Week 11 in Review – 2013

Event Related

• ShmooCon 2013
  • ShmooCon Epilogue 2013 Videos Recut per speaker / talk – excivity.com
    I was one of the people helping out with streaming this year’s ShmooCon Epilogue talks. Google Hangouts was kind enough to record everything for us, but lumped it into one large file.
  • ShmooCon 2013 Videos Posted – shmoocon.org
    Videos for ShmooCon 2013 posted here.
• Blackhat Europe 2013
  • Highlights from BlackHat Europe 2013 in Amsterdam – securelist.com
    Every year as Europe wakes up from the cold winter to the warm days of spring, BlackHat traditionally descends to Amsterdam.
  • Black Hat | Europe 2013 – Briefings – blackhat.com
    We are in the middle of a power shift in society that is at least as large as that of the printing press. Information advantage has always been the same as power: when the ruling elite has historically lost the information advantage, they have also lost power.
  • Day 1
    • BlackHat Europe 2013 Wrap-Up Day #1 – blog.rootshell.be
      Hello Everyone, it’s BlackHat time again! Here is my wrap-up for the first day. Yesterday evening, after a safe drive to Amsterdam with @corelanc0d3r, we went out for dinner and had good times with other friends and guys from the Rapid7 team who maintain the Cuckoo project.
    • BlackHatEU2013 Day 1 To dock or not to dock – corelan.be
      Time flies ! After hanging out with @repmovsb and @botherder, it’s time for the last talk of the day. In the “To dock or not to dock, that is the question” talk, Andy Davis, research director at NCC Group shares his research around using laptop docking stations as hardware-based attack platforms.
    • BlackHatEU2013 Day1 Hardening Windows 8 Apps for the Windows Store – corelan.be
      The first talk after having lunch at BlackHat Europe 2013, title “Hardening Windows 8 Apps for the Windows Store” is delivered by Bill Sempf (@sempf).
  • Day 2
    • BlackHatEU2013 Day2 Whos really attacking your ICS devices ? – corelan.be
      Kyle Wilhoit, Threat researcher at Trend Micro, explains that he will provide an overview of ICS systems before looking at some interesting attacks at ICS systems.
    • BlackHatEU2013 Day2 The Sandbox Roulette: Are you ready to ramble – corelan.be
      I think there is no better way of starting the second day at a conference with – say – some hardcore technical stuff about sandboxes. This must be my luck day because that is exactly what Rafal Wojtczuk and Rahul Kashyap, from Bromium, will be covering in their talk.
    • BlackHat Europe 2013 Wrap-Up Day #2 – blog.rootshell.be
      And we are back with the second wrap-up of BlackHat Europe 2013! After a dinner with friends and some beers at Rapid7 and IOActive parties, I went back to the hotel to finish the first day wrap-up.
    • BlackHatEU2013 Day2 DropSmack: How cloud synchronization services render your corporate firewall worthless – corelan.be
      Jake Williams (@malwareJake) from CSR Group has more than a decade of experience with systems engineering, network defines, malware reverse engineering, penetration testing and forensics.
    • BlackHatEU2013 Day2 Advanced Heap Manipulation in Windows 8 – corelan.be
      The next talk I will be covering today is presented by Zhenhua ‘Eric’ Liu, Senior Security researcher at Fortinet.

Resources

• Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI) – pauldotcom.com
  WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), with some enhancements in the initial version of it, WBEM is a industry initiative to develop a standard technology for accessing management information in an enterprise environment that covers not only Windows but also many other types of devices like routers, switches, storage arrays …etc.
• 0xdabbad00.com Blog Archive Thoughts on signed executables – 0xdabbad00.com
  In thinking about making an application to do white-listing on Windows, one of the first questions you have is how do you identify what to trust?
• Virtual Patching Cheat Sheet – OWASP – owasp.org
  The goal with this cheat Sheet is to present a concise virtual patching framework that organizations can follow to maximize the timely implementation of mitigation protections.
• America’s Next Top Module – community.rapid7.com
  These stats are gathered roughly monthly from the Metasploit exploit database backend, and tend to have a pretty strong recency bias — modules that recently got a lot of press or Twitter buzz tend to shoot up to the top of the list.
• Windows Auth – The Nightmare Begins (SSO) – passing-the-hash.blogspot.com
  I’m going to start with an overview of Windows authentication and why it’s such a large, complicated, unwieldy beast.
• The Pentester’s Guide to Akamai – nccgroup.com
  I’m happy to announce we’ve just published a new technical whitepaper based on knowledge gained assessing sites located behind Akamai.
• Security of RC4 Stream Cipher – home.hiroshima-u.ac.jp
  We published a first plaintext recovery attack of RC4 in the broadcast setting where same plaintext is encrypted by different user keys at FSE 2013 (earlier than AlFardan-Bernstein-Paterson-Poettering-Schuldt Results).

