Week 3 in Review – 2011

Events Related:

• A Shmoocon Preview – blogs.macafee.com
  At about a third of the size of a larger conference like Black Hat, it’s much easier to talk to the speakers without fighting with a crowd. Past years have had good presentations on mobile phone security and this year is no exception.
• Black Hat DC 2011
  We are currently at the awesome BlackHat DC event, with hundreds of attendees coming from many different countries worldwide.
  • Black Hat itinerary – blackhat.com
  • Black Hat DC 2011: Inglourious Hackerds – blog.tehtri-security.com
  • Mobile Attacks reign At Black Hat DC – threatpost.com
  • Fake GSM base station trick targets iPhone – networkworld.com
  • Quirky moments at Black Hat DC 2011 -networkworld.com

Resources:

• Cisco 2010 Annual Security Report – reddit.com
  The Tipping Point: Cybercriminals Targeting Mobile Platforms
• Dress For Success In the Corporate Setting
  If your organization truly judges you based on what you wear, and not what you know and what you do, then you are working for the wrong organization.
  • Common traits of future Infosec leaders – terminal23.net
  • The Appearance Myth – securosis.com
  • Fashion Advice from Infosec Leaders – infosecleaders.com
• The Legality of the Certificate Authority  Trust Model – schneier.com
  We looked at the standard legal documents issued by the certificate authorities or “CAs,” including exemplar Subscriber Agreements (agreements between CAs and website operators).
• Getting Started With Corporate iPad and iPhone Mobile Security – redspin.com
  Mobile devices like the iPhone and iPad are a top security concern for 2011. The first step to addressing this risk is to put a security policy in place that addresses mobile devices.
• Cisco Explains the 7 Deadly Weaknesses of Social network Users and More in Security Report – readwriteweb.com
  Cisco released its 2010 Annual Security Report yesterday. The report covers criminals’ slow shift from targeting Windows PCs to targeting other operating systems and devices, the importance of exploiting users’ trust in their social network friends and the rise of Java exploits, and more.
• Top 10 Web Hacking Techniques of 2010 – jeremiahgrossman.blogspot.com
  Now in its fifth year the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.

Tools:

• w3af: Better, Stronger, Faster – blog.rapid7.com
  By downloading this release you’ll be able to enjoy new vulnerability checks, more stable code and a about 15% performance boost in the overall speed of your scan.
• R-U-Dead-Yet version 2.2 – chaptersinwebsecurity.blogspot.com
  I forgot the fact that people develop hunger for features and bug fixes even when software is open-source and free. Oh well, I guess that’s a responsibility that comes with the will to satisfy your end users.
• AutoDiff Online – marcoramilli.blogspot.com
  AutoDiff is a project which performs automated binary differential analysis between two executable files.
• MS Attack Surface Analyzer Release
  Microsoft unveiled a new tool this week in conjunction with the Blackhat DC conference — the Attack Surface Analyzer.

• • MS Attack Surface Analyzer – digitalbond.com
  • New Tool: Announcing Attack Surface Analyzer – blogs.msdn.com

Techniques:

