SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 258 for Thursday September 8th, 2011.
- Paul will be handing out free puppies during his "Advanced Vulnerability Scanning Techniques Using Nessus" talk Saturday, September 17 - Sunday, September 18 at SANS/Las Vegas.
- DerbyCon : Louisville, Kentucky – September 30th to October 2nd. Catch Carlos Perez's training session - "Automating Post Exploitation with Metasploit" Friday and Saturday of the Con from 4:00PM to 9:00PM.
- Don't forget to check out Hack Naked TV - Episode 3 should be coming out tomorrow!
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, Watch our Videos and Add us on Facebook where we can be "friends"
- We're spinning up a new mini-podcast/videocast and we and we're looking for topics from our listeners.
Guest Interview: Alex Hutton
7:30 PM EDT
Alex Hutton is Director of Operational Risk at A Financial Institution and was formerly Sr. Analyst in Risk Intelligence with Verizon Business. Alex has served as an information risk and security consultant for over 15 years, serving companies from the Fortune 10 to the SMB market. In 2007 ITSecurity.com named Alex one of the industries 59 most influential people.
Special Guest Tech Segment: Chris Grier talks about The Commoditization of Malware Distribution
Chris is a security researcher and works for Vern Paxson as a postdoc at ICSI and Berkeley and is on tonight to give us a walk thru of his paper "Measuring Pay-per-Install: The Commoditization of Malware Distribution".
You can find Chris' other research here.
- You've done quite of bit of research on underground economics - how much money are honest people leaving on the table?
- What is your estimate for Twitter traffic that is solely Spam?
- Your Click Trajectories: End-to-End Analysis of the Spam Value Chain paper lists just 3 banks for the spam transactions. Did you have any hypotheses how these 3 banks got so involved with this business?
- Tell us about the Geographic Distribution of malware findings for the Pay Per Install paper.
Stories For Discussion
Blog Round Up
- Reverse SSH via TOR on the Pwnie Express - [Larry] - Thanks Seb! So, got your Pwnie express installed in a victim, er client, but all of your services outbound don't work, or are monitored too closely? How about tunneling the traffic over TOR? Well, now you can. This may be a great option for using your evil Pwnplug, but it may also be good for some legitimate uses too. On another note, SJ has also released some setup automation scripts for the server setup at his blog as well.
- ok, passwords are bad… - [Larry] - …but these security questions aren't getting any better either. Really, "What is your preferred internet password?" Really, pick something better. I do like some of the comments for, if possible making up your own (or more from Scheneir: Q: Would you like to go on a date with me? A: Sure, Friday is free. Let me know where to pick you up. So how do we solve these type of problems, that make it easy for users?
- Fix? No, hack. - [Larry] - How long does it take to fix XSS on the University of Vermont web site? More than a month apparently after reporting, and the individual that reported got frustrated, and then went and hacked the site to prove a point. Now I don't agree with the end method, but I do think that a month was too long to fix. I think this may be a case of political issue getting things fixed (a problem!) or some folks not understanding the issue with XSS (a problem!). How long has XSS been around for, and why are folks still just not getting it?
- Should we still test patches? - [Larry] - Rob has some great discourse here about the volume of patches that most companies have to deal with from both an OS, application amd client app stand point. The argument is that do we have time to test the volume of patches, or do we potentially remained owned for up to a year? Sure we get a "bad patch" and maybe that one takes us out for a day, and that's an acceptable risk…but what about when you deploy a GOOD patch to all of your workstations the breaks your mission critical application? Discuss.
- Impersonating…ChrisJohnRiley? - CJR created a metasploit module for connecting to and capturing an SSL cert, and generating a fake one using as many values as possible from the valid cert. One neat trick he points out - make the cert expire "yesterday"…oops, that must be the problem.
- A Bluetooth GoodFET for the N900 - Remote keyboard sniffing with N900 and a GoodFET. Travis just keps coming out with cool stuff that we need to work to build into our penetration tests. Bluetooth Keyboard sniffing is hot, most organizations do nothing about it. Would be cool to fit this onto a pwn plug and drop it off at the client site. Then do some keyboard sniffing.
- When is Offense the Best Defense? - Good overview of offensive defensive tactics, I like that we are seeing this topic covered more in the media. However, how do we get people over the hump of traditional defenses and implementing more offensive techniuques? Now is the time! No question, attackers are very sucessful, so if your not thinking offensively, someone probably already has your data.
- Mac Desktop Security: The Landscape Is Changing - Should we keep OS Xout of the enterprise because of its security shortcomings? I think Apple is where M$ was in 2003, it hasn't hit the bottom line yet. When it does, and they realize that corporate adoption is slow due to security, they will improve. Right now, there is no business driver. Users want idevices because they are cool, they work, and they can play Angry bird. This crowd cares little about security. However, as soon as we see large-scale attacks that make impacts on organizations using OS X, hopefully Apple will be forced to spend more money on securing the platform than they do making sure there are no leaks.
- Ransomware plays pirated Windows card - Interesting though, once you pay the ransom, they send you (and everyone else who pays) a real Windows activation code. Anyone guess what $143 means? (its not a throwback to the old pager code for "I Love You")
- Mitnick's Tale Sheds Light on Social Tactics - Mitnick's new book sounds great, and its amazing how successful SE tecniques really don't change. In one case he tells the take of tracking down former employees of a company and pumping them for information on how their product works. Funny, we did the same thing in a recent penetration test last month!
- Second firm stops issuing digital certificates - Here's the newsflash: SSL is broken, yet we still all rely on it. I'm actually surpriised we haven't seen more attackers go after CAs, or have they?
- Cisco NX-OS CDP Processing Flaw Lets Remote Users Execute Arbitrary Code - I love, a remote execution flaw on Cisco gear, what looks to be switches. I like being able to create SPAN ports on other people's switches, it makes my pen testing happy.
- Botnet rentals reveal the darker side of the cloud - This is awesome: The company has reported that the operators of TDSS, one of the world's largest, most sophisticated botnets, are renting out infected computers to would-be customers through the awmproxy.net storefront. Not only has TDSS developed a convenient Firefox add-on, it's accepting payment via PayPal, MasterCard, and Visa, as well as e-currency like WebMoney and Liberty Reserve. A Firefox-add on to manage your botnet! That my friends is innovation!#13% of Brits are 'casual hackers' - Does that mean they hack in their Jammies? Naked? Just casually throw Metasploit modules at a target? "Cheerio, I'm hacking you now!"
- Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud? - I say its just plain fun, but hey, that's just how we roll here at pauldotcom.
- Hackers flip characters to disguise malware