Week 15 In Review – 2011

Events Related:

• OWASP threat modeling project – myappsecurity.blogspot.com
  We are starting an OWASP threat modeling project to standardize a threat modeling approach which can be used by various companies.

Resources:

• Neil Daswani Reveals His Process for Security Research – resources.infosecinstitute.com
  In our ongoing series of interviews, this week Neil Daswani answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.
• Ethical Hacking Degrees – the good, the bad, the ugly – ethicalhack3r.co.uk
  Ethical Hacking or Information Security or Computer Security or Network Security… are all included within titles of university level undergraduate degrees within the UK. No matter what they title their courses or whether or not you agree with the use of certain terms within their titles is irrelevant as they are all attempting to teach the same things.
• Security Researchers Exploit Logic Flaws to Shop for Free Online – networkworld.com
  Security researchers from Indiana University Bloomington and Microsoft Research published a very interesting paper called How to Shop for Free Online.
• creating an as-secure-as-possible laptop — ideas? – reddit.com
  I’m interested in creating a laptop (though a desktop would be fine, too) with a big emphasis on security. what types of treatments would reddit recommend?
• We have started a security group at my University and we are trying to build up a database of tests, competitions, papers, etc – reddit.com
  Any relevant links and content are welcome! We have a dozen of tests taken from previous competitions we attended this year, but we would like to get more if possible.
• NIST publishes 50kish vulnerable code samples in Java/C/C++, is officially krad – cgisecurity.com
  NIST has published a fantastic project (its been out since late December, but I only just became aware of it) where they’ve created vulnerable code test cases for much of MITRE’s CWE project in Java and c/c++.
• ClubHack Issue 15 – terminal23.net
  New issue available.
• FISMApedia – fismapedia.org
  FISMApedia is a collection of documents and discussions focused on Federal IT security. This site is a database of current guidance, laws and directives on how the Federal government secures its IT assets.
• Burp Hacking Slides – Bsides Chicago – securityaegis.com
  Download the padding oracle vuln plugin for forms authentication (thats a mouthful) from Joel’s site: beersec.org.
• Hackito Ergo Sum 2011 Presentation Dump – slideshare.net
  A collection of everything from this security event

Tools:

• RawCap sniffer for Windows released – netresec.com
  We are today proude to announce the release of RawCap, which is a free raw sockets sniffer for Windows.
• Spooftooph: The Bluetooth Spoofer – sourceforge.net/projects/spooftooph/
  Spooftooph is designed to automate spoofing or cloning Bluetooth device information. Make a Bluetooth device hide in plain site.
• sqlmap 0.9 – sourceforge.net/projects/sqlmap/
  sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
• hackxor – hackxor.sourceforge.net
  Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.
• SVN Digger – Better Wordlists for Forced Browsing – mavitunasecurity.com
  DirBuster ships with several wordlists, these wordlists generated via one big crawler which visited tons of websites, collected links and created most common directory / file names on the Internet.
• Patriot NG – security-projects.com
  Patriot is a ‘Host IDS’ tool which allows real time monitoring of changes in Windows systems or Network attacks.
• CVE Checker 3.1 – cvechecker.sourceforge.net
  cvechecker reports about possible vulnerabilities on your system by scanning the installed software and matching the results with the CVE database.
• OllyDbg 2.01 Alpha 3 – ollydbg.de
  OllyDbg is a 32-bit assembler level analysing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
• Microsoft Pushes Out Two New Security Tools – threatpost.com
  In parallel with its release of 17 bulletins on Patch Tuesday this month, Microsoft also unveiled two new tools that are meant to help make a couple of common exploitation scenarios more difficult for attackers.
• smooth-sec – bailey.st
  Smooth-Sec is a ready to-go  IDS/IPS (Intrusion Detection/Prevention System) linux distribution based on the multi threaded Suricata IDS/IPS engine and Snorby, the top notch web application for network security monitoring.
• BodgeIt Store – code.google.com/p/bodgeit/
  The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to penetration testing.
• Qubes OS – qubes-os.org
  Qubes is an open source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers. In the future it might also run Windows apps.
• McAfee ShareScan – mcafee.com
  ShareScan is a free utility that enables IT security personnel to identify open Windows file shares available on the internal network. This tool can help administrators identify systems that have wide open permissions or no permissions — potential vulnerabilities that should be remediated.
• md5deep version 3.8 – jessekornblum.livejournal.com
  This version adds two new features. First, you can now use a file to indicate the input files to process. For example, you can make a file, foo.txt.
• Common Vulnerability Scoring System Version 2 Calculator – dueyesterday.net
  Allows for the creations of enums. Thanks to norvig.com/python-iaq.html
• MS10-070: Padding Oracle applied to .NET framework – bernardodamele.blogspot.com
  I followed the research closely and way before vulnerability scanners like Nessus could detect the security vulnerability on .NET applications anonymously and remotely, I coded a small script to test for the flaw based on Juliano Rizzo’s details. You might still find it useful, so I thought about publishing it on GitHub.
• IEZoneAnalyzer v3 – technet.com
  IEZoneAnalyzer is a utility for viewing and comparing Internet Explorer security zone settings. It is particularly valuable on systems controlled through Group Policy, on which the standard security settings dialog does not allow viewing of settings.

