Events Related:
- OWASP BeNeLux Day 2010 Wrap Up – rootshell.be
Yesterday, the three OWASP Benelux chapters organized together their annual OWASP BeNeLux day.
- Ok folks, secwest11@cansecwest.com is live and the countdown timer goes to December 29th for entries to CanSecWest 2011 Call For Papers – twitter.com, @dragosr
- BayThreat was awesome, do it again! – mckeay.net
Which is why smaller, local events like BayThreat, DojoCon and BSides are becoming so important to security professionals around the globe; the ability to go to a small, local event far outstrips the cost to value ratio of any of the big cons and it’s so much easier to actually see the speakers you want to see.
Resources:
- Course Review: Cracking the Perimeter by Offensive Security – ethicalhacker.net
Building on material in the earlier course, Pentesting with Backtrack (PWB – Read Review), this offering provides intermediate students with a learning platform that can be used to become advanced practitioners of certain exploit methodologies.
- EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis – iseclab.org
Our paper on detecting malicious domains by passively analyzing DNS is now online.
- DNS Tampering and Root Servers – renesys.com
Enable DNSSEC. Don’t pass your queries across the GFW (if you can help it). If your government requires DNS-based technical controls, install them at the resolver.
- Neurosurgery with Meterpreter – securityaegis.com
Really thought provoking talk by Colin Ames from Attack Research on meterpreter manipulation of memory and processes (SOURCE Boston 2010).
- Escaping from Microsoft’s Protected Mode Internet Explorer – verizonbusiness.com
The level of protection offered by Protected Mode Internet Explorer ® is not well understood and there are common misconceptions about its status as a security feature.
- SQLi filter evasion cheat sheet (MySQL) – websec.wordpress.com
This week I presented my experiences in SQLi filter evasion techniques that I have gained during 3 years of PHPIDS filter evasion at the CONFidence 2.0 conference.
Tools:
- Runasil – didierstevens.com
Because I didn’t find a program to start an application with a given integrity level from “Image File Execution Options”, I wrote runasil.
- JavaSnoop 1.0 FINAL released! – i8jesus.com
After 6 release candidates, roughly a thousand bugs fixed, dozens of improvements and features added, I finally think the tool is ready for general availability.
- j0llydmper – code.google.com/p/j0llydmper/
j0llydmper is a windows service that allows you to dump furtively and automatically some content of USB disks just plugged in your computer.
- OWASP Zed Attack Proxy Project – owasp.org
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
- Armitage 12.06.10 – fastandeasyhacking.com
Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework.
- skipfish-1.82b – code.google.com/p/skipfish
A fully automated, active web application security reconnaissance tool.
- Zozzle (Microsoft’s Javascript-Malware Analysis Tool) – kaffenews.com
In a sentence Zozzle is a static web-page analyzer for detecting ‘Heap-Spray Exploits’.
- Bluelog v0.9.8 – digifail.com
Bluelog is a Linux Bluetooth scanner written to do a single task, log devices that are in discoverable mode. It is intended to be used as a site survey tool, determining how many discoverable Bluetooth devices there are in a given environment.
- Hyenae v0.35-3 – sourceforge.net/projects/hyenae
Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant.
- OVF Tool Documentation – vmware.com
VMware OVF Tool is a command-line utility that allows you to import and export OVF packages to and from a wide variety of VMware platform products.
- VIDigger v1.0 – layeredsec.com
VIDigger is designed to help administrators check the configuration of ESX server and the virtual machines hosted on ESX server against the VMware Infrastructure Hardening guide and other best practices.
- Browser Exploitation Framework v.0.4.2 – code.google.com/p/beef/
It allows the experienced penetration tester or system administrator additional attack vectors when assessing the posture of a target.
- owasp-dos-http-post – code.google.com/p/owasp-dos-http-post/
This tool was created and released GPLv3 Open Source for performance testing of systems and controls.
Techniques:
- The USB Stick O’ Death – spareclockcycles.org
I’ve recently been researching and experimenting with USB malware, and I wanted to take a shot at developing my own malicious USB stick.
- Avoiding AV Detection – spareclockcycles.org
My main goal in this research was to see how much effort it would take to become undetectable again, and the answer was ‘virtually none’.
- DOM based Cross-site Scripting vulnerabilities – acunetix.com
Like server-side scripts, client-side scripts can also accept user input which can contain malicious code.
- Internet Explorer 9 ad blocking via “Tracing Protection” — no means yes. – jeremiahgrossman.blogspot.com
User configurations will also be persistent across sessions, even when the browser is restarted, which is opposite to how InPrivate mode behaves. This is huge!
