The Week that Was – Christmas Edition

I’ve been remiss on posting The Week That Was installments the past couple of weeks.  I’m hoping this marks me finally getting back on track.

You’ll find that the “LOW to PWNED” series by Chris Gates takes up a lot of real estate this week.  I found his blog series through another article, and I think the series does a great job of showing how to look at pen test results and prioritize them from a risk perspective.  It’s stuff that most of us know we should do, but I suspect many of us don’t do it as consistently as we should.  It’s a good reminder and worth a read. [5-17]

Another interesting article talks about those crazy kids over at ElcomSoft raising hell again.  This time they bring us Forensic Disk Decryptor, which can defeat cryptosystems that include PGP whole disk encryption, TrueCrypt, and BitLocker. [20]  This is significant, but it’s not a point-and-click attack.  ElcomSoft is picking the pass phrase out of memory, which can be a tricky proposition if the machine has been turned off.  Unless, of course, the machine has been put into hibernation mode, in which case the passcode is on the hard disk and could be accessed by Forensic Disk Decryptor.  Fortunately, considerable luck and skill are still needed to pull off a successful attack.

And the mutant-powered soldiers gave me a bit of the heebie-jeebies. [25]

I hope you all had a great holiday season and wish you a great 2013!

PS – Go read my post on The Risk of Mass Shootings if you haven’t already.

REFERENCES

[1]  #days: Chris Gates: Pentesting from “LOW” to “PWNED”. Lucerne, Switzerland, 2012.

[2]  Episode 30: Solving Cyber Risk with Cyber-Hadoop.

[3]  B. Krebs, “Exploring the Market for Stolen Passwords,” Krebs on Security, 26-Dec-2012. [Online]. Available: https://krebsonsecurity.com/2012/12/exploring-the-market-for-stolen-passwords/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29. [Accessed: 26-Dec-2012].

[4]  K. Zetter, “FBI Memo: Hackers Breached Heating System via Backdoor,” Threat Level, 13-Dec-2012. [Online]. Available: http://www.wired.com/threatlevel/2012/12/hackers-breach-ics/. [Accessed: 26-Dec-2012].

[5]  C. Gates, “From LOW to PWNED [0] Intro,” Carnal0wnage & Attack Research Blog, 19-Apr-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-0-intro.html. [Accessed: 26-Dec-2012].

[6]  C. Gates, “From LOW to PWNED [1] Exposed Services and Admin Interfaces,” Carnal0wnage & Attack Research Blog, 19-Apr-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-1-exposed-services.html. [Accessed: 26-Dec-2012].

[7]  C. Gates, “From LOW to PWNED [10] Honorable Mention: FCKeditor,” Carnal0wnage & Attack Research Blog, 21-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-10-honorable-mention.html. [Accessed: 26-Dec-2012].

[8]  C. Gates, “From LOW to PWNED [11] Honorable Mention: Open NFS,” Carnal0wnage & Attack Research Blog, 25-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-11-honorable-mention.html. [Accessed: 26-Dec-2012].

[9]  C. Gates, “From LOW to PWNED [12] Trace.axd,” Carnal0wnage & Attack Research Blog, 29-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-12-traceaxd.html. [Accessed: 26-Dec-2012].

[10]  C. Gates, “From LOW to PWNED [2] ColdFusion,” Carnal0wnage & Attack Research Blog, 23-Apr-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-2-coldfusion.html. [Accessed: 26-Dec-2012].

[11]  C. Gates, “From LOW to PWNED [3] JBoss/Tomcat server-status,” Carnal0wnage & Attack Research Blog, 27-Apr-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-3-jbosstomcat-server.html. [Accessed: 26-Dec-2012].

[12]  C. Gates, “From LOW to PWNED [4] Browsable Directories,” Carnal0wnage & Attack Research Blog, 01-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-4-browsable.html. [Accessed: 26-Dec-2012].

[13]  C. Gates, “From LOW to PWNED [5] Honorable Mention: Null Sessions,” Carnal0wnage & Attack Research Blog, 04-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-5-honorable-mention.html. [Accessed: 26-Dec-2012].

