Week 22 In Review

Events Related

• PH-Neutral, My First and Last One – blog.rootshell.be
  What differentiate  PH-Neutral from the other conferences? It’s different that’s all! Don’t try to find something equivalent on earth! It’s a mix of party, drinks, talks (yes, there was and good ones!) and social networking. Honestly I never saw so many top-notch hackers per square meter at the same place.

Resources

• Beyond r57 slideshow – slideshare.net
• CMSC 838G, Spring 2011 Syllabus – cs.umd.edu
  OS-level and hardware protection cannot solve the security problem alone.  We need ways to establish the trustworthiness of software, to augment or even replace these mechanisms.  For example, OS-level mechanisms fail to protect against SQL injections, cross-site scripting, stack smashing, and other attacks.
• Stefan Esser Reveals His process For Security Research – resources.infosecinstitute.com
  Stefan Esser is best known as the PHP security guy…Part of his research has been the development of an ASLR implementation for a jailbroken iPhone that he demonstrated at the end of 2010, several months before Apple added this feature to the stock iOS. In 2011 he provided an iOS kernel exploit that is the key ingredient in all current iPhone jailbreaks.
• Formal Social Engineering Methodology Released – kgb.to
  Social engineering has been around for tens of thousands of years so it is time we approach the topic in a professional manner. The Social Engineering Vulnerability Evaluation and Recommendation (SEVER) Project is one way to help penetration testers become more consistent.  I also intend for it to be the best way to teach novices about social engineering concepts.
• Brendan O’Connor’s Vulnerabilities In Not-So Embedded Systems – kgb.to
  If you are looking for Brendan O’Connor’s Black Hat 2006 Presentation Vulnerabilities in Not-So Embedded Systems you have come to the right place.

Tools

• Introducing Faceniff
  FaceNiff is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to. It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks. It’s kind of like Firesheep for android. Maybe a bit easier to use (and it works on WPA2!).
  • Faceniff app – faceniff.ponury.net
  • FaceNiff makes Facebook hacking a portable, one-tap afair – engadget.com

• Using Kon-Boot From A USB Flash Drive – piotrbania.com
  Kon-Boot is sort of a boot loader that let’s you bypass having to use valid credentials when the OS finishes booting. Unfortunately, CDs are hard to put in your pocket, and many machines don’t have floppies any more.
• Microsoft Releases free AV software that boots from CD or USB – connect.microsoft.com
  Microsoft has published a beta of its Standalone System Sweeper software, a bootable recovery tool that can be used to identify and remove rootkits, as well as other advanced malware.

Techniques

• Remote DLL injection with Meterpreter – room362.com
  Recently Didier Stevens wrote ‘Suspender.dll’ which is a DLL that will suspend a process and all of it’s child processes after a delay. 60 seconds is it’s default but you can rename the DLL to add a number (as such ‘Suspender10.dll’ for 10 seconds) to make the delay whatever you wish.
• JSON Hijacking – thespanner.co.uk
  There isn’t a lot of information about JSON hijacking out there at the minute, I will aim to provide a “news update” on the state of publicly known techniques. First off I will give a quick overview of how JSON data can be stolen and explain how JavaScript reads JSON.
• NMAP/Metasploit/MSSQL – zonbi.org
  Recently I’ve been playing around with nmap/metasploit and Microsoft SQL server (2005/2008). Not really on the exploitation side of things but certainly not boring at all. I thought I’d share some of this here (mostly so I don’t forget it in the future).
• Using O2 To Exploit HacmeBank – diniscruz.blogspot.com
  On HacmeBank have you seen the O2 Scripts that automate a number of its exploits?
• Bruteforcing a Windows Password Using A Graphic Card – mytechencounters.wordpress.com
  GPGPU computing is getting lots of attention these days. GPGPU computing simply means doing general calculations on graphic cards (GPUs) rather than CPUs. Traditionally, GPUs were used only for getting graphical output, rendering frames in games and other purposes related to graphics.
• Anatomy of a PDF Hack – readwriteweb.com
  PDFs are widely used business file format, which makes them a common target for malware attacks. Because PDFs have so many “features,” hackers have learned how to hide attacks deep under the surface. By using a number of utilities, we are able to reverse engineer the techniques in malicious PDFs, providing insight that we can ultimately use to better protect our systems. We’ll take you through the process that a hacker uses to insert a piece of malware into a sample PDF.
• Using Nmap to audit your MySQL database – cqure.net
  I’ve been working on a Nmap script for auditing MySQL databases against the CIS 1.0.2 benchmark for a while. I haven’t committed it to subversion yet, but it’s available to download for anyone who feels up to testing it. While it isn’t perfect nor does it contain all CIS controls, it provides Nmap users with the possibility to quickly scan a database to see whether it complies with the CIS recommendations or not.

