Resources
- “Security Engineering” now available free online – lightbluetouchpaper.org
I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.
- The Anatomy of Unsecure Configuration: Reality Bites – blog.ioactive.com
As a penetration tester, I encounter interesting problems with network devices and software. The most common problems that I notice in my work are configuration issues. In today’s security environment, we can accept that a zero-day exploit results in system compromise because details of the vulnerability were unknown earlier.
Tools
- Effective AMF Remoting Message fuzzing with Blazer v0.3 – blog.nibblesec.org
Blazer v0.3 includes a few interesting new features presented during my DeepSec talk, but even more important is the result of extensive testing on Windows, Mac OS X and Linux using multiple Java Runtime Environments and recent Burp Suite releases.
- Weevely – epinna.github.com
Weevely is a stealth PHP web shell that provides a telnet-like console. It is an essential tool for web application post exploitation, and can be used as stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones.
- Announcing Mercury v2.1 – labs.mwrinfosecurity.com/blog
Based on the thousands of downloads we saw when Mercury v2.0 was published last December we know that you have found it to be a must have tool whether you are a security professional or app developer.
- Stuffz – github.com
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
- cfide-autopwn – ColdFusion CFIDE Directory Traversal Exploiter – code.google.com
This program checks for the well known CFIDE directory traversal vulnerability in ColdFusion. It attempts to retrieve the password.properties located on the web server of which it is attempting to pentest.
Techniques
- Speedtest.net
  - SpeedTest.net Pushing Java Exploit – novainfosec.com
  First of all we love SpeedTest.net. Even with its Flash-based War Games effects, it’s still our go-to site when investigating slow network connections.
  - Popular Site Speedtest.net Compromised by Exploit…Drive-By STOPPED by Invincea – invincea.com
  In this blog Invincea security expert Eddie Mitchell dissects the attack against speedtest.net and shows the sophistication in how the attack uses polymorphism, uses standard encoding to evade detection of binaries it downloads, and was largely unknown to anti-virus vendors at the time of the analysis.
- Password Cracking AES-256 DMGs and Epic Self-Pwnage – blog.whitehatsec.com
FileVault is a full disk encryption feature utilizing XTS-AES 128 crypto. Enabling FileVault means that even if someone has physical possession of my computer, or obtains a full copy of the hard drive, they’d be the proud new owner of a cutting-edge machine, but unable to get any useful data off of it.
- Server-Side XSS Attack Detection with ModSecurity and PhantomJS – blog.spiderlabs.com
Client-Side JS Overriding Limitations In a previous blog post, I outlined how you could use ModSecurity to inject defensive JS into the HTML response page sent to the client web browser. The goal of this technique was to override many common JS elements that are often used by security researchers/attackers when conducting reconnaissance testing for XSS flaws.
Vendor/Software Patches
- Evasion
  - Inside Evasi0n, The Most Elaborate Jailbreak To Ever Hack Your iPhone – forbes.com
  In Apple’s eternal cat and mouse game to control what you can and can’t run on your iOS device, score another one for the mice.
  - Evading evasi0n: iOS 6 Jailbreak Prevention – intrepidusgroup.com
  The latest iOS jailbreak was released yesterday. Called “evasi0n,” it can be used to bypass most all protections in iOS 6.1 on any device that supports it. It’s quite cool, and was certainly something I was looking forward to (since much of my work is greatly aided by working on a jailbroken device).
  - After Evasi0n, iOS Hackers Have More Exploits In Store For Apple – forbes.com
  The icon for the evad3rs’ new jailbreak app. As Apple’s engineers scramble to fix the security flaws exploited by evasi0n, the latest jailbreak tool to crack the restrictions on its iPhones and iPads, the company may be more than just one move behind the community of hackers targeting its products.
- Adobe Flash
  - Critical Flash Player Update Fixes 2 Zero-Days – krebsonsecurity.com
  Adobe today pushed out an emergency update that fixes at least two zero-day vulnerabilities in its ubiquitous Flash Player software — flaws that attackers are already exploiting to break into systems.
  - Adobe patches two vulnerabilities being exploited in the wild – labs.alienvault.com
  Yesterday, Adobe released a patch for Adobe Flash that fixed a zero-day vulnerability that was being exploited in the wild. According to Adobe, CVE-2013-0633 is being exploited using Microsoft Office files with embedded flash content delivered via email.
  - Exploit Down: Analysis and Protection Against Adobe Flash Exploit CVE-2013-0634 – invincea.com
  On February 7th, 2013, Adobe published an emergency security bulletin and corresponding update for Adobe Flash based on reports of a new 0-day vulnerability being exploited in the wild.
- Packets of Death – blog.krisk.org
Star2Star has a hardware OEM that has built the last two versions of our on-premise customer appliance. I’ll get more into this appliance and the magic it provides in another post. For now let’s focus on these killer packets.
Vulnerabilities
- Lucky Thirteen
  - Lucky Thirteen attack snarfs cookies protected by SSL encryption – arstechnica.com
  Software developers are racing to patch a recently discovered vulnerability that allows attackers to recover the plaintext of authentication cookies and other encrypted data as they travel over the Internet and other unsecured networks.
  - Lucky Thirteen: Breaking the TLS and DTLS Record Protocols – isg.rhul.ac.uk
  The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet.
- Operation Beebus – blog.fireeye.com
FireEye discovered an APT campaign consistently targeting companies in the aerospace and defense industries. The campaign has been in effect for some time now.
- Microsoft, Symantec Join Forces to Take Down Bamital Click-Fraud Botnet – threatpost.com
Microsoft and Symantec announced the takedown of the Bamital botnet. The botnet was responsible for millions in click-fraud losses.
- Security Firm Bit9 Hacked, Used to Spread Malware – krebsonsecurity.com
Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.
Other News
- Secret legal review grants US president broad power to launch internet attacks – nakedsecurity.sophos.com
A secret legal review of the US’s growing pile of cyberweapons has concluded that President Obama has “broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad.”
- Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More – wired.com
A critical vulnerability discovered in an industrial control system used widely by the military, hospitals and others would allow attackers to remotely control access systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities, say two security researchers.
- President Obama reportedly set to enact cybersecurity order as Congress revives CISPA – theverge.com
Bloomberg is reporting that the White House plans to introduce an executive order on cybersecurity sometime after next week’s State of the Union address. The order, which has been in the works for months at this point, would arrive after several high-profile attacks have highlighted the danger posed by online threats.