Week 29 in Review – 2012

Event Related

• Bsides Cleveland 2012 Videos – irongeek.com
  These are the videos from the Bsides Cleveland conference.

Resources

• Hashcat Per Position Markov Chains – blog.spiderlabs.com
  The Markov model is a mathematical system that has had numerous uses and variations since it’s inception over a hundred years ago. Most notable, in terms of computer science, is probably its use in voice recognition systems and telephony networks.
• OWASP iOS Developer Cheat Sheet – owasp.blogspot.com
  There’s a new cheat sheet available in the OWASP cheat sheet series. This one is aimed at iOS app developers, and is available here.
• passingthehash – twitpic.com
  Passing the hash with Firefox…. A picture worth a thousand words…

Techniques

• 10 Techniques for Blindly Mapping Internal Networks – netspi.com
  Occasionally clients require that all network and system discovery is done completely blind during internal pentests (meaning no IP addresses are provided). I know that a lot of people have been exposed to ping and port scan discovery techniques, but on large networks those methods alone can be pretty time consuming. So in this blog I thought I would provide some time saving options that can be used in conjunction with the traditional methods. This blog should be interesting to network administrators, security professionals, and anyone else who wants to learn a few more ways to blindly discover live subnets and systems.
• How to Break Into Security, Bejtlich Edition – krebsonsecurity.com
  For this fourth installment of advice columns aimed at people who are interested in learning more about security as a craft or profession, I reached out to Richard Bejtlich, a prominent security blogger who last year moved from a job as director of incident response at General Electric to chief security officer at security forensics firm Mandiant.
• Pentesting like an Eastern European – blog.spiderlabs.com
  Through SpiderLabs’ Incident Response and Penetration Testing services we get a chance to both examine ‘bad actor’ techniques in the field and help our clients see how their security controls will stand up to them.
• Metasploit Generic NTLM Relay Module – webstersprodigy.net
  NTLM auth blobs contain the keys to the kingdom in most domain environments, and relaying these credentials is one of the most misunderstood and deadly attacks in a hacker’s corporate arsenal. Even for smart defenders it’s almost like a belief system; some people believe mixed mode IIS auth saves them, NTLMv2 is not exploitable, enabling the IIS extended protection setting is all you need, it was patched with MS08-068, you have to be in the middle, you have to visit a website, you have to be an administrator for the attack to matter, etc. etc.

Tools

• Top 10: The Web Application Vulnerability Scanners Benchmark, 2012 – sectooladdict.blogspot.co.il
  An Accuracy, Coverage, Versatility, Adaptability, Feature and Price Comparison of 60 Commercial & Open Source Black Box Web Application Vulnerability Scanners
• Incognito v2.0 Released – labs.mwrinfosecurity.com
  It has been a very long time since I first worked on and released incognito. One of my original design goals was to make it reliable by ensuring it operated entirely using legitimate API calls so as to let Microsoft do the hard work of making it work and ensuring its correct operation with future service packs and operating system versions.
• New Open Source Tool: Audit Parser – blog.mandiant.com
  Mandiant RedlineTM and IOC Finder TM collect and parse a huge body of evidence from a running system. In fact, they’re based on the same agent software as our flagship Mandiant Intelligent Response® product. During the course of their “audits”, these tools conduct comprehensive analysis of the file system (including hashing, time stamps, parsing of PE file structures, and digital signature checks), registry hives, processes in memory, event logs, active network connections,DNS cache contents,web browser history, system restore points, scheduled tasks, prefetch entries, persistence mechanisms, and much more.

Vendor/Software Patches

• Updated Impacket/Pcapy installers for Python 2.5, 2.6 & 2.7 – breakingcode.wordpress.com
  Hi folks! In a previous post I talked about using Impacket and Pcapy on Python 2.6. Since those installers are now out of date, here are fresh ones for various versions of Pcapy and Python, built against WinPcap 4.1.2. There’s also a new Impacket MSI installer that works against all Python versions.
• Microsoft Windows Shell Command Injection – blog.watchfire.com
  Windows File Association allows an application to define a handler that should be called for each operation on a specific file type.

