Events Related:
- EnergySec Summit Recap – digitalbond.com
The “Intersection of Security and Compliance” conference theme turned out to be largely an indictment of NERC CIP.
- What I learned at Brucon 2010 – pauldotcom.com
Bottom line: Brucon was awesome! And now my “trademark” post on what I learned (with lots of pictures)
- BruCon 2010 Training & Conference Wrap-up – tenablesecurity.com
It’s a decent sized conference of about 300 people total, including speakers and attendees. Everyone at the conference was extremely nice and very hospitable.
- Sangria, tapas and hackers: SOURCE Barcelona 2010 – net-security.org
Apart from the one in Barcelona, there are two more affiliated SOURCE conferences that will be held throughout the year: the “original” one in Boston and the one they will be premiering mid June next year in Seattle.
Resources:
- Free Malicious PDF Analysis E-book – didierstevens.com
This is a document I shared with my Brucon workshop attendees.
- BruCON 2010 slides, podcasts and other coverage – brucon.org
We will publish the remaining slides as soon as we can. Of course, it’s much more interesting to see the videos.
- Transferring files on isolated remote desktop environments Turbo Talk – hexale.blogspot.com
The slides for the turbo talk “Transferring files on isolated remote desktop environments” I presented at Ekoparty are up for download here.
- eEye Zero-Day Tracker: Your Vulnerability Watchlist – eeye.com
The tracker catalogs the latest Zero-Day vulnerabilities and provides detailed analysis of each, including affected software, severity level, potential impact, and mitigation and protection procedures.
- [BruCON] GSM security: fact and fiction – c22.cc
Even if 2 cellphones are on the same BTS, calls are routed all the way up to the MSC and back down. This is due to billing and legal wiretaps.
- [BruCON] Top 5 ways to destroy a company – c22.cc
Step 1: Your opinion doesn’t matter (unless you’re one of the execs that really are in the know).
- Virus Bulletin 2010 papers – eset.com
By kind permission of Virus Bulletin, we’ve already put two of the papers written or co-authored by ESET researchers up on the White Papers page.
- AppSec USA 2010’s videos – vimeo.com
All the videos we have on the AppSec USA presentations
Tools:
- HackAri – HackBar for Safari – 0x0lab.org
It is not exactly the same as HackBar, and it has a lot of limitations compared to it (e.g. you cannot resize the request, post data panels).
- FireMaster: The Firefox Master Password Recovery Tool! – pentestit.com
According to the author, FireMaster is the first ever built tool to recover the lost master password of Firefox.
- UA-Tester 1.0 released: Now with 38% more pimp! – c22.cc
After a few months of playing around with the UA-Tester Alpha release, I’ve finally got the code to a point where I’m happy enough to do a 1.0 release… UA-Tester 1.0, codename Purple Pimp!
- New Version of PadBuster Available for Download – gdssecurity.com
Today we have released version 0.2, which includes some bug fixes and a few enhancements.
- inspathx – code.google.com/p/inspathx/
A tool that uses local source tree to make requests to the url and search for path inclusion error messages.
- JBroFuzz – sourceforge.net/projects/jbrofuzz/
The OWASP JBroFuzz Project is a web application fuzzer for requests being made over HTTP and/or HTTPS.
- Web Security Dojo v1.0 – sourceforge.net/projects/websecuritydojo/
A preconfigured, stand-alone training environment for Web Application Security. Virtualbox and VMware versions for download.
- exploit.co.il Vulnerable Web App – sourceforge.net/projects/exploitcoilvuln/
exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques.
- On Free Log Management Tools – chuvakin.blogspot.com
The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident.
- Tools Released at DEF CON – defcon.org
This page is a repository for the great and innovative tools that have accompanied DEF CON talks over the years.
- cvechecker 1.0 – cvechecker.sourceforge.net
The tool however needs your help as well. The most work is to tell cvechecker how to detect which software is installed and what version.
- dirtyJOE – dirty-joe.com
dirtyJOE – Java Overall Editor is a complex editor and viewer for compiled java binaries (.class files).
- THC-Hydra – thc.org
Good news: hydra is now maintained again by me! (as of June 2010), and is now under GPLv3!
- tit – code.google.com/p/tit/
“TCP Input Text” implements the Google SOAP Search API to extract TCP Ports and Fully Qualified Domain Names (FQDN) from Google Search Results into a .csv file and individual shell scripts for nmap and nc aka netcat.
