03 Dec PasswordsCon in Bergen Marco
13 Nov November Adobe Patches Roel
12 Nov Microsoft Updates November 2013 - Burning the 0day Kurt Baumgartner
08 Nov ZeroNights: A Technical Security Conference in Russia VitalyK
08 Nov CTF WMD: WAR OF THE WORLD in HITB2013 Kuala Lumpur Suguru
04 Nov Android 4.4 arrives with new security features - but do they really matter? Stefan Tanase
It’s December. While it’s getting colder and people prepare and shop for Christmas, here in Bergen, a city in Norway, experts from several countries come together to talk about passwords – something you use when buying Christmas presents online, for example – at PasswordsCon. This one is held at the University of Bergen in the Auditorium Pi.
After the recent discovery of a major breach at Adobe, some would perhaps have expected a bigger number of CVEs to get patched this round. It will be interesting to see how the breach will affect patch cycles in the coming months.
Microsoft's November 2013 Patch Tuesday delivers a set of three critical Bulletins and five Bulletins rated "important". This month's MS13-088 patches eight critical vulnerabilities and two important vulnerabilities in Internet Explorer. Overall, Microsoft is addressing 19 issues in Internet Explorer, Office and Windows itself.
The star of the show is MS13-090 which addresses CVE-2013-3918, an ActiveX vulnerability being attacked through Internet Explorer, revealed on the 8th by the guys at FireEye to be abused by a long-running APT operation they call "DeputyDog". As a part of this operation, the group strategically popped yet another carefully selected web site, then redirected those visitors to their 0day attack. Simply labelling it "just another watering hole" may not fully describe the amount of planning and preparation that goes into selecting the web site property to compromise, and then burn the 0day on attack activity. The identity of the compromised web property in this case has not been publicly disclosed to date. The timing of this 0day delivery could quite possibly reveal the operational maturity of this group as well. On another note, I don't know if I missed something, but in my decade or so of reviewing shellcoding techniques, I don't think that I have ever seen "CreateRemoteThread" used to deliver a payload in a significant exploit.
At the same time, another whopping eight flaws are being fixed in Internet Explorer with MS13-088. No doubt these should be patched by organizations immediately, as the memory corruption issues invite exploit development attention. A few of the eight CVEs include issues with "information disclosure", which enable exploit developers to advance their exploit code further into process space and are serious issues.
Surprisingly, Microsoft is patching code in their WordPerfect converter "wpft532.cnv" for stack overflow issue CVE-2013-1324. This vulnerability enables spearphish attacks across all versions of their OS, but on 64-bit platforms, the component may not be present. I didn't expect to write about stack BoF in their code at the end of 2013, but hey, it's tricky stuff.
More about this month's patches can be found at the Microsoft site.
The third ZeroNights security conference has quickly grown into one of the largest security events in Russia. The conference first started in St Petersburg in 2011 with presentations from respectable speakers that included Dave Aitel and The Grugq. This year, ZeroNights had 800+ visitors, including quite a few English speakers, and not surprisingly the presentations of Russian speakers were simultaneously translated into English for all.
The HITB (Hack In The Box) SecConf2013 was held from 14-17 October 2013 in Kuala Lumpur, Malaysia. On 14-15, they provided us with hands-on technical training about exploits, web hacking, penetration testing and building a secure web/mobile app. On 16-17, we had a conference with three tracks: Commsec village, Hackweekday and Capture The Flag Weapons of Mass Destruction: War of the World (referred to as "CTF WMD:WotW").
Last week, Google released the 4.4 (KitKat) version of their omni-popular Android OS. Among the improvements, some have noticed several security-related changes. So, how much more secure is Android 4.4?
When talking about Android 4.4 (KitKat) major security improvements, they can be divided into 2 categories:
1. Digital certificates: Android 4.4 will warn the user if a Certificate Authority (CA) is added to the device, making it easy to identify Man-in-the-Middle attacks inside local networks. At the same time, Google Certificate Pinning will make it harder for sophisticated attackers to intercept network traffic to and from Google services, by making sure only whitelisted SSL certificates can connect to certain Google domains.
2. OS hardening: SELinux is now running in enforcing mode, instead of permissive mode. This helps enforce permissions and thwart privilege escalation attacks, such as exploits that want to gain root access. Android 4.4 comes compiled with FORTIFY_SOURCE set at level 2, making buffer overflow exploits harder to implement.
During 11-12 October, the "Information Security Workshop in Echigo-Yuzawa 2013" took place in Echigo-Yuzawa, a location that is famous for its hot springs. About 300 people attended the event. Among attendees were security specialists, malware researchers, police officials, government officials and prominent professors. 15 college students also participated in the event as operational staff.
Recently we attended “Hack In The Box 2013” at the Hotel Intercontinental in Kuala Lumpur http://conference.hitb.org/hitbsecconf2013kul/. This conference has its roots in a small gathering of Malaysian security specialists back in 2002 and since then has also been held in the Netherlands, Dubai and Bahrain.
It was nicely crowded (~550 people) and more than 40 speakers from around the world shared their work on a nice variety of different topics.
We attended only the two-day conference part of the event, which also included a hands-on “HITB LABS” section, a “Capture The Flag” (CTF) battle … and a “Lock Picking Village”, amongst other things.
The Ekoparty Security Conference 2013 was held in the beautiful city of Buenos Aires, Argentina, from 25 to 27 September. This event, the most important security conference in Latin America, is now in its ninth year and was attended by 1,500 people. The slogan of this year’s conference was “Somebody is watching”.
When I think about Iceland I do not immediately think about a place where top IT-security researchers from all over the world meet once a year to present and discuss some of the most recent and relevant security topics, but this is actually the case. It is the second year that the Nordic Security Conference has taken place here in Iceland. It is quite funny because when I’m in Las Vegas for DEFCON and BLACKHAT I always complain about the insane heat, and during the Nordic Security Conference the weather is terrible. When can someone arrange a conference at a location where it’s not insanely warm or cold?
I’ve had the great opportunity to present at both events. This year I gave a presentation about one of the weakest links in IT-security: the human factor. For over 6 months I have done several research projects, some of them on my own, and some together with other security researchers such as Martin Jartelius from Outpost24. We tried to answer the question: “How easy is it to hack a country?” by performing various social engineering experiments, with great success.