Episode 321

From Paul's Security Weekly

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3

Announcements & Shameless Plugs

Security Weekly - Episode 321 for Thursday February 21st, 2013

  • Come to the Security BSides Rhode Island One-Day Conference on June 15th; tickets are NOW ON SALE at WePay.com. Featured presentations from Josh Wright, Kevin Finisterre, Kati Rodzon and Mike Murray, Bruce Potter, Joe McCray, Ron Gula, Ben Jackson, Dave Maynor and the entire Security Weekly crew!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 8:30PM EST. Come have a cigar with us!

Interview: Adrian "IronGeek" Crenshaw

Adrian Crenshaw has worked in the IT industry for the last fifteen years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for a while but stopped once he had to start paying for the tests himself. He's currently working on a Master's in Security Informatics, and is also one of the co-founders of DerbyCon.

  1. How did you get your start in Information Security?
  2. How do you go about preparing to record Cons? How do you get all that equipment past airport security?
  3. Tell us about the genesis for Irongeek.com
  4. Which Con are you still waiting for an invite to record? :)
  5. What still surprises you about InfoSec?
  6. What led to the idea of DerbyCon?
  7. What's your favorite piece of hardware?
  8. Who gives more awkward hugs - Jayson Street or Dave Kennedy?

Five Questions:

  1. If you were a serial killer, what would be your weapon of choice?
  2. Three words to describe yourself?
  3. If you had to write a book about yourself, what would it be?
  4. Stranded on a deserted island, which tablet would you take with you if you could only choose one: iPad, Android or Surface?
  5. In the popular game of ass grabby-grabby would you prefer to go first or second?

Announcement

  • We are in the process of archiving and cataloging our technical segments. Please visit the Security Weekly Technical Library, where we have indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter, or if you want to help in exchange for some free guidance and security training, please email me.

Tech Segment: Building a Security Lab On The Cheap

Having a home lab is really key in our field. There always seem to be projects you want to work on that require a specific OS or software, and whether you are pen testing or doing security research, you need hardware at home. I grew tired of using laptops, and especially my own laptop. Having some low-cost servers opens up the possibilities. I have two Nokia IP440s that I just keep replacing the hardware in; you can buy them for $150:

http://www.ebay.com/itm/Nokia-IP440-Firewall-w-1-Year-Warranty-Fully-Tested-/170859016335

You can probably score them for free if you look hard enough. I've had mine for years and always swapped out the parts. You can also get a rack for cheap or free if you look hard enough. I put mine in my boiler room, and I also use a dehumidifier to keep down the moisture. It's not for everyone, and a cloud provider is nice, but the hardware itself you can find for free, and the hardware I bought has come so far down in price that it just makes sense to have your own lab. Here's what I got for hardware:

System 1:

  • 13-131-872R MB ASUS|M5A97 LE R2.0 970 AM3+ R $67.99
  • 17-822-005 PSU DIABLOTEK| 350W PHD350 RT $19.99
  • 19-103-996 CPU AMD|4-CORE FX-4100 3.6G 8M R $104.99
  • 20-148-662 MEM 2X4G|CRUCAL BLS2K4G3D1609ES2LX0 $43.99
  • 22-236-155 HDD 500G|WD WD5000AZRX 64M SATA6G % $54.99

I upgraded the RAM on the above system, and I'm thinking of going all the way to 32GB. It was $80 per 8GB stick at Best Buy off the shelf. I installed Debian, but it booted to a flashing cursor. I think it had to do with the video card, which I also had to buy at Best Buy because the system did not come with one and I wanted to get it running. Bonus though: you can get CUDA cards and use the box for password cracking. I went AMD, and the install was pretty easy. Turns out Debian did not like the video card, but Ubuntu Server works well. I plan to run A LOT of VMs on this system with VMware Workstation. I also plan to get QEMU going on it to test firmware.

System 2:

  • 2 x ($79.99) Seagate Barracuda ST1000DM003 1TB 7200 RPM 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive - Bare Drive - OEM $159.98
  • 1 x ($139.99) ASUS F2A85-V PRO FM2 AMD A85X (Hudson D4) HDMI SATA 6Gb/s USB 3.0 ATX AMD Motherboard $139.99
  • 1 x ($128.99) AMD A10-5700 Trinity 3.4GHz (4.0GHz Turbo) Socket FM2 65W Quad-Core Desktop APU (CPU + GPU) with DirectX 11 Graphic AMD Radeon HD 7660D AD5700OKHJBOX $128.99
  • 1 x ($39.99) LG Black 10X BD-ROM 16X DVD-ROM 48X CD-ROM SATA Internal 12X Blu-ray Combo Drive Model UH12NS29 - OEM $39.99
  • 1 x ($23.99) Diablotek PHD Series PHD350 350W ATX12V V2.2 Power Supply $23.99
  • 1 x ($11.99) COOLER MASTER R4-L2S-122B-GP 120mm 4 Blue LED Case Fan 2 in 1 pack $11.99
  • 1 x ($3.99) APEVIA Model CVTPWSW 25" Power switch cable for computer cases that connects to the motherboard

This system I plan to use for media, so not much to do with security here! Hence the Blu-ray drive. Graphics are built into this board, and it's pretty low power. I had to buy a power switch too, as the one that comes in the case does not work with all motherboards (the lights and switch are together).

You don't have to use all the hardware I have above; stuff goes on sale all the time, and you can build it up slowly. With hardware so cheap and the ability to constantly swap out parts, you will have fun maintaining your own lab!

