SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 189 - For Friday, March 5th, 2010
- Community SANS AUDIT 507 Auditing Networks, Perimeters, and Systems - SANS is pleased to announce Community SANS Atlanta, starting March 15th. Mick will teach AUDIT 507: Auditing Networks, Perimeters, and Systems
- Notacon! - Mick will be presenting two talks and be a part of a panel discussion! You may also try to get him to discuss hockey! ;-)
- SOURCE Boston - Paul will be speaking at SOURCE Boston on April 22nd giving his new talk titled Embedded System Hacking and My Plot to Take Over The World
- QuahogCon - This will be the next conference that we will be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come and enjoy what's sure to be a great Con! [PaulDotCom] - Uhm, should mention that Larry is giving not one, but TWO talks!
- Mark Baggett teaches SANS 504 during SANS Raleigh 2010 on June 21st for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling!
- Also, please join our Mailing List, Forum, and sign up for the PaulDotCom Insider! New webcasts coming soon!
Non-Technical Segment: Top Ten Tips To Socially Engineer Management
10. Avoid Geeky Language - While you know that a reverse HTTPS connecting, process jumping backdoor installed on the domain controller is a bad thing, that means nothing to management. You have the tough job of putting the technical details into a report that is readable by management. I set aside one page of the report for this, and it takes the longest to write, so don't rush it. [Mick] - Don't use biz jargon if you don't know it cold. ROI, trade space, and total cost all have real solid meanings. Throwing terms around inappropriately is just like when your parents refer to the computer as the "hard drive" or "CPU". You sound like an idiot. What's that sound you're hearing? Oh, that's just your credibility falling down the well.
9. Don't Use The "-v" Flag - You have to be concise. This means your speech, Powerpoint, email, report, whatever, be to the point. This takes time too! I will put together my thoughts, then go over them an additional 2-3x to trim them down (trimming the fat so to speak).
8. Use Numbers - Saying, "We have a lot of vulnerabilities, but our Firewall stops a lot of them" doesn't cut it. How many? What percentage? You need to take metrics from all of your security initiatives and then present the most compelling ones to management.
7. Use Pictures & Video - While a picture speaks a thousand words, video speaks volumes. Nothing wrong with a screencast movie showing IP leaving, employees being socially engineered, etc... This really drives the point home. Plus, who doesn't like watching a movie?
6. Put it in terms of cost savings - Yes, security is an expense, but it saves money too. Use examples of how much breaches cost, compare that to ongoing security spending and come out ahead.
5. Use Examples Carefully - Examples of what other people are doing with security weigh heavily with management. No one wants to be the executive who is spending MORE than they have to on security, and they look at other similar businesses and organizations as a guide. I think this is bull, but it can help you make your case. Just be careful with it, it can bite you in the ass if you are proposing to do more than your peers (even though your business model and situation may be way different).
4. Use Familiar Analogies - Business people watch CNN, Fox News, etc... Watch and listen to those channels and use the same language. Just avoid politics though, and stick to business speak. [Mick] - Get lodged into their heads. Make and use slogans, sayings, or anything else to get inside someone's skull. For instance, after one long meeting I was exasperated and used a quote from the movie Marathon Man: "Is it safe?". Now our upper management asks me that when they see me in the halls. When this happens, you know the battle's half over. [PaulDotCom] - I call this the "elevator" quote.
3. Leverage Audit For Clout - We've talked about this, use Audit as a tool. Your goals should be in line with auditors.
2. Do Your Best To Fit In - Don't dress like a slob, cut your hair, cover the tattoos, etc... While I am not one to judge, many people do. It's sad,
1. Have The Meeting Before The Meeting - This is the best single piece of advice I can give you to be successful at your job. If you have a big meeting coming up, schedule individual meetings with those in attendance. It can even be coffee or lunch, or "I just want to run an idea by you". This allows you to gauge people's reaction and adjust your strategy. It gives people time to think about what you are proposing. It also builds your allies, which is the most important thing. You want to have people in the meeting agreeing with you, who will in turn gather more followers (kind of like Leadership Lessons From Dancing Guy). To be honest, this is how I got security implemented at the University. If I walked into a meeting cold and presented an idea for security, it was met with resistance 90% of the time. I greatly increased my chances by meeting before the meeting!
0. [Mick] Give solutions - Things are always going to go badly. All bad news must be accompanied with real workable options. You know why just about everyone likes firemen? They save the day. Any fool can point and shout "ZOMG there's a fire!"... Walking into the building, rescuing the kids and pets, and then putting that bitch out? You are a hero.
Stories For Discussion
- Ugh, time to find a new wireless tool - [Larry] - In an unexplained move, Apple removed most of the good WiFi detection tools from the app store, with no apparent, valid reason as to why. Why does this matter? One of the best ways to hunt APs (rogue or otherwise) is to use a high power wireless card in combination with a directional antenna for long range scanning, then a low power wireless card with an omnidirectional antenna (read as crappy) for close up work. Guess what real handy tool for that close up work meets the requirements that many folks already have? Yes, the iPhone/iPod touch…
- Once, twice, three times a lady - [Larry] - Wow, not only do Wyndham properties (the hotel chains) get owned, they get owned 3 times in 12 months. They claim that they are having auditors and PCI experts in to help. Suuuure you are. What about the first 2 times that happened? That and if that is all you are doing, it is pretty clear that those compliance checkboxes aren't enough…
- Never enough tools - [Larry] - Yeah, add this one to the pile, but the Web Security DOJO is out there. It includes tools AND targets. Something else to put in your bag of tricks for practice.
- Porn Detection stick - [Larry] - A new tool from Paraben to search Windows machines for porn by examining for flesh tones, even from deleted files (images only, not video). Funny enough, I didn't know this was new, as I've had a porn detection stick for some time…
- please press F1 for help - [Larry] - Hah, you just got owned. Really, who uses this help stuff anyways. Isn't that what Google is for?
- Bonus discussion point from Mick - Never say never. When someone at work asks for something you have to assume -- until otherwise proven -- that it's a legitimate need. Saying no just because it's easy is a great way to piss everyone off and once that happens they start working *around* you.
- DNS Registrars: Get your head out of your ass - [PaulDotCom] - This is a great example of something I've been talking about lately: If profit is your only motive your business will follow a bell curve. Sure, the more domains that get registered, the better, but to what end? Someone was able to register google-analitics-dot-net, as "?????????" in the Province of "Taliban". Way to go guys. How crappy does the Internet have to become before you actually take responsibility for your own shit? If we all took a little more responsibility, the Internet may be a much less crappy place. I understand you have to make money, but aren't we all making money in a much happier place if there are some security standards and common sense being put in place?
- Simple Fuzzing - [PaulDotCom] - I really can't stand the following attitude, "Well, if something is not perfect then we can't implement it or even consider it". This is the attitude that will get you into trouble. Fuzzing is a great example. Fuzzing is not perfect, it's an art and a science all rolled into one. Sometimes you're not given time to fuzz something because, "well, you may not find any bugs". I used to get this argument a lot, in fact every time I proposed a security measure at a particular place, there would always be someone to argue this point. The fact is, nothing you do is perfect, but doing nothing isn't going to help either. So, take the time to fuzz, and do all those security things that are not perfect. Why? You will only find success if you try. On a technical note, my friend Daniel has a nice little Python code snippet you can use to get started on fuzzing!
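Daniel's snippet is not reproduced in these notes, so here is an added, self-contained example (not from the show or its guests) of what "getting started on fuzzing" your own code looks like: a deterministic mutation fuzzer run against a constructed toy record parser that trusts its length field. The parser, its seed input and the mutation strategy are all assumptions made for this example.

```python
import random

def parse_record(data: bytes) -> dict:
    """Constructed toy parser: [len][name bytes][checksum].
    Defect for the fuzzer to find: the declared length is trusted,
    so a lying length field walks the checksum read off the end."""
    if len(data) < 2:
        raise ValueError("too short")        # clean rejection, not a bug
    length = data[0]
    name = data[1:1 + length]
    checksum = data[1 + length]              # IndexError if length lies
    return {"name": name, "checksum": checksum}

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations to a known-good input."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "magic"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)          # flip one bit
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
        elif op == "magic" and buf:
            # boundary values that tend to upset length/sign handling
            buf[rng.randrange(len(buf))] = rng.choice((0, 0x7F, 0x80, 0xFF))
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> list:
    """Run mutated inputs through target; a ValueError is the parser
    correctly rejecting garbage, anything else is a bug to report.
    Returns (input, exception name) pairs so each crash is reproducible."""
    rng = random.Random(rng_seed)            # fixed seed => repeatable run
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes

SEED = b"\x05alice\x2a"                      # constructed valid record

if __name__ == "__main__":
    for case, kind in fuzz(parse_record, SEED, 500)[:5]:
        print(kind, case.hex())
```

Even this crude fuzzer finds the unchecked length within a few hundred iterations; the fix is to reject any record where `len(data) < length + 2` before indexing.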
- North Korea makes a linux distro - [Mick] - This can only mean one thing. CYBERWAR! Sigh. Well at least that's what the pundits will say, because they are lame.
- Google hacking in real time! - [Mick] - Being able to google dork as folks leak the data? I'm giddy with the possibilities!
- Using WiFi signal locators to steal laptops! - [Mick] - So you put your laptop in your trunk... ok good. But I, err "Bob" might be able to find it by using one of these!
Other Stories Of Interest
- If you throw away your console, the terrorists have won - Afghan raid turns up PlayStation parts - yet *another* item to add to the TSA "dangerous items" list!