Infosec Events

RSA Conference 2010 – Wrap Up

glenn — Wed, 10 Mar 2010 04:37:16 +0000

The RSA Conference in San Francisco, CA just concluded and it was overflowing with the latest security information, insights and news. There’s been a lot of buzz about this security event and we’ve compiled a few of those links for you.

Studies and research

NSS Labs Study on social attack aversion – NSS Labs released its latest study on how well web browsers avoid social engineering attacks.
Veracode’s State of Application Security – Around 58 percent of the applications tested by application security testing service provider Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing.
McAfee on intellectual property risks – McAfee analyzed a commonly used software for housing intellectual property called Perforce and released its findings during a session at the RSA security conference.
Fifteen Common Activities from BSIMM2 - In addition to highlighting the fifteen most common BSIMM activities, the article also provides the 30 firm data for all 110 activities in public for the first time.

Presentations and sessions

Visualizing the Zeus attack against government and military – This presentation will focus on specific tools and methodology to aid you in establishing security data visualization practices in your environment.
Cryptographers Panel – Adi Shamir said that he is working with a team of researchers who have put together a paper that describes an attack that will break AES 128 within 10 rounds.
Wisdom of ‘Foolishness’ – A panel of leading cryptographers reveal some of the lessons they have learned while making seemingly imprudent decisions.
Pre-debate on ‘Proving the Worth of Security Metrics with Real-World Data’ – A warm up session between the panelists who are up to discuss the value of security measurements.

Some announcements and news from the conference floor

Symantec exhibit makes cybercrime tangible – The security company gave tours of its Black Market at the RSA security conference here this week.
DHS to extend Einstein technology to private sector – The White House did confirm this week that the latest version, called Einstein 3, involves attempting to thwart in-progress cyberattacks by sharing information with the National Security Agency.
Microsoft wants to put infected PCs in rubber room – Charney is the latest to champion the idea that infected PC users should be put in their own rubber room, so the malware, spam, and other attacks they generate can’t harm others.
White House outlines secret cybersecurity plan – Howard Schmidt gives a talk during a town hall meeting on how the nation will face impending attacks on the cyberspace front

Interviews (link redirect to MP3 podcasts)

Jennifer Bayuk – She says that audits do not break down, it’s the response to it that fails.
Mark Bower, Voltage Security – The director from Voltage Security speaks about E2EE, how it will affect merchants and what we might be seeing in the future from Voltage SecureData Payments POS SDK.
Andy Hayter, ICSA Labs – This interview with ICSA Labs discusses about anti-virus testing, education of consumers and a new initiative to use the testing ICSA does in the real world.
Pedro Bustamante, Panda Security – A senior analyst at Panda Security explains his company’s cloud AV product and USB vaccine.
Scott Charney, Microsoft – A post-talk Q&A with the VP of Trustworthy Computing at Microsoft about quarantining of infected computers away from the Internet.
Anton Chuvakin, “Security Warrior” – Anton Chuvakin talks about PCI compliance and log management.
Edward Haletky, Anton Chuvakin – Edward Haletky chats with Anton Chuvakin about the benefits of virtualization and the issues it faces.
Jan Hichert, Astaro Internet Security – The CEO of Astaro shares their new security products and how they are using it in social media environments.
Chris Hoff, Cisco – Chris Hoff explains a bit on cloud computing and virtualization.
Mikko Hypponen, F-Secure – The chief research officer of F-Secure converses about malware and how it is evolving to new platforms.
Jonathan Penn, Forrester – Jonathan Penn of Forrester discusses compliance and why it isn’t equal to security.
Marty Roesch, Sourcefire – Roesch talks on the security existential crisis, Immunet and virtual appliances.
Bob Russo, PCI Security Standards Council – Bob Russo, general manager of PCI Security Standards Council, stresses the importance of looking at your security logs and not just turning them on.
Roel Schouwenberg, Kaspersky Lab – A conversation with the senior AV researcher of Kaspersky on APT, signature-based APT and other topics.
Hord Tipton, (ISC)2 – The executive director of International Information Systems Security Certification Consortium expounds on the Safe & Secure Online program and other topics.
Jacob West, Jeremiah Grossman – Two security experts share what they see as the most common vulnerabilities out there and the incentives of the ones who exploit them.

Software downloads

VerIS Framework – Verizon released its framework for analyzing forensics data to help give organizations a better look into their data breaches.
Playbook – Matasano offers a virtual appliance that scans for any firewall rules that are outdated, redundant, or could potentially expose a network to security threats.
Forefront Identity Manager 2010 – Microsoft released its new identity management software, a system corporations can use to manage employees and others within an organization.

Finally, here is the official photo set from the conference and the compilation of video and audio from the keynote presentations. Watch out for RSA Europe coming this October.

ShmooCon 2010 Session Videos Now Available

glenn — Wed, 10 Mar 2010 04:36:29 +0000

Some of you have been waiting for this and here it is, finally! The official site for ShmooCon just post the slides and video of the various sessions. Here are a few picks from this bunch. Each video file is about 100mb. Happy downloading!

