SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 164 - August 20th, 2009
- BruCON in Brussels, baby. Are you in Europe around September 16th thru the 19th? Doesn't matter. Be there!
- The Louisville Metro InfoSec Conference in, well, Louisville, offers John Strand as Keynote and serves PaulDotCom Asadoorian as Breakout Speaker. If that were not enough, they will also have a Capture The Flag event and Irongeek! All the above for the very low price of $99 on October 8th.
Interview: Mike Wilde of Splunk
Michael Wilde is a long time technology evangelist and customer advocate. Affectionately known as the "Splunk Ninja", Michael was an early employee at Splunk, building the pre-sales engineering team and pioneering much of the social media/video marketing & tutorials Splunk has today. Michael worked in pre-sales engineering and management roles at companies such as Tivoli/IBM, Marimba/BMC, Bowstreet/IBM and Sigaba. Michael lives in Austin, Texas with his family, enjoys the humidity, barbeque, skateboarding, and the occasional cow wandering into the back yard.
From the Splunk Website:
Splunk is a search engine for IT data. It's software that lets you search and analyze all the data your IT infrastructure generates from a single location in real time. We call this IT Search. No need for databases, connectors, custom parsers or proprietary consoles. Just your imagination and a web browser! Now you can troubleshoot IT problems and investigate security incidents in minutes, not hours or days. Monitor all your applications, servers and network devices from one place. Report on all your compliance controls in a fraction of the time.
Tech Segment: Security FAIL - It's all around us
Firewalls Protect You
Perhaps one of the most overlooked things that I still see is using firewalls to restrict outgoing traffic. You should set up strict outgoing rules that only let your servers connect to the resources on the Internet that they actually need. For example, if Windows is your platform, use an internal patching server so that your systems update from it rather than from the Internet. If it's Linux, only allow them to reach your distribution's update servers. Everyone should read the following article:
Not just read it, but read it again, then send it to your IT department. Gunar makes several good points:
- Attacks that encompass activity that you do not expect or anticipate are very successful
- People are confident in their security designs, but don't take into account the unexpected
- If you want to beat MJ at something, challenge him to a game of chess
- Attackers will always go after the weakest spot, and attack the low hangin' fruit
I will add that penetration testing can help drive home this point, as can a good audit. You should have both.
VPN will save you
VPN is the new firewall! "Oh, it's secure, it's behind the VPN." VPN does not protect you over wireless, and it does not protect the hosts on your internal network. Don't get me wrong, VPN is great, but it has to be designed correctly, and thought of as "remote access" rather than security. I think VPN has become overused, and SSL VPNs just make things worse. With all the problems uncovered with SSL lately, I'd never recommend an SSL VPN. When you design a VPN be sure to include hardening of the services that VPN users are accessing. Example: email. If users are VPN'ing (I hate using VPN as a verb) in to access the mail server, harden the mail server. Assume the VPN is compromised; now what?
Easy Management = Security
So not the case! A lot of decisions are made, especially around IT, for "ease of management". Keep in mind, every time you push the easy button, God deploys another bot into your network. Now, security is most certainly a balance, and each decision should be evaluated and the risks weighed. The greatest struggle we have is convincing employees and managers that risk is real. Here's an example: an organization that uses DHCP on all the servers and assigns IP addresses by MAC address. This sounds like a great idea to ease management, however it really doesn't: if you need to replace a NIC or a server, you still need to update DHCP. From an attacker's perspective, the options are endless. You can create rogue DHCP servers, clone MAC addresses, the list goes on.
Another example is SSH. It's secure, right? - Depends on the configuration! You need to limit by IP address, restrict remote root, never use password authentication, and check the logs frequently.... Yes, I said check them, not just collect them :)
Here is my SSH config recommendation:
# Don't allow root to login remotely!
PermitRootLogin no
# Enable key auth (RSAAuthentication only applies to protocol 1; PubkeyAuthentication covers protocol 2)
RSAAuthentication yes
PubkeyAuthentication yes
# Empty password, really?
PermitEmptyPasswords no
# Disable password auth, evil
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
# No X11!
X11Forwarding no
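To put the "check the logs, don't just collect them" advice into practice, here is an added example (not from the show notes) that audits an sshd_config against the recommendations above and then reviews sshd log lines for activity that config should have made impossible. The config text, log lines and the 10.0.0.0/24 management network are constructed samples.

```python
# Added example, not from the show notes: audit an sshd_config against the
# recommendations above and review sshd logs for activity it should prevent.
import ipaddress, re

RECOMMENDED = {"permitrootlogin": "no", "pubkeyauthentication": "yes",
               "permitemptypasswords": "no", "challengeresponseauthentication": "no",
               "passwordauthentication": "no", "usepam": "no", "x11forwarding": "no"}
SAMPLE_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
"""  # constructed sample; the first PasswordAuthentication line is the one sshd uses
SAMPLE_LOG = """\
Aug 20 10:01:02 mail sshd[2311]: Accepted publickey for paul from 10.0.0.5 port 51002 ssh2
Aug 20 10:02:15 mail sshd[2320]: Failed password for root from 203.0.113.7 port 4021 ssh2
Aug 20 10:03:00 mail sshd[2331]: Accepted password for paul from 10.0.0.9 port 40100 ssh2
"""  # constructed sample log lines
LOG_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+)")

def parse_sshd_config(text):
    """{directive: value}. sshd honours the FIRST occurrence, so a hardened value after
    a permissive one is ignored; stops at a Match block, whose lines are conditional."""
    effective = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        if key.lower() == "match":
            break
        effective.setdefault(key.lower(), rest[0].lower() if rest else "")
    return effective

def audit_sshd_config(text):
    """(directive, found, wanted) per unmet item; found is None if absent."""
    found = parse_sshd_config(text)
    return [(k, found.get(k), v) for k, v in RECOMMENDED.items() if found.get(k) != v]

def review_sshd_log(lines, allowed_nets):
    """Flag password attempts (a failed one still proves the method is enabled),
    root logins, and sources outside the allowed management networks."""
    nets, findings = [ipaddress.ip_network(n) for n in allowed_nets], []
    for m in filter(None, map(LOG_RE.search, lines)):
        _result, method, user, src = m.groups()
        if method == "password":
            findings.append((src, user, "password auth still enabled"))
        if user == "root":
            findings.append((src, user, "root login attempted"))
        if not any(ipaddress.ip_address(src) in n for n in nets):
            findings.append((src, user, "source outside allowed networks"))
    return findings
```

Run `audit_sshd_config(SAMPLE_CONFIG)` to see the first-match trap (the late `PasswordAuthentication no` does not count) and `review_sshd_log(SAMPLE_LOG.splitlines(), ["10.0.0.0/24"])` to see which log lines contradict the policy.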
Stories For Discussion
- IOS BGP DoS - [PaulDotCom] - Any flaw in BGP is just bad.
- Case the joint - [PaulDotCom] - Interesting article on the investigation of a hacker forum site that was taken over by the FBI supposedly.
- DIY 2.4 GHz Spectrum Analyzer - [PaulDotCom] - So cool!
- Hacking CSRF Tokens - [PaulDotCom] - Scary stuff if they can break these.
- I love TV-B Gone, Now in EU! - [PaulDotCom] - I can't wait to build one.
- US prosecutors have charged a man with stealing data relating to 130 million credit and debit cards - [MikeP] - It's nice that we have a more cooperative relationship with Russia, at least.
- One more round for the good guys! - [Mick] - Not news: child predator gets busted for trying to meet an underage girl. FAIL: after reviewing the chat logs, the other chats with underage girls were all cops! Way to go cops!!
- AT&T decides protecting Mitnick's account info too much trouble, dumps his account - [MikeP.] - After Mitnick hires a lawyer to complain that his privacy was being invaded by people posting his account info in hacking forums, AT&T decides his $20K a year business is just not worth it. I wonder what that says about AT&T protecting my measly $600 in business.
- Facebook now with CSRF "goodness" - [Mick] - Read this great writeup! Oh boy, is this a peach of an attack! The site where everyone tells all their very personal info can now be used for much evil.
- The Pre spies on you! - [Mick] - Grr! The phone I love is narcing on me! Time to get the iPhone... what? iPhone apps do this too? What's a paranoid^W concerned person to do?
Other Stories Of Interest
- Belarus develops school uniform that makes tin foil hats obsolete - [MikeP] - Tin Hats are cheaper.
- “If You dont like Obama come here, you can help to ddos his site with your installs” - [MikeP] - Offering your computer to an unknown group to take part in a DDoS attack as a form of government protest is, well, a pretty lousy idea.