PaulDotCom Security Weekly - Episode 227 for Thursday January 20th, 2011.
Guest Interview: Joe McCray of Strategic Security
Joe McCray has over a decade of experience in the security industry with a diverse background that includes network and web application penetration testing, forensics, regulatory compliance and last but not least with his one true love, TEACHING, er, rum and coke! The following description of Joe is spot on:
Have you ever seen Man on Fire? If you haven’t and you like watching kick-ass, kick-you-in-the-teeth, relentless, Denzel-Washington-type of-action-flicks. Our interview this week is kind of like Denzel in Man on Fire but with less guns and more SQLi strings meticulously crafted to pwn your databases
- What do you mean by WAF identification and bypass is the future of Web Application Penetration Testing?
- Tell us about your anti-forensics projects.
- What has creating organizations like LearnSecurityOnline and Strategic Security taught you about people? About the state of pentesting? About the InfoSec industry? About yourself?
- So how do we make sure we don't fall into the trap of becoming a "A Scanner Monkey"?
- Tell us about the class you took on Oracle? I think its a great story and starts to answer the question of how to build your skillset, just how do you do that?
One of the things we love at PaulDotCom is how people create cool tools and share them with us. Innismir (or Ben) saw our tech segment on SpiderTrap and wanted to extend it into the realm of PHP.
He came up with WebLabyrinth. This is not just a simple port of SpiderTrap, it extends and enhances the capabilities of the tool quite a bit.
There are some nice features like random 404 and 402 messages. It also supports the input of a file for the random text. He uses the first chapter of Alice in Wonderland, which is a very nice touch. It also has the code to force GoogleBot to go away.
Because it is PHPified it makes it far easier to implement into your web infrastructure. Just create a hidden link that a crawler will detect and you are off to the races.
Below is a video of it running:
I also want to take a couple of seconds and plug mayhemiclabs.com/. When Innismir sent me a link to his site I was delighted to find another site to add to my RSS list. They seem to have some really cool research going *cough* *cough* Larry… And, they have some well thought out posts.
Stories For Discussion
- Thought - Uptime and old software are bad - I have a server with 400 days of uptime. That used to be good, now it just means I have a vulnerable kernel. Wait, I guess it meant the same before too huh. Crap. Also, yes I still run 10.4. Wow you say, you run 10.4? Yes, and now I understand why people who worked for the University I was at hated my recommendations for upgrading. I see it now, and I did not understand the big picture. If you have something that works really well, accomplishes your goals, and the upgrades offer none or little benefit, why should I change?
- USB Cable is not an attack tool - [pauldotcom] - I think its great that someone has made a cable to do USB HID attacks. Thats just freakin' cool stuff.
- Nudity - There's not an app for that - [pauldotcom] - Such a shame.
- Its Hard to Argue with Shell - [pauldotcom] - 0day in SCADA software posted, again. CN-CERT did not handle this one properly and US-CERT had to step in. This brings up a lot of interesting topics, such as the propper way to run a CERT, handle disclosue, and the seemingly endless stream of 0day in SCADA software. This is not new, I think these are attaintable goals: CERTs working with vendors, researchers working with CERTS and vendors, and writing more secure software. Right?
- CVSS, Andriod, Google, and Exploits - [pauldotcom] - I don't know about you but this it was possible to obtain the contents of files on an Android device by simply persuading its owner to visit a web site under attacker control seems like a big problem. Inital CVSS was 3.5, not good. We've seen a ton of great security research on mobile phones, and it seems like this is like a web app in the 1990's, or maybe even today, its a playground and users just don't care. Here's what I see as something we need, updating of phones over the carrier network that apply security updates.
- Speaking of Hacking like its 1999 - [pauldotcom] - The new chevy volt will have an Internet IP address. This will become an interesting form of hacking fun for a while, then someone will likely figure out how to monetize it. I'm thinking you could tie into the systems that will pay tolls, update your GPS maps, and maybe even conduct commerce. Be cool to go through a drive through and pay for your food without reaching for your wallet, eh?
- HELP WANTED - [Larry] - Need help? Got a job to be filled? here's my resume, with an added chunk of malware.
- Hacking wireless car keys - PDF - [Larry] - a RELAY attack. Neat. Because the key is essentially ON all the time, we can extend the distance, even over a higher frequency link.
- Andriod in China - [Larry] In China Andrios pwns j00. Preinstalled trojans, yes, tha tsiphon your credit and send premium SMS. Now, what's to say this couldn't happen with other hardware?