Week 21 In Review

Events Related

• Cyber Defence Challenge: Analogies – holisticinfosec.blogspot.com
  I recently had the opportunity to interview Alexei Czeskis, the captain of the University of Washington (UW) team who won this year’s National Collegiate Cyber Defense Competition (CCDC). During my discussion with Alexei I was immediately drawn to the fact that his approach and tactics closely mirror those of mature security incident response teams.
• Course Review: SANS SEC 569 Combating Malware in the Enterprise – ethicalhacker.net
  Your organization will get compromised!  The convenience and ease-of-use that your employees and customers demand will expose your network to a plethora of compromises.  As much as security paranoids, like myself, would like to completely lockdown our networks to prevent this, it is not practical.

Resources

• Index of/hitbsecconf2011ams/materials – conference.hackinthebox.org
• Infiltrate 2011 Debriefing – immunityinc.com
  Breakdown of activities and lectures  for two day Infiltrate con.
• Team Shatter Reveals Their process For Security Research – resources.infosecinstitute.com
  In our ongoing series of interviews, we are doing things a little differently this week and interviewing four members of TeamSHATTER. They answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work they do.
• Malicious PDF Analysis Workshop Screencasts – blog.didierstevens.com
  After giving my Malicious PDF Analysis workshop at Hack In The Box Amsterdam, I decided to produce a screencast for each exercise (there are 20 exercises). You can find the first screencasts here. More will be produced soon.
• 4 tips tog get a conference “Call for Papers” submission accepted – blog.whitehatsec.com
  If you’ve done unique research in information security, work that others would be interested in learning, the conference circuit provides an amazing opportunity to travel the world (for free!), advance your career, and share it with others. All you have to do is respond to one of the literally hundreds of Call For Papers (CFPs) that conference organizers publish each year and get selected to present.
• Source Conference Presentations Archive – sourceconference.com
  Comprehensive archive of presentations made during last month’s three day Source Conference.
• vSphere 4.1 Security Hardening Guidelines for vCenter Configuration Manager (VCM) Released – blogs.vmware.com
  The VMware Center for Policy and Compliance is excited to announce our content release of the vSphere 4.1 Security Hardening Guidelines for vCenter Configuration Manager (VCM). CP&C is a group of folks with alphabet soup behind their names that build content, thought leadership and evangelize our Security & Compliance  strategy all over the planet.
• Wikipedia entry for ‘Timing Attack’ – en.wikipedia.org/wiki/Timing_Attack
  A timing attack is an example of an attack that exploits the data-dependent behavioral characteristics of the implementation of an algorithm rather than the mathematical properties of the algorithm itself.
• Sandbox Textbook: Isolation of processes by controlling access to kernel objects – translate.google.es

Tools

• Introducing msfvenom – community.rapid7.com
  The Metasploit Framework has included the useful tools msfpayload and msfencode for quite sometime. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules.
• scapy Cheat Sheet – packetlife.net
  As a follow-up to my Introduction to scapy earlier this week, I’ve developed a scapy cheat sheet. While it would obviously be impractical to include every aspect of scapy’s functionality, the cheat sheet covers the fundamentals of building, sending, and receiving packets.
• w3af 1.0–stable released! – professionalsecuritytesters.org
  Since our latest w3af release in mid January, and our new windows installer release a couple of months ago, we’ve got lots of encouraging words telling us we are going in the right direction. The objective was near and we could almost taste it. Having a stable code-base is no joke, it requires countless hours of writing unit-tests, running w3af scripts and most importantly: fixing bugs.
• UPDATE: fimap v09! – code.google.com/fimap/downloads/list
  fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable.
• TLSSLed v1.0 – blog.taddong.com
  The purpose of the TLSSLed tool (named from the idea of your website being TLS/SSL-ed, that is, using “https;//”) is to simplify the output of a couple of commonly used tools, and highlight the most relevant security findings of any target SSL/TLS implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool.

