Event Related
- Course Review: SANS SEC573 Python for Penetration Testers – ethicalhacker.net
  “SANS SEC573 Python for Penetration Testers” is a five-day class that teaches the basics of the Python language then builds on that knowledge to show how to utilize its specialized libraries to perform network capture and analysis, SQL injection, Metasploit integration, password guessing and much more.
- HiTCON 2013 slides – reverse.put.as
  The slides are slightly changed from previous presentations, fixing/reordering some things and minor additions (small details related to OS X Mavericks).
- Stronger Identity Protection via Mobile Devices Passwords13 – viaforensics.com
  At this year’s PasswordsCon, viaForensics Mobile Researcher David Weinsten presented “Stronger Identity Protection via Mobile Devices”. The presentation was made on July 30, 2013.
- Black Hat USA 2013
  - Black Hat USA 2013 – blackhat.com
    Briefings and Keynotes for Black Hat USA 2013.
  - NSA Director Heckled At Conference As He Asks For Security Community’s Understanding – forbes.com
    When NSA Director Keith Alexander appeared at the Las Vegas security conference Black Hat Wednesday morning, he hoped to mend the NSA’s reputation in the eyes of thousands of the conference’s hackers and security professionals. It didn’t go exactly as planned.
  - #BlackHat Briefings USA 2013: Day One Notes – toolbox.com
    Updated throughout the day – check back for updates.
  - This Fake Charger Will Hide A Trojan In Your iPhone’s Facebook App – forbes.com
    At the Black Hat security conference in Las Vegas Wednesday, three Georgia Tech security researchers carried out a demonstration for reporters showing just how easily they could compromise an iPhone 5 using a malicious charger built with a three-inch square, $45 computer known as a BeagleBoard.
  - Researchers reveal how to hack an iPhone in 60 seconds – zdnet.com
    Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a “malicious charger.”
  - Introducing Binfuzz.js – blog.dinaburg.org
    Tomorrow morning I will be giving a demonstration of Binfuzz.js at Blackhat Arsenal 2013. Please stop by the Arsenal area from 10:00 – 12:30. The slides are already available on the Blackhat website.
  - Researchers exploit cellular tech flaws to intercept phone calls – computerworld.com
    Researchers showed a Black Hat audience how femtocell technology, used by phone companies to boost cell phone coverage, can be hacked to intercept cell phone calls, text messages and other data.
  - #BlackHat Briefings USA 2013: Day Two Notes – it.toolbox.com
    Sorry for the delay on day #2. A lot going on! Opened the day with listening to a rocket scientist (yes, an actual rocket scientist), then ran for the DEFCON badge line… and now proceeding with some talks.
  - Capturing Unencrypted HTTPS Requests and Responses (As Seen at BlackHat Arsenal) – blog.nektra.com
    Today Manuel Fernandez is presenting HookME at Black Hat USA Arsenal 2013. HookME is software designed for intercepting communications which uses the Nektra Deviare Engine for binary instrumentation. HookME can intercept unencrypted HTTPS web traffic.
  - Blackhat USA 2013 Day 2 – Double Fetch 0day, ICS/SCADA, and Remembering Barnaby Jack – securelist.com
    Blackhat 2013 day 2 brought 0day, a sad remembrance of young researcher Barnaby Jack, and ICS/SCADA security vulnerabilities and review.
  - Researchers demo exploits that bypass Windows 8 Secure Boot – computerworld.com
    The Windows 8 Secure Boot mechanism can be bypassed on PCs from certain manufacturers because of oversights in how those vendors implemented the Unified Extensible Firmware Interface (UEFI) specification, according to a team of security researchers.
- BSides Las Vegas
  - BSidesLV: Android Backup [un]packer release – blog.c22.cc
    As part of my “Mobile Fail: Cracking open “secure” android containers” talk at BSidesLV I’ve released a couple of scripts I wrote to automate some of the legwork involved in backing up Android applications and automatically unpacking their data and settings.
  - Bsides Las Vegas 2013 Videos – irongeek.com
    These are the videos from the BSides Las Vegas conference. Thanks to all of the BSides Crew for having me out to help record and render the videos.
  - BSidesLV Day 2 Postmortem – novainfosec.com
    Just wanted to follow-up with our article from yesterday on some of the goings-on at BSidesLV this year… Unfortunately, I took the morning off to pick up my badge for Defcon but did manage to catch some gems later in the afternoon.
  - Researchers bypass home and office security systems – computerworld.com
    Many door and window sensors, motion detectors and keypads that are part of security systems used in millions of homes and businesses can be bypassed by using relatively simple techniques, according to researchers from security consultancy firm Bishop Fox.
- Defcon 21
  - Car hacking code released at Defcon – news.cnet.com
    Car computer hacking hit the gas on the first morning of Defcon 21, as hackers revealed how they took over two of the most popular cars in America. Read this article by Seth Rosenblatt on CNET News.
  - Defcon Day 2 Postmortem – novainfosec.com
    As compared to day 1 of Defcon I did a little better and actually got into Defcon before noon. And after a quick lunch I headed off to check out several talks.
  - Researchers Develop DIY System to Detect Malware on Mobile Phones – wired.com
    Researchers have developed a do-it-yourself system for detecting malware on mobile phones using a femtocell that allows users to monitor their own mobile traffic.
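The BSidesLV Android backup [un]packer item above is about the container that `adb backup` writes. As an added example (not the c22.cc scripts, which are not reproduced here), the following Python shows the unencrypted `.ab` layout end to end: a 24-byte text header (magic, format version, compressed flag, encryption scheme) followed by a zlib stream holding a tar archive. The app name `com.example.vault` and the file contents are constructed sample data, and the encrypted (`AES-256`) case is refused rather than handled, since that needs the user's backup password.

```python
import io
import tarfile
import zlib

# Unencrypted Android backup (.ab) layout, as written by `adb backup`:
#   "ANDROID BACKUP\n" magic, "1\n" format version, "1\n" compressed flag,
#   "none\n" encryption scheme, then a zlib stream containing a tar archive.
MAGIC = b"ANDROID BACKUP\n"


def pack_backup(files):
    """Build an unencrypted, compressed .ab image from a {path: bytes} mapping."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = MAGIC + b"1\n" + b"1\n" + b"none\n"
    return header + zlib.compress(tar_buf.getvalue())


def parse_header(blob):
    """Split the four-line .ab header; returns (version, compressed, encryption, body)."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    rest = blob[len(MAGIC):]
    version, rest = rest.split(b"\n", 1)
    compressed, rest = rest.split(b"\n", 1)
    encryption, body = rest.split(b"\n", 1)
    return int(version), compressed == b"1", encryption.decode("ascii"), body


def unpack_backup(blob):
    """Return {path: bytes} for an unencrypted backup; refuse encrypted ones."""
    version, compressed, encryption, body = parse_header(blob)
    if encryption != "none":
        # "AES-256" backups need the user's password and a PBKDF2-derived key;
        # this example deliberately stops here instead of guessing at that path.
        raise ValueError("encrypted backup (%s); password required" % encryption)
    tar_bytes = zlib.decompress(body) if compressed else body
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out


# Constructed sample (hypothetical app): a manifest plus a shared-preferences file
# of the kind that ends up in a backup when the app does not opt out of it.
SAMPLE_FILES = {
    "apps/com.example.vault/_manifest": b"com.example.vault\n1\n",
    "apps/com.example.vault/sp/secrets.xml":
        b'<?xml version="1.0"?><map><string name="pin">1234</string></map>',
}
```

The header length is why the common manual trick of `dd if=backup.ab bs=24 skip=1` followed by a zlib decompressor recovers the tar: those 24 bytes are exactly `ANDROID BACKUP\n1\n1\nnone\n`. Anything the app stores in shared preferences or its private files is therefore readable to whoever holds the backup file, which is the point of the "secure container" talk the scripts accompany.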
Tools
- drozer – labs.mwrinfosecurity.com
  drozer provides tools to help you use and share public Android exploits. It helps you to deploy a drozer agent by using weasel – MWR’s advanced exploitation payload.
- A Cheap Spying Tool With a High Creepy Factor – mobile.nytimes.com
  Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?
Techniques
- admin to SYSTEM win7 with remote.exe – carnal0wnage.attackresearch.com
  I ended up using Method 2 on a recent test. The post above calls for needing an elevated command shell so you can call “at”. This is easy if you are legitimately sitting in front of the box but if you are pentesting, potentially harder.
- How to Easily Spot Broken Cryptography in iOS Applications – andreas-kurtz.de
  Within one of my recent research projects on mobile application security, I reviewed some password managers for iOS devices from the Apple App Store.
- Troy Hunt: Everything you wanted to know about SQL injection (but were afraid to ask) – troyhunt.com
  Put on your black hats folks, it’s time to learn some genuinely interesting things about SQL injection. Now remember – y’all play nice with the bits and pieces you’re about to read, ok?
- Struts 2 Remote Code Execution via OGNL Double Evaluation – communities.coverity.com
  Struts 2 heavily utilizes OGNL as a templating / expression language. OGNL, similar to other expression languages, is vulnerable to a class of issues informally termed “double evaluation”. That is, the value of an OGNL expression is mistakenly evaluated again as an OGNL expression.
- Mimikatz Minidump and mimikatz via bat file – carnal0wnage.attackresearch.com
  First, check out this post by the mimikatz author. Now, one of the twitter comments I received was: “duh anyone can right click and dump process memory to a file”. Unfortunately I’m rarely sitting with a GUI and can just “right click” but I do usually have the ability to “net use” and create scheduled tasks. The cool thing about AT jobs and scheduled tasks is that if you run them as “admin” they really get run as SYSTEM, so you can do neat stuff like dump lsass memory or get SYSTEM shells when the job executes your binary.
- Obviously a Major Malfunction…: RFIDler – An open source Software Defined RFID Reader/Writer/Emulator – aperturelabs.com
  RFID is, as with a lot of these technologies, mysterious by nature. It relies on strange physical phenomena like “induction” and “electro-magnetism” and “near-fields”, etc. Yes, what we Code Monkeys like to call “Magic Moonbeams”. It’s all very nasty and analoguey.
- Zone Transfers on The Alexa Top 1 Million – ethicalhack3r.co.uk
  At work as part of every assessment we do some reconnaissance which includes attempting a DNS Zone Transfer (axfr) and conducting a subdomain brute force on the target domain/s. The subdomain brute force is only as good as your wordlist, the Zone Transfer is a matter of luck.
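The Troy Hunt SQL injection item in the list above is a tutorial, so here is the core of it in runnable form. This is an added example, not code from Troy Hunt's post: a login check built by string concatenation next to the same check with bound parameters, plus a UNION payload against a second query. Python's `sqlite3` module stands in for the database, and the `users` table and its two rows are constructed sample data.

```python
import sqlite3


def make_db():
    """In-memory users table populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cr3t!", "admin"), ("alice", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled by string formatting: user input becomes SQL syntax.
    `admin'--` as the username comments out the password check; a password of
    `' OR '1'='1` makes the WHERE clause true for every row."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately
    from the statement, so quotes and comment markers stay plain data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def search_vulnerable(conn, role):
    """A second injectable query, to show UNION-based extraction rather than a
    mere auth bypass: the attacker appends a SELECT over columns of their choice."""
    sql = "SELECT username, role FROM users WHERE role = '%s'" % role
    return conn.execute(sql).fetchall()


def search_fixed(conn, role):
    sql = "SELECT username, role FROM users WHERE role = ?"
    return conn.execute(sql, (role,)).fetchall()
```

The fix is the same in every driver and language: never build the statement out of input, bind it. Where a legacy query cannot be parameterised (a column name or ORDER BY direction chosen by the user, say), map the input onto a fixed allow-list rather than escaping it.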
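The Struts 2 item describes "double evaluation" only in the abstract. The Python below is an added illustration of that bug class, not Coverity's write-up or Struts' code: a deliberately tiny expression evaluator (arithmetic and lookups in a context dictionary) stands in for OGNL, and `%{...}` stands in for its interpolation syntax. The tag attribute `%{name}` is resolved once, as the developer intended; the vulnerable renderer then feeds the resulting string, which an attacker controls through the `name` request parameter, back through the evaluator. The context values are constructed.

```python
import ast
import operator
import re

# `%{...}` marks an expression, as in the page's example expression language.
EXPR = re.compile(r"%\{(.*?)\}")
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def evaluate(expr, ctx):
    """Stand-in for the expression language: constants, + - *, and names looked up
    in `ctx`. Anything else is rejected, so the toy itself cannot be abused."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            return ctx[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr, mode="eval"))


def interpolate(text, ctx):
    """Replace every %{...} in `text` with its evaluated value."""
    return EXPR.sub(lambda m: str(evaluate(m.group(1), ctx)), text)


def render_attr_vulnerable(attr, ctx):
    """Double evaluation: the attribute is resolved once (intended), then the
    resulting string, which may now contain attacker-supplied %{...}, is run
    through the engine a second time."""
    first_pass = interpolate(attr, ctx)
    return interpolate(first_pass, ctx)


def render_attr_fixed(attr, ctx):
    """Single evaluation: whatever the first pass produced is plain data."""
    return interpolate(attr, ctx)


# Constructed request context: `name` is a parameter the attacker controls.
ATTACKER_CTX = {"name": "%{7*191}", "greeting": "hello"}
```

With a real expression language the second pass is not limited to arithmetic, which is what turns this pattern into remote code execution; the structural fix is the same as in `render_attr_fixed`: a value that came out of the evaluator must never go back in.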
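The zone transfer item describes the AXFR attempt as a routine recon step. As an added example (not the ethicalhack3r script, which is not reproduced here), the following Python builds the AXFR query on the wire, parses the reply, and decides whether the server actually permitted the transfer, so a scan over many domains can separate "open" from "refused" rather than treating any answer as success. It uses only the standard library; `axfr()` talks to a real server over TCP and is the only part that needs network, while `sample_responses()` returns constructed replies for `example.com` so the parser can be exercised offline.

```python
import socket
import struct

QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 252: "AXFR"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1337):
    """Header + one question with QTYPE 252 (AXFR), class IN, plus the TCP length prefix."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 252, 1)
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def parse_response(msg):
    """Parse one DNS message (no length prefix) into (rcode, [(name, type, ttl, value), ...])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rd_start, off = off + 10, off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[rd_start:off])
        elif rtype in (2, 5):
            value, _ = decode_name(msg, rd_start)
        elif rtype == 6:
            mname, o = decode_name(msg, rd_start)
            rname, o = decode_name(msg, o)
            value = "%s %s serial=%d" % (mname, rname, struct.unpack("!I", msg[o:o + 4])[0])
        else:
            value = msg[rd_start:off].hex()
        records.append((name, QTYPE.get(rtype, rtype), ttl, value))
    return flags & 0xF, records


def transfer_allowed(rcode, records):
    """A permitted transfer is NOERROR and bracketed by the zone's SOA; REFUSED (rcode 5)
    or an empty answer section means the server rejected the AXFR."""
    return rcode == 0 and len(records) >= 2 and records[0][1] == "SOA" and records[-1][1] == "SOA"


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def axfr(zone, nameserver, timeout=10):
    """Live check: AXFR runs over TCP and a large zone arrives as several messages."""
    records = []
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(build_axfr_query(zone))
        while True:
            n = struct.unpack("!H", _read_exact(sock, 2))[0]
            rcode, recs = parse_response(_read_exact(sock, n))
            records.extend(recs)
            if rcode != 0 or not recs or (len(records) > 1 and records[-1][1] == "SOA"):
                return rcode, records


def sample_responses():
    """Constructed server replies for example.com (not captured traffic): one permitted
    transfer and one REFUSED, both answering the query built above."""
    question = build_axfr_query("example.com")[14:]  # strip length prefix and header
    soa_rdata = (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
                 + struct.pack("!IIIII", 2013080101, 7200, 3600, 1209600, 3600))
    soa = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    www = b"\x03www\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    allowed = struct.pack("!HHHHHH", 0x1337, 0x8400, 1, 3, 0, 0) + question + soa + www + soa
    refused = struct.pack("!HHHHHH", 0x1337, 0x8405, 1, 0, 0, 0) + question
    return allowed, refused
```

For a one-off check `dig axfr example.com @ns1.example.com` does the same thing by hand; the value of a script is that it asks every authoritative server for the domain (the NS set is what to iterate over), since misconfiguration is usually per-server rather than per-zone, which is the "matter of luck" the post refers to.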
Vendor/Software Patches
- Lavasoft Security Bulletin: July 2013 – lavasoft.com
  Top 20 Blocked Malware
- Researchers demo exploits that bypass Windows 8 Secure Boot – itworld.com
  The Windows 8 Secure Boot mechanism can be bypassed on PCs from certain manufacturers because of oversights in how those vendors implemented the Unified Extensible Firmware Interface (UEFI) specification, according to a team of security researchers.
Vulnerabilities
- Microsoft Expands MAPP Program to Incident Response Teams – threatpost.com
  Microsoft MAPP program is expanding to incident response teams and also provides earlier guidance to member companies.
- Versatile and infectious: Win64/Expiro is a cross-platform file infector – welivesecurity.com
  Recently, our anti-virus laboratory discovered an interesting new modification of a file virus known as Expiro which targets 64-bit files for infection. File-infecting viruses are well known and have been studied comprehensively over the years, but malicious code of this type almost invariably aimed to modify 32-bit files.
Other News
- Students hijack luxury yacht with GPS spoofing – scmagazine.com.au
  A team of university students have demonstrated that it is possible to subvert global positioning system navigation signals to pilot a superyacht without tripping alarms.
- Millions of Kwikset Smartkey Locks Vulnerable to Hacking, Say Researchers – wired.com
  Millions of Kwikset smartkey locks used to secure residences can easily be thwarted with a screwdriver or wire, despite the company’s claims that special features of the lock prevent anything other than a key from being inserted in the lock.
- SIM card hack inspires quick fix by carriers – edition.cnn.com
  Major wireless carriers have fixed a bug that could have allowed criminals to hack into hundreds of millions of cell phones, says a security expert who exposed the flaw.