Guest Tech Segment: Windows RT vs. Android vs. iOS Forensics with Joey Peloquin

Joey is currently the VP of product development at a mobile security startup. He most recently served as an architect on F5 Networks' global Security Architects team, where he focused on client and mobile security, application security, and authentication and access technologies. Prior to F5 he launched FishNet Security's mobile security practice.

  1. Tell us about some of your findings with the latest versions of Android's OS
  2. How easy is it to reconstruct someone's contacts and SMS messages with Android?
  3. How does iOS compare to Android?
  4. What have you found with respect to Windows RT?
  5. What tools do you recommend for Forensicating each OS?
  6. Which OS do you recommend for consumers? For Tech Savvy? For the Paranoid?
  7. Have you tried Forensics on some of the Mobile Security Apps like silentcircle.com's apps or Moxie's RedPhone?

Stories

Paul's Stories

  1. More Wi-Fi devices with security holes - "In all cases, Messner had reported the flaws to the affected vendors many weeks ago; however, he says he has either received no response at all (TP-Link) or that manufacturers don't intend to provide updates (Edimax, Raidsonic) or have released updates without providing any details about what has been fixed (Netgear)." This is just bad all around. First, some vendors didn't even respond. Shows you where they put security on their priority list, and makes me wonder just how many more vulnerabilities we could find. I don't even know what's worse, not responding, or responding and saying you are not going to fix the vulnerability! Shameful. The final kicker is the vendors that silently fix stuff. They all hate security in their own way and it's frustrating. There are people in the community that want to help embedded security. The vendors don't want to hear it. I have not let go of this problem.
  2. Attribution Delivers Questionable Security Value - I don't agree: "At the end of the day, so what? The Chinese did it," he says. "Someone has exfiltrated data for 4 months, and you know who it is. How does that help you? It's only academically interesting that you can attribute the attacks to China." It's not just about knowing where the attack came from, it's about knowing a little bit about your attacker. Knowing they are associated with a specific group or from a certain country is just one small piece. What you have to be after is a full profile: know who they are, what motivates them, how they do recon, how they gain a foothold, what their end game or motives are. This stuff helps you prioritize both short and long term security measures. "We got hacked by the Chinese" may help your PR, but knowing the details helps you evolve your security strategy. It may not always be about you; knowing how others are attacked is helpful, and that's why the Mandiant report is useful.
  3. VMware promises better security - The answer to me is clear. I want full details on the vulnerability so I can make intelligent decisions about patching and protection. I want patches to come out once the vendor has fully tested them. With those two pieces I can develop my own patching strategy. Without them, I'm left in the dark to analyze risk and someone else is defining how I defend my network. It's ridiculous that we have patching cycles and keep information from stakeholders.
  4. Rid yourself of Adobe: New Firefox 19.0 gets JAVASCRIPT PDF viewer - This comes down to who you trust. Do you trust the browser or do you trust Adobe? As I let the laughter settle, I think it's scary either way. I do want to see more security put into the browser, but that shifts the trust pendulum to the developers of the browser. And let's be honest, there is A LOT going on inside the browser, but then, can we groom browser developers to write more secure code than Adobe or Oracle?
  5. Twitter's Response To The Burger King Hacking: Do A Better Job At Protecting Your Password - I have to say, I'm siding with Twitter on this one. Use a good, or even great, password.
  6. Frosty attack on Android encryption - Pretty "cool" attack. Yes, I added this story just to make that corny joke.

Larry's Stories

  1. Finally, the Cloud - [Larry] - That is, BackTrack 5 in the cloud at Amazon EC2! I've been meaning to do this for a while, but creating your own instances requires VMware and an API key and some configuration. That's a lot of work. But Jeff Jarmoc has done all the work for us, and provides us some public AMI instances. Now I know of Jeff and that he's a stand-up guy, so I would have no issue using his image. However, I'd generally frown upon public images, as they may come as "Certified Pre-Pwned".
  2. DRINK! - [Larry] - Let's just get that part out of the way… because we are going to say APT a lot. Aside from the scathing contents of the report, I really have to hand it to Mandiant for having the big brass ones to call out what many of us have been saying for years WITH PROOF. Oh, and providing said proof. One other thing to note is that I've heard rumors that there are folks using the PDF report to deliver malware and payloads via e-mail, some even spoofing Richard Bejtlich as the sender…
  3. Zombies! - [Larry] - I saw this on last week's show but I wanted to do a quick bit of follow-up because zombies. So, more comes out about the alleged EAS device in question by reversing the firmware for hard-coded passwords that the apparent end user never changed. Also, several vulnerabilities in this device were reported to the manufacturer only a few weeks before this instance. I'd love to find some via Shodan. Now to find a fingerprint…
  4. Bad Advice abounds - [Larry] - Nothing like bad advice such as "Rid yourself of Adobe: New Firefox 19.0 gets JAVASCRIPT PDF viewer" (that is the article title). No, nothing could go wrong here! Dump Adobe because of vulns, and dump the other PDF viewers because of vulns, to use another PDF viewer instead THAT IS WRITTEN IN JAVASCRIPT. Oh, right, because no one will find a way to break that, or to break out of the "sandbox". Now we just have a target that is active and in use on the internet. All I can say is, Charlie Miller, start our engine.
  5. Let 'er rip! Who knew? - [Larry] - ...that I've just been thinking of my health all along.

Jack's Stories

Allison's Stuff

Patrick's Stories