Episode 312

From Paul's Security Weekly

SANS Las Vegas (October 26-27th) will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which teaches students how to assess embedded systems of all varieties on penetration tests and in their duties as security professionals.


Episode Media

MP3

Announcements & Shameless Plugs

Security Weekly - Episode 312 for Thursday December 13th, 2012

  • Ed Skoudis Has A Christmas Special - Welcome our latest official sponsor, The SANS Institute! Christmas is special, Ed is special, so of course an Ed Christmas special is going to be, well, special! You will be hearing a lot more about some of the different programs and curricula at SANS over the course of next year.
  • Insert Big Announcement Here
  • The Stogie Geeks Show! - For cigar enthusiasts, by cigar enthusiasts. Our top ten new cigars for 2012 will be revealed tonight!
  • Please subscribe to the Security Weekly Insider Newsletter for all things Security Weekly, discounts on training, and updates on cool stuff we're doing (like looking for people to help, take people under our wings and teach them security, etc...)
  • We are in the process of archiving and cataloging our technical segments, please visit the Security Weekly Technical Library. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
  • BSides everywhere, baby! Likely there is one near you, so check the web site www.securitybsides.com. The next local BSides is in Boston and has been moved to May.

Paul's Stories

  1. WOW! Paypal Sends Me 5000$ For A Command Execution Vulnerability | Learn How To Hack - Ethical Hacking and security tips - Pretty neat how you get offered a job if you can find bugs in someone's application. This is a slippery slope: some may get a job, others may get an orange jumpsuit and a cellmate named "Bubba", but hey, if it's worth the risk to you, go for it. This person is still in college, which is impressive. Less than impressive is just how many flaws are in Paypal. You would think that someone like Paypal would pay close attention to security, but it seems they do not. This makes me want to give up on security entirely, until I remember that I get paid to find vulnerabilities...
  2. No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk (Deal With It) - "The danger here is that some of the proposed activities are illegal and may result in significant criminal penalties and civil liabilities for the companies and personnel who engage in them." - Uhm, that's the thing, we never advocate you do anything illegal, ever. "They could also result in reputational damage, loss of stock value to shareholders, retaliatory actions, and diplomatic crises." - So, if you are implementing "active defense" and doing things that will hurt the reputation of your organization, you are doing it wrong. There is always a chance that an attacker will retaliate, which is why you must have a solid foundation for security before you implement offensive countermeasures. A diplomatic crisis? Really? Clearly you are not CEO of some cyber company, but a screenwriter of pure fiction. So maybe you should do a little research before you write an article? As for legality, maybe you should do some more homework and bring up some actual case law; cases exist to support "hacking back", especially when collaborating with law enforcement. The case of the man in Texas who shot people robbing his neighbor's house is exactly the type of case we talk about, as an example of what not to do. People who get caught up in the "hacking back" notion are acting out of frustration, anger, or really any emotion. Listen folks, it's not about feelings. It's about catching the bad guys. Mr. Horn, who chased after two people robbing his neighbor's house and shot and killed them, was acting on emotion. I personally do not believe someone who steals should die as a punishment. That just doesn't make sense to me. Mr. Horn could have easily taken out a camera and collected enough evidence, hiding in the bushes, maybe even stalled them with some kind of distraction, rather than shoot and kill.
  Now, if the robbers were armed and came into his home shouting they were going to kill him, that's a different story. Don't underestimate law enforcement. I've found usernames and passwords to drop boxes used by "cyber criminals" (drink). You know what I did? I turned them over to law enforcement. Did I test them to see if they were valid? Sure. Did I go to jail for that? No. Because I exercised good common sense and didn't just run out of my cubicle with a shotgun.
  3. Lock maker starts to pay for hackable lock fixes - It only took national news coverage to get them to do the right thing: Onity had originally planned to generally offer to fit a mechanical cap over the access port or to ask customers to pay for a "firmware upgrade" where the board in the lock would be replaced. This plan was apparently removed from its site in the following weeks. Now, it appears the company has moved to a more heavily subsidised approach to resolving the problem. Really, a plastic cover? WTF? You make locks, bitches; man up and actually implement some S-E-C-U-R-I-T-Y. That is what the locks are intended to provide, right? Good to see them trying to do the right thing, rather than trying to make money off their own mistake!
  4. Botnet hidden in the Tor network - Uhm, why is this news, haven't botnets always used Tor for all kinds of stuff? Weird.
  5. My 5 Top Ways to Escalate Privileges - Nice article and a handy one for penetration testers.
  6. Offensive security for dummies - Again, another argument from our good friend Martin McKeay, which has no basis in reality: But feasible doesn’t mean right, either in the eyes of the law or morally. If you’re seriously considering retaliatory security, do us all a favor and go review your firewall configuration and logs instead. I can guarantee you’ll find flaws in the configuration that your time would be better spent fixing. First, again, you're not a lawyer; maybe you should talk to one or go read some case law instead of just coming out with a blanket statement about what you believe to be legal and illegal. Second, we're not talking about emotion-based retaliatory strikes, which will always end badly. We're talking about attribution, annoyance, setting traps, and actively collecting information about attackers. And you should not implement these unless you have a good handle on security basics. Third, if your firewall is not at the top of the list of things to spruce up to increase security, try applying some patches and implementing a security configuration across all your systems and devices, then worry about your firewall.
  7. Top Mobile Vulnerabilities And Exploits Of 2012 - Really cool attacks described here, well done a must read.
  8. Samsung's Smart TVs Wide Open To Exploits - I really think this is going to become more common. As more people use their TVs for other stuff, it will replace a lot of the devices we use to watch TV (like Boxee, Roku and Apple TV). Attackers very well could target these systems. The attacks here are cool, but remember, an attacker will not likely care to mess with your TV unless they can see it.
  9. Hacking bazaar ExploitHub gets hacked - Supposedly nothing was taken, just a list of exploits, not the exploits themselves. Now, if ExploitHub were to have all of their exploits leaked, that would mean the end of their business. So, they really need to be paranoid about security, their business is at stake. And, they should therefore implement offensive countermeasures :)

Allison's Stories

  1. You and Your Research - This is a quality 47-minute talk. The essence of it: everyone who has accomplished cool things has put in a lot of time doing research on the front end. If you want to accomplish cool things, focus on your work.
  2. Police-themed ransomware speaks to victims - Apparently some ransomware is using intimidating audio files to scare victims into paying. I tried to find the audio file, but since this is new malware, I think I'll have to look for samples over the next few days.
  3. Ransom hackers encrypt entire medical database - Ransomware might be the new big scam, when it can have such disastrous consequences and most businesses don't back up their data. I'm going to predict it now: ransomware is the next big thing for 2013.
  4. Project Blitzkrieg - Probably the most brazen carding operation to date, if they follow through with it. If you're interested in carders, this story is worth following.