Tools

• The Social-Engineer Toolkit (SET) v4.7 Headshot released – trustedsec.com
  The Social-Engineer Toolkit (SET) version 4.7 codename “Headshot” has been released.

Techniques

• How I Hacked Any Facebook Account…Again! – nirgoldshlager.com
  This is my second post regarding Facebook OAuth Vulnerabilities.
• Phishing Techniques: Similarities, Differences and Trends Part II: Targeted Phishing – resources.infosecinstitute.com
  Spear-phishing is a technique by which a cyber-criminal falsely presents himself in an electronic communication as a CEO, director, manager or a subordinate (an insider) of a particular firm or department of government where his victim works to earn their trust, or he impersonates an entity which is either trusted by the targeted firm/government or the latter has relations or obligations towards it.
• PowerShell Basics – Extending the Shell with Modules and Snapins – pauldotcom.com
  There is a big miss conception with people starting with PowerShell when they install some server products like Exchange or SharePoint and the programs place a shotcut to what they call a “Management Shell” it is nothing more than PowerShell with a loaded Module or PSSnapin. As you will see extending the shell is quite simple and flexible.

Vendor/Software Patches

• TP-Link Router
  • TP-Link http/tftp backdoor – sekurak.pl
    TP-Link TL-WDR4300 is a popular dual band WiFi, SOHO class router.
  • More information about TP-Link backdoor – sekurak.pl
    During the analysis of this TP-Link backdoor, I found other issues, which can be handy when analyzing other devices.
• Critical Updates for Windows, Adobe Flash, Air – krebsonsecurity.com
  Microsoft and Adobe each released patches today to plug critical security holes in their products. Microsoft issued seven update bundles to address at least 19 20 vulnerabilities in Windows and related software.
• IPv6 Focus Month: Kaspersky Firewall IPv6 Vulnerability – isc.sans.edu
  Kasperksy today released an update to its personal firewall product for Windows. The patched vulnerability fits very nicely into our current focus on IPv6.

Vulnerabilities

• NIST NVD Site Hacked (updated) – novainfosec.com
  Wait … isn’t stuff like hacking the National Vulnerability Database (NVD) supposed to wait until Friday night? Well I guess it did … but it was last Friday.
• Most PC security problems come from unpatched third-party Windows apps – arstechnica.com
  86 percent are caused by non-Microsoft programs, Secuina finds in review.
• Two new attacks on SSL decrypt authentication cookies – arstechnica.com
  Aging standard isn’t holding up very well in face of sophisticated attacks.
• 3G and 4G USB modems are a security threat, researcher says – infoworld.com
  The security researchers showed how to attack 3G and 4G USB modems at Black Hat Europe

Other News

• Brian Krebs
  • Security reporter tells Ars about hacked 911 call that sent SWAT team to his house (Updated) – arstechnica.com
    Brian Krebs may be first journalist to suffer vicious hack known as swatting.
  • The World Has No Room For Cowards Krebs on Security – krebsonsecurity.com
    It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time.
• Security Theater on the Wells Fargo Website – schneier.com
  Click on the “Establishing secure connection” link at the top of this page. It’s a Wells Fargo page that displays a progress bar with a bunch of security phrases — “Establishing Secure Connection,” “Sending credentials,” “Building Secure Environment,” and so on — and closes after a few seconds. It’s complete security theater; it doesn’t actually do anything but make account holders feel better.
• Cryptographers Demonstrate New Crack For Common Web Encryption – forbes.com
  It’s long been known that one of the oldest and most widely used standards for encrypting web sites has some serious weaknesses.
• NSA Director Alexander: US Building Cyberattack Teams – threatpost.com
  NSA Director Gen. Keith Alexander told a House committee the U.S. is putting together 13 teams capable of hacking back at foreign nations who use malware to attack American critical infrastructure.
• Security Appliances Are Riddled with Serious Vulnerabilities, Researcher Says – cio.com
  Companies should not assume that security products are implicitly secure, the researcher said
• Thread: If you’re doing a new RSS reader… – threads2.scripting.com
  The main thing we learned is that subscription needs to be centralized to make the process as simple as possible for the user. That’s one of the main reasons Twitter was such an effective competitor.