Week 28 in Review – 2012

Event Related


  • Low Hanging Fruit – averagesecurityguy.info
    I decided to write a Python script to automate this task for me. Lhf.py takes a single Nessus v2 XML file and prints a summary HTML file with all of the low hanging fruit found in the Nessus file. Currently, lhf.py checks for the following.
  • Advanced Exploitation of Internet Explorer Heap Overflow (Pwn2Own 2012 Exploit) – vupen.com
    In this new blog, we will share our technical analysis and advanced exploitation including ASLR/DEP bypass of a heap overflow vulnerability which was discovered by our team and used at Pwn2own 2012 to compromise a fully patched Internet Explorer 9 on Windows 7 SP1.
  • Tutorial of Weevely – github.com
    Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automate administration and post-exploitation tasks.
  • Tweaking Metasploit Modules To Bypass EMET – Part 2 – badishi.com
    We continue our series of tweaking Metasploit modules to bypass EMET, without changing Metasploit’s payloads. Last time, we talked about bypassing EMET’s EAF using SEH. Since this technique may not necessarily fit your exploit, we present a second technique that bypasses EMET’s EAF without using SEH or changing Metasploit’s payload.
  • InstalledPrograms.xls – blog.didierstevens.com
    Here is a new spreadsheet that lists all installed programs. It does this by enumerating registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
  • Dissecting Traffic from Springpad for iOS – ceriksen.com
    My research over the last couple of months has focused on the security ghetto of WordPress plugins. But recently @arnimarhardar turned me to the subject of mobile applications. As they often use HTTP, I felt right at home. I decided to download a few random applications onto my iPad and then go to town. I personally use my iPhone on a daily basis, so what I’m about to describe to you was quite the eye-opener for me in terms of what sort of data is sent about you to third-parties and such. Let me present to you, an extremely popular application: SpringPad.
  • Hacks that work just by changing the URL – securesolutions.no
    Some examples require URL encoding to work (usually done automatically by browser)
  • OPENSECURITYTRAINING.INFO Welcome Message – opensecuritytraining.info
    In the spirit of OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.
  • Exploits – 1337day.com
    Request exploit is hidden.
  • 154 Billion NTLM/sec on 10 hashes – blog.cryptoaze.com
    Yes, that’s 154B – as in Billion. It was done entirely with AMD hardware, and involved 9×6990, 4×6970, 4×5870, 2×5970, and 1×7970 – for a total of 31 GPU cores in 6 physical systems. We had another 11 cards with 15 GPU cores left over – we didn’t have systems to put them in (mostly nVidia).


  • OWASP WebGoat .NET Released – owasp.blogspot.com
    Over the weekend, I pushed out the newest version of WebGoat.NET – the first major release. I’ve used this version to teach several .NET classes, and the application was received very well, and provided a great playground for developers who want to learn about application security.
  • HIDIOUS: HID Injection Over Usb Suite – hackfromcave.com
    HIDIOUS (HID Injection Over Usb Suite) is an Arduino library for Keystroke injection. The library provides functions to run user defined commands, scripts, or binaries against Windows, Linux, and OSX. Configuration of the payloads is offloaded to a Micro SD card.


  • How to Break Into Security, Grossman Edition – krebsonsecurity.com
    I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.
  • 5 Ways to Find Systems Running Domain Admin Processes – netspi.com
    Migrating to Domain Admin processes is a common way penetration testers are able to impersonate Domain Admin accounts on the network. However, before a pentester can do that, they need to know what systems those processes are running on. In this blog I’ll cover 5 techniques to help you do that. The techniques that will be covered include.
  • Sniffing on the 4.9GHz Public Safety Spectrum – blog.opensecurityresearch.com
    Probably the most important thing to mention about the 4.9GHz spectrum is that you need a license to operate in it! If you don’t have a license (I’m pretty sure you don’t) – IT MAY BE ILLEGAL TO INTERACT WITH THIS BAND.
  • Using Nmap to Screenshot Web Services Troubleshooting – pentestgeek.com
    Recently a member from the Trustwave SpiderLabs team created an nmap NSE script that could be used to take a screenshot of webpages as it scanned the network. Working for a top 10 accounting firm, I conduct a lot of internal penetration tests for clients that operate on very large networks, and sometimes I’m required to audit entire counties.

