Week 44 in Review – 2010

Events Related:

• Getting Into Information Security Intelligence Gathering: A BlueHat v10 Retrospective from Speakers Ian Iftach Amit and Fyodor Yarochkin – technet.com
  Having a chance to share this kind of research and finding like-minded individuals who are busy working the same angles is a real treat, and one of the major quality assurance measures we should all factor into our work… scientists call it peer-review!
• Hack.lu: Why it’s all about building bridges – technet.com
  Where other conferences often provide day-long training sessions, Hack.lu chooses a different model by filling its first few days with short, incredibly potent workshops.
• B-Sides DE – securepla.net
  Just got back from B-Sides Delaware and it’s always good to see what other hackers are working on.

Resources:

• Slides from CSI 2010 Posted – gdssecurity.com
  For those of you that didn’t attend, I spoke about lessons learned, hints and tips we’ve utilized during a deployment of an enterprise code scanning program at a large financial services institution.
• Creating a Cyber Defense Team – threatchaos.com
  New threats and new measures to counter them call for a reorganization of IT security teams so that they can focus on defending the organization from targeted attacks.

Tools:

• w3af: 1.0-rc4 is ready for you to download! – sourceforge.net
  For the first time in the project’s life, we have a roadmap
  [0] , a prioritized backlog [1] and a structured development process we follow to deliver new features and fixing bugs.
• SSLTest: A SSL Security Testing Tool! – pentestit.com
  SSLTest is an open source Perl script that is based off another similar tool – Cryptonark.
• ZigBee ACL – digitalbond.com
  One bug with the fixed MAC address utility that occurs after approximately 20 association packets are sent is a ‘Semantical Error’.
• toolsmith: Confessor & Mole for IR & security analysis – holisticinfosec.blogspot.com
  We find these tools incredibly useful and are very pleased to be able to release them for public consumption as freely available and open source.
• NessusDB v1.0 Release – hammackj.com
  The report templates are very extendable and generate as PDF’s.
• The Social-Engineer Toolkit v1.0 “Devolution” Release – secmaniac.com
  This version adds several key components including new attack vectors, a web GUI interface, a way to automate SET behavior, and a slew of bug fixes.

Techniques:

• Adobe XML Injection Metasploit Module – carnal0wnage.attackresearch.com/
  So against a patched host or someone that has disabled the service in ColdFusion you’ll see one of two things; either 404’s for the checks or 200 for /flex2gateway/ and 500 for the http or https check.
• Attacking Cisco Router over TCL – sectechno.com
  When you first log to Cisco router you are in user EXEC mode (level 1) from this mode you can have just some information such as interfaces status, view routes in the routing table.
• Statistics Don’t Lie… Or Do They? – tllod.com
  What particularly stands out about the EFTPS exploit toolkit is their admin interface.

Vulnerabilities:

• Heads up… 0-day in an exploit kit – avg.com
  It’s fairly well known (well, well-known if you’re a security geek) that CVE-2010-3962 is in the Wild, but over the last couple of days, we’ve begun detecting it in the Eleonore Exploit Kit.

Vendor/Software Patches:

• Flash Update Plugs 18 Security Holes – krebsonsecurity.com
  The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner.

Other News:

• Read ‘Em All: Pentagon’s 193 Mind-Numbing Cybersecurity Regs – wired.com
  Developed by the DASD CIIA (that’s the Deputy Assistant Secretary of Defense for Cyber, Identity & Information Assurance), the goal of the chart is to “capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware, in a helpful organizational scheme.”
• Online services security report card – digitalsociety.org
  Even though the vulnerability and easy exploitation online services have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years.
• More Firesheep news
  Some discussions on the ethics, underlying exploits and legality of the recent Firefox add-on
  • Firesheep, a week later: Ethics and Legality – codebutler.com
  • Understanding Firesheep Attack – michael-coates.blogspot.com
  • Spotting Websites Vulnerable to Firesheep – michael-coates.blogspot.com
• Metasploit and SCADA exploits: dawn of a new era? – zdnet.com
  Often, there is no security point-of-contact at the vendor.  Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.
• Gaping holes in Bank Apps found, plugged
  The central problem is that the apps, which run on Apple Inc.’s iPhone and Android-based devices from Google Inc., are storing a user’s information in the memory of a cellphone, a basic lapse that the security researcher who found the flaws said could allow a cybercriminal to access a person’s financial accounts.
  • Banks Rush to Fix Security Flaws in Wireless Apps – wsj.com
  • Firm finds security holes in mobile bank apps – cnet.com