Episode121

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

Tenable

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 121 for September 4th, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

  • PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas! - Interview in this episode!
  • NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers! Don't forget our live podcast immediately following!
  • A retraction about no java on the blackberry. I'm an idiot, the OS is java based. duh.


Episode Media

mp3 pt 1

mp3 pt 2

White Wolf Interview

  • So, tell us about this year's ICE games at SANS Las Vegas!
  • What are the rules?
  • What kind of systems will there be to hack into?
  • How does the scoring work?
  • Will there be fabulous prizes?
  • How does the game work each night?
  • What tools will be available to each team?

Interview: Kismet - Mike Kershaw, Renderman, Thorn

  • So, for those that may not know, what is Kismet? Why should you use it? What platforms does it run on?
  • What are the differences in the branches of Kismet? (Stable, dev, and new-core)
  • Describe some of the challenges to wireless sniff, wireless IDS, and wardriving
  • What hardware do you recommend for wireless penetration testing?
  • So, whats in the book? What do people learn from reading the book?
  • Tell us about wi-spy and how it integrates
  • How can IT professionals use Kismet to help them in their jobs? Detect Rogue access points?
  • What are some interesting or creative usages for Kismet?

Listener Feedback: Listener Scott Is Evil

"Sorry if you spoke about this, but I'm still catching up on your shows. I'm not an expert on how the browser and SSL works, but I worry about this being true. Also, if this works, I'm a little hesitant to mention this because it could be used. I was wondering about using the DNS vulnerability to hijack domains. I hear a lot of people saying people can't hijack SSL secured domain because the certificate wouldn't validate. Well I can see that you can't spoof the root certificate authorities because the certificates are preloaded in the browser. However, can someone get a certificate able to issue other certificates from a trusted root certificate authority and then sign the phony paypal.com web page with it. This way when my browser goes to the phony paypal.com website, it will tell my browser it was signed by "evilCA.com", then my browser should check to see if "evilCA.com" is valid, and it would pass because it was signed by a root CA. So by browser should be happy and not even alert me anything is wrong and give me an SSL pad lock, maybe even an extended certificate, if you can issue those from a normal cert (because I doubt bad people would front a business for an EV cert). Is this how the browser chain of trust works? What did I miss to prevent people from doing this? Thanks and I promise to catch up on all the past shows. Scott"

Stories Of Interest

Hacking Biometric Locks

VMware Releases A TON of Patches - [PaulDotCom] - Patches still pending for VM Fusion, WTF! You should patch, its important, especially because the security of multiple machines is at risk, in a platform independent kind of way.

Body entropy? - [Larry] - We talked about hacking medical implants a few weeks back. These researchers are utilizing a biometric footprint to derive the key. They measure the interval between 16 heartbeats down to the millisecond, and combine it with photoplethysmograp (PPG - the measurement of light absorption under the skin relative to pulse), and use it to generate a 64 bit key. Now, cetainly a 64 bit key might be weak, but it is an interesting concept...

Chrome is Shiny, but scratches easily - [PaulDotCom] - Oh hey look, a new web browser! And look, vulnerabilities in the new web browser! Who would have thought? All software has vulnerabilities, especially new software. People have been hacking away at Firefox for quite some time, and they do a decent job of keeping things patched. Sure, they implement new features, which then could present software vulnerabilities, but they get fixed in a timely manner, a manner which best fits with my security requirements, so I am sticking with Firefox. Lets not even talk about IE, a browser still plagued with security flaws, and ones that don't get fixed until MS decides to bless us with their holy than thou bi-monthly patches. Chrome File download - [Larry] - Sure, everyone is all over Google Chrome. Neat security model, but will it work. Aside form all of the neat-ness and failures, the browser is already being evaluated for security. Nerex has found that a very simple javascript allows for executables (or other content) to be downloaded, but not executed, to a victim machine without any user intervention. Safari does this, and apple bills it as a feature.  :-(

"Securing" Your iPhone - [PaulDotCom] - I was excited about this article, until I read it. The first two items are implementing a 4 digit pass code, because that provides security, right. Then make sure your phone locks, well duh. And somehow re-mapping my home button protects my information, at least it prevents people from bypassing the lock and accessing my address book. Is that really security or just a workaround? The best part about the article? The screenshot of the iPhone shows they have 3 apps that need updating, doesn't keeping your software up-to-date apply to your phone as well? Also, none of this protects your information as it flys in clear text over open wireless networks...

CSI Stick - [Larry] - A neat little tool for cell phone "forensics" that works with Motorola and Samsung phones. This tool collects all of the SMS data, pictures, placed phone calls, e-mails, and phonebooks. The device runs $200 and requires a PC to attach it to. I wonder how this would compare to ay, LadyAda's simcard reader (at $17) for the kit. This goes along to some practices that Paul and I have done - having someone unsuspecting hand us their cell phone - which contains personal, potentially sensitive data! bitpim was the software mentioned by Mike Kershaw for accessing other phones with AT style commands.

Mythbusters Prevented From Running RFID Hacking Show - [PaulDotCom] - Conflicting stories abound, it appears that CC companies do not want RFID shortcomings to be public knowledge. I don't think that talking about RFID hacking and vulnerabilities is a crime, so look for some things coming soon.

Adam Savage (Mythbusters co-host) discussed this as The Last H.O.P.E. You can see the relevant part of his talk here on youtube.

Information must be free - [Larry] Along the lines of the MIT charlie card hackers, one group being told to be quiet about a weakness or vulnerability is bad, because that just opens the door for others to start talking about it. The Mythbusters wanted to talk about the huge insecurities in RFID, and contactless payment systems based on rfid on the show. when they set up a call with the manufacturers to get specs, the lawyers got involved and it appears that Discovery got pressured into not running the story. However, researchers have been saying that this stuff is bad for a long time. Remember the story about reading paypass data with a modified reader? It just didn't make it to prime time TV. possible backpedal

Security ROI - [Larry] - There is just too much to talk about here in a few short lines. Does RIO for security work? is the RIO more of a soft cost (IE preventing a breach, remediating, cleanup and legal/community view issues) Let's discuss.

HP Adds Smart Card Readers to HP Printers - [PaulDotCom] - Okay, here's a newsflash, authentication is not the major security problem on printers and multi-function devices!!!!! How about implementing software without vulnerabilities, using secure protocols to transfer data, hardening the operating system, and encrypting the files/filesystem? Now you have no excuse, if you are building on technologies such as smart cards to these devices, you can implement all of the other security measures.

Paper records too - [Larry] - While not really a tech problem, don;t forget about all of that stuff that you print. I guess ultimately it comes down to appropriate record retention (backup tapes anyone) and appropriate storage. Want lots of data, go after the backup tapes, or where they were stored. This gentleman was able to buy the contents of a storage unit at auction for $25, contents sight unseen. the contents had medical data, ripe for identity theft. What if this had been your backup tapes?

Botnet Counts: For Good Measure - [PaulDotCom] - Some really cool graphs on the number of botnet drones, yes they have sharply increased over the past few months. However, even more frightening, the number of C&C servers increased (Reference). This means, more drones and more individual botnets, confirming suspiciouns that botnets are more abundant and perhaps purpose built to avoid detection and eventual shutdown. The reason, seems to correlate with the rising SQL injection flaws. SQL injection flaws, ah yes, I've responded to incidents where these flaws are rampent. I also think that targeted phishing attacks are more common as well, especially in university settings.

Hacking so easy my mom can do it - [Larry] Software to cook the books at restaraunts.