Episode282

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 282 for Thursday April 5th, 2012

  • We have beer from listener Jared, thanks Jared you rule! *hugs*
  • Larry teaching for SANS, check out the SANS web site for a complete list.
  • DerbyCon Call for Papers and ticket registration is: coming up quickly - Friday May 4, 2012 at 10:00AM. The PaulDotCom crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
  • Subscribe to our only non-computer security related show dedicated to Cigar Enthusiasts Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or daily, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".
  • Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away!

Episode Media

MP3 pt 1

MP3 pt 2

Interview: Dan Geer

Dan Geer.png

Introduction

Please join us in welcoming Dan Geer to the show, the Chief Information Security Officer at In-Q-Tel. Dr. Geer serves as Principal of Geer Risk Services as well as an entrepreneur, author, scientist, consultant, teacher and architect.

He served as the Chief Scientist Emeritus and Vice President of Verdasys Inc, the Chief Technology Officer of @stake Inc. In addition, Dr. Geer has was Head of systems development at MIT's Project Athena (the first large-scale academic distributed computing and networking environment), where his staff on his watch pioneered Kerberos, the X Window System, and much of what is take for granted in distributed computing.

Dr. Geer has testified before Congress on multiple occasions and has served in formal advisory roles for the Federal Trade Commission, the National Science Foundation, the Treasury Department, and several others. He served as President of USENIX, the advanced computing systems association. Dr. Geer holds a Sc.D. in Biostatistics from the Harvard School of Public Health and a S.B. in Electrical Engineering and Computer Science from MIT.

Questions

  1. How did you get your start in information security?
  2. what was one of the first security problems you ever had to deal with? Has much changed since?
  3. What problems does a monopoly, such as the one some believe held by Microsoft, cause for security?
  4. Has Microsoft turned things around to present less of a security threat to society?
  5. Are there cases today where monoculture helps security? What are some good examples where monoculture hurts security the most today?
  6. Does running different systems increase security or just make it more difficult to manage? For example, many embedded systems are very weak, however they are so special purpose and all just slightly different, that it makes it difficult to exploit on a mass scale.
  7. What are your thoughts on APT? Is this really a new trend, or just old news with a different spin?
  8. Do you believe that attackers are being more successful or are we getting better at detecting and reporting on breaches? Or, is it something else, such as how we rely more than ever before on technology?
  9. What are some of the biggest mistakes people make when they are measuring risk?
  10. What is the cause of so many breaches in the past few years, is it a technology problem or a people problem or both?
  11. How much does the effectiveness and size of the IT security department weigh into security for an organization? Do the ones getting breached just simply do not have enough talented security professionals?
  12. Everyone seems to be talking about mobile security. is this really a new problem, or the same problem but on a different scale? What makes it so challenging to produce a secure mobile device, and how do we best manage this platform? (or do we?)

Interview: Alan Paller

Alan-paller.jpg

Introduction

Alan Paller is director of research at the SANS Institute. Alan directs SANS research programs including the widely used Internet Storm Center, oversees SANS NewsBites, the popular bi-weekly summary , and @RISK the weekly authoritative summary of all new vulnerabilities. Alan has testified several times before both the House and Senate, and in 2001 President Clinton named him as one of the first members of the National Infrastructure Assurance Council.

Earlier in his career, Alan was an entrepreneur who built the first large computer graphics software company, took it public and merged it into a New York Stock Exchange company. Alan also created The Data Warehousing Institute, wrote two books: The EIS Book: Information Systems for Top Managers (Dow Jones, 1990), and "How to Give The Best Presentation of Your Life (ISSCo, 1978), and chaired more than 150 national and international conferences ranging from the CIO Perspectives conference put on by CIO magazine to the SCADA Security Summits in the US and Europe sponsored by SANS. Alan's degrees are from Cornell University and the Massachusetts Institute of Technology.

Recently Newsweek was quoted as saying, "Paller is kind of a real-life version of Professor Charles Xavier, the X-men comic-book character who heads a school designed to find and nurture young mutants with supernatural powers."

Questions

  1. How did you get your start in information security?
  2. How did you start The SANS Institute and what were your goals for it early on?
  3. Tell us one funny story that happened along the way when starting SANS
  4. What are the top 3 mistakes people make when giving a presentation?
  5. What are 3 things that we should all do better when giving a presentation?
  6. What is CyberQuest?
  7. How do people get involved with CyberQuest?
  8. What do they gain for participating?