Vendor/Software Patches

• Wireshark 1.4.7 and 1.2.17 Released – wireshark.org
  Wireshark 1.4.7 and 1.2.17 have been released. Installers for Windows, Mac OS X 10.5.5 and above (Intel and PPC), and source code are now available.

Vulnerabilities

• Automated Vulnerability Disclosure With UpSploit – tmacuk.co.uk
  The aim of the upSploit service is to provide a platform for vulnerability researchers — and other people who come across a vulnerability out of the blue — to be able to alert the vendor to the problem in the most ethical way possible while also automating the process.
• Bank of America allows you to bypass their multi-factor safe pass authentication card by using their mobile page – reddit.com
  Like any security professional I use two-factor authentication as much as possible in my personal life. So when Bank Of America released their safepass card I signed up immediately. Recently I accessed the site via their mobile URL (Linked above) and instead of being asked for my safepass code I was asked my challenge questions (Which are composed of questions that can be determined via public records or have a limited set of answers) instead of for my safepass code.

Other News

• The Great Chinese Gmail Hack
  Hundreds of Gmail accounts have been recently hacked, including the accounts of senior government and military personnel in the U.S. Additionally, officials and activists in South Korea and China were affected in the security breach.
  • Chinese Hacker Cracks Hundreds of Gmail Accounts, Including Those of U.S. Officials – gizmodo.com
  • Google: Chinese hackers monitoring Gmail of activists, journalists, officials – arstechnica.com
  • Google email accounts compromised by ‘Chinese hackers’ – bbc.co.uk
  • How to stop your Gmail account from being hacked – nakedsecurity.sophos.com
  • Feds investigate alleged attacks on Gmail accounts – news.cnet.com
  • Spotting Web-based Email Attacks – krebsonsecurity.com
  • Ensuring Your Information Is Safe Online – googleblog.blogspot.com
  • The Man-In-The-Mailbox – paloaltonetworks.com

• Reverse Engineered Skype Protocol
  Now Microsoft own the most popular VoIP service out there, and surely plans to make it an integral part of their operations and products going forward. At the same time, one researcher has decided he wants to make Skype open source by reverse engineering the protocol the service uses.
  • The Skype protocol has been reverse engineered – geek.com
  • Skype protocol reverse engineered, source available for download – thepiratebay.org
  • Skype protocol being reverse engineered – update – h-online.com
• The Latest Sony Attack
  The same hackers who recently attacked PBS.org have turned their attention back to Sony by releasing the latest dump of information stolen from Sony’s websites. While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.
  • Sony Pictures attacked again, 4.5 million records exposed – nakedsecurity.sophos.com
  • Sony Hit Yet Again, Consumer Passwords Exposed – wired.com
  • What Lockheed Martin, EMC, and SOny have taught us about security – blogs.mcafee.com
• Hardware vendor Offers Backdoor With Every Product – threatpost.com
  IT administrators know there’s nothing more frustrating than losing administrative access to your network equipment. But Allied Telesis, a Japan-based maker of switches, routers and other networking devices, has a fix: guaranteed backdoors for every product.
• Hack of PBS.org: 0Day Or Patch Forensics? – threatpost.com
  A high-profile attack on PBS, the U.S. Public Broadcasting System, was made possible by a previously unknown hole in the MoveableType content management software, according to the hacking group that claimed responsibility for the hack. However, security experts say that the hole may have been derived from studying a recent MoveableType patch.
• It’s Time To Start Sharing Attack Details – threatpost.com
  With not even half of the year gone, 2011 is becoming perhaps the ugliest year on record for major attacks, breaches and incidents. Lockheed Martin, one of the larger suppliers of technology and weapons systems to the federal government, has become the latest high-profile target of a serious attack, and while such incidents are bad news indeed for the victims, they may serve a vital purpose in forcing companies to disclose more data about breaches and attacks.
• Stolen Data Is Tracked To Hacking In Lockheed – nytimes.com
  Lockheed Martin said Friday that it had proof that hackers breached its network two weeks ago partly by using data stolen from a vendor that supplies coded security tokens to tens of millions of computer users.