Becoming Jack Flack: Real Life Cloak & Dagger
A talk about how to keep your anonymity in a world that gets more and more connected each day. PDF | M4V
An Existential Threat To Security As We Know It?
This discussion centers on PCI, compliance and the existential threat to information security. PDF | FLV
Flying Instruments-Only: Legal and Privacy Issues in Cloud Computing
Here, Richard Goldberg reveals some big issues people will face as we move data to the cloud as well as what measures can be taken to protect this data. M4V

Exposed | More: Attacking the Extended Web
Some insights are revealed on how APIs of some websites are being exploited and what measures can be taken to reduce this risk while keeping them open for access. PDF | M4V

The New World of Smartphone Security – What Your iPhone Disclosed About You
This talk examines mobile to mobile attacks within cellular IP networks, the iPhone attack surface, iPhone worms, iPhone location-based gaming privacy concerns, and iPhone web application security. PDF | M4V

The Friendly Traitor: Our Software Wants to Kill Us
This session explores the usage of browser hooks, client provided content and malicious flash applications in attacking client machines and organizations. PDF | M4V

Back to the Glass House
A presentation of how virtualization technologies could be deployed to counter hacking attacks and an update on the current status of an on-going pilot deployment of these technologies with a large organization’s desktop environment. PDF | M4V

Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications
As the offline and online world begin to merge, new attacks shift from being temporal to persistent, giving the attacker almost an infinite array of resources to accomplish his goal. This talk breaks down the risks involved in offline technologies as well as some real-life examples. M4V

Week 9 in Review – 2010

glenn — Tue, 09 Mar 2010 07:05:47 +0000

Events Related:

ShmooCon 2010 Presentations – shmoocon.org
Slides and video from sessions during the DC conference.
Some posts related to the RSA Conference
- RSA 2010 Coverage – novainfosecportal.com
- Videos from RSA Conference 2010 – rsa.com
Some BSides SF posts
- BSidesSanFrancisco Official Site – securitybsides.org
- BsidesSF Videos – ustream.com

Resources:

Verizon Incident Metrics Framework Released – verizonbusiness.com
Our goal is to be able to create data sets that can be used and compared because of their commonality.
Web Application Security Trends Report – cenzic.com
The report incorporates findings from Cenzic’s leading-edge managed security assessment (SaaS) and research from Cenzic Intelligent Analysis (CIA) Labs.
Final Course and Exam Review: Pen Testing with BackTrack – ethicalhacker.net
The Pentesting with BackTrack course was originally released as Offensive Security 101 and consists of 3 separate training segments.

Tools:

Web Security Dojo – mavensecurity.com
A free open-source self-contained training environment for Web Application Security penetration testing.
WebRaider v0.2.3.8 – code.google.com/p/webraider
WebRaider focuses on getting a shell from multiple targets or injection point.
Product Watch: Free Tool Cleans Up ‘Rusty,’ Unsafe Firewall Settings – darkreading.com
Matasano Security rolls out open-source product that cleans up and checks firewall configurations for security holes.
HPING3 Cheatsheet – professionalsecuritytesters.org
Also, some examples are enclosed in order to approach special requests with this awesome tool.
ASPsh – A remote shell written in ASP. – skypher.com
The goal of this project was to create an ASP page that can be used on a server to provide a “command line shell”-like experience.
Internet Exploiter 2 – bypassing DEP – skypher.com
I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in.

Techniques:

Quickpost: NetworkMashup.xls – didierstevens.com
NetworkMashup.xls is a spreadsheet with VBA macros to execute pings and name/address resolution from within Excel with WIN32 API calls.
Announcing Elevation of Privilege: The Threat Modeling Game – silverstr.ufies.org
If you have a team that is new to the whole process of threat modeling, you will want to check it out.
RSA 2010: Experts Expect Several Ciphers to Be Cracked Soon – threatpost.com
Cryptographers are expecting several of the major cryptographic systems in use today to be broken in the near future.
RSA 2010: Cryptographers Discuss Wisdom of ‘Foolishness’ – threatpost.com
By going against the grain, new objectives can be made and boundaries overcome.
Top 25 Series Posts
A discussion of the top 25 security vulnerabilities
- Top 25 Series – Rank 2 – SQL Injection – sans.org
- Top 25 Series – Rank 3 – Classic Buffer Overflow – sans.org
- Top 25 Series – Rank 4 – Cross Site Request Forgery – sans.org
RSA: Visualizing the Zeus attack against government and military – holisticinfosec.blogspot.com
For the article I discuss NetGrok and AfterGlow.
Metasploit auxilary module FILE_AUTOPWN – houseofhackers.ning.com
Metasploit auxilary file_autopwn module – Video Tutorial
SSH gymnastics with proxychains – pauldotcom.com
For this discussion I will be focusing on SOCKS4 proxies setup with the SSH -D parameter.
Top 10 Hacks of 2009 and WAF Mitigations – tacticalwebappsec.blogspot.com
In case you were not able to attend his RSA talk, I am going to outline which items can been addressed by WAFs.
Study on cloud security threats – h-online.com
Among the identified potential threats are malicious programs such as the Zeus botnet and the InfoStealing trojan.
Fifteen Common Activities from BSIMM2 – informit.com
Part of what makes BSIMM interesting is its basis in actual data from real software security initiatives.
IT Audit: 3 Easy Steps to Finding Rogue Wireless Clients – sans.org
You can easily discover if there are hosts from your network connecting to unprotected networks nearby and figure out which hosts are the rogues.
How big is the ideal dick…tionary? – skullsecurity.org
I’ve been working on collecting leaked passwords/other dictionaries.
Study of BlackBerry Proof-of-Concept Malicious Applications – smobilesystems.com
This research exposes the weakened security posture of devices that operate under the BlackBerry Internet Service environment.
Proof-of-concept exploits IE using help files.
It uses a malicious dialog box which will trigger the execution of arbitrary code when the user presses the F1 key.
- Microsoft Security Advisory (981169) – microsoft.com
- Help keypress vulnerability in VBScript enabling Remote Code Execution – technet.com
- Microsoft: Don’t press F1 key in Windows XP – computerworld.com
RSA compromised?
Researchers at the University of Michigan say they have uncovered a way to circumvent encryption used on many devices.
- Researchers Claim RSA Authentication Crack – eweek.com
- Researchers find way to zap RSA security scheme – networkworld.com
‘Severe’ OpenSSL vuln busts public key crypto – theregister.co.uk
Private keys pilfered through power supply

