Week 11 in Review – 2012

Event Related

• Black Hat Europe 2012 Summaries, Updates and Tools
• BlackHat Europe 2012 Day #1 Wrap-Up – blog.rootshell.be
  BlackHat is back in Europe and, this year, they moved back to Amsterdam! This edition also introduced a new format: A three-days conference with three simultaneous tracks.
• BlackHat Europe 2012 Day #2 Wrap-Up – rootshell.be
  And I’m back with my wrap-up for the second day. Here are a review of the talks I followed today. Rafal Los and Shane MacDougall spoke about “offensive threat modeling on its head”.
• BlackHat Europe 2012 Day #3 Wrap-Up – blog.rootshell.be
  They presented their research about the security of keyword managers on smartphones. It’s recommended to not use the same password across several applications or services.
• BlackHat EU 2012 Day 1 – corelan.be
  After a 2 year detour in Barcelona, BlackHat Europe has returned to Amsterdam again this year.
• BlackHat EU 2012 Day 2 – corelan.be
  Welcome back friends, at day 2 of BlackHat Europe 2012, held in the Grand Hotel Krasnapolsky in the wonderful city of Amsterdam.
• BlackHat EU 2012 Day 3 – corelan.be
  Since doing live-blogging seemed to work out pretty well yesterday, I’ll do the same thing again today. Please join in for day 3 at BlackHat Europe 2012, in a cloudy and rainy Amsterdam.
• Black Hat Europe 2012 – Day 3 – Some thoughts on sandboxes – hp.com
  I’ve always found sandboxes interesting, particularly from a cost-benefit analysis perspective. As a developer you should be writing good code, period. But when the pace of developing new functionality outpaces the ability to do complete software security analysis we see security organizations turning to sandboxing as a method of limiting the amount of damage an exploited piece of code can do.
• Update: PDFid And pdf-parser Didier Stevens – blog.didierstevens.com
  To mark the occasion of my Malicious PDF Analysis workshop at Black Hat Europe 2012, I’m releasing version 0.0.12 of PDFiD and version 0.3.9 of pdf-parser.
• 3 Key take-aways from Amsterdam
  [Black Hat Europe 2012] – hp.com
  This blog is coming to you live from Amsterdam, one of my favorite cities in all the world for its laid-back attitude, it’s brilliant culture, and history beyond books.  The conference has grown again, and I’m having a great time learning.
• TesserCap v1.0 (Black Hat EU 2012 Edition) Released – mcafee.com
  Foundstone’s TesserCap is a GUI based, highly flexible, interactive, point and shoot CAPTCHA analysis tool with the following features.
• Pastemon v1.6 (Black Hat EU 2012 Edition) Released – github.com
  pastemon.pl is a script which runs in the background as a daemon and monitors pastebin.com for interesting content (based on regular expressions). Found information is sent to syslog.
• Black Hat Eu 2012 – notsosecure.com
  Anyways, I was privileged to speak at yet another Black Hat. This time i was a 2nd speaker and along with Tom Forbes we presented a talk on Hacking XPATH 2.0. One question which everyone wants to know, how many times have we found it in the wild? I have seen may be around 7-8 XPath injections in real life pentests and hence I agree this is not very common.
• Black Hat Europe 2012 Briefings – blackhat.com
  BlackHat Europe 2012 presentations and materials released.
• RSA Conference 2012
• Our Five Favorite Videos from RSA 2012 – tripwire.com
  It’s been a little over a week since the conclusion of the 2012 RSA Conference and Security B-Sides. Once again we had a great time interviewing and photographing lots of really smart people about information security.
• (IN)Secure Magazine Special Edition – net-security.org
  (IN) SECURE Magazine is a free digital security, to discuss some of the hottest issues of information security. (IN) magazine has been released! This is the March 2012 special edition!
• SANS Mobile Device Security Summit Recap – spylogic.net
  What I liked most about this event was that there were plenty of “real world” talks on how enterprises are deploying and managing mobile deployments. Real in the “trenches” types of talks. Here are some of the themes that I heard throughout all the talks.
• 44Penetration Testing considered harmful today – blog.thinkst.com
  Early last year we presented at 44con with a talk titled: “Penetration Testing considered harmful today”. 44con have just released the video so we figured it was worth a quick recap (for anyone not willing to tolerate the whiny voice!)

