Week 45 in Review – 2010

Events Related:

  • HTML5 goodness at BlackHat Abu Dhabi this week – andlabs.org
    In addition to covering some of the interesting HTML5 attacks already released during 2010 by myself and other researchers, it has two new sections – HTML5 based port scanning and HTML5 Botnets.

Resources:

  • Google Hacking Database Reborn – exploit-db.com
    Johnny Long of Hackers for Charity started the Google Hacking Database (GHDB) to serve as a repository for search terms, called Google-Dorks, that expose sensitive information, vulnerabilities, passwords, and much more.
  • Sector 2010 Presentations Now Online – liquidmatrix.org
    The presentations from the Sector Security Conference 2010 are now online. Albeit the keynotes are still not up, but they should follow in short order.
  • How to Get Started With Malware Analysis – sans.org
    The process also allows security professionals to assess the scope, severity and repercussions of the incident, and may help the organization bring the parties responsible for the incident to justice.

Tools:

  • Blacksheep outs Firesheep users
    BlackSheep is a Firefox add-on which warns users if someone is using Firesheep on their network. It also indicates the IP address of the machine that is spying on you.
  • UPDATE: Plecost v0.2.2-9-beta! – pentestit.com
    WordPress finger printer tool, plecost searches and retrieves information about the plugins versions installed in WordPress systems.
  • ThreatFactor NSIA – threatfactor.com
    ThreatFactor NSIA is a website scanner that monitors websites in real-time in order to detect defacements, compliance violations, exploits, sensitive information disclosure and other issues.
  • Metasploit Framework 3.5.0 – Win32 respin – metasploit.com
    The new installer still contains everything you need to run msfgui, scan a network, and store the results for use with db_autopwn out of the box.
  • UPDATE: OWASPBWA v0.92rc1! – pentestit.com
    Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products.
  • UPDATE: Skipfish-1.70b! – pentestit.com
    Skipfish is a fully automated, active web application security reconnaissance tool.
  • Virtualization ASsessment TOolkit – nibblesec.org
    VASTO is a Virtualization ASsessment TOolkit, a collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions.
  • Wi-fEye: A Multi-Pronged Network Penetration Tester! – pentestit.com
    Wi-fEye can be considered as a GUI to almost all tools that we use daily. It is designed to be the ultimate point-and-shoot tool.

Techniques:

  • JAVA Malware evading decompilation – inreverse.net
    It seems that the bytecode of the above class is thwarting the decompilation in some way.
  • Java Exploits – sans.edu
    The recent Java JRE patch bundle released by Oracle contained a long list of security fixes, several of which for vulnerabilities that allow drive-by exploits.
  • Security hero – pyrit.wordpress.com
    Chester proposes to use WPA/WPA2-PSK with a universal, non-secret password; for example “free”.
  • SAP Application Server Security essentials: default passwords – dsecrg.blogspot.com
    So if you think that you are a great GRC Expert and trying to secure your SAP environment, trying to solve 5-dimensional cross-system SOD conflicts, there are some things you must do right now.
  • Searching for Sensitive Data Using URL Shorteners – rootshell.be
    So simple that such services can also be used by the bad guys to distribute malicious URLs in pseudo-safe addresses.
  • Where’s the 0x1337beef? – metasploit.com
    When working through the plethora of issues published in October’s patch-extravaganza, there was one particular vulnerability that I felt compelled to investigate.

Vulnerabilities:

  • CVE-2010-3654 Adobe Reader 0 day + CVE-2010-2883 Flash 10.1.102.64 + Reader 9.4.0.195 PDF Federal Benefits – contagiodump.blogspot.com
    CVE-2010-3654 Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

Other News:

  • Computer glitch takes out ATMs, online banking on a massive scale? – computerworld.com
    According to the Orange County Register, some customers of Bank of America and Wells Fargo were unable to access online banking.
  • Researchers Working Toward Processor-Specific Attacks – threatpost.com
    Now research out of France's Ecole Superiore d’Informatique, Electronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.
  • All-in-One Skimmers – krebsonsecurity.com
    The model displayed here is designed to work on specific Diebold ATMs, and can hold a battery charge for two to four days, depending on ambient temperature and the number of customers who pull money out of the hacked ATM.
  • Angry Birds Trojan – f-secure.com
    To demonstrate this, Jon had also uploaded several other applications to Marketplace: Fake Contact Stealer, Fake Location Tracker and Fake Toll Fraud. These would be launched by the Angry Birds trojan.
  • Fedora criticised for hacker tool ban – h-online.com
    In the end, the Fedora board decided against the tool to prevent potential legal claims against Fedora – even the sharing of hacker tools is an offence in some countries.
  • PGP Disk Encryption Bricks Upgraded Macs – threatpost.com
    Some Apple Mac users who rushed to upgrade their systems with the company’s latest security patch were left to scramble for help after a conflict with disk encryption software from PGP rendered the upgraded Macs un-bootable.
  • VERIS Community application launched – securityblog.verizonbusiness.com
    Last March, we publicly released the Verizon Enterprise Risk and Incident Sharing (VERIS) framework used to collect data for the DBIR series.
