Tech Segment: Intrusion Detection Snippets
Importance of Layer 3 Analysis - I use IPAudit, what a PITA!
Wireless Intrusion Detection - Its important, and with Aruba it can be a really cool!
Stories Of Interest
Apple Firewall Still Sucks - [Paul Asadoorian] - When will Apple learn that some users actually know how to use the ipfw, netstat, and lsof commands to check that the firewall is working? This article does a great job of pointing out why the OS X firewall still does little to offer protection. My question, could the Windows XP SP2 firewall actually be better in this regard?
Side Note: Granted that most Malware today is going to just bypass the firewall, even if it tries to block outgoing traffic.
Hacking GSM - [Larry] - We've talked about hacking GSM before, which in the US is illegal to do, AND research. Fortunately, it isn't the case in other countries. At this past August's CCC Camp some folks were talking about using a USRP (the same that Josh uses to hack bluetooth) for cracking GSM and the associated Encryption A5/1, which appears to be weak. So, potentially, the former "secure" communications may not be so secure. Here we go with more new encryption algorithms!
BT Home Hub CSRF Examples - [Paul Asadoorian] - GNUCitizen actually released the exploits for firmware version 22.214.171.124. They also serve as some great examples of CSRF attacks, esp. the little snippet of PHP that emails the attacker with the URL of the management interface of every compromised router. Sweetness!
How secure is your Colo? - [Larry] - Want the data? Go Oceans 11, 12 and 13 on 'em. In Chicago burglars broke into a Colo facility, by tazing and beating the only night guard in order to beat the surveilance cameras, and cut through a reinforced wall with a power saw to bypass the prox cards readers, biometric access, key pads and man traps. That doesn't sound to secure to me - especially since that this is the 4th time in 2 years that it has been broken into!
Quote of the week from Richard Bejtlich:
"This is another example of Attacker 3.0 exploiting features devised by Developer 2.5 while Security 1.0 is still thinking about how great it is no big worms have hit since 2005."'
Students Hack PeopleSoft - [Larry] - This is an older story out of California State University from 2004m but is still relevant. One of the two accused worked in the university It department, and through "hacking" was able to obtain passwords for more priveleged accounts to the web system. The attack was discovered during an audit - the University had just converted to PeopleSoft when the attack happened.
All Hail Qmail - [Paul Asadoorian] - Nine years and not one exploitable vulnerability. Wow, just wow. I remember using qmail back in the day, maybe its time to pick it up again. However, don't forget that exploitable software vulnerabilities are only one attack vector. A default password, social enigineering, and other "hacking without exploit" type attacks could lead to a compromise, but nice to know that the code is pretty solid.
WabiSabiLabi founder jailed - [Larry] - Want to buy exploits? How about wiretaps? Allegedly Roberto Preatoni was part of a Pen-test team that was charged with testing Telecom Italia - apparently the test was successful and it would appear that Roberto kept some of the discoveries for himself.
WabiSabiLabi co founder arrested - [Paul Asadoorian] - Apparently for wiretapping while he was a pen tester. Ouch, yikes, not good! This is scary, how much do you trust your pen testing team?
Quick, time to exploit Quicktime - [Paul Asadoorian] - Yikes, 5 remote exploit vulns in Quiktime. Holy crapper, how long have those been there? I like that it hits all platforms, OS X, Vista, and XP. This will be a profitable exploit.
Hushmail not so "hush" - [Larry] - Hushmail turned over clear text e-mails from their encrypted service by retrieving passwords from the server side encryption, with the stored user credentials - blowing the claim that even Hushmail employees can't read client e-mails.
Big Botnets, Storm, and the future - [Paul Asadoorian] - Storm is nasty, bad guys are gaining the capapbility to stay ahead of us and hide big botnets in the vast Internet space we have created. Its kinda cool in a way, but scary too, as most people are getting hacked and will never have a clue.
Automobile wireless DoS - [Larry] - A "rogue" transmitter in an automobile at a parking garage caused a DoS on other similarly equipped autos in a 50M radius. Apparently it wasn't really an attack, but a device that was malfunctioning.
Comments From Our Listeners
If you guys like Phish Tank, you should check out LinkScanner. They build a database of exploit scripts going around the web, with some community features, and it scans websites in realtime to see if the site uses any of them. You can then set it to block either the exploits or the whole site (both by default). You can also use it manually for free, both at their website and as a free product.
I've been beta testing from them since inception, and it's great. I know it sounds like it would be burdensome to scan sites in realtime (even Google results, in Firefox too!), but they've done a great job of making it really transparent, and it's relatively cheap, too. A good deal all around.