Week 14 in Review – 2012

Event Related

• AppSecDC
• AppSecDC Recap: Old Webshells, New Tricks – novainfosecportal.com
  Back in the day web shells were all the rage so I was curious what “new” was happening in this area. Ryan Kazanciyan started off with a summary of some of the more poplar web shells he’s seen in the past several years.
• AppSecDC Recap: Python Basics for Web App Pentesters – novainfosecportal.com
  I had the opportunity to attend the “Python Basics for Web App Pentesters – Part 2″ by Justin Searle. Being someone that hasn’t program for a good number of years, this Python talk really appealed to me.
• AppSecDC Recap: SharePoint Security 101 – novainfosecportal.com
  I’ve written about SharePoint security before and my opinion was that it’s getting much better however they have a lot of insecure stigma to shake off. Additionally, securing it can be done however it may become very cumbersome to manage in large environments.
• InfoSec Southwest 2012 Ripe Hashes – korelogic.com
  As part of a recent presentation for the InfoSec Southwest conference (http://www.infosecsouthwest.com/), KoreLogic scoured the Internet looking for MD5 and SHA1 password hashes.
• CanSecWest Applied Security Conference: Vancouver, British Columbia, Canada – cansecwest.com
  Best security conference for technical people
• [AthCon 2011] Network Exploitation with Ncrack – It’s not about plain brute-forcing anymore – youtube.com
  Video for Network Exploitation with Ncrack with the speaker Fotis Hantzis
• Smart Bombs: Mobile Vulnerability and Exploitation Presentation – spylogic.net
  This week I co-presented “Smart Bombs: Mobile Vulnerability and Exploitation” with John Sawyer and Kevin Johnson at OWASP AppSec DC.

Resources

• Towards Firmware Analysis – sensepost.com
  While I was evaluating a research idea about a SCADA network router during the past week, I used available tools and resources on the Internet to unpack the device firmware and search for interesting components.
• Fusion Advancing exploit mechanisms – exploit-exercises.com
  Fusion is the next step from the protostar setup, and covers more advanced styles of exploitation, and covers a variety of anti-exploitation mechanisms.
• Ascii shellcode – Security101 – blackhatacademy.org
  Printable ascii shellcode is used to evade sanitizing on the network and software layers during buffer overflow exploitation.
• X-Frame-Options – blog.whitehatsec.com
  What is it and why should I care? X-Frame-Options (moving towards just Frame-Options in a draft spec – dropping the X-) is a new technology that allows an application to specify whether or not specific pages of the site can be framed. This is meant to help prevent the clickjacking problem.
• Getting your message across: Screenshots – blog.c22.cc
  Since I’ve finally started doing something with pentestreports.com I thought it was time to write-up some interesting content. Seeing as this one has been bugging me for a while, I thought it would make an interesting starting point. As always, comments are welcomed and encouraged!
• Dinis Cruz blog: Great description of why OWASP Summits are special – diniscruz.blogspot.com
  Abe (on the owasp-leaders list) just posted the text below in response to my Summits must be part of OWASP’s DNA reply and it provides one of the best descriptions of what makes Owasp Summit’s special and worthwhile doing.

