Event Related
- S4x13 Video: Atlas on RF Comms Security and Insecurity – digitalbond.com
RF Comms are often ignored in SCADA assessments. Big mistake as atlas 0f d00m shows RF hacking session at S4x13.
- #Shmoocon Presentation Links – mainframed767.tumblr.com
So I talked fast and furious and ran out of time, but 20 minutes is not a lot of time to talk about mainframes!
Resources
- Cybersecurity Executive Order
- President Obama’s Cybersecurity Executive Order Scores Much Better Than CISPA On Privacy – forbes.com
President Obama released a long-awaited cybersecurity executive order Tuesday night along with his fifth State of the Union address, outlining new policies aimed at stemming the tide of cyberespionage on American companies and government agencies, as well as shoring up the defenses for American critical infrastructure vulnerable to cyberattacks.
- Obama signs cybersecurity executive order ahead of State Of The Union – zdnet.com
President Obama unexpectedly signed an executive Order on cybersecurity prior to tonight’s State of the Union address. UPDATED: Links to the Order and “new” CISPA added.
- Cybersecurity executive order – scribd.com
Cybersecurity executive order – Free download as PDF File (.pdf), Text File (.txt) or read online for free. President Obama’s executive order on cybersecurity
- Obama’s cybersecurity executive order: What you need to know – zdnet.com
Embargoed until the delivery of the State of the Union address, US President Obama signed the expected and highly anticipated cybersecurity executive order. With potentially serious implications for US and foreign citizens’ privacy, here’s what you need to know.
- Obama’s Cybersecurity Action Reaches Too Far – forbes.com
Since nothing has been happening in Washington lately except speeches, President Obama seized the moment and ended his State of the Union day by issuing an Executive Order (EO) and Presidential Policy Directive 21 (PPD-21) on critical infrastructure cybersecurity.
- Obama’s Cybersecurity Executive Order: Heart In The Right Place But There Is Little Teeth – forbes.com
On Tuesday, President Obama issued a Cybersecurity Executive Order, which outlined policies to defend against cyber attacks and espionage on US companies and government agencies.
- Defending our work – Part 2. The Exploit Lab Rip-off continues. – blog.exploitlab.net
It has been a difficult week for us. First, the news of Exploit Laboratory’s class material being ripped off and used in a paid webinar.
- automatic password rule analysis and generation – thesprawl.org
The purpose of this research is to help advance the field of password cracking by developing password rule analysis techniques and deliver tools to help enhance rule-based password cracking attacks.
- 2013 Threat Report: More than Scary Stats and Chilling Charts – community.websense.com
The 2013 Threat Report from the Websense® Security Labs (WSL) is now available. The report details mobile, social, email and web-based threats, and while it is full of ominous data points, it is a very interesting read.
- FROST: Forensic Recovery Of Scrambled Telephones – informatik.uni-erlangen.de
At the end of 2011, Google released version 4.0 of its Android operating system for smartphones. For the first time, Android smartphone owners were supplied with a disk encryption feature that transparently scrambles user partitions, thus protecting sensitive user information against targeted attacks that bypass screen locks.
- Symantec Intelligence Report: January 2013 – symantec.com
In this month’s report, we find that the email malware rate has dropped significantly since December, with only one in 400 emails containing a virus in January. This is the lowest virus rate we’ve seen since 2009.
- Owning Windows Networks With Responder Part 2 – blog.spiderlabs.com
One of the great things about working within SpiderLabs is that we prefer to use our own tools whenever possible. The biggest advantage to using your own toolset is a lot more control over what’s happening during the testing process, helping to avoid any nasty side effects.
- Ruby on Rails Cheatsheet – owasp.org
This article intends to provide quick basic Ruby on Rails security tips for developers. The Rails framework abstracts developers from quite a bit of tedious work and provides the means to accomplish complex tasks quickly and with ease. New developers, those unfamiliar with the inner-workings of Rails, likely need a basic set of guidelines to secure fundamental aspects of their application. The intended purpose of this doc is to be that guide.
Tools
- theHarvester v2.2a Released – code.google.com
theHarvester is a tool for gathering emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the SHODAN computer database.
- About PunkSPIDER – hyperiongray.com
PunkSPIDER is a global web application vulnerability search engine powered by PunkSCAN. What that means is that we have built a scanner and architecture that can handle a massive number of web application vulnerability scans, set it loose on the Internet, and made the results available to you.
- SI6 Networks’ IPv6 Toolkit – si6networks.com
The SI6 Networks’ IPv6 toolkit is a set of IPv6 security/trouble-shooting tools, that can send arbitrary IPv6-based packets.
- thomhastings/mimikatz-en – github.com
This is an English language localisation of mimikatz. Mimikatz uses admin rights on Windows to display passwords of currently logged in users in plaintext. Mimikatz was written by Benjamin “gentilkiwi” Delpy.
- Artillery version 0.7 Released – trustedsec.com
The blue team and defensive tool Artillery 0.7 has been released. This version adds full compatibility for local and remote syslog handling on POSIX-based systems.
Techniques
- Pentest Geek Scheduled tasks with S4U and on demand persistence – pentestgeek.com
I came across an interesting article by scriptjunkie (which you should really read) about running code on a machine at any time using service-for-user. By changing one line in the export XML of a scheduled task you effectively get a scheduled task that can run whether or not a user is logged in, whether or not the system reboots, whether or not you have the user’s password, run as a limited user, and doesn’t require bypassing UAC!
- Poking Around in Android Memory – sensepost.com
The technique that has given me most joy is memory analysis. Each application on Android is run in the Dalvik VM and is allocated its own heap space. Android being Android, free and open, numerous ways of dumping the contents of the application heap exist. There’s even a method for it in the android.os.
