Paul's Security Weekly - Episode 373 for Thursday May 15th, 2014
And now, from the dark corners of the Internet, where exploits run wild, packets aren’t the only things getting sniffed, and the beer flows steady its Paul’s Security Weekly!
- This segment is sponsored by Palo Alto Networks creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
- and by Tenable Network Security, the creators of Nessus, the worlds best vulnerability scanner. Check out Tenable's other cool products such as the passive vulnerability scanner and SecurityCenter Continuous View. Visit them on the web at www.tenable.com
- Really quick:
- Be sure to check out our new 4 day Active Defense and Offensive Countermeasures class at Black Hat Vegas!
- You can purchase Hack Naked T-Shirts online via http://shop.securityweekly.com get yours today!
- Attend the show live if you are in the RI area, check http://securityweekly.com/attend for details
Guest Interview: James Jardine
James Jardine is a Principal Security Consultant with Secure Ideas, LLC. James has over 12 years of software development experience with over half of that focusing on application security. During his long development history, he has had the opportunity to write both large enterprise applications, thick clients, and mobile applications. He has held many roles including senior developer, software architect, and application security expert. In addition, James is an instructor and author for the SANS Institute. He is also a contributing blogger for the Secure Ideas blog, the Jardine Software blog, and the SANS Appsec blog.
"We are working on an update to SamauriWTF to version 3.0 which will be used in the Orlando Web Pen Test class we are doing in June and the MobiSec Distro for the BlackHat class on Mobile Pen Testing"
- How did you get your start in information security?
- What is the most secure programming language?
- With open-source software, how can we best make sure the code is secure? Ala OpenSSL bug.
- To static analaze or not?
- What add-ons to web software frameworks are the best at adding a layer of security? Is it worth it?
- How do we certify that software is secure?
- What advantages does .NET have over other frameworks?
- What is one flaw that works awesome for pen testers against .NET?
- What are some great tools for web application test in the discovery phase?
- What is the best way to handle authentication in a web application to prevent default passwords and authentication bypass?
- When coding a .NET app, what is the best way to store user credentials in the database?
- Three words to describe yourself
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- If you could have dinner with one celebrity, who would it be?
Ten more questions to ask at random:
- If you had super powers, what would they be?
- A penguin walks through that door right now wearing a sombrero. What does he say and why is he here?
- If we came to your house for dinner, what would you prepare for us?"
- Pick two celebrities to be your parents."
- What do you think about when you are alone in your car?
- What song best describes your life?
- If you were a Star Trek® [or Star Wars® ] character, which one would it be?
- If you were 80 years old, what would you tell your children?
- What is the record amount of time you have gone without a shower?
- What is the geekiest thing you've ever done/created/bought/said?
Tech Segment: Ty Miller
- This segment is brought to you by Black Hills Information Security, THE source for all your penetration testing needs and active defense! Visit them on the web at blackhillsinfosec.com
1)About & Why
With hackers striving to become the Picasso of the IT world, we are seeing more creative and abstract attack techniques being developed to bypass defences.
As a defender, it is becoming increasingly important that you understand the deep and dirty inner workings of how these attacks compromise your systems and establish a connection with the attacker in order to effectively protect your environment.
From the offensive point of view, organisations are becoming increasingly paranoid about suffering security breaches, and rightly so. This means that they are investing heavily in security and implementing more advanced prevention mechanisms. As an attacker or penetration tester, we are facing the reality that many pre-packaged attacks are being detected, which means that we need to become creative to stay ahead of the defensive controls.
So lets increase your exploitation success rate! Wouldn't it be great if you could write your own shellcode to bypass security controls such as firewalls, authenticated proxies, intrusion prevention systems, and threat detection systems to increase your exploitation success rate? Well now you can!
"The Shellcode Lab" training at Black Hat USA teaches you the ins and outs of each of the major attack techniques. Not only that, every student learns how to actually develop their own variety of custom shellcode from scratch for Linux, Windows, and Mac OSX.
The course is structured in a way that every student succeeds! 95% of students have never touched shellcode before, but by the end of Day 1, every single student has written from scratch "Mac OSX 64-bit Port Bind Shellcode" to gain a remote shell on the victim host.
The development of the shellcode is presented using easy to learn techniques. Starting off with an introduction to different shellcoding techniques on each platform, an introduction to basic memory management and assembly, followed by creating simple shellcode to write to stdout and call functions.
This gives students a base understanding and practical experience to develop simple shellcode. The complexity is then increased to more useful shellcode such as command execution, dynamic Windows shellcode, setting up backdoor listeners using sockets, shellcode networking to remotely gain a command shell, and egg hunter shellcode to search through memory for our payload. All of this is done whilst holding your hand so that you don't miss a beat. Students will also learn about staged-loading shellcode to bypass security controls, and kernel level shellcode to perform privilege escalation.
Students are taught how to encode their shellcode using the Metasploit Exploit Framework (MSF), and insert it into exploits that will be used to show that their shellcode was successfully executed. They will learn how to use MSF to generate shellcode for a variety of platforms, as well as create a Metasploit Payload Module so that your shellcode is available to all Metasploit exploits.
