Episode233

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional.



Announcements

PaulDotCom Security Weekly - Episode 233 for Thursday March 3rd, 2011.

  • Wednesday, March 9th, 2011 at 2pm EST, Wasted Strand will present the Wireless "Security" edition of Cyber Security World's "Security Fail" Monthly Webcast.
  • Be sure to check us out next week at the Mid-Atlantic CCDC competition - Badge hacking, penetration testing, tons of presentations, and the entire event will be streamed live! Podcast will also be streamed at the same time and same channel.
  • SOURCE Boston on April 20-22 - Paul and Larry will be there to hang out, talk security and drink beer.

Special Guest Tech Segment: Sharon Conheady discusses "What’s next on the social engineering agenda?"

Download the Audio (MP3) Version of this segment here!

Sharon Conheady is a director at First Defence Information Security in the UK where she specialises in social engineering. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

What’s next on the social engineering agenda? What are the emerging trends and what social engineering techniques might we expect to see in the future? Sharon will give an overview of the types of social engineering attacks people have used throughout the ages, from tricks used by the classic conmen of the past to the phishing attacks that are at an all-time high, and the proliferation of social networking and how useful this is to social engineers. Sharon will discuss some of the new social engineering techniques and trends that are emerging and discuss war stories from her experience of social engineering, describing techniques she's used to gain access to sensitive information.

Where SE is going:

  1. Same tricks, new technology
  2. More sophisticated and targeted SE attacks
  3. Social networking as an enabler to SE
  4. More technology to improve/automate SE attacks
  5. Social engineering as a service

Guest Interview: Ray Davidson


Ray is a self-described computer security geek, incident responder, digital forensicator, professor and occasional kilt wearer.

  1. What made you decide to switch from PhD in Chemical Engineering to infosec?
  2. You have an extensive background with pharmaceutical companies. Is there anything that you've found to be different in the pharmaceutical industries for security than other industries?
  3. Tell us about your recent ShmooCon presentation, "ShmooCon Labs Goes To College".

Stories For Discussion


Larry's Stories

  1. iTunes multiple flaws - [Larry] - Now I probably wouldn't mention this one under normal circumstances, but this one seems pretty epic to me. There are a handful of exploits here that can run arbitrary code as the current user. Handful. All around a theme if you ask me - loading images and XML. Guess what you might be using to listen to or download this podcast? Yeah, iTunes that has loaded images and XML provided by us. Oh, and MitM attacks against the built-in WebKit that can trigger memory errors while browsing the iTunes store. I wonder if it carries over to other WebKit-enabled browsers…
  2. Firefox Passwords - [Larry] - I think this one is quite elegant. In a public place (say a library, kiosk) modify Firefox so that every time a user ID and password is entered in Firefox, it is automatically stored in the password store without any warning messages. Return later and harvest credentials. This might be fun on a pentest with the appropriate scope. While the details aren't published that I can find, the code that is modified comes from "nsLoginManagerPrompter.js"…so, if anyone wants to take a stab and share…
  3. How to steal computers at KASK - [Larry] - Hah, a security lesson from somewhere I would not have expected - Instructables. This one is 4 slides of images, which basically state: Go to KASK, go to the graphics design department (ask for directions if you need them), look for iMacs with security cables with the KEY RIGHT UNDER THE LOCK, or use the code of "1111" to unlock, undo lock, walk out. I think this speaks a bunch about some physical security - if you are taking the effort to put the damned locks on the machines that shouldn't move, don't put the keys with the lock. Heck, even change the combination to something a little more tough so I have to spend a few minutes with some other method to recover the code…
  4. Thunderbolt, now with more hacking - [Larry] - I really wish Darren was here for this one, but oh well. So, the speculation now is that the new Thunderbolt technology on the Macs is apparently connected directly to the PCIe bus. That means that a potential rogue device can be plugged in and would have unauthenticated access to anything else on the PCIe bus - including complete read access to memory and hard drives. Of course this isn't a big deal as most of the Macs already have the same issues with FireWire, ExpressCard and SD ports. Intel does have a solution with VT-d that allows the chipset to be configured so that devices on the PCIe bus don't have free rein. Unfortunately the chipset in the Mac doesn't support VT-d.
  5. More rant on smartphone security - [Larry] - A follow-up from last week. Yes, one of the ways to get malware on to a smartphone was the "store", which last week's article was alluding to as infallible. Well, the Android marketplace just took down 50 rogue apps that were malicious, all published under fake developer names. That sounds like the alleged infallible method just fails 100 times over. Why 100? 50 fake devs and 50 malicious apps that weren't caught for some period of time. So how many people downloaded and used them? Well, probably more than the number on one hand, as stated from last week. Looks like these apps were only after cloning your phone, but there is so much more that could happen here.

