Events Related
- Notes from BlackHat 2011
Below are more than a dozen updates and resource portals for the recently concluded BlackHat conference.
- Tavis Ormandy’s Sophail Presentation – anti-virus-rants.blogspot.com
- BlackHat 2011 Presentation – sensepost.com
- Black Hat USA 2011 – f-secure.com
- BH2011: Hacking Google Chrome OS – nakedsecurity.sophos.com
- BlackHat 2011: Macs in the age of the APT – nakedsecurity.sophos.com
- Beresford @ Black Hat Part 1: Details – digitalbond.com
- Beresford @ Black Hat Part 2: Guru’s, Politics, and ICS Response – digitalbond.com
- Dan Kaminsky on Black Ops of TCP/IP – slideshare.net
- Battery Firmware Hacking, Dr. Charlie Miller – accuvant.com
- Don’t Drop the Soap Real World Web Service Testing – blog.securestate.com
- How To Follow Blackhat/Defcon/BsidesLV Without Being There – blog.security4all.be
- Attacking Home Automation Networks Over Power Lines – news.cnet.com
- When Hacking Chrome it’s All About Your Data – download.cnet.com
- Microsoft Offers $250,000 for security defense research – news.cnet.com
- Researchers Warn of SCADA equipment discoverable via Google – news.cnet.com
- At BlackHat Mobile Devices Under The Microscope – darkreading.com
- Strengths And Weaknesses of Apple’s MDM Systems – intrepidusgroup.com
- BlackHat 2011 Highlight: DIY Hacking UAV
Yesterday at Black Hat, two security researchers demonstrated how a radio-controlled model airplane outfitted with a computer and 4G connectivity could be used to create a nearly undetectable aerial hacking device that could perpetrate aerial attacks on targets otherwise unreachable by land.
- Wardriving Evolves Into Warflying – darkreading.com
- DIY Spy Drone Sniffs WiFi, Intercepts Phone Calls – wired.com
- BlackHat 2011 Highlight: The Problem With Square Card Readers
Security researchers at the Black Hat Briefings demonstrated a method for turning purloined credit card information into cash, this time using Square, a free credit card reader that promises to turn anyone with a mobile device into a merchant capable of accepting credit card payments.
- Researcher: Square Card Reader Provides Avenue To Illicit Cash? – threatpost.com
- Researchers Find Avenues For Fraud In Square – news.cnet.com
- BlackHat 2011 Highlight: The Shocking Siemens Vulnerability
A researcher…has discovered a number of vulnerabilities in programmable logic controllers (PLCs) from Siemens that are used to automate mechanical devices in utilities, power plants, and other industrial control environments and which could be remotely controlled to cause damage if connected to the Internet.
- Researcher demos attack on Siemens industrial control system – news.cnet.com
- Making Sense of Siemens’ Vulnerability Conflation/Confusion – digitalbond.com
- Hard Coded Passwords And Other Security Holes Found In Siemens Control Systems – wired.com
- DefCon 19
Notes and news about DefCon 19.
- Dan Rosenberg Remote Kernel Exploitation Slides from DefCon 19 – vulnfactory.org
- DefCon: The Event That Scares Hackers – cnn.com
- How To Follow Blackhat/Defcon/BsidesLV Without Being There – blog.security4all.be
- 10 year old hacker finds zero day exploit in games – download.cnet.com
- Android could allow mobile ad or phishing pop ups – news.cnet.com
- Hacking Home Automation Systems Through Your Power Lines – wired.com
- DefCon Kids Join Adult Hacker Conferences – news.cnet.com
- DefCon 19 presentations (PDF) – it.toolbox.com
- How To Follow Blackhat/Defcon/BsidesLV Without Being There – blog.security4all.be
Well, I’m one of the poor souls who couldn’t make it to the Blackhat/Defcon / SecurityBsides fun. There are some ways to follow the events in Vegas (real time). The first tool is to use twitter and follow the hashtags #defcon, #blackhat and #bsideslv. If you have a twitter account, I would recommend installing tweetdeck and setting up 3 search columns.
Resources
- OWASP O2 Platform the History So Far – diniscruz.blogspot.com
For the past couple years I have been using this personal blog to document O2 Platform’s history. Here are the most important blog posts, ordered chronologically and with some additional comments (made in August 2011).
- Tavis Ormandy and Sophos – nakedsecurity.sophos.com
As a security company keeping our customers safe is our primary responsibility, therefore we investigate all vulnerability reports and implement the best course of action in order to protect our customers. Recently, researcher Tavis Ormandy contacted us about an examination he was doing of Sophos’s anti-virus product – not in terms of possible vulnerabilities – but instead looking at how various components of it were implemented.
- The Scanning Legion: Web Application Scanners Accuracy Assessment & Feature Comparison Commercial & Open Source Scanners – sectooladdict.blogspot.com
I’ve always been curious about it… from the first moment I executed a commercial scanner, almost seven years ago, to the day I started performing this research. Although manual penetration testing has always been the main focus of the test, most of us use automated tools to easily detect “low hanging fruit” exposures, increase the coverage when testing large scale applications in limited timeframes and even to double check locations that were manually tested. The question always pops up, in every penetration test in which these tools are used.
