Episode 492

From Paul's Security Weekly

Paul's Security Weekly - Episode 492

Ferruh Mavituna from Netsparker joins us to talk about the perception of automated scanners, Ofri Ziv will deliver this week's technical segment and tell us how The Oracle of Delphi Will Steal Your Credentials, and in the news this week old code from Linux and BSD is vulnerable, my worst fears about IoT security appear to be reality, voice control, more SSL-protected web sites, security for small businesses and hacking doomsday. All that and more on this edition of Paul's Security Weekly.

Recorded December 8, 2016


Hosts

  • Jeffrey Man - Cryptanalyst, infosec analyst, pioneering ex-NSA pen tester, PCI specialist and certified security curmudgeon
  • Jack Daniel - Works for Tenable Network Security and is a co-founder of Security BSides.
  • Larry Pesce - Director of Research and Senior Managing Consultant at InGuardians
    • Larry Pesce, Swami of Security, Oracle of the Online and Hotshot Of Hacking
    • Larry Pesce, destroyer of embedded systems and injector of RF energy.
  • Michael Santarcangelo - founder of SecurityCatalyst.com, author of Into the Breach, and creator of the leadership-driven Straight Talk Framework - with our favorite question, "What problem are you trying to solve?"
  • Joff Thyer - SANS Instructor, Penetration Tester and Security Researcher with Black Hills Information Security.
    • Joff Thyer, Geeking out with the best of them. Known to attract multiple waitresses with a single smile and utterance of g'day. Deployer of cocktail recipes in desperate situations. Hacker of many a thing! If it's got code running on it, it can be hacked.
    • Joff Thyer, musician, proud father, and friend to many.
  • Paul Asadoorian - He is a male who is extremely charming in manner because of his gentlemanly behavior. He has good looks and thinks that women are better than men. He also has a high pain tolerance and likes it kinky.

Episode Audio

MP3

Announcements

  • Make sure you visit http://securityweekly.com/subscribe and subscribe to our new shows including Enterprise Security Weekly and Startup Security Weekly. You can also subscribe to all shows individually, as well as a main feed which contains this show, Hack Naked TV and Enterprise Security Weekly.
  • Take our super cool survey! http://www.securityweekly.com/survey

Interview: Ferruh Mavituna, Netsparker - 6:00-7:00PM

Ferruh Mavituna, Netsparker.

https://ferruh.mavituna.com/

Hacking web apps since 2003, web app sec expert, CEO of Netsparker - http://netsparker.com

Founder of Netsparker Ltd and Product Manager of Netsparker, a web application security scanner. Developed the first and only false-positive-free web application security scanner, with state-of-the-art accurate vulnerability detection and exploitation features, today used by thousands of companies around the world, and changed the automated web application security space. Frequent speaker at conferences about web application security; has released several research papers and tools. Coming from a developer background (C++, ASP, ASP.NET and PHP), he has been working in web application security since 2002, with a deep understanding of both sides: attacking and defending. Between 2002 and 2006 he worked for the Turkish Army and Police, as well as for several large clients as a freelance contractor, in Turkey, the USA, Canada and the UK.

We think that many professionals do not believe in automated black box scanners such as Netsparker. It seems that black box scanners are no longer popular mainly because:

  • False positives somehow ruined the reputation of scanners. Back in the day they used to generate a lot of false positives, and even though we've done a lot to eliminate this problem, and we did manage to eliminate it, people still don't believe in the software.
  • People believe that there hasn't been any particular "breakthrough" in scanners, making the tools outdated (even though there were breakthroughs, such as what we are doing with proof-based scanning).
  • Many believe that scanners cannot scan and find vulnerabilities in modern Web 2.0+ / HTML5 / single-page applications.
  • Pentesters tend to shy away from automation because they think tools such as black box scanners won't find anything that can't be found manually as well (theoretically this is correct, but in the real world they don't have that much time).
  • People believe that scanners can only find low-hanging fruit.


First of all, considering you are an industry veteran, what do you think of the above? Do you think that what we are seeing in the industry is actually true or not really?

Secondly, we’d like to showcase the capabilities of black box scanners in the next interview of Security Weekly. We’d like to talk about black box scanners in general, and not Netsparker. As in we would be more than happy to mention Netsparker in the interview, but we’d like to keep the interview vendor neutral and focus more on the industry and not on the product per se.