Paul's Stories

  1. Two Women Sentenced for "Hacking" - [Pauldotcom] - I was disappointed in this article for two reasons. The first is obvious, there was no reference to the timeless and classic "women in prison" movies. Second, "hacking" in this case was re-using a former co-worker's username and passwords to gain access to information. While we can harp on the fact that this is not "hacking", the company still incurred damages. So what do we do when an employee leaves, reset everyone's password? One may also wonder just how she got access to the network, was it a VPN connection or protected web application? It seems to me that security is really broken when it comes to protecting against these threats. We tell users not to share passwords with each other, and this is exactly why. I'm starting to think that two-factor authentication may be more important than firewalls and anti-virus, but maybe that's just me and I'm still distracted with the whole "women in prison" thing.
  2. Okay, There are Legit Uses for FTP - [PaulDotCom] - I guess if you are a large Linux distribution, using FTP goes with the territory. vsFTP is popular for this, as it's well-written and has maybe patched a few DoS attacks over the years. However, I have to wonder, if you are not letting the public at large upload files, why use FTP to let people download stuff? Can you just set up an HTTP server for that, then use SSH to let people upload? I'm still on the fence about all of these clear-text protocols being used for file transfers.
  3. A Great Quote and Congrats - [Pauldotcom] - First off, congrats to Halvar, his company was just acquired by Google. In reading his post he has a quote that really struck me: "In mathematics, you don't understand things. You just get used to them." by John von Neumann. Von Neumann was a brilliant guy, making contributions to the Manhattan Project and areas in computer science. If he could only see what is happening today, I bet he'd have a similar comment about information security. So often we see that organizations don't like to "understand" or better yet "experience" things, they just get used to them. "Ah, yea, we get viruses on computers, a few compromised hosts here and there, you get used to it." Believe me, especially when working for a University, you can develop this attitude. I'm not saying it's a bad thing, in fact some may have higher tolerance for certain things, like compromises, than others. Where this goes horribly wrong is when you take the "you just get used to them" concept and apply it to security people, like us. I don't ever want to get used to the idea of people using TELNET. I don't want to just get used to open WiFi networks, "the firewall will save me" mantra, or Microsoft Patch Tuesday. This is unacceptable, and we need to continue to help people understand, and maybe even help make the world a more secure place. So please, don't lose sight of this, rainbows and unicorns for all.
  4. Your Firewall is Stupid - [PaulDotCom] - This is a great example of what it's like to be a firewall admin. Ah, the memories. People seem to think that a firewall is smart. I mean, it's a "security" device, right? So, if it sees something "bad" it will just block it, right? No, firewalls are in fact stupid. They just do what you tell them to do, nothing more, and nothing less. If you tell them to allow everything, they will do just that and open the floodgates. It's important that you, the human, put some context around each rule and be the intelligence. Firewalls are a tool, kinda like a hammer. Swing it at a window and it will break. Hit the nails the right way and you can build a house.
  5. Top 10 places your laptop is likely NOT to get stolen - [Pauldotcom] - Okay, if you read through the list, it's kinda funny, really a spoof. Truth is the least likely place a laptop can get stolen is from my own cold dead hands. Seriously, the best advice is this: NEVER be without your laptop. This means when you run into the store, you take your laptop. When you run into the liquor store that says "leave all backpacks at the front" you walk by the sign and just laugh. When the store attendant asks you for your backpack, you just punch him square in the junk. Sorry, just kidding, but you catch my drift. Never leave it unattended, ever. Like the author states, my laptop has been all sorts of places with me. To school, the movies, coffee, dinner, the point is to develop a special bond between you and your laptop, one that only water boarding and/or a car battery and nipple clamps could break. In all seriousness, hard drive encryption, cable locks, and LoJack help too, but most of all it's all about "Me and my laptop".

Carlos's Stories

  1. WordPress Largest DDoS In its History - The old and tried method of denial of service by flooding a company's resources with traffic is still a force to reckon with.
  2. New Set of SAP Attack Modules by Chris John Riley - New set of modules to attack where most enterprises fear it the most: where they save, process and use their business data.
  3. Microsoft Attack Surface Analyzer - So you may never say that we do not cover new ways and tools for defense, here is a little gem from Microsoft for when planning and testing new software.

List of beer victims

  • 1/2 off random micro brews from Joyal's Liquor