- Quick and Easy Oracle Default Password Enumeration – digitalbond.com
For the purpose of this post, the SID enumeration and default account/password auditing are the most important features of oscanner.
- BlackBerry password cracking: multi-threaded, with hardware-accelerated AES – crackpassword.com
The reason is pretty simple: we are not able to generate passwords that fast, especially when we perform all those nice mutations of wordlists passwords (changing the letter case, adding or replacing symbols etc).
- Firefox 3.6.13: damn you, corner cases – lcamtuf.blogspot.com
As you may recall, one of the more significant shortcomings of the same-origin policy is that it does not give any guidance on handling documents with no inherent origin associated – that is, it fails to account for all the content coming from about:, data:, file:, and similar pseudo-URLs.
- On the effectiveness of DEP and ASLR – technet.com
DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have proven themselves to be important and effective countermeasures against the types of exploits that we see in the wild today.
- More updates (including RAR) – golubev.com
Obviously it isn’t possible to reach with 83.5% utilization, so I’ve made some tests with 5xMD5 again and this time speed-up is here.
Vulnerabilities:
- Canon Original Data Security System Vulnerability – elcomsoft.com
The credibility of photographic evidence becomes vital in numerous situations for insurance companies and courts, as they may accept digital image as indisputable evidence if it can be proven genuine.
Vendor/Software Patches:
- New version of OpenSSL fixes two vulnerabilities – h-online.com
A flaw in an older workaround for Netscape browsers and servers can be remotely exploited to make an OpenSSL server downgrade the ciphersuite to a weaker one for subsequent connections.
Other News:
- Large US hosting provider hit in web attack – sophos.com
When innocent users browse these sites, the injected JavaScript adds an iframe element to the page in order to load further malicious content from a remote site.
- Lab Matters: The Dark Side of Jailbreaking iPhones – securelist.com
In this Q&A with Ryan Naraine, Raiu talks about the Jailbreakme.com vulnerability and exploit and the social engineering techniques used to take advantage of the popularity of jailbreaking utilities.
- History stealing by ad networks has got everyone aflutter
Researchers have discovered that dozens of Web sites are using simple Javascript tricks to snoop into visitors’ Web browsing history.
- History stealing for ad networks – h-online.com
- What You Should Know About History Sniffing – krebsonsecurity.com
- How Anyone Can Fake an ATM and Steal Your Money – gizmodo.com
But skimmers don’t exactly have an aisle at Wal-Mart. In this Gizmodo investigation, we take a look at the scary internet black market where fraudsters get their tools.
- Top Abuses of Open Web Proxies – zscaler.com
While there is nothing new or Earth-shattering in this post, I thought I’d share what I have seen as the top abuses of open web proxies – as this is an everyday occurrence involving a large volume of web transactions and is a constant annoyance on the Internet.
- OWASP 4.0 – owasp.blogspot.com
The time has come to measure our success not by the number of members, projects, and conferences, but by whether we are succeeding at making the world’s software more secure.
- Fix to Chinese Internet traffic hijack due in January – networkworld.com
Policymakers disagree about whether the recent Chinese hijacking of Internet traffic was malicious or accidental, but there’s no question about the underlying cause of this incident: the lack of built-in security in the Internet’s main routing protocol.
- DHS, NIST, Financial Services Group Form Security Research Partnership – threatpost.com
As the finger-pointing and name-calling surrounding the WikiLeaks issue continue in Washington, the White House this week facilitated a cooperative agreement among several key public and private organizations designed to spur joint information security research projects.
- Gov’t crackdown spurs initiatives to route around DNS – itworld.com
The Net interprets censorship as damage and routes around it.
- Veracode Research Team Gives 5 Predictions for 2011 – veracode.com
As we close out a security-eventful 2010, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011.
- US Military Bans Physical Media To Curb Leaks – techcrunch.com
Ironically, the news comes via a leaked memo obtained by Wired’s Danger Room that insists that everyone from grunts to techs “immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET,” under pain of court-martial.
- 23-Year-Old Russian Hacker Was Responsible for One-Third of Global Spam – gawker.com
It’s probably because of Oleg Nikolaenko, a 23-year-old who was recently arrested for flooding the world with 10 billion spam emails a day.
- Apple Ditches Jailbreak Detection API in iOS – gizmodo.com
In a move that has been left totally unexplained, Apple has ditched its jailbreak detection API that it introduced to iOS about six months ago.
- Apple and Google Make the Department of Defense Jump Through Hoops for Mobile Device Security – networkworld.com
Lack of cooperation forces DISA to find security workarounds in order to provide Android and iPhone support for soldiers.