Episode120

From Paul's Security Weekly

Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.

Tenable

This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the G-Unit Studios, welcome to Security Weekly, Episode 120 for August 28th, 2008

Welcome to Security Weekly, a show for security professionals, by security professionals.

  • Security Weekly SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!
    • Larry and I will each lead a team, names to be announced
    • Attendance and participation is FREE, come join one of our teams!
    • 4 Networks, 1) Attackers 2) Defenders 3) Public/Internetish 4) Spectator Room
    • Looking for food/drink sponsor
    • Featuring wireless, VoIP, and SCADA!
  • Help support Security Weekly with your donations. Visit http://securityweekly.com and press the DONATE button. Note: Thanks to listener Ken for the donation!
  • NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast!
  • Check out the new beer listing.


  • Interested in a RI security con?

Episode Media

mp3

Tech Segment: Paul's Quick & Dirty Web App Testing Tips

Nikto

Nikto.png

This screenshot displays Nikto in action. You will notice that it identifies the server as "Apache", but offers no version information. This means an administrator has taken the time to hide the version string, giving you some idea of what you are up against. Also, I like to run Nikto against a server and find the version it's running, because if there is a remote exploit for the web server program itself (or associated technologies such as PHP), my web app testing is much easier done as root :) I also like to have Nikto find some of those hidden directories and interesting pages, as often they are informational, providing me with valuable recon.

Paros

Paros.png

Paros has a neat little vulnerability scanner, in addition to the proxy feature. I like to run the vuln scanner against a web site and have it catch the low hanging fruit. I mean hey, it's free. Don't forget to run the spider against the site first, then run the scan. You get a nice little HTML report as well. This is not comprehensive, but can find some items that require further exploration. Tune the scan as well so that you're not trying to find MS SQL injection flaws in PHP apps.

Webscarab: Possible Injection

Websc1.jpg

My favorite proxy is becoming Webscarab. It's added so many wonderful features, such as the ability to find potential injection points. I set this up and browse the entire web site. I then go back and look at the potential injection points and am usually surprised by the results. Just taking the single quote and sticking it in the field forces a SQL error, sweet! This can also be used to find things such as persistent script injection, which is fun too. Don't forget to check the sessions too!

Webscarab: Reveal Hidden Fields

Websc-2.jpg

This is just an awesome feature which can tell you a lot about the application. Hidden fields are, well, not so hidden! Webscarab does a great job of displaying them to you through the proxy and allowing you to modify their values. This can be especially interesting when it comes to e-commerce sites that may, for example, store the price for items in the hidden field(s).
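An added example (not from the show or from Webscarab) of the developer-side view of this: a review helper that lists the hidden inputs a proxy would reveal and flags names that suggest the server is trusting the client, next to an order handler that takes the price from a server-side catalog instead. The sample page, field names, hint list and catalog are all constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed list of name fragments that hint at a value the server should own.
SENSITIVE_HINTS = ("price", "amount", "total", "discount", "role", "admin", "user_id")

class HiddenFieldAuditor(HTMLParser):
    """Collect every <input type="hidden">, grouped by the enclosing form."""
    def __init__(self):
        super().__init__()
        self.form_action = None
        self.findings = []  # (form action, field name, value, looks_sensitive)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name = a.get("name") or ""
            flagged = any(h in name.lower() for h in SENSITIVE_HINTS)
            self.findings.append((self.form_action, name, a.get("value") or "", flagged))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(html):
    parser = HiddenFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

CATALOG = {"sku-1001": 4999}  # constructed catalog, prices in cents

def order_total(form):
    """Price comes from the catalog; a client-supplied 'price' is never read."""
    sku, qty = form["sku"], int(form["qty"])
    if sku not in CATALOG or not 1 <= qty <= 100:
        raise ValueError("invalid order")
    return CATALOG[sku] * qty

SAMPLE_HTML = """
<form action="/cart/add" method="post">
  <input type="hidden" name="sku" value="sku-1001">
  <input type="hidden" name="price" value="49.99">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="qty" value="1">
</form>
"""

if __name__ == "__main__":
    for action, name, value, flagged in audit(SAMPLE_HTML):
        print(action, name, value, "REVIEW" if flagged else "")
```
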

FAIL Of The Week: GetAdmin

Reservations.png

Mini-tech segment - MultiISO LiveDVD

A single DVD with a grub boot menu for different linux distros:

  • Backtrack 3 - we all know this one
  • Damn Small Linux (DSL) 4.2.5 - Tiny distro
  • GeeXboX 1.1 - Media display...used at IKEA
  • Damn Vulnerable Linux (Strychnine) 1.4 edition - Hack Away!
  • Knoppix 5.1.1 - General Live CD
  • MPentoo 2006.1 - Mini Pen testing distro, with some neat tools, wireless, metasploit, etc
  • Ophcrack 1.2.2 (remastered to contain SSTIC04-5k [720MB] table sets) - password cracking, with decent rainbow tables
  • Puppy Linux 3.01 - A mini linux distro
  • Byzantine OS i586-20040404 - mini linux distro with focus on home entertainment

I really liked the concept for the multiboot, and with UNetbootin (as discussed a few shows ago) you should be able to make this bootable on a USB thumb drive. I haven't had a chance to test, and I'll wait for the appropriate sized drives to go on sale.

I thought that MPentoo, Knoppix, DVL and BT3 were good choices, but in reality, for security testing, how many mini-distros do I need? Or how many multimedia distros do I need? How about some of the other cool stuff like samurai, DBAN, voipong, helix...the list goes on...

Stories For Discussion

ISS gets a virus - [Larry] - Yep, you guessed it, the International Space Station has a virus - W32.Gammima.AG, which steals online games information (such as WoW), and tries to send it "home". NASA is labeling it "just a nuisance". So, how did it get there? It appears to be from infected USB thumb drives, and not from their data uplink. NASA stated that it couldn't tell us if it is actually causing a problem due to security concerns. It was also stated that this is not the first time that this has happened. How do you justify some of this stuff given that it may be putting people's lives at risk?

Linux Systems Targeted With SSH Attacks - [Paul] - Okay, so we saw this coming, right? I think that if you maintain a perimeter you should have patched SSH and DNS long ago, and be completely patching those systems on the so-called inside as well. Use passwords for your SSH keys and monitor your logs for these attacks; both DNS and SSH should look pretty noisy!

Personal data on 1M people, cheap - [Larry] - Just buy a used laptop from eBay.

Pick a Good Password! - [Paul] - We tell people to use good passwords, we tell them not to use the same password for everything, and here is a case where both don't matter. Attacking the password reset feature, armed with information from social networking sites, is where it's at. Paris Hilton's dog is Tinkerbell, everyone knows that; it should not have been her password question. I always put bogus information, which of course makes it hard to recover your password!

iPhone emergency call fail - [Larry] - Yes, you can gain access to almost all of the functions of the phone when locked, via a silly emergency call override under 2.01 and later. [Paul] - This is not the first time this has happened, it seems Apple can't lock this feature down. Do we really need the emergency call feature? Do other phones have this? Can the emergency call feature be turned off? Personally, I'd like to lock my phone and turn this feature off. The perils of a closed platform...

Interesting notes on browser forensics - [Larry] - Some great tips on using the local system browser history to determine where a machine has been on the web, including how to analyze images, and some reminders about hidden IE windows and wget. I'm a big fan of IEHV as well.

Lost USB drive by contractor - [Larry] - Audit your contractors, and have the appropriate agreements in place. Sometimes security isn't all about technology, it is a people problem.