Episode194

From Paul's Security Weekly
Revision as of 22:37, 26 June 2013 by Rkornmeyer (Talk | contribs)

Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 194 - For Thursday April 8th.

  • Notacon! - April 15th - 18th in Cleveland, Mick will be presenting two talks and be a part of a panel discussion! You may also try to get him to discuss hockey!  ;-)
  • QuahogCon - This will be the next conference that we will be attending. We will have t-shirts and other special things to give away and sell. Larry is giving not one, but TWO talks!

Episode Media

mp3 pt 1

mp3 pt 2

Guest Interview: RSnake!

INFO

RSnake is the CEO of SecTheory, blogger at ha.ckers.org, and enjoys long walks on the beach, roasting puppies, and chopping wood as his muscles ripple in the hot summer air. He's worked for Digital Island, Exodus Communications and Cable & Wireless in varying roles and currently contributes to the security strategy of several startup companies.

RSnake roasting puppies

Questions

  1. How did you get your start in information security?
  2. It seems you have primarily been focused on web application attacks, what got you started in that area and what are some of the things you found early on that interested you?
  3. How has web application security changed over the years?
  4. What led to the creation of the XSS cheat sheet? Do you keep this actively maintained? What about the RFI list?
  5. What is the most interesting XSS attack you have ever seen?
  6. What is clickjacking and how is it used for fun and profit?
  7. At the pen test summit you mentioned to me an Apache DoS attack, how did you find it and as far as you know was it ever used in the wild?
  8. How much responsibility for security falls within the browser, and how much falls with the end user?
  9. If you could make one change to browser security architcture, what would it be?
  10. What are some of the risks with Flash what people should be most concerned about? Is that something Adobe should fix, does it lie with the implementation, or both?
  11. Why is Google evil?
  12. What is the most dangerous threat when it comes to web application security?
  13. How should we approach auditing web applications, automated scans, manual scans, or source code audits?
  14. What keeps you awake at night?
  15. Why do people like attempting to hack your site so much?

Tech Segment: Capturing SSH Credentials

Lately there have been a number of our vulnerability assessment customers that don't understand why we get worked up when they only use a standard UserID and Password for SSH authentication. The theory is that if you use a strong enough password it will be next to impossible to crack.

We also see behavior at a lot of the conferences from people who should know better. We see attendees using their commuters on the "free" network with a feeling of security because they use SSH tunnels. Sure SSH is great, but there are more secure ways to run it.

So, we decided to create a video showing them that yes … there are ways to attack a user running SSH other than the standard SSHv1 hijacking attacks in tools like Ettercap-ng.

Capturing SSH credentials

What does this prove? Well, it proves that we can re-direct your SSH traffic to a system that we control and we can view your UserID and password. Yes, there will be fingerprint errors. The scary thing is that many admins and security pros will simply click through the errors to get to their system.

This video highlights two main issues of concern. Simple UserID and password is bad. SAs and sec pros that are not trained to take warning messages seriously are exposing your network to a large risk. Time to address both issues. For SSH use Public Key Authentication. For the admins, train them to take the damn SSH warning messages seriously.

The setup I used for this attack can all be run from Backtrack 4. You will also need to install the Kippo SSH honeypot.

Pay special attention to the Issues page that gives you instructions on how to get past some common errors. No one is to big to RTFM.

- John Strand

Stories For Discussion

  1. See, the Blink Tag IS Evil! - [Larry] - HAHHAHA. REmote code execution in Webkit due to a failure in an unregiseted call back in the blink container....
  2. Your Insider threat can be anywhere - [Larry] - Even your IT department! Ouch, BofA IT employee writes and deploys software to ATMs that does not record cash withdrawrals…
  3. Shadowservers' analysis of Ghostnet - [Larry] - After infiltration, they performed a thorough analysis of the compromise methods, C&C infrastructure, and where the attacks were targets. Interesting read for the metrics alone.
  4. Orphaned SSL root cert? - [Larry] - This has potential to be full of fail. Two root certs listed in Firefox and Safari, claim to not owned by the folks who have names on them. Of course this could be due to misplacement from MAA fallout. I loved the comment from Jack Daniel on this one…
  5. The iPad bandwagon - Security in the Enterprise - [Larry] - Yeah, I'm going there. Let's talk about the features and failures (VPN, Device encryption, passwords, management) and how one might or might not allow these in your organization.
  6. A fre things that you need to get right for security? - [Larry] - Not all that technical, but some VERY important things to be aware of from a procedural and posture peerspective.
  7. So Easy Nicole Ritchie can do it - [Larry] - Yes, Nicole Ritchie is a social engineer and hacker. She was able to convince the password for some celebrity friends Twitter accounts from a third party, and "fraped" her friends. SURPRISE!
  8. SSH Netcat mode - [Larry] - Wow, netcat killer? Now with SSH encryption?
  9. New Jeresy and e-mail privacy - [Larry] - Ok, coproration has rights to your e-mail? what about Lawyer client confidentiality. Personal e-mail from a work computer? To a lawyer. oooh, messy.
  10. Root certificates: ownership is key - [Pauldotcom] - Its really nice to see Mozilla stepping up and actually auditing the root certificates they trust in the browser. One question, does Microsoft do this? What about Apple? There was a question about one root cert, which ended up being owned by RSA. Mozilla was ready to pull it, but RSA suddenly came up and claimed it. Kinda scary, but I seek comfort in knowing there is an audit taking place. Makes me feel good about using Firefox.
  11. Meta XSS - [Pauldotcom] - while i don't believe this is a groundbreaking thing, I think its neat to find all the places to execute an XSS attack. For example, Josh Wright once showed me one via bluetooth by setting the name of his phone to an XSS string. There are all sorts of examples, like wireless SSIDs, entries in logs. What is your most interesting XSS attack vector (wasn't Irongeek doing something with this topic as well?)
  12. Are you down with NTP? Yea you know me! - [Pauldotcom] - HD Moore released some cool stuff with NTP. HE figured out you can get a list of clients that use a particular NTP server. He also released an NTP DoS attack. This is VERY cool stuff. You can find his presentation at www.securitybsides.com (he did it at RSA B-sides, video is on ustream), and also talked about it on risky business podcast over a month ago.

Other Stories