From Paul's Security Weekly
Announcements & Shameless Plugs
Security Weekly - Episode 305 for Thursday October 18th, 2012
- Be sure to check out The Stogie Geeks Show! For cigar enthusiasts, by cigar enthusiasts.
Interview: Dan Kuykendall
Dan manages NT OBJECTives' software development, has an extensive background in web application development and security, and is co-host of the "An Information Security Place" podcast.
- How did you get your start in information security?
- We are seeing the proliferation of apps using JSON, AJAX, REST, etc. These apps have vulnerabilities that aren't being tested by scanners, and people don't know how to test them, yet there are serious vulnerabilities there.
- What about HTML5, what are the new vulnerabilities and protections? How can we test them?
- What are the challenges, and solutions, for an automated scanner to overcome authentication?
- How do you handle technologies such as Flash?
- Which seems to have more vulnerabilities, in-house written apps, open-source or commercial? Or are they all even? What advice do you have for folks looking to acquire an application to solve a business problem?
- Scanners traditionally have trouble with certain vulnerabilities, which ones are the most problematic?
- Are people testing them by hand? If so, what can you do to be the most efficient?
- Scanners haven't really kept up with the application technology and the coverage gap is widening. Scanners need more application coverage. They will never cover all of the app, but they should cover more. What are your thoughts on that as pen testers? How do you balance manual and automated testing?
- Which vulnerability, with respect to web applications, goes unnoticed and unpatched the most?
- What training options are available for application developers?
- What advice do you have for folks who want to get started and learn how to test web applications for security?
- NEW Register for Offensive Countermeasures: Defensive Tactics That Actually Work being offered at SANS CDI.
- Incident Response in 3.08 MB - Always nice to see folks, like our good friend and Stogie Geeks co-host Tim Mugherini, writing about tools that work. This product just sounds useful: The idea behind Carbon Black (CB) is to monitor code execution. A small Windows agent is deployed to each host throughout the enterprise. This agent hashes each process and monitors the sub-processes, module loads, registry edits, file writes, and network connections. Digital signatures and the activity of each binary are stored on the CB server.
- National Weather Service Hacked - In other news, snow storms are reported in Miami, earthquakes in the Midwest, and it's been raining in San Diego for 3 weeks straight, but sunny and 75 in Seattle. CSRF and XSS strike again!
- The Importance of Security Awareness - User awareness is still kicking around, and everyone seems to have a different take. One thing we all agree on is that it leaves gaps, which is why you need other stuff to protect your organization. After exploring this topic, I am of the opinion that you need an awareness program. There are several companies providing this type of service, go seek them out, get a solution to educate your users that fits you, and your budget/ROI, and run with it. I firmly believe this is something everyone needs to have, just like a firewall or IDS (as lame as that sounds). Know how much return each defensive measure provides and use it accordingly.
- Zero-day attacks last much longer than most would believe - This speaks to the huge problem we have with software security. On average, it takes 10 months to uncover a 0day vulnerability. Yikes, 10 months is a long time and a lot of damage will occur.
- Pacemaker hacker says worm could possibly 'commit mass murder' | Computerworld Blogs - Barnaby Jack strikes again, in what could be a huge problem. This is something that has always bothered me: what happens when criminals take advantage of technology to damage people? Sure, many evil hacking groups launch DoS attacks and break into places like Sony. That's the least of our worries; when attacks can affect people's health and well-being on a mass scale, it's a game changer. We've seen some car hacking stuff, but pacemakers hit the "heart" of the matter. The response seems to be as diluted as it always has been, lots of finger pointing and disbelief.
- Infographic: Top password mistakes - Computerworld - There has to be an infographic that shows why infographics suck and are horrible. This one has some interesting facts, but basically outlines the same password problems. For your organization, look at two-factor authentication. I believe we are seeing the cost to implement and maintain such a system go down dramatically, meaning a much higher ROSI (Return on Security Investment). It's a lot more user friendly and effective than ever.
- Don't secure the internet - Perhaps the most interesting article I've read in quite some time (and I read A LOT of articles). Diffie talks about how a completely secure Internet wouldn't be useful, and the most compelling statement is how attackers make way less than we do using the Internet. This is a MUST READ. He also says not to write your own "Secure" code, that never works. And hints towards a trusted model for computing.
- Web app design at the core of coding weaknesses - Well, duh. Unsure what to think about the vague HTML5 comments in this article: "It's absolutely not a liability. If a hacker can break in with cross-site scripting (XSS), HTML5 is pretty cool because you can make a really cool exploit kit….the payloads can be a lot cooler and a lot stronger," Shema acknowledged. "But HTML5 has a lot going for it with security measures." So, we can exploit it better, but it has protections? Weird. There still exists little economic incentive to write really secure web apps; it's not a driving economic factor for most. Until then, exploits will happen. I hear all the time how web apps that should be secure, like online banking and financial apps, have huge gaping web app holes.
- Public Wi-Fi hotspots pose real threat to enterprises - I could have told you that 5 years ago, or more; in fact, we did. The only thing that has saved us in regards to wireless security is that the attacker still has to be in range and remains largely opportunistic.
- Computer Viruses are Rampant on Medical Devices - Hospitals are getting hit constantly with conventional malware, and old software versions turn their networks into Swiss cheese. This is a problem!
- Could hackers change our Election Results? - Why not? Who says it hasn't happened already?
- More about the Huawei trainwreck - Huawei is an easy target as a foreign company, but hopefully, once the dust settles, the same security standards will be applied to domestic companies making buggy software.
- How real is the Threat of C****war? - Can we please have some sane voices enter the conversation? There are threats out there, but the language they use right now only serves to scare people.
- Activists Targeted by Corporate Made Malware - If you're one of those writing attack tools, I'm not going to tell you to stop, but I'm going to say please be aware of how it could be used.
- US Gov websites abused in ongoing spam campaign - Even .gov links are not always trustworthy!
- High Bandwidth DDOS are now Common - Too bad.