Episode309

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Episode Media

MP3

Announcements & Shameless Plugs

Security Weekly - Episode 309 for Tuesday November 20th, 2012

  • BSides everywhere baby! Likely there is one near you, so check the web site www.securitybsides.com. Next local BSides is in Boston on February 23rd.
  • Please fill out Intern Mike's survey for which locations and what SANS Mentor-led courses you'd like to see in the Boston-area.

Interview: Josh Shaul

  1. How did you get your start in information security?
  2. What advice do you have for those getting started in information security? Specific advice for those interested in database security?
  3. What are some of the most common problems with database security?
  4. Compared to operating systems, other software and devices, how easy/difficult is it to patch up and fix security problems on the database?
  5. Why do people tend not to pay attention to database security?
  6. What are some other examples of database vulnerabilities, specifically the stupid easy ones to find and fix? What about the more difficult ones?
  7. Are all databases pretty much in the same shape security-wise?
  8. What are some technical things we can do to secure databases? What about the soft-skills?
  9. What are the top 3 things you can do to secure your database?

Stories

Paul's Stories

  1. New 64-bit Linux Rootkit Doing iFrame Injections - So here you are with kernel-level access to a server, and what is your next step as an attacker? Oh, just modify the web pages to embed an iFrame and pwn users visiting pages with drive-by malware. This really speaks to the state of security today. No longer does the server even matter in most cases, it's more important to attackers to go after the desktop, and just use the server as a jumping-off point to do it. Even if you have kernel-level access to a server, the real profits are in the compromised desktop market. Go figure.
  2. Children should be at least 13 years old to use Internet: Poll - Two things: You should not shield children from using technology, that in itself is a crime. Second, the only way to keep children safe is to educate them, implement controls, and monitor. Third, okay so three things, whatever you put in place to restrict will be bypassed.
  3. Researchers warn of 'Cool' exploit platform - IT News from V3.co.uk - I thought this story was cool...
  4. Malware Made Which Can Share A Smartcard Over The Internet - I mean, why wouldn't you want your smart card on the Internet? The Internet is for sharing, and sharing is caring. Oh and the Internet is for porn.
  5. Facebook to roll out HTTPS by default to all users - So yeah, did you guys hear? There is this thing called SSL, and it can make the Internet more secure! No more viruses, no more phishing, no more SPAM, no more keystroke loggers, we have SSL! The best part is that now Facebook is using it, so we can all be secure when we are sharing pictures of our drunken escapades, videos of babies farting, sleeping dogs, and your cat chasing a laser. More importantly we can securely share our personal information...
  6. Hackers break into FreeBSD with stolen SSH key - Remember what I said about the client being the critical link in security? Yeah, so the way you hack an entire BSD operating system distribution is to pwn one of the developers.
  7. The convergence of biological and computer viruses - Okay, not what I thought either. Examples are RFID, some crazy bastard implanted himself with an RFID chip. Then showed you can infect a computer with a virus from the chip, and vice versa. Not sure exactly how you get a virus on your RFID chip, requires more research...
  8. HoneyDrive – Honeypots In A Box - While not everyone should jump on honeypot deployments, it can be useful for many. Important points: Honeypot should be deployed in dark IP space (we have plenty of dark IPv6 space, but it's not-so-useful), keep it far away from production systems (even virtualization), monitor it closely, send the logs to a SIEM.
  9. Hardcoded Passwords Leave Telstra Routers Wide Open - The firmware upgrade was the only means of removing the unchangeable default logins introduced by Netcomm into the BigPond Elite Wireless BroadBand Network Gateway line. When will vendors learn not to do this? -- Allison edit: I think the firmware download page might be here: http://go.bigpond.com/help/technical_support/
  10. Obama signs secret directive to help thwart cyberattacks - The Washington Post - Secret, yet I'm reading about it. I guess the contents are secret. What does this mean? We have no idea, hopefully it means we get to hack our enemies, but I thought we were already doing that.
  11. Technical Support - Welcome to Huawei.com - And speaking of router flaws, I love it when an SNMP query returns login credentials!
  12. ircmaxell's blog: Anatomy of an Attack: How I Hacked StackOverflow - The "How I hacked" posts are awesome, a must read.
  13. VMInjector - DLL Injection tool to unlock guest VMs | SECFORCE :: Blog - Nice tool for gaining access to hosts, and more importantly unlocking them. Sure, you can access a host and gain access to a guest, but you still may need to unlock it.
  14. Owning Computers Without Shell Access | Accuvant - Again, the powerful features of a framework are the payloads, like these for gaining shell access...
  15. Rebootuser – VulnVoIP (Vulnerable VoIP) – The Fundamentals of VoIP Hacking - A vulnerable-on-purpose VoIP distribution.

Larry's stories

Jack's FutureHistory

  1. Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data - Air quotes around "hack" in this case, it was incrementing numbers in URLs.
  2. Sure, I'll be your Unicorn - says Wendy Nather, who has an interesting post on her Idoneous Security Blog discussing the scarcity of women in InfoSec.
  3. Children should be at least 13 years old to use Internet - at least according to a poll conducted by the University of Michigan. Seen and not heard, or surfed?
  4. Senate bill rewrite lets feds read your e-mail without warrants - A bill which was supposed to improve privacy protections has been bastardized to do the opposite. Yay political spinelessness.
  5. Privacy? What Privacy? - Girl expelled from school for refusing to wear tracking chip.

Allison's stuff

  1. If Movie Hackers Were More Like Real IT Guys - This video made me laugh. Reminds me of when people ask me to hack unrealistic things.
  2. McAfee founder says he's not a murderer, flees police - Did you check out his blog? http://www.whoismcafee.com/ You can judge for yourself.
  3. Malware uses Google Docs to communicate with C2 server - I don't see this as being very long lived. Google is going to take notice of this and do something about it.
  4. Anonymous targets Israeli websites over Gaza war - Maybe they can also hack their guns... and shoot them with their hacked guns...