Week 45 in Review – 2012

Event Related

• OWASP
• OWASP AppSec 2012 Presentation: SQL Server Exploitation, Escalation, and Pilfering – netspi.com
  During this presentation attendees will be introduced to lesser known, yet significant vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings.
• XSS & CSRF with HTML5 – Attack, Exploit and Defense – shreeraj.blogspot.com
  HTML5 has empowered browser with a number of new features and functionalities. Browsers with this new architecture include features like XMLHttpRequest Object (L2), Local Storage, File System APIs, WebSQL, WebSocket, File APIs and many more.
• Countermeasure|2012 – countermeasure2012.com
  Presentations for Countermeasure 2012
• Derbycon 2012 Videos – irongeek.com
  Irongeek’s Information Security site with tutorials, articles and other information.
• PhreakNIC 16 (2012) Videos – irongeek.com
  Here are the videos from PhreakNIC 16. Big thanks to Ben the Meek and the rest of the video crew.

Resources

• DominatorPro
• DOM XSS on Google Plus One Button – blog.mindedsecurity.com
  DOMinatorPro can be very useful to find DOM Based XSS on complex JavaScript web applications.
• DOMinatorPro Fuzzer finds a DOM XSS on Google.com – blog.mindedsecurity.com
  A quite simple DOM Based XSS was found on https://www.google.com/ context using DOMinatorPro.
  What I think it’s interesting here, is to show how DOMinatorPro works in this real world case.
• Q3 2012 Mobile Threat Report is Out! – f-secure.com
  Our Mobile Threat Report is out, covering mobile threats found throughout the third quarter of 2012. 67 new families and variants of existing families were discovered, and some platforms that were previously enjoying quiet time (e.g. iOS, Windows Mobile) are now seeing their peace disturbed thanks to the multi-platform FinSpy trojan.
• Security Headers on the Top 1,000,000 Websites – veracode.com
  I would like to share with you all the results of my scan and review of the Alexa Top 1,000,000 Sites HTTP response headers as they relate to security. I was mostly curious about which sites were using Content Security Policy (CSP) but ended up becoming more interested in all of the various modern day security headers that sites specify. The results were pretty impressive and I certainly learned a lot from it.
• Video: Owning a PC via GPRS/EDGE – blog.taddong.com
  We have decided to make public a video that we have used on several talks in the past, demonstrating a network attack against a PC, performed via GPRS/EDGE (which is the important point here), using a fake GSM/GPRS/EDGE base station. The video is available for online viewing at our YouTube channel (direct link here), and for direct download, at our lab.
• InfoSec Institute Resources VMWare ESX Audit & Analysis, Part 1 – resources.infosecinstitute.com
  The VMware ESX source code (from 2004 according to VMware, Inc.) was partially leaked on November 4, 2012. Following due-diligence to determine the impact, the source code has been analyzed and audited for a number of common vulnerabilities.

Tools

• TLS Tools for Black Box MobileTesting – isecpartners.com
  iSEC is pleased to announce that the mobile testing tools presented in iSEC’s Black Hat 2012 presentation by Alban Diquet and Justine Osborne have been publicly released as open-source software on iSEC’s GitHub page.
• Patator – code.google.com
  Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Currently it supports the following modules.
• hstrings – when all strings attached. – hexacorn.com
  a new strings tool that attempts to extract localized strings e.g. French, Chinese from an input file; see example.

Techniques

• Osmocom + CatcherCatcher tutorial – opensource.srlabs.de
  In this page, you can find all the needed information to set up an IMSI Catcher Catcher based on Osmocom.
• Why Google Went Offline Today and a Bit about How the Internet Works – blog.cloudflare.com
  Today, Google’s services experienced a limited outage for about 27 minutes over some portions of the Internet. The reason this happened dives into the deep, dark corners of networking. I’m a network engineer at CloudFlare and I played a small part in helping ensure Google came back online. Here’s a bit about what happened.
• Hacking an Android Banking Application – ioactive.com
  This analysis of a mobile banking application from X bank illustrates how easily anyone with sufficient knowledge can get install and analyze the application, bypassing common protections.
• Abusing Windows Remote Management (WinRM) with Metasploit – community.rapid7.com
  WinRM is a remote management service for Windows that is installed but not enabled by default in Windows XP and higher versions, but you can install it on older operating systems as well.
• Automating HalfLMChall Hash Cracking – netspi.com
  Frequently during penetration tests, we will capture halflmchall password hashes from the network. These can come from a variety of sources, but common sources include NBNS spoofing and SQL queries/SQL injection. Both methods can be easy ways to get halflmchall hashes during a pen test.
• A blast from the past: How to protect yourself against SYSENTER/SYSCALL hooks – blog.fireeye.com
  In my last two blogs I discussed PDF exploits and shell code in general, so this time around I’ll make it a little different. Experienced Windows programmers (well, Linux can be included as well if you think about it) know that for a few years now Microsoft has been taking advantage of the evolution of microprocessors like Intel and AMD. A long time ago, when a function was called from user mode, the call would…
• Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops – j00ru.vexillium.org
  To stand by my claim that the Microsoft Windows operating system has been built on the fundamental assumption that administrative privileges would always be

