Week 31 in Review – 2012

Event Related

• DEFCON 20
• DEFCON 20: Day 2 Interesting Presentations – it.toolbox.com
  Day 2 of DEFCON, and things are jamming. There is a tremendous amount of energy at this 20 year celebration of the Con. People are behaving, and the talks are pretty interesting.
• Defcon Day 2 Talk Notes – The DCWG Debriefing – novainfosecportal.com
  In November of 2011 a multinational force of feds and wizards took down Rove Digital’s on-line infrastructure including the DNS Changer name servers. Under contract to the FBI, employees of Internet Systems Consortium (ISC) installed “clean” replacement DNS servers to take care of a half million DNS Changer victims.
• The tl;dr version of Moxie’s MSCHAPv2 – erratasec.blogspot.com
  I couldn’t figure out what the deal is with Moxie’s MSCHAPv2 talk, as cracking the challenge/response for weak passwords has been known for the last decade. In addition, the press has enormously hyped this talk beyond any reasonable degree.
• End of Days for MS-CHAPv2 – isc.sans.edu
  Moxie Marlinspike and David Hulton gave a talk at Defcon 20 on a presentation on cracking MS-CHAPv2 with 100% success rate. This protocol is still very much in use with PPTP VPNs, and WPA2 Enterprise environments for authentication.
• Defcon is 20 Years Old in 2012 – securelist.com
  Defcon 2012 marked its 20th anniversary with unexpected speakers, some pretty tough content, and the cultural dark magic that buzzes the conference every year.
• Defcon focus on the Fed comes with conflicting emotions – blog.eset.com
  After my colleague Stephen Cobb stood in a huge line at Defcon waiting to get into the Friday keynote by NSA chief General Alexander, plus a swarm of interest shown at the two-part “Meet the Fed” panel presentation the next day, it’s becoming clear that multiple agencies of the federal government are focused on hackers, and vice versa. But to what end?
• Defcon And Black Hat Wrap-Up: Wifi And VPN Crypto Cracked, NSA Chief Asks For Hackers’ Help, Android Vulnerable To Brute Force Attack – forbes.com
  The annual five-day, back-to-back Las Vegas security conferences Black Hat and Defcon provide the main stage for the information security community’s biggest stunts and revelations–more than any one reporter can cover. So here are a few of the highlights from this year’s hacker bonanza that I haven’t already written about.
• DEFCON 20 CTF Network – s3.amazonaws.com
  This is a torrent file.
• Cryptohaze Cloud Cracking Slides & Writeup – blog.cryptohaze.com
  In the event that you missed my talk at Defcon 20, I’m putting a written version of it up here, along with my relevant presentation slides. I’ll link the video when it goes up. This is a summary of what I talked about, and does include more information that was not available at the time of the actual talk.
• Huawei’s routers of vulnerability – h-online.com
  “Hacking
  [redacted] Routers” was the title of a lecture at Defcon by security expert Felix Lindner (also known as FX) and Gregor Kopf of the Berlin-based Recurity Labs. The “censored” routers were quickly established as being the AR18 and AR28 routers from the Chinese manufacturer Huawei.
• Defcon 20 slides – ia600505.us.archive.org
  Here are the slides for Defcon 20.
• Tracing Bugs in Wireshark – isisblogs.poly.edu
  So word spread pretty quickly about the wireshark bugs being thrown around Defcon 20 CTF. After I got my hands on acme pharms packet capture I quickly set out to recover the evil packets and weaponize them 🙂
• What you need to know about the vulnerabilities in MSCHAPv2 – blog.zoller.lu
  There was a talk at Defcon 20 entitled “Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2”, by Moxie and David Hulton – the talk announced the implementation of a tool that reduced the security of MS-CHAPv2 to the strength of a single DES encryption.
• “Crack Me If You Can” – DEFCON 2012 – contest-2012.korelogic.com
  The initial feeling this year was that the contest had become overly complicated. The KoreLogic team introduced several new rules which seemed designed to handicap the larger teams, while we definitely appreciate the idea of getting more people involved in password cracking, as a large team, we felt rules such as those to be biased.
• 2012 AIDE Conference
• Video: Pen Testing HTML 5 Web Storage – community.rapid7.com
  Recorded at the 2012 AIDE conference, this video covers a presentation given by Jeremy Druin; a professional web application and network pen-tester. The topic is pen-testing html5 web storage which is a client-side storage technology available in html5-aware browsers. Web storage is discussed from two perspectives: altering your own web storage and altering the web storage of a remote user.
