From Paul's Security Weekly
Announcements & Shameless Plugs
Security Weekly - Episode 301 for Thursday September 6th, 2012
- Register NOW for Offensive Countermeasures: Defensive Techniques That Actually Work at SANS Las Vegas on September 23-24, 2012
- NEW: Register for our brand new Defensive Countermeasures: Foundations of Network Protection, being offered by Black Hat in conjunction with the HALO conference.
- Be sure to check out The Stogie Geeks Show! For cigar enthusiasts, by cigar enthusiasts. Live broadcast this Sunday night, 8:30PM EDT.
Interview with Marc Maiffret
Marc Maiffret is the Chief Technology Officer at BeyondTrust, a leading vulnerability and compliance management company, and was a co-founder of eEye Digital Security.
- How did you get your start in information security?
- Tell us about your work at eEye, especially in the early days there.
- Back in 2007, you left eEye to start work on a mobile phone application. What do you think is needed in the mobile arena now that is NOT security related?
- What research do you think needs to be done that no one is doing now?
- 100,000 Vulnerabilities - Security vulnerabilities measured in numbers is sometimes a scary thing. At some level you can prove strength or weakness in numbers. If you count vulnerabilities, for better or worse, how are you qualifying them? Severity? Exploitability? Ubiquity? All those things, and more, can impact your view on the matter; in fact they can make it matter, or not. The point being, try not to play the numbers game. There is a "shit ton" of vulnerabilities out there, and what we do to prevent them from happening in the first place and how we deal with them in the real world is what matters.
- Schneier on Security: CSOs/CISOs Wanted: Cloud Security Questions - This is one topic which we did not debate, that is the cloud. I think, like security vs. obscurity, it's a simple solution on the surface. For example, if you care about your data, don't store it in the cloud. Similarly, if you care about the security of anything, don't just obscure it, secure it. Wow, that sounds even cheesier than I thought.
- Secret account in mission-critical router opens power plants to tampering | Ars Technica - This speaks to the continued lack of awareness in device manufacturers when it comes to security. I'm baffled that they have not solved the problem. The common problems they have, such as easily exploitable vulnerabilities, are easy to fix. It requires two things: awareness training for developers and QA (à la Rugged/DevOps) and regular security assessments. In the grand scheme of things, it doesn't cost all that much. In the end, you produce a better product. Hopefully the market has changed, and customers value security as one component of a great product. Or maybe I live in a dream world...
- The Social-Engineer Toolkit (SET) v3.7 Street Cred has been released - Java 0-day is in SET. Coupled with the other Java payloads, this ensures your phishing success. On the defense side, I disagree with everyone saying "Disable Java" or "Disable Flash". There are going to be users who require this technology. Those are the users we will target. Sure, it reduces your attack surface, and that does help. But I believe where people miss the boat is just how deep "security" needs to go. It's more than layers. It's more than awareness and technology. It's about doing all sorts of things to keep your organization resilient to attacks, and having a plan to deal with successful attacks and minimize damage.
- Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords | Thireus' Bl0g - Nice crack...ing.
- BYOD creates generation of workaholics - Saying that BYOD adds 20 hours to your work week is ridiculous. How much work can you really get done on your smartphone? If you're spending that much time in email or some such thing, you need to re-evaluate your strategy. Devices and technology should make you more productive or you're doing it wrong. However, it does increase the threat landscape.
- 3 security mistakes your management is making now - I have to say, and this usually never happens, I agree with Roger, at least on the first point of testing vendor products. I think a lot of people get this wrong. It goes deeper than what Roger stated. Sure, you should test out products before you buy them, and even use them on real production networks. Also, you have to understand your problems, develop requirements, and research the right way to test, install and configure said products. Many don't do this and end up with the wrong products for the wrong reasons. Along these lines, products that work for others may not work for you, so don't put too much stake in what works for others. I also agree that priorities couldn't be more wrong. Attackers are successfully phishing you, so let's buy an IPS and firewall. WTF? The whole thing about "drift" is a bit puzzling, but I think it just needs better clarification. Configuration management is important. The first thing most do wrong is never define a secure configuration. If you've made it that far, most don't do much to keep the systems in a secure state. The toughest organizations to break into are ones that have a secure config and work to keep systems that way.
- Papers: How to Use PyDbg as a Powerful Multitasking Debugger - Love the Python debugger, just sayin'.
Jack's Predictions about events in the Past
- FBI hack turns out to be fake - Lame!
- Romney tax return hack also appears to be fake - Doubly lame!
- Is it time to knock infected PCs off the Internet? - Interesting discussion on whether or not service providers should be more proactive in preventing botnet activity.
- Software meant to fight crime is used to spy on dissidents - Another strong argument for Internet privacy if ever I saw one.
- More bitcoins got stolen - I have only two words for this... http://www.youtube.com/watch?v=rX7wtNOkuHo
- Latest Java update contains more security flaws - Again... http://www.youtube.com/watch?v=rX7wtNOkuHo
- Infrared cameras can scan for drunks in public - When this becomes available for sale I'm buying it.
- Bittorrent monitors discover filesharers within 3 hours - Although not directly related to security, I find any insight into the methods of piracy countermeasures to be fascinating.