Episode25

From Paul's Security Weekly

Episode Media

mp3

Stories For Discussion

1) Fixing Code To Allow Viruses to Run? - "Linus Torvalds has recently patched the Linux kernel to fix a small bug that was revealed during the testing of a proof-of-concept cross platform virus."

2) Ars Technica - One New York county has solved the "problem" of unauthorized access to unsecured wireless networks by passing a new law. Businesses operating in Westchester County will soon need to turn on security settings for their WiFi networks if they are used to access financial information for their customers. Check out the Security Catalyst 27 (Wireless Law!, Compliance Advice, Your top 5?).

3) A mailing list that will remain unnamed has some interesting points about password security and the defense of account lockouts, specifically related to DoS attacks that lock people out of their accounts.

1. Account lockouts are an anachronism. They were there in the old days when sysadmins had no way to detect password enumeration attacks or the sysadmin was just plain lazy and didn't monitor the logs. I believe a DOS attack on accounts is more severe than a password enumeration attack.

       a. good password strength policies reduce the possibility of a 
          successful enumeration attack. Even the dreaded password aging
          feature can help here. [Security Weekly - users don't choose good 
          passwords, period.]
       b. The automated attacks we see here could lock out thousands of
          accounts in a short period of time and do so repeatedly. 
          [Security Weekly - What benefit is that to the attacker other than to 
          cause a DoS that would alert the admins? I've seen this happen, but 
          certainly I don't believe it was intentional]
       c. Every login failure generates a record of some sort and if you
          have a syslog or eventlog scanner that monitors the logs for
          such failures and notifies you, then you know you're under attack
          and can adjust your defenses. [Security Weekly - I don't know about you, 
          but I don't want to work weekends and nights responding to brute 
          force attempts!]
       d. If a site uses account lockouts, they have to adjust the numbers
          to avoid a DOS attack from impacting their operations. This seems
          to defeat the purpose of the lockout. [Security Weekly - Even a lockout 
          with generous timing makes it a thousand times harder to brute force]
       e. Does setting the lockout period to a short period of time actually
          prevent anything? Is it smoke and mirrors? 

[Security Weekly - The best thing I can find when pen testing a site are organizations who don't use an account lockout. I set up hydra with a custom dictionary in the beginning of the test and let it run until my time is up. Sometimes I am successful, and this could have been prevented with a simple account lockout]
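The point (c) above argues that a log scanner watching for login failures is the alternative to lockouts, and point (d) that lockout thresholds have to be tuned. The following is an added example (not from the show or the mailing list) of what such a scanner does: it parses constructed sshd-style failure lines, counts failures per account and per source, and flags accounts that would have tripped a lockout as well as sources trying many accounts. The log lines and the thresholds are assumed values for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data): one source hammers alice and
# then tries an invalid account; a second source fails once and then succeeds.
SAMPLE_LOG = """\
Apr 20 10:00:01 host sshd[101]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Apr 20 10:00:02 host sshd[101]: Failed password for alice from 203.0.113.5 port 40002 ssh2
Apr 20 10:00:03 host sshd[101]: Failed password for alice from 203.0.113.5 port 40003 ssh2
Apr 20 10:00:04 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40004 ssh2
Apr 20 10:00:05 host sshd[101]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Apr 20 10:00:06 host sshd[101]: Accepted password for bob from 198.51.100.7 port 50002 ssh2
"""

# Matches both "Failed password for USER from IP" and "... for invalid user USER from IP".
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def summarize_failures(log_text):
    """Count failed logins per account and per source, and record which accounts each source hit."""
    per_account = defaultdict(int)
    per_source = defaultdict(int)
    accounts_by_source = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, src = m.groups()
        per_account[user] += 1
        per_source[src] += 1
        accounts_by_source[src].add(user)
    return per_account, per_source, accounts_by_source


def alerts(log_text, per_account_max=3, per_source_max=3, spray_accounts=2):
    """Return alert strings. Thresholds are assumed values, not recommendations."""
    per_account, per_source, accounts_by_source = summarize_failures(log_text)
    out = []
    for user, n in per_account.items():
        if n >= per_account_max:  # a lockout policy at this threshold would have fired
            out.append(f"account {user}: {n} failures (would trip a lockout at {per_account_max})")
    for src, n in per_source.items():
        if n >= per_source_max:
            out.append(f"source {src}: {n} failures")
        if len(accounts_by_source[src]) >= spray_accounts:  # one source, many accounts
            out.append(f"source {src}: tried {len(accounts_by_source[src])} distinct accounts")
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

Counting by source as well as by account is what lets a monitor see a many-account spray (the lockout-DoS pattern from point (b)) without locking anyone out.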

4) - M$ Password Checker - Maybe we should remind our users that it's a BAD idea to possibly give out your passwords on the interweb. This point is driven home in the ISC post, but may be worth mentioning. Maybe we could suggest an alternative? Maybe there is an alternative that people could download and run locally for themselves or their corporations/institutions. [Andy - I thought this was somewhat recycled news, but it can spark a debate on a topic I know we cover in security basics] [Security Weekly - This is the worst password checker ever, defeats the purpose]

5) - ISC.sans.org - Multiple vulnerabilities have been reported in Apple Mac OS X and applications. Proof of concept code has already been posted along with the information regarding the vulnerabilities. At this time no patches or workarounds appear to be available for the majority of the vulnerabilities. The impact is denial of service or remote arbitrary code execution, and the severity is highly critical. [Nick - I will hold back the laughter on this one :-P ] [Security Weekly - What, Linux never had any vulnerabilities? And NO ONE can talk when it comes to browser vulnerabilities, because they all have them, and lots of them. Safari is no different. Oh btw, check out these kernel vulnerabilities http://www.securityfocus.com/bid/17587 and http://www.securityfocus.com/bid/17593. Hey twitchy, are you done compiling your kernel yet? How about now?]

6) - Upgrade Ethereal .99 - It is time to upgrade Ethereal. FrSIRT has posted that there are 28 vulnerabilities. - ISC story.

7) Yet Another IE Flaw - Yikes, another 0day for IE in the making. I just grow tired of talking about it. Check out this site though Kill Bill's Browser

8) Where to download exploits - Excellent resources, I like the Security Forest concept.

Other Stories Of Interest

- CIOUpdate.com - The biggest bank heist in history was successful via hardware keystroke loggers. Does anyone consider this a threat to security? All the encryption and firewalls in the world can be foiled by a single device the size of my thumb, and it's available at ThinkGeek.com. [Paul Asadoorian - Why two stories about bank hacking? Pick one, then let it segue into the other maybe] [Nick - Spend millions on securing your network and worrying about threats on the outside only to be foiled by a simple hardware keystroke logger on the inside. Something to think about. Let's ask how others have dealt with this, as well as for suggestions. ]

Hacker Con Videos - Tons of 'em! Go check them out!

securewebbank.com - A list of banks and the web security they offer. How does your bank rate? The First National Bank of Twitchy offers two-factor bio authentication just to pee in the bathroom. [Nick - Always make sure that little golden lock shows up at the bottom right of your browser to make sure you're always encrypted. Never bank online when using wireless... EVER! As we all know and have shown, you could be in a man in the middle or someone could just be sniffing the traffic. Switch banks!]

Malware: To Go! - I'll take my malware to go please...