Week 14 in Review – 2013

Event Related

  • CCDC
    • WRCCDC – A Red Team Members Perspective – blog.strategiccyber.com
      Western Regional CCDC was pretty epic. Given the level of interest in red activity, I’d like to share what I can. So much happened, I couldn’t keep up with all of it.
    • Web Application Defender’s Cookbook: CCDC Blue Team Cheatsheet – blog.spiderlabs.com
      Trustwave is a corporate sponsor of the National Collegiate Cyber Defense Competition (CCDC) where the SpiderLabs team members actively participate on the Red Teams and simulate attackers.
    • Active Cyber Network Defense with Denial and Deception – cerias.purdue.edu
      In January 2012, MITRE performed a real-time, red team/blue team cyber-wargame experiment. This presented the opportunity to blend cyber-warfare with traditional mission planning and execution, including denial and deception tradecraft.

Techniques

  • Jamming With WordPress Sessions – blog.spiderlabs.com
    I’ll be focusing on WordPress, a popular website content management system, that also just happens to handle “sessions” in a unique way which makes this a far more interesting discussion.
  • Command Injection Tips: Leveraging Command-line Kung Fu with nslookup – pen-testing.sans.org
    When I took the recent SANS SEC 560 vLive course (yes, with Smell-O-Vision!) in January and February, I was super pumped to study the Pen Testing Arts under Sensei Skoudis and Sensei Medin. The last half of Day 5 focused on web app attacks (including hands-on exercises for XSRF, XSS, SQLi, and command injection).
  • Compromising Embedded Linux Routers with Metasploit – community.rapid7.com
    Normally we don’t get a lot of contributions regarding embedded devices. Even when they are an interesting target from the pentesting point of view, and it is usual to find them out of DMZ zones on corporate networks.
  • Cool ColdFusion Post Exploitation – breenmachine.blogspot.com
    So on a recent test I happened to run into an instance of the new(ish) Adobe ColdFusion authentication bypass (http://www.adobe.com/support/security/advisories/apsa13-01.html).
  • Pass-the-Hash Web Style – pen-testing.sans.org
    I’m talking about a different kind of pass-the-hash, one where the web app developer congratulated himself with an ingenious security feature, but almost completely missed the goal in securing the application’s authentication.
  • GPU Cracking: Building the Box – netspi.com
    So if you’re planning on putting together your own GPU cracking rig, here’s some steps that you may want to take to make it easier.

Vulnerabilities

  • AMI Firmware Source Code, Private Key Leaked – threatpost.com
    Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan.

Other News

  • CFAA 2013: Congress New Draft Could Incarcerate Teenagers That Read News Online – ibtimes.com
    Reading the news should be an essential habit, especially for students and children, yet anyone under 18 found browsing through the news online could hypothetically face jail time under the latest draft of proposed changes to the Computer Fraud and Abuse Act, which is supposed to be “rushed” to Congress during its “cyber week” in the middle of April.