- Damn Vulnerable Web Services – dvws.secureideas.net/downloads/index.html
In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework).
- Cisco 2Q11 Global Threat Report – blogs.cisco.com
Data breaches dominated security news during the first half of 2011 and companies across all industry sectors were equally impacted. Many of these breaches resulted from advanced persistent threats; others resulted from SQL injection and other brute force intrusions. In all cases, customer data and corporate intellectual property were at risk.
Tools
- UPDATE: Skipfish 2.03b! – code.google.com/p/skipfish/downloads/list
Skipfish is a fully automated, active web application security reconnaissance tool.
- UPDATE: Cain and Abel v4.9.41! – oxit.it/downloads/ca_setup.exe
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.
- UPDATE: OllyDbg 2.01 Alpha 4! – ollydbg.de/odbg201b.zip
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
- UPDATE: The Social Engineer Toolkit v2.0! – secmaniac.com/download
The Social Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. Its main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
- UPDATE: Context App Tool v1! – cat.contextis.co.uk/cat/CAT_Version_1.msi
Context App Tool or CAT is designed to facilitate manual web application penetration testing for more complex, demanding application testing tasks. It removes some of the more repetitive elements of the testing process, allowing the tester to focus on individual applications, thus enabling them to conduct a much more thorough test.
- UPDATE: Agnitio v2.0! – sourceforge.net/projects/agnitiotool/files/
Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. It aims to replace the ad hoc nature of manual security code review documentation, create an audit trail and reporting.
- HTTPS Everywhere opens to all – download.cnet.com
The security add-on for Firefox called HTTPS Everywhere (download) that forces HTTPS encryption on numerous popular Web sites has graduated to its first stable release, about a year after it was released into public beta.
- Metasploit Framework 4.0 Released! – community.rapid7.com
It’s been a long road to 4.0. The first 3.0 release was almost 5 years ago and the first release under the Rapid7 banner was almost 2 years ago. Since then, Metasploit has really spread its wings. When 3.0 was released, it was under a EULA-like license with specific restrictions against using it in commercial products.
Techniques
- Framebusting-the dual protection core – zeroknock.blogspot.com
Since the outcome of ClickJacking attacks, framebusting has become the unavoidable part of web application security. Considering the real world scenario, it has been noticed that still the appropriate protections have not been placed in the plethora of websites.
- SQL Injection (Primer 1) PHP Escaping And Light Operators – zeroknock.blogspot.com
This post talks about exploiting the SQL queries with LIKE operator in use. However, this situation and target can be specific in nature but one can use the concept that is discussed below to go after exploiting the SQL injection.
- Injecting O2 into an .NET Process, in this case IBM Rational AppScan standard – diniscruz.blogspot.com
Of course that this is just the beginning! Now that we have the full O2 scripting capabilities inside the AppScan .NET process, there is A LOT that can be done (namely the integration with .NET Static Analysis data).
- John The Ripper Hash Formats – pentestmonkey.net
John the Ripper is a favourite password cracking tool of many pentesters. There is plenty of documentation about its command line options. I’ve encountered the following problems using John the Ripper. These are not problems with the tool itself, but inherent problems with pentesting and password cracking in general.
- Stuxnet Footprint In Memory With Volatility 2.0 – mnin.blogspot.com
In this blog post, we’ll examine Stuxnet’s footprint in memory using Volatility 2.0. A talk was given at Open Memory Forensics Workshop on this topic (see the online Prezi) and the details will be shared here for anyone who missed it.
Vulnerabilities
- Tim Thumb
A zero-day in a very commonly used WordPress library hit quite a few news sites. The flaw is in an image utility called TimThumb which is used in a LOT of premium themes for generating on the fly thumbnails.
- Zero Day Vulnerability In Tim Thumb Image Utility Threatens Many WordPress Sites – darknet.org.uk
- Timthumb.php Security Vulnerability – r00tsec.blogspot.com
- Zero Day vulnerability in many WordPress themes – markmaunder.com
Other News
- Shady RAT Revealed!
Computer security company McAfee has said that it has discovered a massive global cyber spying operation targeting several US government departments, the UN and other governments across the world for five years or more.
- McAfee Uncovers Massive Global Cyber Snoop – security.cbronline.com
- Global cyber espionage operation uncovered – news.cnet.com
- Shady RAT hacking claims overblown says security firm – computerworld.com
- Android Users Twice As Likely To See Malware Than Six Months Ago – news.cnet.com
If you’ve got an Android you are 2.5 times more likely to encounter malware on the device today than six months ago, while mobile users have a 30 percent likelihood of clicking on a malicious link, according to a report released today from mobile security firm Lookout.
- Anonymous Hacks US Department of Defense: Analysis of the Attack – acunetix.com
On the 12th of July 2011, Booz Allen Hamilton the largest U.S. military defence contractor admitted that they had just suffered a very serious security breach, at the hands of hacktivist group AntiSec. Operation Anti-Security (AntiSec) is a hacking operation, carried out by two of the biggest names in the black-hat world – Anonymous, and LulzSec.