on what you could be able to do when you are authenticated.
- Kernel debugging with IDA Pro / Windbg plugin and VirtualKd – hexblog.com
The other day we received an email support question asking if IDA Pro / Windbg debugger plugin works with VirtualKd.
- Remotely Attacking Network Cards (or why we do need VT-d and TXT) – theinvisiblethings.blogspot.com
They’re exploiting a buffer overflow in the network card’s firmware by sending malicious packets to the card, and then they gain full control over the card’s firmware.
- Penetration: from Application down to OS. – descrg.com
This whitepaper continues a series of publications describing various ways of obtaining access to the server operating system, using vulnerabilities in popular business applications which meet in the corporate environment.
Vulnerabilities:
- Microsoft SharePoint Server 2007 XSS vuln
Microsoft’s security response team has confirmed the existence of a serious cross-site scripting (XSS) vulnerability in the Microsoft SharePoint Server 2007 product.
  - Serious XSS flaw haunts Microsoft SharePoint – zdnet.com
  - XSS in Microsoft SharePoint Server 2007 – htbridge.ch
Other News:
- FISMA / SP800-53 is not Utopia? – digitalbond.com
There has been a drumbeat from some big voices in the community, that is now echoed by some in Congress, that we all should use NIST’s SP800-53.
- FBI, DoJ suit-up 35 new agents; lawyers for intellectual property battle – networkworld.com
The 15 new AUSA’s will work closely with the Criminal Division’s Computer Crime and Intellectual Property Section to aggressively pursue high tech crime, including computer crime and intellectual property offenses.
- GoDaddy hacked yet again
This hack appears to redirect visitors upon arrival from Google and attempts to install malware on their computers.
  - Warning! Massive Number of Godaddy WordPress Blogs Hacked This Weekend – blogcastfm.com
  - Second round of GoDaddy sites hacked – sucuri.net
- Punishing Security Breaches – schneier.com
Apple’s unfortunately public security breach has given the company an opportunity to examine its policies.
- Researchers Hijack Cell Phone Data, GSM Locations – threatpost.com
A pair of security researchers has discovered a number of new attack vectors that give them the ability to not only locate any GSM mobile handset anywhere in the world.
- FBI Cyber Division Warns About Social Networking – eset.com
With specialization, fraudsters no longer have to mass-deploy their schemes, but can instead focus on spear phishing specific high-level targets with administrator level or payroll system access.
- EFF Lawyer: Seizure of Gizmodo Editor’s Computers Violates State and Federal Law – laptopmag.com
California law includes exceptions for journalists who are in receipt of information from sources.
- apache.org incident report for 04/09/2010 – apache.org
If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised.
- S.F. Admin Guilty of Hijacking City Passwords – wired.com
After a six-month trial, a San Francisco city admin was found guilty Tuesday of a sole felony count of hijacking the city’s computer system.
- WordPress sites hacked, again! – zscaler.com
A big web hosting company was the target of a massive attack of hosted WordPress sites.
- Symantec acquires PGP, GuardianEdge for encryption, key management – searchsecurity.techtarget.com
Symantec Corp. is entering the encryption market, acquiring encryption giant PGP Corp., and GuardianEdge Technologies Inc., in a $370 million deal.
- Don Bailey and Nick DePetrillo on GSM Hacking and Privacy – threatpost.com
Dennis Fisher talks about their recent work on geolocation and tracking of GSM mobile handsets and the privacy and security implications for users.
- A Rise in Java Vulnerabilities – symantec.com
Trends from the past few years indicate that not only have there been numerous vulnerabilities in Java, but over the years the number of issues affecting Java has been on the rise.
- US Air Force phishing test transforms into a problem – networkworld.com
Security testers at the Guam Air Force base’s 36th Communications Squadron had to send out a clarification notice on Monday after an in-house test of how airmen would respond to a phishing e-mail worked out a little too well.
- NSA on Computer Network Attack & Defense – krebsonsecurity.com
The 605-page PDF document reads like a listing of the pros and cons for a huge array of defensive and counterintelligence approaches and technologies that an entity might adopt in defending its networks.
- Bittorrent over Tor isn’t a good idea – torproject.org
We’ve been saying for years not to run Bittorrent over Tor, because the Tor network can’t handle the load.
- Court OKs Unmasking Identities of Copyright Scofflaws – wired.com
A federal appeals court is blessing the legal process by which the recording industry and other content owners unmask the identities of alleged peer-to-peer copyright infringers.
- False Start for Cyber Security Challenge? – netcraft.com
A cross-site scripting vulnerability has been uncovered on the Cyber Security Challenge UK website, before the site has even been made ready for candidates to register.