Episode191

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 191 - For Thursday March 18th.

  • Notacon! - Mick will be presenting two talks and be a part of a panel discussion! You may also try to get him to discuss hockey!  ;-)
  • QuahogCon - This will be the next conference that we will be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come and enjoy what's sure to be a great Con! [PaulDotCom] - Uhm, should mention that Larry is giving not one, but TWO talks!
  • Also, please join our Mailing List, Forum, and sign up for the PaulDotCom Insider! New webcasts coming soon!

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Nessus Scanning Through a Metasploit Meterpreter Session

Nessus Scanning through a Metasploit Meterpreter Session

Guest Interview: Richard "Bonecrusher" Bejtlich and Ron "Tenacious" Gula

INFO

Richard B., Director of Incident Response at GE, and Ron Gula, CEO of Tenable Network Security, will debate the pros and cons of having a strong IT controls program versus having one focused on responding to threats. There are many perceived advantages and disadvantages to both strategies from a cost, scalability and effectiveness standpoint. Mr. Gula will attempt to espouse the benefits and defend the practice of a controls program, while Richard will enumerate the positive aspects of a threat-centric monitoring program.

Questions

  1. Ron, please describe what you mean by an IT security program focused on controls.
  2. Rich, please describe what you mean by a monitoring program using a threat-focused model.
  3. I guess the obvious question is, shouldn't you do both, be certain to have a control process and a threat-focused process?
  4. Using controls as the focus, is this just making sure all of the checkboxes are checked? Is this really security?
  5. If you are focusing on the threats, does this put you in a "firefighting" mode most of the time and take away from building your security program?
  6. Recently there has been some debate on "APT", could you both describe what this term means to you and what you believe people should know about it?
  7. While APT may not be anything new, many organizations will not adapt or change their security program until there is "buzz" about a certain aspect of information security. Should we ride this wave to get management to change, or have we already failed?

