SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 264 for Thursday October 20th, 2011.
- Check out Hack Naked TV
- Friday October 28th is our 12 hour podcast for Hackers for Charity - we have a special interview with Johnny Long, Kevin Mitnick and other special guests in the works.
- Larry is teaching SEC580 Metasploit Kung Fu for Enterprise Pen Testing in San Antonio, TX December 4-5. Tell them (and us) that we sent you!
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, Watch our Videos and Add us on Facebook where we can be "friends"
- BSides, BSides, BSides everywhere
Guest Interview: Mike Poor
7:30 PM EDT
Mike Poor is a founder and Senior Security Analyst with InGuardians. Mike is an author and editor of the international best seller Snort 2.1 book from Syngress, and is a Handler for the Internet Storm Center. Mike teaches Intrusion Detection for the SANS Institute and has supported Intrusion Detection and Incident Response teams for the military, and has worked for Sourcefire as a research engineer.
- Mike, describe for us the state of intrusion detection today? Is it still dead? Back from the grave like a zombie?
- What are some of the most common pitfalls that organizations fall into with respects to intrusion detection?
- Is intrusion prevention useful and do you see a lot of organizations blocking attacks with this technology?
- So-called "smart firewalls" seem to be all the rage these days, blending IDS, IPS, and A/V into the firewall, is this a good idea?
- How does our software go about killing us? (Reference: http://inguardians.com/pubs/FriendlyTraitor.pdf)
- Defensively, what is the number one thing that organizations don't do?
- Offensively, what is the one thing that penetration testers can do better?
Five quick questions:
- Is shell just the beginning?
- When playing ass grabby-grabby, would you want to go first or second?
- Windows, OS X, or Linux?
- Who would you rather make out with, Jenna Jameson, Linux Torvalds, or Ed Skoudis?
- 3 words you use to describe yourself...
Stories For Discussion
- Index of /hitbsecconf2011kul/materials - Looks like some truly awesome talks, many of which are focused around mobile security. This is the new threat everyone is talking about, however its a tough thing to include in-scope during a penetration test. First off, you have to be on site for some of the attacks. Second, you don't know if the phone you are attacking is the property of an individual or the company. Maybe we need to start asking for mobile phone numbers of phones that belong to the organization in addition to the IP addresses. I think there is a huge gap in testing that needs to be filled.
- Bad Siri! She'll let anyone use a locked iPhone 4S - Wow, just wow. This is yet another stupid security mistake made by Apple in the past few months. From passwords that don't really matter, now this. Siri is a cool application, and I am just starting to learn about all its features. It pretty much lets you do anything on the iPhone via a voice command, and being able to use it when the phone is locked may be a great usability feature, its a gaping security hole.
- Zero-day exploits are low in number - Here's the thing, you don't need a 0day to gain control of a remote system. Chances are its vulnerable to something, or you can convince the user to install malware for you, no vulnerabilty needed (or guess a password). However, if you really want to be stealthy, you use a 0day. Chances are if an attacker is using an exploit for a 0day vulnerabilty, then they are up to no good and want to go unnoticed. Most malware is focused on exploiting the masses, and if some of the bots get detected its not a big deal. So, i agree with the article, organizations should be concerned and pay attention to 0day.
- Amazon Silk offers increased security on open Wi-Fi networks - So your traffic is encrypted using SSL, how exactly does that protect you?
- Evil Printers Sending Mail - Its unclear if this message came from the printer itself, or if it was generated to look like it came from the printer. In either case, it has a good chance of getting opened by an end user, especially if that organizations has that particular type of printer. There are so many ways to get users to click links, this one is kind of neat because it uses a printer, and we all love printers, and users love printers, and printers love us?
- Sir Tim: PGP for the People? - Sir Tim Berners-Lee demands "PGP for the people". I couldn't agree more, why can't we make PGP more usable? Maybe it needs to be "in the cloud", then everyone would want it and use it.
- How to find out everything that Facebook *really* knows about you - Wow, turns out if you look hard enough, you can generate 1200 pages of data about yourself from Facebook, from deleted postings to "Like" activity. A German reseacher has published his findings..
- Strange But True Penetration-Testing Stories - Turns out these are the same stories that were covered on our podcast by the folks over at Trustwave Spiderlabs. However, it brings up a really good point. Theytalk about how the penetration test was successful because one field-technician account on a PBX was not disabled. With all of the systems and technology you have, its so hard to plug all the holes that its no wonder compromise happens. And thats really the lesson, you're going to 0wn3d, brace yourselves, and be prepared to deal with it. This is another reason why I stress that organizations apply security from the inside out. Focus on securing your data internally, then work your way out so that when someone gets in they have to work hard to get any that is harmful to the organization. Or at least make them hang around long enough so you can detect them.
- Mass SQL Injection Attack Hits 1 Million Sites - I think we're going to see more of this until someone can create a platofrm for people to deploy secure web applcations. Like PHP? ROFL
- Short On Staff - More than half of C-level and IT professionals don't feel confident in their IT security staffs¿ ability to respond to new and emerging threats, according to a study published Wednesday. Uhm, if they are the C-level executives, can't they hire more people? Its a balancing act of course, you want to put a value on your company and its assets, but at the same time feel more secure. Nothing helps you feel, or even become, more secure than qualified exmployees monitoring your network and systems.
- New spyware from Stuxnet developers - OMG Stuxnet! Everyone has a hard-on for Stuxnet, why?
- Schadenfreude, Streisand Effect, the 90's want their disclosure back This has been covered pretty thoroughly, but it is a rant candidate.
- Hackers replace Sesame Street vids with hardcore porn - Since Larry was in disney for the last week and could probably use a good porn story about now.
- Mobile malware waiting for the $$$ to be there - Right now malware on mobile devices is relatively small potatoes.. when will the moment that people start focusing on this? What monetary value has to be there for this to be aggressively attacked using a free game or something. Perhaps the Walled Garden of Jobs is not such a bad idea?
- Siri 'flaw' isn't as bad as it sounds... its a very easy setting change. And how many people lock their phones anyway.
- McAfee and Symantec differ on Duqu - This relates to Paul's Story 11 From what I can read its not Stuxnet return its the next phase or next thing they are working on. Still up in the air if Duqu does anything or is just out there gathering information for what will be the next attack from the stuxnet folks. Still targeting industrial control systems and a very specific group of targets. I am sure McAfee and Symantec sales are on it and the world will be safe /sarcasm.
- VeriSign drops its request to ICANN to shutdown malicious sites - a controversial plan by VeriSign was dropped. They had petitioned ICANN to allow it to scan all domains and shut down the ones that are harboring botnets and malware. Not sure on the details but the link as yet another link to the PDF of the request. so why put this here. Do you think private companies have right or should be doing this sort of thing?