Stories Of Interest
Alicia Keys MySpace Page distributes trojan - [Paul] - It's interesting that they use the "install this codec" tactic, the very same tactic used by the lame OS X trojan. However, and seriously, when related to browsing adult web sites what are you willing to put at risk in order to view porn? Note to all users, don't install codecs, ever, just use Windows Media Player or VLC latest versions and you should be able to play everything. If not, then it's just not worth it.
Oracle buffer overflow - [Paul] - So, I may have things to say about a vulnerability/exploit culture, however vulnerabilities and associated exploits in software that is used to house so much critical data is a huge problem. Couple that with organizations that don't patch Oracle! Yes, I have personally spoken with so many organizations that just simply do not patch Oracle, or take years to apply patches. This gives attackers too much time and the advantage, a bad combination.
Apple fixes the libtiff vulnerability - [Paul] - So, Apple released firmware version 1.1.2, but how many people will apply it given that most people want to unlock their phones and this fix could disrupt that? I just need to go buy two iPhones, one for me to use, and one for me to hack. Furthermore, if I want to exploit an iPhone, do I need a vulnerability? What if I just send a user a payload? hrmm.....
Nikto 2 Released, holy crap! - [Paul] - This has been a loooong time coming, and lots of additions are included. I ran it against a site today, and it found something really interesting. Apparently some .NET sites have a page called Trace.axd, which gives out a whole bunch of debug info. I was able to find the server root path (i.e. c:\site\blah), versions of code, and all sorts of information about the app and requests. Very handy for web app testing.
Special Note: Suru is cool! As the SensePost guys stated, it's a very nice web app tester. You set it up as a proxy, then browse to your target. It lists all of the pages you visit, and captures headers. Then you can capture the requests and edit them. Replace any field with "FUZZCRTL" and you can control what gets sent to that field of the web app and fuzz it. They have some standard templates which fuzz for XSS and SQL, and some other stuff and list out the response to each test in a separate window. You can then browse to each of the results and see the output for yourself. Neat stuff, more to come.
Some Good Apache mod_rewrite rules - [Paul] - Rewrite rules are a good thing to implement to help protect your web application. For example each request made by Nikto has a user agent value of "Nikto". Now, this can be easily changed, however it's good to catch some of the obvious stuff.
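An added example, not taken from the linked article or from the show: a minimal rule set for the user-agent case described above, for server or virtual host context. It assumes mod_rewrite, mod_setenvif and mod_log_config are loaded and that the "combined" LogFormat from the default httpd.conf is defined; the log file name is a placeholder.

```apache
# Added example: refuse requests whose User-Agent contains "Nikto"
# and keep a separate record of them.

# Tag matching requests with an environment variable (case-insensitive).
SetEnvIfNoCase User-Agent "nikto" scanner_ua

# Write tagged requests to their own log for later review.
# Placeholder path; "combined" must already be defined via LogFormat.
CustomLog "logs/scanner_access.log" combined env=scanner_ua

RewriteEngine On
# [NC] makes the pattern match regardless of case.
RewriteCond %{HTTP_USER_AGENT} nikto [NC]
# "-" means no substitution; [F] answers 403 Forbidden and ends rewriting.
RewriteRule ^ - [F]
```

Because the user agent is trivially changed, the separate log is the more useful half: a burst of tagged requests from one address tells you a default scan ran, and the same address can then be checked in the main access log.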
"Hacker of the year Arrested" - [Larry] The Swedish Hacker who set up a "rogue TOR exit node", and monitored the exiting traffic (and then published the results - including usernames and passwords for embassy e-mail accounts) was arrested, however no charges were filed. Dan Egerstad spoke out in an article, outlining the hack, and why people misunderstand TOR. Let's discuss why this is wrong on many levels... (Thanks to our listener Matt for the article)
Reporting three breaches in one day - [Larry] - Montana State University reported three separate breaches in one day - fortunately all were small in scope. First, an unencrypted USB token containing student SSNs was lost. Encrypt! Use PGP/GPG on files or Truecrypt (however Truecrypt needs Administrator rights to install (and use?)). The second two were for publishing two (on separate occasions) Excel spreadsheets on the University web site with student SSNs contained within. User education and regular content checking! Apparently the files were "copied to the wrong location", then the folder was copied to the web server. Hmm, a quick Google search of the affected domain for sensitive file types (say, Excel :-) ) would have turned this up quickly...
Apple released a crapload of patches - [Paul] - Some interesting ones are the Flash player exploit, which could cause damage by malicious web sites, Safari too has some vulns, which I wonder if these transfer to mobile Safari? Oh, and a whole bunch of kernel priv escalation exploits, which although OS X does a good job of letting you run as a regular user, can just bypass that process.
INSECURE Mag #14 - [Larry] - Check the first article! W00t to P-diddy! Paul, I'm sure you want to talk about (I know that I do!) the issues that you posted on the Security Weekly blog about the state of security, and the hunt for vulnerabilities, as opposed to a holistic approach...
Nearly a half million unprotected database hosts! - [Larry] - David Litchfield portscanned just over a million random IP addresses for SQL and Oracle with some surprising results - 492,000 database servers allowed direct connection to unknown hosts on the internet - and most of said servers were not patched and vulnerable to "ancient" attacks. Wow! I'm just floored. We talk about egress filtering all of the time and how it is important, but what about INGRESS filtering! If it doesn't need to be available on the internet, shut it off! If it does, allow it with only specified hosts, and/or with additional security - say two factor authentication, amongst others.
Owning or Pwning a Tor Exit Node is a powerful thing - [Paul] - details of how a Swedish hacker put up his own Tor exit node and looked at people's email. I don't know why people don't use PGP more.... (Thanks to Matt for this story!)
Not so random after all? - [Larry] - Some Israeli researchers have claimed that the Windows 2000 random number generator is not all that random - and that an attacker can predict all future "random numbers" after learning the first random number state. Microsoft is claiming that this is not a security hole, because (ready for the quote of the week?) "Information is not disclosed inappropriately to unauthorized users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged on to the local system with administrator credentials," he said. "Because administrators by design can access all files and resources on a system, this does not represent inappropriate disclosure of information." What's wrong here: can we get a legitimate user to run code to show said legitimate user the information, and send to a third party: yup. Can we get an administrator account to do the same: yup. Can this info (either as an admin or non-privileged user) be used to break SSL sessions for any user on the machine: yup! Is any user supposed to be able to view/break SSL without this data?: NOPE! Microsoft recommends practicing defense in depth!
Standalone Drive eraser - [Larry] - What a cool gadget. Now, no need for DBAN, just use this standalone device. This will wipe drives single pass (standard) or multiple passes (Pro) with DoD approved wiping methods. The pro model can support IDE, PATA, SATA and with some attachments, notebook drives.
Where ya been Microsoft? - [Larry] - Two UK based security Pros hacked XP SP1 with no firewall and no AV attached to an unsecured wireless network in 11 minutes as part of a demonstration on "Getting safe online" to illustrate why patches, AV and host based firewalls are important. The security pros used freely available tools found on the internet. MS execs were shocked, and recommend Vista. Go figure!
From "Magnum PI":
I am hoping you can point me in the right direction since I am dead tired at 2:40am on a Saturday and I can't seem to find the info I need. I would like to change the firmware on my Fon router from DD-WRT to OpenWRT. I got this router when they were giving them away for free last year and I immediately hacked it and put DD-WRT on it. After listening to your wonderful shows, I would like to explore OpenWRT to see what it is capable of. Since I already have DD-WRT on this router, how do I go about putting OpenWRT on it now? Thank you for your time.