Techniques

• Hacking Exposed VoIP/SIP –  sectechno.com
  VoIP systems becoming increasingly popular, attracted people are not only legitimate users that are looking to use it in their business but those who would like to make free calls at other people’s expense. SIP devices are often attacked, with the intent of finding the username/password of accounts on that device.
• Cookiejacking: Another way of Attack Technique – sites.google.com/site/tentacoloviola
  Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim’s cookies without any XSS. Any cookie. Any website. Clickjacking attacks have been widely adopted by attackers worldwide on popular websites (eg Facebook) in order to perform some drive to download attacks,click forging, message sending and so on. so beware before clicking!!!
• EMET 2.1 Deployment – irhowto.wordpress.com
  If you have not used Microsoft EMET and your in charge of managing or securing Windows PC’s then you need to start looking at it. In short, EMET uses a number of techniques (DEP, ASLR, HeapSpray prevention ect…) to make it much more difficult to exploit an application.
• Recent Developments In Java Signed Applets – community.rapid7.com
  The best exploits are often not exploits at all — they are code execution by design. One of my favorite examples of this is a signed java applet. If an applet is signed, the jvm allows it to run outside the normal security sandbox, giving it full access to do anything the user can do.
• Use HxD to edit capture files (by Joke Snelders) – lovemytool.com
  In this article I show you how to use a hex editor to edit pcap capture files. You can use Microsoft Calculator in Scientific mode to convert decimal numbers to hexadecimal numbers or, for instance, an online conversion table.
• Customizing SQLMap to ypass weak input filters – blog.mindedsecurity.com
  SQLMap is the most flexible Sql injection tool I have ever seen: written in python, opensource and fully customizable. Many times during penetration testing activities you will face the need to customize SQLMap. In the following example the tool is not able to extract any data in it’s default configuration since the application is filtering some particular characters.

Vulnerabilities

• Symantec AMS Intel Alert Handler Design Flaw – foofus.net
  This is a very interesting flaw that I came across in Symantec Antivirus Corporate edition in July 2009 while trying to recreate the XFR.EXE design flaw (CVE-2009-1431). At first I thought this was the same flaw, but while running a serious of test against multiple versions of SAVCE. I realized I had tested it against the latest patched 10.1.8 version of the product and the vulnerability was still there.
  

Other News

• Lockheed Martin Security Breach
  Lockheed Martin Corp (LMT.N), the Pentagon’s No. 1 supplier, is experiencing a major disruption to its computer systems that could be related to a problem with network security, two sources familiar with the issue said on Thursday.
  • Lockheed Network Suffers Major Disruption – reuters.com
  • Exclusive: hackers breached US defense contractors – reuters.com
  • Lockheed says frequent cyber target from around world – reuters.com
  • RSA SecurID breach linked to hacker attack on Lockheed Martin; other US military contractors may be affected – boingboing.net
  • Lockheed Martin says it thwarted ‘tenacious’ cyber attack – msnbc.msn.com
  • RSA SecureID hackers may have accessed Lockheed Martin trade secrets, cafeteria menus (update: no data compromised) – engadget.com

• Siemens’ SCADA Problem
  SCADA systems — computer systems that control industrial processes — are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It’s not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it’s bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways.
  • New Siemens SCADA Vulnerabilities Kept Secret – schneier.com
  • Siemens To Issue Patches For SCADA Products ‘In next few Weeks’ – darkreading.com

• OWASP Mobile Top 10 Risks
  The OWASP Mobile Top 10 Risks is an overview of a generic list of the most common risks found in mobile applications. We see these risks in mobile applications every day. When we see them they often show up as vulnerabilities in the applications we are assessing.
  • Top Ten Mobile Risks – owasp.org
  • The OWASP Mobile Top 10 Risks for iOS Developers – intrepidusgroup.com

• The CAPTCHA Issue
  A team of researchers at Stanford University has developed a system that can be used to crack the audio captchas used by many web sites. Captchas (Completely Automated Public Turing test to tell Computers and Humans Apart) are used as a protection against automated scripts when, for example, creating mail accounts and to thwart spammers.
  • Audio Captchas: most can be cracked – h-online.com
  • Hotmail Exploit Silently Scooped & Microsoft Audio CAPTCHA Easily Defeated – networkworld.com
  • Microsoft Hotmail Exploit Stealing Email – What’s the Exposure? – paloaltonetworks.com

