Episode 156

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

Security Weekly - Episode 156 - June 18, 2009

  • 2009 South Florida ISSA Conference and Exhibition - June 24th Learn more!
  • NY Infraguard CTF - Two day Capture the Flag Event on July 21 - 22, 2009 at Cisco Systems, 1 Penn Plaza, 9th Floor. The event will be held from 9:00AM to 5:00 PM both days.
  • SANS Raleigh Durham - June 22 thru 27th: SEC 401 SANS Security Essentials Bootcamp - The first step in the path to Enlightenment! Taught by Mark Baggett!
  • DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in Defcon Poetry jam with the tantalizing title of "FAIL". We will also be having an invite-only party, so stay tuned!

Episode Media

mp3

Guest Tech Segment: Rob VandenBrink

We have a special guest technical segment on "Man in the Middle Attacks in a Virtual World" by Rob VandenBrink.

Rob is a consultant with Metafore LLP in Ontario, Canada. His areas of specialization include Network Infrastructure design, Network Security and Virtualization. Rob is an STI Masters Degree student with the SANS Technology Institute, and holds a variety of current SANS and Cisco Certifications.

This evening we'll be chatting about Man in the Middle (MITM) attacks against Virtual services. Specifically we'll be discussing how a successful MITM attack can be mounted against a VMware Guest migrating from one ESX host to another, using VMotion. VMotion moves the machine while it's running, without a service interruption.

First, I want to be absolutely clear that Vmotion isn't an "insecure service", and that VMware is not an "insecure product". VMware and Vmotion are alive and well in thousands (if not more) datacenters, and because of this we've selected this product and this common operation to demonstrate with today.

This demonstration and the slides are lifted from SANS SEC557 - Virtual Security and Operations, an excellent security course which covers both the technical and operational (and non-technical) challenges in deploying virtual infrastructure into a datacenter.

MITM attacks are most often attacks against confidentiality. They run at layer 2 (more on this later), and are most often seen in switched ethernet environments (though fiber channel MITM is also possible). Passive MITM attacks concentrate on stealing information as it transits without modifying it - the data is intercepted, saved away, then forwarded on. This is by far the most common MITM attack. It's easy to mount, difficult to catch red-handed, and very difficult to prevent in most environments.

Active MITM attacks actually involve changing the data as it's intercepted. This is less commonly seen, as it's much more difficult to pull off. Simply changing the data isn't a problem - for instance, purchasing an item online, then modifying the "ship-to" quantity isn't any more difficult than intercepting that value. However, now the ship-to quantity does not match the invoice quantity. This mismatch is very likely to be detected by the application, or noticed by a "human eye, model 1, mark 1" that might be looking at a final invoice or shipping label.

We'll be demonstrating a passive MITM attack on Vmotion.
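The segment places MITM at layer 2 on switched ethernet. The following detector is an added example, not from the episode or from the SEC557 material; it assumes the interception is done by ARP cache poisoning (the segment only says "layer 2") and that a sensor on a mirror port has recorded ARP "is-at" replies as (timestamp, ip, mac). The reply records and the protected-address list are constructed. A passive MITM that forwards traffic unchanged leaves no application-layer trace, which is why the checks here look at who answers for which address rather than at payloads.

```python
"""Flag layer-2 man-in-the-middle activity from observed ARP replies.

Added example; it is not from the episode or from Rob VandenBrink's SEC557
material. It assumes the MITM is mounted by ARP cache poisoning on a switched
segment (the episode only says "layer 2"), and that a sensor on a mirror port
has recorded every ARP "is-at" reply as (timestamp, ip, mac). The records
below are constructed.
"""
from collections import defaultdict

# Constructed sample: the gateway 10.0.0.1 is first announced by its real MAC,
# then claimed by a second MAC that also claims a host's address, after which
# the real gateway answers again (the "flapping" a poisoned segment shows).
SAMPLE_ARP_REPLIES = [
    {"ts": 1.0, "ip": "10.0.0.1",  "mac": "00:11:22:33:44:01"},
    {"ts": 1.5, "ip": "10.0.0.25", "mac": "00:11:22:33:44:25"},
    {"ts": 2.0, "ip": "10.0.0.1",  "mac": "00:11:22:33:44:01"},
    {"ts": 3.0, "ip": "10.0.0.1",  "mac": "DE:AD:BE:EF:00:01"},
    {"ts": 3.1, "ip": "10.0.0.25", "mac": "de:ad:be:ef:00:01"},
    {"ts": 4.0, "ip": "10.0.0.1",  "mac": "00:11:22:33:44:01"},
]

# Constructed allow-list of addresses that must never change MAC (for example
# the default gateway). Hypothetical values.
PROTECTED = {"10.0.0.1": "00:11:22:33:44:01"}


def ip_mac_conflicts(replies):
    """Map each IP claimed by more than one MAC to the sorted MACs seen for it."""
    claims = defaultdict(set)
    for r in replies:
        claims[r["ip"]].add(r["mac"].lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def macs_claiming_multiple_ips(replies):
    """Map each MAC that answered for several IPs to those IPs (a poisoner
    usually impersonates both ends of the conversation it wants to see)."""
    claims = defaultdict(set)
    for r in replies:
        claims[r["mac"].lower()].add(r["ip"])
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


def mac_changes(replies):
    """Count, per IP, how many times the answering MAC changed in time order."""
    last, changes = {}, defaultdict(int)
    for r in sorted(replies, key=lambda r: r["ts"]):
        mac = r["mac"].lower()
        if r["ip"] in last and last[r["ip"]] != mac:
            changes[r["ip"]] += 1
        last[r["ip"]] = mac
    return dict(changes)


def arp_alerts(replies, protected):
    """Return human-readable alerts; an empty list means nothing suspicious."""
    alerts = []
    for ip, macs in ip_mac_conflicts(replies).items():
        alerts.append("IP %s claimed by several MACs: %s" % (ip, ", ".join(macs)))
    for mac, ips in macs_claiming_multiple_ips(replies).items():
        alerts.append("MAC %s answers for several IPs: %s" % (mac, ", ".join(ips)))
    for ip, n in mac_changes(replies).items():
        if n > 1:
            alerts.append("IP %s flapped between MACs %d times" % (ip, n))
    for r in replies:
        if r["ip"] in protected and r["mac"].lower() != protected[r["ip"]].lower():
            alerts.append("protected IP %s announced by unexpected MAC %s at t=%s"
                          % (r["ip"], r["mac"].lower(), r["ts"]))
    return alerts


if __name__ == "__main__":
    for line in arp_alerts(SAMPLE_ARP_REPLIES, PROTECTED):
        print("ALERT:", line)
```

Run against the constructed sample, the first three replies produce no alert; the full set produces five (two IP/MAC conflicts, one MAC answering for two IPs, the gateway flapping, and the protected gateway being announced by an unexpected MAC). The protected-address check is the one worth wiring to a pager: a gateway that changes MAC without a planned hardware swap is the classic sign of a poisoned segment.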

Mini Tech Segment: The Pre is rooted! Now what? by Mick Douglas

The Groundwork

You need to do two things first...

  1. Get root -- is that a BusyBox in your pocket or are you happy to see me?
  2. Get packages -- the processor's wee. Save on compile time!

Now the fun begins!

(Warning: These are CLI only apps -- MAN UP NANCY BOY!!)

Now that you have the basics covered, it's time to have some fun! Here's some things I'd suggest that you try out:

  • Set up a local shell -- it works in a pinch, but it is a bit hard to use... until WebShell gets better or another terminal is available, I think I'll just SSH or novaterm onto my Pre.
  • nmap
  • tshark
  • Metasploit!! Warning: ipkg-opt has Ruby 1.9.1 - which means problems with MetaSploit 3.2. Either SVN fetch 3.3 and make your own lite version -or- just wait for the release
  • kismet (start hacking the Marvell w8686 chip which is controlled by the sd8xxx driver)

Stories For Discussion

  1. The revolution will be spread in 140 characters or less - [Mick] - Twitter has hit an interesting and powerful place in the world. Who knew a "waste of time" would end up as a mouthpiece for regime change?
  2. Sloooooowwww - [Larry] - Slowloris, a new Apache DoS tool. It doesn't require much bandwidth, and only small keep-alives.
  3. Month of Twitter bugs - [Larry] - Here we go again! I do like these projects, but to what aim? Either way, I hope they release a bug to increase my followers.
  4. Validate your inputs - [Larry] - By intercepting the HTML posted to the Apple store, you can add an iPhone to your cart without apparent contract, or credit check. Of course, these are non-subsidized prices. Theme for my week, given I'm TA'ing SANS 542.
  5. Browser History without JavaScript - [Larry] - Neat. Disabled JavaScript won't help here, as it uses hidden iframes and CSS.
  6. Month Of Twitter Bugs - [Paul Asadoorian] - There is just something really sexy about the "month of" bugs. You can call it what you want, but in the end it gets some pretty serious media attention. Also, whatever seems to be the focus of the "month of bugs" gets its laundry aired out, public attention, and eventually patches. I know, I know, responsible disclosure, blah, blah, but I am siding with the month of bugs helping us be more secure in the end, because let's face it, that's where we'll take it if people stop disclosing bugs in any fashion.
  7. Tons of anti-virus software bypass vulnerabilities released - [Paul Asadoorian] - I believe it's important for these to be public, and it also looks like Thierry Zoller has done a good job with the disclosure end. My question is, when will people realize that Anti-Virus software may do more harm than good? I will take the stance that Anti-Virus software does more harm than good by creating a false sense of security. People will happily click on stuff, download files, and stick in USB thumb drives because, well, "I've got Anti-Virus software, so I'm safe!". Wrong! I'll go back to my most recent blog post: your greatest weapon is common sense! In the enterprise A/V should be transparent to the end user; it should exist on your gateways and file servers, and even inspect traffic as it moves through your network. Train your end users, and if you use an endpoint security solution it needs to be smarter than the dumbest end user. Here's the thing: signature-based A/V still falls short of that requirement.
  8. Nice Wiping Tip - [Paul Asadoorian] - Giving the finger to forensics, I love it! Linux is so great, the built in tools are just so flexible and provide so much functionality. I don't know why anyone would run Windows as their primary OS, it just gets in my way!
  9. SMS Hacking - [Paul Asadoorian] - This just has security fail written all over it. SMS presents a huge risk to organizations, and here it sounds like some researchers are taking it to the next level and finding some vulnerabilities. The most attractive feature for attackers is the "always on" nature of SMS. I don't think you will see a smartphone botnet, at least not yet, but certainly if you could come up with a way to steal data from people's phones that would be great. The problem is that it's too widespread; people have all sorts of different numbers and it's tough to target an organization's cell phone presence without some accurate information gathering. I'm thinking that you break into a company, steal the directory, parse cell phones, then launch an attack.
  10. Common Sense: Your Greatest Weapon - [Paul Asadoorian] - In this post I point out some security FAIL, in a fishing tale kind of way :) I was fishing one day, and observed what the fish were eating, and then used that information to catch more fish. To put a different spin on it, that's what the bad guys are doing. They are looking at what the fish (i.e. users) are eating and adapting. As defenders, we are doing a poor job of adapting. From wireless, to not checking logs, to over-dependence on A/V, sometimes I feel like we all suck. I did manage to identify strategies that work and are worth putting effort into: policy & procedures, vuln management, and system hardening. So there, go do it :).
  11. PCI Debate: Level 2 Merchants Now Require QSA - [Paul Asadoorian] - There is good and bad that goes along with this. As Brian would say, the PCI cheerleaders are cheering about it. They say it will help a lot of organizations, because now these organizations need to be audited, and it will find some things that need to be fixed, security will improve, and everyone will be happy and take off early on Friday to go drink beer. The other side is that many PCI QSAs will do a lackluster job, create a false sense of security, and the overall state of information security will degrade, in the meantime putting more money into the QSA's pocket. I mean think about it, the times are tough, so let's boost some PCI business by requiring level 2 merchants. Awesome.
  12. iPhone 3.0 - over 35 security updates - [Paul Asadoorian] - Wow, and here I am, the Apple fan boy that I am, jumping up and down for joy at copy/paste and voice memos. I dig a little deeper and realize that I was bent over a barrel running iPhone software! Holy freaking security updates, I might as well just publish all of the information on my phone to the Internet. I feel dirty, like that scene from Ace Ventura when he finds out that woman is really a man, and starts squeezing toothpaste in his mouth and showering, scrubbing, etc... Yea, like that. I think I'm switching to an N95 or a Pre real soon now, oh wait, I just shelled out more $$ to Apple for a 3G S. At least my phone will look pretty.
  13. http://blog.tenablesecurity.com/2009/06/protecting-scanning-credentials-from-malicious-insiders.html - [Paul Asadoorian] - So, let's say that you've set up Nessus to scan your entire environment with credentials. This probably means that you've created an account in the domain that has the ability to log in to all systems. Ideally, this should be a domain admin account. Now let's say that I am a malicious insider, either someone at your company that has gone bad, or an attacker who compromised a machine on the "inside" of your network, or I've placed a device on your internal network. I then set up my system with a fake SSH server and a fake SMB server that accepts all credentials and steals your account. Now I have access to your entire network! Nessus has several ways to prevent this, more so than other scanners, by supporting SSH keys and allowing you to import an ssh known_hosts file, and on the Windows side supports SMB packet signing. This post gave me some evil ideas for pen tests too :)
  14. Applying for a job? Give us your creds - [Mick] - I get that employers may want to know what potential employees do off hours... and I'm OKish with this. But handing over my usernames and passwords? OH HELL NO!!
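Story 13 above describes the defence against a credential-stealing fake SSH server: the scanner checks the server's host key against a known_hosts file and only authenticates to a host whose key it already trusts. The code below is an added example of that check, not the episode's code and not Nessus' implementation. It parses known_hosts entries in the OpenSSH format (plain host names, comma-separated aliases, hashed `|1|salt|hash` names and the `@revoked` marker), computes the SHA256 fingerprint OpenSSH prints, and returns a verdict before any credential is sent. The host names, salt and key blobs are constructed filler, not real keys.

```python
"""Verify a server's SSH host key against known_hosts before sending credentials.

Added example; it is not the episode's code and not Nessus' implementation.
It shows the check that a known_hosts import gives a credentialed scanner: the
scanner only authenticates to a host whose key it already trusts, so a rogue
server that accepts any login never receives the account's credentials. The
known_hosts text and key blobs below are constructed filler, not real keys.
"""
import base64
import hashlib
import hmac


def hashed_hostname_entry(hostname, salt):
    """Build an OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_field_matches(field, hostname):
    """True if a known_hosts host field (plain, comma list, or hashed) names hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(hash_b64), actual)
    return hostname in field.split(",")


def parse_known_hosts(text):
    """Yield one dict per entry; comments, blank and malformed lines are skipped."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        marker = tokens.pop(0) if tokens[0].startswith("@") else None
        if len(tokens) < 3:
            continue  # malformed line: needs host field, key type and key blob
        yield {"marker": marker, "hosts": tokens[0], "type": tokens[1], "key": tokens[2]}


def fingerprint_sha256(key_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    raw = base64.b64decode(key_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def verify_host_key(known_hosts_text, hostname, key_type, key_b64):
    """Return 'trusted', 'revoked', 'mismatch' or 'unknown' for the presented key."""
    verdict = "unknown"
    for entry in parse_known_hosts(known_hosts_text):
        if not host_field_matches(entry["hosts"], hostname) or entry["type"] != key_type:
            continue
        if hmac.compare_digest(entry["key"], key_b64):
            return "revoked" if entry["marker"] == "@revoked" else "trusted"
        verdict = "mismatch"  # host is known, but with a different key of this type
    return verdict


def should_send_credentials(known_hosts_text, hostname, key_type, key_b64):
    """Only a key that is trusted for this host gets the account's credentials."""
    return verify_host_key(known_hosts_text, hostname, key_type, key_b64) == "trusted"


# Constructed sample data (hypothetical hosts, filler key blobs).
SALT = b"constructed-20B-salt"   # 20 bytes, the length OpenSSH uses
GOOD_KEY = base64.b64encode(b"constructed host key blob, not a real key").decode()
ROGUE_KEY = base64.b64encode(b"constructed key offered by a credential-stealing server").decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "fileserver.example.internal,10.0.0.50 ssh-ed25519 " + GOOD_KEY,
    hashed_hostname_entry("dbhost.example.internal", SALT) + " ssh-ed25519 " + GOOD_KEY,
    "@revoked oldhost.example.internal ssh-ed25519 " + GOOD_KEY,
])

if __name__ == "__main__":
    for host, key in [("fileserver.example.internal", GOOD_KEY),
                      ("fileserver.example.internal", ROGUE_KEY),
                      ("dbhost.example.internal", GOOD_KEY),
                      ("newhost.example.internal", GOOD_KEY)]:
        print(host, fingerprint_sha256(key), verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The verdict that matters operationally is "mismatch": a host the scanner has scanned before that suddenly presents a different key is exactly the rogue-server scenario in the story, and the scan of that host should stop rather than fall back to password authentication. "unknown" is the first-contact case; populating known_hosts from a trusted source (a configuration management export, not the first scan) is what makes the check meaningful.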

Other Stories For Discussion

  1. Opera Browser beta opens up your machine to file sharing - [Mikep] - Beta version allows access to files/folders and pictures over the web ... Let the Black Hat games begin!
  2. No ties this year... - [Mikep] - Father's Day gift ideas for White, Black and Grey Hat dads.