Events Related:
- RSnake, Web Security and a few beers – andlabs.org
Reminiscing Black Hat Abu Dhabi.
- DojoCon Follow-Up – novainfosecportal.com
Although there was a formal CFP, everything else followed a traditional unconference format.
- SANS SEC660: Post Mortem – c22.cc
The class is designed to cover the ground between the SEC560 Network Penetration Testing class and the SEC709/710 exploit development class that Stephen Sims has been running for a while now.
Resources:
- Will it Blend? – xs-sniper.com
I’m always humbled when I learn of what others are doing in the security community and even more humbled when asked to present.
- DOJOCON 2010 Videos – irongeek.com
Below are the videos from the conference, at least the ones I can show :), enjoy.
- IOS Crash Analysis and Rootkit Wiki – recurity.com
Almost everything you need to know about Cisco IOS forensics.
Tools:
- Zozzle: Low-overhead Mostly Static JavaScript Malware Detection – microsoft.com
In this paper, we propose ZOZZLE, a low-overhead solution for detecting and preventing JavaScript malware that can be deployed in the browser.
- Websecurify 0.8Alpha4 – code.google.com/p/websecurify/
Websecurify is a powerful web application security testing platform designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies.
- All about HeapLocker
HeapLocker allows you to set a maximum to the amount of private virtual memory a process is using. If the maximum is exceeded, HeapLocker will suspend the process and inform the user.
- HeapLocker: Private Memory Usage Monitoring – didierstevens.com
- HeapLocker Tool Protects Against Heap-Spray Attacks – threatpost.com
- Netglub – netglub.org
Really Open Source Information Gathering.
- Gruyere – google-gruyere.appspot.com
This codelab is built around Gruyere – a small, cheesy web application that allows its users to publish snippets of text and store assorted files.
- Metasploit Framework 3.5.1 Released! – metasploit.com
This minor version release adds 47 new modules, including exploit coverage for recent bugs in the news: Exim4, Internet Explorer, and ProFTPD.
- Mantra Security Toolkit – getmantra.com
The Mantra is a powerful set of tools to make the attacker’s task easier. The alpha version of Mantra contains the following tools built into it.
- Squid-Imposter – github.com/koto/squid-imposter/
Squid-imposter makes it easy to create a Squid-based proxy that injects your own content into chosen website URLs.
- pwnshell – a better jsp shell – i8jesus.com
The world needs a JSP shell that really helps a blackbox attacker pivot to important assets, so I took a stab at it. It’s called, quite lamely, pwnshell.
Techniques:
- Port Scanning with HTML5 and JS-Recon – andlabs.org
Since even closed ports can be identified, we can extend this technique to perform network scanning as well as internal IP detection.
- Capturing Windows Logons with Smartlocker – metasploit.com
One of the most effective ways to capture the clear-text user password from a compromised Windows machine is through the “keylogrecorder” Meterpreter script.
- Attacking Windows Operating System over PowerShell – sectechno.com
Now if you are on a penetration testing mission, you start by running nmap searching for the live Windows hosts on the network, basically those with port 1433 (MSSQL) active.
- Watch out for exim! – skullsecurity.org
My strategy was to keep running ‘make’ and fixing what it complained about until it shut up and compiled.
- Conducting a Phishing Campaign in Metasploit Pro – carnal0wnage.attackresearch.com
Only gripe is the lack of configuration ability in the exploit payload section. I’ve been told this will be addressed shortly; even though a lot of work has been put into smart defaults, the ability to change it when necessary would be nice.
- Mallory and Me: Setting up a Mobile Mallory Gateway – intrepidusgroup.com
Improving the user experience from the initial code checkout to helping users “Mallorize” traffic is a key goal for the project.
- Metasploit and VNC Password Bruteforcing – carnal0wnage.attackresearch.com
You probably missed it, but jduck recently snuck a VNC mixin and vnc_login module into the trunk.
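The JS-Recon item above rests on one observation: a browser will not let a page read a cross-origin socket, but it cannot hide how long a WebSocket (or XHR) to host:port sits in CONNECTING before it fails. A closed port answers with a TCP RST almost immediately, an open non-WebSocket port accepts the connection and then leaves the browser waiting for a handshake that never comes, and a filtered port leaves it waiting for a much longer timeout. Because "closed" is distinguishable from "filtered", any host that returns RST on some port is known to exist, which is the internal-IP-detection step. The following is an added example written for this page, not JS-Recon's code nor anything from andlabs.org; the millisecond thresholds, the fake socket used to run it offline under Node, and the 10.0.0.5 target are assumptions. In a real browser, `openSocket` would be `url => new WebSocket(url)`.

```javascript
// Added example (not JS-Recon's code): timing-based port-state inference
// from how long a browser-side connection attempt stays in CONNECTING.
//   closed   -> RST comes back at once; readyState leaves CONNECTING in ms
//   open     -> TCP accepted but no valid handshake reply; CONNECTING lasts
//               until the browser's handshake timeout (seconds)
//   filtered -> nothing answers; CONNECTING lasts until a much longer timeout
// Thresholds below are assumptions for illustration, not measured values.

const WS_CONNECTING = 0;           // WebSocket.CONNECTING

const DEFAULT_THRESHOLDS = {
  closedMaxMs: 100,                // assumption: RST-driven failures end before this
  openMaxMs: 30000,                // assumption: handshake timeouts end before this
  pollMs: 10,                      // how often readyState is sampled
};

// Pure classification step: elapsed time in CONNECTING -> port state.
function classifyByTiming(elapsedMs, t = DEFAULT_THRESHOLDS) {
  if (elapsedMs < t.closedMaxMs) return "closed";
  if (elapsedMs < t.openMaxMs) return "open";
  return "filtered";
}

// Opens a socket-like object via the injectable openSocket(url), polls its
// readyState until it leaves CONNECTING (or the filtered timeout elapses),
// and resolves to the classification. In a browser: url => new WebSocket(url).
function probePort(host, port, openSocket, t = DEFAULT_THRESHOLDS) {
  return new Promise((resolve) => {
    const start = Date.now();
    let sock;
    try {
      sock = openSocket(`ws://${host}:${port}/`);
    } catch (e) {
      // Browsers throw SecurityError synchronously for ports they block
      // outright (e.g. 25); nothing can be learned about those.
      resolve("blocked");
      return;
    }
    const timer = setInterval(() => {
      const elapsed = Date.now() - start;
      if (sock.readyState !== WS_CONNECTING || elapsed >= t.openMaxMs) {
        clearInterval(timer);
        resolve(classifyByTiming(elapsed, t));
      }
    }, t.pollMs);
  });
}

// Internal-IP detection: a host is present if any probe saw closed or open.
function summarize(resultsByPort) {
  const open = Object.keys(resultsByPort)
    .filter((p) => resultsByPort[p] === "open")
    .map(Number);
  const alive = Object.values(resultsByPort)
    .some((s) => s === "open" || s === "closed");
  return { alive, open };
}

// Constructed fake for offline runs: a socket whose readyState leaves
// CONNECTING after delayByPort[port] ms (no entry = never answers = filtered).
function fakeSocketFactory(delayByPort) {
  return (url) => {
    const port = Number(/:(\d+)\//.exec(url)[1]);
    const sock = { readyState: WS_CONNECTING };
    const delay = delayByPort[port];
    if (delay !== undefined) setTimeout(() => { sock.readyState = 3; }, delay);
    return sock;
  };
}

// Stand-alone demo with scaled-down, constructed timings instead of traffic.
async function demo() {
  const t = { closedMaxMs: 50, openMaxMs: 300, pollMs: 5 };   // demo-scale thresholds
  const openSocket = fakeSocketFactory({ 22: 10, 8080: 150 }); // 443 never answers
  const results = {};
  for (const port of [22, 8080, 443]) {
    results[port] = await probePort("10.0.0.5", port, openSocket, t);
  }
  return { results, summary: summarize(results) };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r)));
}
```

The polling interval puts a floor on timing resolution, so real thresholds have to be calibrated per browser and network; the point of the example is the three-way split, not the specific numbers.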
Vulnerabilities:
- Ouch! HP Storage Device Admin Credentials Hardcoded, Security Experts Facepalm
Hewlett Packard said in a statement that it has identified a “potential security issue” with one of its storage area networking (SAN) products and is readying a fix for the issue.
- HP StorageWorks P2000 G3 MSA hardcoded user – sans.edu
- HP Storage Hardware Harbors Secret Back Door – threatpost.com
- MS Bulletins
- Microsoft Security Bulletin MS10-090 – Critical – microsoft.com
- Microsoft Security Bulletin MS10-091 – Critical – microsoft.com
Vendor/Software Patches:
- Patch Tuesday cometh
As part of our usual cycle of monthly security updates, today Microsoft is releasing 17 bulletins addressing 40 vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint Server and Exchange.
- December 2010 Security Bulletin Release – technet.com
- Microsoft Patch Tuesday – December 2010 – symantec.com
- Microsoft Patches 40 Security Holes – krebsonsecurity.com
- Microsoft Closes Door on Stuxnet with December Patch – threatpost.com
- Over 500 patches for SAP – h-online.com
On Tuesday, SAP – one of the largest manufacturers of business applications and enterprise software – released a huge number of so-called Security Notes.
Other News:
- Gawker hack linked to Acai berry spam on Twitter
Over the weekend, up to 1.3 million passwords were stolen off of Gawker’s servers by a hacker group called Gnosis and then publicly shared on torrent site The Pirate Bay, for anyone and everyone to download.
- Acai Berry spam attack connected with Gawker password hack, says Twitter – sophos.com
- Gawker websites, Twitter hacked and spammed by ‘Gnosis’ – latimes.com
- Gawker Media Websites Hacked, Staff and User Passwords Leaked – wired.com
- Twitter Spam Attack Tied to Gawker Security Breach – readwriteweb.com
- FAQ: Compromised Commenting Accounts on Gawker Media – lifehacker.com
- Gawker hacked, 1.3m passwords stolen, 540k w/email addresses, check this table for yours: http://bit.ly/gYMsr – @hdmoore, twitter.com
- The Top 50 Gawker Media Passwords – wsj.com
- Semipublic Password Dumps – metasploit.com
- Gawker: DES crypt fun using John the Ripper with MPI – intrepidusgroup.com
- How can I encrypt my own passwords so they look like the gawker full_db.txt dump, so I know what password the internet has of mine? – reddit.com
- Major Ad Networks Found Serving Malicious Ads – threatpost.com
Two major online ad networks–DoubleClick and MSN–were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.
- Jailbreaks, iPhone, iPad, and MDM – intrepidusgroup.com
This article will start with device security and gradually focus outward to a discussion on MDM. Today we will also make some comments on the thorny issue of jailbroken iOS devices.
- The Internet Goes to War – arbornetworks.com
In general, getting accurate data about Internet attacks can be a challenge. Namely, a) companies avoid publicly discussing most attacks and b) the attacks can be difficult to measure or at least consistently compare.
- NSA considers its networks compromised – net-security.org
The problem with cyber defense – especially when it comes to attacks backed by governments and intelligence organizations – is that attackers are usually highly motivated and often very well funded.
- UN mulls internet regulation options – itnews.com.au
The United Nations is considering whether to set up an inter-governmental working group to harmonise global efforts by policy makers to regulate the internet.
- Why the US Government Attacking Wikileaks is a Bad Idea – zeropaid.com
Whatever your take on this hot-button topic is, few would argue that this story hasn’t caught a huge amount of international attention and drawn a seemingly unprecedented amount of attention to the internet.
- Why Speed & Frequency of Software Security Testing Matter, A LOT – jeremiahgrossman.blogspot.com
Therefore the speed and frequency of the testing process, whether going with dynamic scanning, binary analysis, pen-testing, static analysis, line-by-line source code review, etc., matters a great deal.
Source: Week 50 in Review – 2010, http://infosecevents.net/2010/12/20/week-50-in-review-2010/