Week 16 In Review – 2014

Events Related

  • Highlights from the SyScan 2014 Conference – symantec.com
    David Maciejak recently attended the Symposium on Security for Asia Network (SyScan), an annual conference held in Singapore, which brings together computer security researchers from around the world. This year, security myths were dispelled and several interesting topics were discussed at the conference. The following is a list of some of the topics and demonstrations he found interesting at this year’s conference.

Resources

  • iSEC Completes TrueCrypt Audit – isecpartners.github.io
    As announced in December 2013, iSEC Partners (iSEC) worked with the Open Crypto Audit Project with the final goal of conducting a methodical analysis of TrueCrypt through code review and penetration testing. iSEC is grateful and honored to have been a part of the TrueCrypt security audit and feels that the analysis was both productive and important. iSEC’s full report is now available to the public.
  • The security of the most popular programming languages – net-security.org
    A new WhiteHat Security report takes a deeper look into the security of a number of the most popular programming languages including .Net, Java, ColdFusion, ASP and more. The complete report is available here.
  • Host Unknown presents: I’m a C I Double S P (CISSP Parody) – www.youtube.com
    Think you know what being a CISSP is all about? Not all CISSP’s are equal, some are more equal than others!
  • Heartbleed: Picking your pocket 64k bytes at a time – stateofsecurity.com
    James Klun consolidated some of the things he learned about Heartbleed over the last week and provided his (hopefully correct) answers to some of the questions he had been asked. He also posted a companion audio commentary.
  • A Security Expert’s Thoughts on WhiteHat Security’s 2014 Web Stats Report – blog.whitehatsec.com
    Given Ari Elias-Bachrach’s experience and expertise, WhiteHat Security asked Ari to review their 2014 Website Security Statistics Report, which was announced earlier, and to share his thoughts in a guest blog post.

Tools

  • IronWASP 2014 is finally here! – blog.ironwasp.org
    IronWASP 2014 is finally released and it is packed with features to help make your life easy. Here’s what is new.
  • Burp Suite Professional – Release Notes – releases.portswigger.net
    This is the final v1.6 release. Burp Suite Free Edition contains significant new features added since v1.5. Burp Suite Professional contains a number of bugfixes and tweaks, added since the last beta version.
  • nmap Grepable Script Output – Heartbleed – blog.didierstevens.com
    Peter was looking for a way to make the output of nmap’s ssl-heartbleed NSE script grepable and ended up hacking the script itself. Didier Stevens proposes a method that needs no modification of the NSE script.

  • SSLyze v 0.9 released – Heartbleed edition – isecpartners.github.io
    A new version of SSLyze is now available. This version brings a few improvements and bug fixes as well as a new plugin to identify servers affected by the Heartbleed vulnerability.
  • Kansa: A modular live response tool for Windows enterprises – trustedsignal.blogspot.com
    Kansa’s Readme.md describes it as a modular rewrite of another script in Dave Hull’s GitHub repo, Mal-Seine, a PowerShell script he hacked together for evidence collection during incident response.
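A small post-processor for the ssl-heartbleed script output, added here as an example; it is not Didier Stevens’ or Peter’s method and does not touch the NSE script. It assumes nmap was run with `--script ssl-heartbleed -oN <file>`, and the scan output below is constructed for illustration (the NOT VULNERABLE block only appears in real output when the vulns library is told to show all results).

```python
"""Turn nmap normal (-oN) output from the ssl-heartbleed NSE script into
one grepable 'host port state' line per host:port.

Added example, not Didier Stevens' or Peter's method. Assumes the scan was
run with "--script ssl-heartbleed -oN"; the sample output is constructed.
"""
import re

# Constructed sample of nmap -oN output: two hosts, mixed results.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 6.46 scan initiated Sat Apr 19 2014 as: nmap -p 443,8443 --script ssl-heartbleed -oN hb.txt 10.0.0.0/30
Nmap scan report for 10.0.0.1
Host is up (0.0010s latency).
PORT     STATE SERVICE
443/tcp  open  https
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|     Risk factor: High
|     References:
|_      http://cvedetails.com/cve/2014-0160/
8443/tcp closed https-alt

Nmap scan report for 10.0.0.2
Host is up (0.0020s latency).
PORT     STATE SERVICE
443/tcp  open  https
| ssl-heartbleed:
|   NOT VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|_    State: NOT VULNERABLE
8443/tcp open  https-alt
| ssl-heartbleed:
|   VULNERABLE:
|     State: VULNERABLE
|_    Risk factor: High
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
# A script block opens with "| <script-name>:" (exactly one space after the bar);
# the indented lines inside the block never match this.
SCRIPT_RE = re.compile(r"^\| (\S+):\s*$")
# The vulns library prints "State: VULNERABLE" / "State: NOT VULNERABLE";
# the last line of a block is prefixed "|_" instead of "|".
STATE_RE = re.compile(r"^\|_?\s+State:\s+(.+?)\s*$")


def parse_heartbleed(text):
    """Return (host, port, state) for every host:port ssl-heartbleed reported on."""
    results = []
    host = port = script = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, port, script = m.group(1), None, None
            continue
        m = PORT_RE.match(line)
        if m:
            port, script = f"{m.group(1)}/{m.group(2)}", None
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)       # track which NSE script's block we are in
            continue
        m = STATE_RE.match(line)
        if m and script == "ssl-heartbleed" and host and port:
            results.append((host, port, m.group(1)))
    return results


def grepable_lines(text):
    """One line per result, e.g. '10.0.0.1 443/tcp VULNERABLE'."""
    return [f"{h} {p} {s}" for h, p, s in parse_heartbleed(text)]


def vulnerable_targets(text):
    """host:port strings for the VULNERABLE results only."""
    return [f"{h}:{p.split('/')[0]}" for h, p, s in parse_heartbleed(text)
            if s == "VULNERABLE"]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    print("\n".join(grepable_lines(text)))
```

Run it as `python hb_grep.py hb.txt | grep ' VULNERABLE$'` to get just the affected host:port pairs; keying on the `State:` line rather than on the word VULNERABLE avoids matching the "NOT VULNERABLE" header that shares the same text.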

Techniques

  • iOS Kernel Reversing Step by Step – viaforensics.com
    This article will show you step by step how to obtain, decrypt and extract a binary version of the iOS kernel with the help of Santoku-Linux 0.4.
  • Exploiting CSRF under NoScript Conditions – community.rapid7.com
    Cross-Site Request Forgery (CSRF) vulnerabilities occur when a server accepts a state-changing request on the strength of the session cookie alone, so that a page on another domain can cause the victim’s browser to send that request with the victim’s cookies attached. The attack goes something like this.
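The server side of that attack, as an added example rather than Rapid7’s code: the cookie rides along with a cross-site form POST whether or not JavaScript runs (with JavaScript blocked the attacker merely needs the victim to click the form’s button instead of auto-submitting it), so the fix has to tie each state-changing request to something the foreign origin cannot read. The origin `https://bank.example`, the session store, the request dicts and the handler names are all assumptions for illustration.

```python
"""CSRF: a handler that trusts the cookie alone beside one that also demands
a per-session token and an Origin/Referer check.

Added example, not the article's code. SITE_ORIGIN, SESSIONS and the
request dicts are constructed stand-ins for a real web framework.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"          # assumed application origin
# Assumed server-side session store: session id -> session data. The CSRF
# token lives only here and in the page's form body, never in a cookie.
SESSIONS = {"s3ss10n": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


def session_for(request):
    return SESSIONS.get(request["cookies"].get("sid"))


def transfer_vulnerable(request):
    """Authenticates on the cookie alone, so a form on evil.example that
    POSTs here is honoured: the browser attaches the cookie for it."""
    sess = session_for(request)
    if not sess:
        return 401, "not logged in"
    return 200, f"sent {request['form']['amount']} to {request['form']['to']}"


def origin_ok(request):
    """Accept only requests whose Origin (or, failing that, Referer) is ours.
    A state-changing request with neither header is rejected."""
    hdrs = request["headers"]
    src = hdrs.get("Origin") or hdrs.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def transfer_hardened(request):
    """Same action, but the request must prove it came from our own page."""
    sess = session_for(request)
    if not sess:
        return 401, "not logged in"
    if not origin_ok(request):
        return 403, "bad origin"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403, "bad csrf token"
    return 200, f"sent {request['form']['amount']} to {request['form']['to']}"


def forged_request():
    """What a plain HTML form on https://evil.example produces when the
    logged-in victim submits it (constructed)."""
    return {"cookies": {"sid": "s3ss10n"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"to": "mallory", "amount": "1000"}}


def legitimate_request():
    """A submission of our own form, which carried the session's token."""
    return {"cookies": {"sid": "s3ss10n"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"to": "bob", "amount": "10",
                     "csrf_token": SESSIONS["s3ss10n"]["csrf_token"]}}


if __name__ == "__main__":
    print("vulnerable, forged:  ", transfer_vulnerable(forged_request()))
    print("hardened, forged:    ", transfer_hardened(forged_request()))
    print("hardened, legitimate:", transfer_hardened(legitimate_request()))
```

The Origin check alone is not enough: older browsers omit the header on some requests and a missing Referer is common, so the token is the primary control and the origin check is defence in depth.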

Vendor/Software patches

  • VMware reveals 27-patch Heartbleed fix plan – theregister.co.uk
    VMware has confirmed that 27 of its products need patches for the Heartbleed bug. Patches are already available for Horizon Workspace Server 1.0 through 1.8.

    • VMware Security Advisories – www.vmware.com
      VMware product updates address OpenSSL security vulnerabilities. Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
  • Critical Java Update Plugs 37 Security Holes – krebsonsecurity.com
    Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead.

    • April 2014 Critical Patch Update Released – blogs.oracle.com
      Oracle released the April 2014 Critical Patch Update. This Critical Patch Update provides fixes for 104 vulnerabilities across a number of product lines including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite etc.

Vulnerabilities

  • Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too – arstechnica.com
    Private encryption keys have been successfully extracted multiple times from a virtual private network server running the widely used OpenVPN application with a vulnerable version of OpenSSL, adding yet more urgency to the call for operators to fully protect their systems against the catastrophic Heartbleed bug.
  • SANS Python Pen Testers | Exploit Heartbleed Vulnerabilities | SEC573 – pen-testing.sans.org
    Pen testers use Python to assess Heartbleed vulnerabilities. The vulnerability was first made “public” (by varying definitions of the word “public”) on April 7th. The events leading up to the disclosure are interesting.
  • Heartbleed maliciously exploited to hack network with multifactor authentication – arstechnica.com
    Demonstrating yet another way the catastrophic Heartbleed vulnerability threatens users, malicious hackers were able to exploit the bug to successfully bypass multifactor authentication and fraud detection on an organization’s virtual private network (VPN), security researchers said.
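For the two Heartbleed items above (“Picking your pocket 64k bytes at a time” and the SANS Python write-up), here is an added example of the bug itself: a Python model of OpenSSL’s heartbeat handling, not code from either article or from OpenSSL. A bytes object stands in for process memory, the heartbeat record is followed by constructed “neighbouring” data, and the vulnerable handler is compared with one that applies the 1.0.1g bounds check.

```python
"""Heartbleed (CVE-2014-0160) modelled in Python: the heartbeat handler trusts
the 16-bit payload length in the request and echoes that many bytes back,
so a 5-byte payload that claims 65535 bytes pulls up to 64 KiB of whatever
follows the record in memory.

Added example, not OpenSSL or the articles' code. MEMORY and the 'secret'
placed after the record are constructed for illustration.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16   # RFC 6520 requires at least 16 bytes of padding; OpenSSL uses 16


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat body: type(1) | payload_length(2) | payload | padding.
    claimed_len may disagree with len(payload); that lie is the attack."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """OpenSSL 1.0.1 to 1.0.1f behaviour: never compares the claimed length
    with the record actually received and copies from beyond it."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_len]          # runs past the record
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def process_heartbeat_fixed(memory: bytes, record_len: int) -> bytes:
    """1.0.1g behaviour: silently drop a heartbeat whose header, claimed
    payload and padding do not fit inside the record that arrived."""
    if 1 + 2 + PADDING > record_len:
        return b""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING > record_len:
        return b""
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


# Constructed: a heartbeat whose real payload is 5 bytes but claims 0xFFFF ...
MALICIOUS = build_heartbeat(b"hello", 0xFFFF)
# ... followed in memory by data the peer should never see (constructed).
NEIGHBOURING_MEMORY = (b"\x00" * 64
                       + b"Set-Cookie: session=a1b2c3d4\r\n"
                       + b"-----BEGIN RSA PRIVATE KEY-----"
                       + b"\x00" * 200)
MEMORY = MALICIOUS + NEIGHBOURING_MEMORY


def leaked_bytes(handler) -> bytes:
    """Bytes beyond the 5 real payload bytes that the handler echoed back."""
    resp = handler(MEMORY, len(MALICIOUS))
    if not resp:
        return b""
    _, n = struct.unpack("!BH", resp[:3])
    return resp[3 + len(b"hello"):3 + n]


def echo_payload(handler, payload: bytes) -> bytes:
    """A well-formed heartbeat (length matches) is echoed by both handlers."""
    record = build_heartbeat(payload, len(payload))
    resp = handler(record, len(record))
    _, n = struct.unpack("!BH", resp[:3])
    return resp[3:3 + n]


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_bytes(process_heartbeat_vulnerable)[:120])
    print("fixed leaks:     ", leaked_bytes(process_heartbeat_fixed))
    print("fixed echo:      ", echo_payload(process_heartbeat_fixed, b"hello"))
```

The 64 KiB figure in the article title is simply the largest value the 2-byte length field can hold; each request returns a fresh slice of the server’s heap, which is why repeated requests eventually turn up cookies, passwords and, as the OpenVPN item shows, private key material.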
