- HITB Amsterdam 2014 Wrap-up
- HITB Amsterdam 2014 Wrap-up Day #1 – blog.rootshell.be
Xavier is in Amsterdam to attend the new edition of Hack In The Box. This is a special edition with many improvements.
- HITB2014AMS – Day 1 – State of the ART: Exploring the New Android KitKat Runtime – www.corelan.be
This is a talk on ART, the new Android KitKat Runtime. ART was introduced in Android 4.4 back in October 2013 and although it is still in an experimental stage, it’s poised to replace Dalvik in the near future.
- HITB2014AMS – Day 1 – Harder, Better, Faster Fuzzer: Advances in BlackBox Evolutionary Fuzzing – www.corelan.be
Active security testing, Fabien explained, is the process of generating input that travels through the application, hits a sink and violates a property.
- HITB2014AMS – Day 1 – Keynote 2: Building a Strategic Defense Against the Global Threat Landscape – www.corelan.be
Kristin started her keynote by explaining that she had been in the business about 22 years ago and used to be in public services.
- HITB2014AMS – Day 1 – Keynote 1: Security at the End of the Universe – www.corelan.be
This year’s edition started with a keynote by Katie Moussouris, previous lead at Microsoft Security Response Center (MSRC) and now the brand new Chief Policy Officer at HackerOne.
- HITB Amsterdam 2014 Wrap-up Day #2 – blog.rootshell.be
And here is the second day wrap-up. The day started with a sunny sky over Amsterdam.
- HITB2014AMS – Day 2 – On Her Majesty’s Secret Service: GRX & A Spy Agency – www.corelan.be
Last year, Belgacom got hacked by an intelligence service (GCHQ?). “What is so interesting about this hack, why did they hack into Belgacom, what would or could be the purpose of a similar hack?”
- HITB2014AMS – Day 2 – Exploring and Exploiting iOS Web Browsers – www.corelan.be
The presenters explained that their research was primarily focused on the behaviour around multiple tabs, address bar, autocomplete & password manager, downloads, support for untrusted SSL certificate and other features.
- HITB2014AMS – Day 2 – Keynote 4: Hack It Forward – www.corelan.be
Jennifer started her keynote by explaining that she’s fortunate to be able to travel to a lot of conferences and meet a lot of amazing people.
Resources
- Testing your Cisco ASA appliance for vulnerabilities with Nmap – cqure.net
The scripts make use of the new Cisco AnyConnect library that was part of the commit and test for the (almost) recent vulnerabilities outlined in this Cisco advisory. The easiest way to test the scripts is to run the SVN version of Nmap.
- What You Need To Know to Become a Penetration Tester – pentesticles.com
There is some good information for those who wish to break into penetration testing. The post by Lawrence Munro has provided a useful amount of information to aspiring penetration testers.
- How Anything Can Be Hacked: Phreaked Out (Trailer) – youtube.com
In this three-part documentary series titled “Phreaked Out”, Motherboard meets face-to-face with today’s most talented security researchers and white hat hackers to get a firsthand schooling on the various ways to breach their most commonly used devices.
- Unlocking L.A.’s Traffic Grid: Phreaked Out (Episode 1) – youtube.com
In the debut episode of the three-part series, Motherboard took a retrospective look at one day in August of 2006, when two Los Angeles traffic engineers, Kartik Patel and Gabriel Murillo, remotely accessed the city’s traffic control system and tampered with the light sequences at four main intersections of the city, as part of a labor union protest.
- TROOPERS14 – Keynote – FX – youtube.com
Troopers14 (IT Security Conference) video is available on YouTube now. You can watch and download it from here.
- Truecrypt-archive – github.com
Archive of (almost) all truecrypt releases. Most of the files are from different collections that people have provided.
- OWASP PCI Project – owasp.org
The OWASP PCI project's presentation, repository and other important related links are available here.
- Slides from Infiltrate 2014 on Analytics, Scalability and UEFI exploitation – prosauce.org
Prosauce will keep track of what capabilities and tools are released throughout this presentation.
Techniques
- OpenSSL tips and tricks – commandlinefanatic.com
OpenSSL, however, in addition to providing a library for integration, includes a useful command line tool that can be used for effectively every aspect of SSL/PKI administration. It’s a bit under-documented though; this post doesn’t aim to fully document it, but Joshua Davies has come across some fairly useful shortcuts that he thought he’d share with us, in “cookbook” style format.
- Locate and Attack Domain SQL Servers without Scanning – netspi.com
In this blog Scott Sutherland will share a new PowerShell script that uses Service Principal Name (SPN) records from Active Directory to identify and attack SQL Servers on Windows domains without having to perform discovery scanning.
- Mimikatz Against Virtual Machine Memory Part 1 – carnal0wnage.attackresearch.com
Someone will drop some new way of doing something and then you get to reflect on all those missed opportunities on previous engagements. CG remembered when MC showed him all the Oracle stuff and he reminisced about the missed shells. This post and part 2 are like that for him.
Vulnerabilities
- ProTip: Use Apple? Turn Passcode On! – f-secure.com
Interesting Apple security news was reported on Tuesday. Apparently some Apple devices had been hijacked via Apple’s “Find My iPhone” feature. How? Likely via poorly defended iCloud accounts, i.e., iCloud accounts with weak passwords.
- Australian Apple iDevices hijacked, held to ransom – smh.com.au
It is likely hackers are using the unusual name as a front to get money from people. A real Oleg Pliss is a software engineer at tech company Oracle.
- The mechanics of the iCloud “hack” and how iOS devices are being held to ransom – troyhunt.com
This is predominantly impacting Aussie iCloud users and to date, there’s no clear reason why; rather, Troy Hunt has 23 pages of reported hacks and general speculation on the Apple Support Community website. But of course it all begs the question – how is this attack happening? Isn’t iCloud “secure”? With no hard evidence we can only speculate, but there are some likely suspects.
- Unencrypted cookies make WordPress accounts vulnerable over open networks – neowin.net
People accessing the Internet over open WiFi networks are now vulnerable to having their WordPress webpage hijacked even with two-step authentication enabled. This new vulnerability was found by Yan Zhu, a staff technologist with the Electronic Frontier Foundation.
- True Goodbye: ‘Using TrueCrypt Is Not Secure’ – krebsonsecurity.com
The anonymous developers responsible for building and maintaining the free whole-disk encryption suite TrueCrypt apparently threw in the towel this week, shuttering the TrueCrypt site and warning users that the product is no longer secure now that Microsoft has ended support for Windows XP.
- Vulnerability found in the All in One SEO Pack WordPress Plugin – blog.sucuri.net
If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now.
Other News
- OpenSSL to get a security audit and two full-time developers – arstechnica.com
A Linux Foundation project inspired by the Heartbleed security flaw announced that it will fund a security audit for the OpenSSL code base and the salaries of two full-time developers. $5.4M plan to help open source funds OpenSSL, OpenSSH, and Network Time Protocol.
- US cybercrime laws being used to target security researchers – theguardian.com
Some of the world’s best-known security researchers claim to have been threatened with indictment over their efforts to find vulnerabilities in internet infrastructure, amid fears American computer hacking laws are perversely making the web less safe to surf.
- Security experts in high demand at major US companies – cnet.com
Big companies including JPMorgan Chase and Pepsi are bringing on chief information security officers to limit their exposure to major hacks. The recent rash of corporate hacks has scared major companies into investing more into security experts, a new report from Reuters says.