Week 41 in Review – 2012

Event Related

  • Hack In The Box
  • RSA Conference
    • RSA Conference Europe Wrap-Up Day #2 – blog.rootshell.be
      This is my wrap-up of the second day of RSA Europe. As said yesterday, the panel of speakers was broader and much more interesting. Let’s go!
    • RSA Conference Europe Wrap-Up Day #3 – blog.rootshell.be
      The third day is already over! It started very (too?) early with Candid Wuest (Symantec) presenting “Dissecting Advanced Targeted Attacks – Separating myths from facts”. Not easy to speak so early, and not a lot of people present in the room.
  • mDNS – Telling the world about you (and your device) – blog.spiderlabs.com
    Luiz Eduardo (@effffn) and Rodrigo Montoro (@spookerlabs) have presented “Mobile Snitch – Devices telling the world about you” at conferences around the world. Today we share a bit about the mDNS protocol and how it impacts the security landscape.
  • Solving the GrrCon Network Forensics Challenge with Volatility – volatility-labs.blogspot.com
    In this post, we will walk through the process that MHL (@iMHLv2) and I (@attrc) went through to solve the @GrrCon network forensics challenge. Although participants were provided a memory sample, packet capture, and file system timeline, as a personal challenge our goal was to use only the provided memory sample.
  • Virus Bulletin 2012 Slides – blog.eset.com
    As you’ll know if you’ve read this month’s ESET Global Threat Report, ESET had quite a few papers and presentations accepted at this year’s Virus Bulletin conference. Many of those (along with many excellent presentations by other security researchers) can now be found on the Virus Bulletin conference slides page.

Resources

  • Pentesting Java Thick Applications with Burp JDSer – netspi.com
    After a little bit of Google searching, I came across this very well-written article about Java serialization and tried out his tool: BurpDSer. After scratching my head off for a few hours, installing dependencies, and still not getting it to work (there’s some problem with IRB Shell not popping up), I began searching for alternative solutions. Luckily I found this excellent SANS blog which outlined high level steps to make a Burp Deserialization plugin.
  • Symantec Intelligence Report: September 2012 – symantec.com
    In this month’s report, we take a look at an often-overlooked side of malicious code: how attackers administer the Web servers that they use to spread spam and malicious code. We highlight a PHP-based tool in particular that is often used to control and manipulate the configuration of these Web servers.
  • Microsoft Security Intelligence Report Volume 13 Released – blogs.technet.com
    The latest report, SIRv13, is over 800 pages of data and analysis with deep dives for 105 countries/regions around the world. It is designed to provide in-depth perspectives on software vulnerabilities and exploits, malicious code threats and potentially unwanted software based on data from over 600 million systems, 280 million Hotmail accounts and billions of web pages scanned by Bing.
  • SIRv13: Be careful where you go looking for software and media files – blogs.technet.com
    The Internet is a great place to share; we share information, ideas, experiences, software, and media through many different services over the Internet. The Internet is also a great place to do business and to shop for great deals on software, movies, and music as well as other goods and services. Unfortunately, malware distributors take advantage of people’s desire to share and find the best deals by using social engineering in attempt to infect computer systems.
  • Apple’s Combined Patching – pen-testing.sans.org
    With the release of Apple iOS 6, Apple announced the resolution of 197 security flaws on the Apple Product Security mailing list. Reading through the vulnerabilities is entertaining, with flaws ranging from “Passwords may autocomplete even when the site specifies that autocomplete should be disabled” to “A person with physical access to the device may be able to bypass the screen lock” and many more.
  • Mindmaps – amanhardikar.com
    Check out these mindmaps.
  • “Defending the Nation from Cyber Attack” (Business Executives for National Security) – defense.gov
    As Delivered by Secretary of Defense Leon E. Panetta, New York, New York, Thursday, October 11, 2012