Other News:

U.S. Department of Defense Goes Social…Yes, Really! – readwriteweb.com
The U.S. Department of Defense gave all users of unclassified computers in the .mil domain access to popular social networking sites
DoD 8570 and GIAC Certification – sans.org
Department of Defense Directive 8570 provides guidance and procedures for the Information Assurance functions in assigned duty positions.
On the EC-Council’s Certified Ethical Hacker (CEH) Certification – informit.com
In my humble or not-so-humble opinion, the U.S. Department of Defense was wise to overlook the CEH.
Feds Commence Huge Data Center Consolidation – datacenterknowledge.com
The federal government has begun what looms as the largest data center consolidation in history.
Wiseguys Indicted in $25 Million Online Ticket Ring – wired.com
The defendants made more than $25 million in profits from the resale of the tickets between 2002 and 2009.
Qualys to scan Web sites for malware – cnet.com
Qualys is set to launch on Monday a free service for Web site operators that will scan their sites for malware.
Most resistance to ‘Aurora’ hack attacks futile, says report – theregister.co.uk
Most businesses are defenseless against the types of attacks that recently hit Google and at least 33 other companies.
Cyberwar hubbub
All the latest buzz about the rumored war on the Internet
- Cyberwar Hype Intended to Destroy the Open Internet – wired.com
- White House Cyber Czar: ‘There Is No Cyberwar’ – wired.com
State Of Application Security: Nearly 60 Percent Of Apps Fail First Security Test – darkreading.com
Veracode app-testing data demonstrates that application security still has a ways to go.
Shamir acknowledges chip-and-PIN attack as his favorite – techtarget.com
Every year Adi Shamir brings something new to the table at the annual RSA Conference Cryptographers’ Panel.
Microsoft wants to put infected PCs in rubber room – theregister.co.uk
A top Microsoft executive is floating the idea of creating mandatory quarantines for computers with malware infections that pose a risk to internet users.
Regulators Revisit E-Banking Security Guidelines – krebsonsecurity.com
The guidance was meant to prod banks to implement so-called “multifactor authentication”.
Apple hires ex-Mozilla security chief – h-online.com
Snyder, head of security at the Mozilla Foundation, is joining Apple as senior security product manager.
Cybersecurity plan outed
Schmidt also announces release of unclassified version of Obama administration’s plan for securing government, private industry networks
- Cybersecurity Czar Outlines Priorities – darkreading.com
- U.S. Declassifies Part of Secret Cybersecurity Plan – wired.com
- US government publishes parts of its cyber security directive – h-online.com
Mariposa botnet taken down
Three Spaniards have reportedly been arrested for gaining control of more than 13 million computers.
- Spanish police release details about Mariposa arrests – h-online.com
- How FBI, police busted massive botnet – theregister.co.uk
- Mariposa botnet – pandasecurity.com
- ‘Mariposa’ Botnet Authors May Avoid Jail Time – krebsonsecurity.com
- In focus: Mariposa botnet – technet.com
RSA Highlight: Howard A. Schmidt – eset.com
An interview with the cybersecurity coordinator
Wi-Fi finders let thieves track down hidden laptops – networkworld.com
Theives with increasingly sophisticated, directional Wi-Fi detectors can home in on the laptop’s radio even when the PC is hidden away.
Narus develops a scary sleuth for social media – itworld.com
The new program, code-named Hone, is designed to give intelligence and law enforcement agencies a leg up on criminals.
Privacy With a 4096 Bit RSA Key — Offline, On Paper – slashdot.org
The Dutch security company Safeberg developed an Offline Private Key Protocol, with an asymmetric key scheme.
Professional Script Kiddies vs Real Talent – snosoft.blogspot.com
Do want to work with a security company that launches attacks against your network with tools that they do not fully understand?
Krebsonsecurity Author Twice Honored – krebsonsecurity.com
The SANS Institute polled 75 cybersecurity journalists and asked them to rank the top peers in their field.
Security Pros Question Deployment of Smart Meters – wired.com
The country’s swift deployment of smart-grid technology has security professionals concerned.
Symantec exhibit makes cybercrime tangible – cnet.com
Symantec has created a Black Market exhibit that attempts to make these virtual ideas more tangible.
Hacking human gullibility with social penetration – theregister.co.uk
So-called social penetration techniques are more reliable and easier to use in identifying chinks in client fortresses.

Week 8 in Review – 2010

glenn — Mon, 01 Mar 2010 12:16:31 +0000

Events Related:

Securosis’ Guide to the RSA Conference 2010 – mckeay.com
If you want to do some research on specific technologies at the RSA Conference 2010, this should help.
ShmooCon 2010 Firetalks – Update 5 (aka – the Wrap-Up) – novainfosecportal.com
Presentation compilations and more.
Assured Exploitation Training – trailofbits.com
This training class is focused on various topics in advanced exploitation of memory corruption vulnerabilities.