Resources

• Building Information Security Professionals – ethicalhacker.net
  A commonly posed question, particularly among people looking to get into the information security field, is “how do I get into information security?”
• Introducing the Symantec Smartphone Honey Stick Project – symantec.com
  A while back, my wife was mugged and her purse and all its contents were stolen. When she told me, I had three questions: Are you alright? Did you cancel the credit cards and call a locksmith to change our locks? Did they get your phone? My third question was about her smartphone because smartphones today are so integrated into our lives.
• Clickjacking, Cursorjacking and Common Facebook Vulnerabilities – infosecinstitute.com
  Clickjacking is one of the most used attacks by spammers on Facebook. Almost in every month, we face a new type of clickjacking attack on Facebook. Clickjacking is a new type of attack which is performed on web applications.
• Unsung Heros (the list) – blog.c22.cc
  I’ve created the following list in no particular oder, and tried my best to categorize them as best I can. Some things fall into multiple categories, but I’m sure, like many tools, you can use them for a lot of fun things.
• Web Application Pen-testing Tutorials With Mutillidae (Hacking
  Illustrated Series InfoSec Tutorial Videos) – irongeek.com
  When I started the Mutillidae project it was with the intention of using it as a teaching tool and making easy to understand video demos. Truth be told, I never did as much with it as I intended.

Tools

• WCE v1.3beta 64bit released – ampliasecurity.com
  WCE v1.3beta 64bit released. You can download it here. The same functionality recently added to the 32bit version was added to the 64bit version.
• Canape – contextis.com
  Canape is a network testing tool for arbitrary protocols, but specifically designed for binary ones. It contains built in functionality to implement standard network proxies and provide the user the ability to capture and modify traffic to and from a server.
• Open Web Application Security Project: OWASP Hacking-Lab – owasp.blogspot.com
  Hacking-Lab is providing free OWASP TOP 10 hands-on challenges to the OWASP community. This is an inner service of GEC (Global Education Commitee) as part of the Academy Portal project.

Techniques

• Fiddler and NTLM authentication – blog.opensecurityresearch.com
  I was testing a web application recently that used NTLM (over HTTP) to authenticate users. I was using Fiddler to test the web application and ran into the following problem which was hampering / slowing down my testing.
• 64-Bit System Driver Infected and Signed After UAC Bypassed – symantec.com
  What was just a theory not so long ago is now being used in-the-wild by threats such as Backdoor. Hackersdoor and its newer variant Backdoor.Conpee. Back in December we analyzed tdpipe.sys, an infected 64-bit Windows 7 system driver.
• Pwn2Own Challenges: Heapsprays are for the 99% – dvlabs.tippingpoint.com
  In case you arent familiar with the Pwn2Own rules this year, we asked people to exploit public bugs… here’s one of them. The cve in question (cve-2010-0248) is a use-after-free vulnerability in Internet Explorer 8 found by yours truly back in 2010.
• Intro to Chrome addons hacking: fingerprinting – blog.kotowicz.net
  tldr; Webpages can sometimes interact with Chrome addons and that might be dangerous, more on that later. Meanwhile, a warmup – trick to detect addons you have installed.
• Configuring Network Level Authentication for RDP – darkoperator.com
  CredSSP first establishes an encrypted channel between the client and the target server by using Transport Layer Security (TLS). Using the TLS connection as an encrypted channel; it does not rely on the client/server authentication services that are available in TLS but does uses it for validating identity.
• Drive-by FTP: a new view of CVE-2011-3544 – blog.eset.com
  Not long ago we received interesting information from an independent security researcher from Russia, Vladimir Kropotov. (We will be presenting our joint research with him at CARO 2012). We started to research this information and found an interesting way to distribute by FTP the payload for the most common java exploit, which ESET calls Java/Exploit.CVE-2011-3544.
• Framesniffing against SharePoint and LinkedIn – contextis.co.uk
  Framesniffing technique and show how it can be used by a remote attacker to steal sensitive information from users through their web browser.

