Episode278

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Announcements & Shameless Plugs

Security Weekly - Episode 278 for Thursday February 16th, 2012


  • John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
  • Subscribe to our only non-computer security related show dedicated to Cigar Enthusiasts Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or daily, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".

Episode Media

MP3

Interview: Jeremiah Grossman

Jeremiah Grossman founded WhiteHat Security in August 2001, and is a world-renowned expert in Web security. He's a founder of the Web Application Security Consortium (WASC), and was named one of InfoWorld's Top 25 CTOs for 2007. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Follow him on Twitter at @jeremiahg




Four years and 4,000 websites video, slides

  1. Tell us about the "Top Ten Web Hacking Techniques of 2011" survey
  2. What is the most common web application bug?
  3. Which web application bug is the hardest to make people understand?
  4. What is the hardest web bug to fix? Easiest?
  5. Why haven't people learned not to code in XSS bugs into their applications?
  6. Will we forever see CSRF bugs and will they just continue to persist and have people underestimate them?
  7. What's the latest web application vulnerability that we will all be talking about?
  8. What are the pros and cons to automated web application testing?
  9. What are the pros and cons to manual web application testing?
  10. From Twitter: Are web application 0day vulnerabilities different from non-web app 0day vulnerabilities?
  11. Let's say you have a large organization, and they have 50+ web apps, how do you test them all?
  12. I'm sure you get asked this one all the time, so let's ask it again: what advice do you give web developers who want to enter the fast-paced and sexy world of web security?
  13. How do we reach all of those web developers who aren't part of the infosec echo chamber?
    1. And students
    2. And those folks who "aren't developers, they just make a few websites"
  14. There is always a lot of discussion about the value of certifications in infosec, but the Certified Application Security Specialist credential has retained its cachet. As one of the founders, what lessons can you share with other certification bodies such as (ISC)2 and ISACA in their attempts to remain relevant?

