Resources
- REcon 2014 Videos – recon.cx
REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. Here is the index of REcon 2014 videos. Watch and download the videos from here.
- RVAsec 2014 Videos – rvasec.com
Miss a talk or even the entire conference? No problem! All of the speaker videos and presentations are linked here, or you can view the full YouTube playlist here!
- Mac OS X and iPhone sandbox escapes – googleprojectzero.blogspot.com
The main reason for this particular blog post is to highlight the Google Project Zero team’s process for making bugs public. That said, there are some interesting bug details available as of today!
- The NSA Playset – ossmann.blogspot.com
In this presentation, Michael Ossmann shared his thoughts about how we in the open security community can build everything in the catalog. His focus was primarily on hardware.
- NIST Drafts – csrc.nist.gov
Here are drafts of NIST computer security publications (FIPS, Special Publications and NISTIRs) that have been released for public review and comment.
- OWASP Internet of Things Top Ten Project – owasp.org
The OWASP Internet of Things (IoT) Top 10 is a project designed to help vendors who are interested in making common appliances and gadgets network/Internet accessible. The project walks through the top ten security problems that are seen with IoT devices, and how to prevent them.
Tools
- Kautilya 0.5.0 – Passwords in Plain, Exfiltrate SAM, Code Exec and more – github.com
Kautilya 0.5.0 is out. This version adds six more exciting payloads for Windows and supports Ruby bundler!
- pwntools – github.com
This is the CTF framework used by Gallopsled in every CTF. Most code is inside the pwnlib folder with some functionality inside pwn or bin.
Techniques
- Bypass iOS Version Check and Certification validation – www.netspi.com
Recently, during testing of a particular application, Vikram Kulkarni encountered an iOS application that was checking for iOS version 7.1. If version 7.1 was not being used, the application would not install on the device and would throw an error.
- Pass-the-Hash is Dead: Long Live Pass-the-Hash – harmj0y.net
You may have heard the word recently about how a recent Microsoft patch has put all of the pentesters out of a job. Pass-the-hash is dead, attackers can no longer spread laterally, and Microsoft has finally secured its authentication mechanisms. Oh wait, This information can give you a better idea of what credentials will work where, and what systems/accounts you need to target.
Vendor/Software patches
- Announcing EMET 5.0 – blogs.technet.com
TechNet are excited to announce the general availability of the Enhanced Mitigation Experience Toolkit (EMET) 5.0. EMET 5.0 further helps to protect with two new mitigations and several other improvements.
- Enhanced Mitigation Experience Toolkit 5.0 – microsoft.com
Vulnerabilities
- 14 antivirus apps found to have security problems – theregister.co.uk
Organisations should get their antivirus products security tested before deployment because the technology across the board dangerously elevates attack surfaces, COSEINC researcher Joxean Koret says.
- How to get root access on FireEye OS – blog.silentsignal.eu
A couple of months ago Silent Signal Tech team had the opportunity to take a closer look at a FireEye AX 5400 malware analysis appliance. Having successfully demonstrated the issue, they contacted the vendor who responded instantly, acknowledged the vulnerability and notified them on the status of the fix regularly.
- Why the Security of USB Is Fundamentally Broken – wired.com
The security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.
- This thumbdrive hacks computers. “BadUSB” exploit makes devices turn “evil” – arstechnica.com
White-hat hackers have devised a feat even more seminal: an exploit that transforms keyboards, Web cams, and other types of USB-connected devices into highly programmable attack platforms that can’t be detected by today’s defenses.
- flowswitch / phison – twitter.com
That BadUSB talk looks a little bit overhyped. Here’s a starting point to reimplement the tricks yourself.
- Remote code execution on Android devices – labs.bromium.com
Recently Tom Sutcliffe and Thomas Coudray have been looking at an Android remote code execution vulnerability to see how much of a problem it is in real-world usage.
Other News
- Sen. Leahy’s Latest NSA bill: The Good, The Bad, and The Ugly – justsecurity.org
Senator Patrick Leahy released a new version of the USA Freedom Act, a bill intended to reform NSA surveillance following Edward Snowden’s revelations that the intelligence agency collects Americans’ calling records in bulk.
- Your iPhone Can Finally Make Free, Encrypted Calls – www.wired.com
The open source software group known as Open Whisper Systems has announced the release of Signal, the first iOS app designed to enable easy, strongly encrypted voice calls for free. Signal encrypts calls with a well-tested protocol known as ZRTP and AES 128 encryption, in theory strong enough to withstand all known practical attacks by anyone from script-kiddy hackers to the NSA.
- Hackers Plundered Israeli Defense Firms that Built ‘Iron Dome’ Missile Defense System – krebsonsecurity.com
Three Israeli defense contractors responsible for building the “Iron Dome” missile shield currently protecting Israel from a barrage of rocket attacks were compromised by hackers and robbed of huge quantities of sensitive documents pertaining to the shield technology, KrebsOnSecurity has learned.
- Guy brags about gift card tinkering at new job, gets house raided by feds – nakedsecurity.sophos.com
Just because you discover a vulnerability doesn’t make you a good guy. It doesn’t make you a “white hat” hacker. In many countries, it is, and should be, a criminal offence to access a computer system without authorisation.
- Judge rules on warrant for Microsoft emails – cbsnews.com
U.S. law enforcement can force Microsoft Corp. to turn over emails it stores in Ireland, a judge ruled in a case that technology companies have rallied around as they pursue billions of dollars in data storage business abroad.
- How hackers could slam on your car’s brakes – money.cnn.com
A report shared exclusively with CNNMoney shows that the 2014 Jeep Cherokee, 2015 Cadillac Escalade and 2014 Toyota Prius were the most ‘hackable’ of 20 car models reviewed by automotive security researchers. The 2014 Dodge Viper and 2014 Audi A8 were the least hackable.
- The Internet of Things Is the Hackers’ New Playground – recode.net
The HP company’s Fortify application security unit conducted an analysis of the 10 most popular consumer Internet things on the market and found 250 different security vulnerabilities in the products, for an average of 25 faults each.