Stories

Paul's Stories

  1. Pastebin.com arms itself against misuse - Uhm, and just how do you do that? Oh yea, like this: hire employees to watch for any sensitive information that may be posted on Pastebin.com. That has to be the most aweful job in the universe, watch text on pastebin and tell me if you see someone's password, credit card number, or SSN. God, reminds me of a scene right out of a clock work orange, because you'd have to strap me to a chair with my eyelids pinned open to stay enagaged with that job.
  2. Joomla! 2.5.4 closes more security holes - Hurray for Joomla! Has to be the worst CMS on the planet, more holes than swiss cheese at the shooting gallery. I used to say not to judge software on how many vulnerabilities it contains. I take that back, don't ever run this software. Okay, maybe not never, but if you do better hope you have some serious PHP/Mod_Security Kung Fu... (and a good method of detecting breaches and a good incident response program). Wait, you mean security is more than just applying software patches. Yes. Yes, it is.
  3. Lost Smart Phones and Human Nature - So Symantec "Lost" a bunch of smartphones on purpose, and guess what? When people found them, they accessed the fake personal information. Did we really need to do a test to figure this out? I mean, really, come ON. I think the industry is way playing out this mobile device threat thing. Its clearly being used as a selling point, and nothing more. When it comes down to it, its too difficult of a problem to solve at the moment, so everyone will just either bury their head in the sand, or buy some vendor solution that really doesn't help them. The realy problem is the communications medium is one that you cannot monitor, and you don't own the device in a lot of cases so you can't manage it or control what happens to it. However, you let these devices check email and access coporate information. Doh.
  4. Apple patches Mac Java zero-day bug - I still don't know why this is a big deal. You can spend a few hundred dollars on a cert and drop malware on systems WITHOUT A VULNERABILITY. So why is it that Java vulnerabilities make a big splash in the news and get popular with botnet builders? Makes me think there are some who live in the public eye and get caught, and lots of those who do not.
  5. TSA asks congressional panel to uninvite critic Bruce Schneier - "You Don't uninvite Bruce Scheier, he uninvites you." Total security theater.

Larry's Stories

  1. Brute force Calculator - [Larry] - Neat. Need to convince someone how strong their passwords/hashing algorithms are? This little calculator will give you a good idea how long it will take to crack them. It notes that this is the time for cracking the entire keyspace, which is considerably longer than it takes to recover useful passwords.
  2. AT7T microcell - [Larry] - Yay! Just starting to see some hacks for these devices, so maybe we can repurpose them for our own evil uses. I'm guessing that the person behind this is Kevin F., as I saw some tweets from him yesterday about gaining access to the device as root, and via serial. I wish I had one…
  3. Pwned via used Xbox360 - [Larry] - Researchers claim to have recovered CC number from a used Xbox360 by removing the drive and analyzing. Microsoft claims shenanigans, as the xbox was never intended to store CC numbers locally, and Microsoft wipes drives when they refurbish. Ok, but (and it is a big butt), that I'd argue there is probably some caching of the cc number that occurs (even if temporarily in slack space) and what about those xboxes that have not been refurbed by Microsoft, such as those done by the local Mom and Pop place. I think many folks realize that these devices have Hard Drives, but don't realize that there may be sensitive data on them, let alone how to eradicate.
  4. Social Engineering at teh movies - [LArry] - a Great list of movies that demonstrate social engineering. Go add these to your Netflix queue now!
  5. Unsung Heroes - [Larry] - A great list of tools from CJR that are unknown, often forgotten but are really useful. I'm most interested in the whole pastebin trolling er, monitoring.
  6. Phone home - [Larry] - Cool. FreePBX exploit kicked off by forcing the PBX to dial a number, and payload is executed when the "reverse" call is answered.
  7. Industrial espionage - [Larry] - Now here's something I bet folks don't think enough about, specifically the folks at Nortel. Attacks against Nortel allegedly happened for a long time, and allegedly senior management stood by and did not do anything about it. As a result, did this event contribute to the financial downfall of Nortel based on the loss of their IP.

John's Stories

Darren's Stories

Jack's Stories