SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 255 for Thursday August 18th, 2011.
- Don't miss our podcast next Friday night at 7:30 PM with Mark Russinovich!
- Don't miss the August 31st Late Breaking Computer Attack Vectors Webcast Sponsored by Core Security Technologies with Larry "I eat animals" Pesce.
- If you couldn't make it to BlackHat, then consider instead the always fabulous SANS Las Vegas for "Advanced Vulnerability Scanning Techniques Using Nessus" Saturday, September 17 - Sunday, September 18.
- DerbyCon : Louisville, Kentucky – September 30th to October 2nd. Catch Carlos Perez's training session - "Automating Post Exploitation with Metasploit" Friday and Saturday of the Con from 4:00PM to 9:00PM.
- We want your feedback for a new show! Remember the vintage episodes dubbed "Listener Feedback"? We want to re-visit this idea, field questions from the audience and make it a show! If you listen to the Security Weekly podcast and have questions about technical topics, please submit them! We plan to address the "n00b" questions and issues in a traditional PaulDotCom format. Send suggestions to the PaulDotCom Mailing List. Thanks!
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, Watch our Videos and Add us on Facebook where we can be "friends"
Guest Interview: Dr. Timothy "Thor" Mullen
7:30 PM EDT
Johnny Long says: "Most recognize Thor as the Norse god of thunder with massive powers of destruction. Few realize that he was also the god of restoration. Likewise, his namesake, Timothy "Thor" Mullen, has spent his entire adult life both destroying and restoring Microsoft-based security systems. Thor's Microsoft Security Bible conveys the wisdom and expertise of the industry legend that has defined the bleeding edge of Microsoft security for over twenty years. I highly recommend this book."
- How did you get your start in information security?
- You've contributed to the Hacker’s Challenge, the Stealing the Network series, and now your new book. What led you to try your hand at being an author? What guidance or tips would you give to someone looking to write a book?
- What are some of the mistakes folks make concerning logs?
- What is EFS and how can it be used to lock down WebDav?
- What are some of the use cases for an Externally Accessible Authenticated Proxy?
- Why don't more people take system hardening and secure configurations to heart and implement them in their networks?
- Tell us about "Thor's Managed Interface Log Fetcher (MILF)" (™)
- What do you mean by "Anytime you see a reference to xp_cmdshell in any SQL solution, it should raise a red flag"?
- In your book and on Symantec's blog, you go further into Blocking Traffic by Country on Production Networks. Did anything surprise you about that research?
- Tell us about your work for Security Focus.
- Do you still believe that in certain circumstances, it's OK to fight back?
Stories For Discussion
- To the person who destroyed www.securityfail.com - Everyone please hold up their middle finger to the cameras. K, thx, bye, Security Fail you will be missed, maybe we will bring you back from the dead someday.
- Putting all of Your Eggs in One Basket - or How NOT to do Layoffs - So here's the thing: the people you either fire or lay off, however you want to put it, are going to be pissed off. If you want a free internal penetration test, fire these people, then give them access to your network and wait to see what happens. In this case, a former employee was kept on as a contractor, still maintained his access to vSphere, and wiped out the network. Sure, he's facing charges, but your network is already wiped out. The article talks about defenses: "Separation of duties is super-critical." and "Hardening your infrastructure is also important." While that has merit, an insider is more likely to cause damage, and the real key is to detect it as early as possible and deploy ninjas to have them removed ASAP. I do like the suggestion of more closely integrating IT and HR; this is a winning idea. "But much more important, IT needs to be involved in termination. They need to collect the gear, revoke passwords and the like, in many cases during the exit interview. When an IT admin is laid off, fired or otherwise terminated, it's often a multi-person effort to change all the passwords - domain admin credentials, passwords for local hosts, virtual infrastructure admins, and the myriad of network devices (routers, switches, firewalls, load balancers, etc)." Be friends with HR.
