SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
Security Weekly - Episode 196 - For Friday April 23d.
- QuahogCon - going on this weekend in Rhode Island. We will have t-shirts and other special things to give away and sell. Larry is giving not one, but TWO talks!
- Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at Brucon and Black Hat Las Vegas!
- Mark Baggett teaches SANS 504 during SANS Raleigh 2010 on June 21st for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling!
- Pen Test Summit! - June 14-15, 2010. The 2010 SANS What Works in Penetration Testing & Vulnerability Assessment Summit features an agenda loaded with brand-new talks from the best penetration testers and vulnerability assessment thought leaders in the world. This must-see event lets attendees interact directly with industry leaders, discussing tough technical and operational issues to get the most value from penetration testing and vulnerability assessment expenditures.
- Hacker Techniques and Incident Response with Ed Skoudis and John Strand, in your living room via SANS vLive! Pants are optional. IN504 gets you 25% off. http://www.vergenet.net/~conrad/scripts/pants.html
Tech Segment: http://WWW.SECURITYFAIL.COM
The purpose of this site is to document security failures in various technologies. Users are encouraged to submit stories and articles detailing how various technologies have failed you in terms of security.
I will provide an example: HNAP (Home Network Administration Protocol)
Tech Segment #2: "Distributing SSH for fun and profit"
Lately I have been having a number of students ask how they can do Incident Responses on a large scale. Sure, there are a number of different resources available for checking to see if a given system is compromised, but there is very little to help a person in then midst of an incident with hundreds or possibly thousands of systems that are compromised.
We have covered the wonderful world of wmic with Mick in the past and how we can distribute our commands by specifying a list of system names or IP Addresses. However, we have yet to cover how to do this with Linux. Anything worth doing is worth doing with SSH.
The fist tool we are going to talk about is pdsh This excellent little utility allows you to run you commands across multiple systems and get the results back in such a way that it can be quickly reviewed.
There are also some other tools that you can use like fanout and fanterm from Bill Stearns.
Regardless of the tool you use you will most likely be utilizing key-based authentication. Also, keep in mind the worst time to learn and set up these tools is in the middle of an incident.
Finally, anything that I covered here can also be implemented in a Nagios check via check_by_ssh. I recommend taking the core commands you would run in an incident and automating them so they happen every hour. That way there will be somewhat less of a scramble in an incident to collect the data.
Stories For Discussion
- Top 10 Ways to Access Blocked Stuff on The Web - [Paul] - Or how to get pwned is more like it. This is a list of little "tips and tricks", however, be careful as it recommends several browser add-ons, password managers, and opening up ports on your router! If you don't know what you are doing, its best to avoid stuff like this, unless you want malware on your computer. Also, be careful you are not violating company policy, you'll get fired.
- Data Redaction - [Paul] - People, learn how to redact your data, its not hard. I also found it interesting that HR departments will attmpt to look at the track changes inside Word documents. What is the best document format, a carefully crafted PDF? What is the best and easiest way to remove the track changes information? I'm going back to vim to write all my documents thank you very much.
- Here's a Patch, oh wait nevermind - [Paul] - Turns out the patch for MS10-025 isn't really a patch and doesn't fix the vulnerability, which BTW only affects Windows 2000. Wait, who is still running Windows 2000? Go to your network right now and perform an OS fingerprint scan of the whole thing, then unplug Windows 2000 systems. There, I just helped you make your network more secure, no charge :) Seriously, have a plan to update your systems, not only will they run better, be supported, but they will be more secure. When you buy software ask the vendor what platforms the software runs on, and if they say "only Windows 2000", run, and run far away from that.
- Use Anti-Virus Software The Smart Way - [Paul] - So, Mcafee made a big mistake this week. Mistakenly identifying services.exe on Windows XP sp3 systems as a virus. Oops. You can do one of two things (or both) send AV updates to a smaller subset of systems first (say your test lab, select IT workstations) and se if they are okay, or stagger your updates as Dale points out so all systems don't get an update at the same time. I say do both, and that goes for patches too. Desktop management is not rocket science, it just requires lots of planning and management of resources.
