Week 33 In Review – 2015

Events Related

• Kaminsky Creates Clickjacking-Killer – www.darkreading.com
  Renowned security expert Dan Kaminsky here this week unveiled his latest project: a solution to eradicate so-called clickjacking attacks that plague the Web.

• 9^th USENIX Workshop on Offensive Technologies – www.usenix.org

• Black Hat USA 2015 Highlights – www.tripwire.com
  The 18th annual Black Hat USA conference gathered thousands of professionals, researchers and enthusiasts to discuss not only the industry’s current trends and threats but also what we, as a community, can do to improve the security of ourselves, and of those around us.

• The Lifecycle of a Revolution (Keynote) – www.youtube.com
  In the early days of the public internet, we believed that we were helping build something totally new, a world that would leave behind the shackles of age, of race, of gender, of class, even of law. Twenty years on, “cyberspace” looks a lot less revolutionary than it once did. Hackers have become information security professionals

• DEFCON 23
  Def Con’s move to Bally’s and its adjoining property Paris allowed it to accommodate an estimated 20,000 attendees this year. And, like a goldfish growing to fit a big new bowl, the talks, expo, workspaces and hacking villages filled the vast ballrooms in each hotel to the limits.
  • DEFCON 23 Badge Challenge – potatohatsecurity.tumblr.com
  • Def Con 23: Where PR stunts and hackers come together – www.engadget.com
  • Presentations & Workshops – www.wallofsheep.com

Resources

• Thunderstrike 2: Mac firmware worm details – trmm.net
  This is the annotated transcript of our DefCon 23 / BlackHat 2015 talk, which presented the full details of Thunderstrike 2, the first firmware worm for Apple’s Macs that can spread via both software or Thunderbolt hardware accessories and writes itself to the boot flash on the system’s motherboard.

• Buzz Session Planner: DEF CON (Hacker Conference) Awareness Training – imgur.com

• NSA Playset from BHB – firmwaresecurity.com

• The Art of VoIP Hacking – Workshop Materials – www.linkedin.com
  The following materials are provided for the DEF CON 23 workshop, but also for the VoIP community to improve unified communications security.

• Project Bitfl1p – bitfl1p.com
  Detect and analyze the frequency of bit flips for an average internet user through the use of bitsquatting.

• Blackbox Reversing an Electric Skateboard Wireless Protocol – blog.lacklustre.net
  Recently at DEFCON 23 Richo Healey and I gave a talk about hacking electric skateboards. One of the skateboards, the Yuneec E-GO, uses a custom wireless protocol between its handheld remote and the board.

Tools

• Hackers Cut a Corvette’s Brakes Via a Common Car Gadget – www.wired.com
  Car hacking demos like last month’s over-the-internet hijacking of a Jeep have shown it’s possible for digital attackers to cross the gap between a car’s cellular-connected infotainment system and its steering and brakes.

• Qubes 3.0-RC alpha of LiveUSB release – firmwaresecurity.com
  Run and try Qubes OS of any laptop without needing to install it anywhere.

• OwnStar Wi-Fi attack now grabs BMW, Mercedes, and Chrysler cars’ virtual keys – arstechnica.com
  Remember OwnStar? Earlier this month, security researcher and NSA Playset contributor Samy Kamkar demonstrated a Wi-Fi based attack that allowed his device to intercept OnStar credentials from the RemoteLink mobile application—giving an attacker the ability to clone them and use them to track, unlock, and even remote start the vehicle.

• Stagefright Plugins for Android – github.com

• QARK – github.com
  Quick Android Review Kit – This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.

• tpwn – github.com

Techniques

• Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part II – Supremacy – blog.checkpoint.com
  In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.

• Domain Administrator in 17 seconds – blog.gojhonny.com
  Obtaining domain administrative privileges on a security assessment is a goal that many assessors seek. It is what fills us with excitement, as we know that the real fun is about to begin.

