SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
Welcome to Security Weekly, Episode 133 for December 11th, 2008. A show for security professionals, by security professionals.
- HACK NAKED TV - Announcing Hack Naked TV! This new video series will focus on technical how-tos, screencasts, and hardcore security nerd stuff. It will be released in the Security Weekly feed, incorporate our technical segments, and have its own show notes in the wiki. Basically, these are video versions of the technical segments with all the fixin's.
- Welcome John Strand as the newest member of Security Weekly! John will be working on our video channel and some new initiatives here at Security Weekly
- Security Weekly SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- Monthly Security Webcast - Late-Breaking Computer Attack Vectors - Dec 23rd 2PM EST REGISTER HERE
- Larry's Metadata Paper - Read it, love it. Offer me suggestions, comments. I'll be doing more tech segments in the future.
Interview: Marcus Ranum
You wrote The Six Dumbest Ideas in Computer Security in 2005. Now, some 3 years later, how many of your opinions still ring true? Is the security still a miserable failure?
I'm in agreement with the need to do things right the first time. Why do you think that this doesn't happen? Lazyness? Poor business decisions? Or, is it really jsut that hard to code properly to begin with!
Sure, design things right and secure from the beginning. How do you deal with situations where you don't have the ability to change/audit/secure required code, with something that is/will be essential to your business; say, for example, windows.
What are your feelings on penetration testing?
Ranum's recommended reading
Appendix F - Personal observations on the reliability of the Shuttle by R. P. Feynman - "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.", Richard Italic textFeynman
Stories For Discussion
- Microsoft Security Advisory (961051) - has Microsoft's recommendations on "protecting" against this attack.
Nmap Book! - [Larry] - Now shipping in time for Christmas. Awesome book that Fyodor has promised for years. It includes all of the information that he's learned in scanning networks over the last 10 years. Sample chapters are available on nmap.org... Paul, you have a copy, please tell us what you've found valuable
Penetration Testing is Dead! - [Paul] - Thats right, penetration testing is dead. Oh hell, why don't we just come out and claim that security is dead. One can pick on any one defensive/auditing tactic, claim it dead, and say that other layers are more effective. This is bull, you need to evaluate the risk for your organization and determine which layers to implement, and how you should implement them. More on this topic in a blog post I am working on, but thats the jist of it.
One line Bash web server - [Paul] - Command line Kung Fu is important if you are a pen tester, and here's is a good example. It allows you to serve files in a directory via web server, neat! Great way to share "tools" on a pen test.
Facebook: 100 friends in 4 days - [Larry] - An interesting, if somewhat repeated, experiment. but, it just goes to show that sometimes just asking for something, and acting like you belong is often one of the easiest methods of social engineering. To me, it also speaks to the dangers of what you share on social networking sites, and who you've given access to it.
DD-WRT XSRF - [Larry] - Remote command execution, password changes, modify forwarding rules, enable remote administration...This has been tested by the author on the latest version v24-sp1, and I winder if it works on older versions. I know lots of people use DD-WRT...
Linksys WVC54GC Camera Vulnerabilities - [Paul] - I thought this was great, check out this description: US-CERT say that by delivering a specially crafted packet to the cameras UDP port 916, an attacker can make it respond with a packet that contains the majority of its system configuration, including details such as username, password, wireless ssid, WEP key, WEP password, WPA key, and DNS server. Love it!
WordPad - [Larry] - On the heels of a recent round of patches, an exploit is now circulating toe a WordPad exploit. This affects Windows 200 SP4 to XP SP2 and Server 2003 SP1 and SP2. Micorosoft claims that it does require some user interaction to get them to open the malformed document. No patches exist currently, so how do we protect? Web filter, block attachments and AV with appropriate signatures? How about IPS with some rockin' rules?
Fone Fraud Follow-up - Apparently a few more details about the Nortel system that was owned earlier this year due to default passwords being in place.
Asterisk Vulnerability, FBI Style - [Larry] - The FBI released a notice that Asterisk had a vulerabiluty that allowed fo "vishing", without releasing a lot of info, or contacting the vendor, Digium. Come to find out, Digium found the bug in March in versions 1.2 and 1.4, and fixed it for 1.6. So, two things: why hold back the info, and not contact the vendor? Second, how to patch critical systems that are expected to be up 24/7?
Netscreen Of The Dead - Firmware Attacks! - [Paul] - Awesome presentation! They reversed the Juniper Netscreen firmware, hotness. However, I find it most interesting when they describe the attacks:
- Hidden shadow configuration file, allowing all traffic from one IP through Netscreen, and network traffic tap
- Persistent infection via boot loader on ScreenOS upgrade
Geek Christmas Gifts! Don't Forget! - [Paul] - Don't forget to add you favorite security geek or just plain geek Christmas gifts. Some of the suggestions so far
Christmas Hacking Challenge - [Larry] - Here's some fun for the holidays from our good friend Ed Skoudis. I bet some of the solution to this one is some tools we've talked about on the podcast!
Spam back on the rise - [Larry] Slowly but surely, just like we talked about last week with Andre, the McColo shutdown won;t stymie the bot-herders for long. Although the article brings up some interesting points, that some botnets aren't making resurgence as it apparently becomes a business decision to abandon your botnet and start fresh when something like this happens; turns out the longer it goes, there's some diminishing returns on trying to recover your zombies.