Your daily source of Pwnage, Policy and Politics.

Episode 637 – @PentestLessons, Apple Java Update, SQLi Tools, DNS Resolvers, Millions Stolen, and Anonymous China

InfoSec Daily Podcast Episode 637 for April 4, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, and Karthik Rangarajan.

 

Announcements:

Outerz0ne 8

When: April 20-21, 2012

Where: Wellesley Inn, Atlanta GA

http://www.outerz0ne.org

 

Linuxfest Northwest 2012

When: Saturday, April 28-29, 2012

Where: Bellingham Technical College – Bellingham, WA

http://www.linuxfestnorthwest.org/

 

AIDE 2012

When: May 21-25, 2012

Where: MU Forensic Science Center - Huntington, West Virginia

http://www.appyide.org/

 

LayerOne 2012

When: May 26-27, 2012

Where: Clarion Hotel – Anaheim, CA

http://www.layerone.org

 

Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek

When: June 20 – 27, 2012

Where: Courtyard Seattle Federal Way, WA


http://www.sans.org/mentor/details.php?nid=28014

 

Social Engineering Training

When: July 21-24, 2012

Where: Black Hat Vegas

When: August 20-24, 2012

Where: Bristol, UK

When: November 12-16, 2012

Where: Columbia, MD

http://www.social-engineer.com/social-engineer-training

 

Inside and Out of the Social-Engineer Toolkit (SET)

When: July 21 – 22, 2012

When: July 23 – 24, 2012

Where: Black Hat Vegas

http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html

 

DerbyCon 2012 – The “Deuce” Reunion

When: September 27-30, 2012

Where: Louisville, KY

http://www.derbycon.com

 

Skydogcon

When: October 26-28

Where: Hotel Preston in Nashville, TN

http://www.skydogcon.com

 

Thanks to everyone that has purchased products from Amazon through the affiliate program.  If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.

 


 

Pentest Lessons

  1. Do not expect your program to work if you are coding while drinking whiskey! #whiskey_and_coding_do_not_mix

  2. No matter how good you think you are, NEVER tell a customer that you will find ALL of their vulnerabilities or ALL of the "ways in".

  3. If you set up a "special" website for a phishing exercise, shut down the website once the exercise is finished.

  4. When making social engineering pretexting calls, you should know the full names, geographic locations, and NATIVE LANGUAGES of the targets.

  5. Pentest != (run vulnerability scanner of choice, load into Metasploit, autopwn) … And yes I know that autopwn has been deprecated ;)

Stories

Quick shoutout to Adrian Sanabria for updating his blog based on our discussions and questions on yesterday’s episode. Head over to his blog (http://averysawaba.blogspot.com) to read more.

 

Source:  http://www.macworld.com/article/1166195/apple_releases_java_security_updates.html

It’s probably safe to turn your Mac on again. Just a day after reports spread about a Java-based Trojan horse that could install itself on your Mac without requiring that you enter a password, Apple has released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7.

The updates, which are available for Mac OS X 10.6.8 Snow Leopard and 10.7.3 Lion (including both OSes' Server editions), patch multiple vulnerabilities in Java 1.6.0_29—including some that could allow malicious code to run on your Mac outside of the Java sandbox, triggered merely by your visiting a webpage containing the right nefarious code.

For full details on the update, Apple points to Oracle.  The update patches no fewer than a dozen vulnerabilities, including the one exploited most recently in the newly-discovered Flashback Trojan horse variant.

Source:  http://blog.imperva.com/2012/04/dissecting-the-sql-injection-tools-used-by-hackers.html

Recently, during a presentation to a group of security professionals, an impromptu poll was taken asking attendees whether they were familiar with Havij, a SQL injection tool used heavily in the hacking community.  Out of a crowd of around 60 people, only two people were familiar with it.  Though not a scientific, statistically valid survey, the result is spooky.  It’s kind of like going to fight in the mountains of Afghanistan and not knowing what an AK-47 is.

If you’ve wondered why, as the most recent Verizon report shows, the main attack vector is web applications, knowing the SQL injection tools hackers deploy to steal data is vital.  Here’s what every security professional should know.

  • Vulnerability scanners:  Vulnerability scanners find an initial SQL injection vulnerability.  However, these tools stop short of actually exploiting the vulnerability.  In other words, they highlight a potential vulnerability but don’t actually extract the data.  From a hacker’s perspective, they provide a list of likely targets. In this group we can find all kinds of vulnerability scanners which include:

    • Acunetix

    • W3af

    • Netsparker

    • Webinspect

    • Appscan

    • Whitehat

    • And the list goes on.

  • SQL injection dumping tools:  Given a potential SQL injection vulnerability, these tools expand the small hole into a major breach, leaking all database content. This market is ruled by two main packages: Havij and SQLmap.

For more, here’s a YouTube movie showing both tools:  http://www.youtube.com/watch?v=GOvRAJBbRnk.

To date, here’s how Havij and SQLmap currently stack up:

 

                              Havij                                                                      SQLmap
Code                          Commercial/Proprietary                                                     Open source
OS support                    Windows                                                                    Every OS running Python
Form                          Installer                                                                  Python code
UI                            Graphic (GUI)                                                              Command line
Supported DBs                 MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, Sybase  MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase, SAP MaxDB
Last updated                  22.6.11                                                                    29.3.12
Password cracking             Supported                                                                  Supported
Customizable DB dump          Supported                                                                  Supported
Execute arbitrary DB commands Supported                                                                  Supported
Auxiliary functionality *     Supported

* password cracking, shell upload, remote control etc.
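The bullets above draw the line between a scanner that spots the initial hole and a dumping tool that widens it into a full database leak. The following added example (written for these notes; it is not code from the Imperva post, from Havij or from SQLmap) shows in Python's built-in sqlite3 module why a single unparameterized query is enough: the crafted parameter that the vulnerable lookup accepts returns the contents of an unrelated users table alongside the product row, while the parameterized lookup treats the same string strictly as a value and returns nothing. The schema, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed stand-in for a web application's backend database
# (an in-memory SQLite schema made up for this example).
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "widget"), (2, "gadget")])
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "hash-a"), (2, "bob", "hash-b")])
    return con

def lookup_vulnerable(con, product_id):
    # The request parameter is pasted into the SQL text, so anything the
    # caller sends after the number is executed as SQL. This is the "small
    # hole" a scanner reports and a dumping tool turns into a full dump.
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, product_id):
    # The parameter is bound, never parsed as SQL: a crafted value simply
    # fails to match any id and the query returns no rows.
    return [row[0] for row in
            con.execute("SELECT name FROM products WHERE id = ?", (product_id,))]

def lookup_validated(con, product_id):
    # Defence in depth: reject anything that is not an integer before the
    # query is even built, then still bind it as a parameter.
    try:
        pid = int(product_id)
    except ValueError:
        return []
    return lookup_parameterized(con, str(pid))

# A single crafted parameter of the kind a dumping tool would send after a
# scanner found the injection point (constructed for the example).
CRAFTED = "1 UNION SELECT username || ':' || pw_hash FROM users"

def demo():
    """Return what each lookup yields for a normal id and for the crafted id."""
    con = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(con, "1"),
        "vulnerable_crafted": sorted(lookup_vulnerable(con, CRAFTED)),
        "parameterized_normal": lookup_parameterized(con, "1"),
        "parameterized_crafted": lookup_parameterized(con, CRAFTED),
        "validated_crafted": lookup_validated(con, CRAFTED),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The crafted value leaks every row of the users table through a query that was only ever meant to return a product name; the parameterized and validated versions of the same lookup return an empty list for it. That one difference is what separates a scanner finding from a breach, and it is the fix a web application owner should be looking for.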

Source:  http://www.securityweek.com/do-you-know-what-your-dns-resolver-doing-right-now

Have you ever heard of the domain name ziyouforever.com? As an enlightening experiment, get a hold of one of your recursive DNS server logs and see if there are machines on your network looking up hostnames on that domain right now. You might also check your web server or firewall logs to see if someone from the Internet is trying to resolve a hostname on that domain to locations on your network. Are you even able to get a hold of those logs? Are you even keeping DNS logs? If you said “no” or “not easily” you will need to get those capabilities ASAP—otherwise you’re blind to one of the most insidious ways for hackers to interact with machines on your network unmolested and undetected.

Don’t worry if you found that domain in your logs somewhere—at least not too much. It is widely believed that this domain name is actually part of a large network of domains and hostnames that provide “DNS tunneling” services to dissidents and other information seekers who live in countries that restrict their citizens' Internet access. However, this “positive” use of the DNS to do something it was never intended for—surfing the Internet and sending messages from behind a cordoned-off network—is a great example of why most enterprises are wide open to real attacks via this little-known vector. How much of your secret information is going right out the DNS door right now? How would you even know where to look or how to detect this kind of activity in the future?
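As an added example (not code from the SecurityWeek article), here is a small Python script that answers the article's two questions against recursive-resolver query logs: which internal hosts are resolving names under a watched domain such as ziyouforever.com, and which domains show the query pattern typical of DNS tunneling (many distinct, long, random-looking subdomain labels and a heavy share of TXT or NULL queries). The BIND-style log lines, the client addresses, the thresholds and the apex() heuristic are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of recursive-resolver query log lines in a BIND-style
# layout. These lines are made up for the example, not taken from real logs.
SAMPLE_LOG = """\
04-Apr-2012 20:15:01.101 client 10.1.2.3#51234: query: www.example.com IN A +
04-Apr-2012 20:15:01.410 client 10.1.2.3#51235: query: mail.example.com IN MX +
04-Apr-2012 20:15:02.007 client 10.1.2.44#40001: query: a9f3c1e2b7.ziyouforever.com IN TXT +
04-Apr-2012 20:15:02.233 client 10.1.2.44#40002: query: 0c77d91ab4.ziyouforever.com IN TXT +
04-Apr-2012 20:15:02.512 client 10.1.2.44#40003: query: e51b0d8f3a.ziyouforever.com IN TXT +
04-Apr-2012 20:15:02.801 client 10.1.2.44#40004: query: 7d2a4c9e10.ziyouforever.com IN TXT +
04-Apr-2012 20:15:03.120 client 10.1.2.9#53311: query: cdn.example.net IN A +
"""

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_query_log(text):
    """Return (client_ip, qname, qtype) tuples for every parseable line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["client"], m["qname"].lower().rstrip("."), m["qtype"]))
    return records

def apex(qname):
    """Crude registrable-domain guess: the last two labels. Good enough for
    .com/.net in the sample; a public-suffix list is needed for real data."""
    return ".".join(qname.split(".")[-2:])

def clients_querying(records, domain):
    """Internal hosts that looked up the watched domain or any name under it."""
    domain = domain.lower()
    return sorted({c for c, q, _ in records
                   if q == domain or q.endswith("." + domain)})

def tunneling_suspects(records, min_unique=4, min_label_len=8, txt_ratio=0.5):
    """Flag apex domains whose query pattern resembles DNS tunneling: at least
    min_unique distinct subdomains, a long average first label, and at least
    txt_ratio of the queries asking for TXT or NULL records."""
    per_apex = defaultdict(list)
    for _, q, t in records:
        per_apex[apex(q)].append((q, t))
    suspects = {}
    for dom, qs in per_apex.items():
        subs = {q[: -len(dom) - 1] for q, _ in qs if q != dom}
        subs.discard("")
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s.split(".")[0]) for s in subs) / len(subs)
        txt_share = sum(t in ("TXT", "NULL") for _, t in qs) / len(qs)
        if avg_len >= min_label_len and txt_share >= txt_ratio:
            suspects[dom] = {"unique_subdomains": len(subs),
                             "avg_first_label_len": avg_len,
                             "txt_null_share": txt_share}
    return suspects

if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print("hosts querying ziyouforever.com:", clients_querying(recs, "ziyouforever.com"))
    for dom, stats in tunneling_suspects(recs).items():
        print("tunneling suspect:", dom, stats)
```

The watched-domain check is the quick win the article asks for; the pattern check is what catches a tunnel on a domain you have never heard of. Both depend on the resolver actually logging queries with the client address, which is the capability the article says to get in place first.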

Source:  http://www.ibtimes.co.uk/articles/322867/20120402/anonymous-china-hundreds-government-websites-defaced.htm


Anonymous China announced the attack on Friday morning, publishing on Pastebin a list of institutional websites that were about to be targeted (screengrab)

The Anonymous hacking collective has landed in China, home of some of the most tightly controlled internet access in the world, and defaced hundreds of government websites in what appears to be a massive online operation against Beijing.

Anonymous listed its intended institutional targets on Pastebin and has now attacked them.

Anonymous Kroll claimed that hundreds of websites had been defaced or taken offline by the collective. "#China: Several hundred websites #defaced and 4659 Vhosts #hacked by #Anonymous. cdcbd.gov.cn & bbdj.gov.cn" read the tweet.

The defaced homepages carry a statement against the Chinese government along with the traditional Anonymous banner and the generational anthem Baba O'Riley by The Who playing in the background.

Source:  http://nakedsecurity.sophos.com/2012/04/03/hacker-jailed-for-stealing-millions-of-banking-and-paypal-identities/

Edward Pearson, a UK-based 23-year-old from York, had grand plans to make his fortune by stealing from individuals and companies through hacking and information-stealing malware.

Between January 1 2010 and August 30 2011, he used malicious computer programs to get his hands on – wait for it – eight MILLION personal identities.

He used Trojans such as Zeus and SpyEye to hunt down personal details on the internet, says the Daily Mail.

These details include stolen Paypal accounts, 2,701 bank cards, not to mention "enough dates of birth, postcodes and names to fill 67,500 double-sided A4 pages," reports York newspaper The Press.

"One of his programs scanned through 200,000 accounts registered to online payment service PayPal – identifying names, passwords and current balances," according to the Daily Mail.

Luckily, Pearson got caught after making only £2,400 ($3,800 USD). The authorities estimate he could have walked away with as much as £800,000 ($1.3M USD).