[14]  C. Gates, “From LOW to PWNED [6] SharePoint,” Carnal0wnage & Attack Research Blog, 07-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-6-sharepoint.html. [Accessed: 26-Dec-2012].

[15]  C. Gates, “From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH,” Carnal0wnage & Attack Research Blog, 11-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-7-http.html. [Accessed: 26-Dec-2012].

[16]  C. Gates, “From LOW to PWNED [8] Honorable Mention: Log File Injection,” Carnal0wnage & Attack Research Blog, 11-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-8-honorable-mention.html. [Accessed: 26-Dec-2012].

[17]  C. Gates, “From LOW to PWNED [9] Apple Filing Protocol (AFP),” Carnal0wnage & Attack Research Blog, 18-May-2012. [Online]. Available: http://carnal0wnage.attackresearch.com/2012/05/from-low-to-pwned-9-apple-filing.html. [Accessed: 26-Dec-2012].

[18]  C. Osborne and Z. Whittaker, “Hacker, Verizon duel over customer record claims,” ZDNet, 22-Dec-2012. [Online]. Available: http://www.zdnet.com/hacker-verizon-duel-over-customer-record-claims-7000009151/. [Accessed: 26-Dec-2012].

[19]  C. Gates, “Lares from LOW to PWNED,” Lucerne, Switzerland, 06-Dec-2012.

[20]  J. Leyden, “PGP, TrueCrypt-encrypted files CRACKED by £300 tool,” The Register, 20-Dec-2012. [Online]. Available: http://www.theregister.co.uk/2012/12/20/elcomsoft_tool_decrypts_pgp/. [Accessed: 26-Dec-2012].

[21]  R. Lemos, “Protecting Data In The Cloud Without Making It Unusable,” Dark Reading, 21-Dec-2012. [Online]. Available: http://www.darkreading.com/security-services/167801101/security/security-management/240145260/protecting-data-in-the-cloud-without-making-it-unusable.html. [Accessed: 26-Dec-2012].

[22]  K. Jackson-Higgins, “Report: U.S., Israel Fingered In Latest Data-Annihilation Attack,” Dark Reading, 21-Dec-2012. [Online]. Available: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240145251/report-u-s-israel-fingered-in-latest-data-annihilation-attack.html. [Accessed: 26-Dec-2012].

[23]  K. Lapole, “Safe & Secure Online Volunteer Experience,” (ISC)2 Blog, 21-Dec-2012. [Online]. Available: http://blog.isc2.org/isc2_blog/2012/12/safe-secure-online-volunteer-experience.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+isc2Blog+%28%28ISC%292+Blog%29. [Accessed: 26-Dec-2012].

[24]  J. H. Sawyer, “Tech Insight: Using Penetration Tests To Gauge Real Risk,” Dark Reading, 21-Dec-2012. [Online]. Available: http://www.darkreading.com/risk-management/167901115/security/vulnerabilities/240145258/tech-insight-using-penetration-tests-to-gauge-real-risk.html. [Accessed: 26-Dec-2012].

[25]  A. Schaub, “The Risk of Mass Shootings,” SCHAUBA SEC, 22-Dec-2012.

[26]  D. Axe, “This Scientist Wants Tomorrow’s Troops to Be Mutant-Powered,” Danger Room, 26-Dec-2012. [Online]. Available: http://www.wired.com/dangerroom/2012/12/andrew-herr/. [Accessed: 26-Dec-2012].

[27]  S. Rajan, W. van Ginkel, N. Sundaresan, A. Cardensa Mora, Y. Chen, A. Fuchs, A. Lane, R. Lu, P. Manadhata, J. Molina, P. Murthy, A. Roy, and S. Sathyadevan, “Top Ten Big Data Security and Privacy Challenges.” Cloud Security Alliance, Nov-2012.

[28]  “Top Threats to Cloud Computing.” [Online]. Available: https://cloudsecurityalliance.org/research/top-threats/#_downloads. [Accessed: 26-Dec-2012].
