Events Related
- BotConf 2013 Wrap-Up
- BotConf 2013 Wrap-Up Day #1 – blog.rootshell.be
Xavier was in Nantes (France) for two days to attend a new conference: Botconf. As the name says, this event was dedicated to botnets and malware.
- BotConf 2013 Wrap-Up Day #2 – blog.rootshell.be
Here is the Day 2 wrap-up of the conference by Xavier.
- The Appsec Program Maturity Curve 3 of 4 – www.veracode.com
This is post three in a series on the Application Program Maturity Curve. A dedicated and rigorous Application Security Program is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk.
- Baythreat 4 – thesprawl.org
The year is almost over, but the infosec community in the Bay Area shows no signs of slowing down with the fourth annual BayThreat conference.
Resources
- BayThreat 2013 Presentation – Additional Resources – shadow-file.blogspot.com
Here you’ll find links to additional resources that Zach Cutlip referenced in his talk at BayThreat 2013.
- Mobile Device Tips, Tricks and Resources – pen-testing.sans.org
These are Josh Wright’s tips for mobile device penetration testing. Josh shares some really useful insights here, as well as recommendations for tools (software and hardware) and resources for keeping current.
- AppSecUSA 2013 Videos – youtube.com
Here are the videos from the AppSecUSA 2013 conference. This playlist has the majority of the talks from the conference.
- Introducing “Have I been pwned?” – aggregating accounts across website breaches – troyhunt.com
Just after the Adobe breach, a number of sites started popping up that let you search through the breach to see if your email address (and consequently your password) was leaked. As Troy Hunt analysed various breaches, he kept finding user accounts that were also disclosed in other attacks – people were having their accounts pwned over and over again. So he built this.
- have i been pwned? – haveibeenpwned.com
- Look What I Found: Moar Pony! – blog.spiderlabs.com
With the source code of Pony leaked and in the wild, SpiderLabs continue to see new instances and forks of Pony 1.9. One of the latest instances they’ve run into is larger than the last, with stolen credentials for approximately two million compromised accounts.
- Researchers discover database with 2M stolen login credentials – news.cnet.com
Researchers have unearthed an online database full to the brim of stolen account information from popular services including Facebook, Yahoo, Twitter, and Google.
- AnalyzePDF – Bringing the Dirt Up to the Surface – hiddenillusion.blogspot.com
A great way to learn about the internals of the Portable Document Format (PDF), what to expect and what would be abnormal. PDF has become a de facto standard for transferring files, presentations, whitepapers etc.
- Bypassing Windows AppLocker using a Time of Check Time of Use Vulnerability – www.nccgroup.com
Download the research paper in PDF format from the link above.
- Interesting comments about this research – reddit.com
- how to make the internet not suck (as much) – someonewhocares.org
Here’s a hosts file template to block thousands of shock sites, drive-by malware and hijack sites.
Tools
- GCC Poison – blog.leafsr.com
gcc-poison is a simple header file for developers to ban unsafe C/C++ functions from applications. It uses the #pragma GCC poison directive to define a number of identifiers (function names) as unsafe.
- SYmbolic Exploit Assistant – seatool.org
“Symbolic Exploit Assistant” (SEA) is a small tool designed to assist the discovery and construction of exploits in binary programs. SEA is free software (GPL3) and includes a minimal toolkit (BSD) to quickly develop binary analysis tools in Python.
- SEA – github.com
- Binwally: Directory tree diff tool using Fuzzy Hashing – w00tsec.blogspot.com
A simple script to perform directory tree diffing using the concept of Fuzzy Hashing (ssdeep) to define a matching score between binaries.
- TekDefense-Automater – github.com
Automater is a tool that was originally created to automate the OSINT analysis of IP addresses. It quickly grew and became a tool to do analysis of IP Addresses, URLs, and Hashes.
- New Burp/ZAP plugin : Script Generator – blog.h3xstream.com
ZAP/Burp plugin that generates a script to reproduce a specific HTTP request (intended for fuzzing or scripted attacks).
- oclHashcat v1.00 – hashcat.net
oclHashcat v1.00 is a fusion of oclHashcat-plus v0.15 and oclHashcat-lite v0.15. Download it here.
Techniques
- The gentle art of cracking passwords – www.bbc.co.uk
If you want to pick a stronger password do not use simple combinations of words and numbers, choose words that are only tangentially related to you and make sure the password you use for your online banking is used for nothing else.
Vendor/Software patches
- Important Security Update for D-Link Routers – krebsonsecurity.com
D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.
- VMWARE Patches Privilege Escalation Vulnerability – threatpost.com
Virtualization software company VMware pushed out patches for some builds of its Workstation, Fusion, ESXi and ESX products this week, fixing a vulnerability that could have led to a privilege escalation in older Windows operating systems running in a virtual environment.
Vulnerabilities
- Healthcare.gov Operational – Security concerns not addressed – trustedsec.com
TrustedSec’s CEO presented in front of Congress on the security concerns on the healthcare.gov website. TrustedSec performed no form of hacking, just passive analysis of the healthcare.gov website.
- DDoS Attacks originated from thousands of .EDU and .GOV WordPress Blogs – thehackernews.com
In a recent cyber attack on a forum site, thousands of outdated legitimate WordPress blogs were abused to perform DDoS attacks using previously known vulnerabilities. After analyzing the log file from the victim’s server, The Hacker News noticed many WordPress CMS based educational (.EDU) and government (.GOV) websites from which the attack originated.
- Siemens Patches Authentication Bypass Flaw in SINAMICS ICS Software – threatpost.com
Siemens has patched a serious remotely exploitable vulnerability in its SINAMICS S/G ICS software that could enable an attacker to take arbitrary actions on a vulnerable installation without having to authenticate. The vulnerability affects all versions of the Siemens SINAMICS S/G products with firmware versions earlier than 4.6.11.
- Unprivileged GPU access vulnerability – CVE-2013-5987 – nvidia.custhelp.com
An NVIDIA graphics driver bug allows unprivileged user-mode software to access the GPU inappropriately. An attacker who successfully exploited this vulnerability could take control of an affected system.
Other News
- Malware jumps ‘air gap’ between non-networked devices – news.cnet.com
Researchers create proof-of-concept software to show how standalone computers can communicate via built-in speakers and microphones.
- JP Morgan warns 465,000 cardholders of data leak after hackers breach defenses – www.welivesecurity.com
Personal information for up to 465,000 customers of JP Morgan, Chase & Co. may be at risk after hackers breached its network in July, the bank has admitted – and has issued warnings to state officials and cardholders across America.