Event Related
- ShmooCon 2012 Updates, Videos, Slides and Presentation
- Five Ways We’re Killing Our Own Privacy – scribd.com/doc
- Slides from ShmooCon and Firetalks Presentation - Attacking Prox Card Systems – opensecurityresearch.com
- Slides and Code from Brad Antoniewicz’s awesome talk on Attacking Prox Card Systems - Shmoocon 2012 – tombom.co.uk
In the absence of an “official” download link for these so far (although I’m sure they’ll be up on the Shmoocon page soon enough), my slides from Shmoocon this year. Seems it got a little press coverage and a whole bunch of attention on Twitter, so I figured I should get these out ASAP.
- RFCAT released! – atlas.r4780y.com
I should probably post *new* slides here within a week. Subscribe to the RSS feed to be notified when I post them. I’m going to see if I can’t nail down a few more details that were bugging me on the demos, and actually talk to the insulin pump.
- Changes to Apple MDM for iOS 5.x – intrepidusgroup.com
I presented an updated talk on Apple’s iOS MDM system at ShmooCon 8. I had a great time, and really enjoyed all the questions and nice comments I received afterwards. I thought I’d mention a couple of the changes that iOS 5 provides.
- ShmooCon 2012 FireTalks – Update 7 (Videos from Friday) – novainfosecportal.com
This post is dedicated to the talks on Friday night. Thanks to Bulb Security and IronGeek for recording and processing the videos so fast!
- Georgia Weidman’s videos – vimeo.com
- Hacker’s Demo Shows How Easily Credit Cards Can Be Read Through Clothes And Wallets – forbes.com
Pull out your credit card and flip it over. If the back is marked with the words “PayPass,” “Blink,” that triangle of nested arcs that serves as the universal symbol for wireless data or a few other obscure icons, Kristin Paget says it’s vulnerable to an uber-stealthy form of pickpocketing.
- Education and Information Sharing Top Priority at 2012 DoD Cyber Crime Conference – blog.mandiant.com
This was my first time heading to the DoD Cyber Crime Conference in Atlanta. The DoD Cyber Crime Center (DC3) hosts the conference every year. DC3 first started as a resource for DoD and Law Enforcement and has grown over the years to include many different organizations that work together to combat Cyber Crime.
Resources
- DatabaseAndroidMalwares – code.google.com
- {book review} The Tangled Web – blog.c22.cc
The Tangled Web is split into 3 parts, starting off with a concise walk-through of the underlying technologies of the web. Unlike so many other books that take for granted that the reader is already up to par on the backstory, Zalewski takes the time to really dig deep into the tools, protocols and RFCs that run the modern web.
- (IN)SECURE Magazine Issue #33 Released – net-security.org
(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.
Tools
- Keychain Dumper Updated for iOS 5 – labs.neohapsis.com
I’ve received a few issue submissions on github regarding various issues people have had getting Keychain Dumper to work on iOS 5. I meant to look into it earlier, but I was not able to dedicate any time until this week. Besides a small update to the Makefile to make it compatible with the latest SDK, the core issue seemed to have something to do with code signing.
- An Update on Android.Counterclank – symantec.com
Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users.
- UPDATE: inSSIDer v2.1.0.1379! – metageek.net
inSSIDer is an award-winning free, open-source Wi-Fi network scanner for Windows Vista and Windows XP. Because NetStumbler doesn’t work well with Vista and 64-bit XP, the authors built an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems.
- Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it – engadget.com
Lunch hours may never feel safe again. That is, if you have a Mac running Lion / FileVault 2, like leaving your computer around, or have unscrupulous colleagues. Data recovery firm Passware claims its “Forensic” edition software can decrypt files protected by FileVault 2 in just 40 minutes — whether it’s “letmein” or “H4x0rl8t0rK1tt3h” you chose to stand in its way.
Techniques
- Windows Loader and ASLR on Binaries – marcoramilli.blogspot.com
Summing up for newer readers, Windows Loader looks for a specific FLAG in the PE Header. In the PE Header, specifically in the IMAGE_OPTIONAL_HEADER section, there is a flag called DLL Characteristics that defines many features for the executable during its loading time, 1 of them being ASLR.
