Events Related
- Hop Hacking Hedy – cutawaysecurity.com
Although this started as one of my first full-fledged hardware projects, the intent was always to evaluate ways to cheaply assess deployments of frequency hopping spread spectrum (FHSS) technologies (please review and I’ll assume you did).
- OWASP Summit 2011 Results – diniscruz.blogspot.com
As you can see by the Summit’s highlights, we achieved an amazing amount of work during the 3 days we were together in Portugal!
- RSA 2011
  - RSA: the Only Difference Between a Rut and a Grave is the Depth – securosis.com
    It’s worth noting that even sleep-deprived Rich is surprisingly coherent.
  - RSA: We Now Go Live to Our Reporters on the Scene – securosis.com
  - Back From RSA – blog.appsecinc.com
  - New Fast-Flux Botnet unmasked – darkreading.com
  - Vaccinate Your Computers – blog.absolute.com
  - What does “risk” mean? RSA’s Risk Management Smackdown – tripwire.com
- BSides 2011
  - BSides 2010 – misc-security.com
    All of the presentations at BsidesSF were cutting edge and highly informational.
  - Most over-looked data loss is from 3rd party data recovery vendors – tripwire.com
  - Security B-Sides’ founder attributes its success to conversations – tripwire.com
  - Building Community with Security B-sides – tripwire.com
  - EFF vs. copyright trollers – tripwire.com
- REcon 2010 slides – djtechnocrat.blogspot.com
RECON is a computer security conference held in Montreal. The conference offers a single track of presentations over the span of three days. REcon 2010 took place on July 9-11, 2010.
- Mallory Webinar Followup – intrepidusgroup.com
First, we would like to thank everyone that attended our Mallory webinar. Mallory is Intrepidus Group’s in-house developed Man in The Middle (MiTM) tool that we use to test mobile devices and applications.
Resources
- 2010 Breach Statistics – blog.absolute.com
As you can see from the tally above, 662 breaches were reported for 2010. Those breaches exposed more than 16 million records, though if you look closely into the report, you’ll see that quite a number of the breaches are left with a 0 for records reported – numbers may yet be unknown.
- Tour guide to the seven types of malicious hackers – infoworld.com
When I learned over the weekend that hackers had planted malware on a Nasdaq Web server, I wasn’t exactly surprised.
- Metasploit Unleashed 2011 – offensive-security.com
This past month has seen a number of additions to our free Metasploit Unleashed training course, primarily in our on-going effort to build out the Metasploit Module Reference section.
- Data Loss Prevention and Internal Threats – tripwire.com
Combine the major players getting into DLP and the rise of Wikileaks, and now everyone is concerned and aware of internal threats and losing their data.
- SSDs prove difficult to securely erase – nakedsecurity.sophos.com
At this week’s Usenix FAST 11 conference on File and Storage Technologies in San Jose, California, researchers published a paper examining the effectiveness of different secure erasure methodologies on Solid State Disks (SSDs).
- CISSP Domain – Security Architecture and Design – resources.infosecinstitute.com
This article will cover some of the major areas within Security Architecture and Design by looking at: design concepts, hardware architecture, OS and software architecture, security models, modes of operations, and some system evaluation methods, specifically CAP.
- I uploaded some raw data and quick diff results from Windows 7 (x86) SP0 -> SP1: http://bit.ly/hauWee (read the README) – twitter.com, @hdmoore
Tools
- Manual Blind SQL Injection and password cracking w/ DVWA and JTR – pauldotcom.com
The following video demonstrates the manual exploitation of blind SQL injection vulnerabilities in DVWA, followed up by a quick crack of the stolen hashes with John the Ripper.
- IRONBEE: The Open Source Next generation WAF – pentestit.com
It’s like building a universal web application firewall in the cloud: an Open Source Next Generation WAF for the Community! It is a new open source project from Qualys to build a universal web application firewall sensor in the cloud through collective efforts of the community.
- Nikto 2.1.4 available! – cirt.net
We’re happy to announce the immediate availability of Nikto 2.1.4!
- Nessus “Exploitable With” Field Updated – blog.tenablesecurity.com
Over the past few months, fields in Nessus reports indicating whether or not an exploit exists for a given vulnerability have continued to evolve.
- The Yeti is here – sensepost.com
After several months of dedicated … uh dedication, our new network footprinting tool is being made available to the masses.
- Open-SCAP v0.7.0 released – open-scap.org
The OpenSCAP Project was created to provide an open-source framework to the community which enables integration with the Security Content Automation Protocol (SCAP) suite of standards and capabilities.
- Web security v0.8 final released – code.google.com
Websecurify Security Testing Framework identifies web security vulnerabilities by using advanced browser automation, discovery and fuzzing technologies.
- NessusDB v1.2 Released – github.com
NessusDB is a Nessus XMLv2 parser, which pushes reports into an ActiveRecord database, easing report generation.
- inSSIDer v2.0.7.0126 The Wi-Fi network scanner released – metageek.net
Because NetStumbler doesn’t work well with Vista and 64-bit XP, there exists an open-source Wi-Fi network scanner designed for the current generation of Windows operating systems.
- Volatility the advanced memory forensics framework v1.4 released – code.google.com
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
- Debdroid: Run a Network Sniffing Debian System on Android – afrosec.org
Just recently, it was announced that the Android phone operating system has grown a lot in the last two years.
