Week 21 in Review – 2010

Events Related:

• Defcon 18 CTF News
  • CTF Defcon 18 PreQuals: writeups (Solutions) – pentester.es
  • DEFCON 18 Quals: writeups collection – vnsecurity.net
  • Defcon CTF Qualifiers – redspin.com
  • Defcon 18 CTF quals writeup: Pursuit Trivial 200 – bernardodamele.blogspot.com
  • Defcon 18 CTF quals writeup: Packet Madness 200 – bernardodamele.blogspot.com
  • Defcon 18 CTF quals writeup: Pwtent Pwnables 200 – bernardodamele.blogspot.com
  • Defcon 18 CTF Writeup – Binary L33tness 500 – lollersk8ers.fatihkilic.de
  • Not Too Late To Learn From Defcon CTF Qualifiers – darkreading.com
• W2SP 2010: Web 2.0 Security and Privacy 2010 – w2spconf.com
  The goal of this one day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web 2.0 security and privacy issues, and establishing new collaborations in these areas.

Resources:

• Tips On Choosing Which Vulnerabilities to Test – icsalabs.com
  Based on our experience, below are five of the most important tips when it comes to choosing vulnerabilities.
• Wiping & Protecting Data from SSD/Flash Drives – rootshell.be
  As you probably already know, deleting a file using the standard system call is not enough from a security point of view.
• Smart Application Security Score Card – coffeeandsecurity.com
  There are several instances where application stakeholders struggle hard to identify necessary security SDLC activities for their applications and products.
• Browser Vulnerability Timeline – browserstats.appspot.com
  The timeline shows the percentage of users who have at least one unpatched critical-severity vulnerability (or at least one unpatched high-severity vulnerability) on an average day.
• Browserscope – browserscope.org
  The goals are to foster innovation by tracking browser functionality and to be a resource for web developers.

Tools:

• Karma – digininja.org
  Karma is a set of patches to access point software to get it to respond to probe requests not just for itself but for any ESSID requested.
• Ragweed – github.com/tduehr/ragweed
  Ragweed is a set of scriptable debugging tools written mostly in native ruby.
• CERT Basic Fuzzing Framework – cert.org
  Today we are releasing a simplified version of automated dumb fuzzing, called the Basic Fuzzing Framework (BFF).

Techniques:

• Fuzzing with Peach – The Peach Pit – nullthreat.net
  The peach pit is an XML files that lays out the protocol we are going to fuzz.
• Analysis on the carders.cc hacking
  Some wily hackers are gleaning more info on the notorious illiegal card swapping forum break in
  • Carders.cc Hacked – Initial Analysis of IP addresses – reusablesec.blogspot.com
  • Carders.cc – Analysis of Password Cracking Techniques – Part 2– reusablesec.blogspot.com
  • Fraudsters e-mail addresses : carders.cc case – bl0g.cedricpernet.net
• Revisiting the Eleonore Exploit Kit – krebsonsecurity.com
  Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software.
• Invasion of Privacy. The Sequel. – attackvector.org
  I’m using this post as a way to open peoples eyes about the seriousness of overlooking little things that could, in the right hands and a twisted mind, be used in deviant ways.
• Ruby For Pentesters – The Dark Side I: Ragweed – matasano.com
  And yes, Ragweed is now available as a gem through github.
• Download ARTeam Tutorials! – accessroot.com
  This a tutorial which explains how to reverse Android OS applications.
• Stealing A Photo From A Remote Webcam – nullpointer.dk
  This is another demonstration of the use of Metasploit like I did in my previous article Exploiting SMB on Windows.
• Corporate Information Discovery
  [Part 2] – attackvector.org
  I’ll be using console tools, but there are many websites that will provide this information as well.
• Auditing Proprietary Protocols in Control Systems – digitalbond.com
  Generally, these protocols aren’t on the “front lines”, they’re going to be behind at least a couple of firewalls, probably a DMZ.
• JNLP/JAR Hacking – infointox.net
  Now since we can decompile Java this leaves room for attacks similar to the old fashion flash game cheating.
• OpenBTS on Droid – tombom.co.uk
  The quick version: I can provide voice and SMS connectivity to local GSM handsets using nothing but a Droid and a USRP.
• Enumerating email addresses using search engines (the return!) – attackvector.org
  About a month ago I wrote a post going over some code that I wrote that basically went out and grabbed email addresses after doing search queries.
• State of the art in CRiMEPACK Exploit Pack – ef.kaffenews.com
  CRiMEPACK exploit pack is a widespread and accepted in the crime scene in this area came under the slogan “Highest Lowest rates for the price“.
• Capturing SMB Files with Wireshark – taddong.com
  While the authentication can be performed in a secure way, the information flow between the server and consumer is usually not encrypted, as it happens with the default SMB configuration.
• Injecting A Vnc Server Into A Remote Computer – nullpointer.dk
  We will deploy a VNC server on the remote machine and establish a reverse tcp tunnel back to our machine.
• Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code – ucsb.edu
  Our approach combines anomaly detection with emulation to automatically identify malicious JavaScript code and to support its analysis.

Other News:

• First cyber warfare general appointed
  The US military has appointed its first senior general to direct cyber warfare – despite fears that the move marks another stage in the militarisation of cyberspace.
  • US appoints first cyber warfare general – guardian.co.uk
  • U.S. CyberCom launches with first commander – cnet.com
• All about Tabjacking
  As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple.
  • Devious New Phishing Tactic Targets Tabs – krebsonsecurity.com
  • Interesting Phishing Concept Tabjacking – ghacks.net
  • How to foil Web browser ‘tabnapping’ – computerworld.com
• A reminder that CSRF affects more than websites – cgisecurity.com
  The interesting thing here is that since CSRF tokens are not available in FTP, the developers were forced to remove functionality in order to mitigate this.
• AMEX breaks PCI control: Encrypt transmission of cardholder data across open, public networks – securityexe.com
  AMEX is one of the five companies that founded the PCI organization and is asking all merchants accepting AMEX to follow these guidelines.
• Anti-Clickjacking Defenses ‘Busted’ In Top Websites – darkreading.com
  New research easily bypasses popular frame-busting technique.
• iPhone data access pwned by Linux
  Even with a PIN on a locked iPhone, connecting it to an Ubuntu gives easy read access to the phone’s data. Uh oh.
  • iPhone vulnerability leaves your data wide open, even when using a PIN – engadget.com
  • Ubuntu Lucid Lynx 10.04 can read your iPhone’s secrets – zdnet.com
• How Fraudsters Make Fake Credit Cards – consumerist.com
  Detective Bob Watts of Newport Beach Police Department shows how crooks take your credit card numbers they steal off the internet and turn blank plastic into a faux credit card.
• Pentagon: Let Us Secure Your Network or Face the ‘Wild Wild West’ Internet Alone – wired.com
  Defense Deputy Secretary William Lynn III said we need to think imaginatively about how to use the National Security Agency’s Einstein monitoring systems on critical private-sector networks.