Event Related
- Juniper Networks intros global cloud-based ‘attacker database’ – zdnet.com
At the start of RSA 2013, Juniper Networks is rolling out a global database to track attacks on individual devices.
- MASTIFF Analysis of APT1 – novainfosec.com
At Shmoocon this year we were pleased to find that there is a project focused on this specifically called MASTIFF.
- Armor for Your Android Apps ShmooCon follow-up – intrepidusgroup.com
Hopefully, everyone’s already decompressed from all the Shmoocon partying by now. I wanted to follow up on the IG Learner app that I presented during my “Armor for your Android Apps” talk and give out a couple of tips on how to approach cracking the challenges (which aren’t all that hard, really).
Resources
- Android Security 101 IG Learner – isisblogs.poly.edu
This app was released at this year’s Shmoocon’13 by Intrepidus Group. You can get the app from the Google Play store.
- Android Security 101 IG Learner (Part-2) – isisblogs.poly.edu
The instructions for this lesson suggest that we need to intercept the token that is sent as a request to a server. However, the request is sent via https, so the traffic will be encrypted when we intercept it. We need to find a way to decrypt the traffic, so that we can get the secret token.
- Android Security 101 IG Learner (Part-3) – isisblogs.poly.edu
As the title suggests, this lesson is about encryption. Specifically, it concentrates on difficulties with key management and why relying on client-side encryption to generate secrets may not be a good idea. As you look through the list of methods in the Lesson6Activity class, “encryptNumberWithAES()” looks interesting.
- Positive Research Center: SAP Unknown Default Password for TMSADM – blog.ptsecurity.com
SAP default passwords are nothing new. The top five default passwords are presented in many books and articles on security issues. One would hardly find anything new on this topic.
- API Hooking in Python – rohitab.com
This uses in-process patching and trampolines to hook Windows APIs. Thanks to this forum for ideas and example code.
- Root Cause Analysis Memory Corruption Vulnerabilities – corelan.be
For the past year or so I’ve spent a significant amount of time fuzzing various applications with the hopes of identifying exploitable crashes. Early on in my research I quickly realized that building fuzzers and generating large quantities of crashes, even for heavily targeted applications, was easy.
- PowerShell Basics – Objects and the Pipeline – pauldotcom.com
PowerShell is an object-based shell; this means that everything is an object. Those who have programmed in Perl, Ruby, Python, C# or any other object-based language know very well the power of objects. For those who come from Bash, cmd.exe or any other regular text-based shell, you will notice that in PowerShell it is a lot simpler to parse and use data: typically, in one of those shells we are searching for strings, extracting the strings of text that we need and then piping them to something else, which can be very labor intensive.
- WebAppDefaultsDB (Web App Defaults Database) – github.com
This is a repository for webappdefaultsDB.
- iSECPartners/LibTech-Auditing-Cheatsheet – github.com
This list is intended to be a list of additional or more technical things to look for when auditing extremely high-value applications. The applications may involve operational security for involved actors (such as law enforcement research), extremely valuable transactions (such as a stock trading application), societal issues that could open users to physical harassment (such as a gay dating application), or technologies designed to be used by journalists operating inside repressive countries.
Tools
- iCloud backups inside out – blog.crackpassword.com
It’s been a while since we released the new version of Elcomsoft Phone Password Breaker that allows downloading backups from iCloud (read the press release).
- Looking Up Hosts and IP Addresses: Yet Another Tool – blog.didierstevens.com
lookup-hosts.py takes hostnames or files with hostnames via arguments or stdin, and then uses getaddrinfo to look up the IP addresses. And you can use a counter if you need to look up sequentially numbered hosts, like this: master[0-20].teamviewer.com.
- Open Web Application Security Project – blogspot.com
The OWASP iGoat tool is a stand-alone iOS app (distributed solely in source code) designed to introduce iOS developers to many of the security pitfalls that plague poorly-written apps.
- gamelinux/passivedns – github.com
A tool to collect DNS records passively to aid incident handling, Network Security Monitoring (NSM) and general digital forensics.