For the Tech Segment, we are going to step through one of labs from our Black Hat course "The Shellcode lab" where we develop shellcode from scratch to spawn a command shell on Linux.
The flow of the course starts at:
- Teaching basic assembly and shellcoding concepts including writing small and null-free shellcode, - Followed by 32-bit shellcoding on Linux to ease the students in, - This leads into more advanced 64-bit Mac OS X and Windows shellcoding. - The course then teaches how to integrate your shellcode into public exploits, - Students then create a Metasploit Payload Module that they add into Metasploit. - We then use the shellcode that students have developed in the course to actually exploit vulnerabilities to compromise systems.
For the Tech Segment, we will first step through:
- the structure of the assembly file, - including the code segment, - what registers we need to use, and - what functions we need to call.
This will then be followed by coding up some shellcode in assembly, including showing a few techniques on how to achieve things like clearing registers, locating strings, and calling syscalls.
We will then demonstrate a nice and easy way to compile the assembly, extract the shellcode, and run a test program to test that our shellcode functions as we expect.
We can do a quick demo of how to make shellcode small so that it fits into more exploits so that you can compromise more systems.
The Shellcode Lab: https://www.blackhat.com/us-14/training/the-shellcode-lab.html Practical Threat Intelligence: https://www.blackhat.com/us-14/training/practical-threat-intelligence.html
Threat Intelligence Website: http://www.threatintelligence.com Threat Analytics Website: http://www.threat-analytics.com Twitter: @tyronmiller (https://twitter.com/tyronmiller) LinkedIn: http://www.linkedin.com/pub/ty-miller/16/a45/963
- This segment is brought to you by http://www.blacksquirrel.io/ - Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.
- and by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
- and by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at pwnieexpress.com
Hopefully I can clean this up and make a proper article of it, in response to this I wrote this:
So, lets ask the question what value does the annual pen test derive? We’ve covered this extensively on the show.
Could this money spent on a penetration test be put to a different and better use? - Sure, you could spend money on a lot of things, like training, more security staff, products and more. Is that better? If you shifted your pen test budget and spent money on different things who do you know its working? How do you know you spent the money on the right things? Pen testing helps you focus your budget on the right areas.
Penetration tests attempt to answer the question, “Can my controls be breached?”
If this is the only question your pen test is answering then you got the wrong pen test. Pen tests should answer questions like:
- How could I be breached? - How much damage to my business could a breach of that kind do? - Where am I most likely to be breached given my current defensive posture? - What can an attacker do once I’ve been breached? - How long will it take me to detect the breach? - How well do the people in my organization react to a breach, or someone trying to breach security?
Assumptions they claim people make:
- My controls are not already breached - part of a penetration test now includes breach/malware discovery
- Breaches only happen due to missing controls and pen tests discover that - I think this is a correct assumption for a well-defined pen test
- Pen test test all routes into the network - More importantly is to test the routes inside the network and out of the network in addition to the routes in.
“Mandiant assesses hundreds of organizations around the world every month, and we find 95% of them “breached” “ - hum, thats because people call you when they’ve been breached or think they have been breached.
“The attackers employed advanced means to bypass these controls and got in without being noticed.” - Thats the point of a pen test, except the difference is you get to find out how without incurring damages.
“ If I were to use an analogy, getting breached is like falling ill. “ - Getting breached is not like falling ill, its more like someone broke into your house or car or office. Or more like someone picked your pocket. There are some major differences:
- Illness does not use the Internet to find out information about its victims, infections are random by organisms that do not have brains and reasoning like humans
- Some illnesses are a result of genetics, which doesn’t come into play when you build an organization. You get to choose which defenses you put in place and control your weaknesses. As a human, I can’t control the fact that I am genetically predisposed to high cholesterol
- Despite the fact you get sick, you still likely go to the doctor every year for a check up. And at Jack’s age, that entails a penetration test…
- In a network, there isn’t such a thing as treatment, there is just removal. You wouldn’t put your network on antibiotics and fight an infection. Infections happen, and they all need to be removed, there is no middle ground in terms of treatment.
- Brown HIV researchers make Dropbox secure with nCrypted Cloud - Should we have to make something like Dropbox secure or should they do it for us? WHich is better?
- Penetration Testing Has Come Of Age – Now It’s Time to Move On | M-unition
- Bitly hackers stole user credentials from offsite database backup
- Moar Shellz! «
- carmaa/inception · GitHub
- BugsCollector | Web security tricks
- Computer Forensics in Fiction
- "Linux ""got root"" kernel bug patched after five years at large"
- "Kippo Users Beware: Another fingerprinting trick
- "Google opens up Glass to the US masses for $1
- Is that Twitter account a bot? Researchers make app to find out
- Don't let hackers know Mandiant founder checks his email on an iPad. Oh.
- Deactivated User Accounts Die Hard
See you at BSides Nashville this weekend.
- Krypt3ia's Assessment of Operation Saffron Rose/Operation Flying Kitten is a good read, and debunking of some vendor $STUFF
- Troy Hunt rants on disabling paste in password fields and I agree, it makes me crazy. OK, crazier.
- A five-year old hole in the Linux kernel has been patched