SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Sponsors & Announcements
"And now from the dark corners of the Internet, where the exploits run wild, packets get sniffed, and the beer flows steady its PaulDotCom Security Weekly!"
"Sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable's Security Center extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable ‚Äì Unified Security Monitoring!"
"Core Security Technologies, helping you penetrate your network. Now version 10.5 full of Jive! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool."
"Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep you web applications in check."
"And Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!"
PaulDotCom Security Weekly - Episode 210 - For Thursday September 9th, 2010.
- Tenable Security Showcase - New Yorl City - Ron Gula, Renaud Deraison and Marcus Ranum invite you to a Security Showcase on October 6, from 8:30am to 2:00pm for this FREE event!
- Shoecon 9/18/2010 - Sept 18th "ShoeCon is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew or “Shoe” was a fellow security professional, DC404 member and InfoSec podcaster who left behind two children. Thanks to the generosity of DC404, this event will be held in conjunction with their September meeting at the Wellesley Inn-Atlanta Airport. This is a donation driven event where all the proceeds will go to the Shoemaker Memorial Care Fund."
- Announcing Hack3rcon!The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend.
- Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.
Tech Segment:World Premiere of UpSploit with Tom, Duncan & Danny
Tom Mackenzie works part-time for RandomStorm and co-hosts the Disaster Protocol Webcast. Tom, the upSploit Project Manager, will be joined by Duncan Alderson and Danny Chrastil, developers for UpSploit.
upSploit is a PHP/mySQL web application that automates advisory distribution in order to simplify and expedite the advisory life cycle. The service will be released as a public beta and available at upSploit.com.
- What is upsploit?
- Why would people use it?
- How do we know you will not use the exploits to profit?
- What if a vendor decides to sue you?
- Why 180 days grace time? Should this timeframe be adjusted depending on the exploit?
- How did you build the database of vendor contacts and how will you keep it up to date?
- Any success stories? Failures? Learning experiences? All of the above?
Guest Interview: Christian G. Papathanasiou, Nicholas Percoco of Trustwave
Nick is Senior Vice President of SpiderLabs at Trustwave. He has more than 14 years of infoSec experience and leads SpiderLab's team, which has performed more than 750 computer incident response and forensic investigations around the world. Nick is also the co-creator of THOTCON, a hacking and security conference held in Chicago each year.
Christian is a consultant for Spiderlabs and specializes in Linux kernel rootkit technology, algorithmic trading and web application security. Christian also co-organizes AthCon; the first highly technical Information Security conference in Greece.
- Tell us about the work done by SpiderLabs.
- Is an open market for smartphone apps a security nightmare or is Apple just being Apple?
- What kinds of attacks have happened on smartphones?
- How do attackers make money attacking smartphones?
- How did Google respond to your DefCon talk on Android Rootkits?
- Does Google's remote delete function provide any kind of defense?
- What went behind the decision to release the rootkit demo "Mindtrick" on DVD at DefCon?
- Do you use an AV on your phones?
- Whats on tap for Thotcon?
- What is the hacker/maker culture like in Greece? Is it demonized in the media as it is in the US?
Stories For Discussion
- DVWA 1.0.7 Released - [PaulDotCom] - New features include enhanced logging and support for blind SQL injection vulnerabilities. This is a great project, everyone should be using it to hone their skills and test your web application testing tools, whether automated scanners or specialized testing tools.
- Wireless and Control Systems - [PaulDotCom] - I found this quote: "Segmenting the network into zones or cells provides the ability to quarantine should unauthorized access or virus affect a targeted system." I get a little worried when we start talking about segmentation and wireless attacks. I think many still view "wireless security" as only referring to the wireless network and itself as the only security concern. First, be careful with segmentation, things are not always segmented and networks need to talk. If something is so insecure that you need to segment it, make sure you do that AND fix the underlying security problems, or at least try. So many times I've seen security issues shuffled around, without the underlying problem being addressed. Second, don't forget about the client-side wireless threat, as this crosses all kinds of borders. Josh talked about using OS X to snoop on wireless networks, and there are issues with iPhones that we will also discuss tonight. Airpwn is still a huge problem for open wireless networks, and there are so many ways to attack captive portals. Also, as this article mentions, your defenses need to encompass all wireless protocols. Having wireless monitoring, wireless intrusion detection/prevention is great, but that means A LOT of gear, and attackers will hide on whatever protocol you are not monitoring. Most of the threat is physical proximity type stuff, so part of wireless security is physical security!
