Events Related
- Enter to win an INFILTRATE security conference ticket worth $2,2000 from Hacker Warehouse – hackerwarehouse.com
INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere. Conference is being held on May 15 and 16 in Miami Beach.
Resources
- Car Hacking 2: The Content – blog.ioactive.com
Does everyone remember when those two handsome young gentlemen controlled automobiles with CAN message injection? However, what if you don’t have the resources to purchase a car, pay for insurance, repairs to the car, and so on?
- HeartBleed slides – malwarejake.blogspot.com
Better (more complete) slides and other material available here.
- SOURCE Boston 2014: idb – iOS Blackbox Pentesting – speakerdeck.com
More than ever, mobile apps are used to manage and store sensitive data by both corporations and individuals. In this talk, Daniel’s team review common iOS mobile app flaws involving data storage, inter-process communication, network communications, and user input handling as seen in real-world applications.
- M-Trends 2014 Threat Report Revealed – www.mandiant.com
The fifth installment of Mandiant’s annual threat report, M-Trends has arrived! You can download the latest report, “M-Trends: Beyond the Breach”, here.
- Notacon 11 (2014) Videos – www.irongeek.com
These are the videos from the 11th Notacon conference held April 10th-13th, 2014.
Tools
- Capstone – www.capstone-engine.org
Capstone is a lightweight multi-platform, multi-architecture disassembly framework. Their target is to make Capstone the ultimate disassembly engine for binary analysis and reversing in the security community.
- OWASP ZAP 2.3.0 – wasp.blogspot.com
OWASP ZAP 2.3.0 is now available. There are a large number of changes in this release, so this post will just give a high level overview of some of the most significant changes.
Vulnerabilities
- The Heartbleed Bug – heartbleed.com
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
- Heartbleed test – filippo.io
Enter a URL or a hostname to test the server for CVE-2014-0160.
- Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping – arstechnica.com
Researchers have discovered an extremely critical defect in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other sensitive data.
- OpenSSL 1.0.1 Heartbleed Vulnerability – [Critical Vulnerability] – www.r00tsec.com
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
- hb-test.py – gist.github.com
Here is an OpenSSL heartbeat PoC with STARTTLS support.
- openssl_heartbleed.rb – github.com
Here is a module about OpenSSL Heartbleed. This module requires Metasploit.
- Yet Another HeartBleed – penturalabs.wordpress.com
This Heartbleed Information Disclosure Vulnerability has pretty much been covered all over the internet on 8th April 2014. As a one-page-stop summary, please read this.
- Heartbleed Bug Impacts Mobile Devices – bluebox.com
Another SSL vulnerability has been disclosed and released to the public. This one is referenced as CVE-2014-0160 or, as it is commonly called, the Heartbleed bug, due to the leaking of information from heartbeat messages an SSL/TLS connection produces. How does this relate to mobile devices?
- Gaping SSL? My Heartbleeds – community.rapid7.com
As you may already know, a vulnerability affecting OpenSSL was reported and it most likely affects your organization. The “Heartbleed” SSL vulnerability affects widely deployed versions of the OpenSSL library, which is used in the majority of software, including web-, email-, database- and chat-servers.
- heartattack.py – bitbucket.org
CVE-2014-0160 exploit PoC, originally from test code by Jared Stafford (jspenguin@jspenguin.org), adapted by Johan Nestaas.
- Why you should care about the OpenSSL heartbleed vulnerability – research.zscaler.com
Researchers from Google and Codenomicon made quite a splash when they revealed details of a vulnerability in OpenSSL’s implementation of the heartbeat extension, which they have affectionately dubbed heartbleed. Why is this such a big deal?
- Everything you need to know about the Heartbleed SSL bug – troyhunt.com
Massive. Huge. Catastrophic. These are all headlines Troy Hunt had seen on April 9 that basically say we’re now well and truly screwed when it comes to security on the internet.
- Why heartbleed doesn’t leak the private key [retracted] – blog.erratasec.com
So as it turns out, Robert Graham completely messed up reading the code. He doesn’t see how, but he read it one way.
- Heartbleed Bug Poses Serious Threat to Unpatched Servers – symantec.com
Heartbleed, or the OpenSSL TLS ‘heartbeat’ Extension Information Disclosure Vulnerability (CVE-2014-0160), affects a component of OpenSSL known as Heartbeat. OpenSSL is one of the most widely used, open source implementations of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.
- OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products – tools.cisco.com
Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.
- The Heartbleed Hit List: The Passwords You Need to Change Right Now – mashable.com
An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook.
- Heartbleed Bug Impacts Mobile Update – bluebox.com
Bluebox Labs has updated the original Heartbleed Scanner application to determine if your Android applications or your Android OS are vulnerable to the Heartbleed bug.
- WhiteHat Security Observations and Advice about the Heartbleed OpenSSL Exploit – blog.whitehatsec.com
The Heartbleed SSL attack is one of the most significant, and media-covered, vulnerabilities affecting the Internet in recent years. According to Netcraft, 17.5% of SSL-enabled sites on the Internet were vulnerable to the Heartbleed SSL attack just prior to its disclosure.
- How the heartbleed bug works. – xkcd.com
Heartbleed explained in detail here.
- Hacker successfully uses Heartbleed to retrieve private security keys – theverge.com
This morning, content distribution network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared.
- Testing for Heartbleed vulnerability without exploiting the server. – blog.mozilla.org
Heartbleed is a serious vulnerability in OpenSSL that was disclosed on Tuesday, April 8th, and impacted any sites or services using OpenSSL 1.01 – 1.01.f and 1.0.2-beta1.
- 8 Tips For Dealing With Heartbleed Right Now – researchcenter.paloaltonetworks.com
There’s a lot out there already about what Heartbleed means for the Web and beyond, and I’ll point you to our own analysis written by Scott Simkin or an essay by Dan Goodin over at Ars Technica for that explanation.