Event Related
- DefCon 20
  - Defcon Wi-Fi hack called no threat to enterprise WLANs – networkworld.com
    Enterprise Wi-Fi networks can keep using WPA2 security safely, despite a recent Defcon exploit that has been widely, but wrongly, interpreted as rendering it useless.
  - Is WPA2 Security Broken Due to Defcon MS-CHAPv2 Cracking? – revolutionwifi.blogspot.ca
    A lot of press has been released this week surrounding the cracking of the MS-CHAPv2 authentication protocol at Defcon. For example, see these articles from Ars Technica and CloudCracker. All of these articles contain ambiguous and vague references to this hack affecting Wi-Fi networks running WPA2 security. Some articles even call for an end to the use of WPA2 authentication protocols such as PEAP that leverage MS-CHAPv2.
  - Stamping Out Hash Corruption, Like a Boss – blog.spiderlabs.com
    Have you ever dumped LM and NTLM password hashes from a Windows system using the registry and never been able to crack the hashes or pass the hash? If so, maybe this blog post will be of specific interest and/or importance to you.
  - Defcon 20 Day 3 Review – resources.infosecinstitute.com
    Defcon day 3 started with one of the most awaited talks of Defcon 20. It was the talk “Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2” by Moxie Marlinspike, David Hulton and Marsh Ray. Moxie Marlinspike has been one of the most popular speakers at Defcon for the past few years and, as expected, the hall was full of people.
  - We are Samurai CTF and we won Defcon CTF this year – reddit.com
    I should mention that people here are PMing me asking to be part of the team. That is great. I encourage it. Just be prepared to give a bit of background on yourself and your skills. Welcome to our new members!
- Black Hat USA 2012
  - Black Hat USA 2012 Presentation – Targeted Intrusion Remediation: Lessons from the Front Lines – blog.mandiant.com
    Last week at Black Hat, I presented a briefing entitled “Targeted Intrusion Remediation: Lessons from the Front Lines.” During my presentation I made three key points.
  - Blackhat Arsenal 2012 Releases: AWS Scout Amazon Web Security Configuration – toolswatch.org
    The scale and variety of Amazon Web Servers (AWS) has created a constantly changing landscape. What was previously managed by enterprise IT groups is now done through a variety of Amazon-based services, leaving many questions concerning the risk and security of these environments unanswered.
  - Blackhat Arsenal 2012 Releases: SAP Proxy The Arsenal 2012 Release – toolswatch.org
    The analysis and reverse engineering of SAP GUI network traffic has been the subject of numerous research projects in the past, and several methods have been available for decoding SAP DIAG traffic.
  - Blackhat Arsenal 2012 Releases: Peepdf (Blackhat Release) v0.2 – toolswatch.org
    peepdf is a Python tool to explore PDF files in order to find out whether the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks.
  - Impressions from Black Hat, Defcon, BSidesLV and IOAsis – blog.ioactive.com
    A week has passed since the Las Vegas craziness and we’ve had some time to write down our impressions about the Black Hat, Defcon and BSidesLV conferences as well as our own IOAsis event.
- Video: Hardening Windows processes – blog.didierstevens.com
  Help Net Security recorded a video with me speaking about EMET and HeapLocker at Hack In The Box Amsterdam 2012.
Resources
- Mobile Threat Report, Q2 2012 – f-secure.com
  Here comes the Q2 2012 Mobile Threat Report, detailing the threats that F-Secure Labs analyzed between April and June 2012.
- Android Security List – code.google.com
  Some apps are not in the Google Play store. I will try to update the links weekly in batches as I receive email requests or discover them. There are some apps that are unrelated, or borderline unrelated, to Infosec in the truest sense of the word, but I think you will understand why I tossed them in for the heck of it. I will add apk descriptions at a later date. I’m going for quantity versus quality, thus some apps are much better than others.
- Symantec Intelligence Report: July 2012 – symantec.com
  The Olympics is one of those rare occasions where the entire world comes together, setting aside various differences for the competition. The Games are a chance for each country to put their best foot forward and demonstrate their athletic skill and prowess.
- Analysis of the FinFisher Lawful Interception Malware – community.rapid7.com
  It’s all over the news once again: lawful interception malware discovered in the wild being used by government organizations for intelligence and surveillance activities. We saw it last year when the Chaos Computer Club unveiled a trojan being used by the federal government in Germany, WikiLeaks released a collection of related documents in the Spy Files, we read about an alleged offer from Gamma Group to provide the toolkit FinFisher to the Egyptian government, and we are reading once again now about the same one being delivered to human rights activists in Bahrain along with some spearphishing attacks.
- List of Run Commands in Windows 8 – nirmaltv.com
  Windows 8, the latest OS from Microsoft, comes with many new features and improvements over Windows 7. Run commands are commands in Windows which allow you to quickly access features and applications that are default in Windows.
Techniques
- Sulley and Ronin fuzzing while debugging with Immunity of allmediaserver – 5x5sec.blogspot.com
  As I mentioned in the previous article, I wanted to do a write-up on using different fuzzers and debuggers for the allmediaserver. If you haven’t read the previous article you might want to check it out: http://5x5sec.blogspot.com/2012/07/looking-into-exploitation-of.html . OK, let’s dive in and see what we get.