- From The World Of Bad Security Ideas - This is a paper ledger for you to record your passwords in case you lose your computer system. What a value! Now I can easily index all of my passwords and write them down so I don't forget. I can carry it with me wherever I travel, and the best part is it will let me keep track of all those passwords that IT is constantly making me change! Super-duper, please just hack me now!
- Court: Too Many Emails Is Hacking - Here's what the court said: "[We] conclude that a transmission that weakens a sound computer system, or, similarly, one that diminishes a plaintiff's ability to use data or a system, causes damage". Really? That's hacking? I believe we need to separate the DoS type conditions and label them "destruction" or "disruption" and not let that fall into the category of "hacking" or "unauthorized access". Lines are blurred; on the flip side, wouldn't this help in our fight against SPAM? Oh wait, we can't identify those people because they are renting botnets, so let's not even bother trying.
- 5 Most-Ignored IT Security Best Practices - Failure to rotate SSH keys tops the list of the most ignored security practices, which also include 2) training users 3) encrypting cloud data 4) using strong encryption keys and 5) having a plan for replacing breached certificate authorities. As a penetration tester, my list looks very different: 1) Apply patches to all systems and software 2) Change all default and easily guessable passwords 3) Find and fix all stupid web app vulns (like XSS, SQLi, and command injection) 4) Monitor your logs and act upon them 5) Set up traps for attackers.
- Office equipment open to hacker attacks - "Researchers from Web security firm Zscaler ran a simple search and easily located 118,194 Hewlett-Packard printer-scanners, 9,431 Canon photocopiers and 3,554 D-Link webcams equipped as Internet-connected Web servers." It's almost hard to believe this is still so common. Now, most of these attacks are due to 1) a default password and 2) an exposed web server on the device. Folks, this is easy stuff. When we look at the fight against malware or the difficulty of patching all the systems in your environment, finding and changing default passwords is easy. Turning off or firewalling web servers is easy too. You know what? Finding exposed web servers on your network perimeter is easy too. This is low hanging fruit, so why are we not fixing these issues?
- WarVOX Gets An Overhaul; Wardialing Added To Metasploit - It's good to see that war dialing is not dead. Most of us remember the original War Games movie, and wanted to be in computer security as a result. John Sawyer suggests we use it to fingerprint people: "Practical purposes? Well, if you're doing recon for a penetration test and social engineering is within scope, imagine if you could call the voicemail of the employee, record his voice from his cell phone, and then call all the phone numbers at his office (or in the nearby residential area) and identify him automatically." and identify devices that could be "juicy". I have to say, very few customers ask for war dialing, and we should work to include it in scope to help people understand the risk. However, sometimes the defenses are not so easy, like with voicemail, but there are certain things that can be locked down with voice mail (e.g. enforcing PIN numbers and educating employees that telling you the password to the new ERP system in a voice mail is not cool).
- Defcon is OVER - Nice pics from our good friend Brad Carter. I love how they paid for a 24 hour bus ride and socially engineered a badge for their friend.
- The Ultimate Unix Cheat Sheet - Nice reference for pen testers.
- Reversing DELL's DRAC firmware - Nice tutorial on reversing Dell DRAC. I stumbled upon this on a pen test, and it gave me root access to a system via the console. This is yet another embedded system that no one bothers to secure. It also shows how reversing firmware is not all that hard, and the reward can be a backdoor username/password that lets you log in. We do this a lot on pen tests; it's sometimes time consuming, but often worth the effort.
- Dog fight game bitten with pro-PETA virus - Best title I saw this week for a news article.
- Better ATM skimming through thermal imaging
- RankMyHack - A 'Hot or Not' for hackers
- Beware the Juice Jacker - This sounds dirty, but shows you should not plug your phone into just any port (I guess that's true for a lot of things!). One interesting note: "One thing we discovered: On certain devices, if you power them completely off, then charge them, they don't expose the data." Still, I wouldn't trust it. The best thing to do is pick up an external battery-powered charger for yourself. Only plug into your own ports is what I'm sayin'!