Events Related:
- Third SHB Workshop – schneier.com
This is a two-day gathering of computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others.
- HiTB News
HiTB organizes conferences for a while in Dubaï and Kuala Lumpur but this is the first time that an event is held in Europe and not too far from Belgium.
  - Hack in the Box Day #1 Wrap Up – rootshell.be
  - Hack in the Box Day #2 Wrap Up – rootshell.be
- Notes from OWASP Bay Area Security Summit – michael-coates.blogspot.com
However the portion on dynamic identification and quarantine of malicious scripts was very interesting.
- Hacking the Next Hope Badge – travisgoodspeed.blogspot.com
The following are some notes that will help enterprising neighbors to hack these badges, which will be running an MSP430 port of the OpenBeacon firmware.
Resources:
- Comparing web application scanners, part 2 – portswigger.net
Scanners were scored based on their ability to identify different types of vulnerabilities in different scanning modes.
- Cisco IOS Auditing – digitalbond.com
Earlier this month Tenable released a new policy compliance plugin for Nessus that allows auditing of Cisco router and switch configuration.
- Third-Party Web Widget Security FAQ – jeremiahgrossman.blogspot.com
Millions of websites such as online news, blogs, e-commerce, banks, webmail, social networking and more utilize third-party hosted content on their webpages in the form of JavaScript, Adobe Flash, Microsoft Silverlight, HTML IFrames, and images.
- securityacts it security e-zine issue 3 – terminal23.net
If you’re looking for a new security-related e-zine to read, check out SecurityActs.
- New AMTSO guidelines – f-secure.com
Anti-Malware Testing Standards Organization (AMTSO), which F-Secure is a member of, had a meeting in Helsinki in May.
Tools:
- BackTrack
BackTrack started as a personal side project well over 5 years ago and by now has been downloaded over 5 million times.
  - BackTrack, Present and Future – backtrack-linux.org
  - BackTrack 4 Development Roadmap – backtrack-linux.org
- Autoruns and Dead Computer Forensics – sans.org
It is essentially a targeted registry dump, peering into at least a hundred different Windows Registry keys that the boot and logon processes rely upon.
- Netsparker Community Edition 1.5.0.0 Released – mavitunasecurity.com
There are not many new features in Community Edition but this release addresses the most common issues and includes several improvements.
- Skipfish 1.46beta – code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool.
- FxCop – .NET Framework Security Analysis Tool – darknet.org.uk
FxCop is an application that analyzes managed code assemblies.
- bsqlbf v. 2.6 – notsosecure.com
The new addition is the execution of any metasploit payload after executing OS code against Oracle database server by exploiting SQL Injection from web apps.
- upSploit – Press Release – tmacuk.co.uk
This Vulnerability Advisory Gateway (VAG) should break down the barriers for security researchers and professionals to pass details of vulnerabilities to vendors in a structured easy to follow process.
- SandKit – s7ephen.github.com
SandKit is a toolset that is intended to assist with the investigation of Sandbox technologies.
- IDA Pro 5.7 highlights – hexblog.com
We have released IDA Pro 5.7 a few days ago.
- WinPcap – winpcap.org
The latest stable WinPcap version is 4.1.2.
- ostinato 0.1.1 – code.google.com/p/ostinato/
Ostinato is an open-source, cross-platform packet/traffic generator and analyzer with a friendly GUI.
Techniques:
- Got database access? Own the network! – bernardodamele.blogspot.com
The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in real world.
- SSL gives point-to-point, not end-to-end security – root.org
SSL provides good point-to-point privacy and integrity protection. However, there is no guarantee to upper layers that SSL is indeed in use.
- HCP Vulnerability Exploited in the Wild – pandasecurity.com
This vulnerability disclosure has fueled an intense debate amongst security professionals on responsible disclosure, as the Google researcher only allowed Microsoft 5 days before going public with the flaw details.
- The curious case of JBoss Hacking – inner-knowledge.blogspot.com
It is not so rare seeing jboss where the jmx-console is not password protected.
- Linux buffer overflow II – gunslingerc0de.wordpress.com
In the first edition of my tutorial tutorial explains berbuffer 400-byte buffer overflow.
- Set Wallpaper Meterpreter Script – room362.com
Certainly nothing to fuss over, but I’ve had a fascination with setting my target’s wallpaper as sort of a calling card for years now.
- Vulnerability Assessment Testing Automation Part I – sans.edu
In my SANSFire presentation I described how and why to automate parts of the security testing process.
- V3rity has released a redo log mining tool to extract DDL from redo logs – petefinnigan.com
V3rity is the new company founded by David Litchfield in March 2010 since he left NGS and until recently his site had little on it.
