- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 170 - For Friday October 9th, 2009
- Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "PaulDotCom" at checkout to save 20% on all security book titles!
- Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
- Mark Baggest's class: http://www.sans.org/charleston09_cs2/description.php?tid=672 Charleston, SC - November 9 - 14, 2009
- We're still looking for an intern for the podcast - local to the Rhode Island area, listens to the podcast, into linux, able to lift 30 lbs, and if possible, willing to perform post-production work on the podcast. If that description sounds like you, please send us a note via psw [at] pauldotcom [dot com]
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running January 11 - 16. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University. Also coming up, 617 on Calgary sometime in March!
- Rochester Security Summit - Larry and Ed Skoudis to give Keynotes. What can get better than that? October 28 - 29 in Rochester NY!
- Hackfest Canada! - Mick will be speaking/ranting from the Great White North! November 7th, you'll want to be there! Quebec, Canada (This con is so cool it's happening in two languages!)
- 10 PRINT "GOTO DOJOCON November 6-7, 2009"
- GOTO 10
Tech Segment: Larry discusses "Username harvesting from Social Media"
One of the things that I'm spending a lot of time with lately is improving and updating some recon and intelligence gathering techniques for penetration testing and black box assessments. I happened across a script that one of our listeners shared with me, and he's since turned it into the start of a sourceforge project.
So, great, were doing an external assessment and we've discovered a bunch of serves that we can attempt to brute force to gain entry. We've got a uber rocking dictionary which we can massage with john, but that about user names? Enter the power of social media!
Everyone wants to be connected nowadays. We've got a multitude of social networks to connect with. But how about one where we tout our professional accomplishments and list our employers, past and present. Linkedin to the rescue.
Yes, the Reconnoiter project form Jason Wood (@Jason_Wood) can really help us out here. With a few command line arguments we can use a component of the project (written in python) to harvest names based on company affiliation from Linkedin via google search:
python usernameGen.py "Company Name" <number of pages>
As an example, lets get one page of results from google on Microsoft:
python ./usernameGen.py "Microsoft" 1 groyal garrenr royalg lyoung lyssay youngl hmoghazi hatemm moghazih tghazali tarekg ghazalit eaddo erica addoe ekaddo
We note in the output that it has found several names, and output them in sever common username formats; First name last initial, last name first initial, and first initial, last name. The script will also take into account a middle initial on output if defined as well!
This is a great start. I've submitted some (ugly) code back to Mr. Wood to output the simmer name variations to separate files, so that if we are able to determine later that one format is in use we can reduce the number of false usernames in our pool.
Quick and dirty. I'm looking to contribute some of my scripts to the project, if Mr. Wood will have them.
Stories For Discussion
- More webmail cracked passwords posted - [MikeP] - Ok, does Google have to copy _everything_ Microsoft (Hotmail) does?
- Moxie's null-prefix certificate makes the rounds - [MikeP] - Moxie's tools at work in showing how SSL certificates are broken.
- Adobe Reader/Acrobat exploited again! - [Mick] - I'm getting *really* tired of posting these... yes this is NOT a repeat.
- Next evolution of Security needs? - [Larry] How about security for robots? Apparently it can be quite easy to hack a robot and take control of it… either having it commit suicide, or do something destructive… Where's the robot firewall, IPS and AV.
- FREE MOXIE! - [Larry] - Ok payola, you need to stop being tools. They locked Moxie Marlinspike's payola account for TOS violations. He takes donations for SSLsniff, and SSLstrip (a tool with ethical purposes), and SOMEONE ELSE releases a wildcard cert for paypal.com, so they suspend his account, claiming he's got tools to hack paypal. However, paypal has no issues keeping up accounts for other hacking tools such as Wireshark…
- speaking of SSL - [Larry] - Given Moxies research with nulls in certificates, one might consider using a browser who's crypto functions aren't broken. Wget maybe? Guess again if wget is older than 1.12.
- Stolen hard drives - [Larry] - Wow, 68 drives that "contained some encoded data, including voice recordings of eligibility and coordination-of-benefit calls used for training purposes". They aren't too worried, as the data was encoded. What does encoded mean? sure, audio can be encoded, just doesn't mean encrypted! "The retrieval of member data from these drives would require highly-specialized expertise and software". Hmm, lemme think, I know some of those people.
- Social Engineering Podcast - [Larry] - Haven't listened yet, but you know it is gonna be good.
- Yes, P2P is still an issue in the millitary - [Larry] - Good for me as a researcher, bad for a victim.
- SecureMii - [Mick] - The US DHS is testing a way to "improve" the screening process. Apparently fidgety people are guilty. And the circus music at the Airport Security Comedy Show goes even louder.
- Great Article On RDP - [PaulDotCom] - RDP is one of those protocols that everyone uses, but few take the time to properly secure. There was no "worm" associated with this flaw, just a paper and an update to the CAIN tool, so its goes relatively unnoticed. If you are using RDP make certain that its done using TLS, and test your configs and setup to be double sure, because, you wouldn't use TELNET on your network, would you?
- Statistics from 10,000 leaked Hotmail passwords
- Netgear Puts Out A Wrt Killer? [PaulDotCom] - Stil hass binary drivers, WTF? Netgear's own site even says, "myopenrouter.com", how can you have an open router with binary drivers? This is yet another attrocity in the embedded sytems space, and sadly people will install DD-WRT and think its the greatest thing since sliced bread, when in facts its stale and moldy...
- It Pays To Watch Your Logs - [PaulDotCom] - This is great example of how watching your logs can pay off, and how easy it can be to detect someone fuzzing the parameters on your web site. Its nice when you can just browse the site and find things with the app that are broken and lead to security problems. However, sometimes you need to just throw every kind of SQL injection attack at a parameter, and that can be thousands of iterations, which is noisy. Best bet in this case is to get the source code, open source or otherwise, and run the app locally to test it.
- Spoofem.com releaesed desktop client - [PaulDotCom] - Caller ID spoofing is useul, whether you are messing with your neighbors, friends, or maybe doing some SE for a client, its a handy thing.
Other Stories Of Interest
Help rename AutoNessus - [Mick] - What's in a name? Help the AutoNessus project (FYI: NOT AFFILIATED WITH TENABLE SECURITY) out by renaming it.