Techniques:

• Full Disclosure:Barracuda Networks Hacking via SQL Injection – hmsec.tumblr.com/
  The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection.
• Parsing CDP Packets With Scapy – darkoperator.com
  In this blog post I will cover how to use one of the new parsers  to parse CDP packets included in version 2.2 of scapy. Cisco Discovery Protocol (CDP) is a proprietary Layer 2 Data Link Layer network protocol used to share device information with devices connected on the same subnet.
• Mozilla Firefox Internals & Attack Strategies – chmag.in
  This paper aims to detail some of the techniques and methods that exist to subvert a fully patched and functioning browser Firefox.
• BackTrack 5 on a Motorola Xoom – offensive-security.com
  In the past few days we have been toying with some Motorola hardware, and have managed to get a basic build of BackTrack 5 (+ toolchain) on a Motorola Xoom.
• Things overheard on the WiFi from my Android smartphone – freedom-to-tinker.com
  Today in my undergraduate security class, we set up a sniffer so we could run Wireshark and Mallory to listen in on my Android smartphone. This blog piece summarizes what we found.
• Execute Metasploit payloads bypassing any anti-virus – bernardodamele.blogspot.com
  Most of the shellcode launchers out there, including proof of concepts part of many security books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems.
• [Video] Playing With Traffic (Squid) – g0tmi1k.blogspot.com
  The attacker installs Squid3 cache proxy via the Operating System (Backtrack 4 R2) repository. Squid is the “backbone” to this attack and after configuring it to work on the Local Area Network (LAN) and to be transparent (the proxy “works” without any configuration to the browser), the attacker chooses which script to first try out (asciiImages.pl is the first one) and adds it to the configuration file.
• Pulling and finding APKs without root on Android – intrepidusgroup.com
  Since we’re not root, we can’t list the /data/app directory to locate the name of the APK file we want to pull. There’s a few ways you can tackle finding the name of the APK file, but what I find is the quickest way for me is to pull the packages.xml file.
• Reverse connection: ICMP shell – bernardodamele.blogspot.com
  Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios when you have owned a machine part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to consider a bind shell.
• KB2506014 kills TDL4 on x64 – eset.com
  Not so long ago, Microsoft released a security patch addressing the way Windows x64 operating systems check integrity of the loaded modules. In our recent report (The Evolution of TDL4: Conquering x64) we described a method used by the TDL4 bootkit to load its malicious unsigned driver on 64-bit systems, even though those systems have an enforced kernel-mode code signing policy.
• Uh Ah! I Happened To Use POP ESP – ragestorm.net
  I had to call a C++ function from my Assembly code and keep the return value untouched so the caller will get it. Usually return values are passed on EAX, in x86 that is. But that’s not the whole truth, they might be passed on EDX:EAX, if you want to return 64 bits integer, for instance.
• More certs may indicate less security – rdist.root.org
  If a website has a multiple servers with different certs, the browser may often generate spurious errors for that site. But could this be a symptom of a genuine security problem?
• Filejacking: How to make a file server from your browser (with HTML5 of course) – r00tsec.blogspot.com
  How can a website access user’s files? Traditionally, user has to upload the file. Users commonly share photos, videos upload their files for online conversion tools etc. You could (theoretically) be tricked into uploading a sensitive file into a malicious website (“please submit your private key for checking it’s strength”), but, seriously, who falls for that?
• Proxmark3/RFID Goodness – zonbi.org
  There are two “types” of RFID in common use. High frequency runs at the 13.56MHz range. The MiFare stuff is in this range, although it’s slightly different to the ISO14443 A and B standard used in the CSC stuff floating around ie. $train card.
• Padding Oracle Post-Explotation: Abusing ASP.NET Forms Authentication with Burp – beersec.org
  So you found an web site vulnerable to the ASP.NET Padding Vulnerability, used Minded Security’s web.config bruter and now you have the applications web.config file. Now what?
• Payload bypass AV. with encoding – r00tsec.blogspot.com
  This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems.