Vendor/Software Patches

  • Microsoft Security Updates
    • Assessing risk for the July 2012 security updates – blogs.technet.com
      Today we released nine security bulletins addressing 16 CVE’s. Three of the bulletins have a maximum severity rating of Critical and the other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
    • Microsoft Security Bulletin MS12-043 – Critical – technet.microsoft.com
      This security update resolves a publicly disclosed vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker’s website.
    • Microsoft Security Bulletin MS12-044 – Critical – technet.microsoft.com
      This security update resolves two privately reported vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    • Microsoft Security Bulletin MS12-045 – Critical – technet.microsoft.com
      This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • NIST Updates Mobility Guidance – bankinfosecurity.com
    Deploying software that centralizes device management at the organization level is one of the better approaches to help secure mobile devices, new draft guidance from the National Institute of Standards and Technology recommends.


  • Formspring
    • Formspring Hacked – 420,000 Passwords Leaked – securityweek.com
      Formspring, the Social Q&A portal focused on conversations and personal interests, admitted to being breached on Tuesday. The compromise led to the loss of 420,000 hashed passwords, forcing the website to reset the passwords used by every member.
    • Formspring Breach – Let the Password Cracking Commence – novainfosecportal.com
      Some of you may have seen my tweet late last night around midnight that I received a cryptic email an hour so earlier from Formspring, a service that I once used to help answer other peoples’ questions, saying that they were requiring a password reset upon the next login.
  • Yahoo!
    • Yahoo sub-domain compromised – 456k passwords dumped – stratumsecurity.com
      Rumors are running around in a few places that a Yahoo! web property was hacked via SQL injection. Looking at the dump file there are a few clues that it is in fact from Yahoo. This will, no doubt, cause many users headaches. Here are some statistics of interest that were culled from the dump with Pipal.
    • What do Sony and Yahoo! have in common? Passwords! – troyhunt.com
      Another week, another breach. This time Yahoo! was the target with 453,491 email addresses and passwords from their Voices service being exposed for all to see. Whilst unfortunate for those involved, these breaches do give us some unique insight into password practices and as is usually the case, it’s not pretty.
    • Passwords of Plenty*: what 442773 leaked Yahoo! accounts can tell us – blog.eset.com
      While the ongoing floods of leaked account credentials from Formspring, LinkedIn et al. are potentially disastrous for the owners of those accounts, analysis of those data doesn’t only provide a way of seeing whether our own accounts are at risk. It also provides an incentive for us all to re-examine our own password (and passcode) selection strategies by the insight they give us into whether we are using the same far-from-unique passwords as so many of the victims of these breaches.
    • Analysis of Yahoo Voice Password Leak – 453,441 Passwords Exposed – blog.sucuri.net
      We recently heard that a massive leak of Yahoo passwords has been floating on the interwebs for a few days. According to Ars Technica, the dump is from Yahoo Voice and the data was released in clear-text (yes, clear text in 2012). It seems they were not storing the passwords securely.
    • Yahoo Password Dump Analyzed – cyberarms.wordpress.com
      Wow, not one, but two password dumps in one day. Hackers leaked a very large number of Billabong and Yahoo passwords in plain text with no need to try to crack them. We looked at the Billabong one earlier today using the password analysis tool Pipal, now let’s take a look at the Yahoo dump.
  • Billabong
    • Billabong Password Dump Analysis – cyberarms.wordpress.com
      Over 20,000 passwords, supposedly leaked from Billabong have been floating around. And as usual, I like to grab the passwords and analyze them for patterns. So I took 21,435 of them and ran them through the password analysis program Pipal.
    • Password Leaks Continue: Billabong, NVIDIA Accounts Compromised – threatpost.com
      UPDATE: A string of high-profile hacks against online forums and companies continued on Thursday, with news that forums hosted by the technology firm NVIDIA as well as the surf-ware vendor Billabong.
  • Web exploit figures out what OS victim is using, customizes payload – arstechnica.com
    Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform.
  • XSS in iPhone iOS – laplinker.com
    I am going to share my thoughts on an XSS vulnerability I discovered in Apple iPhone iOS.
  • Cross-platform Trojan checks your OS: Attacks Windows, Mac, Linux – zdnet.com
    A new cross-platform Trojan downloader has been discovered. It detects if you’re running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform.
  • Hackers can break into your Cisco TelePresence sessions – zdnet.com
    Major security holes in the Cisco TelePresence product line could allow attackers to execute arbitrary code, cause a denial-of-service condition, or inject commands.

Other News