Episode338

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3

Announcements

PaulDotCom Security Weekly - Episode 338 for Thursday July 11th, 2013

  • We have a special webcast on SAP Security with our good friends from Onapsis at 2pm ET Wednesday July 24th - see our Webcast page for the registration link. Also coming up at 2pm ET on Thursday August 22nd we have a special webcast with Symantec titled "Fighting Malware: Taking Back The Endpoint". We are looking for sponsors for our September webcast. Contact mike -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Interview: Onapsis

Selena Proctor, Alex Horan and Mariano Nunez join us from Onapsis.

Five Questions:

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. In a game of ass grabby-grabby do you prefer to go first or second?
  4. If you wrote a book about yourself, what would the title be?
  5. Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?

Tech Segment: Schuyler Towne and the Xlock project

X-locks

About & Why

I'm on a mission to recover as much information as possible about the lock-related patents that were lost to the patent office fire of 1836. My primary interest is in the history and the story of the creators of the lost locks, but my goal is to conduct all of the research in public, using Zotero, so everyone can follow along and those particularly inclined can even participate. That rough research will remain available indefinitely, but I will go on to curate and organize the work for publication on the website. Depending on what we recover we could potentially restore entire patents to the patent record, or 3D print working locks based on their drawings. We could solve a mystery, or rewrite history.

How

Specifically, I'm using Zotero to do a rough sorting of the research and bring any collaborators into the same working environment. I assign fellow researchers a specific name or patent to research. We also have 2 transcribers working on the project at the moment who are dutifully transcribing myriad hand-written documents. I'm using a number of publicly available databases in my research, but we also have a couple people with more impressive academic/institutional resources who are providing access to some private databases as well.

References

You can get the background on the patent office fire just by googling, but right now the only good resource for the project is at http://x.lock.gd


Links referenced in the segment:

Link to one of my talks where I cover much of the history: http://www.youtube.com/watch?v=jqjacHSTd48&feature=c4-overview&list=UUBDpLXSbLHkPVocZgMuBTMw

Link to the book I mentioned "The Amateur Cracksman" which was recommended to me by Legion303: http://books.google.com/ebooks/app#reader/dQ81AAAAMAAJ

Talk from RVASec that covers in great depth the great lock controversy of 1851, they just released it this morning: https://www.youtube.com/watch?feature=player_embedded&v=kTQWPrl_Tao

Plugs

Easiest way to be in touch with me is Twitter: @Shoebox, and if ever your school, company, whatever, wants to hear about the history and anthropology of security, hit me up! You can find a collection of previous talks at lock.gd/o

Stories

Paul's Stories

  1. The Five Most Common Security Pitfalls In Software Development - I am growing tired of such articles, the first thing it says is "check your inputs". Well duh, if developers don't know that by now, we're in trouble. Seems like they want you to register to get the rest of the article. I can save you the trouble: 2) Get training 3) Plan for security early 4) Test for security in dev and QA 5) Use secure libraries. This is all well documented stuff, the real challenge is getting software companies as a whole to put an effort into security. Like Microsoft.
  2. Feds asked to sit out Defcon hacking conference this year - Well, I mean, with everything going on, can you blame them? You, evil Government, spy on us, put hackers in jail for silly things, attack us with drones, audit folks for political beliefs, and so on. So, ya know what, this year at Defcon, you can stay home. Okay, that's really exaggerated, but likely how it played out as more of an anti-establishment type move in protest of some of the things that are happening. I think it's pretty unfair if you are an honest person working for a 3-letter Government agency and want to attend Defcon.
  3. HP admits to backdoors in storage products - I recently wrote an article about Nessus support for NetApp. I also just did a podcast with Brian Honan. Funny thing, I come to the conclusion that many are hard pressed to apply security (patching and hardening) to their own critical infrastructure. Which could have backdoors. Which, if you are running the HP storage devices mentioned here, does have backdoors.
  4. D-Link routers multiple security vulnerabilities - Yep, that would be a screenshot of a Metasploit module which can gain remote shell on just about every popular D-Link router on the market. Looks like fun! Maybe someone should create a proof-of-concept worm to show just how vulnerable these devices are. Oh wait..
  5. A Bad Talk Ain’t The End of the World - Neat article from Bill Brenner, moral of the story: Know your audience.
  6. Web Shells Collection Page Updated - Great resource, and recently updated. Every pen tester should have this bookmarked.
  7. 4 Things You Should Know Before Your Team Writes Another Line of Code - A much better article, comes down to: Not taking on too much (boiling the ocean), management buy-in, regulations and knowing where the data lives.
  8. Asleep at the Wheel
  9. Open Security Research: Potential attack vectors against Z-Wave®
  10. Microsoft gives Windows app developers 180 days to patch -- or else
  11. US gov SMASHES UP TVs and MICE to nuke tiny malware outbreak

Larry’s Stories

  1. Dear god, your US tax dollars hard at work - [Larry] - Gov't agency Economic Development Administration (EDA) gets notified of a possible virus on systems, consultant comes in and finds one or two run of the mill things. What does the agency do? Cuts off all internet access and destroys a bunch of gear: "EDA's CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice. The destruction only stopped—sparing $3 million of equipment—because the agency had run out of money to pay for destroying the hardware."

"The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development of a long-term response. Full recovery took close to a year."

W. T. F.

  1. DEF CON to feds: We need a break - [Larry] - Jeff Moss, founder of DEF CON, asked the feds not to come this year. Why? With all of the recent hullabaloo about the NSA, tensions are high. I think that the message was short-sighted, but might be in the best interest of the feds in order not to risk safety…
  2. Android flaws in signatures - [Larry] - The article doesn't go into a lot of detail, but it appears possible that a "rogue" update can be added to an already installed app without breaking the signature used to create the original app sandbox. That said, if one could do that attack against an app signed by the system key (i.e. a key from a system app), that could now grant access to the entire system.
  3. Oh, HP.. - [Larry] - More with the backdoor accounts in firmware, with bad passwords at that. HP says that it does not give access to the data on the storage device….but it does give access to the certificate stores as well as a "reset to factory defaults" option. Ooops.
  4. Florida bans computers and smartphones - [Larry] - This is why folks that don't understand technology should not write legislation about technology. Let's talk about the failure in wording: "any machine or device or system or network of devices that can be used in games of chance". Can be used. Not are used. Just because you can, doesn't mean you will, but the law doesn't take that into account. Although, it will be really hard now for said legislators to revise this bill without the aid of computers. Or collect taxes. Or register vehicles. Or use computers in patrol cars.
  5. Cisco/Linksys XSS and More Cisco/Linksys XSS - [Larry] - YAY! XSS in home routers! Paul, is this a dead horse yet? Oh, yes, we DO need to keep beating it. Thought so.

Jack’s Stories

Paul and Larry already covered all the stories I was going to list this week. So I'll just promote @HackerRoad, a cross-country road trip to and from BSides Las Vegas and DEF CON. Stay tuned for stupidity from the road.

  1. Russia rolling out new security technology: typewriters.

Allison's Stories

Patrick's Stories