InfoSec Daily Podcast Episode 826 for January 14, 2013. Tonight's podcast is hosted by Justin Brown and Bill Gardner
When: January 16, 2013
Where: Abertay University in Scotland (drink more scotch)
Tickets are on sale! They're £10 (ten pounds) and can be bought from the website (which is securi-tay.co.uk). It's a student-run security conference and the money goes to cover the cost of running it, and any spare will be put behind the bar – so the more people that buy tickets, the more drunk everyone can get. Plus it's Scotland, so they have good whiskey. Get on it people!
When: February 15-17, 2013
Where: Washington DC
Spridel is going, Them is going, IronGeek is going, Bill is going.
When: February 23, 2013
Where: Microsoft’s New England Research & Development Center (NERD) Cambridge, MA
CFP is OPEN!
When: March 15-17, 2013
Where: Raleigh, NC
CFP is OPEN!
When: April 6th 2013
Where: Cathedral Hall inside the Rochester Auditorium Center
When: April 5-7, 2013
Where: San Juan, Puerto Rico
CFP is open
When: April 13-14, 2013
Where: Orlando, FL
When: April 24, 2013
Where: London, England
When: May 18, 2013
Where: Southwest Tennessee Community College
AIDE InfoSec Conference
When: May 24 and 25
Where: Huntington, WV
BsidesLV 2013 “Science Fair”
When: September 26-30, 2013
Where: Louisville, KY
For easy use of the Amazon Affiliate link, use AffiliateFox. Configure it for amazon.com with infdaipod05-20, and for amazon.co.uk with infdaipod-21. Thanks for supporting the podcast!
NEW TOOL: Scrape-DNS
Back at my old job, we used cache snooping techniques (Scraping) to check for evidence of client systems that were attempting to resolve known malware sites.
We would use the list at Mayhemiclabs.com and compare it to our cached DNS entries.
So, why don't we do something badass like that, but to support the penetration test or red team mission?
Using standard cache snooping techniques you can determine what anti-virus vendors might be in use on a client's network.
HOW? Simple. By making non-recursive queries to the client's DNS servers for known AV update site domains.
Yes, it is that simple.
To query cached DNS entries, you need only make a NON-recursive request to a target DNS server.
Dig seems to yield the most reliable results.
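The same mechanism, seen from the defender's side: the snooping above works only if a resolver answers non-recursive (RD=0) queries from the client asking, so the thing to check is whether your own resolver does that for untrusted clients. The block below is an added example, not the Scrape-DNS tool and not code from the podcast; it builds a DNS query with the RD bit cleared, and classifies a reply as served from cache, not in cache, refused, or authoritative. All packets are constructed in the block (the 203.0.113.10 address and example.com name are placeholders), so it runs offline; the function names are my own.

```python
"""Audit helper for DNS cache-snooping exposure (added example, not Scrape-DNS).

A resolver that answers RD=0 queries from a client will reveal whether a name is
in its cache. build_query() produces such a query on the wire; classify_reply()
interprets the answer. build_reply() fabricates replies so the logic can be
exercised without a network.
"""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels: example.com -> \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, recursion_desired=False):
    """Wire-format A query. With RD clear the server should answer only from cache."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(packet):
    """Decode the 12-byte DNS header into a dict of flags and section counts."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify_reply(query, reply):
    """Interpret the reply to an RD=0 query.

    'refused'         server will not serve its cache to this client (good)
    'authoritative'   server is authoritative for the name; says nothing about cache
    'cached'          non-authoritative answer present: the name was in cache
    'cached-negative' NXDOMAIN without AA: a negative entry was in cache
    'not-cached'      NOERROR with empty answer: not in cache, no recursion done
    """
    h = parse_header(reply)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        raise ValueError("reply does not match query")
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["aa"]:
        return "authoritative"
    if h["rcode"] == RCODE_NXDOMAIN:
        return "cached-negative"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "cached"
    return "not-cached"


def build_reply(query, addresses, aa=False, rcode=RCODE_NOERROR, ttl=300):
    """Constructed reply for testing: echoes the question and adds A records.

    Each record points at the question name with a compression pointer (0xC00C).
    """
    qh = parse_header(query)
    flags = FLAG_QR | FLAG_RA | (FLAG_AA if aa else 0) | (rcode & RCODE_MASK)
    header = struct.pack("!HHHHHH", qh["id"], flags, 1, len(addresses), 0, 0)
    records = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        records += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + query[12:] + records


if __name__ == "__main__":
    q = build_query("example.com")            # placeholder name
    for label, reply in [("hit", build_reply(q, ["203.0.113.10"])),   # placeholder address
                         ("miss", build_reply(q, [])),
                         ("refused", build_reply(q, [], rcode=RCODE_REFUSED))]:
        print(label, "->", classify_reply(q, reply))
```

To run this against a real resolver you would send the bytes from build_query() over UDP to port 53 and feed the datagram to classify_reply(); the equivalent dig invocation is `dig +norecurse`. Any result other than "refused" from an address outside your trusted client range means the cache is exposed; in BIND that is fixed by limiting `allow-recursion` and `allow-query-cache` to internal networks, and in Unbound by the `access-control` directive.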
Confirmed: Java only fixed one of the two bugs.
One of the things we tend to do when preparing our Java exploitation training as part of the INFILTRATE master class is to analyze the past and the present in order to not only teach the specifics of exploitation but to build in our students their offensive "intuition".
This is an important characteristic if you want to win in the world of exploitation, because these days exploits are not served on a fresh cucumber nitro-tini but rather you will need picks and shovels to open your way into it.
This is the case of the recent MBeanInstantiator exploit, which combines two bugs in order to remotely execute code.
And sometimes for everyone involved in the offensive world, this means you need to look at the patch in special detail, because sometimes the vendor stops the worm/0day exploit with a patch, but doesn't necessarily fix all of the associated problems. And of course, being only human, sometimes the vendor's team just plain messes up the patch.
After further analysis of the Oracle Java patch (Java 7 update 11), Immunity was able to identify that only one of the two bugs was fixed, making Java still vulnerable to one of the bugs used in the exploit found in the wild.
The patch did stop the exploit, fixing one of its components. But an attacker with enough knowledge of the Java code base and the help of another zero day bug to replace the one fixed can easily continue compromising users. (Assuming they now use a signed Java applet – one of the other changes introduced in this patch.)
Java is indeed a constant target for attackers, and nobody should be surprised if an attacker just replaces the patched bug with a different one and starts compromising machines again. This is why it is important for Oracle and their user base to start paying special attention to each bug because with an exploitation chain as the one is needed these days, every bug matters.
Immunity this year is doing a five-day-long Master class at Infiltrate (April 15-19) where we will spend a full day on Java exploitation, teaching our students how to analyze a patch, understand the Java code base and how to combine multiple bugs to obtain full exploitation.
Scammers are spamming out malicious emails purporting to come from payroll processing company ADP, according to Dancho Danchev of Webroot.
The emails arrive under the subject line “ADP Immediate Notifications” and contain links to compromised websites hosting the latest iteration of the Blackhole exploit kit. The kit is serving the CVE-2013-0422 Java exploit, which Danchev claimed was still active when he published his report. However, Oracle appears to have patched the bug sometime yesterday.
The exploit is dropping the ‘Win32/Cridex.E’ and ‘Win32/Farei’ Trojans, which are detected by 12 and eight out of 46 antivirus scanners respectively. After exploitation, the malware is phoning home to command and control servers at the following IP addresses: 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124.
Imagine an email specifically designed to exploit a system, but only one protected by an anti-virus email gateway. A piece of Web page code that exploits a browser, but only those protected by anti-virus software. Incoming Web traffic whose goal is to compromise an IPS or WAF itself, not necessarily the website behind it.
None of this is far-fetched. In fact, the writing is already on the wall. Just look at what Tavis Ormandy did recently to Sophos’s products in his spare time. No one should be naive enough to believe this is an anomaly. How many zero-days do you think are yet to be found in that software? What about other AV products? What about all the other security products out there? Juicy untouched zero-day heaven, that’s what it is. Oh right right, we know the answer we’ll be given. Buy more firewalls and AV! And of course people will listen, but what for? To protect insecure firewalls, insecure AV, and the other insecure security products? Please.
I’m sure the industry apologists will also predictably say, “there is no silver bullet,” as if that somehow absolves responsibility for shipping risk-increasing products.
Hacktivists, cyber-criminals, nation-state sponsored APT, however we label them, we’ve witnessed how our adversaries select their targets, and especially the method of attack, typically by the path of least resistance. One vulnerability is all a bad guy really needs, and the first and easiest one to identify and exploit will do just fine. So when one path of attack doesn’t work or becomes too difficult, the bad guys will shift. Reporters and PR agencies, get your digital ink ready, we’re in for a bumpy ride.