Stories For Discussion

  1. Apple Should Hire Charlie Miller - [PaulDotCom] - At this year's CANSECWEST conference Charlie will reveal 20 zero day vulnerabilities he found using fuzzing techniques against OS X. They include libraries, components such as Preview, and 3rd party apps such as Flash. He describes the differences in security between OS X and Windows as, "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." I also find it interesting that he states, "They sell lots of computers and nobody doesn't buy Apple computers because of a perceived lack of security. So in their minds, they don't have a security problem until it affects their bottom line, which hasn't been the case, yet". And this continues to be the larger problem: since it's cheaper in the short term to ignore security, this is what companies will do.
  2. Hacker Bricks 100 Cars - [PaulDotCom] - I thought it was fun to brick WRT54Gs! So, this technology uses a pager service that allows the dealer to do two things in the case of non-payment. Dealers can send a signal to the cars whose owners have not paid their bills to disable ignition and/or sound the horn. Forget to pay your bill? How about a horn blaring every night at 3AM? Going to work? I don't think so! It can't be used to stop a running car, but in any case this hacker set off the horn on about 100 cars and killed the ignition. It was a former employee, 20 years old. This is an important lesson for everyone about insider threat. To be an "insider" you don't have to be a current employee. To combat this threat, lock down your stuff inside the firewall! We've preached this over and over, but expire user accounts, change passwords, logging, using secure protocols, etc. I used to work for a company that, let's just say, had a lot at stake. They used TELNET on the internal network to login to all of the test and production systems and thought it was safe because they were behind the firewall. Not only that, but most of the passwords were easily guessed and shared amongst users. This is NOT how you want to roll.
  3. FBI Agents are on Facebook - [PaulDotCom] - So, the captain privacy people of the world are up in arms because there are FBI agents pretending to be regular people on Facebook. I say good, they should be monitoring for criminal activity. I think this goes along the lines of defenders being more offensive (no pun intended). If criminals are lurking on these social networks, shouldn't law enforcement be hanging out there too? And if any Joe Schmo can create a Facebook account, why is that out of scope for law enforcement? You will cry privacy until one of your family members is the victim of a heinous crime that was perpetrated on a social network.
  4. Happy Belated St. Patrick's Day! - [PaulDotCom] - Storm troopers are funny. Here's a question: did the Empire rebuild the storm trooper army after wiping out the Jedi, or is it in fact the same army that was previously used by the Jedi and the Republic?
  5. More Insider FAIL (or WIN) From TSA - [PaulDotCom] - So, question for you all, how would you detect malware placed on a server by an insider? Tougher because they know the system?
  6. New Study Says People Would Rather Be On Facebook Than Have Sex - [PaulDotCom] - So THAT'S what the FBI is doing on Facebook, getting out of having sex with their spouse? :)
  7. Does this mean I can crack your codez? - [Mick] - From the long range department -- Looks like they've made a basic quantum circuit. This is really interesting because we've all been told that quantum systems will be so fast that crypto as we know it just won't work. Stay tuned, and be patient.
  8. Use your computer and go to jail? - [Mick] - Listeners of the show are aware of these things... however, a *shocking* number of folks don't know about these matters... or worse yet, they believe the laws don't apply to them for certain exceptions that don't exist.
  9. Social media suicide - [Mick] - Kevin Johnson and Tom Eston have been pwning folks for their own good. However, sometimes you have to do the honorable thing and kill your accounts!  ;-)
  10. Smart meters expose your privacy - [Mick] - The EFF is alerting folks about a new item to be concerned about... your privacy. From a recon perspective, higher resolution of detail on how you use your home is a great thing. What protections will be put in place to ensure we're safe?
  11. I suppose it's better than pleaserobme.com - [Mick] - TMI! Please just stop.
  12. Privacy in the EU getting better - [Mick] - It looks like a German court has made an important decision that will eventually lead to the tighter controls of what info can/can't be collected and how it must be stored. Why can't the USA be number one in this field? Come on! USA! USA! USA!
  13. Twitter now checking URL shortening links - [Mick] - This is really good news. 'Bout time!
  14. 100 cars disabled - [Larry] - The former employee messed with 100 cars by using another employee's password to manage the web based Webtech Plus system. Yikes, a few lessons to learn here: Disable accounts when staff leave. Perform an appropriate audit, including getting passwords changed, even for some staff. Don't web enable your vehicle shutdown mechanism. Get that black box out of my car, now.
  15. Rsnake on the effectiveness of user training - [Larry] - So, really what is the time tradeoff between dealing with the fallout from phishing, to reacting to UAC and such, when the protection likely doesn't work to begin with…
  16. Mac users thought they were safe - [Larry] - Charlie Miller is at it again for Pwn2Own this year, hinting that he has 30 unknown vulnerabilities in his back pocket - 20 of them in Preview, the built-in OS X PDF viewer.
  17. MS Virtual PC memory fail - [Larry] - The vulnerability report sums it up nicely: "A vulnerability found in the memory management of the Virtual Machine Monitor makes memory pages mapped above the 2GB available with read or read/write access to user-space programs running in a Guest operating system. By leveraging this vulnerability it is possible to bypass security mechanisms of the operating system such as Data Execution Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and Address Space Layout Randomization (ASLR) [3] designed to prevent exploitation of security bugs in applications running on Windows operating systems. Thus applications with bugs that are not exploitable when running in non-virtualized operating systems become exploitable if running within a guest OS of Virtual PC. In particular, an application running on Windows 7 in XP Mode may be exploitable while the same application running directly on a Windows XP SP3 system is not." In other words, you should not be relying on DEP or ASLR to cover your ass.
  18. Analysis of the Logitech Mouse Server - [Larry] - Yes, this one is simple, but a great analysis. Who thought that taking unauthenticated network traffic, in cleartext, as input for a keyboard was a good idea?
  19. DNSCAT rocks! - [Mark] - Ron Bowes strikes again. DNSCAT has been weaponized and a Metasploit payload was created. Carry your shell over DNS.

Other Stories Of Interest

  1. Battlestar MMO - [Mick] - oh man... let's see how much more time I can sink into this franchise  ;-)