Episode339

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Episode Media

MP3 pt1

MP3 pt2

Announcements

Security Weekly - Episode 339 for Thursday July 18th, 2013

  • We have a special webcast on SAP Security with our good friends from Onapsis at 2pm ET Wednesday July 24th - see our Webcast page for the registration link. Also coming up at 2pm ET on Thursday August 22nd we have a special webcast with Symantec titled "Fighting Malware: Taking Back The Endpoint". We are looking for sponsors for our September webcast. Contact mike -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Sunday nights at 8:30PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Interview: Troy Hunt

TroyHunt.jpg

Troy is a Software architect and Microsoft MVP, you'll usually find him writing about security concepts and process improvement in software delivery on his blog. He also has a free e-book out "OWASP Top 10 for .NET developers"


Interview Questions:

  1. How did you get your start as a developer and then security?
  2. What advice do you have for those getting started in software/security?
  3. What are some techniques for knowing we are secure? Its one thing to say, "I haven't been hacked" but another to realize you likely have…
  4. What can we do as security professionals to relate to developers?
  5. Should developers hack themselves and try to break their own code? Should QA do more security? Both?
  6. What is most often mis-understoof with repeats to input sanitization?
  7. How should you train your developers to write secure code? Do developers have to want to write secure code in the first place?
  8. What can we learn from Microsoft's model of software security?
  9. What is the number one thing you tell Microsoft developers they can do better when it comes to security?
  10. What are some of the most easy software features to secure? The most difficult?


Five Questions:

  • Three words to describe yourself
  • If you were a serial killer, what would be our weapon of choice?
  • In a game of ass grabby-grabby do you prefer to go first or second?
  • If you wrote a book about yourself, what would the title be?
  • Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?

Tech Segment: OWASP Top 10 – 2013 by Dave Wichers

Dave Wichers Headshot.jpg

OWASP

The Open Web Application Security Project (OWASP) www.owasp.org is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. OWASP is one of, if not the largest open source IT security community in the world today, with over 30,000 active participants, organized into 3 primary ways of participating:

The OWASP Top 10

The OWASP Top Ten is an awareness document for web application security, representing broad consensus about the most critical web application security risks as determined by the OWASP community. The OWASP Top 10 is one of the earliest and longest running OWASP projects, first published in 2003, and updates have been produced in 2004, 2007, 2010, and now 2013. The 2007 and 2010 versions were translated into English, French, Spanish, Japanese, Korean and Turkish and other languages. Translation efforts for the 2013 version are underway and will be posted as they become available. Jeff Williams came up with the idea of developing a Top 10 at OWASP and has worked on it with its coauthor and current project lead, Dave Wichers since its inception.

This OWASP project is hosted at: Top10

The OWASP Top 10 - 2013

Various versions of the OWASP Top 10 – 2013 are available here:

OWASP Top 10 2013 document (PDF). (22 pages)

OWASP Top 10 2013 - Wiki. (Wiki version of the above PDF)

OWASP Top 10 2013 - French (PDF).


The OWASP Top 10 for 2013 is as follows:

A1 Injection

A2 Broken Authentication and Session Management

A3 Cross-Site Scripting (XSS)

A4 Insecure Direct Object References

A5 Security Misconfiguration

A6 Sensitive Data Exposure

A7 Missing Function Level Access Control

A8 Cross-Site Request Forgery (CSRF)

A9 Using Components with Known Vulnerabilities

A10 Unvalidated Redirects and Forwards

Each of the above links to an OWASP wiki page that describes for each Risk:

  • High Level Risk Analysis
  • Am I Vulnerable To this Risk?
  • How Do I Prevent this type of Vulnerability?
  • Example Attack Scenarios
  • References for more details
  • The primary change to the OWASP Top 10 for 2013 is the addition of A9 – Using Components with Known Vulnerabilities.

Please Spread the Word

If you are a web designer or developer, and you aren’t extremely familiar with each of these risks, please review the OWASP Top 10 so you can learn how important these are and the best techniques for how to avoid them. Please spread the word within your organization, and the communities you are involved with to help make sure every developer is aware of these common risks, and how to avoid them as they develop and update the web applications they are responsible for. What’s really sad is that the OWASP Top 10 really hasn’t changed that much since it was first written in 2003. So, ten years later, we are basically struggling with the same risks, which means we aren’t making much progress.