Resources:

IT Audit: 6 VMWare Settings Every IT Auditor Should Know About – sans.org
Here we’ll take a look at settings that impact security, and how they should ideally be configured.

Tools:

Side-Track: Security/Pen-testing Distribution Of Linux For The ZipIt Z2 – irongeek.com
The ZipIt Z2 is great platform for dropboxes since it runs Linux and is only $50.
Sahi v3.0 – sahi.co.in
Sahi injects javascript into web pages using a proxy and the javascript helps automate web applications.
Repscan v3.0 – sentrigo.com
This new version supports MS SQL Server and Oracle databases.
NoMore and 1=1 – eslimasec.com
This tool is used to minimize the time required to type malicious syntax and have a handy repository as well.
Katana v1.5 (Z@toichi) – hackfromacave.com
Katana includes distributions which focus on Pen-Testing, Auditing, Forensics, System Recovery, Network Analysis, Malware Removal and more.
John the Ripper v1.7.5 – openwall.com
Its primary purpose is to detect weak Unix passwords
Watcher version 1.3.0 released February 25, 2010 – websecuritytool.codeplex.com
Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing.

Techniques:

Really good whitepaper about “Hacking Oracle from the Web” – red-database-security.com
This is the most comprehensive published collection of different techniques for attacking Oracle from the web.
Ping Shellcode – didierstevens.com
I’ve added 2 new assembly source files for shellcode to execute a ping.
Running a command on every machine in your domain from the command line – pauldotcom.com
You can run any command you want on every machine in your domain.
Man in the Browser – fireeye.com
Man in the Browser a.k.a MITB is a new breed of attacks whose primary objective is to spy on browser sessions.
How Secure are Secure Interdomain Routing Protocols? – microsoft.com
In response to high-profile Internet outages, BGP security variants have been proposed to prevent the propagation of bogus routing information.
How to prevent a user granted the ALTER USER priviledge from changing SYS/SYSTEM password and how to bypass it. – red-database-security.com
Many Oracle users are not aware that the grant command can also be used to change passwords or even create users.
Securing Java in Oracle Update and escalating to SYSDBA – oracleforensics.com
Most organisations either take the risk of the change breaking functionality or decide to stay as they are.
VMWare Directory Traversal Metasploit Module – carnal0wnage.attackresearch.com
I pushed up my checker module to the metasploit trunk as an auxiliary scanner module.
Killing the Monkey in the Middle – pauldotcom.com
There are many ways for the attacker to insert themselves in the middle of a conversation.
Enumerate Oracle SIDs – slaviks-blog.com
As promised, here is a small Python script to allow you to enumerate and find Oracle SIDs.

Vulnerabilities:

Multiple Adobe products vulnerable to XML External Entity Injection And XML Injection – cgisecurity.com
This advisory provides a good explanation and examples of these rarely discussed attack types.

Vendor/Software Patches:

Adobe plugs critical hole in Download Manager – cnet.com
Download Manager is a tool that helps users efficiently download files from Web servers.

Other News:

75 percent of enterprises have been hit by multi-million dollar cyber attacks – daniweb.com
Every enterprise, yes 100 percent, experienced cyber losses in 2009.
An Interview With Howard Schmidt – threatpost.com
Dennis Fisher talks with Schmidt about his career and what the priorities should be for the cybersecurity czar.
Police called in over SMH leak – abc.net.au
An Australian transport minister says there were about 3,727 unauthorised hits on the website
‘Sophisticated’ Hack Hit Intel in January – wired.com
Intel acknowledged that it was hacked in January in a sophisticated attack at the same time that Google, Adobe and others were targeted.
Credit card skimming attacks on pay-at-the-pump petrol stations – h-online.com
Skimming devices attached to petrol pump terminals use Bluetooth to transmit the data to criminals operating near by.
GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission – sucuri.net
Some scary stuff that might happen to you if you host your site with them, clearly violating on your privacy.
US unable to win a cyber war – net-security.org
If the US got involved in a cyber war at this moment, they would surely lose.
N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss – krebsonsecurity.
A New York marketing firm that was preparing to be acquired is now facing bankruptcy from a computer virus.
Hotel room security defeated by a piece of wire – can be secured with a towel – gadling.com
A piece of bent wire can defeat these magnetic swipe rooms.
Are Hollywood Hackers Bogus or Bright? – pcworld.com
Gordon, a lecturer at the Dublin Institute of Technology, studied 50 movies, produced over five decades.
Navy Planning Prototype Cyber-Network Security System – darkreading.com
Seeking proposals for a system that ensures cyber operations aren’t shut down in the event of a cyber war.
Microsoft secretly beheads notorious botnet – pcpro.co.uk
Microsoft has won court approval to deactivate 277 domain names that are being used to control a vast network of infected PCs.
Cryptome Back Online After Brief DMCA Battle – darkreading.com
Website reportedly taken down for posting sensitive Microsoft document on criminal investigation compliance.
Wyndham Hotels Hacked Again – yahoo.com
This is the third data breach reported by Wyndham in the past year.
Another, Better TKIP Attack That’s Still Limited – wifinetnews.com
One of the two researchers who brought us the TKIP Michael packet integrity attack has a refined technique.

