SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional.
- Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
Welcome to Security Weekly, Episode 132 for December 4th, 2008. A show for security professionals, by security professionals.
- Security Weekly SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- RI Linux Installfest - December 6th!
- http://twitter.com/CoreSecurity - "...announce new exploits and advisories as they surface. We'll also pimp webcasts and try to actually talk with people too."
- "Zen and The Art Of An Internal Penetration Testing Program - Part I" - All materials now available, process, tips, and techniques for internal penetration testing, detecting rogue access points, permission slips, slides & audio available.
Interview: Andre' M. DiMino, Shadowserver Foundation
Andre' M. DiMino is the Co-founder & Director of the Shadowserver Foundation, a non-profit organization that gathers, tracks, and reports on malware, botnet activity, and electronic fraud. He has over 20 years of experience in IT operations and computer system management, with his primary focus being on network and data security. His role within Shadowserver involves him in the direct research and analysis of malware and network traffic, botnet research, attacker methods and techniques, and honeypot technology. Andre' also leads and provides overall direction to each segment of the Shadowserver operation.
- Tell us how you got your start in computer security.
- What is the Shadowserver Foundation?
- How can security professionals take best advantage of its resources? How could attackers take advantage of its resources?
- Have you ever been targeted by the bad guys as a result of publishing information about botnets?
- Describe some of the botnet C&C software used by the bad guys. IRC? HTTP? HTTPS? SSL?
- What do evil bad guys do to protect the C&C servers?
- What should you do if you find a botnet C&C on your network or gain access to one?
- Have you seen OS X get a bot installed on the host operating system?
- Describe some of the bot software installed on client computers, what are the most popular methods of delivery?
- How can we best detect bots on our networks and computers? A/V? Intrusion Detection?
- Was there any noticeable change in botnet statistics after McColo shutdown?
- What can we do to support the Shadowserver Foundation?
Stories For Discussion
What's On Your Geek Christmas List? - [Paul] - I want to know what is on your geek Christmas list! Come to our forums using the link above to cast your vote and Larry, John, and myself will pick the top 5 Security Weekly gift recommendations.
201 CMR 17.00 - [Larry] - Wow, the state of Massachusetts is doing a number. New legislation states that: "Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information." Well, this could get interesting. Let's talk about what this means... What determines personal information, and what entails a security program...
Easy & Secure Don't Mix - [Paul] - It was demonstrated that facial recognition software on a Lenovo Thinkpad could be bypassed with a simple printout. Authentication that is made easy for the end user is never secure. Short passwords, smart cards, access tokens, RFID, fingerprint readers, etc... are all insecure! (when used by themselves). Two factor authentication is the way to go here and I hope that the industry wakes up and makes it feasible (okay, cheap) for us to implement two-factor authentication.
HD Encryption cracked - [Larry] - Apparently it wasn't that difficult. The manufacturer claims that it uses AES-128 encryption - it does, but only for storing the values of the RFID tags used to authenticate to the housing - these RFID tags (from the pictures) appear to be standard unique ID EN4XXX tags that are clonable - and readable in the air in clear text. The actual encryption of the data on the drive? XOR with a repeating 512-byte block. The manufacturer claims that they never state that the HD is AES-128 encrypted, yet the packaging states "All the information is encrypted with 128-Bit AES". The HD data was cracked in under 10 minutes.
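Why XOR with a repeating 512-byte block fails as disk encryption, as an added example (not from the show notes or the research the story refers to): a check an evaluator can run on a raw image to see whether identical plaintext sectors produce identical ciphertext. The sample disk, the keys, and the hash-based per-sector keystream (a stand-in for a sector-tweaked mode, not real disk encryption) are constructed for illustration.

```python
import hashlib
import os
from collections import Counter

SECTOR = 512  # block size named in the story

def xor_repeating(data: bytes, key_block: bytes) -> bytes:
    """The weak scheme: every 512-byte sector XORed with the same block."""
    return bytes(b ^ key_block[i % SECTOR] for i, b in enumerate(data))

def xor_per_sector(data: bytes, key: bytes) -> bytes:
    """Contrast case (assumed stand-in for a sector-tweaked mode):
    the keystream depends on the key and on the sector's offset."""
    out = bytearray()
    for off in range(0, len(data), SECTOR):
        stream = b"".join(
            hashlib.sha256(key + off.to_bytes(8, "big") + bytes([c])).digest()
            for c in range(SECTOR // 32))
        out += bytes(a ^ b for a, b in zip(data[off:off + SECTOR], stream))
    return bytes(out)

def sectors(image: bytes) -> list:
    return [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]

def duplicate_sector_ratio(image: bytes) -> float:
    """Fraction of sectors whose ciphertext equals another sector's."""
    counts = Counter(sectors(image))
    return sum(c for c in counts.values() if c > 1) / sum(counts.values())

def build_sample_disk() -> bytes:
    """Constructed sample: 4 sectors of file data among 12 all-zero sectors."""
    files = [bytes([0x41 + i]) * 100 + os.urandom(SECTOR - 100) for i in range(4)]
    zero = bytes(SECTOR)
    return b"".join(files[:2]) + zero * 6 + b"".join(files[2:]) + zero * 6

def assess() -> dict:
    disk = build_sample_disk()
    key_block = os.urandom(SECTOR)
    weak = xor_repeating(disk, key_block)
    tweaked = xor_per_sector(disk, os.urandom(16))
    # Zero XOR key == key, so the most frequent weak-ciphertext sector
    # is the secret block itself.
    most_common = Counter(sectors(weak)).most_common(1)[0][0]
    return {"weak_ratio": duplicate_sector_ratio(weak),
            "tweaked_ratio": duplicate_sector_ratio(tweaked),
            "zero_sector_leaks_block": most_common == key_block}

if __name__ == "__main__":
    print(assess())
```

A high duplicate ratio on a mostly empty drive is the warning sign: a sound design ties each sector's ciphertext to its position, so repeated plaintext never repeats on disk.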
Economic crisis could dramatically improve security in 2009 - Okay, I left the title just as an eye catcher. The author does a good job of listing some things that I believe we all need to be doing:
1) Make sure your $OldSecurityThings are actually doing what you think they’ve been doing up to now.
2) Remediate any deficiencies found in Step 1.
3) Spend some time trying to identify and classify unknown or forgotten systems, data, connections, privileges, etc.
4) Apply $OldSecurityThings from Step 1 to discovered assets.
- Question: Any suggestions for good two-factor authentication for OS X?
SonicWALL Licensing - [Larry] - Something is very wrong here. A licensing server fails, the product checks in, and the license is invalidated. Product fails open without any notice. This means that Web filtering, AV scanning and IPS were not functioning - it is also rumored that firewalls stopped functioning as well.
The Julie Amero Case Is Disturbing - [Paul] - Seriously, this could happen to anyone. However, I believe it is the IT folks that should be losing their jobs. Now, I'm not saying that every time porn pop-ups get in front of students we should immediately fire the IT staff. But, if the IT staff can be proven negligent, they should be fined and fired on the spot. This should even be company policy. Here's why: in Julie's case, the IT staff had her running Windows 98 with outdated anti-virus software. It's their fault, not hers. And another thing, do you really think that 7th graders have never seen porn before? Come on!
Almost all computers at risk - [Larry] - Secunia, through some research, calculated that 98.1% of the PCs it audited were at some sort of risk, mostly due to client applications and lack of updates. These were some of the same issues that I try to bring home about being able to analyze metadata to determine client applications in use in the organization. Clearly, many people have issues with patching client apps.
There are hackers on them there Internets - [Paul] - So, apparently, if you browse the Internet using an "unsecured" computer, you get pwned. No kidding, huh... "During the two-hour experiment, four New Zealanders ranging from a teenage boy to a senior citizen went about their online day-to-day tasks on poorly secured computers. NetSafe and IBM monitored more than 112 direct attempts to attack the four computers over two hours." And LOL: "After only one hour and 40 minutes, the computer used by the teenage boy became unusable." He should get a job in QA :)
Atheros Opening up - [Larry] - Atheros has opened specs to allow open source drivers for its ATH5K and ATH9K chip families. Why is this important? We can likely have better wireless tools for audit, attack and recon under open source platforms.
Teacher Denied Degree because of Drunken Pirate MySpace Pic - [Paul] - Ok, on this case I actually think that the University over-reacted. However, it's a huge word of caution for all you social networker types out there.
When a patch isn't really a patch - [Larry] - At least with Windows systems, when you need a reboot. There are several challenges that come up with needing to do reboots: asset management, tracking and confirmation, and ultimately business impact.
The Age Old Debate - Should you run Anti-Virus Software on Your Mac? - [Paul] - First Apple says that you should, then they pull the knowledge base article. How nice of them! I don't run Anti-Virus software on my Mac, I don't believe that the malware threat warrants installing yet even more software. You should keep all of your software up-to-date, including software you've installed on top of OS X. I am always curious to know how secure that update process is, I have lots of software that updates itself, but are the updates being verified? I am becoming a believer in good system security practice over Anti-Virus software, with maybe the exception of non-tech users on Windows. But, maybe that's just me...
Didier Stevens Quote: AV also helps you during drunk web surfing sessions. http://www.irongeek.com/i.php?page=videos/bypassing-anti-virus-with-metasploit
Bypassing Web Filters - [Paul] - Don't do this or you could get fired for violating your employee agreement. If you are in the enforcement role, read this and implement methods of detection. However, I do not like how the security team has become the web browser police, maybe we need a technical role in HR to deal with that. I believe the security team should be focused on security, finding machines that may be compromised, not someone browsing porn at work. Those are two totally separate things in my opinion.
Other Stories Of Interest
Revenge of the Nerds: Hackers Give Victoria's Secret Campaign a Virtual Wedgie - [Paul] - "Tim Plunkett, a junior at Drexel, created a script that could cast 1,500 votes per second, according to The Daily Pennsylvanian, the University of Pennsylvania’s independent student newspaper. Mr. Plunkett wrote the script in about three minutes and ran it on 30 different computers over 12 hours." And: "Officials from Victoria’s Secret could not be reached on Monday but the company’s Web site offers this warning:
“Tech schools, we’re watching your votes. And we’re on to you. Don’t be surprised if PINK shows up at your school.”
The PHP Song - [Paul] - FUNNY