Episode122

From Paul's Security Weekly



Sponsors

Core Security

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client-side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.

Tenable

This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable: Unified Security Monitoring!

Astaro

Astaro offers the most complete and easy to use Internet security appliances available. The products combine best of breed applications, the proven quality of Linux and enterprise level performance, providing the latest protection with the best total cost of ownership. All products are available as software, hardware or virtual appliances, which allows users the flexibility to meet a wide variety of deployment scenarios.

One of the best things about Astaro is that it offers its products completely free for home use. All enterprise features and all subscriptions, including virus scanning, web content filtering, email filtering and VPN clients, are available in the home license for no cost. All you have to do is visit www.astaro.com, register, download the software and obtain the key, which protects up to 10 IPs. There are no sales people to talk to, no payment information to enter—it’s just free. Again, visit www.astaro.com for more information or to download the product and free home user license.

Announcements & Shameless Plugs

Live from the PaulDotCom Studios: Welcome to PaulDotCom Security Weekly, Episode 122, for September 11th, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals. This week with a special guest in the studio!

Episode Media

mp3 pt 1

mp3 pt 2

Jay Beale Interview

  • OMG, they are attacking our clients? Wait, when did this happen? Can you reiterate some of the challenges with client security? We've talked about it, but sometimes you need to hear it from the high-paid third party.
  • Tell us about the middler!
  • What makes the middler so effective?
  • Middler iPhone app?
  • How do software update apps fit in with the middler?
  • When will it be available?
  • For those that don't recall, are you still involved with Bastille? Can you give us the rundown on it, and why we should use it?
  • What's the status of Bastille?

Listener Feedback: Listener Scott Is Evil

"Sorry if you spoke about this, but I'm still catching up on your shows. I'm not an expert on how the browser and SSL work, but I worry about this being true. Also, if this works, I'm a little hesitant to mention this because it could be used. I was wondering about using the DNS vulnerability to hijack domains. I hear a lot of people saying people can't hijack SSL-secured domains because the certificate wouldn't validate. Well, I can see that you can't spoof the root certificate authorities because the certificates are preloaded in the browser. However, can someone get a certificate able to issue other certificates from a trusted root certificate authority and then sign the phony paypal.com web page with it? This way, when my browser goes to the phony paypal.com website, it will tell my browser it was signed by "evilCA.com", then my browser should check to see if "evilCA.com" is valid, and it would pass because it was signed by a root CA. So my browser should be happy and not even alert me that anything is wrong, and give me an SSL padlock, maybe even an extended certificate, if you can issue those from a normal cert (because I doubt bad people would front a business for an EV cert). Is this how the browser chain of trust works? What did I miss to prevent people from doing this? Thanks, and I promise to catch up on all the past shows. Scott"
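The check Scott is asking about is the Basic Constraints extension: a verifier only accepts a certificate as an issuer of other certificates if that certificate itself is marked CA:TRUE, and an ordinary site certificate issued by a trusted root is marked CA:FALSE. The following Go program is an added illustration using only the standard library (it is not from the show or the listener, and all names such as "shop.example" and "Constructed Demo Root CA" are constructed): it builds a root, a normal site certificate, and a "phony" certificate signed with the site's key, then shows that the verifier accepts the site and rejects the phony chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (nil parent = self-signed root).
// isCA fills the Basic Constraints extension, which says whether this key may issue certs.
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainOutcomes models the listener's scenario with constructed names: a trusted root, a normal
// site cert it issued, and a "phony" cert signed with the site's key. nil result = chain accepted.
func ChainOutcomes() (legitErr, phonyErr error) {
	root, rootKey := mkCert("Constructed Demo Root CA", true, 1, nil, nil)
	site, siteKey := mkCert("shop.example", false, 2, root, rootKey)
	phony, _ := mkCert("www.example.com", false, 3, site, siteKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(site) // presented as the "intermediate" that vouches for the phony cert
	_, legitErr = site.Verify(x509.VerifyOptions{Roots: roots})
	_, phonyErr = phony.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return legitErr, phonyErr
}

func main() {
	fmt.Println(ChainOutcomes()) // first value nil (site accepted), second a non-nil x509 error
}
```

The phony chain fails because the verifier refuses to treat a CA:FALSE certificate as an issuer, regardless of how valid that certificate is for its own hostname; the real risk in Scott's scenario is therefore an attacker obtaining a certificate that is itself marked CA:TRUE, which is why CA issuance controls matter.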

Security FAIL Of The Week: How not to work remotely from the coffee shop

Andy The IT Guy Reference

[Image: Unattendedlaptop.jpg]

I noticed this twice, once in Starbucks, and once at a local Pei Wei restaurant.

Stories Of Interest

Cheap SSD Drives - [Larry] - Great, they are getting cheap: 32 GB for $99, although slower and more power hungry than spinning disk. I bring this up because SSD drives provide a significant barrier to recovering deleted and/or modified data. This makes it very difficult to perform any type of forensics on these drives. How, as an industry, do we deal with this situation? Not allow system disks to utilize SSD?

Secure RFID Technology? - [PaulDotCom] - Continuing our discussion from last week, here is a story about a new technology from Verayo which aims to use PUF (Physical Unclonable Functions) to generate a random identifier. Truth? Fiction? Who knows, this is why testing the security of devices is so important. Read more here

"21" Meets RFID and the 21st century - [PaulDotCom] - Chalk this up to "stupid ideas": here is an RFID poker table, nice!

Encryption is great! - [Larry] - But bad implementations, and those that make the encrypted passwords retrievable, are bad. We say all the time to use tried and true encryption algorithms, and this USB key manufacturer did just that. However, they added the ability for the password that is also used to access the device to be checked against a history of passwords. This function resides in memory, so brute force of the passwords can be conducted.

A Note About Mobile (in)security - [PaulDotCom] - To make a long story short, while an F-Secure researcher was giving a presentation about mobile security, a Bluetooth worm outbreak happened and people's phones in the room were infected. There is also this scary Java vulnerability that could affect mobile phones, over 100 million of them in fact. So, how do you control this in your environment? Do you just give people phones, or do you have a managed system like BlackBerry? But what happens if a Bluetooth phone worm creeps into your building? "Hi, this is security, before you can enter the building you must disable Bluetooth on your phone." Is there even such a thing as a Bluetooth IDS/IPS?

SCADA Attack released - [Larry] - No offense to Kevin, but this is a re-implementation of the attack released by CORE a month or so back. So why does this one seem to get more press? This implementation is a Metasploit module. Yep, you can attack the latest in SCADA vulnerabilities for free.

You own the hardware - [Larry] - You own the hardware, so tinker with it. There are already some folks poking at the Esquire magazine E-ink cover. Sure, not a device that has huge security implications, but take ownership of all of the other small (or large) devices that you network in your home or office.

Wireless Driver Vulns, and no patches, oh my! - [PaulDotCom] - Laurent Butti and Julien Tinnes from France Telecom have found vulnerabilities (DoS, possible remote code execution) in several wireless chipsets. For example, the Netgear WN802T (firmware 1.3.16) with the MARVELL 88W8361P-BEM1 chipset is vulnerable to a bug that "...can be triggered by a malicious association request to the wireless access point with a Null SSID." Wow, that's pretty easy, and guess what: NO PATCH. This one, for Atheros, is patched.

Twitter to spread malware - [Larry] - I'd have liked to see more, less user interaction. See blog post.

NMAP 4.75 released - [Larry] - Now with network MAPS. Go figure. Even faster, too! I hope Paul has a tech segment on this one coming up.  :-)

New e-mail attack tactic? - [Larry] - Ugh. This one is new to me. The attacker looking to deliver an attack via e-mail sends a COMPLAINT that you've been spamming, and here are the logs. The "logs" are, of course, an executable containing malware.