- How to Break Into Security, Miller Edition – krebsonsecurity.com
  For this fifth edition in a series of advice columns for folks interested in learning more about security as a craft or profession, I interviewed Charlie Miller, a software bug-finder extraordinaire and principal research consultant with Accuvant LABS.
Tools
- WPScan – wpscan.org
  WPScan is a black box WordPress vulnerability scanner.
- Lotus Domino Scanner – carnal0wnage.attackresearch.com
  The module is in the trunk, you can read the post, but in my experience newer versions of Lotus Domino don’t actually advertise that they are Lotus Domino in the banner, thus you need a way to identify these and, once identified, figure out the current version so you can see if there are any exploits for it.
- zynga / hiccup – github.com
  Hiccup is a framework that allows the Burp Suite (a web application security testing tool, http://portswigger.net/burp/) to be extended and customized through the interface provided by Burp Extender (http://portswigger.net/burp/extender/). Its aim is to allow for the development and integration of custom testing functionality into the Burp tool using Python request/response handler plugins.
- OWASP Zed Attack Proxy 1.4.1 Released – http://code.google.com
  OWASP ZAP: An easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
- The Social-Engineer Toolkit (SET) v3.6 available – toolswatch.org
  The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and is supported heavily within the security community.
Vendor/Software Patches
- Advanced Exploitation of Windows Kernel Intel 64-Bit Mode Sysret Vulnerability (MS12-042) – vupen.com
  In this new blog, we will share our advanced exploitation methods on Windows 7 SP1 x64 and Windows Server 2008 R2 SP1 x64 to reliably take advantage of an awesome vulnerability discovered by Rafal Wojtczuk (Bromium) and Jan Beulich (SUSE).
- Cracking PuTTY private keys with JtR – openwall.com
  I have added support for cracking PuTTY password-protected private keys to JtR. My code is based on http://neophob.com/2007/10/putty-private-key-cracker/ by michu.
- Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService WriteToFile Message Remote Code Execution Exploit – 1337day.com
  This SOAP interface exposes the writeToFile function, which could allow writing arbitrary files on the target server.
- Bypassing EMET 3.5’s ROP Mitigations – repret.wordpress.com
  I have managed to bypass EMET 3.5, which was recently released after the Microsoft BlueHat Prize, and wrote a fully functioning exploit for CVE-2011-1260 (I chose this CVE randomly!) with all of EMET’s ROP mitigations enabled.
- PTH with MSSQL and FreeTDS/SQSH – passing-the-hash.blogspot.com
  FreeTDS (TDS == Tabular Data Stream, the protocol used by MSSQL and Sybase) and SQSH provide a method for connecting to Microsoft SQL servers under Linux. Since FreeTDS is a protocol implementation library, sqsh (SQL Shell) is used to actually interact with the MS SQL servers. Assuming that the MS SQL servers are configured to allow Windows Integrated Authentication, we can pass the hash to log in and interact with them.
- DLL Hijacking Against Installers In Browser Download Folders for Phish and Profit – reddit.com
  Oftentimes trends dominate and suffocate a population. We naturally learn by following. But occasionally, in order to keep things interesting, we gotta mix it up.
Vulnerabilities
- iCloud Hacked
  - Journalist blames Apple tech for allowing iCloud hack – news.cnet.com
    Former Gizmodo reporter says device wipes and Twitter breaches occurred after an AppleCare technician fell victim to a bit of social engineering.
  - Apple Allowed Hackers Access To User’s iCloud Account – forbes.com
    Is your iCloud account secured by a good password? That’s not going to help you if Apple sidesteps your security and hands hackers access to your account.
  - How Apple and Amazon Security Flaws Led to My Epic Hacking – wired.com
    In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
  - Video: Mat Honan Details His Post-Hack Paranoia – wired.com
    If you’re a regular reader of Wired, or just a curious tech enthusiast, you’ve certainly already heard about the hacking attack suffered by Mat Honan, Gadget Lab’s senior writer. Honan himself documented how hackers assumed control of his digital life in an exhaustive report on Monday, but now we have him on video, describing what happened in greater nuance and detail.
- Dumped: how my password went public – theverge.com
  On the morning of July 14th, a Saturday, I woke up to find three successive emails in my Gmail inbox. The first, received at 1:56 am, came from the movie site IMDb. The second, sent almost exactly an hour afterwards, was from Yahoo. The third was from Twitter, and it arrived at 3:02 am, just three minutes after Yahoo’s missive. From the subject lines alone, it was pretty clear what had happened.
Other News
- Appeals Court OKs Warrantless Wiretapping – wired.com
  The federal government may spy on Americans’ communications without warrants and without fear of being sued, a federal appeals court ruled Tuesday in a decision reversing the first and only case that successfully challenged President George W. Bush’s once-secret Terrorist Surveillance Program.
- Software Runs the World: How Scared Should We Be That So Much of It Is So Bad? – theatlantic.com
  When software works, you can buy an airline ticket and sell a stock. When it fails, you can miss a flight and a bank can lose a billion dollars. Do we respect the power of software as much as we should?
- Researchers Uncover ‘Gauss,’ A Stealthy Banking Trojan Likely Created By The U.S. Government – forbes.com
  Researchers have spotted another strain of malicious software in the same family of sophisticated, state-sponsored programs tied to the Stuxnet superworm and its creator, the U.S. government. But this one has a more traditional target for computer Trojans: banking information.