Techniques
- Yeti – Footprinting Your Network – blog.rootshell.be
“Footprinting” is a technique to gather information about information systems. The goal is to collect as much information as possible and correlate it to build some kind of “business card” of the target.
- Episode #134: Never Out of Sorts – blog.commandline.kungfu
I was recently working a case where we had extracted a bunch of date-stamped messages from unallocated space, and we wanted to output them in reverse-chronological order.
- Bypassing MDM Restrictions for Mobile Safari on iOS 4.2 – intrepidusgroup.com
When deploying iOS devices, such as the iPhone or iPad, to a corporate population, the security-minded may ask “how can we keep people from using this device for inappropriate web surfing?”
- The trick to defeating tamper-indicating seals – freedom-to-tinker.com
Even so, when the state stuck a bunch of security seals on their voting machines in October 2008, I found that I could easily defeat them. I sent in a supplemental expert report to the Court, explaining how.
- HeapLocker: String Detection – blog.didierstevens.com
When you enable string monitoring, HeapLocker will create a new thread to periodically check (every second) newly committed virtual pages that are readable and writable.
- Possibly the most fascinating HTML parser behavior ever – lcamtuf.blogspot.com
If this happens to be a single or a double quotation mark, the second parsing strategy is used; otherwise, the first method is a go.
Vendor/Software Patches
- Oracle Java Plug
  - February 2011 Java SE and Java for Business Critical Patch Update Released – blogs.oracle.com
    Oracle released the February 2011 Critical Patch Update for Java SE and Java for Business today.
  - Java 6 Update 24 Plugs 21 Security Holes – krebsonsecurity.com
- Oracle releases database firewall – h-online.com
The company says the firewall protects not only Oracle’s own database, but also IBM’s DB2 (LUW), Microsoft’s SQL Server (2000, 2005 and 2008), and Sybase’s ASE (12.5.4 and 15) or SQL Anywhere V10.
Vulnerabilities
- Patched vulnerabilities remain prime exploitation vector – zdnet.org
Which is the most popular tactic that cybercriminals use on their way to infect users with malicious code (malware) and generate yet another botnet?
- Windows 0-day SMB mrxsmb.dll vulnerability – vupen.com
A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers or malicious users to cause a denial of service or take complete control of a vulnerable system.
- Oracle Passlogix Vulnerability – securityfocus.com
An attacker can exploit this issue to view and execute arbitrary files on the target system. Successful exploits may aid in a compromise of the underlying computer.
Other News
- Anonymous vs. HBGary
  - Still Smarting, Anonymous Releases 20,000 More HBGary Emails – threatpost.com
    The battle rages on.
  - The HBGary Email That Should Concern Us All – dailykos.com
  - Anonymous decompiles Stuxnet, posts on Github – github.com
  - Anonymous Damage Control Anybody? – isc.sans.edu
  - Stuxnet, Github, and a Worm with Cloak and Dagger written all over it – readwriteweb.com
  - Lessons To Learn From The HBGary Federal Hack – djtechnocrat.blogspot.com
  - Anonymous speaks: the inside story of the HBGary hack – arstechnica.com
  - Black ops: how HBGary wrote backdoors for the government – arstechnica.com
  - Hacked and now Vandalized, HBGary pulls out of RSA – itworld.com
  - RSA 2011: HBGary Goes AWOL – liquidmatrix.org
  - The world of HBGary – lcamtuf.blogspot.com
  - More on the HBGary Hack – liquidmatrix.org
- Having a Ball with ATM Skimmers – krebsonsecurity.com
On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine.
- Reinventing FedRAMP – novainfosecportal.com
For those that haven’t heard, GSA has been quickly pushing the Federal Risk and Authorization Management Program (FedRAMP) out the door with the goal of accrediting common cloud-based solutions that agencies can develop on top of.
- ESAPI and the Padding Oracle Attack – owasp.blogspot.com
I originally noticed that the ESAPI symmetric encryption provided no authenticity way back in August 2009 and argued for a very long time with Jim Manico that what was present in ESAPI 1.4 and 2.0rc3 (or maybe it was rc2?) needed to be burned to the ground and replaced, and he agreed.
- Securing the smart grid is no small task – news.cnet.com
The road to secure a smart grid is still being built.
- Attack Can Extract Crypto Keys From Mobile Device Signals – threatpost.com
Many carriers and mobile providers are touting smartphones as the future of secure mobile payment systems, enabling users to pay for purchases with an app on their phones, and this is already a reality in many parts of Asia and Europe.
- OWASP – Has It Reached a Tipping Point? – curphey.com
When I started OWASP nearly a decade ago it was without a plan (or frankly even much thought), but it was with a premonition that the Internet was going to revolutionize the world, web technology would be at the forefront of the revolution, and that security would be a critical attribute in the mix.
- Bulk of browsers found to be at risk of attack – computerworld.com
About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said today.
- 1 in 10 IT pros have access to accounts from previous jobs – net-security.org
According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users’ electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence.
- At security confab, Clinton urges risk, investment – news.cnet.com
Like any great endeavor, information technology does not come without its risks, former President Bill Clinton said this afternoon during a speech at the RSA security conference here.