• Who’s who of bad password practices – troyhunt.com
  But what happens when the website won’t allow you to create a secure password? Or at least when they severely constrain your ability to create long, random, unique passwords?
• Share your nmap parameters! – reddit.com
  What parameters do you usually use in your nmap scans? Any interesting combinations? I usually go with: nmap -v -A -p1-65535 -O2 -T4 ipaddress
• Quickpost: Checking ASLR – blog.didierstevens.com
  Some people asked me for a simple way to check shell extensions for their ASLR support. You can do this with Process Explorer.
• Finding AES keys – jessekornblum.livejournal.com
  Today I’m publishing a little utility to search for AES keys. It was originally intended for searching memory images, but you can use it to search anything really.
• How To Crack Just About Any Mac App – lifehacker.com
  By walking through how I can hack your app with only one Terminal shell, I hope to shed some light on how this is most commonly done, and hopefully convince you to protect yourself against me.
• Episode 266 – pauldotcom.com
  PaulDotCom Security Weekly – Episode 226 – for Thursday January 13th, 2011.
• Return of the Sprayer – h-online.com
  If they jumped to code injected onto the stack or heap, “just like in the good old days”, data execution prevention (DEP) would trigger an interrupt and the system would terminate the carefully pwned process before it could cause any damage.
• Exploit in the wild for MS06-014 – research.zscaler.com
  Although 0day vulnerabilities receive all the attention, it’s not unusual to see attackers still taking advantage of old vulnerabilities to attack end users
• Unrestricted File Download V1.0 – soroush.secproject.com
  I do not want to talk about Insecure Direct Object References without any protection as they are obviously exploitable; Instead, I want to talk about bypassing the protected ones!
• Exploiting Smartphone-USB connectivity for fun and profit – docs.google.com
  Unfortunately, these new capabilities  coupled with the inherent trust users place on the USB physical connectivity and the lack of any protection mechanisms render the USb an insecure link, prone to exploitation.
• Mobile Device Security and Android File Disclosure – blog.metasploit.com
  Specifically, he found that it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control. The issue only garners a 3.5 CVSS score, but yet it’s still fairly serious.

Vulnerabilities:

• IBM WebSphere MQ Invalid Message Remote Buffer Overflow Vulnerability – securityfocus.com
  IBM WebSphere MQ is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
• Malware update: .co.cc malicious entries – blog.sucuri.net
  For the last weeks (actually months), we’ve been tracking a large number of malware from .co.cc domains. It seems that every .co.cc domain we find is being used to host either malware or spam.

Vendor/Software Patches:

• Oracle Black Tuesday Patch
  If you are an Oracle user, get ready for your very own Patch Tuesday, which comes tomorrow.
  • Patch Tuesday – now for 28 products in the Oracle stable – nakedsecurity.sophos.com
  • Oracle patches 66 vulnerabilities – h-online.com
  • Perspective on the latest Oracle patches – blog.imperva.com

Other News:

• Keyless cars vulnerable to hack, theft – cnet.com
  Keyless car entry and start systems make it easy to get on the road, but they could also make it easier for criminals to take off with your car. And strong encryption won’t solve the problem.
• Stuxnet vs. Iran nuclear enrichment
  Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload.
  • Stuxnet is embarrassing not amazing – rdist.root.org
  • New info on Stuxnet – f-secure.com
  • Did a U.S. Government Lab Help Israel Develop Stuxnet? – wired.com
• ATM Skimmers, Up Close – krebsonsecurity.com
  Recently, I found a guy on an exclusive online scammer forum who has been hawking a variety of paraphernalia used in ATM skimmers.
• Coming soon: a new way to hack into your smartphone – itworld.com
  More than three years after the iPhone was first hacked, computer security experts think they’ve found a whole new way to break into mobile phones — one that could become a big headache for Apple, or for smartphone makers using Google’s Android software.
• Two Charged in AT&T hack of iPad Customer Data – wired.com
  Two suspects have been charged with federal crimes for allegedly hacking AT&T’s website last year to obtain the personal data of more than 100,000 iPad owners.
• Why you should always encrypt your smartphone – arstechnica.com
  Last week, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF), holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant.
• Hacking with USBs
  Two researchers have figured out a way to attack laptops and smartphones through an innocent-looking USB cable.
  • Researchers turn USB cable into attack tool – cnet.com
  • Hacking with USB keyboard emulators – h-online.com
• Online banking trojan developing fast – h-online.com
  Trojan construction kit Carberp, which first emerged in the autumn, appears to be undergoing rapid development, according to reports from sources that include security services provider Seculert.
• Android Trojan captures credit card details – thinq.co.uk
  The team, comprised of Roman Schlegel from the City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, and Xiao Feng Wang from the Indiana University Bloomington, call their creation ‘Soundminer’ – and its implications are far-reaching.