Episode160

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 160 - July 16th, 2009

  • DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in Defcon Poetry jam with the tantalizing title of "FAIL". We will also be having an invite-only party, but you'll need a PaulDotCom badge....

Episode Media

mp3

Special Guest Interview With David Rice

David is the author of Geekonomics: The Real Cost of Insecure Software

From the website:

Geekonomics is about the lack of consumer protection in the software market and how this loss impacts economic and national security. Software buyers are literally crash test dummies for an industry that is insulated against liability, accountability, and responsibility for any harm, damages or loss that should occur because of manufacturing defects or weaknesses that allow cyber attackers to break into and hijack our computer systems. As a matter of good public policy, this is unacceptable and must change.

  1. Is "good" code "Secure" code? Is there a difference? How do we get programmers, especially new ones, to think about security and writing secure code?
  2. So many times we have seen organizations purchase software solutions in a "bundle". That is they deliver a system running their custom software on an off-the-shelf operating system. However, the operating system can't be patched because it will break the software. Organizations keep buying the software, so how do we break the cycle?
  3. Secure software costs money (Portland cement and the process to validate it takes time :) Businesses often just flat out will not spend the money on it, even when confronted with the consequences. How do we turn the tables and convince organizations to create secure software?
  4. Your book mentions meta-level changes that need to happen to help correct the current situation and shift the market forces in a direction where security will matter. Assuming these don't come to pass (some of these things will likely not happen) what are some things that "line workers" can do to help make things better from within? Is there anything to be done?
  5. Every single person I've been able to get to read the book has really found it to be an eye-opening experience. The problem is they all work "in the biz". What response are you getting from non-security folks?
  6. The book "The Jungle" caused an uproar for food safety. In spite of all the data breaches, it seems the public at large doesn't really care all that much about security. Do you think they ever will? If so, what's it going to take?
  7. During the research of "Geekonomics", what was the most unexpected or pleasant surprise?

Group Tech Segment: Nmap Version 5.00 Released!

What a treat, Nmap version 5.0 released! W00t!

We get some treats with NSE, such as:

3306/tcp open  mysql   MySQL 5.0.18
|  mysql-info: Protocol: 10
|  Version: 5.0.18
|  Thread ID: 49
|  Some Capabilities: Connect with DB, Compress, SSL, Transactions, Secure Connection
|  Status: Autocommit
|_ Salt: s/,2S-$my9MVKSB-[bZ|

Zone transfer:

53/tcp open  domain  ISC BIND Hack Naked
|  dns-zone-transfer:
|  pauldotcom.com               SOA     localhost root.localhost
|  pauldotcom.com               NS      localhost
|  pauldotcom.com               NS      madmonk.pauldotcom.com
|  wrt-bridge.pauldotcom.com    A       192.168.1.40
|  freebsd62.pauldotcom.com     A       192.168.1.23
|  kwan.pauldotcom.com          A       192.168.1.15
|  wrt-basement.pauldotcom.com  A       192.168.1.91

Wireless router support:

80/tcp   open   http     Intoto httpd 1.0
|  http-auth: HTTP Service requires authentication
|    Auth type: Basic, realm = WRT54G
|_   HTTP server may accept admin:admin combination for Basic authentication
|_ html-title: 401 Unauthorized
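The three NSE outputs above each carry a finding a defender wants pulled out automatically: a name server that hands out its whole zone, an HTTP realm that may still take a default password, and a database that discloses its version before authentication. The following is an added example, not code from the page or from the Nmap project: a small parser for Nmap's normal-output port and `|`-prefixed script lines, plus a triage pass that turns those three script results into findings. The sample text is constructed to mirror the output shown above (host names use the documentation domain `example.test`, addresses the 192.0.2.0/24 documentation range), and the severity labels are this example's own convention.

```python
import re

# Constructed sample in the shape of nmap's normal output, modelled on the
# NSE results shown above (names and addresses are documentation values).
SAMPLE = """\
53/tcp open  domain  ISC BIND 9.4
|  dns-zone-transfer:
|  example.test               SOA     localhost root.localhost
|  example.test               NS      localhost
|  host1.example.test         A       192.0.2.40
|  host2.example.test         A       192.0.2.23
80/tcp   open   http     Intoto httpd 1.0
|  http-auth: HTTP Service requires authentication
|    Auth type: Basic, realm = WRT54G
|_   HTTP server may accept admin:admin combination for Basic authentication
|_ html-title: 401 Unauthorized
3306/tcp open  mysql   MySQL 5.0.18
|  mysql-info: Protocol: 10
|  Version: 5.0.18
|  Thread ID: 49
|_ Salt: constructed-salt-value
"""

# "PORT STATE SERVICE VERSION" line, e.g. "53/tcp open  domain  ISC BIND 9.4"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# First line of a script result: "|  script-name: text" or "|_ script-name: text".
# NSE script names are lowercase, so continuation lines such as "|  Version: 5.0.18"
# (capitalised key) do not match and are kept with the current script.
SCRIPT_RE = re.compile(r"^\|[_ ]\s*([a-z0-9][a-z0-9-]*):\s*(.*)$")


def parse_nmap_output(text):
    """Return a list of port dicts, each with a scripts -> list-of-lines map."""
    ports = []
    current = None
    script = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": {}}
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m.group(1)
            current["scripts"][script] = []
            if m.group(2):
                current["scripts"][script].append(m.group(2))
        elif script is not None:
            # Continuation line: strip the "| " prefix and surrounding whitespace.
            current["scripts"][script].append(line[2:].strip())
    return ports


def triage(ports):
    """Turn the parsed script results into (port, severity, message) findings."""
    findings = []
    for p in ports:
        s = p["scripts"]
        if "dns-zone-transfer" in s:
            # Every non-empty line under the script is one record the server handed out.
            records = [l for l in s["dns-zone-transfer"] if l]
            findings.append((p["port"], "HIGH",
                             f"zone transfer allowed: {len(records)} records exposed"))
        if "http-auth" in s and any("may accept" in l for l in s["http-auth"]):
            findings.append((p["port"], "HIGH",
                             "default credentials may be accepted for HTTP Basic auth"))
        if "mysql-info" in s:
            ver = next((l.split(":", 1)[1].strip() for l in s["mysql-info"]
                        if l.startswith("Version:")), p["version"])
            findings.append((p["port"], "INFO",
                             f"MySQL version disclosed before authentication: {ver}"))
    return findings


if __name__ == "__main__":
    for port, sev, msg in triage(parse_nmap_output(SAMPLE)):
        print(f"{port:>5}  {sev:<4}  {msg}")
```

On a real scan you would feed this the saved normal output (`-oN`) or, better, parse the XML from `-oX`, which is the stable machine-readable format; the text parser here is only to show the triage step over the output exactly as it is printed above.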

I was experimenting with ncat; after 15 minutes I gave up, and this is only half working:

# printf instead of echo -n (portable under the /bin/sh that --sh-exec uses), read -r keeps backslashes, tr strips the CR a telnet client sends with each line, >> appends instead of overwriting
ncat -k -vv -l 23 --sh-exec 'printf "Enter Username: "; read -r user; printf "Password: "; read -r pass; printf "%s:%s\n" "$user" "$pass" | tr -d "\r" >> test'

I like the idea of using ncat as a fake server; there are more examples in the docs. I was trying to create a fake TELNET server and log usernames and passwords. It would be neat to have these scripts working.


Stories For Discussion

  1. Metasploit Unleashed! - [Larry] - Mmmm, great way to learn about metasploit, and to help a good cause. Written/endorsed by the folks who write and use metasploit....
  2. Disappointed in MOTB - [Larry] - I am Larry's sense of disappointment, in the month of twitter bugs. To the best of my knowledge, there have been no bugs actually disclosed about twitter itself, or the API, only tools that USE the API.
  3. MOTB might be a bust, but all's not well - [Mick] - Twitter has become a hotspot for attackers, because it's now so pervasive. Plenty of room for improvement!
  4. Love them 'sploits - [Larry] - Yeah, so you see the cool 'sploits used by some folks in their disclosures, and when you find it online you think it would be a good idea to use it. Nice, because if you don't understand the code, it rm -rf's your box.
  5. Information gathering from TweetMyPC - [Larry] - Install the app, and have it follow a twitter stream. Issue commands to control your workstation. Nice, except you can tell it to take screenshots that get posted to TwitPic that we can now analyze.
  6. Necessity is the mother of invention - [Larry] In response to proposed French laws (HADOPI), ISPs were forced to disconnect users after 3 unsubstantiated claims of copyright infringement, so "N" created a router firmware that cracks keys of all other wireless routers in range, and then uses them as an AP...
  7. 1 in 10 admit to buying products offered via SPAM - [mikep] - and that's just the number who admitted it in the survey. By the way, need help in your lovelife?
  8. I.E. 6 is a workhorse at work - [Mick] - I.E. 6 is still clinging to the marketplace, yet folks are not upgrading away. Why? Please make our pentests more interesting! kthxbie!
  9. 3 reasons USA is not #1 when it comes to InfoSec - [Mick] - Wired throws down the gauntlet! And I have to say I agree with them. The tone might be a bit harsh, but truth can sting.
  10. Firefox 3.5 sploit in the wild! - [Mick] - No patch yet! Ugh. Until a patch is available, run NoScript or some other add-on which prevents javascript from auto-firing.
  11. nmap, Get your nmap! Hot fresh nmap here! - [Mick] - Fyodor is still on my folks I owe beer list. We luv us some nmap, and there's so much more now. The best keep getting better! w00t!
  12. Paypal vs. Hackers For Charity - [Mick] - It seems everyone was talking/tweeting/IMing about this. It got fixed quickly, which is nice.
  13. What do you mean "no backup" - [Mick] - Losing the private key is bad. Losing the only copy is really bad. Having to re-issue health cards for all of Germany because of this is FAIL!
  14. Anti-Sec posts a manifesto - [Mick] - ImageShack was the unwitting messenger for Anti-Sec's manifesto.
  15. You got spyware in my update! - [Mick] - This is just really strange... if you're going to snoop on your customers, there are easier and more subtle ways of doing it.
  16. Free Metasploit On Demand Course - [PaulDotCom] - I think this is great, videos cost money, but PDF and labs are free, videos cost $$ which goes to Hackers for Charity. Nice! I want to see the quality of the training presented in this manner and how often they will update it (The dev tree is changing daily).
  17. DHCP Vulns - [PaulDotCom] - This one looks like a vuln in the DHCP client on Linux. That's awesome, if I set up a rogue DHCP server, not only can I MiTM people, but I can pwn them as well! Sweet! I wonder how many embedded systems have this? Lots?!
  18. Do you need a dedicated hands-on security department? - [PaulDotCom] - I've been in the thick of this argument, and will take the side that you need dedicated security people. No question, you need people who live, eat, breathe security; it cannot be left to everyone else and just baked into their jobs. It cannot be enforced by risk management. You need a get-your-hands-dirty security person to analyze packets, watch for new threats, get trained on the latest threats/defenses, beat IT departments who don't do things securely, and pen test, yes, pen test, the internal network. If you don't have this, your network will be used to participate in a botnet and you will have no clue it's happening.
  19. Don't Be Blind to Web Attacks - [PaulDotCom] - Most people do get caught up in "blocking" attacks, or at least trying. There is so much value in logging and detection that you should never lose sight of it. Use a WAF to log the attacks coming at your web server, and validate whether they were successful! This is so useful; it requires some manual testing, but is well worth it!

Other Stories For Discussion

  • Hackers want your BRAAIINS - [Mick] - Sigh. Sure it'll be neat, but we're ages off from this. Let's worry about buffer overflows and lack of input validation in today's apps.
  • Win '95 on the iPhone? - [Mick] - Yar! No thank you. At least it wasn't WindowsME  ;-)
  1. Nice TV B Gone Build
  2. Paris Hotel FAIL