Top 5 Faux Security Concepts
Faux (adjective) - artificial or imitation; fake:
1) Firewalls - So many people, even to this day, put so much faith in firewalls. XP SP2 firewall helped worms, but also helped the malware industry. Attackers will always find ways around the firewall.
2) Anti-Virus Software - Here is another technology that people rely heavily on. May I point you to Vomm, http://blog.info-pull.com/2007/01/update-17th-october-2006-aviv-posted.html, which defeated all AV sigs, and Snort too.
3) Patching Cycles - Those responsible for Microsoft systems (Oracle, and other too) love the regular patching cycle. It gives them time to plan, test, and implement patches in a controlled manner. However, during this process they are getting owned six ways to Sunday. Furthermore, you have heard many people come on this show and describe how they were able to find new attack vectors for a vulnerability based on the patch and/or while researching the vulnerability (Nessus, Core).
4) Passwords - We've all said it on the show, passwords suck. Two-factor authentication is good, but often fails (ever see the movie DOA?)
5) Wireless Security Of Any Kind - This is one topic that we have covered on the show quite thoroughly, and quite frankly I believe we have established that there is no such thing as true wireless security. WPA2 is good, use it. Be careful of new wireless mediums like WiMAX, EVDO, etc.., they very well could go down the same patch.
Stories For Discussion
My pal L1n0xx (from Toorcon, gave a talk about avoiding Windows built in firewall) is giving a talk at HackCon in Europe. While there he submitted his passport to be downloaded and read! He is a funny man. - Nick D - I txt'd L1n0xx when I saw this and he said "I did it for the lulz".
Root DNS Servers under attack - [NickD - Details are that a botnet is blasting the servers with >300byte DNS requests. Port 53 was going nuts. Also DOD and ICANN DNS servers (G and L) took the worst hit and were basically disabled. - Nick D [Larry] - Nick, got link? Is it me, or does a greater than 300 byte request seem small? (I know DNS requests ARE small). This is a big story that wasn't a story. The internet kept chugging along, this time. - NICK D - Not so much. No link is necessary as these details are exclusive :) .. trust me on that one. In anycase, yes there are 13 root servers, but the fact someone was able to take down 2 of them pretty easily for a long time is the story here. Also people were affected in that if they hit G or L the dns query would stall until it went to another DNS root server. It was enough to cause delays.
ImmunitySec's SILICA released! - Uses Nokia 770! - NICK D
Trend UPX DoS and potnetial compromise - [Larry] - It says remote, but not really remote. More like a client based attack. Feeding a system using one of the vulnerable Trend scanning products will get the scan of a UPX packed file to DoS the machine. Whoops. Condidering UPX is very popular with malware authors... I;m sure you can see the disaster waiting to happen.
Why You See So Much SPAM - [Paul] - "By infecting two machines with two different known spam Trojans (Trojan-Proxy.Win32.Lager.gen and FiveSec.Spam.Agent.vx), we were able to capture over 6,000 image spam messages in a period of only 35 minutes" and "with our bandwidth, these bots combined are capable of sending over 12,000 messages an hour". Imagine what a botnet of thousands of hosts can do... [Larry] - I have imagined it, and I see penny stock image spam. yuck.
802.1X to prevent rogue AP? - [Paul] - Defense-In-Depth, WIPS and 802.1x are a great combination, as the author points out an attacker could easily grab an existing AP that may already be an exception to your 802.1x policy, maybe its allowed by MAC address, which can be easily read from the outside of the device. [Larry] ...and certainly a well tuned WIDS will pick up that the fingerprint of the new AP doesn't match the old one (by either wireless MAC, if not changed, new SSID, or by wired side fingerprinting). Now, if possible, replace with an identical model rogue.
Vista firewall - != Secure as MS says it is - [Larry] - Microsoft has been touting that Vista is significantly more secure. MS even added outbound firewall filtering - too bad ALL of the outbound rules are set to allow. This reminds me of the default OS X firewall - great technology underneath (no comment about MS), just poorly configured. Poor configuration = eventual compromise.
Oakley is a security company? - [Paul] - So, you have the RFID shielding wallet (Thanks Joe!), but what about all that stuff in your computer bag? Like, well, your computer? [EVIL Larry] - So, not only can I protect, but I can use this backpack to shield RFID that may be used for asset tracking, on say, a laptop or a.....BABY! Now get thee to a pawn shop!
VMWare Guest OS Isolation Vulnerability - [Larry] - The beginnings of breaking out of a VM? :-) Allows for transfer of clipboard information clipboard information...sure no big deal that is a feature - yeah but it doesn't work as described. Hmm....actually, this might be lame?
