Episode201

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave SpiderLabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

"Thanks to our sponsors Tenable Network Security, the developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more."

"Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."

"and Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."

"Now, pull up a packet capture, pour a beer, and give the intern control of your botnet..."

"Here's your host, he's a few NOOPS short of an exploit, socially engineers the elderly, the kill bit at parties, Paul Asadoorian!"

(End Music)

"Hello and welcome to Episode XXX of PaulDotCom Security Weekly, I am Paul Asadoorian. With me tonight is none other than the fabulous Larry Pesce!"


Shameless Plugs & General Announcements

Paul: Are you ready?

Larry: Ready for what?

Paul: I'm going to use the word "podcast" as a verb.

Larry: Oh great, here we go again...

Paul: "ARE YOU READY TO PODCAST?!?!?!"

PaulDotCom Security Weekly - Episode 201 - For Thursday July 1, 2010.

  • Click here to register for an exclusive webcast from John & Paul titled For the Last Time: The Internet is Evil. This webcast will help you understand the attacks that are being launched against you and offer some advice to stop them. Can they be stopped? Most likely not, but we'll offer up some ideas to help you deal with it which include redefining your policies, and drinking, heavy, heavy, drinking.
  • It is finished... The Official Metasploit class from John Strand and Ed Skoudis is now complete. Two full days of Metasploit insanity. Want 25% off? Use IN580 when you register for vLive.
  • John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs.

Episode Media

mp3

Vulnerability Disclosure "Debate"

I want to take the side of so-called "Full disclosure", but with a twist. I think you should approach the vendor when you find a flaw in their product. Now, this can be tricky business. The mere fact that you are engaging with the vendor could cause problems for you. The vendor could threaten a lawsuit against you. They could send ninjas to kill you. They could launch a smear campaign against you. They could seize all of your computers and business cards. So, in and of itself, disclosure even to the vendor is a slippery slope.

When you do disclose a vulnerability to a vendor, there is a lot of responsibility behind it. If it's low impact and low installation (i.e. it does not affect the Internet and its ability to deliver porn to the masses) it's probably a safe bet to disclose and give the vendor a timeline, work with them, and coordinate. However, what if it has widespread effects? I think consulting with others is great, but then that starts to get the word out. Hence the tricky business.

An example of widespread disclosure is the DNS thing. I thought Dan handled it well. You had to tell all kinds of people about it in order for it to get fixed. By nature this means it will likely get leaked. Also, it probably means that if Dan came across it by accident, other people knew about it too. Then it reaches a point where you have to tell the public something is up. And guess what, people get curious, we are hackers after all, and Wham! someone figures it out. Then, you might as well just tell people so you can even the playing field.

This is the crux of my viewpoint. Telling the public levels the playing field. There have been many cases where vendors and attackers alike know about a vulnerability/exploit, and the public does not. Someone could have a botnet with 10k+ hosts and you would never know. They could be using it to steal intellectual property (a la Google). But the good guys just don't know about it.

My question is this, how is that responsible?

Other questions:

  1. Do people really act upon information about vulnerabilities before there is a patch?
  2. Releasing information to the public helps both attackers and defenders, right?
  3. How does releasing this information affect the vendor? There seems to be a trend that when bad things happen, vendors will fix the issue.

Stories For Discussion

  1. "I'm using WPA", "No You're Using WEP" - [PaulDotCom] - WHAT? Yes, you may think you are running WPA, but Core Security researchers found a way to trick the compatibility mode into turning back to WEP. And we all know how much fun it is to crack WEP. Of course Cisco doesn't believe it's a vulnerability in their product, it's all WEP's fault. Right... I firmly believe that vendors need to take responsibility for their errors. Someone needs to write a script that automates this attack and then posts the WEP keys to a web site. Then maybe they will fix it.
  2. The Disclosure Debate - Some Thoughts & Responses - [PaulDotCom] - So, I'm going to relate this to something political. "Responsible Disclosure" is just like gun control, the bad guys have the weapons but the people don't. It doesn't matter how widespread, the bad guys still have the weapons. The good guys need the weapons too, in order to defend themselves. It's plain and simple, public disclosure levels the playing field to a certain degree. This is not true in all cases, as some disclosures are very small (like the Unreal backdoor) and some are enormous (like DNS).
  3. D-Link DAP-1160 Authentication Bypass - [PaulDotCom] - One of my favorite blogs recently released a new exploit for D-Link routers. Get this, you send a device a UDP packet, it reboots, then magically enables a secret management page. Schweet! I did some searching and found that D-Link has an emulator for this firmware, and you can access the firmware upgrade screen here: http://support.dlink.com/Emulators/wbr2310/tools_firmw.htm Hrm... Seems the functionality is disabled, but still interesting nonetheless!
  4. Places to MITM - [PaulDotCom] - Sounds kinda dirty, like top ten places people like to MITM each other. Maybe it's a headline from a trashy magazine or something. But no, it's actually an article from Rsnake. He has also announced that he will stop blogging. Let me be the first to say, "What an ass". We love you Rsnake, don't stop, you're making me beg! In any case, he lists all the places where you can MITM people going to their bank. Boils down to this, how many people type "https" before the URL for their bank? Probably the people listening to this podcast and not many others (which is A LOT of people).
  5. Popsicle Makers are a favorite weapon of terrorists - I mean, everyone knows this, right?
  6. RFID transplant - Some dude took the RFID chip out of its credit-card sized housing and planted it in his cell phone. Now his cell phone gives him access to the building, and you don't have to worry about losing a card (just don't lose your cell phone). I want a multi-pass! ("She knows it's a multi-pass!")
  7. 10 Everyday Items Hackers Are Targeting Right Now - Here's my take on this list:
    1. Your car - I think that hacking cars is really cool. Twitchy and I had some fun with injecting audio into the Bluetooth systems on cars some time ago. Disabling remote vehicles sounds fun too, I mean you could win every race you entered, mess with your neighbors, and make it really easy to get around traffic if you can get this to scale. Car thieves could use this too, but bypassing locks with a slim jim or just breaking the window are just as good and equally as effective. Professional thieves may turn to technology, but it will be targeted. Much of the risk with embedded systems is diluted because there are so many different types. It would be hard to come up with one device that has one button labeled "disable vehicle alarm and unlock". More likely you will have to purchase many different devices, specific to the car manufacturer and model car you want to access. The other problem is, other than grand theft auto, there is not much in the way of profit to be made here. Until we use our cars in some sort of financial transaction, it's my bet that hacking cars is something people will do for fun and it will crop up on CNN every once in a while. We'll all point at it and say, "Look! This is bad, I can hack a car!". Meanwhile the evil bad guys are using clickjacking and phishing attacks to steal your money right from your bank account.
    2. That New GPS Gizmo - GPS does have some more potential than cars, as the protocol seems to be fairly standard. I think we will see a day where an attacker can lure you into a private location, then rob you. This will not be as widespread as you think for quite some time as there are just not that many people 1) Using GPS actively and 2) That stupid to drive to a deserted location.
    3. Your Cellphone - Now, here is an area where we are going to see LOTS of evil bad guys take interest. There are already systems being developed to pay for goods and services using your phone. So, think skimming attacks, but without physical access. Data on your phone can be valuable too, so don't put it past attackers to go there too. Harvesting address books, passwords and more will be done by malware that uses SMS, email, and even Bluetooth. Also, your phone can be used to dial 900 numbers owned by the attacker to make them $$.
    4. The Front-Door Security System - I think that criminals could easily start using lock picking techniques to get into your home. And yes, as home automation becomes more ubiquitous they can use digital technology to access your home. This is all bunk, and poses no greater threat than you are already succumbed to on a daily basis. Why? Someone could just as easily steal your keys as they could your cell phone which contains a code to unlock your door. Someone could use a device to automatically open your garage door, just as easily as disabling your home video camera system. In the end, someone may just as well come in through an already open window, using the tall ladder you left under the deck. Breaking into homes is not rocket science people, the lock on your door is for insurance purposes, not to keep people out. If you want real home security (for times when you are home) own and learn how to use a gun or other close-quarter self-defense mechanism. Lock your valuables up in a safe, use cameras, and have an alarm system.
    5. Your Blender. Yes, Your Blender - While gaining access to a home automation system to compromise a blender is fun, it's really just ridiculous. I mean, really, you could potentially start a fire or something, or maybe even make margaritas when the person's not home. Come to think of it, I'll leave mine open so people can make me drinks.
    6. Your Printer - This is dangerous, as we've stated in the past, attackers will compromise your printer and steal the information flowing through it. It's of interest to attackers because it contains, or rather prints, sensitive information that is of value to an attacker and can be sold for real money on the black market (for example).
    7. Your New Digital Camera - I agree here, devices such as cameras, photo frames, etc.. will be used to distribute malware and infect your computer. The attacker doesn't care about your pictures, but is merely using it to gain access to your PC, which makes total sense.
    8. The Power Sockets in Your Walls - Let's separate "Smart Grid" from "Home automation". Smart grid is different, you can cause damage and people will hack it to bypass usage rules and get free power. Home automation is less interesting for reasons mentioned above.
    9. The Human Body - I do have grave concerns about technology, specifically wireless, being used in the body. I believe that attackers, of a different type, may be interested in using this to cause harm to others. Even scarier, interference could cause accidental death.
    10. Even the Human Brain - I think we are quite a ways off from understanding the human brain, let alone putting computers in it, then using them to control people. Sounds like a great plot for a science fiction movie, such as the Matrix, and many other cheesy sci-fi flix (which I love to watch)
  8. Normal sites now doing the infection - [Larry] - We used to joke that it was mostly porn sites that were responsible for browser-based infections. According to Avast, 99% of all browser exploits are being delivered by legit sites…
  9. IDing the bad guys - [Larry] - A new tool is coming to analyze malware to determine the author based upon contents of the code, executable and memory footprint.
  10. Adobe fixes the /launch PoC - [Larry] - Yeah, the dialog box has been fixed to show the correct content as of 9.3.3. Not to mention they actually disabled the /Launch command by default.
  11. Reverse image search - [Larry] - I love information gathering using social networks. I like more information. Using social network icons to match several users across social networks expands our information footprint.
  12. Web/e-mail connected printers - [Larry] - Inspiration from Paul and Carlos on post exploitation. Do we really need web/e-mail enabled printers for submission of jobs?
  13. Russian Spies need tech support? - [Larry] - I guess even the bad guys resort to easy to use, but not very secure technology. How did they get owned/discovered? The same way everyone else gets hacked - exploiting weak technology and social engineering.
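Item 10 above notes that Adobe Reader 9.3.3 disables the /Launch action by default. As an added example for these notes (not code from the podcast or from Adobe), the following scanner walks the raw bytes of a PDF, finds every action dictionary whose /S entry is /Launch, and reports the launch target, so files that still rely on /Launch can be triaged. It assumes the objects are stored uncompressed; anything inside compressed /ObjStm object streams is not seen. Both sample PDFs are constructed for the example.

```python
import re

# Assumes objects are stored uncompressed; actions inside /ObjStm streams are not seen.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")    # action dictionary subtype /Launch
TARGET_RE = re.compile(rb"/F\s*\(([^)]*)\)")  # literal-string file/program target

def enclosing_dict(pdf: bytes, pos: int) -> bytes:
    """Return the innermost '<< ... >>' dictionary that contains byte offset pos."""
    depth, i = 0, pos
    while i >= 0:                              # walk back to the unmatched '<<'
        if pdf.startswith(b">>", i):
            depth, i = depth + 1, i - 2
            continue
        if pdf.startswith(b"<<", i):
            if depth == 0:
                break
            depth -= 1
        i -= 1
    else:
        return b""                             # pos is not inside any dictionary
    start, depth, j = i, 0, i
    while j < len(pdf) - 1:                    # walk forward to the matching '>>'
        if pdf.startswith(b"<<", j):
            depth, j = depth + 1, j + 2
        elif pdf.startswith(b">>", j):
            depth, j = depth - 1, j + 2
            if depth == 0:
                return pdf[start:j]
        else:
            j += 1
    return pdf[start:]                         # unterminated dictionary

def find_launch_actions(pdf: bytes) -> list:
    """Return (offset, target) for every /Launch action visible in the raw bytes."""
    hits = []
    for m in LAUNCH_RE.finditer(pdf):
        t = TARGET_RE.search(enclosing_dict(pdf, m.start()))
        hits.append((m.start(), t.group(1).decode("latin-1") if t else ""))
    return hits

# Constructed sample: a minimal PDF whose OpenAction is a /Launch of a program.
SAMPLE_LAUNCH_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Action /S /Launch /Win << /F (example-program.exe) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
# Constructed sample: the same document with a harmless /URI action instead.
SAMPLE_CLEAN_PDF = SAMPLE_LAUNCH_PDF.replace(
    b"/S /Launch /Win << /F (example-program.exe) >>", b"/S /URI /URI (https://example.com/)")
```

A real triage pass should also decompress object streams before scanning, since a byte-level search cannot see into them.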

Other Stories of Interest