- x64 Windows Shellcode – blog.didierstevens.com
Last year I found great x64 shellcode for Windows on McDermott’s site. Not only is it dynamic (lookup API addresses), but it even handles forwarded functions.
- Ubertooth: Bluetooth Address Breakdown – intrepidusgroup.com
The IG crew is just heading back from ShmooCon, which reminds me of last year’s awesome talk on the Ubertooth One. Intrepidus backed the kickstarter project and, as promised, got 2 Ubertooths. We recently started playing with it, and have a couple of tips and a supplementary script.
Vendor/Software Patches
- Android and Security – googlemobile.blogspot.com
The last year has been a phenomenal one for the Android ecosystem. Device activations grew 250% year-on-year, and the total number of app downloads from Android Market topped 11 billion. As the platform continues to grow, we’re focused on bringing you the best new features and innovations – including in security.
Vulnerabilities
- TDL4 – Purple Haze
- TDL4 – Purple Haze (Pihar) Variant – sample and analysis – contagiodump.blogspot.com
I recently ran into an interesting piece of malware that was downloaded on a victim’s computer. I thought it was TDL/TDSS or maybe a new version of it as it had the same components as the TDL4 bootkit with a functionality of mass-scale PPC (pay-per-click) fraud. TDL had this functionality too and it is most likely spread by the same Russian-speaking gangs using the Blackhole exploit kit.
- TDL4 reloaded: Purple Haze all in my brain – blog.eset.com
This week we received an untypical sample of Win32/Olmarik.AYD (TDL4) from Mila (of the contagiodump blog). We have already spent a long time tracking the TDL4 bootkit family (The Evolution of TDL: Conquering x64) and this time we are seeing key modifications to the dropper and hidden file system.
- Android.Counterclank Found in Official Android Market – symantec.com
Symantec has identified multiple publisher IDs on the Android Market that are being used to push out Android.Counterclank. This is a minor modification of Android.Tonclank, a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device.
- Build Up Your Phone’s Defenses Against Hackers – nytimes.com
Technology experts expect breached, infiltrated or otherwise compromised cellphones to be the scourge of 2012. The smartphone security company Lookout Inc. estimates that more than a million phones worldwide have already been affected.
- Exploiting CVE-2011-2140 another flash player vulnerability – abysssec.com
Before going further, we are sorry for not updating the blog regularly, but it’s because we are busy with a stack of projects and also working on our expert training courses.
So, as we didn’t post any blog posts, here we go with another Flash Player exploit we wrote a long time ago.
- MS11-087 (aka Duqu) : Vulnerability in Windows kernel-mode drivers could allow remote code execution – exploitshop.wordpress.com
Since many folks are asking more about MS11-087, I’m posting some of the interesting questions I’ve got.
- Hackers outwit online banking identity security systems – bbc.co.uk
Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned.
- Webkit normalize bug for android 2.2 (CVE-2010-1759) – exploit-db.com
- MS12-005 : embedded object package allow arbitrary code execution – exploitshop.wordpress.com
MS12-005 is much more dangerous than I thought. Very easy to exploit, and 100% reliable. Now no user interactions are required. Exploit is available.
Other News
- US officials say cyber crimes will overtake terrorism as top threat – slashgear.com
Just as authentication service VeriSign admitted it has been hit by very strong hacking attacks a couple of years ago, US officials have revealed that computer crimes will be more of a threat to the country than terrorism. VeriSign is an example of how cyber attacks can affect tens of millions of civilians, but government offices are also the target of malicious hackers.
- Verisign hacked, data stolen – scmagazine.com.au
Verisign has admitted it was hacked repeatedly in 2010 and could not pin down what data was stolen.
- Half of Fortune 500 firms infected with DNS Changer – computerworld.com
Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the “DNS Changer” malware that redirects users to fake websites and puts organizations at risk of information theft, a security company said today.