SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 193 - For Thursday April 1st.
- Notacon! - April 15th - 18th in Cleveland, Mick will be presenting two talks and be a part of a panel discussion! You may also try to get him to discuss hockey! ;-)
- SOURCE Boston - Paul will be speaking at SOURCE Boston on April 22nd giving his new talk titled Embedded System Hacking and My Plot to Take Over The World
- QuahogCon - This will be the next conference that we will be attending. We will have t-shirts and other special things to give away and sell. Larry is giving not one, but TWO talks!
- Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at [Brucon http://blog.brucon.org/2010/03/announcing-brucon-training-5-advanced.html] and [Black Hat Las Vegas http://www.blackhat.com/html/bh-us-10/training/bh-us-10-training_TEN-AdvNessus.html]!
- Mark Baggett teaches SANS 504 during SANS Raleigh 2010 on June 21st for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling!
- Hacker Techniques and Incident Response with Ed Skoudis and John Strand, in your living room via SANS vLive! Pants are optional. IN504 gets you 25% off.
Guest Interview: Johannes Ullrich
As chief research officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida. He also enjoys blogging about application security tips.
- How did you get your start?
- Is there any overlap between physics and the computer security industry?
- IPV6. How many do you see using it? What are the issues? Are people securing it appropriately?
Stories For Discussion
- Imbeding chips where? - [Mick] - It's one thing to stick silicon chips inside of you. It's another thing entirely to put them *inside* cells. The optoins this brings the medical field are staggering, but I'm sure Bob can think of some other fun things too!
- More troubles with SSL? - [Mick] - Nice article on governments forcing CAs to cut legitimate certs so they can easily MITM an SSL session.
- Step-by-step bot analysis - [Mick] - Thanks Ron Bowes for such a great write-up on the trojan that was in the Energizer UPS software. If you're new to this type of forensics, this is a *great* read!
- OMGPDFBBQ - [Larry] - Didier is up to it again! He's now got a POC PDF with embedded cmd.exe. Embedded, as in, bring your own executable. Sure Adobe Reader requires some social engineering, but he can tailor the message that comes up to be exactly what he wants - no need for additional messages. Ok, switch to Foxit? The problem is worse - it opens with no prompting. Didier promises more to come. I challenge him to deploy ME via PDF. [Mick] "Larry deployed"! ;^)
- F-Secure's new RickRoll Protector - [Larry] - So far the best April Fool's joke I've seen this year. We really do need this protection, so go here to tell them you really want it. :-)
- Learning Incident response from Real life actions - [Larry] - While the story is sad, where mistakes are made and someone dies, it shows great lessons that can be learned for operational security and incident response processes.
- Windows 7 Less Vulnerable Without Admin Rights - [PaulDotCom] - Reducing priveleges is bullshit. First off, there are privelege escelation exploits that work on Windows 7. Second, a company that makes software to restrict priveleges came out with this study, WTF? Second, reducing privleges does not prevent successful attacks, it just adds a step for the attackers. So, if you can do it easily, go for it, otherwise focus on stuff that actually works to protect your network (like management, monitoring and control of the desktop, not just limiting priveleges.). Microsoft also said in 1999 that: "...people who have administrator privileges can maliciously or accidentally damage your organization if they copy or delete confidential data, spread viruses, or disable your network." First, I don't need to be admin to delete or copy confidential data. If I compromise a user who can copy or delete that data (and most users can copy of delete their own data!) then I don't need admin. I can also spread viruses as a non-admin user by infecting documents and programs that the user has access to, or even attacking hosts on the same network. Disabling the network is also pretty simple, as I can connect to other hosts as a non-admin user and exploit vulnerabilities in network gear (such as weak passwords) and take over the network. While root is great, its over rated. And even if you need it, its there if you want to work for it.
- Keyboard Sniffing - A whole new level - [PaulDotCom] - So we talked about the initial keyboard sniffing hardware and software called "Keykeriki", which was focused on sniffing and injecting into keyboard receivers operating at 27Mhz. That was all good (we even tried to get a demo and do a video of this, not sure where that went...). However, this was primarily limited to Microsoft keyboards, and has a very short range (90cm). Still cool though! The new release of Keykeriki is v2, and now supports a proprietary protocol on 2.4Ghz using a Nordic chipset. This chipset is used in Microsoft and logitech keyboards. I'd imagine this has a greater range as well, and they have it working so you can sniff and inject keystrokes. Here's the thing, this chipset is used in vehicle disabling systems, helicopters, sports instruments, voting systems, and even computer speakers. This is scary and something we have to keep an eye on for sure. We will, of course, attempted to get the hardware and build one!
- iPad Security In The Enterprise - [PaulDotCom] - Why is it that whenever a new device comes to market, people speculate about "OMG, how will the enterprise handle this!". They also seem to state, "Wow, I hope our users don't ever use that technology, it sounds insecure". This is the type of thinking that has put us at a signifigant disadvantage against the attackers. Attackers are going to use new technology, and they are going to exploit it to get at your data, whether you have a freaking policy or not! New technology such as this should mean absolutely SQUAT to your security strategy, and if it does you are already screwed. Here's one person's thoughts on what it should mean and my response to each:
- "Consumerization of IT: iPad will continue to drive this trend. If IT teams do not already have policies and procedures around the use of personal technology in the workplace they need to implement it now. If it hasn¿t been updated in the past year, it should be." - [PaulDotCom] - Policy and procedures will do little to stop people from using their phones and devices to access company applications and email. Just face it, its going to happen and aren't your employees more productive as a result? What are you trying to protect by limiting which systems can access your applications? okay, so someone may not patch their system and access your application, and that could be bad, but that could happen to any system. Furthermore, your application should have some intelligence to detect unauthorized access. Why is a user logging in when they are on vacation?
- "Data Leakage Protection: The more that consumer-level devices can be used in business processes, (email, Web-based applications, SharePoint, etc.) the more an organization¿s data is at risk to leakage outside the organization. Is your corporate data protected/encrypted before it can be introduced on an iPad?" - How does encrypting the data help when you are trying to protect it from the user? The user will need the keys to decrypt it, which is also stored or entered into the same device. Doh! Everyone gets on this rant, "we have to encrypt our data". Thats good, I agree, but doesn't help when you take into account a user access device that has been compromised. The keys are usually in memory or keystroke logger away!
- "Browser-based Vulnerabilities: The iPad¿s browser, like the iPhone and Mac OS browsers is based on the WebKit open-source browser project. Add Google Chrome to that list, and you have enough nodes to make WebKit a meaningful target for the hacker community." - Look, all browsers are vulnerable. If you don't have a strategy, beyond patching, to deal with browser insecurity, you have a problem. How is the browser on the iPad any less or more vulnerable than a browser on a corporate laptop using Wifi at a Starbucks? Just because you have patch management you feel safe? Right, because there are no IE 0day exploits, ever. And that corporate web app that still requires IE 6, that is critical to your business, poses no risk what so ever, right? Yea, its all the new technology in use by empoyees thats the REAL risk. As Borat would say, NOT! (Sorry to said person who wrote this, i did not mean to pick on you).