Security News #0x3F

• There is a major unpatched vulnerability in Internet Explorer 8 that has been used to attack a number of high profile targets, including the US Department of Labor. Threatpost has some of the news, as does Brian Krebs. The problem is only known to affect Internet Explorer 8; for now IE 9 and 10 appear to be unaffected. The vulnerability is listed as CVE 2013-1347. Currently, there is no patch; Microsoft has announced a workaround, while CERT has pointed out that EMET protects against this attack. As you might expect, Metasploit has crafted a module to exploit this issue.
• I learned about a new way to attack Windows systems if you have physical access- even if the BIOS is locked so that you can’t boot to another OS. The attack is described over at IntelComms. The basic idea is that, when a Windows system reboots after a failed boot attempt, you have the option to repair the system. As part of that, the user is asked if they want to view the problem details, which launches a Notepad instance with the details. A Notepad instance running as SYSTEM. Ouch.
• The folks at PenTestLab have an article about a tool called FindMyHash. That tool is a Python script that sends your specified hash to a number of web sites that provide hash look-up services.
• Jim Walters shares his experience as Red Team at NCCDC. One key takeaway- Anti-virus, though not perfect (what is?) would have helped.
• Speaking of cyber defense competitions, NETRESEC now has packet captures from the 2010, 2011, and 2012 mid-Atlantic CCDC events.
• The Onion has a (serious) piece on how they were social-engineered last week by the Syrian Electronic Army. This turned out to be one of the better such articles that I have seen in some time, and is well worth reading.
• We talk about format string vulnerabilities in our application software security class. Would you like to see one in the wild? Here is an example in the game Skyrim. I don’t know if the problem is exploitable, but the game is common enough that many of us have played it.

Security News #0x3E

• ALex Levinson of National CCDC Red Teams has some great advice for defenders. When (not if, when) you realize an attacker is on your system, Don’t Panic. Don’t immediately kill the shell- if you do you will never find out what is actually going on! Read his piece for details.
• Talking about NCCDC, Raphael Mudge has a nice piece on his experiences on Red Team at NCCDC, together with a lot of great advice for students.
• For more CCDC lessons, visit Dave Cowen’s blog. He has been the Red Team Captain for years, and has always been gracious and helpful to the students. I highly recommend his blog. He even has the slides from the (always humorous) Red Team Debiref.
• Unallocated space is hosting a CTF exercise on Memorial Day Weekend.
• Karen Seubert has some excellent advice on how to securely use your computer to manage your bank accounts.
• Adam Gowdiak announced yet more Java vulnerabilities; this one affecting the just released Java 7 Update 21. PoC code was not publicly released.
• While we are talking about Java Ars Technica reports that attacks that affect earlier releases have now been added to common malware kits and are circulating. Metasploit has a module that attacks Java 7 Update 17, via CVE 2013-2423. For unknown reasons though, it has not (yet) made it into Kali yet. Eric Romang has a demo.
• phpMyAdmin, up to 3.5.8 and 4.0.0 RC2 are vulnerable to CVE 2013-3238, which allows for remote code execution. Exploit code is available on Exploit-db, and there is now a Metasploit module.
• Back in February, I mentioned CVE 2012-0809, a vulnerability in sudo 1.8.0 – 1.8.3p1 that allowed for privilege escalation. The folks at Exploit-db now have exploit code.
• What do you do if you have the password hash, but not the password? https://goog.li/.
• Many of my students have asked me for information about stack-smashing and ROP programming. Beginning next year, this will be part of the curriculum for all of the students in our computer security track. If you can wait that long though, take a look at what Ron Bowes has put together on the Skull Security blog. This is a one of the best introductions to exploiting a system protected by ASLR and DEP via ROP that I have seen. If you are a student of security, then get yourself to this site, and spend some time working though the example provided!
• If you are looking for a client that can handle SSH, VNC, and RDP, you might want to try remmina. It is available for Ubuntu based systems (including Kali) with apt-get install remmina. Take a look at this summary from Terrance Cox.
• Are you looking for packet capture data for analysis? The folks at Netresec have a large collection.
• Ars Technica reports that a vulnerability in an app known as Viber allows attackers to bypass the lock screen on an Android phone. Fortunately, this has only been downloaded some 100,000,000 times. Oops.
• I just learned about a Windows tool called TCPLogView; it tracks the TCP connections made to/from a Windows host.
  
  I wonder if this might be useful in an approaching class final exercise….

Security News #0x3D

• This is a but old, but worth sharing. One of my students has had good luck in class settings using the Windows 7 SYSRET privilege escalation attack. This was patched last summer as part of MS12-042 (CVE 2012-0217), and there is a technical discussion available at Vupen.
• You did install the latest Java patch, right? Metasploit has a module that will exploit Java 7 Update 17, and Eric Romang has a demo of it in action.
• Threatpost has a discussion of the ongoing attacks against WordPress installations; the folks at Sucuri have some technical details.
• The folks at SpiderLabs have a nice piece on how to develop custom Modsecurity rules to mitigate the kinds of attacks being thrown at WordPress installations.
• Ars Technica reports that NPR was attacked this week by a group calling itself the "Syrian Electronic Army".
• John Christmas from Solera has a description of what went down with Red Team at the recent MACCDC.
• And talking about CCDC events, Mudge lost a bunch of data on his system at the National CCDC. He used a VM on that system as a team server, and as the competition wound down another red team member accidentally ran an rm -rf on it, thinking it was a student system. Guess what- he had set up the VMWare Host-Guest file system, so a few local directories were mounted on the VM. Were. They are gone now….
• Hey students- did you know that NoVA Infosec has a board with job postings?
• And if you are not looking for a job because you have more schooling in front of you, how about applying for the Snort Scholarship?

