Sponsors & Announcements
"And now from the dark corners of the Internet, where the exploits run wild, packets get sniffed, and the beer flows steady its Security Weekly!"
"Sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable's Security Center extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable ‚Äì Unified Security Monitoring!"
"Core Security Technologies, helping you penetrate your network. Now version 10.5 full of Jive! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool."
"Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep you web applications in check."
"And Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!"
"Now, Pull up a packet capture, pour a beer, and give the intern control of your botnet...."
"Here's your host, he's a few NOOPS short of an exploit, socially engineers the elderly, the kill bit at parties, Paul Asadoorian!"
Security Weekly - Episode 207 - For Thursday August 19, 2010.
- Sign up for "Advanced Vulnerability Scanning Using Nessus" being offered at Brucon!
- Ron Gula, Renaud Deraison and Marcus Ranum invite you to a Security Showcase on September 15, at the Embarcadero Center in San Francisco! You'll receieve:
- The current status of Nessus® and future development plans The advantages of pairing active and passive scanning
- “How I learned to stop worrying and love regulatory compliance”
- Free breakfast! Free lunch! :-)
More info from rstewart [AT] tenable.com
- John Strand will be teaching SANS 560: Network Penetration Testing at SANS Virginia Beach August 29th - Sept 3. Come get shell and crabs with strandjs
- Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.
Tech Segment: Ron Bowes
Ron Bowes is a Security Analyst for the Province of Manitoba and also runs Dash9 Security consulting. Ron is an active Nmap developer, compiles and disseminates research data on leaked or cracked passwords, and currently maintains and develops dnscat, which implements reverse shells over DNS in new and clever ways. He blogs at skullsecurity.org.
Ron will be going over a number of exciting topics for his technical segment! First, he'll talk about scripts he's written for the Nmap Scripting Engine that target the SMB protocol, and what kind of information Windows provides if you ask it nicely (and know the secret handshake). Second, looking at recent password breaches, with statistics about the terrible passwords people use, we'll see why we should all care about password breaches. And finally, he'll reveal exactly how he accidentally obtained the title "Facebook hacker" and how names obtained from Facebook can be used, with great success, to crack passwords.
- Blog: http://www.skullsecurity.org
- Twitter: https://twitter.com/iagox86
- Password cracking
- The wiki page: http://skullsecurity.org/wiki/index.php/Passwords
- Some background: http://www.skullsecurity.org/blog/?p=898
- Dictionaries I'll be talking about:
- Some analysis I've done in the past: http://www.skullsecurity.org/blog/?p=538
- Facebook-based wordlists: http://skullsecurity.org/wiki/index.php/Passwords#Facebook_lists
- Random stats:
- Most common names: john smith, david smith, michael smith
- Most common FIRST names: michael, john, david
- Most common LAST names: smith, johnson, jones
- Most common first-initial-last-name: jsmith, ssmith, skhan
Guest Interview: Chris Paget
- How did you get your start in information security?
- What got you interested in RFID and GSM hacking?
- Are their laws preventing you from reverse engineering GSM?
- How was your Blackhat talk different from the previous Shmoocon talk with respects to GSM?
- What types of RFID tags can be read at long distances? What about writing to the tags?
- Where are these tags used?
- What could you gain by reading tags on items in a warehouse or store?
- What kind of hardware did you use to read the tags at long distances?
- What are some of the challenges to reading RFID at long distances?
- Is it possible to get good results doing an RFID war drive?
- How widespread is GSM use?
- Does voice and TXT or SMS use GSM?
- Are all versions of GSM vulnerable to your attack?
- What kind of hardware do you need to pull of a GSM MITM attack?
- What kind of range are we talking about for a GSM hack?
- Has there been any followup from the FCC or AT&T on your demo?
- We love the EFF! were they advising you on the FCC regs or just offer advice on privacy?
- What was your interpretation of Part 97 is the Amateur Radio section of the FCC rules and how did that affect your demo?