We'd like to highlight some facts during the interview, such as:

  • There is no other solution that allows you to scan 100, 1000 or more websites and highlight the real exploitable issues within a day or two.
  • It is the closest you can get to emulating a real-world malicious attack. The attacker does not have access to your code but uses scanners (most probably cracked versions of commercially available software) and/or manual methods to find vulnerabilities in your website.
  • Scanners can find vulnerabilities in modern web applications and web services.
  • The false positive issue is a thing of the past, especially with Netsparker. We have the proof-based scanning technology (would it be possible to stream this video during the interview: https://www.youtube.com/watch?v=uF9eGAfBh8A).
  • Black box scanners do not only detect low-hanging fruit vulnerabilities. And that takes us to the next point:
  • A black box scanner can find vulnerabilities that your team cannot find. Some vulnerabilities that black box scanners can detect cannot be identified manually (because the tester will not try 50 attack variants on every single input of every single page). You need automated tools to detect them.
  • A tester, or a group of them, does not know every single bypass and all the different tricks or issues. For example, not every tester knows the details of CSP or how to exploit an out-of-band SQL injection in Oracle, while the team behind Netsparker, or any other scanner, has typically been researching such issues for years, has had feedback from thousands of customers, and has been perfecting the scanning engine for years.

Ferruh mostly focuses on these technical areas: web application security research, and automated vulnerability detection and exploitation. Related posts:

  • https://www.netsparker.com/blog/web-security/exploiting-csrf-vulnerability-mongodb-rest-api/
  • https://www.netsparker.com/blog/docs-and-faqs/export-netsparker-web-security-scan-web-application-firewall-rules/
  • https://www.netsparker.com/blog/docs-and-faqs/selenium-netsparker-manual-crawling-web-applications-scanner/

Technical Segment: Ofri Ziv, Detection Development team at GuardiCore - 7:00PM-7:30PM

Ofri Ziv, GuardiCore.

Ofri Ziv leads the Detection Development team at GuardiCore, which is responsible for security research, detection and the development of data analysis algorithms. Ofri is a veteran of the Israel Defense Forces (IDF), where he led groups of security researchers and was in charge of the IDF's elite cyber security training program. He has been instrumental in the threats discovered by GuardiCore, including this recent one as well as PhotoMiner, and also unveiled the Infection Monkey open source cyber security testing tool when he recently presented at Black Hat.

Security News - 7:30PM-8:30PM

Paul's Stories

  1. Fast comparison of Nessus and OpenVAS knowledge bases | Alexander V. Leonov
  2. Could this be you? Really Offensive Security Engineer sought by Facebook
  3. Buffer Overflow in BSD libc Library Patched
  4. Solar Power Firm Patches Meters Vulnerable to Command Injection Attacks
  5. New Call to Regulate IoT Security By Design
  6. Old Linux Kernel Code Execution Bug Patched
  7. OpenVPN to Undergo Cryptographic Audit
  8. Hacker Claims To Have Pushed Malicious Firmware Update To 3.2 Million Home Routers
  9. Millions exposed to malvertising that hid attack code in banner pixels
  10. Trend Micro Says Cyber-Attacks Will Continue Unabated in 2017
  11. Comodo Partners with cPanel to Enable AutoSSL
  12. Hacking Doomsday: Your Cyberattack Survival Checklist
  13. IBM Watson for Cybersecurity Inches From Research to Reality
  14. NIST's Cybersecurity Framework offers small businesses a vital information security toolset - TechRepublic
  15. Daily Motion video sharing service named in breach claim of 80M accounts
  16. The Flowering Of Voice Control Leads To A Crop Of Security Holes
  17. TalkTalk Wi-Fi Router Passwords Stolen
  18. Russia Accuses Hostile Foreign Powers Of Bank Attacks
  19. IT Professionals' Cyber-Security Confidence Levels Fall, Survey Finds

Larry's Stories

  1. distributed CC guessing
  2. IoT and your kids
  3. ads, why we hate you so
  4. Oldie but goodie, WUDS
  5. Lloyd's of London EMP study

Joff's Stories

  1. Linux Local Privilege Escalation
  2. The Daily DDoS (CloudFlare)