Week 50 in Review – 2012

Event Related

• Legal Merits of ‘Hack Back’ Strategy – bankinfosecurity.com
  From point-of-sale hacks to malware and DDoS attacks, the top cyberthreats of 2012 have been aggressive and strong. Is it time for organizations to adopt a “hack back” strategy against perceived attackers?

Resources

• Mitigating Targeted Attacks on Your Organization – blogs.technet.com
  The Trustworthy Computing blog shares Microsoft perspectives about cloud computing. From security in the cloud to the evolution of IT, we show how Microsoft works to build a trustworthy cloud.

• National Cyber Security Framework Manual – ccdcoe.org
  What, exactly, is “National Cyber Security”? The rise of cyberspace as a field of human endeavour is probably nothing less than one of the most significant developments in world history.
• Symantec Intelligence Report: November 2012 – symantec.com

  Symantec helps consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. The Symantec Connect community allows customers and users of Symantec to network and learn more about creative and innovative ways to use Symantec products and technologies.

• Your Soldiers are Untrained -carnal0wnage.attackresearch.com
  People often try to draw analogies between computer security and the military or warfare. Lets put aside for a moment the fact that I don’t know anything about the military and continue on with this analogy.
• PCAP Files Are Great Arn’t They?? – blog.spiderlabs.com

  One of the most important skills in anyone’s armory responsible for looking after the security of a corporation’s networks should be how to analyze network capture files (PCAP files) obtained from sniffers. Putting a sniffer on the network can not only help you investigate network issues, but also give you a great insight into the “unseeable” security vulnerabilities that are occurring on a daily basis. This is probably one of the cheapest security tools you can use on the network, as it’s free, and can find a multitude of potential issues.

• Should We Exploit Every Vulnerability to Prove it Exist? – darkoperator.com

  Recently I made a comment in twitter where I said that I cringe every time a hear that to confirm a vulnerability an exploit must be ran to confirm and prove it.

• Breaking Murmur: Hash-flooding DoS reloaded – emboss.github.com

  DISCLAIMER: Do not use any of the material presented here to cause harm. I will find out where you live, I will surprise you in your sleep and I will tickle you so hard that you will promise to behave until the end of your days.

Tools

• Loki v0.2.7 for Windows – ernw.de

  Loki is a Python based framework implementing many packet generation and attack modules for Layer 3 protocols, including BGP, LDP, OSPF, VRRP and quite a few others.

• CVEChecker 3.2 – sourceforge.net

  cvechecker is an application that allows you to pull in the (latest) CVE entries and match these against your own system. The application attempts to discover the installed versions and lists those that are a potential target for an existing CVE.

• FireFart/WordpressPingbackPortScanner – github.com

  WordPress exposes a so called Pingback API to link to other blogposts. Using this feature you can scan other hosts on the intra- or internet via this server. You can also use this feature for some kind of distributed port scanning: You can scan a single host using multiple WordPress Blogs exposing this API.

• What’s New in Mercury v2? – labs.mwrinfosecurity.com

  It’s been 8 months since we released Mercury into the wild. Since then we have seen many people use the tool and share their thoughts, insight and time with up to help make Mercury even more awesome.

• Burp Extension Scanner Streamer – blog.c22.cc

  Much like everybody else, I was really looking forward to the new Burp 1.5 professional release and the new Extensions… now that there’s some API documentation and example code out their, I had a little play to see what was possible.

• wick2o/WebsiteProfiler – github.com

  Auto Recon. Contribute to WebsiteProfiler development by creating an account on GitHub.

Techniques

• IBM Mainframe User Enumeration and Bruteforcing – mainframed767.tumblr.com

  A username enumeration vulnerability is used to describe an application that allows someone to ‘guess’ usernames in an operating system or application.

• Homegrown Incognito – josho.org

  A penetration tester’s work is never done. One day, you feel like you have a good thing going – a few tricks up the sleeve, you get into a rhythm.

• Testing Your Defenses – Beaconing – blog.opensecurityresearch.com

  You have invested time, effort, and money in defenses. But, how do you know they are working? Unless you are willing to intentionally get owned or you want to introduce a piece of malware into your environment, you need safe and effective ways to test your visibility.

• WordPress plugin Asset manager upload.php Arbitrary Code Execution – ethicalhack3r.co.uk

  The ‘Inj3ct0r Team‘ compromised an ExploitHub.com database and released a file publicly which contained some of the data about the exploits that ExploitHub buy and sell.

• Abusing SAP Servers – blog.spiderlabs.com

  During some recent penetration tests I have noticed that large companies have many similarities in their IT infrastructures.

• My 5 Top Ways to Escalate Privileges – blog.spiderlabs.com

  During a penetration test, rarely will the tester get access to a system with the administrator privileges in the first attempt.

• You down with LNK? – blog.spiderlabs.com

  Oftentimes on an Internal pen test, I find myself with a limited-privilege domain user account. On a recent test, I got ahold of an account like this through various means of hackery. It didn’t have local admin anywhere, it wasn’t a member of any IT groups; it was just a super low privilege user from the Marketing department. The only real privilege it had was write access to the Marketing share. In a quest to gather more user accounts, I decided to abuse my write access to the share and drop a backdoored shortcut file.

Vendor/Software Patches

• Critical Updates for Flash Player, Microsoft Windows – krebsonsecurity.com

  Adobe and Microsoft have each released security updates to fix critical security flaws in their software. Microsoft issued seven update bundles to fix at least 10 vulnerabilities in Windows and other software.

Vulnerabilities

• Internet Explorer Data Leakage – spider.io

  On the 1st of October, 2012, we disclosed to Microsoft the following security vulnerability in Internet Explorer, versions 6–10, which allows your mouse cursor to be tracked anywhere on the screen—even if the Internet Explorer window is minimised. The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads.

• To Russia With Targeted Attack – blog.fireeye.com

  Looking at the human aspect of offensive cyber operations is one of the most interesting parts of a malware analyst’s day. Malware that was generated by an algorithm, such as a polymorphic PDF, is a little boring because you know you aren’t fighting against a human on the other side of the keyboard.

Other News

• Researchers find crippling flaws in GPS
  – scmagazine.com.au
  Researchers have developed three attacks capable of crippling Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones.
• FBI Memo Shows Hackers Accessed Commercial HVAC Systems – threatpost.com

  Hackers took control of a New Jersey company’s HVAC units after exploiting vulnerabilities in SCADA systems.

• Japan police offers first-ever reward for wanted hacker – networkworld.com

  Japan’s National Police Agency has posted a US$36,000 reward for a case in which it wrongly arrested men with hacked PCs

• How Aaron Barr correctly identified Commander X – arstechnica.com

  HBGary Federal’s Anonymous-hunting CEO didn’t know how right he was.

• Creating a Culture for Continuous Monitoring – bankinfosecurity.com

  It’s as much about people as it is technology for organizations to successfully implement a continuous monitoring program, says George Schu, senior vice president at Booz Allen Hamilton.