Stories

Paul's Stories

  1. Security Advisory: Vulnerabilities in D-Link DAP 1150 - security vulnerabilities database - Same old song and dance, many model D-Link routers have issues such as default passwords, CSRF, and suffer from brute force attacks. The thing that scares me the most is that people are running these things and have no clue that they are vulnerable. Until such time, as I don't know, maybe never, or maybe when their bank account is empty and they are left wondering why. ADSL routers are the scariest, because whose job is it to update the firmware? The provider, who is already losing money, or at least cost cutting, and the first thing to go is security. Sorry, no shiny rainbows at the end of this story.
  2. PHP Vulnerability Hunter v.1.2.0.1 Released - I could write this very easily in the form of a script that detects if you are running PHP, and returns "Yes, you are vulnerable" if you are. On the flip side, this is a neat little tool to mess around with as PHP applications are notorious for having issues, so running a specialized little fuzzer against them may be worth your while.
  3. Avi Rubin: All Your Devices Can Be Hacked - Just an FYI, we prevent computers from being stolen, and stop people from getting viruses from your computers.
  4. Twitter Enables HTTPS By Default At Last - Uhm, a little late no? We've been saying it for years, SSL IS THE SOLUTION TO ALL YOUR SECURITY PROBLEMS!
  5. PSA: Paula Deen - Freaking great post, deep fried cheese filled brownies for everyone! Paula Deen is a great chef, until it comes out that she has diabetes. Same thing happens in security, you're doing X and it seems okay, until it relates to something bad, then someone comes up with a solution, and everyone gravitates to it. It's a very interesting social aspect of security.
  6. Why are we talking philosophy instead of technology? - I disagree with this article. We don't need more non-technical talks, and we really don't need less of them. What we need is balance. We should have 10% talks be really high level, 10% be extremely technical, and the remaining 80% should be a balance of technical and non-technical aspects of security.
  7. I Want to Detect and Respond to Intruders But I Don't Know Where to Start! - Start with thinking about how an attacker would attack your network, like your web server, then talk about how you would respond. You'd likely need to look at the logs. If you aren't collecting them, hey look you have something to do now!
  8. The Cloud’s Low-Rent District - The cloud in general is a slum, and Amazon is the slum lord.
  9. Continuous patching – is it viable in the enterprise? - I disagree with Raf, we need patches, lots of patches all the time. It's simple, how can someone else (e.g. the vendor) tell you when you should apply a patch? It makes ZERO sense. Rothman makes more sense in the case.
  10. I’ve always wondered how many vulnerable devices - Answer: LOTS.
  11. Dumping Cleartext Credentials with Mimikatz - Sweet post!
  12. What people think industry analysts do - This is just classic
  13. Cisco Zine: Nmap for IOS? No - Neat, a portscanner for Cisco IOS! Uses TCLshell.
  14. Employment for security professionals at all-time high - We are in a great field, however now we have a problem, finding talent. So, if you need a job...
  15. Android Security Threat From 'Reverse Smudge Engineering' - If you eat lots of potato chips, this could be a security risk! Put the chips away, bitch...
  16. Adobe issues Flash Player update
  17. The Sudafed Security Trade-Off - It's no secret, people use Sudafed for two reasons: Clearing up your sinuses when you get a cold (it's the only thing that works for me) and cooking Meth. So since people use it to cook Meth, we must "Ban" it and require a prescription. If you do the math, this could mean a $1.5 billion dollar bill for the healthcare industry. It goes to show that making something harder to get doesn't always make it more secure. I think this most closely relates to people using their own cell phones and tablets, the moment you try to ban them, it will just have horrible repercussions, like people using them anyway without you knowing. Getting back to cookin' meth, according to the great TV show "Breaking Bad" you can use a different chemical process using "methylamine", which the characters in the show have to steal because you can't walk into any store and just buy it.
  18. Been Caught Stealin' - People steal SIM cards out of stuff, like traffic lights.
  19. Penetration Tests: Not Getting 'In' Is An Option - I almost want to disagree and say you need to define what "getting in" means to your customer, and then attempt to do just that, and then see if they can detect/prevent it, if they do, move to plan B, C, D, etc... It's all about defining goals, and yea, sometimes it's not about getting in.

Larry's (taken over by Darren cause Larry is a slacker) Stories

  1. Mountain Lion preview (OSX 10.8) - Apple has released a preview of OSX 10.8, due for release later this year. A new security feature called Gatekeeper is coming. Looks like developers with valid Dev IDs will create a certificate that will be used to sign all their work. In the event a given developer does something wrong, the cert can be pulled and the apps will not run. There are 3 levels of options: the iPhone option, I call it, where you can ONLY use apps on the app store and nothing else can be installed; install from anywhere but must have a certificate; and lastly the install from anywhere, cert or no cert, option.
  2. iPhone Address book access - Apple is set to fix an issue where app developers were allowed to gather users' contact lists without permission from the phone's owner. Now you will be prompted with a pop-up asking if you wish to allow this access.
  3. patch patch patch patch and then patch some more - Yet another Adobe 0day.
  4. Insider threats are real - Example that your own employees are your biggest threat.
  5. Nortel hacked for years - Former Nortel exec (they are all former now) says they were compromised for years and Nortel didn't try too hard to stop it.

Jack's Stories

  1. Domain seizure This stuff gives me seizures alright. Jotform.com, a business providing hosting for online forms, has been seized by the Secret Service. “They have disabled the DNS without any prior notice or request,” Of course the registrar involved is GoDaddy.
  2. Privacy, what's that? Retailer Target knew the teenage girl was preggo before her dad did. Hilarity ensues (not really)
  3. Panic!! Or not. Dennis Fisher has a good, reasoned write up of the RSA key research.
  4. 0-day exploit middlemen are cowboys, ticking bomb at least according to Christopher Soghoian.