- "We want the smart grid!" - [Pauldotcom] - This is a prime example of security failure. Going back to human nature, we want what is good. Green is good, so smart grids are good. No question, there are positive effects and benefits. However, what about the security? Why can't we implement something that is good and secure? I believe its possible, but we need to take into consideration security, and give it a higher priority, and NOT wait until something bad happens before we consider security.
- Corrections - Novel story from last week was for Netware, not a version of Linux, and Debian SSL was not a backported patch, but a "security feature".
- Cisco WLAN Controller vulnerabilities - [Pauldotcom] - This is a great example of vulnerabilities that may not catch your interest, but are important to the security of your organization. The first is ACL bypass. This is why I never completely trust segmentation and firewalls. People make mistakes with firewall rules, and sometimes they can be bypassed due to a vulnerability, as with this vulnerability. Think your wireless is segmented? Think again. As a defender you MUST go through the What If? Scenarios. In this case, what if someone bypassed the ACL? Really bad things? Maybe you need to think about other defenses and/or network architecture. This can be a difficult exercise, and why I believe in penetration testing. It helps you understand the "what if" scenarios. Also, I just wanted to cover this story to say the word "WISM". Also, your internal management applications must be secure. Often folks tend to think that attackers would not gain access to them. Not true, client side attacks can enumerate and even attack your internal management application. No shit. Make sure they get patched, are restricted, and don't use any defaults.
- Adobe 0day = Groundhog day - [Pauldotcom] - I like this analogy, yes we have ANOTHER Adobe 0day vulnerability and exploit. Dave makes a great analogy to the movie "Groundhog Day". I wake up in the morning and there is a new Adobe 0day exploit, I use it successfully on a pen test to compromise workstations in an organization. I wake the next day, and....
- MiTM For iPhones - iMiTM - [Pauldotcom] - iPhones make a "wispr" request, but its not too silent. This is a probe for a captive portal. You can lure in iPhones and get them to attach to your captive portal. This is a great thing to do on a pen test! If you can hook iPhones, they will send you stored credentials, freakin sweet!
- Snakeoil Security and Bears - [pauldotcom] - Rsnake sets us straight. Great story about two banks and a snakeoil security product. If there were two banks he tells us how a security product can show reduced incidents and a positive effect, but without actually implementing security. Also, you are better off fighting the bear together rather than letting it eat, because eventually it will catch up to you. Just awesome!
- Finding Mapped Drives - [pauldotcom] - Ron over at Skullsecurity has a guest post that shows you how to look at mapped drives. This is a great way to grab information quickly on a pen testing, compromise a system and browse the mapped drives. Difficult to defend against once a client computer has been compromised, hard to not let users access shares! So many times the auditor will come down and say, "you should have internal controls to safeguard your information". Internal controls do crap to prevent this attack vector.
- Ooof, IPv6 - [Larry] - quite honestly, I need to get waaaay up to speed on the whole IPv6 mess, and I've been saying that for far too long. Part of the reason is, that it takes a lot of work to configure and get right, especially where security, egress filtering, nat, and routing is concerned.
- Women good at defeating Social Engineering - [Larry] - I wonder why the women were less apt to fall for the scheme. I suspect that it is a human nature thing. Now if we could only bottle that up and drink it at end user trainings.
- Google instant search - [Larry] - Wait, Google wan't fast enough already? Now we have an even faster way to get SEO poisoning and malware delivered to our systems!