• BSides Las Vegas 2012
• BSides Las Vegas 2012 Videos – irongeek.com
  These are the videos from the BSides Las Vegas conference. Thanks to all of the BSides Crew for having me out to help record and render the videos.
• Black Hat USA 2012
• Black Hat – Don’t stand so close to me: An analysis of the NFC attack surface – nakedsecurity.sophos.com
  Near field communications (NFC) technology is becoming increasingly common in our daily lives. Most of us have used a contactless credit card (PayPass, PayWave), Oyster card (public transit) or other NFC driven technology.
• Briefings – blackhat.com
  Briefings for Black Hat 2012.
• Black Hat 2012 – blog.tenablesecurity.com
  Few things spark your passion for information security the same way as a conference. It’s inspiring to talk to so many different people in the industry and listen to a variety of talks, all in one place.
• [Blackhat 2012] HTML5 Top 10 Threats Stealth Attacks and Silent Exploits – shreejaj.blogspot.com
  BlackHat 2012 was really fun and lots of interesting talks. I presented paper on HTML5 Top 10 Threats and Security. You can find slides and paper over here.
• Appthority Unveils Hidden Security Risks Of Top Mobile Apps – darkreading.com
  Appthority, The Authority in App Security™, has released its App Reputation Report to cast a spotlight on the hidden behaviors of the top free mobile apps. The report reveals the security issues raised by the “bring your own device” (BYOD) movement, app market fragmentation for developers, popular app categories and the sensitive data that apps can access.
• Another BlackHat, Another Oracle 0day – slaviks-blog.com
  I’ve attended BlackHat Vegas last week and of course went to see David Litchfield’s presentation. It started rather slow with vulnerabilities I was already familiar with but he saved the best for last. Another Oracle 0day – and I’ve got the pictures to prove it!
• Blackhat Arsenal 2012 Releases: Watobo Web Application Toolbox v0.9.9.pre3 – toolswatch.org
  WATOBO is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits. We are convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.
• Blackhat Arsenal 2012 Releases: Armitage Cyber Attack Management for Metasploit v.07.27.12 with Cortana – toolswatch.org
  Armitage organizes Metasploit’s capabilities around the hacking process. There are features for discovery, access, post-exploitation, and manuver. This section describes these features at a high-level, the rest of this manual covers these capabilities in detail.
• Blackhat Arsenal 2012 Releases: Smartphone Pentesting Framework v0.1 in the wild – toolswatch.org
  The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices.
• Blackhat Arsenal 2012 Releases: Vega Open Source Web Application Scanner 1.0 Beta – toolswatch.org
  Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: Javascript.
• Blackhat Arsenal 2012 Releases: Tenacious Diggity – New Google Hacking Diggity Suite Tools – toolswatch.org
  The Google Hacking Diggity Project is a research and development initiative dedicated to investigating the latest techniques that leverage search engines, such as Google and Bing, to quickly identify vulnerable systems and sensitive data in corporate networks.
• Blackhat Arsenal 2012 Releases: Oyedata v0.1 for OData Protocol Assessments – toolswatch.org
  OData is a new data access protocol that is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP but hasn’t been publically explored in terms of security. OData aims to provide a consistent access mechanism for data access from a variety of sources including but not limited to, relational databases, file systems, content management systems, and traditional web sites.
• Blackhat Arsenal 2012 Releases: zCore IPS & zAnti-Modern Smartphone Security – toolswatch.org
  zCore IPS™ is our comprehensive Mobile Intrusion Prevention System designed specifically for smartphones.Modern smartphones are not as safe as you might think, they suffer from the same vulnerabilities that have haunted the popular x86 architecture in PCs for years.
• 5 takeaways from Las Vegas – securelist.com
  Probably the two most important security conferences in the world are held in Las Vegas during the same week, gathering more than 15,000 attendees and offering dozens of talks.
• Hacking Embedded Devices: UART Consoles – labs.mwrinfosecurity.com
  The ‘Hardware Hacking’ scene has exploded recently, thanks largely to the widespread adoption of devices such as the Arduino and Raspberry PI by the hacking community. Applying hardware hacking techniques during product assessments can often give unrivaled levels of access to hidden or undocumented functionality particularly when reviewing embedded devices such as routers, switches and access points.

