Resources
- Vendor Checklist app / Trust Metric app – archon.thewatchers.net
ISECOM (the Institute for Security and Open Methodologies) began with the release of the OSSTMM, the Open Source Security Testing Methodology Manual. It was a move to improve how security was tested and implemented.
- Dumping Data from Memcached Servers – breenmachine.blogspot.com
Memcached servers provide a dynamic, distributed memory object caching system to improve application performance. Stephen Breen has developed a Python script to dump data from memcached servers.
- Videos from the 15th Annual CERIAS Symposium – cerias.purdue.edu
The CERIAS blog is now releasing videos of the sessions from this year’s CERIAS Symposium, held in late March. The videos from the 15th Annual CERIAS Symposium are available here.
- OISF 2014 Videos – irongeek.com
These are the videos from the OISF Anniversary Event. You can watch and download the videos from here.
- Pwn2Own 2014: AFD.SYS Dangling Pointer Vulnerability (PDF) – siberas.de
This is an incredibly well put together report. You can read the full report from here.
- Interesting comments are going on here – reddit.com
- Weekly Metasploit Update: Another Meterpreter Evasion Option – community.rapid7.com
There are four new exploits and one new auxiliary module this week for Metasploit users, including one for the long-anticipated, recently disclosed Yokogawa vulnerability, CVE-2014-3888.
Tools
- site-inspector-ruby – github.com
Ben Balter built a small tool called Site Inspector in September 2011. Nearly three years later, he resurrected that tool, albeit a bit smarter, and, using the latest list, thought he’d take a look at how things have changed in the time since.
- Introducing Windows Exploit Suggester – blog.gdssecurity.com
After searching online for a Windows “exploit suggester” tool, Sam Bertram was surprised to find that none existed! Without further ado, he introduces “Windows Exploit Suggester”, or “winsploit” for short, a tool created to automate the privilege escalation exploitation process targeting unpatched systems.
- Windows-Exploit-Suggester – github.com
- MITMf – github.com
Framework for Man-In-The-Middle attacks. This tool is completely based on sergio-proxy (https://code.google.com/p/sergio-proxy/) and is an attempt to revive and update the project.
Vendor/Software patches
- Microsoft, Adobe Push Critical Fixes – krebsonsecurity.com
Adobe issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer.
- July 2014 Security Bulletin Release – blogs.technet.com
This month’s release includes six new security bulletins, addressing 29 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, three are rated Important, and one is rated Moderate in severity.
Vulnerabilities
- Abusing JSONP with Rosetta Flash – miki.it
In this blog post Michele Spagnuolo presents Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site.
- “Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al. – arstechnica.com
A serious attack involving a widely used Web communication format is exposing millions of end users’ authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday. Almost four hours after this article went live, a Tumblr spokeswoman e-mailed Ars to say the site has been patched against the Rosetta Flash attack.
- Adobe Patches Flash Vulnerability Exploited by Rosetta Flash Tool – threatpost.com
Popular websites such as Instagram, eBay, Tumblr and others using JSON with Padding (JSONP) remain vulnerable to an exploit tool released today as a proof of concept against a vulnerability in Adobe Flash Player.
- Password Manager Security – LastPass, RoboForm Etc Are Not That Safe – darknet.org.uk
Some researchers have ganged up to take a really close look at some of the popular password management solutions and password manager security. They have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.
- Beware Keyloggers at Hotel Business Centers – krebsonsecurity.com
The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.
Other News
- Tens of thousands of Americans sell themselves online every day – blog.avast.com
AVAST recovers an abundance of personal data from used smartphones. Their analysts found the following data.
- NIST’s New Approach to InfoSec Standards – bankinfosecurity.com
NIST Fellow Ron Ross, in an interview with Information Security Media Group, says the principles employed by engineers can be used to communicate to all stakeholders the goals for creating new infrastructures.