• Black Hat USA 2015: The full story of how that Jeep was hacked – blog.kaspersky.com
  Recently we wrote about the now-famous hack of a Jeep Cherokee. At Black Hat USA 2015, a large security conference, researchers Charlie Miller and Chris Valasek finally explained in detail, how exactly that hack happened.

Vendor / Software Patches

• Adobe, MS Push Patches, Oracle Drops Drama – krebsonsecurity.com
  Adobe today pushed another update to seal nearly three dozen security holes in its Flash Player software. Microsoft also released 14 patch bundles, including a large number of fixes for computers running its new Windows 10 operating system.

Vulnerabilities

• Researchers exploit ZigBee security flaws that compromise security of smart homes – www.networkworld.com
  Researchers at Black Hat and Def Con warned about security flaws in Internet of Things devices using the ZigBee protocol, leaving Philips Hue light bulbs, smart locks, motion sensors, switches, HVAC systems and other smart home devices vulnerable to compromise.

• Severe deserialization vulnerabilities found in Android and third-party Android SDKs – www.net-security.org
  Closely behind the discoveries of the Stagefright flaw, the hole in Android’s mediaserver service that can put devices into a coma, and the Certifi-gate bug, comes that of an Android serialization vulnerability that affects Android versions 4.3 to 5.1 (i.e. over 55 percent of all Android phones).

• Safenet HSM key-extraction vulnerability
  This series of posts is provides a more in-depth explanation of the key-extraction vulnerability we discovered and reported to Safenet, designated as CVE-2015-5464.
  • On Safenet HSM key-extraction vulnerability CVE-2015-5464 (part I) – randomoracle.wordpress.com
  • Safenet HSM key-extraction vulnerability (part II) – randomoracle.wordpress.com

Other News

• .COM.COM Used For Malicious Typo Squatting – isc.sans.edu
  Our reader Jeff noted how domains ending in “.com.com” are being redirected to what looks like malicious content. Back in 2013, A blog by Whitehat Security pointed out that the famous “com.com” domain name was sold by CNET to known typo squatter dsparking.com.

• IoT Working Group Crafts Framework For Security, Privacy – www.darkreading.com
  An industry working group that includes members from Microsoft, Symantec, Target, and home security system vendor ADT today issued draft recommendations for locking down the privacy and security of home automation and consumer health and fitness wearable devices with security practices such as unique passwords, end-to-end encryption of sensitive and personal information, and a coordinated patching and update mechanism, as well as other measures.

• Oracle Deleted Its Insane Rant Against Security Hackers But You Can Read It Here – gizmodo.com
  Oracle’s security chief Mary Ann Davidson published a rambling screed today against the security research industry, bug bounties, and reverse engineering on the company’s corporate blog.

• S. Identifies Insider Trading Ring With Ukraine Hackers – www.bloomberg.com
  Exposing a new front in cybercrime, U.S. authorities broke up an alleged insider trading ring that relied on computer hackers to pilfer corporate press announcements and then profited by trading on the sensitive information before it became public.

• ‘Banned’ article about faulty immobiliser chip published after two years – www.ru.nl
  In 2012, three computer security researchers at Radboud University discovered weaknesses in the Megamos chip, which is widely used in immobilisers for various brands of cars. Based on responsible disclosure guidelines, the scientists informed the manufacturer immediately, and they wrote a scientific article on the topic that was accepted for publication at a prestigious digital security symposium (USENIX 2013).

• Company Loses $197K In Cyberheist, Has To Bribe Chinese Police With Cigarettes & Cash To Get Some Of It Back – consumerist.com
  If someone steals nearly $200,000 from your business and you were able to track down the location of the thief, you’d hope the local police would be willing to arrest that criminal and help you get your stolen money back. But for one American business owner whose money had been illegally siphoned off by a Chinese company, it took payments of cigarettes and cash for the authorities to care.

• Kaspersky Lab accused of faking malware to generate false positives in competing software – www.digitaltrends.com
  Two former employees of Russian anti-virus firm Kaspersky Lab have accused the company of generating fake malware files so that its competitors’ software would classify them as malicious.