- Ostinato – code.google.com/p/ostinato/
It aims to be “Wireshark in Reverse” and thus become complementary to Wireshark.
Techniques:
- Turning the Tables – Part I – xs-sniper.com
Boom… I’ve just taken over a Zeus C&C. I fire up a second, clean VM just to verify… yup it works.
- Vulnerability Assessment Testing Automation and Reporting Part III – sans.edu
The nessus parse script has been updated as a number of people have recommended changes or improvements.
- String Replace JavaScript Bad Design – thespanner.co.uk
After using JavaScript for a while one of the worst parts I found was the String.replace function.
- Web Application Penetration Testing – Part 4 – pauldotcom.com
Many people are under the impression that this TRUE or FALSE questioning technique is the only way to extract data from a site that has a “Blind” SQL injection vulnerability.
- A Padding Oracle Attack Implemented In Javascript – ampliasecurity.com
You have probably seen or at least heard about the amazing work done by Juliano Rizzo and Thai Duong where they use decryption oracles against different web applications in many different ways.
- Decompiling Android Apps: undx, dex2jar, and smali – intrepidusgroup.com
If you have ever needed to know what a Java application is really doing, you have probably played around with a Java decompiler at some point.
- Android App Decompilation Bake-Off – intrepidusgroup.com
Let’s take a look at the Open Source WordPress application for Android. Here is the actual source code for the signup class.
- Fuzzing for RFI with Burp Intruder – n00blet 0×01 – l1pht.com
started tossing the idea of discovering remote file inclusion bugs and generating a list (read, scripting op) of decent fuzz values for playing with.
- Smartphone Forensics: Cracking BlackBerry Backup Passwords – crackpassword.com
First, not only brute-force attack is available: the dictionary attack (our favorite, especially when used with permutations) is there as well.
- “Hot Video” pages: analysis of an hijacked site (Part III) – zscaler.com
While doing the analysis, I identified other hijacked domains and found additional scripts used to create the “Hot Video” pages.
- CSAW Exploit 3 Write-up – FreeBSD local root – stalkr.net
We can try to use @kingcope’s freebsd sendfile cache local root. Sadly it does not work out of the box because we do not have /tmp writable: we have to customize a bit the shellcode to use a different one.
- UTL_FILE in PL/SQL – I/O, I/O, it’s off to work we go – mikesmithers.wordpress.com
Back in the mists of time, when Broadband was a way of describing a group of fat blokes with guitars, PL/SQL blinked its way into the world.
- Taking control of a JSP environment – net-ninja.net
Recently I conducted two pentests in which I was faced with a JSP environment. Unfortunately, during the first pentest I had a lack of decent JSP webshell.
Vulnerabilities:
- Malware Running On Graphics Cards – slashdot.org
Given the great potential of general-purpose computing on graphics processors, it is only natural to expect that malware authors will attempt to tap the powerful features of modern GPUs to their benefit.
Vendor/Software Patches:
- ASP.NET vuln patched
Microsoft today issued an emergency patch for a vulnerability in its ASP.Net framework that could be used to read or tamper with data on a Web site.
- Out of Band Release to Address Microsoft Security Advisory 2416728 – technet.com
- Microsoft Security Bulletin MS10-070 – Important – microsoft.com
- Microsoft fixes ASP.Net hole used in attacks – cnet.com
- Microsoft to Release Emergency Patch For ASP.NET Bug – threatpost.com
- MS10-070 OOB Patch for ASP.NET vulnerability – sans.edu
- New Attack Against ASP.NET – schneier.com
Other News:
- Stuxnet: The Final Chatter (Hopefully)
- stuxnet revisited – anti-virus-rants.blogspot.com
- Stuxnet Analysis Backs Iran-Israel Connection – slashdot.org
- New Nessus Feature: Public Exploit Availability – tenablesecurity.com
Nessus checks select sources for the presence of an exploit and updates this field accordingly. I purposely chose a “Medium” level vulnerability for this example, as exploits do not only have to be associated with “High” level alerts.
- The HacKid Technology Conference For Kids & Their Parents… – rationalsurvivability.com
The gist of the idea for HacKid (sounds like “hacked,” get it?) came about when I took my three daughters aged 6, 9 and 14 along with me to the Source Security conference in Boston.
- [BruCON] Top 5 ways to destroy a company – c22.cc