- Describe the scariest scenario for a GSM hack. What about RFID? (I loved the shopping mall example)
Stories For Discussion
- When SQL injection attacks - [Paul Asadoorian] - Apparently over 500,000 sites become compromised and distribute malware. Seems to me that this attack is "low hanging fruit" and results from a very easy to exploit SQL injection. It just shows that so many organizations are not paying attention to web application security, including Apple.
- Linux Kernel Vulnerabilities Lingering - [Paul Asadoorian] - I have to say, I believe that the several in the Linux community have gotten a bit comfortable in terms of security. They have a history of silently introducing patches, belieing that vulnerabiliites are not exploitable, and creating a false sense of security. Good thing we have people like Brad Spengler to point out security flaw. I think people think that maybe because Linux kernel is open source that its secure? Or that when peopel find vulnerabilities they will be fixed? Who know, buts got to stop, Linux has and will have a lot of vulnerabilities, so deal with it.
- ReCAPTCHA Cracked! - [Paul Asadoorian] - Will we ever stop the SPAM problem? I'm guessing not, as there is too much money to be made, so people will always try to get around any anti-spam measure.
- Rogue Wireless Access Point Vulnerabilities - [Paul Asadoorian] - I was reading this article, quite happily, until I saw this: "If you think about [wired-only scanning], that's goofy -- it doesn't make any sense," King says. "In the case of the TJX hacker, you wouldn't have found any of that." Goofy? Really? If something is plugged into your network there is a good chance you can pick it up on the wire. In fact, there are many ways in which you could have detected the TJX hackers, for example once they were sending packets onto the network an IDS or passive scanner could have detected them. I do agree though, "wired-only" is silly. You need both. There are direct attacks against the wireless protocols that will only be detected using a wireless detection system. There are also many ways to "hide" on wireless, such as using non-US channels, Bluetooth, 900Mhz, or any other wireless communications that won't get picked up by whatever wireless security device is in place at the organization.
- How to DDOS a Cell Phone - [Paul Asadoorian] - What kind of world would this be without YouTube sensation Justin Beiber (his Mom is hot though). Anyways, he recently Tweeted his "Friends" cell phone number to all 4 million followers. The cell phone rang and received TXT messages non-stop. Hope he had unlimited TXT messaging. PS. Justin's Mom is till hot and no, she didn't pose nude for Playboy. PPS. I just listened to 15 seconds of a Justin Bieber song, and now I am ill.
- another example of a large non-security company buying a security company - [Paul Asadoorian] - Really Bruce? Then tell me, why would the largest and most successful chip maker in the world buy a company that produces a bloated half-ass anti-virus product? Oh, and never mind the DAT file debacle. If Intel truly was interested in a client-side security product, they could have done so much better.
- Embedded Vulnerabilities = Scary - [Security Weekly] - Did you know Tenable has created plugins to detect similar vulnerabilities in the QNX debug service? Yes, yes they have!
- - redaction fail - [Larry] - Wow, I like this type of redaction. Highlight the text and the redaction goes away. Why is this so difficult, and why don't people test?
- Websense filter bypass - [Larry] - Only version 6.0, which is older but still supported if I recall. This one is simple as adding the Via: directive to the header of your HTTP request, which is a trivial task with Firefox and a single plugin. How long before malware authors include this as it is so simple…because URL filtering works wonders after a machine has been compromised for several reasons.
- More on testing… - [Larry] - If you have the ability to do SQL injection against a site as large as say, apple.com, you had dammed well better be sure that your specially crafted iframes that are encoded to bypass WAFsrender as valid, working HTML by the client. This being said by the guy who sent a PDF exploit to an entire company's address book via SET, with the connect back sent to 127.0.0.1…
- Disney, Zombies and Cookies? - [Larry] - Disney is being sued for tracking online habits (of children) when they said they wouldn't not through the browser cookies though, but using Flash based cookies or LOS Locally stored Objects…by backing up browser cookies into the LSO. After deletion, another (or even the same site) can restore the cookies or possible read them from the LSO… I wonder how may sites are doing this, and if we can start using the practice for evil by retrieving cookies before deletion and sending them elsewhere…