Vendor Parties @ RSA 2010

ggee — Sun, 28 Feb 2010 03:20:21 +0000

The RSA conference is just around the corner, and that means the vendor parties are as well. I’m not sure who is behind the RSA party list on yahoo’s upcoming, but it contains a good list of parties. I’ve gone ahead and created a party map for Tuesday and Wednesday of next week.

Tuesday Map:

Wednesday Map:

Information Security Events in March

glenn — Sat, 27 Feb 2010 12:06:59 +0000

Here are the information security events in North America this month:

17th Annual Network and Distributed System Security (NDSS) Symposium – February 28 to March 3 in San Diego
RSA Conference USA – March 1 – 5 in San Francisco
BSides San Francisco – March 2 – 3 in San Francisco
SecureIT 2010 – March 3 – 5 in Los Angeles
SANS 2010 – March 6 – 15 in Orlando
BSides Austin – March 13 in Houston
GRC Summit 2010 – March 14 – 17 in Amelia Island
Corporate Fraud: Prevention, Detection & Investigation in the Aftermath of the Global Economic Downturn – March 15 – 16 in Boston
CarolinaCon 2010 – March 19 – 21 in Raleigh
CanSecWest 2010 – March 22 – 26 in Vancouver
MIT Spam Conference – March 25 – 26 in Cambridge
The 2010 SCADA and Process Control Summit – March 29 – 30 in Lake Buena Vista

And here are the information security events in the other parts of the world:

Gartner Identity & Access Management Summit – March 3 – 4 in United Kingdom
TROOPERS10 – March 8 – 12 in Germany
SANS Wellington – March 15 – 20 in New Zealand
SecureCloud 2010 – March 16 – 17 in Spain

Week 7 in Review

glenn — Mon, 22 Feb 2010 03:49:31 +0000

Events Related:

Pwn2Own 2010
Now in its fourth year, the Pwn2Own competition will award up to $100,000 for exploits that successfully penetrate various hardware and software systems.
- Contest offers $100,000 for smartphone, browser hacks – theregister.co.uk
- Pwn2Own 2010 – tippingpoint.com

Resources:

2010 SANS Top 25 Most Dangerous Programming Errors Released – cgisecurity.com
This is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities.
Security Scoreboard – securityscoreboard.com
Think about a Zagat for security products, that is what it is.

Tools:

MacNikto 1.1.1 – informationgift.com
It provides easy access to a subset of the features available in the Open Source, command-line driven Nikto web security scanner.
Harden SSL/TLS – Tool release – g-sec.lu
It allows locally and remotely set SSL policies allowing or denying certain ciphers/hashes or complete ciphersuites.
Pyrit 0.3.0 – code.google.com/p/pyrit/
Pyrit allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff
Browser Rider v20090204 Released – engineeringforfun.com
The project aims to provide a powerful, simple and flexible interface to any client side exploit.
Websecurify v0.5 Beta 1 – code.google.com/p/websecurify/

Techniques:

Self-Inflicted SQL Injection – don’t quote me ! – mikesmithers.wordpress.com
But how can you be attacked when the attacker isn’t even around at the time ?
Integrating Core Impact Pro With the Metasploit Project – coresecurity.com
Today we announced that CORE IMPACT Pro will be integrated with Metasploit in our next scheduled product release.
Scriptable Processor modules – hexblog.com
One of the new features we are preparing for the next version of IDA is the ability to write processor modules using your favorite scripting language.
Abusing WCF to Perform Remote Port Scans – gdssecurity.com
The first step in establishing a session with WSDualHttpBinding requires the client and server to negotiate the duplex connection.
Screen Unlock Meterpreter Script – relentless-coding.blogspot.com
The script needs SYSTEM privileges and patches the msv1_0.dll loaded by lsass.exe so that every password will be accepted to unlock the screen.

Vulnerabilities:

Google Buzz Security Flaw – ha.ckers.org
It’s yet another example of bad input validation/output encoding by your favorite advertising overlords at Google.

Vendor/Software Patches:

Adobe fixes Reader and Acrobat Flaws
This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests.
- Security updates available for Adobe Reader and Acrobat – adobe.com
- Adobe plugs more gaping holes in PDF Reader – zdnet.com
- Adobe Plugs Critical PDF Code Execution Flaw – threatpost.com
- Security Updates for Adobe Reader, Acrobat – krebsonsecurity.com
Mozilla security updates
Firefox and Seamonkey get a few bug fixes.
- SeaMonkey 2.0.3 - seamonkey-project.org
- Firefox 3.5 Release Notes – mozilla.com
- Firefox 3 Release Notes v3.0.18 – mozilla.com

Other News:

Reverse-engineering a smart meter – root.org
A software bug, typo at the control center, or hacker could potentially turn off my power and gas.
Electronic key impressioning – hackaday.com
Apparently, a handheld impressioning device is about to hit the market that can tell you the key codes for a lock in a matter of seconds.
China Home to Most Hacked Computers, Says Report – inc.com
In the last three months of 2009, about 1,095,000 computers in China were hacked.
Criminal hacker ‘Iceman’ gets 13 years – computerworld.com
Max Ray Butler, who used the hacker pseudonym Iceman, was sentenced Friday morning in Pittsburgh on charges of wire fraud and identity theft.
A Comparison of DBIR with UK breach report – verizonbusiness.com
The following is a high-level comparison of DBIR findings to the 7Safe report from the UK.
Even Kingston Knocks Off Kingston microSD Cards? – gizmodo.com
Bunnie Huang of the famous Chumby encountered some Kingston microSDs appeared to be dysfunctional counterfeits.
Mock cyber attack shows US unpreparedness – net-security.org
The simulated cyber attack in Washington showed that the US is still not ready to deflect or mitigate such an attack.
Hackers, Troops Rejoice: Pentagon Lifts Thumb-Drive Ban (Updated) – wired.com
U.S. Strategic Command has lifted its ban on the tiny drives, memory sticks, CDs and other “removable flash media” on military networks.

