Events Related
- BruCON 5by5 – WPScan Online Vulnerability Database – ethicalhack3r.co.uk
For those of you who have been living under a rock, BruCON is a security conference held every year in Belgium (originally Brussels, now Ghent). Last year was the 5th time the conference had been held and so the year before (2012) they set up what they called 5by5.
Resources
- BSides Huntsville 2014 Videos – irongeek.com
These are the videos from the BSides Huntsville conference. Download and watch all the videos from here.
- Checking RDP support across an internal network – labs.portcullis.co.uk
Portcullis Labs have recently added some new features to rdp-sec-check, which is a Perl script to enumerate security settings of an RDP Service (AKA Terminal Services). The following new features were added to rdp-sec-check.
- MS SQL Server Audit: Introduction – labs.portcullis.co.uk
MS SQL Server is Microsoft’s relational database management system with a large number of features and services. This article gives an introduction to the security guidelines available and an overview on what key areas to audit and lock down.
- NIST Releases Cybersecurity Framework – bankinfosecurity.com
The National Institute of Standards and Technology has unveiled its long-awaited cybersecurity framework, which provides best practices for voluntary use in all critical infrastructure sectors, including, for example, government, healthcare, financial services and transportation.
- 3 big problems with the new Cybersecurity Framework – h30499.www3.hp.com
The White House just released a Cybersecurity Framework developed by the National Institute of Standards and Technology designed to help critical industries both secure their networks and recover from successful breaches. While a move in the right direction, there are some definite problems with the guidelines.
- The One Quality that Distinguishes Great Leaders – georgeambler.com
Tools
- fakeAP – github.com
fakeAP creates a fake access point in Kali. Determines the correct DHCP settings and creates the dhcpd.conf file for you.
- HTTP NTLM Information Disclosure – blog.gdssecurity.com
Remote enumeration of host/service details is a core activity of any penetration test. In support of such activities, GDS blog released a new Nmap script that anonymously enumerates remote NetBIOS, DNS, and OS details from HTTP services with NTLM authentication enabled.
Techniques
- Apple TV Hacking, Counterattacks, and Certificate Pinning – intrepidusgroup.com
A few months ago I presented a neat hack at DerbyCon that let you put your own apps on Apple TV. A few days afterwards, the hack stopped working. It’s time dschuetz had a follow-up to explain just what happened.
- The Keystone Rocks – Foundation Chips of Pentesting Tips Part 1 – blog.spiderlabs.com
This series of posts will focus entirely upon the Meaningless knowledge and therefore begin with a brief and one-off elaboration of the Relevant category by way of contrast.
- Dumping Windows Credentials – securusglobal.com
During penetration testing engagements, we often find ourselves on Windows systems, looking for account credentials. The purpose of this post is to walk through some techniques to gather credentials from Windows systems while being as non-intrusive as possible.
- Audit services using Windows Programs only – labs.portcullis.co.uk
Windows has native programs on board that can be used to gather information about your system, for example WMIC and CACLS. In this article, we will look specifically at auditing what Windows services are run and could be overrun with WMIC and CACLS.
Vendor/Software patches
- Assessing risk for the February 2014 security updates – blogs.technet.com
Microsoft released seven security bulletins addressing 31 unique CVEs. Four bulletins have a maximum severity rating of Critical while the other three have a maximum severity rating of Important.
- Microsoft Security Bulletin MS14-007 – Critical – technet.microsoft.com
This security update resolves a privately reported vulnerability in Microsoft Windows. The security update addresses the vulnerability by correcting the way that Direct2D handles objects in memory.
- Microsoft Security Bulletin MS14-010 – Critical – technet.microsoft.com
This security update resolves one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Internet Explorer.
- Microsoft Security Bulletin MS14-011 – Critical – technet.microsoft.com
This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The security update addresses the vulnerability by modifying the way that the VBScript scripting engine handles objects in memory.
Vulnerabilities
- Change your passwords: Comcast hushes, minimizes serious hack – zdnet.com
Comcast took a page from Snapchat’s playbook to hush and downplay NullCrew FTS’ successful hack on dozens of Comcast’s servers — from an unpatched, easy-to-fix vulnerability dated December 2013 — which most likely exposed customer data.
- How I hacked Instagram to see your private photos – insertco.in
In this article, Christian Lopez would like to explain a vulnerability (now properly fixed) discovered months ago in Instagram’s web and mobile applications. Certain actions of Instagram’s API were vulnerable to a cross-site request forgery (CSRF) attack.
- CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries – blog.spiderlabs.com
In this article Oren Hafif will discuss CVE-2014-0050: Apache Commons FileUpload and Apache Tomcat Denial-of-Service in detail. The article reviews the vulnerability’s technical aspects in depth and includes recommendations that can help administrators defend against future exploitation of this security issue.
- Android WebView Exploit, 70% Devices Vulnerable – community.rapid7.com
This week, the biggest news Tod Beardsley thinks Metasploit has is the release of Joe Vennix and Josh “@jduck” Drake’s hot new/old Android WebView exploit. This vulnerability is kind of a huge deal.
- Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website – fireeye.com
This blog post examines the vulnerability and associated attacks, which we have dubbed “Operation SnowMan.”
Other News
- Sophisticated Spy Tool ‘The Mask’ Rages Undetected for 7 Years – wired.com
Researchers have uncovered a sophisticated cyber spying operation that has been alive since at least 2007 and uses techniques and code that surpass any nation-state spyware previously spotted in the wild. The attack, dubbed “The Mask” by the researchers at Kaspersky Lab in Russia who discovered it, targeted government agencies and diplomatic offices and embassies.
- Hackers break into networks of 3 big medical device makers – sfgate.com
Hackers have penetrated the computer networks of the country’s top medical device makers, The Chronicle has learned.
- NTP Amplification Blamed for 400 Gbps DDoS Attack – threatpost.com
A massive DDoS attack, reaching at its peak 400 Gbps of bad traffic, was detected against a number of servers in Europe, according to traffic optimization firm CloudFlare.
- Record-breaking DDoS attack struck on Monday, according to reports – gigaom.com
The attack, which appears to have been felt particularly hard in Europe, apparently exploited the protocol that maintains the accuracy of computers’ clocks.
- Technical Details Behind a 400Gbps NTP Amplification DDoS Attack – blog.cloudflare.com
On Monday Cloudflare mitigated a large DDoS that targeted one of their customers. The attack peaked just shy of 400Gbps. Monday’s attack serves as a good case study to examine how these attacks work.
- French journalist “hacks” govt by inputting correct URL, later fined $4,000+ – arstechnica.com
In 2012, French blogger, activist, and businessman Olivier Laurelli sat down at his computer. It automatically connected to his VPN on boot and began surfing the Web.
- Email Attack on Vendor Set Up Breach at Target – krebsonsecurity.com
The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.
- Fake SSL certificates deployed across the internet – news.netcraft.com
Netcraft has found dozens of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. Some of these certificates may be used to carry out man-in-the-middle attacks against the affected companies and their customers.