autopwn

Microsoft have recently released an advisory, "Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution", for a new 0-day that is currently being exploited.

While it can be exploited via network or WebDAV shares, removable drives are the most likely vector for exploitation. A big part of that is our old friend, autorun, which has been the cause of problems before.

If you haven't yet disabled autorun in your organization, I strongly suggest you look into it. Microsoft have some details on how to accomplish this here:

Also I recently stumbled across this little gem from ex-MS (now Amazon) Security guru Steve Riley:

Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

I hadn't seen that registry key mentioned before, but it looks well worth investigating...
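As an added example (not the original post's, Steve Riley's or Microsoft's script), here is the kind of small script Steve describes: it deletes the MountPoints2 key so Windows forgets every drive it has seen, and as a belt-and-braces measure sets the per-user NoDriveTypeAutoRun policy value. It assumes a Windows host with PowerShell and is meant to run as a Group Policy logon script, because MountPoints2 lives under HKCU and so must be removed in the user's own context; the -DryRun switch is my own addition for auditing before rollout.

```powershell
<#
  Added example, not the original post's, Steve Riley's or Microsoft's script.
  Assumes a Windows domain host; deploy it as a Group Policy *logon* script so
  it runs in the user's context (MountPoints2 is per-user, under HKCU).
  -DryRun (hypothetical switch added here) only reports what would be removed.
#>
param([switch]$DryRun)

$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

if (-not (Test-Path $mountPoints)) {
    Write-Output 'MountPoints2 not present; nothing to forget.'
    return
}

# Each subkey is a volume Windows has previously seen. Log them so the change
# is visible in the logon script output before anything is deleted.
$remembered = @(Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue)
Write-Output ("MountPoints2 lists {0} remembered volume(s)." -f $remembered.Count)
foreach ($entry in $remembered) { Write-Output ("  " + $entry.PSChildName) }

if ($DryRun) {
    Write-Output 'Dry run: key left in place.'
    return
}

# Forget every drive: Windows will treat the next insertion as a new device
# and apply the current autorun policy to it rather than a cached decision.
Remove-Item -Path $mountPoints -Recurse -Force
Write-Output 'MountPoints2 removed.'

# Per-user half of the autorun-off setting (0xFF disables AutoRun on every
# drive type). The machine-wide HKLM value should still be set through Group
# Policy; this copy needs no elevation and is harmless if policy already set it.
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
Write-Output 'NoDriveTypeAutoRun set to 0xFF for the current user.'
```

Run it once with -DryRun on a test account to see how many volumes a typical workstation has cached; deleting the key costs nothing functionally (Windows simply rebuilds it as drives are inserted), so the script is safe to run at every logon.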

Extreme Pentest

I recently came across this blog entry from the SNOsoft research team (aka NetraGard) describing in some detail a rather extensive penetration test for a 'mid-sized' bank.

The pentest was undertaken not to identify all points of risk, but to find out how deeply the pentesters could penetrate. It was the unusual approach, and the use of social networking reconnaissance and social engineering, that caught my eye:

In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT related job openings that disclosed interesting and useful technical information about the bank. That information included but was not limited to what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.

Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.

We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and start asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use and we also learned what the policies were for controlling outbound network traffic.

From there they were able to identify key employees and eventually email a dodgy trojaned PDF that could evade the company's AV, ultimately capturing the domain controllers. Game over.

I doubt many companies would have an external party go to this extreme to test their defences, even banks. I wonder how many companies would have sufficient defences to resist this type of assault?

They also have an interesting blog post entitled “FaceBook from the hackers perspective“ that is worth a read.