Techniques
- Bypassing Windows ASLR using skype4COM protocol handler – greyhathacker.net
While investigating an unrelated issue using the SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts I decided to check if these libraries have their dynamic base bits set.
- Java 7 Exploit for CVE-2013-0431 in the Wild – community.rapid7.com
An exploit for CVE-2013-0431 has been analyzed and shared by SecurityObscurity, and is also now available as a Metasploit module with some improvements for testability. We would like to use this blog post to share some details about the vulnerabilities abused by this new Java exploit.
- Bypassing Google’s Two-Factor Authentication – blog.duosecurity.com
TL;DR – An attacker can bypass Google’s two-step login verification, reset a user’s master password, and otherwise gain full account control, simply by capturing a user’s application-specific password (ASP).
- Injecting a DLL in a Modern UI Metro Application – blog.nektra.com
DLL injection is one of the oldest techniques used to run custom code inside a target application in Windows. It is usually used to intercept and modify normal application behavior or add new functionality.
- Deobfuscating Java 7u11 Exploit from Cool Exploit Kit (CVE-2013-0431) – security-obscurity.blogspot.it
At the beginning of the past week @EKWatcher spotted Cool Exploit Kit using the Java 7 update 11 vulnerability (CVE-2013-0431).
- The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor – securelist.com
New Adobe PDFs exploiting CVE-2013-0640 drop sophisticated malware known as MiniDuke.
- Suggestions on what to do when a service you use gets compromised – room362.com
It seems like every week there is a new compromise of some service or another. But as a user what are you supposed to do with this knowledge? Here are some suggestions on things to do or think about when reacting.
Vendor/Software Patches
- The Java Zero-Day Procession Continues – threatpost.com
After a glorious 72-hour stretch without one, security researchers confirmed yesterday that they found yet another zero-day vulnerability in Oracle’s thoroughly troubled Java platform.
Vulnerabilities
- Another iPhone Passcode Bypass Vulnerability Discovered – threatpost.com
A glitch in the iOS kernel of Apple’s much maligned iOS 6.1 is responsible for yet another passcode bypass vulnerability, the second to surface this month.
- Security Notice: Service-wide Password Reset | Evernote – evernote.com
Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
Other News
- DHS’s Mark Weatherford on Cybersecurity Workforce – bankinfosecurity.com
Homeland Security Deputy Undersecretary Mark Weatherford says he isn’t bashful about raiding other federal government agencies to build DHS’s IT security staff.
- EXCLUSIVE: Hacked ABC website likely breached by crooks in 2011 – risky.biz
The ABC website compromised by anonymous attackers overnight was likely already breached by cyber-criminals active on Russian forums as far back as 2011.
- Adobe issues emergency patch for zero-day Flash vulnerabilities – news.cnet.com
The company says two vulnerabilities are being actively exploited and recommends that Windows and Mac OS X users of the browser plug-in update their systems immediately.
- Here’s What Law Enforcement Can Recover From A Seized iPhone – forbes.com
The call log of a seized iPhone, with numbers redacted. You may think of your iPhone as a friendly personal assistant. But once it’s alone in a room full of law enforcement officials, you might be surprised at the revealing things it will say about you. On Tuesday the American Civil Liberties.
- Continuous Monitoring and the Federal Government: Is There a Silver Bullet? – accuvant.com
“Continuous monitoring” is the latest buzzword being used throughout the federal government. And depending on with whom you talk or what you read, the definition changes. The truth is there is no silver bullet to address this issue.
- Foreign hackers steal more than a terabyte of data per day in ongoing cyberwar – theverge.com
Two decades after computer security began generating billions by selling expertise and software designed to protect against unwanted network intrusions, experts say those networks are more vulnerable than ever.
- Today’s Outage Post Mortem – blog.cloudflare.com
The cause of the outage was a system-wide failure of our edge routers. CloudFlare currently runs 23 data centers worldwide. These data centers are connected to the rest of the Internet using routers.