Multiple QNX Vulnerabilities for the QNX Fanboy - [Paul] - Gee, wonder who that could be.... - NICK D - Those are some DAMN weak vulns man. Clipboard world readable? and A user can debug SUID apps.. this is all assuming you got local access to begin with. There are probably like 10 similar vulns in Linux/Mac OSX and Windows right now that no one really cares about. Besides, Scoreboard, look at the track record. If this is the worst vulns for QNX in the last decade than I would say it has been fairly successful. :) OUUUUUUUUUUUUUUUUUuuuuuuuuuuuu
Vista: say "Start, Shutdown" - [Larry] - This one is a bit old, due to no regular show last week. But MAX-LULZ. Vista voice commands can be read in from the system speakers. Can you say noise cancellation?
PHP 5.2 Safe Mode Bypass - [Paul] - When will PHP security get BETTER? Never? [Larry] PHP Security == Friendly Fire
Solaris 10 ICMP Panic [Larry] - Oooh, Solaris. Patch for Solaris 10, because a single ICMP packet processed by the system can cause it to panic. No details released. Can you say Fuzzer? Oh, go update BTW.
My Car Has A Virus! - [Paul] - Okay, so maybe its on my TomTom GO910, however, F-Secure talks about malware on this device infecting a PC when you connect it up. Apparently these viruses were conveniently included by the manufacturer, how nice of them! [Larry] Some of the headlines on this were very misleading, indicating that your car would get a virus. Unless your car is operated by a windows box - oh the jokes could go on there for hours.
Discover Hackinstan - [Paul] - What's Hackistan? A) The source of the world's security problems B) The nation where a new identity is born every second C) A country where your credit card numbers are vital to GDP D) A place where everyone has your PIN # and mother's maiden name. Do they mean Russia?
OMG - LED Lights giving us the finger, it must be a bomb! - [Paul] - Wow, Boston PD must feel stupid, foiled by Aqua Teen Hunger Force.
Remember the Lame Digital Armaments Hacking Contest? - [Paul] - The vulnerability was disclosed, "Grsecurity Local privilege escalation exploit". Nick, don't you run that too? :)
I just talked to Brad Spengler on AIM, he is the lead project manager of GRSec... :)
(13:50:19) Brad Spengler: in their pre-advisory
(13:50:19) Nick D: ...
(13:50:25) Brad Spengler: they said the bug was in a certain function
(13:50:27) Brad Spengler: which it was not
(13:50:34) Brad Spengler: so we went on the best evidence we had
(13:50:34) Nick D: ohhh
(13:50:40) Brad Spengler: we had looked at the function, which was trivial
(13:50:45) Brad Spengler: and saw that there were no problems
(13:50:50) Nick D: was the bug really bad? as in local priv. esc. bad?
(13:50:52) Brad Spengler: and looked into the company in question
(13:51:01) Brad Spengler: DoS most likely
(13:51:06) Brad Spengler: very hard to exploit reliably i think
And it is fixed now.. so ... they were wrong.
Random MD5 Sums? - [Paul] - So, if you are going to release nasty 0day code, and dont want to be "Apple-PR-ified", you release the hashes of you files before you release the exploit. Halvar released an md5 AND a sha1 hash, does this mean there could be a problem with either of these? hrmmmmm, Further Evidence?
Interview with Stephan Esser - [Paul] - PhP security is hard.
If you are a Veteran, be afraid, be very afraid - [Paul] - Are they sending this info to Hackistan?
Security Vendors insult our intelligence - [Paul] - So, as a vendor, you feel the need to separate yourself from the rest with "unicycle riding Security Pros telling us all about their solutions", and "Hackistan (yes you read that correctly) had some fur wearing communist era actors using fake Russian accents in what can only be described as Borat does InfoSec". Oh, and we now have booth babes!
Choose Your Friend's Skype Ringtone! - [Paul] - Besides being *endless* amounts of fun, you could exploit the Vista voice commands! What fun!
Be an Admin at RSA - [Paul] - what a great way to get some good credentials...
Why Does Skype Read Your BIOS? - [Paul] - Scary.
Other Stories/Sites Of Interest
http://pressesc.com/01170856527_us_strong_privacy_bill_senate - NICK D - Key features of the bipartisan legislation include increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data. EXCELLENT
Get Your Phreak ON - [Paul] - Sweet site that contains info on hacking cell phones, telecom, and even has an exploit database.
Social Engineering Tests Document - [Paul] - Not too much info on this topic, so thought I would include a link.