- MySQL madness and Rails – phenoelit.org
A pretty common technique for password resets in web applications is to send out a token via email to the user. This token lets the user reset the password right away.
- Atmel SAM7XC Crypto Co-Processor key recovery – adamsblog.aperturelabs.com
The problem with crypto is that it is processor intensive (i.e. slow), so it’s common, these days, to offload these functions to a dedicated hardware co-processor which will leave the main processor free to do whatever it is that it’s supposed to be doing and not faffing about with crypto.
- Unpacking, Reversing, Patching – resources.infosecinstitute.com
This article is an introduction to packing, how to unpack and reverse an exe, and finally how to patch it. I have chosen to show reversing of a sample exe file and how to patch it.
- Command Execution on Shoretel Mobility Router:II – blakhal0.blogspot.com
I managed to get a shell, capture, and reveal the root password, which I will be sharing with you here since I’m 99.999% sure it’s the same on all the Shoretel Mobility Routers, but let’s start where we left off.
- Using a Custom VDB Debugger for Exploit Analysis – mandiant.com
Analyzing an exploit and understanding exactly how the exploit lands can take a long time due to inadequate analysis tools. One way to speed up understanding how an exploit behaves is to use Vtrace and VDB. In this post I explain how to create a custom VDB debugger in order to detect, analyze, and prevent execution of an exploit payload.
Vendor/Software Patches
- Microsoft Security Updates
- Assessing risk for the February 2013 security updates – blogs.technet.com
Today we released twelve security bulletins addressing 57 CVE’s. Five of the bulletins have a maximum severity rating of Critical, and seven have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
- MS13-018: Hard to let go – blogs.technet.com
MS13-018 addresses a potential denial-of-service condition in the Windows TCP/IP stack. This vulnerability could be leveraged by an attacker in certain circumstances to exhaust a server’s non paged pool, preventing it from making new TCP connections.
- Fat Patch Tuesday – krebsonsecurity.com
Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework.
Vulnerabilities
- iOS 6.1
- iOS 6.1 Bug Allows Snoopers Access To Your Photos And Contacts – forbes.com
A bug in Apple‘s iOS 6.1 update allows anyone with physical access to an iPhone the ability to make calls, view and modify contacts, and even access to photos via the Contacts app, even if the device is protected by a passcode.
- iOS 6.1 Security Risk: Anyone Can Bypass Your iPhone’s Lock Screen – gizmodo.com
So, iOS 6.1 hasn’t been Apple’s finest hour. So far it’s been plagued with connection issues, battery woes, and now it’s sadly insecure, too. You can bypass any lockcode on an iPhone using this straightforward sequence of button presses.
- Adobe
- Thanks, Adobe. Protection for critical zero-day exploit not on by default – arstechnica.com
Reader protected view: Like car airbags that work only if owners flip a switch.
- Adobe confirms zero-day exploit bypasses Adobe Reader sandbox – computerworld.com
A recently found exploit that bypasses the sandbox anti-exploitation protection in Adobe Reader 10 and 11 is highly sophisticated and is probably part of an important cyberespionage operation, the head of the malware analysis team at antivirus vendor Kaspersky Lab said.
- At Facebook, zero-day exploits, backdoor code bring war games drill to life – arstechnica.com
Early on Halloween morning, members of Facebook’s Computer Emergency Response Team received an urgent e-mail from an FBI special agent who regularly briefs them on security matters. The e-mail contained a Facebook link to a PHP script that appeared to give anyone who knew its location unfettered access to the site’s front-end system.
- From USR to SVC: Dissecting the ‘evasi0n’ Kernel Exploit – blog.azimuthsecurity.com
The kernel vulnerability leveraged by evasi0n lies in the com.apple.iokit.IOUSBDeviceFamily driver in iOS. An application may talk to this driver using the IOUSBDeviceInterface user client, allowing it to access and communicate with a USB device as a whole.
- Exploit Sat on LA Times Website for 6 Weeks – krebsonsecurity.com
The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.
- Yahoo!, Dropbox and Battle.net Hacked: Stopping the Chain Reaction – blog.crackpassword.com
Major security breaches occur in quick succession one after another. Is it a chain reaction? How do we stop it?
Other News
- Facebook Hacked Via Java Vulnerability, Claims No User Data Compromised – forbes.com
Facebook has announced in a blog post that it’s been the target of an attack that gained access to its corporate network using a security vulnerability in Oracle’s Java software, although the social media firm says it believes no user data was accessed.
- Facebook Says Employee Laptops Compromised in ‘Sophisticated’ Attack – threatpost.com
Facebook security officials said the company was compromised through the use of a java zero day exploit that bypassed the sandbox.
- 2013: The year to forget everything you know about Perimeter Security! – security-musings.blogspot.ca
Even in complex environments, we have had the comfort of knowing where our network perimeter connected to the public Internet, and could apply stringent controls to secure that traffic.
- The 3 ways we owned you in 2012 – pentest.netragard.com
Here are the top 3 risks that we leveraged to penetrate into our customers’ networks in 2012. Each of these has been used to affect an irrecoverable
- How Lockheed Martin’s ‘Kill Chain’ Stopped SecurID Attack – darkreading.com
A rare inside look at how the defense contractor repelled an attack using its homegrown ‘Cyber Kill Chain’ framework.
- A Chinese Hacker’s Identity Unmasked – businessweek.com
Joe Stewart’s day starts at 6:30 a.m. in Myrtle Beach, S.C., with a peanut butter sandwich, a sugar-free Red Bull, and 50,000 or so pieces of malware waiting in his e-mail in-box. Stewart, 42, is the director of malware research at Dell SecureWorks, a unit of Dell (DELL), and he spends his days hunting for Internet spies.