Week 26 in Review – 2012

Event Related

  • Workshop on the Economics of Information Security 2012 – lightbluetouchpaper.org
    I’m liveblogging WEIS 2012, as I did in 2011, 2010 and 2009. The event is being held today and tomorrow at the Academy of Sciences in Berlin.
  • Blackhat Arsenal Tools Vegas 2012 LineUp – toolswatch.org
    I’m very pleased to announce that Blackhat Team has released the Lineup for Arsenal Floor Vegas 2012. In fact, after 2 months of collecting tools, I was incredibly amazed to see such great astonishing tools. 46% of them are to be announced during the event itself.
  • SIRACon – societyinforisk.org
    The first SIRA Conference was held May 7th, 2012 in Saint Paul, MN. Thanks to all the speakers and attendees for making our inaugural event a success!
  • Videos for ALL Cons – phx2600.org
    I would love to have a somewhat convenient compiled list of all the cons out there that have videos, and the links to the page(s) that have the videos. I will post a list of my own that I have compiled so far. If anybody knows of any other ones please feel free to reply with it.

Resources

  • eHarmony Password Dump Analysis – blog.spiderlabs.com
    Password cracking was performed on a custom built system using off-the-shelf parts totaling less than $1,500 utilizing three NVIDIA 460GTX graphics cards (GPUs) as the primary medium for the password cracking process.
  • BMC Remedy Password Descrambling – rewtdance.blogspot.com
    The BMC Remedy application scrambles the users password with client side javascript on the login.jsp page.
  • All your ASUS servers iKVM/IPMI may belong to other! – pedromadias.wordpress.com
    In this post I will describe how I found multiple implementation fails by ASUS that allows a remote attacker to grab user’s passwords and consequently access ASUS iKVM/IPMI equipped servers.
  • 6 Weeks and 60,000 Passwords Later – securityblog.verizonbusiness.com
    There were quite a few statistics that jumped out at me in this year’s data breach report, however one of them stuck in my head: 79% of all attacks were classified as “opportunistic”. We define opportunistic attacks in the report as “The victim isn’t specifically chosen as a target; they were identified and attacked because they exhibited a weakness the attacker knew how to exploit.”
  • Open Source Passive DNS Replication – users.isc.org
    This is a presentation.
  • Insecure Cryptographic Storage Explained – veracode.com
    We recently recorded Veracode Security Researcher Chris Lytle discussing Insecure Cryptographic Storage. Insecure Cryptographic Storage is a common vulnerability that occurs when sensitive data is not stored securely.

Techniques

  • How to Break Into Security, Ptacek Edition – krebsonsecurity.com
    I decided to ask some of the brightest minds in the security industry today what advice they’d give. Almost everyone I asked said they, too, frequently get asked the very same question, but each had surprisingly different takes on the subject.
  • Exploiting Windows 2008 Group Policy Preferences – Expanded – rewtdance.blogspot.com
    This follows on from the disclosure http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences which discussed how Group Policy Preferences can be used to create Local Users on machines and the resulting passwords easily decrypted.
  • Hack Tips: CiscoWorks Exploitation – blog.opensecurityresearch.com
    This article is the third in a series (See Hack Tips: Blackberry Enterprise Server and Hack Tips: Good For Enterprise) covering, step-by-step, practical post-exploitation tips that can be used to get the most out of various common network servers.
  • Password Audit of a Domain Controller – blog.cyberis.co.uk
    Following on from our article on SAM retrieval without injection, a few people have asked if this technique is possible on a Domain Controller. Unfortunately, no, as account information, including hashes, is stored rather differently in Active Directory. The file in question is ntds.dit – an Extensible Storage Engine that basically stores all AD account information, including group membership, account status and importantly, password hashes.
  • Network Analysis With ProxyDroid, BurpSuite, and Hipster Dog – intrepidusgroup.com
    My last post gave an overview of some options to setup your environment for Android network analysis. Of the winners that I pointed out, my personal favorite way to do an assessment (depending on the app) is to use ProxyDroid to forward network traffic to BurpSuite’s proxy.

Tools

Vulnerabilities

  • RSA
    • Why RSA is misleading about SecurID vulnerability – rdist.root.org
      There’s an extensive rebuttal RSA wrote in response to a paper showing that their SecurID 800 token has a crypto vulnerability. It’s interesting how RSA’s response walks around the research without directly addressing it. A perfectly accurate (but inflammatory) headline could also have been “RSA’s RSA Implementation Contained Security Flaw Known Since 1998”.
    • RSA repeats earlier claims, but louder – rdist.root.org
      Sam Curry of RSA was nice enough to respond to my post. Here’s a few points that jumped out at me from what he wrote.

Other News

  • Researchers steal keys from RSA tokens – Update – h-online.com
    Researchers have succeeded in determining the secret RSA key from an RSA SecurID 800 Authenticator token in just 13 minutes. The attack – described in the paper “Efficient Padding Oracle Attacks on Cryptographic Hardware” by Bardou, Focardi, Kawamoto, Simionato, Steel and Tsay – is in principle nothing new.
  • Hardware Hacker Sentenced to 3 Years in Prison for Selling Rooted Cable Modems – wired.com
    Cable-modem hacker Ryan Harris has been sentenced to three years in prison for helping users steal internet access in what the authorities say was a $1 million scheme to defraud cable companies of business.
  • RIAA chief: ISPs to start policing copyright by July 1 – news.cnet.com
    Comcast, Time Warner, and Verizon are among the ISPs preparing to implement a graduated response to piracy by July, says the music industry’s chief lobbyist.
  • Serious Web Vulnerabilities Dropped In 2011 – it.slashdot.org
    “It’s refreshing to see a security report from a security vendor that isn’t all doom-and-gloom and loaded with FUD. Web Application Security firm WhiteHat Security released a report this week (PDF) showing that the number of major vulnerabilities has fallen dramatically. Based on the raw data gathered from scans of over 7,000 sites, there were only 79 substantial vulnerabilities discovered on average in 2011. To compare, there were 230 vulnerabilities on average discovered in 2010, 480 in 2009, 795 in 2008, and 1,111 in 2007. As for the types of flaws discovered, Cross-Site Scripting (XSS) remained the number one problem, followed by Information Leakage, Content Spoofing, Insufficient Authorization, and Cross-Site Request Forgery (CSRF) flaws. SQL Injection, an oft-mentioned attack vector online – was eighth on the top ten.”