Announcement

Stories

Paul's Stories

  1. How Easily Can a Moving Car Be Hacked? | Motherboard - Heh, this has me thinking of Daemon, cars that kill people! Now there are researchers working on testing if this is a reality.
  2. Why help desk employees are a social engineer's favorite target - I think this is pretty simple, the help desk is there to help you. Therefore, its the first target, because if its your job to help me, then I need you to give me my username and password, because that helps. This does help you focus your security training, make sure the help desk gets the most training, they are the most targeted andthe most susceptible. They also have access to all of the accounts...
  3. Researchers To Highlight Weaknesses In Secure Mobile Data Stores - BYOD and mobile is still a hot topic, or is it? Its one of the more interesting challenges, but does it really matter today? Does mobile malware pose a serieous threat to your org? I still think people are stuggling with patching, vuln managment, malware on desktops and system hardening. Mobile and BYOD is something that really hasn't caused you any problems, so securing it now would take away from building the fundementals. Or, maybe, I've just smoked too much crack this week...
  4. Researchers hack Verizon device - I heard Verizon is pulling these off the shelf, sounds like a serious problem. If you thought you were safe by not using Wifi, you are not. If you thought the NSA was the only one listening to your calls, you are wrong.
  5. Most enterprise networks riddled with vulnerable Java installations - And here is my supporting evidence, well, at least some of it. We talk about all of these sexy topics, Wireless, Mobile, BYOD, APT, Cyberwar, etc.. (Drink up!). However, the reality is that two-year-old Java vulnerability still exists in your network, is most accessible through phishing attacks, attackers are well versed in exploiting it, and will bypass Anti-Virus and potentially go undetected in your network. Can we fix this problem first? And another thing, along these lines, if you have one system on your network missing a critical, easy to exploit, vulnerability on your network, is that okay? Many will say "We gave up on patching everything". I say you gave up on security entirely. How many ways can we decribe how just one critical vulnerability can lead to a complete compromise of your entire network, systems and data?
  6. How the Glass hack works - Finally, an awesome use of QR code to pwn stuff, like Google Glass. Also, a terrible implementation of Wifi security.

Larry’s Stories

  1. Google Glass, WiFi and QR codes - [Larry] - I Like it, and I suspect to see more of this. One comment that I saw stated that "You've made the virus from Snow Crash that only infects nerds. Yes, Google glass gets configured with QR codes. If you want to join a wireless network, you scan a QR code. But if that network is malicious…you join a rogue network the can MiTM your traffic.
  2. Network Solutions DDoSed - [Larry] - I heard several things about this attack; that sites hosted at NetSol were compromised, DNS was compromised to redirect sites, and DNS was under DDoS Eitherway, I'm surprised it has taken this ling for a giant to fall. Sorta brings into account about using third parties for DNS and such, but what are the alternatives. I had a conversation with someone that said that this is a bad thing about DNS not being available for the energy industry, IE not being able to manage critical energy devices. I argued that if you can't manage your internal critical devices because the entries are hosted at a server public to the internet, than you have bigger problems with you infrastructure and security then a DNS outage…
  3. DHS Fail - Larry] So, DHS tells fols with clearance not to view a page at an article at the Washington post, as it contains an image that was leaked by Snowden that was Top Secret, and by doing so would violate your NDA, and subject you to legal action by raising the level of your unclassified workstation to classified…but the info WAS classified, now is in the public domain, so is technically not classified any more.
  4. YAY MOBILE APS! - [Larry] - Especially Tumblr. They were posting logins in plaintext (IE http) via their mobile apps. No Firesheep needed, cause they were too lazy to even to https for the login then revert to http cookies for the rest. Yeah, I sorta get why they do that based on the paucity of processing cycles on mobile devices but this is just sad. Also it should be noted that you may want o add some custom handlers to your firesheep setups for mobile apps fir this very reason…

Jack’s Stories

  1. Microsoft responds to the "NSA backdoor" stories Qouth Microsoft: "We do not provide any government with direct access to emails or instant messages. Full stop."
  2. The latest episode of the Freakonomics podcast talks about some great US DoD documents on "ethical failures". The annual "The Encyclopedia of Ethical Failure" is published to provide ethics training for US government employees. If you are responsible for employee training, even if ethics aren't part of your realm, this is a great example of engaging, amusing, and useful training. Not Death-by-PowerPoint(tm). The latest version is available here, and last year's is available as a Word doc
  3. Remember when MIT pretended they weren't evil? Yeah, they're blocking Kevin Poulson's FOIA filing over Aaron Swartz's files

Allison's Stories

  1. My Blackhat talk! - "Denying Service to DDOS Protection Services" I found out how to bypass a lot of cloud based DDOS and WAF protection and I'm going to present it at Blackhat. We're releasing a tool to automate this bypass and a bunch of techniques you can use in combination with it. I'm totally psyched about this talk so I think you should attend it if you're going to be in town.
  2. "Other" Consumer Reports: What You Should Know about "Specialty" Reports - So privacy and massive data aggregation(a la NSA) is in the news a lot lately. This link is very interesting because there are already a lot of databases out there that aggregate info that can be used against you. There is a lot of material here but you should read it and educate yourself, lest you end up getting punished out of nowhere because your profile in these databases indicates that you're a "high risk". You have some rights under the law to request your report and dispute issues, but you can't exercise those rights until you know about them.
  3. Who’s Behind The Styx-Crypt Exploit Pack? An interesting look into uncovering the individuals behind a commercial exploit kit. Sometimes you can attribute malicious code to the author and this article has some original research on doing just that.

Patrick's Stories