SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 103 for April 3, 2008
- PaulDotCom SANS Click-Through - Helps pay for cool stuff and general insobriety
- Network Security Projects Using Hacked Wireless Routers with Larry Orlando, FL. on Thursday, April 24
- Cutting Edge Hacking Techniques with Paul in N. Kingstown, RI on April 15-16
- Pen Test Summit - June 2-3 to be attended by Larry
- Rhode Island Linux Install Fest - Come and install Linux, help people install Linux, install Linux on different devices and systems (at least show up for pizza and b**r)
- Custom Laptop Skins - Mike Boman made us some. They rock!
Tech Segment: The Hacker Princess
Stories For The Week
Stored Search Queries Hosting hidden iFrames - [PaulDotCom] - This is an example of how broken the web is currently. Why do you need to store other people's queries? Also, why allow tags in people's search queries?
Virtual Machine Firewalls - [PaulDotCom] - Is this a good thing? In some ways yes, for server deployments this has the potential to help, and it makes a neat barrier when virtual machines are used on the desktop. However, similar to anti-virus, are we just introducing more software which then presents more risk because its yet another program that could have a vulnerability? Like, whatever happened to hardening your software and applications? I think the trend towards adding more software needs to end, and we need to be more focused on hardening and security configurations.
Nmap 4.6 is out! - [PaulDotCom] - Important to note here that the OS fingerprint and service detection databased have been implemented into this version. This means all of the geeks like us who scanning devices, like iPhones and WRTs, should have better fingerprinting. Still testing...
Egress is important - [PaulDotCom] - Quote from article on Hannaford breach: "Clearly, there was a pathway back out of the network that Hannaford should have closed," So, if nothing else, you can use your IDS/IPS to look at, and even block, ougoing traffic. Certainly monitor it. Okay, so your host may get compromised, but if you catch it risk away you can mitigate risk siginifigantly. Now, I'm not saying let attackers waltz into your network at will, but a critical component to your security infrastructure should be looking at outgoing traffic. This can be done very cheaply with Snort and the emerging threats ruleset.
Remote Buffer overflow in SILC - [PaulDotCom] - Core found this bug and I find a couple of things interesting. First, patch your SILC servers ASAP. Second, this was fixed immediately by the team, Core notified on 3/19, it was patched on 3/20. Hurray for open source!
Linksys Auth Bypass Vulnerabilities - [PaulDotCom] - This has been in the security news a lot lately. Its been known since 2003, uncovered by ginsu rabbit, that version 1.00.9 of Linksys firmware had auth bypass issues. These are just more auth bypass issues. You should never be running version 1.00.9, its had these problems since 2003, and they've been public since then.
Ciscoworks built-in TCP backdoor - [PaulDotCom] - No, this is not a belated April fools joke, Cisco really did build a tcp backdoor root shell into their product. Helps when you forget the password, also saves time by attackers as you don't even have to deploy metasploit or core agent, its already got root shell backdoor!!!!! For more Cisco hilarious vulnerabilities, http://www.cisco.com/en/US/products/products_security_advisory09186a008096fd9a.shtml go here], this is a command execution vulnerability that allows you to "Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to cause a denial of service condition, obtain sensitive configuration information, overwrite configuration parameters or execute arbitrary commands with full administrative privileges". Defense? Lock down your internal applications, only allow a few workstations to access them. A great way to do this if they are running on Windows if to enforce an IPSec policy. And obviously, keep them patched. Maybe don't even open the web application at all, and implement Radmin with two-factor authentication to gain access to them, using a local web browser.
Check out talks from CANSEC - [PaulDotCom] - Don't get hung up on the pwn2own contest. Yes, its such a sexy thing to exploit a system and get fabulous $$ and prizes. Again, I am glad they run the contest as it forces a few vulns and exploits out of the woodwork, and promotes disclosure that leads to the bug getting fixed. It does not prove that any operating system is more secure than the others, which is a ridiculous claim. If they only put up an ubuntu system, it would get pwn'd in the first 30 minutes. Those that think an operating system loaded with software is more secure than another operting system loaded with different sofwtware is just wrong. All software has holes, and we ALL run way too much software. In any case, don't forget to check out all of the other cool talks from CANSEC, presentations forthcoming.
Blackboard XSS - With Worm Code! - [PaulDotCom] - Its funny, I did some testing with Blackboard years ago, and guess what, it was riddled with XSS holes. Guess what? It still is! Now, consider this, "Tests, quizzes and assignments are easy to create and deploy, and a variety of tools for evaluating performance contribute to instructor efficiency while providing timely feedback and reporting for students." This vulnerability could be used to collect credentials to the blackboard system, giving the attacker an opportunity to login and wreak havic (esp. if creds are the instructors). This hole has the potential to compromise the integrity of all courses being hosted in the system. This is bad, not to mention any sensative information stored in the system could become compromised. Also, some systems may use the same id/password for other systems, for example the same userid and password for blackboard may be the same to login to a financial aid application, and thats where the good information is stored. Also, if you were to find a persistant XSS, you could inject malicious code into the application itself, and deploy a trojan to all of the computers that accessed blackboard.
Information Gathering via LinkedIn - [Larry] - Sure, gathering information on folks via LinkedIn isn't new, but LinkedIn's new tool Company Profile Pages, make it even easier to gather and correlate information on a potential target. LinkedIn is doing all of the legwork for you! - recent promotions and new hires? Guess who may not be up on all of the new corporate security? Perfect victim! Companies have no way to regulate, or what gets put on the site by the private employees...
Karma and Metasploit coming together? - [Larry] I think I need a tissue. Let's talk about the implications, and how sexy this could be.
Testing web filters for...porn - [Larry] - gotta love a project called Deep Throat Fight Club...sounds like a porn movie. Untangle is testing web filters with scripts to see the actual rate and detection of blocking porn, at a San Francisco (uh oh) bar. This is a PDC story through and through - a bar, porn, fight club. and yes, you guessed it, a lesson on testing and validating your installations.
Scanning Skype's encrypted IM - [Larry] - E-bay has struck a deal to allow FaceTime access to their crypto so that they can actively monitor Skype IM traffic - presumably for monitoring in the financial service market. No mention about the VOIP traffic. Either way, I'd like to see the crypto be made public so that everyone can use it...or...
PGP publishes encryption APIs - [Larry] - Excellent. Now, I don't want to hear any more excuses as to why you went and developed your own, in house crypto algorithm, or poorly implemented a good one. Aside form the licensing costs, of course...
A New Security Podcast - [Larry] - Sure, we rock, but you should take all available avenues to get information. I haven't had time to listen, but with names like Jhoannes Ullrich and Joel Esler there HAS to be some gems here.
For Your Enjoyment
Beer snobs! - [Larry] - Yes, yes we are.
Lala (Tiki Bar) Showers Video - [Larry] - This is a work of art. I <3 Lala. I <3 Tiki Bar Tv. This is why.
Paul and/or Larry after a party - [Securethoughts] Watch out what you sign!