Resources

• Flamer Analysis: Framework Reconstruction – blog.eset.com
  From the very beginning of our analysis of Win32/Flamer it was clear that this was an extremely sophisticated piece of malware which we had never seen before. It implements extremely elaborate programming logic and has an intricate internal structure. At the heart of Flame’s modularity lies a carefully designed architecture allowing all its components interoperability without causing any incompatibilities.
• The #security question du jour (ANSWERS TIME) – gse-compliance.blogspot.com
  The following page is a good introduction to Nmap.
• BYOD: Organizations Question Risk vs Benefit – blogs.technet.com
  Over the past few posts we’ve been covering the concept of the BYOD trend. We started with a foundation describing the origins and evolution of BYOD, followed by a closer examination of the pros and cons of BYOD from the employee perspective. This post will focus on BYOD from the point of view of the company or IT organization.
• Flamer Analysis: Framework Reconstruction – blog.eset.com
  Flame’s main module consists of objects that each implement specific functionality: gathering information on the compromised system; infecting other computers; communicating with C&C, and so on.
• Exploit Exercises – exploit-exercises.com
  exploit-exercises.com provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering.

Tools

• Attack Surface Analyzer
• Microsoft’s Free Security Tools – Attack Surface Analyzer – blogs.technet.com
  In this second article in my series focused on Microsoft’s free security tools, I’d like to introduce you to the Attack Surface Analyzer version 1.0. Back in January of 2011 the Security Development Lifecycle team released a beta version of the Attack Surface Analyzer and today they announced the release of version 1.0.

• Attack Surface Analyzer 1.0 Released – blogs.msdn.com
  Last year we released a beta version of our free Attack Surface Analyzer tool. The purpose of this tool is to help software developers, Independent Software Vendors (ISVs) and IT Professionals better understand changes in Windows systems’ attack surface resulting from the installation of new applications. Since the initial launch of Attack Surface Analyzer, we have received quite a bit of positive feedback on the value it has provided to customers. Today we are pleased to announce that the beta period has ended and Attack Surface Analyzer 1.0 is now available for download.

• chapcrack – github.com
  A tool for parsing and decrypting MS-CHAPv2 network handshakes.

• ASEF Android Tool Analyzes App Security and Behavior – threatpost.com
  A researcher at Qualys has released a new tool designed to allow users–even non-technical ones–to evaluate the security and behaviors of the apps installed on their Android devices.

• HTExploit – mkit.com.ar
  HTExploit (HiperText access Exploit) is an open-source tool written in Python that exploits a weakness in the way that .htaccess files can be configured to protect a web directory with an authentication process.

• BBQSQL – github.com
  A Blind SQL Injection Exploitation Tool

• NetList Script – blog.ericrafaloff.com
  NetList is a small networking and security auditing script I wrote in Ruby. Given a search term, it will query the ARIN database for an organization and all of its related networks. This can assist a pen tester in finding out which networks are owned by the target, and noting them for a later scan and audit.

Vendor/Software Patches

• Microsoft Office SharePoint Server 2007 Remote Code Execution – exploit-db.com
  This file is a part of the Metaspolit Framework and may be subject to redistribution and commercial restrictions.

Vulnerabilities

• Australia in Crosshairs with Over 2,300 Dumped Password Hashes – novainfosecportal.com
  There are four new smaller password hash dumps that we discovered on OZDC.net over the past few weeks. Of course many of the records also contained other interesting data such as emails, usernames, obfuscated credit card numbers, credit card types, names, user ids, and nicknames.

Other News

• Credit Card Roulette: Payment Terminals Pwned in Vegas – wired.com
  The vulnerabilities can also be used to make a fraudulent card transaction look like it’s been accepted when it hasn’t been, printing out a receipt to fool a salesclerk into thinking items have been successfully purchased.

• Whistleblower, Suspected of Leaking Warrantless Spying Program, Sues NSA – wired.com
  A former congressional staffer and NSA whistleblower who the authorities suspected of exposing the George W. Bush administration’s warrantless wiretapping program is suing the government, saying her constitutional rights are being violated because her computer seized five years ago has never been returned, and the feds have refused to clear her name.

• Cybersecurity Bill Fails in US Senate – securityweek.com
  A bill aimed at protecting the United States from cyber attacks failed to advance in the US Senate on Thursday, severely denting hopes for the passage of a measure backed by President Barack Obama.