Security News #0x3C

• When first learning offense, students have a tendency to try various tools found on the web, often without truly understanding what they do. MaXe has a post on Intern0t showing how many of the PHP shells available on Exploit-db have backdoors into the shell. Be sure to take the time to understand your own tools before deploying them on a network (even a test network), whether they are easy to read PHP shells or some complex piece of Russian malware you "found".
• We mentioned CVE 2013-1899 last week, a particularly worrying problem in PostgreSQL. I still have not seen remote code execution, but BlackwinHQ has a nice attack where they overwrite the PostgreSQL profile which could result in code execution. Nicely done.
• Do you think your home routers are secure? Are you sure? Phil Purviance (@superevr) has five new exploits for Linksys routers ( 4 for the EA 2700 and one for the venerable WRT54GL) on Superevr. Earlier in the year, Michael Messner announced vulnerabilities in the Linksys E1500 and E2500. To add to the fun, the Metasploit folks have a collection of modules for the Netgear DGN2200B, DGN1000B, and the D-Link DIR-615.
• Over on the SANS blog, Tim Medin has a nice demo some attacks through phpMyAdmin.
• Web Application Firewalls (WAFs) like ModSecurity can block simple attempts to perform SQL injection; they do this by matching some common attack patters with their signatures. Well Tom Van Goethem has a nice piece on how to use MySQL type conversion to bypass some of these rules.
• Mathy Venhoef has a nice piece on how they solved the nuclear plant challenge at the UCSB iCTF.
• Are you looking for vulnerable systems to practice your offensive skills? Try VulnHub.
• If you copy and paste material from the web into a command prompt, you should definitely read (and understand) this!.
• Do you scan QR codes with your phone? I refuse to do so.
• Do you want to build your own botnet? Ars Technica shows you how.
• I hadn’t seen this until recently, but boy is it helpful. How to set up "God Mode" on a Windows 7 system.
• Can you hack a plane with a mobile phone? Take a look at what Bruce Schneier thinks.

Security News #0x3B

• Hey students- do you have a great idea that should be better known? Submit your paper to Security B-Sides DC. The conference is October 19-20, and they will be accepting paper proposals from April 15 through June 30.
• The Spider Labs blog has a great piece on techniques to defend web applications, especially aimed at CCDC teams.
• Raphael Mudge describes his experience on the Red Team at WRCCDC.
• If you were interested in last week’s discussion of a vulnerability in MongoDB, then you may also want to read this bit of analysis of MongoDB at the Spider Labs blog.
• Speaking of last week’s MongoDB issues (CVE 2013-1892), the folks at Metasploit now have an exploit module while Eric Romang has a demo. These exploit MongoDB 2.2.3 on Ubuntu 10.04.
• Metasploit now has a module for CVE 2013-1493, last month’s Java vulnerability. That problem lied in the color management system. Well, that and the fact that you were running Java at all. Interestingly, the Metasploit blog tells us that they came across this attack in a Trojan targeting Windows Minecraft players.
• PostgreSQL announced a vulnerability. Listed as CVE 2013-1899, it may be possible to use this vulnerability to remotely execute code, though this has not yet been demonstrated. Metasploit has a scanner module to detect the vulnerable versions.
• The folks at Cyber Arms have a nice piece on the use of oclHashcat-Plus.
• Are you interested in trying out the grsecurity Linux kernel hardening package? The folks at the Network Journal have installation instructions for a CentOS 6.4 system.

Security News #0x3A

• If you want to learn how exploits are developed, you definitely want to read the SCRT blog post showing how they developed an exploit for Mongo-DB.
• Do you want to learn how to crack passwords offline? Nate Anderson has a great piece on how he learned to crack’em using widely available tools.
• Websense reports that 93% of Java installations are still vulnerable to the most recent attacks.
• Do you want to see one of the exploits used at the recently concluded iCTF competition? Of course you do!
• If you are a student getting ready for an exercise, and are wondering what you might do after getting system on a Windows machine- say via an MS 09-050 attack, then you might want to take a look at Mimikatz. Just in case this applies to anyone reading this blog. Say in my class. That has an exercise next week.
• Digging around the net, I ran across an older blog post that shows what happens when the author tried an SSH honeypot named Kippo. It certainly seems worth another look….
• Learn how to pivot Metasploit through SSH.
• Andrew Sorensen blogs about his experience on Red Team at the Pacific Rim CCDC competition.
• You may also be interested in a write-up from the Red Team point of view of the ISTS exercise.

Security News #0×39

• Silas Cutler has a nice blog post about learning from cyber security competitions.
• The folks at the Penetration Testing Lab have a piece on how to attack MS-SQL Servers.
• The folks at CrackStation have released a massive wordlist of nearly 1.5 billion entries including the wordlists from many major password dumps, every word in every Wikipedia article (in every language) as well as a bunch of books. Are you sure you want to base your password on a "word"?
• Want to know how to use Network Miner in practice? Joshua Wright has a nice illustration at the SANS pen-testing blog of mobile app analysis with Network Miner.