Vendor/Software Patches

• Flash
• Adobe, now ‘married’ to Microsoft, moves Flash updates to Patch Tuesday – computerworld.com
  Adobe on Tuesday announced that it will pair future security updates for its popular Flash Player with Microsoft’s Patch Tuesday schedule.
• Security updates for Flash and Air – h-online.com
  Several security holes discovered by Google’s Security Team have been closed in the latest update to Flash Player. A high priority on the Windows update suggests that exploits may well be in the wild
• Nmap NSE to Detect CoDeSys Insecurity Issues – digitalbond.com
  Reid Wightman and HD Moore wrote up an Nmap NSE script to detect if your PLC running the CoDeSys ladder logic runtime lacks effective authentication to access the application command shell, transfer files, … the insecure by design issues covered on the Project Basecamp CoDeSys page.
• Cisco TACACS+ Authentication Bypass – isc.sans.edu
  Cisco has released a patch that addresses a TACACS+ Authentication Bypass vulnerability. Exploitation is likely very easy. If you are using Cisco ACS for authentication you should probably take note of this announcement.
• WS-Attacker version 1.2 Update – sourceforge.net
  WS-Attacker the modular framework for web services penetration testing has been updated to version 1.2.

Vulnerabilities

• Adobe Reader
• Experts Warn of Zero-Day Exploit for Adobe Reader Krebs on Security – krebsonsecurity.com
  Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground.

• Adobe Reader X/XI zero-day flaw found by Group-IB – youtube.com
  This is a video Adobe Reader zero-day flaw found.
• Apple’s iOS 6.0.1 still has Wi-Fi bugs – zdnet.com
  For some Apple iPhone and iPad users, iOS 6.0.1’s Wi-Fi is still busted. Yes, still.
• 7 Ways Vulnerability Scanners May Harm Website(s) and What To Do About It – blog.whitehatsec.com
  Whether we like it or not, whether we want them to or not, whether it’s legal or not, there are some unsavory people out there who will try to hack into our website(s).
• Researchers find vulnerability in Call of Duty: Modern Warfare 3 – computerworld.com.au
  Luigi Auriemma and Donato Ferrante of ReVuln also showed a vulnerability in the CryEngine 3 gaming platform.

Other News

• Signing in with a picture password – blogs.msdn.com
  Picture password is a new way to sign in to Windows 8 that is currently in the Developer Preview. Let’s go behind the scenes and see how secure this is and how it was built. One of the neat things about the availability of a touch screen is that it provides an opportunity to look at a new way to sign in to your PC.
• Coke Gets Hacked And Doesnt Tell Anyone – bloomberg.com
  FBI officials quietly approached executives at Coca-Cola Co. on March 15, 2009, with some startling news.
• Security Researchers Warn New Jersey’s Emergency Email Voting Could Be An Insecure, Illegal Nightmare – forbes.com
  Updated below. New Jersey’s decision to allow voters stranded by superstorm Sandy to vote by email in Tuesday’s election may be an innovative experimental response to a badly-timed natural disaster. But security researchers are warning that the unprecedented move could leave another more political storm in its wake.
• Russian Underground Offers Cybercrime Services at Dirt-Cheap Prices – wired.com
  Want to buy a botnet? It will cost you about $700. If you just want to hire someone else’s botnet to rent for an hour, it could cost you as little as $2, according to new report about the Russian underground, which offers top-notch cybercrime services at dirt-cheap prices.
• 1.7M mobile apps analyzed: Users tracked and put at risk, and it’s unjustified – zdnet.com
  Network security company Juniper Networks investigated 1.7 million mobile apps. It concluded that free apps cost us our privacy, expose us unnecessarily, and most app permissions are unjustified.
• Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines – threatpost.com
  A group of researchers has proved that an attacker could use a side-channel attack to steal a cryptographic key from a virtual machine located on the same host as the attacker’s VM.
• U.S. panel labels China largest cyberspace threat, report says – news.cnet.com
  China is increasingly using hackers to infiltrate U.S. military computers and defense contractors, according to a draft of Congressional report obtained by Bloomberg. Read this article by Roger Cheng on CNET News.
• Google security researcher: Keep Sophos away from high value systems – cso.com.au
  Sophos too slow for organisations using it to defend against motivated attackers.
• Portrait of a Full-Time Bug Hunter Abdul-Aziz Hariri – wired.com
  Abdul-Aziz Hariri earned more than enough to live on doing freelance bug hunting, during a period when he couldn’t find a job. Hariri, a 27-year-old Lebanese-Canadian, began submitting bugs full-time after he emigrated from Lebanon to Canada in January 2010 and couldn’t find work. He did it full-time for a year and a half until he found a corporate job doing malware analysis.
• With Millions Paid in Hacker Bug Bounties, Is the Internet Any Safer? – wired.com
  Ever since Mozilla launched its bug bounty program eight years ago to pay researchers for finding and disclosing security holes in its software, Google and others have followed suit with their own bug bounty programs, paying out millions of dollars to researchers to make internet users more secure. But have the programs made us more secure?
• That’s an affirmative on BlackBerry 10 security certification, sir – engadget.com
  RIM may be falling out of favor with certain government departments, but it’s not removing the earpiece or pocketing the shades just yet.
• Meet The Texas Lawyer Suing Hundreds Of Companies For Using Basic Web Encryption – forbes.com
  Dallas lawyer and TQP founder Erich Spangenberg The small Dallas, Texas firm TQP technically has two employees. One is Michael Jones, whose job there largely consists of having filed a 1989 patent application for an "Encrypted Data Transmission System Employing Means For Altering The Encryption Keys.”
• Support Forums Reveal Soft Underbelly of Critical Infrastructure – securityledger.com
  We hear a lot about vulnerabilities in industrial control system (ICS) software. In fact, that’s all we seem to hear about these days. The truth is: there’s a lot to write about.