Security Weekly - Episode 219 - For Thursday November 11th, 2010.
- Register NOW for Blue Teams: "Don't Call It a Comeback" presentation with Core Security Technologies on Wednesday, November 17, 2010 2:00 pm EST
Guest Interview: Brian Krebs of 'Krebs on Security'
Brian Krebs worked as a reporter for The Washington Post, where he authored more than 1,300 posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post print edition. In his spare time, Brian tinkers with computers and various other chirping, blinking devices.
Mr. Krebs' full bio
- Two fold: How did you get started in journalism and how did you get started in technology/security?
- On your blog, you cover most major patch releases. What is your take on the Apple, Microsoft, and Adobe patches? The sheer number, the fact that they fix a whole bunch and leave out publicly known ones, etc...
- How has the dead tree industry changed, especially with respect to tech journalism? Where is it all going?
- What are some of the most interesting and/or shocking things you've learned about the computer underground?
- How has security changed since the days of the Lion worm?
- What is the best computer-based scam you've ever encountered?
- Tell us about the recent attack by pharmaceutical spam gangs on your website.
- Why did you decide to start your own blog and move away from Security Fix?
- There is a trend towards commercialization of malware coding and distribution - please tell us more about this trend and its implications.
- What do you consider the biggest threat that we're not paying sufficient attention to?
- You reported that there were a lot of conspiracy theories behind KB976902, a.k.a. Microsoft’s “Blackhole” Update and you indicated it was due to lack of transparency. What are your thoughts concerning closed vs. open source?
- Did your research into malware provide an impetus to learn Russian?
- Do you feel that this administration in Washington "gets" security?
Mini-Tech Segment: CentOS 5 Hardening Introduction
We've talked about it before, hardening is important. It's one of those things that's often overlooked, likely because it's not an easy thing. I remember when I first started hardening Windows systems, there were lots of blue screens and system downtime! Thankfully documentation has improved, and I learned the importance of a test lab (and VMware makes it so easy to set one up). I had to build a VM to host an application, and I took a little time to harden it. I have to say, I am liking CentOS. I've been a huge fan of Debian for some time, but recently had to do more with CentOS because some enterprise applications will run only on this platform.
- I installed CentOS in VMware. I had some problems with the file system. CentOS did not like the file system created by VMware (in the latest versions of Fusion or Workstation). I had to go through the manual configuration of the file system in order to make this work.
- Once the system was booted, it gave me a graphical interface. GUI to me means "Girls Use It", so I set out to remove the graphical components. I started up the application manager and unchecked all the graphical elements. You will get an error once all the dependencies are calculated warning you that it's going to remove pirut, which is used to manage packages. I believe that "yum" is sufficient, so I went ahead. The GUI crashes horribly, but the system reboots and allows you to log in.
- You will get an error that a process is respawning; simply comment out the following line from the /etc/inittab:
# Run xdm in runlevel 5
#x:5:respawn:/etc/X11/prefdm -nodaemon
Check which services are running:
chkconfig --list | grep :on
In order to be certain the various services are turned off at all run levels, use the following commands:
# chkconfig --level 0123456 cups off
# chkconfig --level 0123456 portmap off
# chkconfig --level 0123456 sendmail off
# chkconfig --level 0123456 nfslock off
Now stop the services:
# service cups stop
# service portmap stop
# service sendmail stop
# service nfslock stop
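To confirm the chkconfig changes actually took effect, the following added example (not part of the original show notes) parses `chkconfig --list` output and reports any of the four services above that are still enabled in some runlevel. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output for services that should be off.

# Services the segment disables; adjust the list for your own build.
UNWANTED="cups portmap sendmail nfslock"

# Reads `chkconfig --list` text on stdin and prints "service runlevels" for
# each unwanted service still enabled in at least one runlevel.
still_enabled() {
    awk -v unwanted="$UNWANTED" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) bad[u[i]] = 1 }
        # SysV lines look like: name 0:off 1:off 2:on ... 6:off
        # (xinetd sub-services use "name: on" and are skipped here).
        ($1 in bad) && $2 ~ /^0:/ {
            levels = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[2] == "on") levels = levels kv[1]
            }
            if (levels != "") print $1, levels
        }
    '
}

# Constructed sample of CentOS 5 style output, so the check runs offline.
sample_output() {
    cat <<'EOF'
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
EOF
}

# On a real host: chkconfig --list | still_enabled
sample_output | still_enabled
```

An empty result means none of the listed services will start at boot; this checks boot configuration only, so the `service ... stop` commands are still needed for anything already running.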
There is A LOT more to do here. You should look at:
- Configuring IPtables
- Disabling IPv6 if not in use
- Configuring policies in /etc/login.defs and PAM
- Hardening SSH
- Turning on auditd
More to come on these topics and more!
Guides & Further Reading
Stories For Discussion
- Protecting your domain admin account - [Larry] - I loled. Protect your Domain admin (and local admin) accounts from evil haxors by renaming them, and putting a dummy default named account with no privileges in its place. Is this an effective technique? I say no, as all I need to do is find one server or workstation that allows me to enumerate group membership…and then I know who the admins are. That's not a thwart, that's an inconvenience - one you should be doing anyways.
- End of in flight WiFi? - [Larry] - Eeep, just when I became productive on planes. The thought is, that we can wifi enable an IED, and then they can be connected to over the internet and told when to detonate. I see several issues with this, from portal authentication, to proxying…but what about the old tech such as timers or altimeters. Or banning toner cartridges over 16 ounces…
- Where's The 0x1337BEEF? - [Paul Asadoorian] - It's not in the Oracle vulnerability announcement, or patch, for the recent CDE advisory. The advisories say there is a buffer overflow, turns out it's a NULL pointer dereference. Kewl or not.
- Worker rights extended to facebook? - [Larry] - So you've done this great job of having a social media policy, indicating what is appropriate usage for usage in your organization. Now, apparently you can't prevent your employees from making disparaging remarks about their job or company. Really, well, I never thought that it would be wise to, but at least you can not allow them to do it from their work computers. Restricting and regulating the use of social media can be a tricky thing. [Paul] - This is a slippery slope indeed. Some will cry, "Freedom of speech", and it's a tricky debate. There are tons of corporate policies, such as NDAs and the like, which prevent employees from talking about certain things. As an employee, you accept these as a condition of employment. I think it's within the company's right to restrict what information is disseminated to the public, corporate secrets and IP for example. Where this went wrong is the blanket, "you can't talk about company on the Internet". Still, I think it's within a company's right to not want to have a presence on the Internet and social networking. The key that people are missing with freedom of speech is choice, you chose to work for the company. In the sense of a nation, you do choose to live in a country but expect to have rights, different from working for a company.
- There's a Shitload of patches, now what? - [Paul Asadoorian] - Apple, Microsoft, Adobe are all releasing patches. The interesting part is Flash patches accounted for 41% of the total that Apple issued today. WTF, I do not want to wait until Apple gets around to patching Adobe, as it's bundled. This just sucks and I can't believe I use OS X. Stuff like this makes me want to switch back to Linux as my desktop OS. Man, now I sound like Twitchy!
- Microsoft Patch Tuesday Roundup - November 2010 - "Stuck In The Mud" Edition - [Paul Asadoorian] - I was tempted to use the phrase, "Stuck in the middle with you" and depict someone getting their ear cut off, but I refrained :) I really do feel like we are spinning our wheels. We all know A/V is a joke, and that patches only solve a small percentage of the problem. Here's the thing, Office got several patches and people kinda freaked about the email attachment attack vector. This is bogus, as you can just embed your payload in a macro, no vulnerable software, so to speak, required. We fail to recognize things like MS Word making outbound TCP connections. Why does that need to happen? On Linux too, if you see Bash making a TCP connection, raise a red flag. This is common sense stuff that can help detect attacks quickly, because let's face it, you can't prevent bad things from happening.
- Female hacker charged with stealing nude photos of Grady Sizemore - [Paul] - Lastly, don't take nude photographs of yourself and email them to your lover in the hope that they'll stay private. That's some sound advice! I also think it's interesting that the female hacker was looking for nude male pics, and us guys thought we may be the only ones looking at porn on the Internet (of course, she went to great lengths to get it). The other thing, the same old "use good passwords" and "don't answer password hints" is really old. Why can't we come up with a better method of authentication that's easy to use and more secure than a guessable phrase or question? Why can't authentication be something you physically have instead of something you know?
- D-Link DIR-300 Authentication Bypass - [Paul] - Because, you know, I set a strong WPA-PSK, so we can leave the default password on the router and forget about any security risks from the "inside" because the external interface is protected and attackers would have to break the WPA-PSK. WRONG. Stop thinking about security in this way, it's really annoying and makes me want to retire and become a carpenter, or maybe a nude model, something. Anyhow, let me fire off some more rage towards embedded systems vendors, sure go ahead and just keep ignoring the security community, in the end I'm sure that'll work out for you.
- SCADA and DU Ammunition? - [Paul] - Wow, just wow, what a great article calling out the SCADA vendors. Most of them don't even have a security contact. Exploits for SCADA software are being added to Metasploit. Stuxnet put blood in the water according to the author of this article (Shawn Merdinger). Do we have a ticking time bomb on our hands? This does tell me one thing, security is a culture. If your industry lacks security culture, you will be targeted and made an example of until you adopt some form of culture. Ignoring security will not make it go away, and it will not make it better, in fact it makes things worse as researchers and attackers alike will set out to make examples of you.
- TCL Backdoor in Cisco Router - [Paul] - Really neat way to create a backdoor on a Cisco router. I think this is one of the sleeping giants as well, for so long we've been trying to point out that it's important to secure routers, and for so long we just haven't.
Other Stories of Interest
Beers for tonight
Weihenstephaner Hefe Weissbier