Techniques

  • The “I Know” Series
    • Introducing the “I Know…” series – blog.whitehatsec.com
      The “I Know…” series builds upon earlier work where I revealed relatively simple tricks [malicious] websites can use to coax a browser into revealing information that it probably should not.
    • I Know A LOT About Your Web Browser and Computer – blog.whitehatsec.com
      Web browser hacking techniques are frequently platform dependent. Creating stable and cross-platform proof-of-concept code is often challenging. So it is helpful for a [malicious] website, such as http://maliciouswebsite/, to learn everything it can about a visiting browser before executing a real-world attack. We can loosely describe this process as “browser interrogation.”
    • I Know The Country, Town, and City You Are Connecting From (IP Geolocation) – blog.whitehatsec.com
      Every browser leaves a log of its public IP address when it connects to any website – if it didn’t, the website would have no idea where to send the requested Web page. What many people do not realize is the tremendous amount that websites can learn about a visitor — instantly — just from their IP address.
    • I Know What Websites You Are Logged-In To (Login-Detection via CSRF) – blog.whitehatsec.com
      Now that we know a lot about a visitor’s browser, we can mix and match several techniques – six, by my count — that http://maliciouswebsite/ can use to learn what other websites a visiting browser is logged in to – an online bank, social network, email provider, a local home router’s Web interface, and basically anything else.
    • I Know Your Name, and Probably a Whole Lot More (Deanonymization via Likejacking, Followjacking, etc.) – blog.whitehatsec.com
      Building on the previous section, where we learned a variety of ways that http://maliciouswebsite/ can detect what other websites a browser is logged in to, we’ll move onto the next step — deanonymizing visitors. Deanonymization refers to a website like http://maliciouswebsite/ surreptitiously uncovering a visitor’s full real name.
    • I Know Who You Work For – blog.whitehatsec.com
      Other than asking a visitor directly, there are five ways I know of for http://maliciouswebsite/ to find out where a visitor is employed. Depending on the visitor’s browser set-up, most of the time one of them should be able to get the job done.
    • I Know Your [Corporate] Email Address, and more… – blog.whitehatsec.com
      Let’s assume that with the techniques in the previous section, http://maliciouswebsite/ is able to ascertain a visitor’s full name and where they work. It may then use this information to infer the corporate email address of a visitor.
    • Summary and Guidance for the “I Know…” series – blog.whitehatsec.com
      When it’s all said and done, who do these Web and browser security and privacy problems belong to? We could point the finger at the browser vendors for allowing such Web technology abuses without providing adequate controls. Maybe the fault lies with website owners and Web developers who demand and implement features without fully understanding or appreciating the risks.
  • UPEK
    • UPEK Windows Password Decryption – adamcaudill.com
      On August 28th ElcomSoft announced that they had determined a method to extract Windows passwords from the registry for users of UPEK’s fingerprint readers and Protector Suite software (UPEK is now owned by AuthenTec, which is now owned by Apple). What they didn’t announce was the technical details of how they did it. Brandon Wilson and I have been working to recreate their research – and we have.
    • UPEK + Lenovo = Insecure Password Storage – netspi.com
      Recently Adam Caudill and ElcomSoft identified vulnerabilities in the way that UPEK fingerprint readers store Windows passwords in the registry. Adam has released a great proof-of-concept tool to decrypt these poorly encrypted passwords.
  • Exploiting a MIPS Stack Overflow – devttys0.com
    Although D-Link’s CAPTCHA login feature has a history of implementation flaws and has been proven to not protect against the threat it was intended to thwart, they continue to keep this feature in their products. Today we’ll be looking at the CAPTCHA implementation in the D-Link DIR-605L, which is a big-endian MIPS system running Linux 2.4.

Tools

  • Compiling and Release of Netview – room362.com
    If you haven’t caught Chris Gates (@carnal0wnage) and my talk at DerbyCon 2012 – we released 2 tools, Netview and Ditto. Here I’ll walk you through compiling Netview yourself; in the next blog post we’ll go over compiling Ditto and how you can remove its icon to reduce the size if you want. But for Netview it’s pretty straightforward.
  • Compiling and Release of Ditto – room362.com
    If you follow the exact same steps you did for Netview (http://www.room362.com/blog/2012/10/8/compiling-and-release-of-netview.html), then you already have the steps needed to create a compiled version of Ditto from the repo here.
  • THC-IPV6 v2.0 Update – thc.org
    The THC IPV6 ATTACK TOOLKIT (THC-IPV6) is a complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy to use packet factory library.
  • wick2o – github.com
    Offline Security Focus Database
  • Inception – breaknenter.org
    Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any machine you have physical access to.
  • Everything you need to know about hash length extension attacks – skullsecurity.org
    Awhile back, my friend @mogigoma and I were doing a capture-the-flag contest at https://stripe-ctf.com. One of the levels of the contest required us to perform a hash length extension attack. I had never even heard of the attack at the time, and after some reading I realized that not only is it a super cool (and conceptually easy!) attack to perform, there is also a total lack of good tools for performing said attack!
  • DNSSEC Walker – josefsson.org
    This is a proof-of-concept of a utility to download DNS zone contents even when AXFR is disabled on the server, assuming DNSSEC is used. Optionally it can also verify all digital signature RRs within a zone against the zone key.

Vendor/Software Patches

  • Microsoft Updates
    • Microsoft Patches Critical Word Flaw; Certificate Key Length Changes are Official – threatpost.com
      Microsoft rolled out seven security updates today, including a fix for a critical remotely exploitable Word vulnerability. In all, 20 vulnerabilities were repaired by Microsoft, which also issued an advisory regarding poorly generated digital certificates that have to be replaced and the distribution of an automated mechanism that will check for certificate key lengths and revoke any shorter than 1024 bits.
    • Welcome to the 1024-bit world and the October security updates – blogs.technet.com
      As previously mentioned in the Advance Notification blog on Thursday, today we’re releasing seven bulletins, one Critical-class and six Important-class bulletins. Before we discuss those releases, let’s take a closer look at the Security Advisories we also released today.
    • Assessing risk for the October 2012 security updates – blogs.technet.com
      Today we released seven security bulletins addressing 20 CVEs (7 Microsoft and 13 Oracle CVEs). Only one of the bulletins is rated Critical. The other six have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
  • Critical Adobe Flash Player Update Nixes 25 Flaws – krebsonsecurity.com
    Adobe has issued an update for its Flash Player software that fixes at least 25 separate security vulnerabilities in the widely-installed program. The company also pushed out a security patch for its Adobe AIR software.