• Elcomsoft iOS Decryption
  ElcomSoft researchers were able to decrypt iPhone’s encrypted file system images made under iOS 4. While at first this may sound as a minor achievement, ElcomSoft is in fact the world’s first company to do this.
  • ElcomSoft Breaks iPhone Encryption, Offers Forensic Access To File System Dumps – blog.crackpassword.com
  • Russian company releases commercial iOS decryption toolset – arstechnica.com

• Mac Defender Malware Issue
  In the case of Mac Defender (aka Mac Protector and Mac Security), infected users soon began seeing porn windows popping up everywhere (at least, that’s their story and they’re sticking to it). ZDNet’s Ed Bott, who’s been leading the charge on this story — and taking a lot of flak from Apple fanboys along the way — details many of the complaints he found on more than 200 discussion strings in Apple’s support forums.
  • Apple Malware Evolved No Password Required – nakedsecurity.sophos.com
  • The Real Mac Security threat Isn’t Malware: It’s Apple – pcworld.com
  • Use Safari On Your Mac? Make Sure You Change The Default Settings – nakedsecurity.sophos.com

• Challenging The PROTECT IP Act
  A group of leading DNS experts have released a paper detailing serious concerns over the proposed DNS filtering requirements included as part of the bill recently introduced in the U.S. Senate named Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011.
  • Experts Urge Congress to reject DNS filtering from PROTECT IP Act, serious technical concerns raised – circleid.com
  • Blacklists, ahoy! PROTECT IP Act sails on to Senate floor – arstechnica.com
  • Sen. Ron Wyden places a “hold” on the PROTECT IP Act – arstechnica.com

• Skype Privacy Compromised
  Chatting over internet phone networks like Skype may not be as secure as once thought: security researchers have shown that encrypted voice-over-internet-protocol (VoIP) conversations can be partially understood by an eavesdropper.
  • Linguists Break into Skype Conversations – newscientists.com
  • Chapel Hill Computational Linguists Crack Skype Calls – news.slashdot.org

• LinkedIn profiles at hijack risk – scmagazine.com.au
  Vulnerabilities in how cookies were handled on LinkedIn profiles laid user profiles at risk of tampering, a security researcher said.
• LulzSec Leak Sony’s Japanese website Database! – thehackernews.com
  LulzSec Hacking team today Release the Sony’s Japanese website Database dump via their Twitter Account. This is the 9th Attack on Sony. This attack is also using SQL Injection method.
• A Brief History of Physical Memory Forensics – fasthorizon.blogspot.com
  Lately, we have been doing a lot of work around physical memory forensics. Recently, we released the free, community edition of our Responder™ product and plan to release the fourth generation of our memory analysis engine later this year.
• Another Comodo SSL Registrar Hacked – h-online.com
  ComodoBR, the Brazilian partner of the Comodo Certificate Authority (CA), appears to have fallen victim to an attack. During the incident, parts of the company’s database, including customer data and submitted certificate requests, were accessed via SQL injection.
• DHS Publishes Best ICS Vuln Statistics Available – digitalbond.com
  In 2008 DHS issued the first edition of Common Cybersecurity Vulnerabilities in Industrial Control Systems based on 15 ICS security assessments of either products or deployed systems they performed from 2004 to 2008.
• Security researcher finds ‘cookiejacking’ risk in Internet Explorer – news.cnet.com
  A security researcher in Italy has discovered a flaw in Internet Explorer that he says could enable hackers to steal cookies from a PC and then log onto password-protected Web sites.Referring to the exploit as “cookiejacking,” Rosario Valotta claims that a zero-day vulnerability found in every version of Microsoft’s IE under any version of Windows allows an attacker to hijack any cookie for any Web site.
• Vendor’s List of Backdoor Accounts Leaked Online – threatpost.com
  An internal document listing the backdoor accounts for switches manufactured by networking equipment vendor Allied Telesis was circulating online Friday, a day after an internal support page providing instructions on accessing hard coded back door accounts in the company’s products was found to be publicly accessible.