Resources
- Why PLCpwn Is Important for ICS Cyber Weapons – www.digitalbond.com
The interesting question is what happens when organizations and governments stumble across one of these deployed attack systems and covert channels?
- S4x14 Video: Stephen Hilt on PLCpwn – digitalbond.com
- Cheat Sheets – packetlife.net
Here are cheat sheets by packetlife. You can download all from here.
- OWASP Cheat Sheet Series – owasp.org
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific web application security topics. These cheat sheets were created by multiple application security experts and provide excellent security guidance in an easy to read format.
- Pen-Test-A-Go-Go: Integrating Mobile and Network Attacks for In-Depth Pwnage – pen-testing.sans.org
Josh Wright and eskoudis presented a webcast a few months back that is chock full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course.
- Top Security Questions to Ask Your Cloud Provider – fishnetsecurity.com
When considering a move to the cloud, there are a number of security questions that should be considered as you select a potential cloud provider.
- DARPA Open Catalog – darpa.mil
Here is the DARPA Open Catalog, which contains a curated list of DARPA-sponsored software and peer-reviewed publications. DARPA funds fundamental and applied research in a variety of areas including data science, cyber, anomaly detection, etc.
- A look at Snapchat client-side controls – intrepidusgroup.com
An iOS tweak to save Snapchat images to persistent storage, disable screenshot notifications, and never expire images. For this exercise, Intrepidus used the Theos framework to write a MobileSubstrate based tweak.
- WAVSEP Web Application Scanner Benchmark 2014 – sectooladdict.blogspot.ro
Here is a detailed analysis by Shay Chen on the Web Application Vulnerability Scanners Benchmark.
- SWAMP – continuousassurance.org
The Software Assurance Marketplace (SWAMP) is committed to bringing a transformative change to the national software assurance landscape by providing a national marketplace that provides continuous software.
Tools
- tilde_enum – github.com
Takes the output of a Java scanner that exploits the IIS tilde 8.3 enumeration vuln and tries to get you full file names.
- SPIPScan – github.com
SPIP (CMS) scanner for penetration testing purposes, written in Python and released under the MIT License. This tool has been designed to perform detection of SPIP installs during penetration testing.
- pasteye – github.com
It’s an interesting side project, and can be rather useful to some people. Great for breach notifications (i.e: realtime notification if a large DB has been pasted to Pastebin), and future versions will have custom filter features which would allow you to monitor for anything.
Techniques
- Here’s how Bell was hacked – SQL injection blow-by-blow – troyhunt.com
OWASP’s number one risk in the Top 10 has featured prominently in a high-profile attack, this time resulting in the leak of over 40,000 records from Bell in Canada. It was pretty self-evident from the original info leaked by the attackers that SQL injection had played a prominent role in the breach.
- New iFrame Injections Leverage PNG Image Metadata – blog.sucuri.net
In today’s attacks, especially when talking about drive-by-downloads, leveraging the iFrame tag is often the preferred method. It’s simple and easy, and with a few attribute modifications, the attacker is able to embed code from another site, often compromised, and load something via the client’s browser without them knowing.
- Pwn Faster with Metasploit’s Multi-Host Check Command – community.rapid7.com
A new trick we’d like to introduce today is the modified “check” command, which allows you to quickly identify vulnerable, or likely exploitable machines in a more accurate manner.
- Obtaining NTDS.dit Using In-Built Windows Commands – blog.cyberis.co.uk
Using the same underlying technique (Volume Shadow Service), there is an in-built command (Windows 2008 and later) that does a backup of the crucial NTDS.dit file, and the SYSTEM file (containing the key required to extract the password hashes), without the need to use VB Script, third-party tools or injecting into running processes.
- Reverse engineering my bank’s security token – blog.valverde.me
Thiago Valverde’s current bank, one of Brazil’s largest, provides its clients with one of several methods (in addition to their passwords) to authenticate to their accounts, online and on ATMs. He reverse engineered their Android OTP code generator and ported it to an Arduino-compatible microcontroller.
- How I hacked Github again. – homakov.blogspot.com
This is a story about 5 low-severity bugs Egor pulled together to create a simple but high-severity exploit, giving him access to private repositories on GitHub.
Vendor/Software patches
- Adobe Pushes Fix for Flash Zero-Day Attack – krebsonsecurity.com
Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today.
Vulnerabilities
- Exploitable vulnerabilities #1 (MS08-067) – community.rapid7.com
sho_luv still very frequently finds organizations vulnerable to MS08-067. Usually these systems are one-offs that have managed to slip through the cracks of patch management somehow.
- ASUSGATE: A story about thousands of crimeless victims – nullfluid.com
ASUSTeK Computer Inc (ASUS) have spent the better part of a year ignoring the fact that their RT-series routers suffer from two CRITICAL security vulnerabilities.
- Interesting comments about this – reddit.com
- The Irony of Insecure Security Software – blog.quaji.com
Remote Code Execution On All Enterprise Workstations Simultaneously – A Vulnerability in Jetro Cockpit Secure Browsing.
Other News
- Hacked Within Minutes: Sochi Visitors Face Internet Minefield – nbcnews.com
The U.S. State Department has told Americans coming to Sochi that they should have “no expectation of privacy,” even in their hotel rooms.
- That NBC story 100% fraudulent – blog.erratasec.com
On February 4th, NBC News ran a story claiming that if you bring your mobile phone or laptop to the Sochi Olympics, it’ll immediately be hacked the moment you turn it on. The story was fabricated.
- Security Tip (ST14-001) Sochi 2014 Olympic Games – us-cert.gov
Whether traveling to Sochi, Russia for the XXII Olympic Winter Games, or viewing the games from locations abroad, there are several cyber-related risks to consider. As with many international level media events, hacktivists may attempt to take advantage of the large audience to spread their own message.
- This iPhone-Sized Device Can Hack A Car, Researchers Plan To Demonstrate – forbes.com
At the Black Hat Asia security conference in Singapore next month, Spanish security researchers Javier Vazquez-Vidal and Alberto Garcia Illera plan to present a small gadget they built for less than $20 that can be physically connected to a car’s internal network to inject malicious commands affecting everything from its windows and headlights to its steering and brakes.
- Target attack shows danger of remotely accessible HVAC systems – computerworld.com
Cloud security service provider Qualys said that its researchers have discovered that about 55,000 Internet-connected heating systems, including one at the Sochi Olympic arena, lack adequate security.