- 10 Quick, Dirty and Cheap Things to Improve Enterprise Security - [Paul] - Some great things in this article, some of which we've talked about on the show too. Its really about common sense, and this is a nice article that is a must read. I can't even find any obvious holes to poke in it like I do with so many other articles :) great job guys!
- Vuln Disclosure is Rude - [Paul] - This continues to be an issue, and to a certain extent Rober is right, disclosure is seen as rude. Its like telling your neighbor that they smell, its just not going to go over well. The Attrition blog is a must read, and covers the pain of disclosure as it relates to smaller companies. After talking about this subject more and more, I'm leaning on the side of full disclosure. Give the vendor a quick chance to do something, then just release it. This will make them patch it quicker, and lets be honest with ourselves, there are TONS of 0days out there.
- Taking Penetration Testing In-House - [Paul] - First, I'm not convinced that even the most highly skilled attacker could test a network and not crash something. No matter how experienced you are, I've seen stuff crash just from even talking about sending it a packet. So, thats just BS. Second, if you have critical systems, you have to test them, and you should be TRYING TO CRASH THEM. The difference between an experienced tester and an inexperienced tester is knowing why it crashed and helping to fix it so your systems are more reliable. If you are of the attitude, "oh, I don't want any security testing because it may crash something" you are already screwed because something is going to trigger a crash, and you're going to spend a lot of time and money trying to figure out why. Guess what though, when something crashes by accident or from an attacker, good luck figuring out why.
- 9-year old hacks Blackboard - [Paul] - Once upon a time a security professional found some vulnerabilities in this product and changed the purchasing decision of a university. The security of this product has been horrible ever since, and now its been hacked by a 9-year old. It begs the question, "Why do we purchase crappy software?".
- McAfee update causes Windows XP SP3 machines to perform Seppuku - [MikeP] - Welcome to the world of QA, McAfee!
- Metasploit Express - [Larry] - Here is the beginning of the commercial offerings from Rapid7 with respect to metasploit. Looks to be a wrapper to the continued to be free framework, enabling easier use of many of the features. I think that this has been one of the challenges of metasploit for a newcomer, is that it isn't particularly easy to use. Honestly, I think that this is a good thing, as long as it remains affordable.
- Stored documents on MFC devices. - [Larry] - This may be something that may be obvious to us, but not to many responsible for the folks in charge of our office equipment. I think some education is in order on the of overlooked devices. A few things to note, that most MFC devices that have some storage do store documents for a short, limited time (often 10 docs or 3 days with FIFO) even without the use of any of the "Document Server" functionality. Other things to think about, Yes stored FIFO, but depending on the disk format, it may lead to lots of files remaining in slack/free space on the drive, prime for some forensic recovery techniques.
- Twitchy back from the dear, or Mars - [Larry] - Nothing like releasing some flaws in the underlying protocols and transfer of information for cell phone networks. Fixing would apparently require breaking much of the system. On other notes CallerID spoofing made illegal, so questionable about reproducing efforts? Wait, so make it illegal to spoof caller ID, that means no one will do it? Yeah, right. The research was also done prior to the laws…and there will likely always be someplace on earth where it is still legal - just move your haven.
- Tragedy scammers - [Larry] - We hear it every time; some disaster happens and the scammers come out of the woodwork to register domains and take your money while you are trying to help out. Well, apparently the scammers are taking pause on the latest issue with the Icelanic volcano Eyjafjallajökull (yeah, say, spell and search for that one 10 times fast). Of course, for most people it is a difficult one to deal with, but they forgot one small demographic that should have no problem - Icelanders. I guess there was no ROI.
- The elephant in the room - Mcafee bad DAT fiasco - [Larry] - Ok, lets discuss the story what happened and the implications, but also let's talk about 2 other things: How many places did we learn about computing infrastructure software usage and policy? How many businesses, utilities and government agencies do we know that use Windows XP SP3, Mcafee AV and what the default Delete vs quarantine policy likely is? Not to mention the discussion about authentication from Mcafee reps and attaching the updated DATs e-mails. I sense SE opportunity there.
- Holly Blippy Batman - [Darren] - Wow, we protect your data, while you share your purchases with friends. Too bad Google indexed your credit card numbers. Findable with a simple "site:blippy.com +”from card”" search.