RSA Conference 2010 (Free Expo Pass!)

glenn — Sat, 20 Feb 2010 00:25:46 +0000

It’s time for the RSA Conference again! This year’s RSA Conference will be from March 1 – 5, 2010 at the Moscone Center in San Francisco. Featuring over 300 exhibitors and security vendors in the expo floor, this is one of the most comprehensive security events in the world. There will also be over 250 security sessions covering a variety of relevant topics such as darknets, the National Cyber Security Framework, cloud computing security, crowdsourcing fraud and business metrics for security and risk.

There’s a lot of info going on for this conference and we’ve compiled a few links below to help you digest it.

Catalog Brochure – A comprehensive guide of everything about the RSA Conference. Beware though, it’s in Flash but they do offer a downloadable PDF version as an alternative.
Session Catalog – A list of all the talks, speakers and schedules during the conference, all bundled in a neat, search-friendly page. There’s also a printable version of this list available.
Twitter Stream – Keep your finger on the pulse via the conference’s official Twitter feed. Use #rsac for your related tweets.
Facebook Group – Socialize with other attendees online at this site.
Agenda at a Glance – A basic overview of all the events including the Keynotes, Peer2Peer and Track Sessions. Below is the expo schedule for a quick reference

Monday, March 1: 6 pm – 8 pm (Welcome Reception)
Tuesday, March 2: 11 am – 6 pm
Wednesday, March 3: 11 am – 6 pm
Thursday, March 4: 11 am – 3 pm

Exhibitor List – Check out if your favorite security vendor is on-site. This list includes other details like the company website, booth number and company address.
Floor Plan – You can map out your activities with this floor plan, courtesy of mapyourshow.com. This site is also in Flash so be forewarned.

If you’re interested in going to the expo floor, we can get you in for free! Register here then enter the complimentary expo pass code to save on the $100 fee! You only need to use one of these codes so just choose your favorite one from the list below.

3Com – SC10TPP
ArcSight – EC10ARS
Blue Coat – EC10BLC
CA Security – SC10CA
Cloud Security Alliance – 1310CLEXPO
Collective Software – EC10CSO
Kantara Initiative – 1310KANEXPO, select Kantara Initiative from the Registration Package page to get free access to the March 1 workshop from the company.
Lieberman – EXH9LSC
nCircle – SC10NCR
PKWare – EC10PKW
Proofpoint – EC10PRF
Qualys – SC10QLS
Symantec – SC10SYM, expires February 26
Tipping Point – SC10TPP
WebRoot – EC10WBR

We’ll be posting more about the event when it kicks of this coming March. Also check out the BSidesSanFrancisco event as well while you’re out there.

Week 6 in Review – 2010

glenn — Sun, 14 Feb 2010 07:00:54 +0000

Events Related:

ShmooCon related posts
A few stories about the recently concluded security conference.
- ShmooCon 2010 – Show Notes – chuvakin.blogspot.com
- FireTalks from Shmoocon 2010 – Videos – irongeek.com
- Shmoocon 2010 Security Conference – tenablesecurity.com

Resources:

Social Engineering Framework – social-engineer.org
We will be developing this framework over time and there will be more to come.
DIY Hard Drive Diagnostics: Understanding a Broken Drive – myharddrivedied.com
This talk is the basic process to start doing diagnostics on your damaged hard drive.
Attack Simulation and Threat Modeling – professionalsecuritytesters.org
Attack Simulation and Threat Modeling is a book that explores advanced security data collection, classification, processing and mining.

Tools:

GuestStealer v1.00 – fyrmassociates.com
GuestStealer allows for the stealing of VMware guests from vulnerable hosts based on the Directory Traversal Vulnerability.
Keimpx v0.2 – keimpx.googlecode.com
It can be used to quickly check for the usefulness of credentials across a network over SMB.
BeEF, Browser Rider, and XSSTunnel make friends… – securityaegis.com
A few browser attack tools band together to deliver a more exceptional product.

Techniques:

Excel with cmd.dll & regedit.dll – didierstevens.com
Stevens modified source code from ReactOS to transform cmd.exe into cmd.dll and regedit into a dll.
Larry Suto Report Inaccurate, Says Vendors
A couple of vendors have stepped up and found irregularities in the recent published web scanner report
- Latest Comparison Report from Larry Suto – acunetix.com
- On Web Application Scanner Comparisons… – hp.com
- Web Vulnerability Scanner Comparison – cenzic.com
- Where’s WhiteHat? Re: Scanner Comparisons – jeremiahgrossman.blogspot.com
ShmooCon | Inside FarmVille’s Sinister Underbelly – csonline.com
A talk in the recent event about the dangers of online gaming and social networks
ShmooCon | Your iPhone’s Dirty Little Security Secret – csonline.com
A discussion on how to hack smartphones
A few posts on BlackBerry spyware
- Is Your BlackBerry App Spying on You? – veracode.com
  A demo on how BlackBerry apps can access and leak sensitive info using only RIM-provided APIs and no exploits of any sort.
- Tyler Shields on the BlackBerry Spyware and the Coming Wave of Smartphone Attacks – threatpost.com
  Dennis Fisher talks with Tyler Shields of Veracode about his BlackBerry spyware application, txsBBSPY.
Automatically Routing Through New Subnets – metasploit.com
Among the coolest features in metasploit is the ability to pivot through a meterpreter session to the network on the other side.
Wireshark Plugin for Mariposa Botnet Command and Control – paloaltonetworks.com
Yamata Li has developed a Wireshark plugin that will allow you to view obfuscated pcaps of traffic from a Mariposa infected client.
Black Hat TPM Hack and BitLocker – windowsteamblog.com
We believe that using a TPM is still an effective means to help protect sensitive information.
The Bad Guys Hate Security Folks – m86security.com
A Pushdo bot we analysed earlier this week uses domain names which taunt FireEye and Brian Krebs.
Nsploit: Nmap grows some teeth – securityaegis.com
Ryan Linn has started a project to bridge Nmap Scans all the way to exploitation using Metasploit.

Vulnerabilities:

Oracle Zero-Day revealed
It covers vulnerabilities that allow an attacker to escalate their privileges to sysdba and take complete control of the database.
- Oracle Security Alert for CVE-2010-0073 – oracle.com
- Litchfield DBMS_JVM_EXP_PERMS 0-day on Oracle – appsecinc.com
Claimed Zero Day exploit in Samba – samba.org
The issue is actually a default insecure configuration in Samba.Events Related:
Firefox extension installation process vulnerable to MITM attack – ivanristic.com
If a man in the middle is able to intercept the traffic of someone installing an extension, he will be able to get the user to install something else.
Windows SMB NTLM Authentication Weak Nonce Vulnerability released – hexale.blogspot.com
It’s basically a 14/17-year old vulnerability in the Windows implementation of the NLTM Authentication protocol.
WordPress >= 2.9 Failure to Restrict URL Access – ethicalhack3r.co.uk
Security by obscurity is not sufficient to protect sensitive functions and data in an application.

Vendor/Software Patches:

Another Patch Tuesday from Microsoft
The company has a heap of updates with this week’s security bulletins.
- February 2010 Security Bulletin Release – technet.com
- Details on the New TLS Advisory – technet.com
- Microsoft Security Bulletin MS10-003 – Important – microsoft.com
- Microsoft Security Bulletin MS10-004 – Important – microsoft.com
- Microsoft Security Bulletin MS10-005 – Moderate – microsoft.com
- Microsoft Security Bulletin MS10-006 – Critical – microsoft.com
- Microsoft Security Bulletin MS10-007 – Critical – microsoft.com
- Microsoft Security Bulletin MS10-008 – Critical – microsoft.com
- Microsoft Security Bulletin MS10-009 – Critical – microsoft.com
- Microsoft Security Bulletin MS10-010 – Important – microsoft.com
- Microsoft Security Bulletin MS10-011 – Important – microsoft.com
- Microsoft Security Bulletin MS10-012 – Important – microsoft.com
- Microsoft Security Bulletin MS10-013 – Critical – microsoft.com
- Microsoft Security Bulletin MS10-014 – Important – microsoft.com
- Microsoft Security Bulletin MS10-015 – Important – microsoft.com
- MS10-006 and MS10-012: SMB security bulletins – technet.com
- MS10-007: Additional information and recommendations for developers – technet.com
- Restart issues after installing MS10-015 – technet.com
- Assessing the risk of the February Security Bulletins – technet.com
- MS Patch Tuesday: 13 Bulletins, 26 Vulnerabilities – threatpost.com
Critical Security Update for Adobe Flash Player – krebsonsecurity.com
Adobe Systems Inc. today released an updated version of its Flash Player software to fix two critical security holes in the ubiquitous Web browser plugin.

Other News:

Chinese man gets 30 months for fake Cisco sales – networkworld.com
Yongcai Li, 33, will have to pay the networking company nearly $800,000 in restitution.
U.S. House passes cybersecurity research bill – cnet.com
It calls for beefing up training, research, and coordination so the government can be better prepared to deal with cyberattacks
Zero-day vulnerabilities on the market – net-security.org
Even government agencies from all over the world are engaged in buying these zero-days.
PS3 hypervisor exploit reproduced – root.org
It remains to be seen what security measures Sony has taken to address a hypervisor compromise.
Hacker training site backup lives after takedown by China – arstechnica.com
Black Hawk Safety Net, an online hacker training resource, was brought down recently by Chinese authorities.
UK Security Breach Investigations Report 2010 Published – techwhack.com
Anonymised data has been analysed from over 60 computer forensic investigations.
McAfee Labs Quarterly Threat Report Posted – avertlabs.com
It highlights many of the most significant spam-generating stories in 2009 as well as the rise of political hacktivism.
TPM crytography cracked – hackaday.com
Christopher Tarnovsky figured out how to defeat the hardware by spying on its communications.
Researchers Discover New ACH Banker Trojan – threatpost.com
The Bugat Trojan includes features commonly found in malware used to commit credential theft for financial fraud.
Chip and PIN is broken, say researchers – zdnet.com
Researchers at Cambridge Unviersity have found a flaw in the Europay, Mastercard and Visa protocols.
Simulated hacker attack to test US government response – computerworlduk.com
Cyber ShockWave involves former administration staff, national security officials.
Record 13-Year Sentence for Hacker Max Vision – wired.com
A skilled San Francisco computer intruder was sentenced Friday to 13 years in federal prison for stealing nearly two million credit card numbers.
Rootkit May Be Culprit in Recent Windows Crashes – krebsonsecurity.com
A sysad said he traced the problem on each machine back to “atapi.sys” — a Windows storage driver.

