Events Related
- Hack.lu
I’m back to Luxembourg for a new edition of hack.lu. In fact, I arrived yesterday afternoon to attend the MISP summit. It was a good opportunity to meet MISP users and to get fresh news about the project.
- Hack.lu 2016 Wrap-Up Day #1 – blog.rootshell.be
- Hack.lu 2016 Wrap-Up Day #2 – blog.rootshell.be
- Hack.lu 2016 Wrap-Up Day #3 – blog.rootshell.be
Resources
- My slides from BsidesPDX’16 – firmwaresecurity.com
I gave a brief presentation at Security BSides Portland (BsidesPDX) a few days ago. Title was “Firmware Tools for Security Researchers”. Since it was only a 20-minute time slot, I only had time to cover a few tools, and didn’t get a chance to mention other noteworthy tools.
- Setting up a Research Environment for IP Cameras – insinuator.net
Embedded devices often serve as an entry point for an attack on a private or corporate network. The infamous attack on HackingTeam, for example, followed exactly this path as was revealed here. Although the attack may have been for the greater good (refer also to this great keynote), such incidents demonstrate that it is important to properly secure your embedded devices.
- IP Cameras Default Passwords Directory – ipvm.com
We have gathered this list of IP camera manufacturers and their default usernames and passwords to help users get started more quickly. After the list, we discuss recent changes by manufacturers as well as password security issues.
Tools
- BloodHound – github.com
BloodHound is a single page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.
Techniques
- What are malicious USB keys and how to create a realistic one? – www.elie.net
Dropping a malicious USB key in a parking lot is an effective attack vector, as demonstrated by our recent large-scale study. This blog post follows up on the study by showing how reliable and realistic-looking malicious USB keys can be created.
- Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier – www.scriptjunkie.us
Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege policies by granting specific administrative privileges to users, defined by built-in and script-defined PowerShell cmdlets. Microsoft’s documentation claimed JEA was a security boundary so effective you did not need to worry about an attacker stealing and misusing the credentials of a JEA user.
- Extracting LastPass Site Credentials from Memory – techanarchy.net
Let me start by stating this is not an exploit or a vulnerability in LastPass. This is just extracting any data that may remain in memory during a forensics acquisition. At some point the data must be in the clear.
- Inside The Bulb: Adventures in Reverse Engineering Smart Bulb Firmware – hackernoon.com
Following the Reverse Engineering a Smart Light Bulb post, I got contacted by Eyal, a member of the TAMI community, asking if we could meet up and try to reverse engineer a Xiaomi Yeelight WiFi Bulb he has recently purchased.
- SLACK, A Brief Journey to Mission Control – secalert.net
In order to understand the infrastructure and to gain information about the used framework I started to check the HTTP response header and saw that Slack is using an Apache httpd server. So I tried to identify common Apache directories and directives like “/icons/README”, “/manual/”, “/server-info” and “/server-status”.
Vulnerabilities
- 5900 online stores found skimming [analysis] – gwillem.gitlab.io
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.
- Recording Keystroke Sounds Over Skype to Steal User Data – www.onthewire.io
New research from the University of California Irvine shows that an attacker, who has not compromised a target’s PC, can record the acoustic emanations of a victim’s keystrokes and later reconstruct the text of what he typed, simply by listening over a VoIP connection.
- Researchers Bypass ASLR Protection on Intel Haswell CPUs – news.softpedia.com
A team of scientists from two US universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection by taking advantage of the BTB (Branch Target Buffer), a component included in many modern CPU architectures, including Intel Haswell CPUs, the processor they used for tests in their research.
- Dirty Cow
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel.
- dirtyc0w.c – github.com
- Dirty COW – dirtycow.ninja
- Linux kernel bug: DirtyCOW “easyroot” hole and what you need to know – nakedsecurity.sophos.com
- DirtyCow Local Root Proof Of Concept – packetstormsecurity.com
- How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts – motherboard.vice.com
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google. The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government.
Other News
- Weebly hacked, 43 million credentials stolen – techcrunch.com
The web design platform Weebly was hacked in February, according to the data breach notification site LeakedSource. Usernames and passwords for more than 43 million accounts were taken in the breach, although the passwords are secured with the strong hashing algorithm bcrypt.
- DDoS Attack
Major websites have gone down worldwide – the reason is still unclear but a major DNS provider is suffering a massive DDoS attack and experts are connecting the dots.
- DDoS Attack on DNS; Major sites including GitHub PSN, Twitter Suffering Outage – www.hackread.com
- DDoS Attack Against Dyn Managed DNS – www.dynstatus.com
- Hacked Cameras, DVRs Powered Today’s Massive Internet Outage – krebsonsecurity.com
- Amid major internet outages, downed websites have lessons to learn – www.zdnet.com
- ISC Briefing: Large DDoS Attack Against Dyn – isc.sans.edu
- Dyn Statement on 10/21/2016 DDoS Attack – dyn.com
- How Stolen iOS Devices Are Unlocked – isc.sans.edu
For a number of years now, Apple has been implementing “Activation Lock” and “Find my iPhone” to deter the theft of iOS devices. According to some statistics, this effort has had some success. But with millions of users carrying devices costing $500 and more loosely secured in their pockets, mobile devices far exceed the value of an average wallet.
[…] post Week 43 In Review – 2016 appeared first on Infosec […]