Vulnerabilities

  • HTML 5
    • Proof-of-Concept Exploits HTML5 Fullscreen API for Social Engineering – threatpost.com
      Independent security researcher, web designer, and Stanford Computer Science student Feross Aboukhadijeh has developed an attack concept that exploits the fullscreen application programming interface in HTML5 in order to carry out phishing attacks.
    • Using the HTML5 Fullscreen API for Phishing Attacks – feross.org
      The Fullscreen API (see W3C docs and MDN docs) allows web developers to show web content that fills up the user’s screen completely. You’ve seen this functionality in action whenever you watch a fullscreen video on YouTube (if you use their new HTML5 player, which you should do!) or look at a fullscreen photo on Facebook.
  • Flaws allow 3G devices to be tracked – scmagazine.com.au
    The vulnerabilities could be exploited with cheap commercial off-the-shelf technology to reveal the location of phones and other 3G-capable devices.
  • Content Smuggling – xs-sniper.com
    A few years ago, I discovered a peculiar design decision described in the PDF specification. This design flaw allows for an attacker to conduct XSS attacks against some websites that would not normally have XSS vulnerabilities.

Other News

  • Banks Take Action After Alert, Attacks – bankinfosecurity.com
    It’s been nearly three weeks since the Financial Services Information Sharing and Analysis Center issued its warning about new online threats facing U.S. banking institutions (see High Risk: What Alert Means to Banks).
  • Security Manager’s Journal: I hired a hacker – computerworld.com
    A very important piece of my budget is the quarterly allotment for security assessments. I usually focus on physical penetration testing of our major facilities or assessments of critical applications or our own products. This quarter, though, I decided to hire a hacker.
  • Human Rights Groups Report A Surge In Highly Targeted Malware For Macs – forbes.com
    The security world has long cautioned Mac users that the lack of malware targeting their machines has been a function of cybercriminals’ focus on Windows’ larger market share, not of Apple’s brilliant security.
  • Exclusive: Anatomy Of A Brokerage IT Meltdown – informationweek.com
    Regulators last year issued the SEC’s first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.
  • Call for Volunteers – Help Create an Easy to Use Open Source Risk Equation – blog.securestate.com
    For many years now, the information security industry has attempted to adapt existing Risk Management practices for the task of managing information security. Numerous frameworks have been devised over the years, including FAIR, OCTAVE, ISO 27001/27005 and NIST 800-53/NIST 800-39, just to name a few.
  • – stripe.com/blog
    The last flag has been captured, and the final tallies are in. Over 16,000 people from around the world participated in Capture the Flag 2.0 during its week-long run, and it’s been a blast exploring web application security with all of you.
  • Facebook confirms researcher exploited privacy settings to quickly collect user phone numbers – thenextweb.com
    On Friday, a researcher by the name of Suriya Prakash claimed that the majority of phone numbers on Facebook are not safe. It’s not clear where he got his numbers from (he says 98 percent, while another time he says 500 million out of Facebook’s 600 million mobile users), but his demonstration certainly showed he could collect countless phone numbers and their corresponding Facebook names with very little effort.
  • Real Bad Guys Create Fake Bad Piggies Game: Infect 80,000 Angry Birds Fans – readwriteweb.com
    People love to play the bad guy, so it’s no surprise that Bad Piggies, the spin off of Rovio’s popular Angry Birds game franchise, has done very well worldwide, earning the top spot in the iPhone App Store hours after its release in late September.
  • Lone packet cripples telco networks – scmagazine.com.au
    Telecommunications infrastructure is riddled with security holes so severe that a handful of malformed packets could take down GSM communications systems, according to veteran pen tester and founder of Qualys, Philippe Langlois.
  • Corporate Attacks Hint Of A Coming ‘Cyber Pearl Harbor’ – forbes.com
    Hackers have already unleashed World War III in World of Warcraft, killing the avatars of thousands of innocent gamers. Is the real world next?
  • Task Force Tells DHS to Offer ‘Cool’ Cybersecurity Jobs to Gov. Workers and Test Them Like Pilots – wired.com
    In order to attract the highly skilled and qualified cybersecurity workers the Department of Homeland Security needs to fulfill its mission of protecting government computer systems and overseeing the security of critical infrastructure systems, DHS has to reserve its coolest cybersecurity jobs for federal workers, not contractors, according to a task-force report submitted to DHS this month.
  • ReVuln Emerges as New Player in Vulnerability Sales Market – threatpost.com
    It’s getting difficult these days to keep track of all of the companies, public and otherwise, that are buying and selling vulnerabilities or information on bugs, and now there’s another group on the scene: ReVuln. But, unlike other companies in the industry, ReVuln is mostly focusing its efforts on vulnerabilities in SCADA and ICS software, the applications that run utilities, industrial systems and other sophisticated systems.

Posted October 15th, 2012 | Security Conferences, Security Tools, Security Vulnerabilities, Week in Review