Episode199

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creator of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

Security Weekly - Episode 199 - For Thursday May 12th.

  • Pen Test Summit! - June 14-15, 2010. The 2010 SANS What Works in Penetration Testing & Vulnerability Assessment Summit features an agenda loaded with brand-new talks from the best penetration testers and vulnerability assessment thought leaders in the world. This must-see event lets attendees interact directly with industry leaders, discussing tough technical and operational issues to get the most value from penetration testing and vulnerability assessment expenditures.

Episode Media

mp3

Guest Interview: Andy the IT Guy

BACKGROUND

Andy Willingham has been working in IT for the past 12 years and has been blogging since 2006 on various issues. He is the Information Security Officer for his company and is leading the charge to teach others how to be more secure.

"Martin Fisher (@armorguy) is a 20-year veteran of the IT Wars... For the last 5 or so years he ran the IT Security Operations area for a major airline based in Atlanta, Georgia. A strong believer in that leadership makes a difference in organizations and a practitioner of "pragmatic security" he is currently awaiting the start date of his next gig... He co-hosts the Southern Fried Security podcast (http://www.southernfriedsecurity.com) with Andy Willingham."

Questions

  1. How did you get your start in information security?
  2. When did you start your blog and why?
  3. What benefits are there to starting a blog? What are some of the benefits you have enjoyed?
  4. At the 2010 ShmooCon podcaster meetup Martin asked a question that sparked debate, can you repeat the question?
  5. What should you look for in a good penetration test?
  6. Why is penetration testing safe, or not safe?
  7. What kinds of things do you talk about on the Southern Fried Chicken Security podcast?

Stories For Discussion

  1. Now ALL AV is full of fail - [Larry] - Instead of attacking the AV itself, how about attacking the portion of the kernel that is hooked by AV (the SSDT; System Service Descriptor Table). With some clever timing and taking advantage of poor thread tracking on multi-core processors, code is able to trick AV products into thinking the code being executed is "good". Is this the argument that AV is dead? I'd say no, as a significant amount of code needs to make it to the machine before this can happen, which we might be able to detect. Maybe more Windows kernel fixes? Or, how about a multi-layered approach…
  2. What's in your wallet? - [Larry] - Who cares, it's got biometrics, RFID protection, carbon fiber and Bluetooth. Who thought this was a good idea?
  3. Coldfusion Input Validation Flaws - [Larry] - Yeah, yeah, XSS. Old. Lame. However it is the ADMIN page that is affected. Not to mention that the I/O sanitization, well, doesn't work right with the affected module.
  4. Get 'em started early - [Larry] - The new generations of hackers are coming, mostly because we take them with us to hacker cons. Why shouldn't they get their own con?
  5. Biometric ATM - [Larry] - To follow on to the Barnaby Jack ATM story from last week, and this week's biometric wallet…so now instead of just spitting out our cash, Jack can make it cough up our biometric info too?
  6. Facebook privacy erosion over time - [Mick] - Just look at these graphs. SCARY!
  7. Open up social networks! - [Mick] - Diaspora appears to be an interesting project. With a goal of creating an open social network, they've gained loads of attention quickly... and money to boot! They're actually over the goal -- and still climbing!! Help them out! Let the internet know PRIVACY is something worth paying for!
  8. Patch Tuesday - Language Barrier Edition - [Paul] - This is a post I wrote for the Tenable blog this week. The gist of it is that Microsoft puts some good spin on the vulnerabilities released each month, playing them down rather than looking at the real risks. I call their new language "Minglish". For example, "Dropping my pants could allow monkeys to fly out of my butt". For MS10-030, the vulnerability in Outlook Express/Windows Mail, monkeys are flying everywhere. Public exploit code exists, despite Microsoft's best attempts to hide it by saying "no public code existed when we released this bulletin". What a bunch of crap. Also, the criticality level for Windows 7 is listed as "Important" and not Critical (like it is for XP) simply because it does not come installed by default on Win 7. So, according to Microsoft, this means that all Adobe vulnerabilities would be considered "Important" because it's not installed by default. More hogwash. They also state that "users must visit a malicious email server". Really now? Do you make "visits" to your email servers and have some coffee, maybe some biscuits? We're not talking about visiting grandma here people, we're talking about computers and networking dammit. This means a fucking connection, NOT a visit. Oh, a connection you say, yes, such as one that can be re-directed with a DNS or ARP cache poison to FORCE the user to CONNECT to your malicious email server. Yet again, Microsoft has done a great job of not telling end-users the entire story and playing down the monthly vulnerabilities. This is why everyone should read the blog and listen to this podcast, so we can set the record straight.
  9. Software Security Is The Problem - [Paul] - Most who know me also know that I am not a fan of so-called "big government". However, in the case of software, centralized control and management may just be what the doctor ordered to solve some of our software security problems. I went through this when I worked for the University. Most universities are very de-centralized, and to a certain extent so are most corporations. This can be a double-edged sword. On the one hand, managing something centrally provides uniformity and control, and therefore vulnerabilities and exposures can be mitigated on a grand scale. However, having central control is more difficult because the policies must satisfy the masses, not just one particular group. For example, maybe the finance department can handle a password change per week, but the general community would incur too much support and can only handle a 180-day password change. Now we're in management hell, things get complicated, and once we've complicated things, compromises usually follow. So, in the case of software security, I say create that central office, let it create, support, and govern software for the government, and maybe, just maybe, we'll improve slightly.
  10. Slick AV Bypass - [Paul] - So by playing the old "switch-er-roo", you can defeat anti-virus software. By hooking deep into the kernel you can feed AV a good binary, have it check out okay, but when you run it, switch it out with a new binary that is evil. I like it, and think it's important to continually test the limits of AV software.
  11. Funny and Annoying flaw in Pidgin - [Paul] - A certain emoticon in use for the MSN v9 protocol allows a remote attacker to crash a user's client. That's just too funny :-9090909090909090909090 ;-9
  12. If a sexy lady adds you as a friend.... - [Security Weekly] - I mean let's face it, we're geeks. If a sexy lady is offering us something online, it's malware and nothing more! Also, if a sexy lady has become your friend on Facebook and promised you a 4G iPhone, I mean really, come ON! How can you possibly think that is for real!!!!
  13. The Cost Of Free Software - [Paul] - Wait, free software is free, like free beer right? NOT! For example, GPL (v2 specifically) requires that if you modify it, you have to give it back. This means after you drink the beer, provide a urine sample. Open source software has maintenance and support costs too, in addition to implementation. I'm not saying this is a bad thing, but many people get excited about open source (and besides, penguins are cute) and start implementing without thinking about the costs. Also, in defense of open source software, I encountered many cases in my career where there was a decision made about using OSS, and they went commercial for support reasons. The support was HORRIBLE, and we'd have been better off going with OSS and supporting it ourselves. This should also weigh in on security; I tend to like OSS from a security perspective in a lot of cases because they just fix security problems and the source code is available to analyze or even improve upon. Who wants to wait for a large company to release fixes? (Why I use Mozilla over IE). OSS does have advantages, but don't get caught up in all the hype; do the math as the blog post describes and find what works best for you.
  14. Counterfeit Cisco Gear Confiscated - [Paul] - I wonder, if we did forensics on these devices, how many would have some kind of backdoor code or backdoor?
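Stories 1 and 10 above both describe the same trick: an AV product hooks an SSDT entry, its hook inspects the arguments sitting in user memory and approves them, and a second thread rewrites those arguments before the original kernel routine reads them again. The user-space C model below is an added example written for these show notes; it is not code from the page, from the researchers behind the story, or from any AV vendor. Everything in it is hypothetical: the `syscall_args` block, the "protected file" policy, and the `preempt` callback, which stands in for the attacker's second thread being scheduled inside the race window (on a real multi-core box that thread simply runs in parallel, which is the timing game the story refers to). It shows the vulnerable hook that forwards the user pointer after checking it, and the hardened hook that captures the arguments into kernel-owned memory once and validates and forwards the copy.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical user-mode argument block that a system call receives by pointer. */
typedef struct {
    char path[64];
} syscall_args;

/* Constructed example policy: the "AV" hook must deny access to this file. */
#define PROTECTED_PATH "C:\\protected.exe"
#define BENIGN_PATH    "C:\\benign.exe"

/* Stand-in for the attacker's second thread. The simulated kernel "schedules"
 * it between the hook's check and the real routine's use of the arguments. */
typedef void (*preempt_fn)(syscall_args *user_args);

/* Policy enforced by the hooked entry. */
static int is_blocked(const char *path)
{
    return strcmp(path, PROTECTED_PATH) == 0;
}

/* Stand-in for the original NtXxx routine behind the SSDT slot. Like the real
 * kernel, it reads the argument block through whatever pointer it is handed.
 * Returns 1 if the protected file was opened, 0 otherwise. */
static int real_syscall(const syscall_args *args)
{
    return strcmp(args->path, PROTECTED_PATH) == 0;
}

/* Vulnerable hook: validates the buffer in user memory, then forwards the SAME
 * user pointer. The attacker rewrites the buffer in the window between the
 * check and the use, so the kernel acts on a path the hook never saw (TOCTOU). */
static int vulnerable_hook(syscall_args *user_args, preempt_fn preempt)
{
    if (is_blocked(user_args->path))
        return -1;                      /* denied: the hook saw the bad path */
    if (preempt)
        preempt(user_args);             /* race window: the other thread runs */
    return real_syscall(user_args);     /* kernel re-reads user memory */
}

/* Hardened hook: capture the argument block into kernel-owned memory once,
 * validate the copy, and forward the copy. Nothing the attacker does to the
 * user buffer afterwards changes what the real routine acts on. (A real driver
 * would also probe the user pointer and guard the copy with an exception
 * handler; that is omitted in this model.) */
static int hardened_hook(syscall_args *user_args, preempt_fn preempt)
{
    syscall_args captured;
    memcpy(&captured, user_args, sizeof captured);
    if (is_blocked(captured.path))
        return -1;
    if (preempt)
        preempt(user_args);             /* same race window, now harmless */
    return real_syscall(&captured);
}

/* Attacker's second thread: once the hook has approved the benign path,
 * overwrite the shared buffer with the path the policy forbids. */
static void attacker_swap(syscall_args *user_args)
{
    strcpy(user_args->path, PROTECTED_PATH);
}

/* Drive one call through a hook with the benign path and the attacker racing.
 * Returns 1 if the protected file was reached, 0 if not, -1 if denied. */
static int run_attack(int (*hook)(syscall_args *, preempt_fn))
{
    syscall_args args;
    strcpy(args.path, BENIGN_PATH);
    return hook(&args, attacker_swap);
}

/* Sanity check: both hooks still deny an honest request for the protected
 * path when nobody is racing them. */
static int run_honest_request(int (*hook)(syscall_args *, preempt_fn))
{
    syscall_args args;
    strcpy(args.path, PROTECTED_PATH);
    return hook(&args, NULL);
}

int main(void)
{
    printf("vulnerable hook, attacker racing: %d (1 = protected file reached)\n",
           run_attack(vulnerable_hook));
    printf("hardened hook,   attacker racing: %d\n", run_attack(hardened_hook));
    printf("honest request, both hooks:       %d %d (-1 = denied)\n",
           run_honest_request(vulnerable_hook), run_honest_request(hardened_hook));
    return 0;
}
```

The callback makes the interleaving deterministic so the bypass shows on every run; in the real attack the second thread has to land in that window by timing, which is why the story stresses multi-core hardware and why it takes a fair amount of code on the box first (Larry's point about there still being something to detect). The defensive lesson is the one the kernel-fix suggestion hints at: anything that inspects syscall arguments has to work from a captured copy, not from the user buffer the caller can still write to.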

Other Stories

My New Office Chair