Resources
- Dan Kaminsky Reveals His Process For Security Research – resources.infosecinstitute.com
Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008 and Windows 7 releases.
- Incident Response Methodologies Worm Infection Cheat Sheet – isc.sans.edu
The CERT Societe Generale (site is in French and English) has published a 6 Steps IRM Worm Infection cheat sheet (English only), freely available for download here. “Feel free to contact us if you identify a bug or an error in these IRMs.”
Tools
- UPDATE: Ncrack 0.4ALPHA! – nmap.org
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
- UPDATE: John the Ripper 1.7.7 – download.openwall.net
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords.
- UPDATE: THC HYDRA v6.3! – freeworld.thc.org
THC-HYDRA is a very fast network logon cracker which supports many different services. This tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system.
- OWASP Hatkit Proxy Project HTTP/TCP Intercepting Proxy Tool – darknet.org
The primary purpose of the Hatkit Proxy is to create a minimal, lightweight proxy which stores traffic into an offline storage where further analysis can be performed, i.e. all the kinds of analysis which are currently implemented by the proxies themselves.
- Introducing the Cisco IOS Software Checker – blogs.cisco.com
This tool introduces a feature that has been long requested by our customers and will make Cisco product security information much easier to consume and digest.
- Suspender.dll – blog.didierstevens.com
When the suspender DLL is loaded inside a process, it will wait for 60 seconds and then suspend all the threads of the host process. If you want another delay, just change the name of the file by appending the number of seconds to sleep.
- The ultimate collection kit – integriography.wordpress.com
It's a mix of ediscovery and forensics, with all the typical issues – custodians available only for a day, unexpectedly large hard drives, systems that cannot come down at all, 3 Sony Vaios with just one power cord, etc.
- TCDiscover – code.google.com
We posted about TCHunt yesterday, which could help you identify TrueCrypt-encrypted data on your hard drive. But what if you are not able to load TCHunt and only have access to a backed-up hard drive? If that data is backed up with dd, you are in luck – for we now have TCDiscover!
- Pytbull: An IDS/IPS Testing Framework – code.google.com
As you may have read in our old post regarding the RedWolf Security Threat Generator, this tool will help you test for threats across your complete network.
Techniques
- Hard Disk Password Recovery
Quite a while ago, [@dop3j0e] set up a password for his ThinkPad's hard drive and chose to unlock the drive using the built-in fingerprint scanner.
  - How I Recovered My Harddisk Password – prezi.com
  - Harddrive Password Hacking With An OpenBench Logic Sniffer – seedstudio.com
- pCTF 2011
  - pCTF 2011 #18 A small bug – blog.stalkr.net
  - pCTF 2011 #19 Another small bug – blog.stalkr.net
  - pCTF 2011 #22 Hashcalc1 – blog.stalkr.net
  - pCTF 2011 #26 Hashcalc2 – blog.stalkr.net
  - pCTF 2011 #32 That’s no bluetooth – blog.stalkr.net
- Running Auxiliary Modules Against Multiple Hosts the Smart Way Part 2 – carnal0wnage.attackresearch.com
Let’s take this one step further… and throw multiple aux modules against the hosts that have port 80 open. I’m going to use a resource script to do this.
- SMBRelay Bible 6: SMBRelay attacks on corporate users part 2 – dsecrg.blogspot.com
As was written in the last blog post, we can create a crafted Office document and send it to users (via e-mail, for example). When a user opens it, the Office program tries to connect to our server and gives us the user’s credentials.
- Investigating Windows Security Threats With Volatility – mnin.blogspot.com
There are various ways of finding objects and data structures in a memory dump. Two of the popular ways include list traversal (or pointer traversal) and pool scanning.
Vendor/Software Patches
- Microsoft EMET – darkoperator.com
Many times we are faced with the situation of not being able to patch software in time, and many times, due to the way companies work and handle security vulnerabilities, the time of exposure is a very long one.
Other News
- The Great PlayStation Breach
A breach that may have jeopardized the user names, addresses, passwords and credit card information of up to 70 million customers.
  - The Real Reason PSN is down – reddit.com
  - Millions of Passwords, Credit Card Numbers at Risk in Breach of PlayStation Network – krebsonsecurity.com
  - Sony PlayStation Network and Qriocity Services Hacked – blog.eset.com
  - Playstation Network hacked: Personal data of up to 70 million people stolen – nakedsecurity.sophos.com
- Researchers Propose New Steganography System For Hiding Data – threatpost.com
A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present.
- Oak Ridge Still Not Back Online – securitywatch.eweek.com
Ten days after IT administrators cut off Internet access at a federal research facility in Tennessee following a successful spear phishing attack, the laboratory remains disconnected.
- Feds to remotely uninstall Coreflood bot from some PCs – computerworld.com
Federal authorities will remotely uninstall the Coreflood botnet Trojan from some infected Windows PCs over the next four weeks.
- Nikon’s image authentication algorithm cracked – computerworld.com
Researchers have discovered a flaw in the system used by Nikon professional digital cameras to ensure images have not been tampered with.
- No Hacking Required to be Prosecuted as a Hacker – wired.com
Employees may be prosecuted under a federal anti-hacking statute for taking computer files that they were authorized to access and using them in a manner prohibited by the company, a federal appeals court has ruled.