Week 3 In Review – 2015

Events Related

• Hou.Sec.Con 5.0 Experience (by an 8 year old) – prudentgames.com
  A 8 year old kid, Reuben Paul, share his feeling about Hou.Sec.Con 5.0 Experience! It was about qualities that kids and hackers share which makes kids really good hackers. For example kids are creative, kids are curious, kids are credible and kids are cool just like hackers.

Resources

• Gitrob: Putting the Open Source in OSINT – michenriksen.com
  Gitrob is a command line tool that can help organizations and security professionals find such sensitive information. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.
• 2015 ShmooCon Hiring – room362.com
  Mubix created a very simple Google doc to help put twitter handles and links together for people who are job hunting and people who are hiring to kinda get to know who to talk to. Hope this helps.
  • ShmooCon Firetalks 2015 – irongeek.com
    These are the videos for the ShmooCon Firetalks 2015. You can watch the videos online or download from here.
• 2014 Top Security Tools as Voted by ToolsWatch.org Readers – toolswatch.org
  ToolsWatch.org are honored to announce the 2014 Top Security Tools as Voted by their Readers, this is the second edition of their online voting by users and readers.
• Update: oledump.py Version 0.0.6 – blog.didierstevens.com
  Didier’s last software release for 2014 was oledump.py V0.0.6 with support for the “ZIP/XML” Microsoft Office fileformat and YARA. In this post he will highlight support for the “new” Microsoft Office fileformat (.docx, .docm, .xlsx, .xlsm, …), which is mainly composed of XML files stored inside a ZIP container.
• Session Hijacking Cheat Sheet – resources.infosecinstitute.com
  ‘Session Hijacking’ is an old and routine topic in the field of application security. To make it more interesting, in this article, Infosec Institute are going to focus on different ways it can be performed.
• Code execution in spite of bitlocker – ritter.vg
  The property of changing a single bit, and it propagating to many more bits, is diffusion and it’s actually a design goal of block ciphers in general. When talking about disk encryption in this post, Ritter is going to use diffusion to refer to how much changing a single bit (or byte) on an encrypted disk affects the resulting plaintext.
• Hackers for hire? Hacker’s List – for those with no ethics or espionage skills – nakedsecurity.sophos.com
  Need to break the law, but lack the technology chops to do it yourself? Now, as they say, there’s an app for that. More precisely, there’s a market for it, launched in November, called Hacker’s List.
• Blackhat Inaccuracies – blog.securestate.com
  The movie Blackhat centers on several cyber-attacks perpetuated against a Chinese nuclear facility and the stock market, and the hunt for the perpetrator of the attacks by Chinese and American law enforcement agencies. SecureState team decided to watch the movie and note any of the ridiculous inaccuracies here.

Tools

• AnomalyDetection – github.com
  AnomalyDetection is an open-source R package to detect anomalies which is robust, from a statistical standpoint, in the presence of seasonality and an underlying trend. You can download it from here.
• KeySweeper – samy.pl
  KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
• PuttyRider – github.com
  Hijack Putty sessions in order to sniff conversation and inject Linux commands. You can download it from here.
• Python Share Enumerator – hackwhackandsmack.com
  Over a period of time BEN have seen some Hyper-V backups on shares that were accessible to users and could be download and back doored for the admin password hash etc. This is a well worth task. So to cut a long story short he created a python script to do it. Download link is available here.

Techniques

• Powershell Popups + Capture – room362.com
  Metasploit Minute has entered into it’s 3rd “season”. And they kick it off with using the Metasploit capture modules to capture creds from this powershell popup. you can leave it to execute on a system without any other code on disk and get creds constantly as any level of user. You can leave it to execute on a system without any other code on disk and get creds constantly as any level of user.
• Enigma0x3’s Generate Macro Powershell Script – carnal0wnage.attackresearch.com
  This script will generate malicious Microsoft Excel Documents that contain VBA macros. This script will prompt you for your attacking IP (the one you will receive your shell at), the port you want your shell at, and the name of the document. Walk through the process here.
• Attacking Android Applications With Debuggers – blog.netspi.com
  In this blog, Eric Gruber is going to walk through how you can attach a debugger to an Android application and step through method calls by using information gained from first decompiling it.
• An unhealthy journey into the world of the traceroute – rawhex.com
  Many of the network cartography tools and protocols we commonly use are defined through a set of standards called Request For Comments (RFCs). Surprisingly, not all of the tools we take for granted are covered by these. Take the humble traceroute for example. Do you actually know what really happens when Alice tries to trace the route to Bob? Read on to find out.

Vendor/Software patches

• Google No Longer Provides Patches for WebView Jelly Bean and Prior – community.rapid7.com
  Independent researcher Rafay Baloch (of “Rafay’s Hacking Articles”) and Rapid7’s Joe Vennix have been knocking out Android WebView exploits somewhat routinely, based both on published research and original findings. Metasploit ships with 11 such exploits on Monday past week. Google will no longer be providing security patches for vulnerabilities reported to affect only versions of Android’s native WebView prior to 4.4.
• Adobe, Microsoft Push Critical Security Fixes – krebsonsecurity.com
  Microsoft on Tuesday posted eight security updates to fix serious security vulnerabilities in computers powered by its Windows operating system. Separately, Adobe pushed out a patch to plug at least nine holes in its Flash Player software.
  • Microsoft Patches Vulnerability Under Attack and Google-Disclosed Zero Day – threatpost.com
    For the first time in more than a decade, the majority of Windows IT shops walked blindly into Patch Tuesday. After announcing last week that it would no longer provide its Advanced Notification Service of upcoming security bulletins to the public, Microsoft today ladeled eight bulletins upon admin’s plates.
  • Adobe Patches Nine Vulnerabilities in Flash – threatpost.com
    Adobe released the year’s first round of security updates for Flash Player, addressing nine vulnerabilities in the software including several critical bugs that could allow an attacker to take control of an affected system.

Vulnerabilities

• You probably shouldn’t be using the WhiteHat Aviator browser if you’re concerned about security and privacy – plus.google.com
  Justin Schuh wants to explain why he was so concerned after a fairly cursory inspection of the Aviator source code release. Justin hopes that this criticism would taken constructively, and provides some useful context for people who want to enhance Chrome.
• GoDaddy CSRF Vulnerability Allows Domain Takeover – breakingbits.net
  An attacker can leverage a CSRF vulnerability to take over domains registered with GoDaddy. The vulnerability has been patched.

Other News

• Toward Better Privacy, Data Breach Laws. – krebsonsecurity.com
  President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked.The plan is intended to unify nearly four dozen disparate state data breach disclosure laws into a single, federal standard
• Park ‘N Fly, OneStopParking Confirm Breaches – krebsonsecurity.com
  Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that lets customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.