Week 9 In Review – 2014

Events Related

  • RSA Conference 2014
    • RSA protests by DEF CON groups, Code Pink draw ire – news.cnet.com
      The RSA security conference (where the world’s security companies come to do business with each other) opened its doors this week in San Francisco to a wide range of protests by security professionals who would otherwise be attending and speaking at the conference.
    • Highlights for the RSA Conference Day four – tripwire.com
      The following are some more highlights from some of the sessions Anthony attended and the awesome artwork of Kelly Kingman who attended some sessions to “visualize” the presentations in real-time as the talks were being given.
    • Smartphone app for RSA security conference puts users at risk, researchers say – arstechnica.com
      After learning about a smartphone app dedicated solely to this week’s RSA security conference in San Francisco, Dan Goodin publicly questioned why anyone would install it. After all, RSA’s recently discovered history of either deliberately or unknowingly seeding its trusted products with dangerous code developed by the National Security Agency has left many people suspicious.
    • Marisa’s RSA Conference Week In Review – blog.bugcrowd.com
      RSA Conference 2014 was certainly not Marisa’s first RSA, but it was definitely her favorite. There’s something amazing about being on the leading edge of a trend that is changing the industry.
    • At the RSA Security Conference, Things Get Testy and Then They Get Awkward – bits.blogs.nytimes.com
      It was hard to avoid the shadow of Edward J. Snowden at the annual RSA security conference this week. The sprawling computer security conference held in the city’s Moscone Center had protesters, a counter-conference, a show-floor booth for the government agency many people here are terribly unhappy with, and many, many security company executives trying to assure customers they can still be trusted.
  • TrustyCon’s RSA Conference rebels promise more to come – news.cnet.com
    Government-sponsored malware, the legal implications of the US government’s pro-spying defense, and a discussion of tools to fight for the future lit up the agenda at the first Trustworthy Technology Conference.

Resources

  • Building A Security Program From The Ground Up: Crawl, Walk, Run! – securityweekly.com
    Several folks have asked Security Weekly for the materials from their webcast titled “Building A Security Program From The Ground Up: Crawl, Walk, Run!” So, here ya go! Enjoy!
  • BsidesSF 2014 Fix What Matters – slideshare.net
    Why using CVSS for vulnerability management is nuts. How to fix the vulnerabilities that truly matter, and how to create and measure an effective security practice.
  • The 2013 FireEye Advanced Threat Report! – fireeye.com
    FireEye has just released its 2013 Advanced Threat Report (ATR), which provides a high-level overview of the computer network attacks that FireEye discovered last year. In this ATR, FireEye focused almost exclusively on a small, but very important subset of their overall data analysis – the advanced persistent threat (APT).
  • NTFS Alternate Data Streams for pentesters (Part 1) – labs.portcullis.co.uk
    Alternate Data Streams (ADS) have been present in modern versions of Windows for a long time. The following posts will provide the information required to understand and identify potential ADS-related issues. This post provides the background needed to understand some common scenarios that could be useful during penetration testing engagements.
  • Trey Ford: Testing, notification should not be criminalized (slides) – zdnet.com
    At informal infosec conference Security B-Sides SF, former Black Hat General Manager and current Global Strategist for Rapid7 Trey Ford outlined the gaps between hacking and legislation in America.
  • TrustyCon Video – www.f-secure.com
    TrustyCon, the first “Trustworthy Technology Conference” was held yesterday in San Francisco. And Google/YouTube volunteered a camera crew. Nice! The full event can be viewed here.

Tools

  • wig – WebApp Information Gatherer – Identify CMS – darknet.org.uk
    wig is a Python tool that identifies a website’s CMS by searching for fingerprints of static files and extracting version numbers from known files. You can download wig here.
  • iCloudHacker – github.com
    iCloudHacker is Arduino code to brute force 4-digit iCloud PINs and bypass Apple’s theft protection.
  • CVE-2014-1266-poc – github.com
    This repository contains some Go code that demonstrates the recently discovered SSL verification vulnerability in iOS and OS X.
  • mimikatz – blog.gentilkiwi.com
    A small utility to play with Windows. To compile the version 2.0, the Windows Driver Kit 7.1 is required. Download binaries from here.
  • EyeWitness – github.com
    EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

Techniques

  • Checking OCSP revocation using OpenSSL – blog.ivanristic.com
    If an OCSP responder is malfunctioning, it is often difficult to understand why exactly. As is usually the case with SSL, the best approach is to use OpenSSL for troubleshooting.
  • Uncovering Hidden SSIDs using Wireshark – cybersecuritylabs.wordpress.com
    Hidden SSID is an option on every access point that stops it from broadcasting the SSID. Using Wireshark, Cybersecuritylab revealed the SSID of the wireless network.
  • Decrypting IIS Passwords to Break Out of the DMZ: Part 1 – www.netspi.com
    In this blog Scott Sutherland will cover how to use native IIS tools to recover encrypted database passwords from web.config files and leverage them to break into the internal network from the DMZ.

Vendor/Software patches

  • Bypassing EMET 4.1 – labs.bromium.com
    Bromium Labs regularly do security research on a variety of computer threats and protections. EMET (Enhanced Mitigation Experience Toolkit) is a free download provided by Microsoft to enhance the security of an endpoint PC.

    • Researchers Develop Complete Microsoft EMET Bypass – threatpost.com
      Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

Vulnerabilities

Other News

  • The cyber security skills gap – www.j4vv4d.com
    The topic – “Closing the cyber security skills gap” where conversation flowed extremely well. Javvad Malik threw out a few questions and sat back and watched the show. TripWire had commissioned an artist to draw a visual representation of the conversation which turned out to be fantastic.