Vulnerabilities:

• Another day, another Flash 0-day attack
  Hackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.
  • Adobe warns of new Flash Player zero-day attack – zdnet.com
  • Adobe confirms critical Flash zero-day bug – computerworld.com
  • Time to Patch Your Flash – krebsonsecurity.com
• MSRT April ‘11: Win32/Afcore – technet.com
  Win32/Afcore comprises two components, a dropper and installed malware that runs as a backdoor. The backdoor component is injected into running processes and connects to a remote server to retrieve commands that are executed on the affected system. Commands could include instructions to steal passwords, attack other computers and so on.

Vendor/Software Patches:

• Patch Tuesday!
  Microsoft has released its April Patch Tuesday fixes, a large group of patches that includes updates for several critical holes in Internet Explorer as well as a patch that finally fixes the SMB client bug that disclosed publicly in February.
  • April Patch Tuesday Fixes Critical IE, SMB Bugs – threatpost.com
  • April 2011 MS Patch Tuesday – 17 patches, 64 vulnerabilities – nakedsecurity.sophos.com
  • Microsoft Patch Tuesday – April 2011 – symantec.com

Other News:

• ATM Skimmers: Hacking the Cash Machine – krebsonsecurity.com
  Most of the ATM skimmers I’ve profiled in this blog are comprised of parts designed to mimic and to fit on top of existing cash machine components, such as card acceptance slots or PIN pads. But sometimes, skimmer thieves find success by swapping out ATM parts with compromised look-alikes.
• SSL Issues: Solutions, Opinions and News
  What lies ahead for SSL? The recent Comodo hack taught us that what we thought was a robust security protocol is nothing but a house of cards.
  • How is SSL hopelessly broken? Let us count the ways – theregister.co.uk
  • ssl certs: just enough security? – terminal23.net
  • SSL And The Future Of Authenticity – blog.thoughtcrime.org
• Apple’s AirTunes/AirPlay private key extracted and published – h-online.com
  Developer James Laird has extracted the AirTunes/AirPlay private key from an Apple Airport Express, opening the way for third-party applications to play back iTunes streams.
• BREAKING NEWS: Sony’s War On Hackers, Tinkerers And Innovators “Settlement In George Hotz Case” – blog.makezine.com
  Sony Computer Entertainment America (“SCEA”) and George Hotz (“Hotz”) today announced the settlement of the lawsuit filed by SCEA against Hotz in federal court in San Francisco, California. The parties reached an agreement in principle on March 31, 2011. As part of the settlement, Hotz consented to a permanent injunction.
• How Phishers Will Use Epsilon Data Against You – threatpost.com
  There has been a lot of online venting and hand-wringing in the week since customers of email services provider Epsilon began informing millions of individuals in North America and Europe that their name and e-mail address had  been stolen in a massive data breach.
• USPS.gov Website Infected with Blackhole Exploit Kit – research.zscaler.com
  As we’ve discussed previously, the Blackhole Exploit kit, a commercial exploit kit developed by Russian hackers, is being seen in an increasing number of attacks.
• Milw0rm and inj3ct0r Merge Into 1337day.com – greyhat-security.com
  Less than an hour ago, a message was sent out via the Milw0rm.com Facebook group, announcing both a merger for milw0rm.com and inj3ct0r.com, and simultaneously, a move for inj3ct0r.com into a new domain, 1337day.com.
• Government Agrees With Microsoft: Google Wasn’t Certified [Update] – readwriteweb.com
  Today, the U.S. government agreed with Microsoft’s accusation that Google had provided misleading information about whether or not its Google Apps for Government is certified under the Federal Information Security Management Act (FISMA).
• DOJ gets court permission to attack botnet – itworld.com
  The U.S. Department of Justice and U.S. Federal Bureau of Investigation have obtained a temporary restraining order allowing them to disrupt a computer virus that created an international botnet controlling more than 2.3 million computers as of early 2010, the DOJ announced Wednesday.