Event Related
- Hack in Paris 2012
- Hack in Paris 2012 Wrap-Up Day #1 – blog.rootshell.be
The title was “Where are we and where are we going?“. Mikko has been working in the security field for 21 years and always so busy! In fact, why can’t we get rid of vulnerabilities? Because applications and systems have… bugs! The most popular mobile phone, the iPhone, will be five years old next week.
- Hack in Paris 2012 Wrap-Up Day #2 – blog.rootshell.be
“Home sweet home!“, it’s time to wrap-up the second day of Hack in Paris before taking some sleep hours. The second day started with Winn Schwartau from securityexperts.com.
- RVAsec 2012 Slides – rvasec.com
Videos will be coming soon, but in the meantime here are the slides from the RVAsec 2012 presentations.
- DefCon: 20 Years of Hackers, Hijinks and Snooping Feds – wired.com
In 1992, former hacker Jeff Moss invited a bunch of hacker friends he’d met primarily on electronic bulletin boards to come to Las Vegas to party in the desert. That party grew into a legendary conference that’s become one of the premiere gatherings for hackers from around the world – as well as for undercover intelligence agents who want to spy on them (or recruit them).
- RECON 2012 PRESENTATION – blog.coresecurity.com
At Core we enjoy participating in activities, and helping to improve the security community. As a result you will often see us sponsoring industry events and presenting research and tools that our engineering and research teams have developed. This was true at the recent RECon conference in Montreal, Canada where two members of our Exploit Writing Team presented.
Resources
- Companies that Give Back with Free Tools – room362.com
Penetration Testing / Red Teaming requires the use of a lot of tools. I don’t mind getting called a “script kiddie” because I can accomplish more and faster when I don’t have to code every single task I need to do. This post is to point out companies that make this possible and give a small bit of thanks.
- USRP NFC Post Part II – intrepidusgroup.com
This is not what you think it is, unfortunately. It has nothing to do with the USRP, but is the second in a series of posts which should really be entitled “Alice’s Adventures in NFC-land”. Since the second post in this series was supposed to be about demodulation/decoding, I’ll continue the title with the hopes of eventually porting this to the USRP.
- Apple’s iOS Security Overview – intrepidusgroup.com
It starts off describing the overall system architecture, from the boot ROM (including a public key used to validate system software) through the Low Level Bootloader and into the kernel and application layers. Executable code at all layers, including OS, Apple, and third-party applications, is signed, and the signatures are validated before the code is run. These checks help to keep malicious code from affecting the system.
- CVSS for Penetration Test Results (Part I) – blog.spiderlabs.com
Trustwave has been adding support for the Common Vulnerability Scoring System (CVSS) in PenTest Manager, our online reporting portal used for all SpiderLabs penetration tests.
- Introducing HackRF – ossmann.blogspot.com
Digital audio capabilities in general purpose computers enabled a revolution in the sound and music industries with advances such as hard disk recording and MP3 file sharing.
Tools
- Using Mimikatz to Dump Passwords – blog.opensecurityresearch.com
If you haven’t been paying attention, Mimikatz is a slick tool that pulls plain-text passwords out of WDigest (explained below) interfaced through LSASS. There are a few other blogs describing mimikatz on the net, but this will hopefully provide more details about the components involved and ideas on how to use it. The tool itself and the download page is in French, so it makes it “fun” to use if you don’t speak French 🙂
Vendor/Software Patches
- Attack code published for ‘critical’ IE flaw; Patch your browser now – zdnet.com
Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.
- Some shellcode de-mystified – blogs.technet.com
The shellcode described in this post was obtained from the Eleonore v1.2 exploit kit. High-level details about that kit are mentioned in my April 2012 blog post.
Vulnerabilities
- New Critical Microsoft IE Zero-Day Exploits in Metasploit – community.rapid7.com
We’ve been noticing a lot of exploit activities against Microsoft vulnerabilities lately. We decided to look into some of these attacks, and released two modules for CVE-2012-1889 and CVE-2012-1875 within a week of the vulnerabilities’ publication for our users to test their systems. Please note that both are very important to any organization using Windows, because one of them is a newly patched bug, while the other is still a zero-day. To test if any systems on your network are vulnerable, you can download the latest version of Metasploit for free.
- CVE-2012-1889 in Action – symantec.com
Following on from the exploitation of the Microsoft Internet Explorer CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875) detailed in our previous blog, Symantec has also observed continued exploitation of the Microsoft XML Core Services CVE-2012-1889 Remote Code Execution Vulnerability (CVE-2012-1889) in the wild.
- CVE2012-1889: MSXML use-after-free vulnerability – blog.eset.com
As soon as Microsoft had released patches for security bulletin MS12-037 (which patched 13 vulnerabilities for Internet Explorer) Google published information (Microsoft XML vulnerability under active exploitation) about a new zero-day vulnerability (CVE-2012-1889) in Microsoft XML Core Services.
- Writing a Metasploit Exploit for the Adobe Flash Vulnerability CVE-2012-0779 – community.rapid7.com
Ever since the first sightings of a new zero-day attack (CVE-2012-0779) on Adobe Flash last month, the exact path of exploitation has been somewhat of a mystery. The attacks were specifically targeted against defense contractors and other victims as part of a spear phishing attack, and included a Word document with a Flash (SWF) object.
- Vulnerable SAP Deployments Make Prime Attack Targets – securityweek.com
A Russian security firm, using a combination of TCP scans and Google, found that nearly a quarter of the organizations running vulnerable versions of SAP are tempting fate by leaving them exposed to the Internet.
Other News
- U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say – washingtonpost.com
The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.
- How Anonymous Picks Targets, Launches Attacks, and Takes Powerful Organizations Down – wired.com
No one but Hector Xavier Monsegur can know why or when he became Sabu, joining the strange and chaotic Internet collective known as Anonymous. But we know the moment he gave Sabu up. On June 7, 2011, federal agents came to his apartment on New York’s Lower East Side and threatened the 28-year-old with an array of charges that could add up to 124 years in prison.