Events Related:
- SOURCE Boston Re-Cap – tenablesecurity.com
The SOURCE conferences, founded by Stacy Thayer, are small in size but big on content.
Resources:
- Google’s cheesy web app course
Google has released a new online training course for Web application developers designed to teach them how to avoid common programming mistakes.
- Web Application Exploits and Defenses – jarlsberg.appspot.com
- Google Releases Web App Security Course – threatpost.com
- Didier Stevens on PDF Hacking and Security – threatpost.com
Dennis Fisher talks with Didier Stevens, the security researcher who developed the innovative method for using the /launch command in PDF readers to execute code on remote machines.
- My Best PCI DSS Presentation EVER! – chuvakin.blogspot.com
Addressing an audience of about 130 mostly University IT, IT security and finance (!) professionals in charge of their payment and PCI DSS programs was a fun challenge.
Tools:
- Netsparker Community Edition – “The Sparkler” – securityaegis.com
Netsparker announced today that it is releasing a community edition, lacking only a few features of the pro version.
- Wireshark 1.2.8, 1.0.13, and 1.3.5 Released – wireshark.org
The new versions pack in the usual security fixes and a fix for the DOCSIS and interface bugs.
- FUU v0.1 – code.google.com/p/fuu/
FUU (Faster Universal Unpacker) is a GUI Windows Tool with a set of tools (plugins) to help you to unpack, decompress and decrypt most of the programs packed with programs like UPX, ASPack, FSG, ACProtect, etc.
Techniques:
- Why Buffer Overflow Exploitation Took So Long to Mature, a two-part series
Executing code via a buffer overflow was published at least as early as 1972.
- Bad “Visual” PDF – pandasecurity.com
Last week a PDF document which downloaded malware fell into my hands.
- More with Metasploit and WebDAV – carnal0wnage.attackresearch.com
You’ll want to make sure you pay attention to the part about allowing your IUSR_WHATEVER account to have write access, or you can set up a Windows account to use authentication.
- Writing WIN32 Shellcode With a C-compiler – didierstevens.com
The advantage of my method is that you can debug your shellcode inside the Visual Studio IDE.
- Metasploit Lotus Domino Version Scanner – carnal0wnage.attackresearch.com
I pushed out the first of a few Lotus Domino modules I’ve been working on to the metasploit trunk last nite[sic].
- Wireshark and TShark: Decrypt Sample Capture File (by Joke Snelders) – lovemytool.com
In this article I will describe how you can decrypt packets in a sample capture file.
- 0day or not today: exploit in the wild – fortinet.com
In this post I will dissect a PDF document using this trick, indeed found in the wild.
- Android SSL Apps & Burp – cktricky.blogspot.com
The app refused to communicate with Burp because of the certificate mismatch error.
- “Identifying Load Balancers in Penetration Testing” – whitepaper – sans.org
Here is a good whitepaper on load balancers and how to deal with them while doing penetration testing.
- 0exploit Privilege Escalation – room362.com
This user has Read and Execute, but no Write access, and a very limited field of view to boot.
- Fuzzing and Exploit Development With Metasploit – Louisville Metasploit Class – nullthreat.net
We start with fuzzing and go through the basic steps of development.
- Generate an NTLM hash in 3 lines of Python… – secmaniac.com
While combing through the RFC, I found that writing this was extremely easy.
- Metasploit jboss deployment file repository exploit – carnal0wnage.attackresearch.com
MC pushed out a new exploit today.
Vendor/Software Patches:
- Foxit Reader update blocks new PDF attack tactic – computerworld.com
Adobe Reader rival adds ‘safe mode’ to stymie embedded-malware attacks.
- Security firm reveals Microsoft’s ‘silent’ patches – computerworld.com
Microsoft acknowledges fixing internally-found flaws without disclosing details.
Other News:
- United States Treasury Websites Hacked
The websites involved were bep.gov (Bureau of Engraving and Printing), bep.treas.gov and moneyfactory.gov.
- Treasury Website Hacked – avg.com
- Hacked US Treasury websites serve visitors malware – theregister.co.uk
- U.S. Treasury Website Hacked Using Exploit Kit – pandasecurity.com
- U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise – ddanchev.blogspot.com
- Malware Injection Campaign: A Retaliation? – eset.com
- Metasploit’s HD Moore from (almost) rags to (not quite) riches – networkworld.com
Metasploit might become an example of how a fully FOSS project grows up to turn a profit.
- Former Con Man Helps Feds Thwart Alleged ATM Hacking Spree – wired.com
A North Carolina grocery worker is being held on attempted computer hacking charges after inadvertently partnering with an undercover FBI agent in an alleged citywide ATM-reprogramming caper.
- Cybersecurity Act of 2010 is a bad bill – threatchaos.com
It is time for the security industry to take a close look at this $1.82 billion bill as it contains some pretty drastic measures that are going to be very disruptive, and I believe detrimental.
- Wi-Fi key-cracking kits sold in China mean free Internet – networkworld.com
Dodgy salesmen in China are making money from long-known weaknesses in a Wi-Fi encryption standard, by selling network key-cracking kits for the average user.
- Dangerous Malware Alert – Self-Hosted Sites Hack Update – Go Daddy Responds! – wpsecuritylock.com
We have had reports for not only WordPress installations, but Joomla, Pligg and “Simple Machines Forum” as well.
- Hacker Develops Multi-platform Rootkit for ATMs – yahoo.com
Security researcher Barnaby Jack plans to deliver the talk and disclose a new ATM rootkit at the computer security conference.
- The ABC’s of ACH Fraud – bankinfosecurity.com
It’d be foolish to think that ACH fraud will go away after a single symposium.
- Losing the desktop security battle
Many organizations, particularly in the financial services industry, have gotten to the point of assuming that their customers’ desktops are compromised.
- Ceding the desktop security battle, almost the war – jeremiahgrossman.blogspot.com
- Have We Lost the Desktop Security Battle? – threatpost.com
- Fun with ATM Skimmers, Part III – krebsonsecurity.com
According to the European ATM Security Team (EAST), a not-for-profit payment security organization, ATM crimes in Europe jumped 149 percent from 2007 to 2008.
- More news on the recent WordPress-related breach
We are seeing multiple reports today of WordPress sites (running their latest version) getting compromised.
- Breaking News: WordPress Hacked with Zettapetta on DreamHost – wpsecuritylock.com
- New attack today against WordPress – sucuri.net
- Simple cleanup solution for the latest WordPress hack – sucuri.net
- WordPress Hidden Link Injection Fix – ivonson.com
- Verizon Partners With U.S. Secret Service on Data Breach Report – threatpost.com
Verizon’s invaluable Data Breach Investigations Report will now include data from hundreds of computer crime cases investigated by the U.S. Secret Service, the company announced this week.
- Continuing attacks at Network Solutions? – sucuri.net
This morning we started to receive reports of a very similar kind of attack against sites on their shared servers.
- Your choice of programming language doesn’t matter, they are all insecure! – securityninja.co.uk
I believe that secure code is the product of a secure development process and real business commitment to deliver secure applications which includes developer education.
- Facebook Leaks IP Addresses – binint.com
You will get the IP address of your friend and clicking on it will get a geolocation-based map.