Tools

• ModSecurity Advanced Topic of the Week: Automated Virtual Patching using OWASP Zed Attack Proxy – blog.spiderlabs.com
  The SpiderLabs Research Team has added an example script to the OWASP ModSecurity Core Rule Set (CRS) Project archive that will help users to quickly implement virtual patches for vulnerabilities identified by an open source web vulnerability scanning tool.
• GooDork Command Line Google Dorking/Hacking Tool – darknet.org.uk
  GooDork is a simple python script designed to allow you to leverage the power of Google Dorking straight from the comfort of your command line. There was a GUI tool we discussed a while back similar to this – Goolag – GUI Tool for Google Hacking.
• Medusa 2.1 Release – foofus.net
  What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net.
• Enema is Powerful tool for SQL injection – pentestit.com
  Enema is not autohacking software. This is dynamic tool for people, who knows what to do. Not supported old database versions (e. g. mysql 4.x). Development targeted to modern versions.
• Adobe open sources Malware Classifier tool – h-online.com
  Adobe has open sourced a tool for analysing and classifying malware to help security first responders, including malware analysts and security researchers. Called “Adobe Malware Classifier”, the command-line tool is written in Python and was originally created for internal use by the Adobe Product Security Incident Response Team (PSIRT) “for quick malware triage”.
• Dissecting the SQL Injection Tools Used By Hackers – blog.imperva.com
  Recently, during a presentation to a group of security professionals, an impromptu poll was taken asking attendees whether they were familiar with Havij, a SQL injection tool used heavily in the hacking community.
• Web tool checks if your Mac is Flashback-free – cnet.com
  Have you been put off by the work required to find out if your machine is one of the unlucky ones infected with the Trojan? There’s a new Web app that will check your Mac.
• Intersect version 2.5 update – github.com
  Intersect is a post-exploitation framework written in Python. The main goal of this project is to assist penetration testers in the automation of many post exploitation and data exfiltration tasks that they would otherwise perform manually. With the Intersect framework, users can easily build their own customised scripts from the pre-built templates and modules that are provided or they can write their own modules to add additional or specialised functionality. As of the time of writing, there are almost 30 separate modules to choose from and more are added almost daily.
• Mercury: An Open Source Android Assessment Framework! – labs.mwrinfosecurity.com
  Mercury is a framework that provides interactive tools that allow for dynamic interactions with the target applications running on a device.

Techniques

• windows privilege escalation via weak service permissions – travisaltman.com
  When performing security testing on a Windows environment, or any environment for that matter, one of the things you’ll need to check is if you can escalate your privileges from a low privilege user to a high privileged user.
• Another Approach To Tracking ReadFile – dvlabs.tippingpoint.com
  We often receive fuzzed file submissions, which at times can be agonizing to analyze. Tools help a lot here, as we have shown in previous posts, such as with Peter’s awesome write up on hooking ReadFile and MapViewOfFile.

