Resources:
- Malware Dashboards
- The Usability of Passwords – mcafee.com
Take the time to read this and please pass it on to your friends. We all use passwords every day – and his solution is not difficult to use or remember.
- WASC WHID Bi-Annual Report for 2010 – tacticalwebappsec.blogspot.com
The Web Hacking Incident Database (WHID) is a project dedicated to maintaining a record of web application-related security incidents.
- Interview with a Mentee…Mentee X – infosecmentors.blogspot.com
I tried to choose individuals that have been paired up for at least two months and I also chose to keep the participants anonymous as I thought I’d receive more honest answers, both praise and critique of the program.
Tools:
- Hyenae 0.35-2 – sourceforge.net/projects/hyenae/
Hyenae is a highly flexible platform independent network packet generator.
- Nikto 2.1.3 available! – cirt.net
Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers.
- rpc-client – code.google.com/p/rpc-client/
The tool is designed to make, in command line, easily XML-RPC packet to a remote server and offering the possibility of being used in scripts for automation.
- TrueCrypt 7.0a released – h-online.com
According to the developers, TrueCrypt 7.0a is a maintenance release that includes a workaround for an issue in some custom, non-Microsoft storage device controller drivers.
- Released DllHijackAuditor v2 with New & Smart Interception Engine – securityxploded.com
DllHijackAuditor is the FREE tool to Audit against the DLL Hijacking Vulnerability for any Windows application.
- DVWA 1.0.7 is here! – ethicalhack3r.co.uk
After 9 months since the last release we are proud to present the all new Damn Vulnerable Web Application version 1.0.7.
- upSploit – Public Beta Release – webantix.net
The aim is for upSploit to become a service/framework that security researchers can depend on when disclosing vulnerabilities to vendors.
- Social-Engineer Toolkit 0.7 Codename “Swagger Wagon” and Online Tutorials – secmaniac.com
The new version of SET incorporates two brand new web attack vectors, slew of bug fixes, and two new Teensy attack based payloads.
- cvechecker 0.6 – cvechecker.sourceforge.net
Indeed, this is not a bullet-proof method and you will most likely have many false positives, yet it is still better than nothing, especially if you are running a distribution with little security coverage.
- Update on Upcoming Release of SpyDLLRemover & StreamArmor – securityxploded.com
With all these coming together, the expected release of SpyDllRemover 4.0 will be around the end of this month.
- Ncrack 0.3ALPHA release – seclists.org
The post-SoC Ncrack 0.3ALPHA release is finally ready! This summer brings you new cracking modules for two of the most ubiquitous and famous protocols out there
- HexInject – hexinject.sourceforge.net
HexInject is a very versatile packet injector and sniffer, that provides a command-line framework for raw network access.
- WinAPIOverride32 – jacquelin.potier.free.fr/winapioverride32
It tries to fill the gap between classical API monitoring software and debuggers.
Techniques:
- Everybody Loves REMnux – holisticinfosec.blogspot.com
A quick read of the SANS Forensics blog, courtesy of Gregory Pendergast, and you’ll get a feel for all the positive feedback for Lenny Zeltser’s REMnux.
- Integrity Levels and DLL Injection – didierstevens.com
For processes, this means that a process with low integrity level can’t open a handle with full access to a process with medium integrity level.
- Apple’s secret “wispr” request – erratasec.blogspot.com
There is more complexity to this feature than the simple HTTP request; there is probably a way to attack it.
- PDF XSS (CVE-2010-0190) – xs-sniper.com
PDFs support JavaScript from within the PDF. Unfortunately, the script executed from within the PDF will not have access to the browser’s DOM.
- Re-visiting JAVA De-serialization: It can’t get any simpler than this !! – andlabs.org
Many people that I spoke to recently said to me that modifying objects programmatically using the IRB shell in DSer would be difficult and it would require the penetration tester to have in-depth knowledge of the application’s source code.
- Directory traversal exploitation: no more problems with double quotes – itsecuritylab.eu
Alternatively short file names can be used (see above). But what if I would try to double-quote not the entire string but parts of it?
- Bossing with JBOSS – securepla.net
The main issue with JBoss is the fact that the JMX-Console, which is a web interface to MBeans, has a default configuration which is vulnerable.
- Vendor Response to Backdoor in Accton Switches Post – attackvector.org
I’m sure there are a lot of people who run Accton based switches that will find this information useful.
- Rapid Fire PSEXEC for Metasploit – room362.com
Exploit modules inside of metasploit don’t have the ability to run on multiple hosts with one swing of the bat. So I created some code to facilitate that
Vulnerabilities:
- New Adobe Acrobat/Reader flaw emerges
In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild.
- Adobe advises on new Reader and Acrobat vulnerability – sophos.com
- Attackers Exploiting New Acrobat/Reader Flaw – krebsonsecurity.com
- Return of the Unpublished Adobe Vulnerability – metasploit.com
- New Adobe PDF zero-day under attack – zdnet.com
- Adobe Exploit Bypasses ASLR and DEP, Drops Signed Malicious File – threatpost.com
- New Adobe 0day Demonstration – attackvector.org
- SQL Injection and XSS vulnerabilities in CubeCart version 4.3.3 – acunetix.com
In this blog post, we will look into the details of a number of security problems discovered by Acunetix WVS in CubeCart.
- New Email Worm Turns Back the Clock on Virus Attacks – threatpost.com
There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending malicious emails to all of the names in a user’s email address book.
- DLL hole now affects EXE files – h-online.com
In a security advisory for the recently updated Safari browser, security service provider ACROS explains the problem.
Vendor/Software Patches:
- As expected, MS offers new fix for DLL security hole
With the broad range of software impacted this vulnerability has the potential to wreak havoc within the enterprise and admins are encouraged to implement the workaround using the new Microsoft tool to afford the necessary risk mitigation.
Other News:
- NSA Director Says U.S. Has a Duty to Secure the Internet – threatpost.com
The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country’s top military cybersecurity official said Tuesday.
- Behind the scenes and inside workings of a CERT – net-security.org
This particular CERT differs from what you can find in most other countries, since it’s not government-backed and relies mainly on the good will of several security professionals.
- RBS WorldPay Hacker Gets Suspended Sentence for $9 Million Heist – wired.com
One of the masterminds behind the $9 million hack into RBS WorldPay received a six-year suspended sentence in Russia, according to local reports Wednesday.
- DHS Cybersecurity Watchdogs Miss Hundreds of Vulnerabilities on Their Own Network – wired.com
The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.
- Cybercriminals Creating 57,000 Fake Web Sites Every Week – securityweek.com
In a recent investigation, it was discovered that cybercriminals are creating 57,000 new “fake” websites each week looking to imitate and exploit approximately 375 high-profile brands.
- NSS Labs To Open Marketplace For Buying And Selling Exploits – darkreading.com
Exploit Hub is an iPhone App Store-style type marketplace that will provide researchers with a way to make money for the exploits they write for the open-source Metasploit pen-test framework.
- Guess What, You Don’t Own That Software You Bought – wired.com
A federal appeals court said Friday that software makers can use shrink-wrap and click-wrap licenses to forbid the transfer or resale of their wares, an apparent gutting of the so-called first-sale doctrine.
- Rogue employees sell passport data of World Cup fans – net-security.org
This serious breach of trust could have been avoided if FIFA had monitored – and secured – the access to football fans’ personal data by their staff, as well as the association’s files and databases.