SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which will teach students how to assess embedded systems of all varieties on pen tests and in their duties as security professionals. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 256 for Friday August 26th, 2011.
- Don't miss the August 31st Late Breaking Computer Attack Vectors Webcast Sponsored by Core Security Technologies with Larry "crazy cat Lady" Pesce.
- If you couldn't make it to BlackHat, then consider instead the always fabulous SANS Las Vegas for "Advanced Vulnerability Scanning Techniques Using Nessus", Saturday, September 17 - Sunday, September 18.
- DerbyCon : Louisville, Kentucky – September 30th to October 2nd. Catch Carlos Perez's training session - "Automating Post Exploitation with Metasploit" Friday and Saturday of the Con from 4:00PM to 9:00PM.
- Jack wants to hear if you've experienced Sec Burn Out, mainly so he can tell you to stop being a wuss.
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, Watch our Videos and Add us on Facebook where we can be "friends"
- We're spinning up a new mini-podcast/videocast and we're looking for topics from our listeners.
Guest Interview: Mark Russinovich
7:30 PM EDT
Mark Russinovich is a Technical Fellow in Windows Azure, Microsoft's cloud operating system group. He was a cofounder of the software producer Winternals before it was acquired by Microsoft in 2006 and is the author of the high-tech thriller Zero Day: A Novel.
Trailer for Zero Day: The Novel
- How did you get your start in information security?
- What were the early days building Winternals like? Did you get any acknowledgement (or scorn) from Redmond in the early years?
- Can someone cleanup a malware incident using solely the Sysinternals tools?
- Is it true that RootkitRevealer is being deprecated?
- What were the discussions like with Sony when you discovered their copy protection mechanism was a rootkit?
- Tell us about the GPU support in the tools.
- How important is digital forensics to the success of the information security professional today?
- How did your team take the news that Microsoft wanted to purchase them? Were there any other suitors?
- Will we ever see a non-Windows port of the tools?
- If you were being shipped to a desert island and you could bring a laptop with only one Sysinternals tool what would that tool be?
- What kind of malware keeps you up at night?
- What is your role in the Fabric Controller team for Azure?
- How is the distributed architecture challenge different than the traditional Windows kernel challenges?
- From Chris Hoff: Please describe how security in the Azure stack is similar/different from traditional enterprise deployments - beyond scale, is there a difference in approach/model?
- How does "assurance" change in the cloud?
- What kind of issues are you running into with Azure that surprised you?
- How easy is it to segregate the issue of applicable laws when a U.S. firm operates services for, say, European clients via Azure?
Zero Day Questions
- Was there a particular story or event that inspired your novel?
- How long was the idea for the story germinating before you took pen to paper?
- Was the character of Jeff Aiken based on a particular individual? True or False: It was based on Ballmer. [Joke!]
- Do you have any thoughts on another novel with this character?
Blog round up
Stories For Discussion
- Apache HTTP Server Byte Range DoS - Anytime a remotely exploitable bug comes out in Apache, it's a bad thing. It's weird though, because the attack surface is so great, your web site could stay up for some time before someone gets around to attacking it. Anonymous/LulzSec is going to have a field day with this one. The kicker is, the entire system becomes unstable. So, many devices you have running Apache, and don't even know it, may go down as a result of this bug. Kingcope posted this to Full-Disclosure, well-known for some really interesting exploits.
- HP's Biggest Problem: Securing Its Message - HP's biggest problem might be internal security because perceptions drive its valuation, and it's unable to control perception largely because of the leaks. Wow, that's a bold statement, and I agree with it. I don't believe that companies put a high enough priority on perception. It's not something you can easily measure and wrap metrics around; it's more like a feeling or a general opinion. Many executives will just dismiss it, based on the audience that is presenting the perception. The thing is, a bad perception is kind of like mold in your humidor: until you take the time to get rid of it completely, it will just keep coming back to haunt you and destroy things (like relationships or really nice cigars).
- UPnP-enabled routers allow attacks on LANs - Garcia said that, by performing an internet scan, he managed to detect 150,000 potentially vulnerable devices within a short period of time. Once initial contact has been made, the scanner sends such UPnP commands as AddPortMapping or DeletePortMapping to the devices via SOAP requests. This problem has been around for a long time, UPnP is a terrible protocol when it comes to security. It leaks information more than HP's board, and pretty much lets you do whatever you want to the device without stopping you (you know, like that girl in high school. Doh, that was bad taste, sorry). Umap is a new tool that was written to exploit these weaknesses. Now, if 150,000 devices were found on the Internet, just how many do you think you could find on your organization's enterprise network? Please run the tool and let us know the results!
- Infosec Subjectivity: No Black and White - Shack actually brings up a good point: "This list can go on and on. But infosec is such a subjective area, I think we all have to take a step back sometimes and realize that our passion and desire to 'get things fixed' usually has the caveat that one size almost never fits all." He goes through 3 examples where we all fall on one side or the other: 1) Security Awareness 2) Metrics and 3) Pen Testing. Let's table the pen testing thing, and talk about 1 and 2.
- SSL MITM with an inserted CA and a DNS hijack - This is a really cool post! Now, it requires that you already have a shell on the host, but that's cool. So, throw this in your post-exploitation toolkit and see how it works on your next pen test. I think a stealthy way to intercept HTTPS and decrypt traffic is cool, however can't we grab it in memory by DLL hooking? Of course, you'd have to hook each application, so maybe this way is a bit easier.
- Customizing Nessus Scanners - Nice post on how to write your own NASL scripts, which I encourage people to do. If you want to tackle this please post questions to http://discussions.nessus.org!
- Looking Behind the Curtain: Making exploits work like they do in the movies - Core Security Technologies - Very detailed post on making an exploit work.
- Gartner on Vulnerability Assessment - Wow, am I actually agreeing with Gartner? WTF is happening anyhow? They did have this quote: "Own the vulnerability; don't blame the threat." That's just awesome. So many companies do this: they don't want to own the vulnerability, they just want to place blame. "Hey you, big software company, this is your problem." No, no, it's actually everyone's problem. So, I translate this to: implement workarounds and don't sit on your asses and wait for a patch, because it's already too late.
- Another Reason to Have a Security Policy - Your Customer Demands It - While this may be a reason, it's not a very good one. And I'm not just talking about policy, but assessments as well. Here's my take: if you've waited for your customers or partners to force or recommend that you have a security policy and/or a security assessment, it's already too late. If you have progressed to the point where you are in business, have customers and an IT infrastructure, you should already, no, you MUST, have a security policy and a regular assessment of some kind. This probably means your systems are not patched and users have no idea about security at all. Customers should think twice before doing business with you. Also, if you are looking for an assessment because it is a requirement of a customer, this almost always ends badly. It means that the driving factor for security is to make money, and security costs money. It means that a 3rd party wants you to be secure; not driving security from within leads to "checkboxes" and "compliance", which is not "security".
- Information Security Burnout - Jack, what's the latest?
- Steve Jobs resigns as Apple CEO - It's a sad day; how will I buy two of every Apple product if Steve isn't around to hold them up? Seriously, say what you want about Steve, he is a brilliant man who invented the iPod, iPhone, iPad and so forth. Cool stuff. The big question burning on everyone's mind is how will Apple continue to innovate?
- MIT researchers craft defense against wireless man-in-middle attacks - Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas. Layer 2 has always been a weakness, it would be awesome if the researchers found a way to validate at either layer 1 or 2. Cool stuff.
- Seven Dwarfs password gag declared Fringe's best - Comedian Nick Helm has secured the Funniest Joke of the Fringe 2011 title, after entertaining the Edinburgh crowds with this rib-tickler: "I needed a password with eight characters so I picked Snow White and the Seven Dwarves." Everyone laugh, then laugh some more!
- Insulin pump maker ignores diabetic's hack warnings - "The maker of an insulin pump that's susceptible to wireless hacking was identified for the first time on Thursday by a diabetic researcher who said the company repeatedly ignored his warnings." When will vendors learn? Fix your problems! The security of medical devices really sucks, just like SCADA.
- Validity of most-common-password lists - Never thought to ask this question.
- Exploiting A Tricky SQL Injection With sqlmap - Good tips
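On the Apache byte range DoS story above: the bug is triggered by a single request whose Range header carries a large number of byte ranges, and the workaround Apache published was to ignore or reject any Range header with more than a handful of them. The following is an added example for these show notes (not code from the Apache project or from Kingcope's post) showing that check in Python, so you can see what a front-end filter or a WAF rule has to parse. The five-range limit follows the Apache advisory; the sample headers are constructed.

```python
"""Check HTTP Range headers for the many-ranges pattern behind the 2011
Apache byte-range denial of service.

Added example for these show notes, not code from the Apache project or
from Kingcope's post. The Apache advisory at the time suggested ignoring
or rejecting Range headers carrying more than five byte ranges, so five
is the default limit here; every sample header below is constructed.
"""
import re

# RFC 2616 byte-range-spec: 'first-last', 'first-' or '-suffix'
BYTE_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_range_header(value):
    """Split a Range header value into (first, last) tuples.

    Either bound is None for the open forms ('500-' or '-500').
    Anything that is not 'bytes=' followed by well-formed specs raises
    ValueError so the caller ignores the header instead of guessing.
    """
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or missing range unit")
    ranges = []
    for spec in specs.split(","):
        m = BYTE_RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("malformed byte-range-spec %r" % spec)
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def assess_range_header(value, max_ranges=5):
    """Decide whether to honour a Range header.

    Returns (verdict, reason). 'allow' passes the header through;
    'ignore' drops it and serves the whole resource with a 200, which is
    the effect of the 'RequestHeader unset Range' mitigation and is also
    what RFC 2616 says to do with a syntactically invalid Range.
    """
    try:
        ranges = parse_range_header(value)
    except ValueError as exc:
        return "ignore", str(exc)
    if len(ranges) > max_ranges:
        return "ignore", "%d ranges exceeds limit of %d" % (len(ranges), max_ranges)
    inverted = sum(1 for first, last in ranges
                   if first is not None and last is not None and first > last)
    if inverted:
        return "ignore", "%d ranges with first-byte-pos > last-byte-pos" % inverted
    return "allow", "%d range(s)" % len(ranges)


def scan_request_headers(raw_headers, max_ranges=5):
    """Run the check over a raw request header block (CRLF separated).

    Returns the verdict for the Range header, or ('allow', 'no Range
    header') when the request does not carry one.
    """
    for line in raw_headers.split("\r\n"):
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "range":
            return assess_range_header(val.strip(), max_ranges)
    return "allow", "no Range header"


# Constructed samples: a normal partial GET, a download resume, and the
# many-overlapping-ranges shape that exhausts memory on unpatched servers.
NORMAL = "bytes=0-499"
RESUME = "bytes=1000-"
ABUSIVE = "bytes=0-," + ",".join("5-%d" % i for i in range(20))

if __name__ == "__main__":
    for hdr in (NORMAL, RESUME, ABUSIVE):
        verdict, reason = assess_range_header(hdr)
        print("%-32s -> %-6s (%s)" % (hdr[:32], verdict, reason))
```

The check deliberately treats a malformed header the same way as an abusive one: both get the Range header dropped and the full resource served, which costs a few extra bytes on the wire but never hands the attacker a request shape the server has to spend memory on.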
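On the UPnP story above: the two steps Garcia's scanner performs are SSDP discovery and then unauthenticated SOAP calls to the gateway's control URL. The following is an added example for these show notes (not Umap, and not code from the article) that does the same two steps in Python, but uses the read-only GetGenericPortMappingEntry action to list a gateway's existing port mappings, which is what you want when auditing your own network. The M-SEARCH datagram and the WANIPConnection service name are standard UPnP; the SSDP reply, SOAP response and control path in the samples are constructed.

```python
"""Discover UPnP Internet Gateway Devices and read back their port mappings.

Added example for these show notes; it is not Garcia's Umap. The protocol
parts are standard UPnP: SSDP M-SEARCH to 239.255.255.250:1900 and the
WANIPConnection GetGenericPortMappingEntry SOAP action. The SSDP reply and
SOAP response below are constructed, and the control path is made up.
"""
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(search_target=IGD_DEVICE, mx=2):
    """SSDP M-SEARCH datagram asking matching devices to reply unicast."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: %s:%d\r\n"
            'MAN: "ssdp:discover"\r\n'
            "MX: %d\r\n"
            "ST: %s\r\n\r\n" % (SSDP_ADDR[0], SSDP_ADDR[1], mx, search_target)).encode("ascii")


def parse_ssdp_response(raw):
    """Parse an SSDP 200 reply into a dict keyed by upper-cased header name.
    LOCATION points at the description XML that lists the control URLs."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Send one M-SEARCH and collect parsed replies (live network call)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(65507)
            try:
                found.append((addr[0], parse_ssdp_response(data)))
            except ValueError:
                pass  # not an answer to our search
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def build_soap_request(control_path, host, action, arguments, service=IGD_SERVICE):
    """Raw HTTP POST for a UPnP SOAP action on a device's control URL.

    Note what is absent: any form of authentication. Whoever can reach the
    control URL can read the mapping table with GetGenericPortMappingEntry
    and rewrite it with AddPortMapping / DeletePortMapping.
    """
    args_xml = "".join("<%s>%s</%s>" % (k, v, k) for k, v in arguments.items())
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            '<s:Body><u:%s xmlns:u="%s">%s</u:%s></s:Body></s:Envelope>'
            % (action, service, args_xml, action))
    head = ("POST %s HTTP/1.1\r\n"
            "HOST: %s\r\n"
            'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
            "CONTENT-LENGTH: %d\r\n"
            'SOAPACTION: "%s#%s"\r\n\r\n' % (control_path, host, len(body), service, action))
    return (head + body).encode("utf-8")


def parse_port_mapping(soap_response_xml):
    """Flatten one GetGenericPortMappingEntryResponse into a dict."""
    root = ET.fromstring(soap_response_xml)
    for elem in root.iter():
        if elem.tag.endswith("GetGenericPortMappingEntryResponse"):
            return {child.tag.split("}")[-1]: (child.text or "") for child in elem}
    raise ValueError("no GetGenericPortMappingEntryResponse in body")


# Constructed samples, not captured from a real device.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\n"
                     b"CACHE-CONTROL: max-age=1800\r\n"
                     b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                     b"SERVER: Example/1.0 UPnP/1.0 igd/1.0\r\n"
                     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"USN: uuid:00000000-0000-0000-0000-000000000000::"
                     b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

SAMPLE_MAPPING_RESPONSE = ('<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>'
    '<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>rdp</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>' % IGD_SERVICE)

if __name__ == "__main__":
    print(parse_ssdp_response(SAMPLE_SSDP_REPLY)["LOCATION"])
    req = build_soap_request("/ctl/IPConn", "192.168.1.1:5000",
                             "GetGenericPortMappingEntry", {"NewPortMappingIndex": 0})
    print(req.decode("utf-8").split("\r\n")[0])
    print(parse_port_mapping(SAMPLE_MAPPING_RESPONSE))
```

To walk a real gateway's table, call discover(), fetch the description XML at each LOCATION to find the WANIPConnection control URL, then POST build_soap_request(...) with NewPortMappingIndex 0, 1, 2, ... until the device returns a SOAP fault. A mapping like the constructed one above, RDP on an internal host exposed to the WAN with a lease of 0 (permanent), is exactly the kind of thing an AddPortMapping from an attacker leaves behind and that nobody notices until they enumerate.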