Vulnerabilities

• Here’s why we keep getting hacked – clear and present Billabong failures – troyhunt.com
  It happened again last week. No, not Yahoo! Voices, not the Phandroid Android forums, not NVidia and not Formspring, this time it was Billabong, our legendry Aussie surf brand. As is often the way with these breaches, credit was quickly claimed via Twitter.
• Safe Browsing – Protecting Web Users for 5 Years and Counting – googleonlinesecurity.blogspot.com
  It’s been five years since we officially announced malware and phishing protection via our Safe Browsing effort. The goal of Safe Browsing is still the same today as it was five years ago: to protect people from malicious content on the Internet. Today, this protection extends not only to Google’s search results and ads, but also to popular web browsers such as Chrome, Firefox and Safari.
• {Quick Post} Mail headers – blog.c22.cc
  Following an email to a unnamed company, threw up a couple of interesting facts that companies should really be aware of. Information disclosure is always present, but email headers and failure notices are a goldmine of information if you take the time to dig into them.

Other News

• More Password Hashes to Crack
  • More Password Hashes to Crack – The Oil Company Edition – novainfosecportal.com
    Nothing super large but @digitalsec4u pointed out some recent postings on Pastebin by Anonymous with a good possible supply of hashes you may want to test your cracking skillz against. In an apparent attempt to #SaveTheArtic the data includes emails and passwords from various oil companies including Exxon Mobil, Shell, BP, Gazprom, and Rosneft.
  • More Password Hashes to Crack … from Wall Street IT Recruiter – novainfosecportal.com
    As reported on CIO.com’s “Hacker Claims Breach of 50,000 Accounts From Wall Street IT Recruiting Firm” article (originally from ComputerWorld.com), it looks like hashes from ITWallStreet.com may have been released into the wild for all you amateur password crackers out there.
  • 68,000 Password Hashes from Fish Enthusiast Forum – novainfosecportal.com
    Ahhh … YAPHB (yet another password hash breach)… this time on the Cichlids Forums. The site that we originally read this story on is CyberWarNews.info where they referenced some basic email address stats from OZDC.net (i.e., OZ Data Centa). This time around it was Yahoo! Mail that had the highest registrant count with almost 15K followed closely by Hotmail.
• Apple
  • Apple tries to block iOS in-app purchase hack, fails – zdnet.com
    Apple is working hard to fight the hacking of its In-App Purchase program for iOS. So far though, the company’s attempts have not deterred Russian developer Alexey Borodin who apparently wants Cupertino to fix the underlying problem rather than just trying to block his in-appstore.com service.
  • Apple Mac in-app purchases hacked; everything free like on iOS – zdnet.com
    While Apple is working hard to fight the hacking of its In-App Purchase program for iOS, the same hacker has pulled off almost an almost identical scheme for the Mac. Just like on iOS, this means you can purchase in-app Mac content without actually paying.
• Barack Obama
  • Cybersecurity Bill Backed By Obama Won’t Protect U.S., Experts Agree – idealab.talkingpointsmemo.com
    President Barack Obama penned an op-ed in The Wall Street Journal published online late Thursday calling on the Senate to pass a new cybersecurity bill sponsored by Sen. Joseph Libereman (I-CT) called the Cybersecurity Act of 2012.
  • Taking the Cyberattack Threat Seriously – online.wsj.com
    In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.
• Hacker Opens High Security Handcuffs With 3D-Printed And Laser-Cut Keys – forbes.com
  The security of high-end handcuffs depends on a detainee not having access to certain small, precisely-shaped objects. In the age of easy 3D printing and other DIY innovations, that assumption may no longer apply.
• Charlie Miller: ‘Difficult to write exploits’ for Android 4.1 – zdnet.com
  Android 4.1 Jelly Bean is the most secure version yet. Android now fully implements Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Unfortunately, most Android users will never get to use Jelly Bean on their device.
• The Man Who Hacked Hollywood – gq.com
  They’ve become a part of the pop-culture landscape: sexy, private shots of celebrities (your Scarletts, your Milas) stolen from their phones and e-mail accounts. They’re also the center of an entire stealth industry. For the man recently arrested in the biggest case yet, hacking also gave him access to a trove of Hollywood’s seamiest secrets—who was sleeping together, who was closeted, who liked to sext. What the snoop didn’t realize was that he was being watched, too.
• Nike hacker steals over $80,000 – zdnet.com
  Brad Stephenson went on a five-month shopping spree after he found a loophole in one of Nike’s website. When the Secret Service caught up with him, he had stolen $81,419.58 in Nike merchandise.
• Oracle won’t patch critical hole in Database – zdnet.com
  A serious security flaw in Oracle Database 11g and 10g flagged by the company in April will not get a permanent fix as the work is too tricky, the company has said.
• Russian man held in cyberattacks on Amazon, other online retailers – seattletimes.com
  International authorities have arrested a Russian man in Cyprus on charges that he was behind cyberattacks on Seattle-based Amazon.com and other online retailers in 2008.