Episode271

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here



Announcements & Shameless Plugs

Security Weekly - Episode 271 for Thursday December 22nd, 2011.

  • Subscribe to our only non-computer security related show dedicated to Cigar Enthusiasts Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. We are working on our top ten cigars released in 2011. We've been painstakingly smoking cigars, enjoyed with fresh coffee and single malt scotch in my nice warm workshop. Its a hard job but someone has to do it, and we're, ya know, toughing through it.

Episode Media

MP3 pt 1

MP3 pt 2

Guest Interview: Jason Fossen

6:00 PM ET

Jason Fossen is a principal security consultant at Enclave Consulting, a published author, and a frequent public speaker on Microsoft security issues. He posts his thoughts on Windows Security on the SANS Windows Security Blog.

Jason-fossen.jpg
  1. How did you get your start in information security?
  2. I think of you as the "Windows Security Guy", are you comfortable with that label?
  3. Did you always focus on Windows? Was it out of love or necessity?
  4. How has Windows desktop security evolved since Windows 98?
  5. What is the biggest mistake people make when it comes to Windows security?
  6. What is the easiest thing you can do to improve security on Windows systems that has the greatest impact?
  7. Do you find that many shops are configuring SSL properly and setting up their own CAs?
  8. Why don't more people enable the IPsec technology in their domains?
  9. What are the security qualities in Windows 8?

5 Questions:

  1. In a game of ass-grabby-grabby do you prefer to go first or second?
  2. Windows 98, Windows Vista, or Windows 7?
  3. If someone were to write a book about you, what would the title be?
  4. Three words to describe yourself?
  5. If you had a choice, who would you make out with: Bill Gates, Jessica Alba, or Ed Skoudis?

Paul's Stories

Stories are typically not all that great this time of year, so I prepared a segment for our listeners

Paul's Top Ten Tips For Penetration Testers - 2011 Edition

  1. Know a Scripting Language - I don't care if its Perl, Ruby, Python, or LUA. Learn one, it comes in handy. Use it on pen tests too. You will find weird conditions, write a script to exploit
  2. Get good with a web application pen testing toolset - Doesn't matter if you write it yourself or use Burp, but get good with a toolset. You may be doing just a test of one web application. Or, you may be doing some other testing and believe me, you want to spend time with anything that could possibly be a web application.
  3. Keep current with the Metasploit Framework - There are so many tools that are part of Metasploit, and I don't do this as often as I should. Download the latest, review the release notes, and play around with the tools within.
  4. Spend some time with S.E.T - Hands down the best toolset for client-side testing. Know it, use it, love it and then give Dave hugs.
  5. Generate your own payloads and test them - Get your hands on some anti-virus software, install it on Windows VMs and test your payloads. Don't use Virus Total, they report the payload to anti-virus companies.
  6. Maintain your own password lists - There are lots of lists out there, but they need to be tuned for the job. Create your own scripts and lists for each job, it helps increase your chances for success.
  7. Use Automated tools - Look, tools that can automatically check for thousands of vulnerabilities save you time. People say they run them, but not the way you run them. Use them, it saves time.
  8. Don't Use Automated tools - Don't rely on automated tools to do your job. They are not human, and most of you are in fact human. Fire up a browser and explore. Look for those logic flaws, exploit the human, that's what you are getting paid for.
  9. Know the value of your services - Be able to correctly convey the benefits of penetration testing to your company and/or customers.
  10. Learn a happy dance and stick with it - Most importantly, learn a dance. When you experience success on a penetration test, do the dance. After you've been pen testing for a while, you should be good at the dance. Demo!

Larry's Stories

  1. The future of SSL? - [Larry] - The "inventor" of SSL claims that due to the flexibility of SSL, additional authentication mechanisms can be used and bolted on. I'd argue the same way we went from SSL 1.0 to 3.0 then to TLS. Light on details, but seems like there may be hope? I still think we need to develop a new method now, as SSL is flawed based on the current trust mechanism.
  2. Metasploit TFTP - [Larry] - ok, maybe we bashed Metasploit a little last week (and maybe HD can come on to discuss?) but how about some praise? A new TFTP client installed, which drew my attention to the TFTP server functionality - this is great for using with RW SNMP community strings to pull running config from Cisco devices, which may reveal TTY passwords and enable passwords stored as a 7 (not 5 even though we could brute force md5 or use rainbowtables) that might have some reuse  :-)
  3. EFF advise on how to keep data secure at border crossings - [Larry] - Solid advice, and some of it good procedure for keeping our date secure in general. Some general advice includes doing encrypted off-site backups with encrypted stream to offsite location, as well as full disk encryption.

Jack's Stories

There was that one time at band camp... oh, wait, not that kind of story.