Episode 137

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!


Announcements & Shameless Plugs

Welcome to PaulDotCom Security Weekly, Episode 137 for January 22nd, 2009. A show for security professionals, by security professionals & done in what approximates sobriety in the state of Alaska.

Episode Media

mp3 pt 1

mp3 pt 2

Interview: Dave Shackleford

Dave Shackleford is the CSO at Configuresoft, a leading provider of enterprise configuration management. Previously, Dave served as CTO of the Center for Internet Security (CIS) where he led the consensus group behind the CIS Virtual Machine Security Guidelines and the CIS VMware ESX Server Benchmark. In this role, Shackleford brought together a broad team of contributors to create the first virtual machines benchmark of its kind. Prior to joining CIS, Shackleford served as vice president of business development and chief security architect for Vigilar, an information security consulting company, and has held information security management positions at Norfolk Southern Railways, AirTran Airways and Northrop Grumman.

Dave also serves on the Board of Directors of the SANS Technology Institute and the Technology Association of Georgia. He is a regular contributor to publications such as Information Security, CRN, Financial Times, InfoWorld and Bank Technology News. He also co-authored the text book "Hands-On Information Security Lab Manual."

A Brief History of Hacking - Dave's take on lessons learned from hacking milestones, including:

  • The early days of phone phreaks and bulletin boards
  • The growth of hacker gangs and 2600: The Hacker Quarterly
  • The 75-cent accounting error that led to an international crime investigation
  • Bill Cheswick's evening with "Berferd"
  • The first malware and Trojan horse programs


Tech segment: Removing PDF Metadata With Adobe Acrobat Standard/Pro

There are a number of additional tools from third parties, most of which do require a modest fee to purchase. In preparation for this paper, the author reviewed several that offered trial versions, and all offered similar functionality to Acrobat.

While all of these smaller metadata removal tools are valid, I find that in many environments the "official" Adobe suite is already in use, especially by those (say, in marketing) who are already converting documents for publication. This is the time to remove the metadata, in my opinion.

But what about those documents already in PDF format? This becomes a significant challenge when documents are converted to PDF by a third-party conversion tool or other authoring program. These third-party converters often rely on, and populate, the metadata carried over from the original authoring software. This metadata can be removed by opening the final PDF document in Acrobat Standard/Pro, assuming the document has not been protected.

In order to remove the relevant metadata using Acrobat, select File, then Document Properties from the menu. In the new dialog box, select the Description tab, then Additional Metadata. First, let's address the Advanced section.


By addressing the Advanced section first, we can delete one item and have it remove the rest of our metadata items as a result, including those in the Description section as well as the Properties screen. The complete removal can be accomplished by selecting the PDF Properties parent item and selecting Delete.


All of the tools will still leave behind some information that is required for proper document use and may be required by the software. This can include the version of the software that created the document, which is used to check for document compatibility.
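As an added example (my code, not part of the segment), a small Python checker that reports which metadata a PDF still carries after scrubbing, splitting the personal and document fields that should be gone from the software-version strings the text says tools leave behind. It reads only unescaped literal strings in the /Info dictionary and uncompressed XMP packets; the two PDFs are constructed, structurally minimal stand-ins for a document before and after cleaning.

```python
import re
# Fields that identify a person or the document itself; these should be gone after scrubbing.
SENSITIVE = {"Title", "Author", "Creator", "Subject", "Keywords", "CreatorTool", "creator", "title"}
# Constructed, structurally minimal PDFs (no xref table): one as exported, one after scrubbing.
DIRTY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
3 0 obj << /Title (Q3 Budget DRAFT) /Author (jsmith) /Creator (Word) /Producer (Acrobat Distiller 8.1) >> endobj
4 0 obj << /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description>
<xmp:CreatorTool>Word</xmp:CreatorTool><dc:creator>jsmith</dc:creator>
</rdf:Description></rdf:RDF></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Producer (Acrobat Distiller 8.1) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

def info_dict_entries(pdf: bytes) -> dict:
    """String entries of the /Info dictionary named in the trailer (the Document Properties fields)."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    obj = ref and re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+\d+\s+obj(.*?)endobj", pdf, re.S)
    if not obj:
        return {}
    return {k.decode(): v.decode("latin-1")
            for k, v in re.findall(rb"/(\w+)\s*\(([^)]*)\)", obj.group(1))}

def xmp_entries(pdf: bytes) -> dict:
    """Simple text elements of every XMP packet (what Acrobat shows under Additional Metadata)."""
    found = {}
    for packet in re.findall(rb"<x:xmpmeta.*?</x:xmpmeta>", pdf, re.S):
        for name, text in re.findall(rb"<\w+:(\w+)>([^<]+)</\w+:\1>", packet):
            found[name.decode()] = text.decode("utf-8", "replace")
    return found

def leftover_metadata(pdf: bytes) -> dict:
    """Split whatever survives into 'sensitive' (should be empty after scrubbing) and 'software'."""
    entries = {f"Info:{k}": v for k, v in info_dict_entries(pdf).items()}
    entries.update({f"XMP:{k}": v for k, v in xmp_entries(pdf).items()})
    sensitive = {k: v for k, v in entries.items() if k.split(":", 1)[1] in SENSITIVE}
    software = {k: v for k, v in entries.items() if k not in sensitive}
    return {"sensitive": sensitive, "software": software}
```

Run `leftover_metadata()` over the exported and the scrubbed file: the Producer string survives both, which is the residue the text warns about, while the author and title fields must not.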

Tech Segment: Physical Security Matters

This week I attended (virtually) the S4 SCADA security conference. One of the issues that came up during some of the talks was the issue of physical access. There has been a lot of research published that allows an attacker to gain sensitive information or compromise a device, which requires physical access. Many will disregard this attack vector because they believe that good physical security will protect them. Let's put this in the context of a device, for example a control systems device, a firewall device, a wireless access point, cell phone, or really any other embedded system in your environment. With physical access to the device an attacker can:

  • Reverse engineer the hardware and software, which then leads to:
    • Finding traditional software vulnerabilities in the firmware
    • Discovering vulnerabilities in the hardware, such as timing attacks allowing you to bypass or modify functionality
    • Stealing the passwords and/or keys stored on the device
    • Inserting malicious hardware or software
    • Uncovering network and/or web-based vulnerabilities

The ability to change the behavior of the device can lead to:

  • DoS attacks (ala Zune)
  • Inserting of backdoors for attacker access
  • Ability to control the device functionality (open a valve, disassociate users, pass traffic through the firewall)
  • Launchpad for other attacks, such as compromising a workstation connecting to the device

There are many ways in which an attacker can gain physical access:

  • Insider threat at the manufacturer OR asset owner
  • Social engineering at the manufacturer OR asset owner
  • Dumpster diving, Ebay, Government auction
  • Breaking & Entering

It's important to note that the first two, insider threat and social engineering, can happen to the manufacturer of the device. So, you as the asset owner could implement the same level of security as the inauguration, but still get compromised because the manufacturer has poor physical security or controls in place to stop social engineering. It's also important to note that you can gain physical access to a device without leaving your home. For example, I could call up the manufacturer and pretend to be a potential customer and ask them to ship me a device. The attack, and your story, would have to be better than that, but it's possible. Even easier, I can just buy the parts on Ebay.

Moral of the story: Physical security is not just limited to the confines of your organization. You must run through these scenarios and use them in your risk calculations. This means you have to take into account a device being "evil" when you design your security architecture.

Stories For Discussion

Hacking Construction Zone Signs - [PaulDotCom] - Such a fun hack, complete with default passwords. Endless amounts of fun, I like the "Zombies Ahead".

Disabling Security: The age old answer - [PaulDotCom] - Except this time it's in my car and not my computer or network! It's inevitable: if something doesn't work, the first thing people want to do is disable security. "My server can't talk to the other server", "Oh, just disable all the firewall rules". 90% of the time, it's not the firewall. (What's that, I hear every firewall admin listening chanting "Hurraaaaaaay".)

Security: You're Doing It Right or Lessons learned from Inauguration Security - [PaulDotCom] - Some wicked cool stuff.

From Dailydave - CSRF Remote Shell Exploit Example: Hotness

The President Has a Blackberry, and I have an Exploit - [PaulDotCom] - I would not send an exploit, but how many people will? I guess this builds on our cyber attacks against the White House theme we have going on.

Using Twitter for Information Mining - [Larry] - A big thanks to Lenny Zeltser for posting this. He illustrates ways in which you can use some of the third party Twitter tools to engage in information gathering, for subjects, individuals, and companies. A very interesting read, given the rise in popularity of social networking tools, and their use for information gathering.

Are you sure you disabled autorun? - [Larry] - Given the fast rise of Conficker/Downadup, which can propagate via USB with an autorun, the suggestion has been to disable autorun. Sure, that's good. However, the way Microsoft has you do it merely disables media change notification - meaning the OS can't tell that new media has been inserted. So, when you open the media, it will still process the autorun.inf! The disable method mentioned in the article instructs the OS to ignore the autorun.inf files altogether.

Set HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf to @SYS:DoesNotExist
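An added check in Python (my code, not from the show or the linked article) that pairs the two halves of the point above: whether the IniFileMapping redirect is actually in place, and what an unmitigated Windows would have launched from a given autorun.inf. The autorun.inf is a constructed sample with a placeholder payload name; the registry read only works on a Windows host and returns None elsewhere.

```python
import configparser

# Registry location and value from the show notes: the mapping sends every autorun.inf
# lookup to a key that does not exist, so the file is never parsed.
AUTORUN_MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
EXPECTED_MAPPING = "@SYS:DoesNotExist"

# Constructed autorun.inf in the style of a worm-dropped file, with a junk line a lenient reader must skip.
SAMPLE_INF = r"""[autorun]
;constructed sample, not a real worm's file
icon=setup.exe,0
@#$%^&* junk without an equals sign
open=RECYCLER\payload.exe
shellexecute=RECYCLER\payload.exe
shell\open\command=RECYCLER\payload.exe
action=Open folder to view files
"""

def mapping_blocks_autorun(default_value):
    """True only when the IniFileMapping default value is the redirect the notes describe."""
    return default_value is not None and default_value.strip().lower() == EXPECTED_MAPPING.lower()

def read_mapping_from_registry():
    """On a Windows host, return the key's default value; None off Windows or when the key is absent."""
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, AUTORUN_MAPPING_KEY) as key:
            return winreg.QueryValueEx(key, "")[0]
    except (ImportError, OSError):
        return None

def autorun_launch_targets(inf_text):
    """Commands an unmitigated Windows would run or offer from an autorun.inf ([autorun*] sections only)."""
    parser = configparser.RawConfigParser(strict=False)  # no interpolation, tolerate duplicate keys
    lines = [l for l in inf_text.splitlines() if "=" in l or l.lstrip().startswith("[")]
    parser.read_string("\n".join(lines))
    targets = {}
    for section in parser.sections():
        if section.lower().startswith("autorun"):
            for key, value in parser.items(section):  # RawConfigParser lower-cases key names
                if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                    targets[key] = value
    return targets

def report(default_value, inf_text):
    """Pair the two checks: is the mitigation in place, and what would the media have launched otherwise."""
    return {"mitigated": mapping_blocks_autorun(default_value), "would_launch": autorun_launch_targets(inf_text)}
```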

Conf#$cker in the Hospital - [Larry] - Ouch, this one hurts. A hospital in the UK is having serious issues with a massive Conficker/Downadup infection exploiting MS08-067. Why? Right before the patch was released, the management turned off ALL updates on 8,000 machines because two in an operating suite rebooted after updates the previous month, in the middle of a surgical procedure.

How do you fall twice? - [Larry] - Another case of leading a horse to water, and the effectiveness of user education. Guy gets scammed via e-mail for $160,000, which puts him in debt, mortgage, etc. Then when he finds out he got scammed, he falls for another e-mail scam in which he hires 2 ex-FBI agents to find the original scammer...

Now you only need to wipe once - [Larry] - New research shows that you only need to wipe a drive once in order to completely obliterate data. Electron microscope you say? The authors proved that you'd only be able to recover one bit that way, as opposed to a range of bits.

Spear phishing advice - [Larry] - This is the way I read this article: instead of providing details on how spear phishing attacks are conducted and how effective they are, I see this as an opportunity to take the same tactics and techniques to make more appropriate social engineering attempts for client side exploit delivery after performing information gathering.

[John] - We got an interesting email from PDC land. How do you deal with all of the tinyurls you get in emails and via twitter? We are all security folks; hopefully this means that we are a bit better than the "unwashed masses" when it comes to the security of the systems we use every day. However, we tend to click on links like meth addicts jumping on rat poison. So, what is the savvy security tech to do? This will serve as a jumping off point for the next few segments that we will run. I have decided to circle back around and sink into honeypots again. And what better way to do it than talk about how honeypots can help us be better in protecting ourselves when we click on suspect links. Tonight I will talk about a few cool tools to help us out. We will look at SpyBye, HoneyC, and Shelia. Hopefully, we can all be a safer bunch of twits!

Shavlik apologises for over-hyping a patch? - [John] - Is this possible? Plus they are backing down because the knowledge to write an exploit is "Very High". Never mind... Nothing to see here...

End of Passwords? - [John] - Nice article that gives an overview of "password alternatives". Not really a deep technical article but an intro. One of the things that bothers me about it is that it seems to imply that passwords have no relevance. Or, at the very least, are heading that way. One of the concerns I have about articles like this is that they don't address the underlying problem. LANMAN and NTLMv1 suck as authentication mechanisms. Many organizations I work with believe that if they use smart-cards or tokens, password attacks do not apply. However, even if you use these tokens, they only serve to authenticate you at your point of presence. All of your authentication on the network is still over LANMAN or NTLMv1. The point? Attacks like pass-the-hash and smb_relay still work.

Obama's Cyber Security Plan - [John] - This ties in with what we talked about last week with Eric Cole. It is nice that cyber security has a high place on the agenda, but I would like to know how it is going to be funded.