- Full-Disclosure, Our Turn – jeremiahgrossman.blogspot.com
No Web applications, no forms, no log-in, no user-supplied input where XSS can hide.
- Social Security Number Format – attackvector.org
First, for those of you who live under a rock, or across the pond, a social security number is in the format of xxx-xx-xxxx.
- CSRF flaws that pack a punch – holisticinfosec.blogspot.com
A year after DEFCON 17, cross-site request forgery (still one of my favorite bugs) continues to present itself in some mighty interesting places.
- Wifi Security Slides – trustedsignal.blogspot.com
There are a few canned video demos in the PPT version that are obviously not in the PDF version and the PPT version contains copious notes, not found in the PDF.
- Memory acquisition and the pagefile(s) – mandiant.com
The easiest way to do this with Memoryze is to use the MemoryDD.bat script from the command line or to use the UI, Audit Viewer.
- sqlmap and SOAP based web services – bernardodamele.blogspot.com
Last week a sqlmap user, Chilik Tamir, provided me with a patch to add basic support for SOAP based requests to the tool.
- Lessons from criminals – Good passwords matter – sophos.com
Unless this is an elaborate public relations stunt, it appears the integrity of AES-256 as a military-grade encryption standard has been proven in a rather public way.
- more with rpcclient – carnal0wnage.attackresearch.com
Got asked to help remotely locate local admins on boxes on a network.
- You want the BlackBerry Event Log? beg damnit! – chirashi.zensay.com
If I succeeded at understanding this topic, I would be able to directly connect to a BlackBerry device and collect all the information that I wanted.
- Twitter updates
  - Looks like it’s possible to infinitely brute force Windows passwords without hitting lockout policy using “Change Passwd” Is that old news? – ax0n
  - Arduino + MetaSploit + USB wireless presenter dongle == VNC remote access on the box. – hdmoore
  - @ax0n you have to be authenticated to the domain to access the SAM function though right? Once you have an account, it works – hdmoore
- How to write shellcode – gunslingerc0de.wordpress.com
I previously had written an article about buffer overflow, it is time I wrote an article how to write shellcode.
- Secunia Survey of DEP and ASLR – taosecurity.blogspot.com
At the FIRST conference last month, Dave Aitel said something to the effect that DEP and ASLR are the only two noteworthy technologies produced by Microsoft since starting their security initiative.
- Hacking wireless presenters with an Arduino and Metasploit – teusink.net
Someone in the audience can control the slides and can send any keystroke you want to the victim, as if they were sitting at the keyboard.
- CiscoWorks TFTP directory traversal exploit – teusink.net
So far I have not seen any details published so I decided to see if I could find the bug.
Vendor/Software Patches:
- Critical hole closed in PNG reference library – h-online.com
As numerous browsers use libpng to display images, specially crafted web pages could infect visitors’ PCs with malicious code.
- Adobe Patches PDF /Launch Hole
Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac and UNIX users to malicious hacker attacks.
  - Security updates released for Adobe Reader and Acrobat – adobe.com
  - Critical PDF Reader Patch Fixes ‘/Launch’ Command Attack Vector – threatpost.com
Other News:
- ‘LikeJacking’ – What is it? – zscaler.com
The term has been adopted enough, that there is a Wikipedia page for it, with a very straight-forward definition.
- Privacy problems persist in latest Windows Messenger 2011 beta – infoworld.com
Earlier versions of Messenger played fast and loose with your privacy.
- SSL Certificates In Use Today Aren’t All Valid – esecurityplanet.com
Ivan Ristic, director of engineering at Qualys, said that he found that only about 23 million of the sites were actually running SSL.
- White House Cybersecurity Czar Unveils National Strategy For Trusted Online Identity – darkreading.com
Devil’s in the details for Obama administration’s draft plan for eliminating passwords and advancing authentication, security expert says.
- Regular domains beat smut sites at hosting malware – theregister.co.uk
A study by free anti-virus firm Avast found 99 infected legitimate domains for every infected adult web site.
- IBM to Acquire BigFix – Hallelujah! Can I Get a Witness?! – techbuddha.wordpress.com
I will post more later but given all the blood, sweat, and tears we have poured into BigFix we are extremely excited about this move.
- Top Apps Largely Forgo Windows Security Protections – krebsonsecurity.com
Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system.
- Why Johnny Can’t Pentest – ethicalhack3r.co.uk
The three authors of the paper (Adoupe, Marco, Vigna) test the black-box scanners against their custom vulnerable web application they called WackoPicko.