SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
PaulDotCom Security Weekly - Episode 354 for Thursday November 21st, 2013
- We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
- We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details!
- The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!
- Larry teaching SANS classes: Check out his SANS page for the details" 617 in DC in December, and in Orlando in March, Also 571 at RSA
Guest Interview: Martin Roesch
Martin Roesch is the VP and chief architect, Security Business Group at Cisco.A respected authority on intrusion prevention and detection technology and forensics, he is responsible for the technical direction and product development efforts for Sourcefire's commercial and open source product offerings. Roesch, who has nearly 20 years of industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort® Intrusion Prevention and Detection System (www.snort.org) that forms the foundation for the Sourcefire Next-Generation IPS.
- How did you get your start in information security?
- What advice do you have for others getting their start in information security?
- Why did you decide to write Snort?
- Its been a long journey since the early days of snort, can you summarize how you got to this point?
- Wait, I thought IDS was dead?
- How has IDS evolved to detect the latest threats?
- How do you keep track of sessions on 10GB connections?
- Three words to describe yourself
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?
So, I was reading about an FTC panel, featuring Craig Heffner and others trying to improve the state of embedded security. You can read that article here:
Basically, its the same story. Embedded systems security sucks. And yes, even when we polish the message, shave, shower, put on a suite and tie and meet with stakeholders, the baby is still ugly. It comes down to usability and price. They, the vendors, even admit it comes down to usability. They want the consumer to be able to check on the roast in the oven while they weed the garden. I'm not sure which embedded device would allow you to do that, but security is not in the picture. Security is trumped by usability, and we're losing the battle big time. Here is some more evidence:
- Stem Innovation ‘IZON’ Hard-coded Credentials - Because no one would guess that user/user is valid when logging in via the web interface.
- Depth Security: Dahua DVR Authentication Bypass - CVE-2013-6117 - This one is really funny, he actually caught himself on tape dropping his motorcycle. I hope him, and the bike, were okay! ActiveX controls your camera, yuk.
- JunOS crossite scripting - XSS in your firewall, spells trouble.
- Vivotek IP cameras authentication bypass - Spy on people, complete with Python code.
- Integrated Lights-Out security vulnerabilities - security vulnerabilities database - Still, iLO vulnerabilities..
- an isolating firewall - This is a really awesome firewall distribution for setting up a quarantine for infected systems. It uses its own IP stack!
- Hierarchy Of Security Product Needs & Vendor Selection… - This one is just funny!
- Security Predictions for 2014 - Care for some predictions?
- "What’s my name? No - Outstanding post from Wendy. Us pen testers we like to enumerate usernames. Those users, oh those users, they love to forget their usernames. So we run into this problem, where we have to expose the username somehow, and this means attackers can enumerate it. The best take on this: Wendy says if attackers can do harm because they have a valid username, your application is in trouble!
- resets user passwords following rash of account hijack attacks
- The Boss Over Your JBoss Servers? -- Dark Reading
- Back to the Future in the Name of Better Security
- password database hack gives forum admins the jitters
- flaws put world leaders at risk of TERRIBLE TRAFFIC JAM
- backdoor squirts code into SSH to keep its badness buried • The Register
- of forum software firm vBulletin spawns host of zero-day attacks- The Inquirer
- Beware: Angler Exploit Kit Targets Silverlight Vulnerability
- Hunt: Adobe credentials and the serious insecurity of password hints
- Ormandy: QNX
- Unpacking Firmware Images from Cable Modems
- Dave Kennedy testifies in front of Congressional Committee on the security of healthcare.gov TrustedSec Congressional Hearing Report
- Your LG Smart TV knows you are watching midget porn LG Smart TV logging usage
- Github bans weak passwords as many accounts were brute forced Weak Passwords suck
- Facebook mines data in Adobe Breach to identify potential re-used passwords Facebook warning
- MA police department pays crypto locker ransom - "we were never compromised"