Vendor/Software Patches

• Microsoft Patch Tuesday
• March 2012 Microsoft Black Tuesday – isc.sans.edu
  Overview of the March 2012 Microsoft patches and their status.
• Strength, flexibility and the March 2012 security bulletins – blogs.technet.com
  Today we’re releasing six security bulletins – one Critical-class, four Important and one Moderate – addressing seven issues in Microsoft Windows, Visual Studio, and Expression Design. We recommend that customers focus on MS12-020, our sole critical-class bulletin, as the March deployment priority.
• MS 12-020
• Microsoft Terminal Services – aluigi.org
  The Microsoft Remote Desktop Protocol (RDP) provides remote display
  and input capabilities over network connections for Windows-based
  applications running on a server. RDP is designed to support different
  types of network topologies and multiple LAN protocols
• Details about the ms12-020 proof-of-concept leak – aluigi.org
  The ms12-020 patch was released the 13 Mar 2012 (CVE-2012-0002).
  The bug was found by me in May 2011 and reported to Microsoft by
  ZDI/TippingPoint in August 2011.
• Why We Rated the MS12-020 Issue with RDP “Patch Now” – isc.sans.edu
  Microsoft’s March 2012 “Black Tuesday” announcement included the MS12-020 patch, which fixes a vulnerability in Microsoft’s implementation of RDP.
• CVE-2012-0002: A closer look at MS12-020’s critical issue – blogs.technet.com
  Microsoft Security Research & Defense: Microsoft information on security mitigations, workarounds, and other technical leadership for better actionable guidance.
• Microsoft warns: Expect exploits for critical Windows worm hole – zdnet.com
  There’s a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.
• MS12-020 Vulnerabilities in Remote Desktop Could Allow Remote Code Execution – exploitshop.wordpress.com
  Crash PoCs are available now by cool guys from freenode co-work.
• Microsoft confirms MAPP proof-of-concept exploit code leak – zdnet.com
  The smoking gun that the leak came from Microsoft’s information was contained in a string found in the Chinese proof-of-concept.
• RDP and the Critical Server Attack Surface – dankaminsky.com
  MS12-020, a use-after-free discovered by Luigi Auriemma, is roiling the Information Security community something fierce. That’s somewhat to be expected — this is a genuinely nasty bug. But if there’s one thing that’s not acceptable, it’s the victim shaming.
• PoC code uses super-critical Windows bug to crash PCs – theregister.co.uk
  Security watchers have discovered proof-of-concept code that attempts to exploit a high-risk Windows security hole, causing computers to crash.
• INFOCON Yellow – Microsoft RDP – MS12-020 – isc.sans.edu
  As we feared the MS12-020 bulletin from last black Tuesday caused a race for finding an exploit.
  The last few evolutions in that process cause our worries to increase significantly. In order to help raise awareness and call administrators to action, we’re raising our INFOCON to YELLOW for 24 hours.
• Exploit code published for RDP worm hole; Does Microsoft have a leak? – zdnet.com
  The code publication has set off alarm bells in the corridors at Redmond because there are clear signs that Microsoft’s pre-patch vulnerability sharing program has been breached or has suffered a major leak.
• Microsoft Security Bulletin MS11-030 – Critical : Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) – technet.microsoft.com
  This security update resolves a privately reported vulnerability in Windows DNS resolution. The vulnerability could allow remote code execution if an attacker gained access to the network and then created a custom program to send specially crafted LLMNR broadcast queries to the target systems. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the LLMNR ports should be blocked from the Internet.
• The MAPP zero-day protection scam – erratasec.blogspot.com
  In the news, it appears that Chinese hackers got hold of the secret proof-of-concept (PoC) exploit for the recent Microsoft RDP bug. The most likely culprit was Microsoft’s MAPP program, which gives PoCs to security vendors 24 hours ahead of the patch so that they update their products to protect against the bug, to provide “zero-day” protection.

Other News

• FBI Can’t Cracked Android Phones
• FBI Can’t Crack Android Pattern-Screen Lock – wired.com
  Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.
• Google subpoenaed by FBI to access a pimps pattern-locked Samsung smartphone – nakedsecurity.sophos.com
  The story of the Pimpin Hoes Daily gang founder Dante Dears, his pattern-locked Samsung phone, the feds, google, and subpoenas. Why couldn’t the FBI get into the locked phone? Get the popcorn – this is interesting.
• Passphrases: Maybe Not as Secure as You Think – readwriteweb.com
  The conventional wisdom seems to be that passphrases are much more secure than passwords, even if the password is complex. Passphrases are likely to be more secure than …
• GCHQ-backed competition names Cyber Security Champion – bbc.co.uk
  A 19-year-old university student has been named the UK’s “Cyber Security Champion” following a competition sponsored by the intelligence agency GCHQ and several leading tech firms.
• The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say) – wired.com
  The National Security Agency’s immensely secret project in the Utah desert will intercept, analyze, and store yottabytes of the world’s communications—including yours.
• Loose-lipped iPhones top the list of smartphones exploited by hacker – arstechnica.com
  Hackers looking for a way into high-value networks often consider smartphones the chink in an otherwise hardened defense. Topping the list is Apple’s iPhone, which indiscreetly broadcasts the unique identifiers of wireless routers it has recently accessed.