Events Related
- Shmoocon CTF Warm up Contest – JavaScrimpd – blog.stalkr.net
Last weekend was the ShmooCon CTF Warmup Contest. Three challenges, the last one being an ELF binary plus the hostname of a server.
Tools
- OWASP Zed Attack Proxy 1.2.0 Released – vulnerabilitydatabase.com/toolswatch/2011
The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
Techniques
- Beginning Mac Hacking – mrspeaker.net
He was a very mystical fellow, and spoke about reverse engineering with a sense of grand importance and just a pinch of spirituality – all very enticing to a nerdy youngster like myself.
- Waking up the Sleeping Dragon – thesauceofutterpwnage.blogspot.com
On September 28, 2010 I notified Beijing-based WellinControl Technology Development Co., Ltd and CN-CERT that one of Wellintech's products had a very serious security vulnerability, and that if properly leveraged would allow an attacker to exploit the bug and execute arbitrary code.
- Alexa Illustrates Web Security Risks (part 1) – research.zscaler.com
I recently needed to look at some Alexa data related to their tracking of the top web domains visited for a side project that I was working on.
- Sudo -g privilege escalation (CVE-2011-0010) – blog.c22.cc
I noticed this bug come across the wire earlier today and thought I'd take a few minutes to take a look.
- Dumping the RMI Registry with NMAP – www.swende.se
A while ago, I wrote an NSE script to a Java RMI Registry and dump out information about the objects in the registry. This is a blog post to shed some light on NSE development in general and that script in particular.
- Continuous Web Application Security Scanning With Netsparker and TeamCity – troyhunt.com
One of the problems with software security is that it's easy for it to appear a bit like black magic, or at least like an entirely foreign industry to software development.
- HeapLocker: NOP Sled Detector – blog.didierstevens.com
When you enable NOP sled monitoring, HeapLocker will create a new thread to periodically check (every second) newly committed virtual pages that are readable and writable.
Vendor/Software Patches
- Microsoft Black Tuesday
- Microsoft Security Bulletin Overview – ghacks.net
The second Tuesday of a month is Microsoft's patch day, when the software company releases security patches and fixes for its products.
- January 2011 Microsoft Black Tuesday Summary – isc.sans.edu
Happy New Year Everyone! Here is the 2011 Black Tuesday kick off with only two patches. Enjoy!
Other News
- 10 Devious New Ways That Computer Hackers Can Take Control of Your Machines or Fix Them – io9.com
Straight from CCC, here are ten ways hackers will subvert your computer, phone, bank card, and life in 2011.
- Security Researcher, Cybercrime Foe Goes Missing – wired.com
A well-known security researcher and cybercrime foe appears to have gone missing in Bulgaria and is feared harmed, according to a news organization that hosts a blog the researcher co-writes.
- Exploit Packs Run On Java Juice – krebsonsecurity.com
Today, I'll highlight a few more recent examples of this with brand new exploit kits on the market, and explain why even fully-patched Java installations are fast becoming major enablers of browser-based malware attacks.
- The Application Security Spending Conundrum – jeremiahgrossman.blogspot.com
To obtain a quote, the online insurer asked my age, where I lived, how much I drive and where, the year, make, and model of my cars, about my driving record, and how much coverage I wanted.