Vulnerabilities

• Apple Mac
• Apple patches Mac Java zero-day bug – Computerworld – computerworld.com
  Apple yesterday released a Java update for Mac owners that fixes a dozen security flaws, including one that has been exploited by attackers for at least two weeks.
• Mac Flashback Exploiting Unpatched Java Vulnerability – f-secure.com
  A new Flashback variant (Mac malware) has been spotted exploiting CVE-2012-0507 (a Java vulnerability). We’ve been anticipating something like this for a while now.
• More than 600,000 Macs infected with Flashback botnet – news.cnet.com
  Russian antivirus company says half the computers infected with malware designed to steal personal information are in the U.S. — with 274 located in Cupertino.
• Mac Flashback Trojan: Find Out If You’re One of the 600,000 Infected – lifehacker.com
  There’s a new Mac trojan that’s been floating around, and it’s terrifying everyone.
• 600,000+ Macs are in this botnet, including 274 in Cupertino – nakedsecurity.sophos.com
  For the second time in a year there appears to be widespread malware infections affecting users of Apple’s OS X operating system.
• Apple’s security code of silence: A big problem – news.cnet.com
  Security industry insiders have long known the Mac platform has its holes. The Flashback Trojan is the first in-the-wild issue that’s confirmed this, and big-time. More will follow unless Apple steps up its game.
• Flashback the largest Mac malware threat yet, experts say | Security – CNET News – cnet.com
  Congratulations, Apple. The Mac is now popular enough to attract major attention from the bad guys.
• Credit Card Hacks
• Up to 1.5M credit card numbers stolen from Global Payments – news.cnet.com
  Payments processor believes no names, addresses, or Social Security numbers were stolen in the security breach.
• Hackers can steal credit card data from used Xbox 360s – zdnet.com
  Security researchers at Drexel University and Dakota State University say they can extract credit card information from Microsoft Xbox 360s even after they have been restored to factory settings.
• Global Payments: 1.5MM Cards Exported – krebsonsecurity.com
  Global Payments, the credit and debit card processor that disclosed a breach of its systems late Friday, said in a statement Sunday that the incident involved at least 1.5 million accounts.
• Malware
• Most Popular Internet Sites Consistently Serving Up Malware – darkreading.com
  According to a new malware report issued last week by Barracuda Labs, 58 of the sites listed among Alexa’s top 25,000 most popular websites are delivering drive-by downloads of malicious code, potentially affecting millions of users each day.
• New Android Malware Variant Can Remotely Root Phone – threatpost.com
  A new version of Android malware has been tweaked so it doesn’t require user interaction for an attacker to own the device, according to research published by Lookout Mobile Security yesterday.
• SQL Injection
• SQL Injection through HTTP Headers – resources.infosecinstitute.com
  During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique inputs vectors ever.
• SQL Injection Still Slams SMBs – darkreading.com
  In spite of recent data from some firms showing the decline of SQL injection attacks as compared with other cybercrime methods, a new survey released this week shows that among SMBs concerned about database security, thwarting SQL injection attacks remains their highest priority.
• Mozilla
• Mozilla Adds Older Java Versions to Firefox Blocklist – threatpost.com
  Mozilla has added Java to the blocklist of malicious apps in the Firefox browser because older versions of it are being exploited in attacks.
• Why an outdated Java Plugin is so serious – blog.mozilla.com
  Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically.
• Microsoft readies patch for gaping IE browser security holes – zdnet.com
  In all, Microsoft will release 6 bulletins this month to address at least 11 documented vulnerabilities in several software products.
• Pastebin to hire staff to tackle hackers’ ‘sensitive’ posts – bbc.co.uk
  The owner of Pastebin.com says he plans to hire more staff to help police “sensitive information” posted to the site.
• Forget SOPA, You Should Be Worried About This Cybersecurity Bill – techdirt.com
  While most folks are looking elsewhere, it appears that Congress is trying to see if it can sneak an absolutely awful “cybersecurity” bill through Congress.
• Arms Race In Zero Days Spells Trouble For Privacy, Public Safety – threatpost.com
  This is the second of a two-part podcast with independent security researcher Chris Soghoian.
• Hotel Wifi JavaScript Injection – justinsomnia.org
  I probably wouldn’t have thought much of it, except my blog had recently been hacked (someone had gained elevated access to my web hosting account and prepended every single PHP file with a base64 encoded rootkit), so I immediately decided to view the source.

Other News

• Hacking in China
• Anonymous hacks hundreds of Web sites in China – news.cnet.com
  The online hacktivist group defaces government and commercial sites with a message predicting the downfall of the Chinese government, although no central government sites appear to have been compromised.
• Hacker steals Chinese government defense contracts – zdnet.com
  Hacktivist Hardcore Charlie says he has hacked China National Import & Export Corp (CEIC), a Chinese government defense contractor, and stole over 500MB worth of documents.
• Massive firewall vendor lets domain expire – domainincite.com
  Check Point Software, one of the world’s leading firewall vendors, forgot to renew its main domain name and it wound up parked by its registrar over the weekend.
• CabinCr3w Hacker Arrested by FBI – threatpost.com
  Federal authorities have arrested a Texas man accused of working for the hacking group CabinCr3w, a group that once targeted Goldman Sachs CEO LLoyd Blankfein.
• Hacker jailed for stealing 8 million identities – zdnet.com
  A British hacker has been sentenced to 26 months for stealing 200,000 PayPal accounts, 2,701 bank card numbers, as well as 8,110,474 names, dates of birth, and postcodes of U.K. residents.
• Researchers Release New Exploits to Hijack Critical Infrastructure – wired.com
  Researchers have released two new exploits that attack common design vulnerabilities in a computer component used to control critical infrastructure, such as refineries and factories.
• US government hires company to hack into video game consoles – zdnet.com
  The U.S. Navy is paying a company six figures to hack into used video game consoles and extract sensitive information. The tasks to be completed are for both offline and online data.
• Watch Out, White Hats! European Union Moves to Criminalize ‘Hacking Tools’ – wired.com
  The European Union is continuing a push to criminalize the production or sale of “hacking” tools, a move that civil liberties advocates argue could make criminals out of legitimate security researchers.