Week 38 In Review

Events Related

Resources

• PDFXray Files – github.com
• Clickjacking for Shells – morningstarsecurity.com
  Two years after the world was warned about clickjacking, popular web apps are still vulnerable and no web app exploits have been published. With many security pros considering clickjacking to have mere nuisance value on social networks, the attack is grossly underestimated. I will demonstrate step by step how to identify vulnerable applications, how to write exploits that attack web apps and also how to protect against clickjacking.

Tools

• Qubes Beta 2 Released – theinvisiblethings.blogspot.com
  We faced quite a few serious problems with this release that were caused by an upgrade to Xen 4.1 (from Xen 3.4) that we used in Beta 1. But finally we managed to solve all those problems and all in all I’m very happy with this release. It includes many performance optimizations compared to Beta 1 (CPU- and memory-wise) and also many bugfixes.
• tftptheft – code.google.com
  TFTP Theft is a tool which allows one to quickly scan/bruteforce a tftp server for files and download them instantly.

Techniques

• Crawling For Domain Admin With Tasklist – pauldotcom.com
  The scenario is this. You’ve used a tool such as NBTEnum to enumerate Domain Admin account names. You’ve also managed to gain Local Administrator credentials by dumping and cracking the hashes of a vulnerable system on the network. Like most of corporate America, the target organization is using a universal Local Administrator account across most of their enterprise.
• A Brave New Wallet, First Look At Decompiling Google Wallet – intrepidusgroup.com
  For the record, I welcome our new contactless payment overlords. I truly see the value in having the ability to make a payment transaction with our mobile devices. This opens up an opportunity to make these transactions more secure, give customers a better user experience, and also give them more control over payment options.
• ARM, Pipeline and GDB, oh my! – intrepidusgroup.com
  This post off will start with an important question. Look at Listing 1 below; after executing the instruction located at main+12, what values will be stored in r0 andr1? Take a moment to consider this.
• hack.lu CTF 2011 nebula DB systems – vnsecurity.net
  While you were investigating the Webserver of Nebula Death Stick Services, we, the Galactic’s Secret Service, put our hands on a SSH account of one of the Nebula Death Stick Services founders.
• simple-shellcode-generator.py – blog.didierstevens.com
  Why is using malware a bad idea? It’s dangerous and not reliable. Say you use a trojan to test your sandbox. You notice that your machine is not compromised. But is it because your sandbox contained the trojan, or because the trojan failed to execute properly? It might surprise you, but there’s a lot of unreliable malware out in the wild.

Vulnerabilities

• OS X Lion Password Flaw
  In OS X, user passwords are encrypted and then are stored in files called “shadow files” which are placed in secure locations on the drive. Based on system permissions, the contents of these files can then only be accessed and modified by the user, or by administrators provided they first give appropriate authentication.
• OS X Lion Passwords Can Be Changed By Any Local User – reviews.cnet.com
• Flaw in OS X Lion Allows Unauthorized Password Changes – nakedsecurity.sophos.com
• Security Duo Finds Another Pair of Vulnerabilities In Android – reviews.cnet.com
  Remember the duo who released an Angry Birds spoof application last fall in effort to highlight some of Android’s vulnerabilities? If so, perhaps you also recall hearing that Google had to implement the remote kill feature in Android about the same time. Well, those guys are back and, judging by their latest finding, things still don’t look to be all that secure.
• EFF’s Open Source Security Audit Uncovers Security Vulnerabilities in Messaging Software – eff.org
  We recently did a security audit in which we uncovered and helped to fix vulnerabilities in the popular open source messaging clients Pidgin and Adium. We were motivated by our desire to bolster the security of cryptographic software that we often recommend to individuals and organizations as a defense against surveillance.

Vendor/Software Patches

• Adobe to rush out Flash Player patch to thwart zero-day attacks – zdnet.com
  Adobe is planning to rush out a critical Flash Player patch later today (September 21, 2011) to fix security holes that are being used in targeted zero-day attacks.

Other News

• The BEAST Attacks
  The attack, developed by Juliano Rizzo and Thai Duong, will be presented at the Ekoparty conference in Argentina on Friday, and, unlike many other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol.
• New Attack Breaks Confidentiality Model of SSL, Allows Theft of Encrypted Cookies – threatpost.com
• Chrome and the Beast – imperialviolet.org
• Hackers Break SSL Encryption Used By Millions of Sites – theregister.co.uk
• Tool Cracks SSL Cookies In Just 10 Minutes – h-online.com
• TLS 1.2 Look before You Leap! – isc.sans.edu
• Hard Lesson About Hacking And Proxy Services – blogs.cisco.com
  Note that I was not sad to see the good guys bust a cybercriminal, but I was sad to see a nice guy I had met and talked to briefly at BlackHat Las Vegas 2011 turn out to be a suspect wanted by the FBI.
• The Danger of Second Order Vulnerabilities – threatpost.com
  These less-noticed vulnerabilities are the ones that penetration testers–and more worryingly, attackers–use to dig deep into a target network once they’ve already gotten a foothold in the environment.
• 7 Lessons: Surviving A Zero Day Attack – informationweek.com
  When Pacific Northwest National Laboratory detected a cyber attack–actually two of them–against its tech infrastructure in July, the lab acted quickly to root out the exploits and secure its network. PNNL then did something few other cyber attack victims have been willing to do. It decided to talk openly about what happened.
• Japan Defence Firm Mitsubishi Heavy In Cyber Attack – bbc.co.uk
  Mitsubishi Heavy Industries (MHI) said viruses were found on more than 80 of its servers and computers last month. The government said it was not aware of any leak of sensitive information.
• OnStar Tracks Your Car Even When You Cancel Service – wired.com
  Navigation-and-emergency-services company OnStar is notifying its six million account holders that it will keep a complete accounting of the speed and location of OnStar-equipped vehicles, even for drivers who discontinue monthly service.