ShmooCon 2010 – Wrap Up

ron — Wed, 10 Feb 2010 07:11:43 +0000

This year’s ShmooCon 2010 East coast hacker convention was a three day event at the Wardman Park Marriott, Washington DC, USA. The event took place according to schedule from Friday, February 5 to Sunday, February 7, 2010.

The central theme for day one was “One Track Mind,” a single track consisting of seven 30-minute speed talks. Day two and day three each presented three tracks: Break It!, Build It!, and Bring It On! For those that did not attend ShmooCon this year, the ShmooCon Group broadcast ShmooCon Live Streaming Video of all presentations.

As with the past three ShmooCon conventions, tickets for ShmooCon 2010 had sold out early. About 1,500 fans attended ShmooCon 2010, despite the heavy snow that blanketed the greater Washington, DC, area. This post lists links to ShmooCon 2010 related articles, blog posts, videos, photos, tools and downloads.

ShmoonCon 2010 East Coast Hacker Convention, Washington, DC, USA

The ShmooCon 2010 schedule.
ShmooCon’s Hacker Arcade.
ShmooCon exclusive, Hack-or-Halo.
The TF2 Lan Party Cheater Tourney and TF2 Tourney (Team Fortress 2- Blog).
Full Disclosure: ShmooCon 2010 CFP – About the ShmooCon conference format and more.
ShmooCon 2010 Washington, D.C., area map.

ShmooCon 2010 – InfosecEvents Previous Posts

ShmooCon 2010 – Resources and Tools

Jsunpack-network Edition Release: JavaScript Decoding and Intrusion Detection by Blake Hartstein, Blake Hartstein.

Download jsunpack-n.tgz.
JavaScript unpacker Jsunpack.

Blackberry Mobile Spyware – The Monkey Steals the Berries, Tyler Shields.

Slides: Blackberry Mobile Spyware (PDF).
TXSBBSpy Demo by Tyler Shields at Veracode Research Lab.
txsBBSpy.java source code.

Cracking the Foundation: Attacking WCF Web Services, Brian Holyfield.

DIY Hard Drive Diagnostics: Understanding a Broken Drive, by Scott Moulton. Be sure to get your free copy of DIY Hard Drive Diagnostics (PDF). Visit Moulton’s web site, MyHardDriveDied.

Information Disclosure via P2P Networks, Larry Pesce and Mick Douglas. Check out The Cactus Project at PaulDotCom. The Cactus Project is a tool intended to be used for all sorts of purposes on the Gnutella bases P2P network.

Articles and Blog Posts

NovaInfosecPortal’s coverage on ShmoonCon 2010 FireTalks.
ShmooCon | Inside FarmVille’s Sinister Underbelly (CSO, Bill Brenner, Senior Editor). “You love Facebook apps like FarmVille and Mafia Wars and think they’re perfectly safe, right? Think again.”
ShmooCon | Your iPhone’s Dirty Little Security Secret (CSO, Bill Brenner, Senior Editor). “Just how easy is it for the bad guys to use your iPhone against you . . . Trevor Hawthorn explains what to do about it.”

Videos

ShmooCon 2010 GSM: SRSLY? by Chris Paget and Karsten Nohl. Shmoocon 2010 – Hak5, an intervew with Chris Paget via revision3 on YouTube.
Paget, “Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS’ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all. . . .”
- The OpenBTS Project web page.
- OpenBTS download.
- OpenBTS Hardware link from the OpenBTS web page.
ShmooCon 2010 Social Zombies II: Your Friends Need More Brains by Tom Eston, Kevin Johnson, Robin Wood. Facebook Application Autopwn with BeEF, via spylogicdotnet (Tom Eston) on YouTube. Demo showing machine getting pwnd by simply viewing the profile page of a vulnerable Facebook application; particular Facebook app found vulnerable to persistent XSS (via theharmonyguy).
- BeEF Tool (Browser Exploitation Framework) used to launch the Metasploit Browser Autopwn module to attack the victim machine.

Twitter

There is a lot of valuable information security talk out there in the world of Twitter. The twitosphere was full of interesting streams about #shmoocon.
OWASP BWA (Broken Web Application) Project (BWA Main Page) via ChrisJohnRiley and danphilpott. Learn about the OWASP (Main Page), DVWA, WebGoat, Matiliday, and more.
VMWare vSphere Hardening Guide via k4l4m4r1s. This guide represents a new approach to providing security guidance.
Secmaniac.com launched; Social Engineering Toolkit: SET v0.4 codename “pink pirate” (not making that up) talk at firetalks #shmoocon from Shpantzer

InfosecEvents’ Closing Comments

February 2010, this concludes another exciting ShmooCon East coast hacker convention; held this year at the Wardman Park Marriott, Washington DC, USA. Be sure to check back here at InfosecEvents for the latest information on hacking contests, security tools, training, vulnerabilities, workshops, and upcoming events.