Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 274 for Thursday January 19th, 2012.
- Sign up for PaulDotCom training at the Mid-Atlantic CCDC March 13-14 - John Strand will give "Offensive Countermeasures: Defensive Techniques That Actually Work" and Carlos Perez will give "Using and Automating the Metasploit Framework". Visit http://pauldotcom.com/training for all the latest training courses offered by PaulDotCom!
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, PaulDotCom Espanol with Carlos Perez, and our only non-computer-security-related show, dedicated to cigar enthusiasts: Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. You can subscribe to all of our shows by visiting the PaulDotCom Homepage and using the subscription links in the upper right hand corner.
- John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Register Here
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing and Defenses 5 times this year (discount code may be in our future):
Interview: HD Moore
HD is Chief Security Officer at Rapid7 and founded the Metasploit Project in the summer of 2003 with the goal of becoming a public resource for exploit code research and development. He is also known for his work in WarVOX, AxMan, the Metasploit uncloaking Engine and the Rogue Network Link Detection Tools.
HD was last on PaulDotCom in Episode 200, June 2010
- Tell us about some of the recent changes to the Metasploit framework, specifically removing and adding functionality.
- What are the advantages of the new Metasploit API over the old one?
- What are the differences between the open-source versions of the Metasploit framework and the commercial versions?
- What is your favorite new feature added to Metasploit in the past 6 months?
- What are the future directions of the Metasploit project, where are you taking features in the future?
- How do people contribute code to the Metasploit project?
- What are some of the most useful, but not-so-widely known, features in the Metasploit framework?
- Tell us about the reason for the move to Git, removal of db_autopwn and the death of XMLRPC.
- What is the status of WarVOX? How about using VOIP methods other than IAX, such as SIP, without the need for Asterisk?
Guest Tech Segment: Dave "Rel1K" Kennedy on SET 3.0
Dave is a security ninja who regularly crushes pirates and vikings with his man hugs. A founder of DerbyCon, Dave likes to write exploits and is heavily involved with BackTrack and the Social-Engineer Framework. Dave is on to give us a glimpse into SET v3.0: "The Baby Knuckles" edition.
- For those that don't know, what is SET and what is it used for?
- There are several other tools that can do email phishing. What makes SET special? (Other than that its author will hug you if you use it.)
- What is new in SET version 3.0?
- What is your favorite feature inside SET?
- What feature is least used but most useful?
- What features are you working on in the future and why?
- toolsmith: Security Onion - Rave reviews for the "Security Onion" distribution, which seems to have Snort, with all the fixin', working perfectly together. This is not an easy task and I am happy to see a distribution tackle this problem. Certainly on my list of toys to play around with.
- T-Mobile reused staff passwords - A hacking group has dumped internal log-in details for T-Mobile staff, revealing the US telco had reused passwords for multiple accounts. I believe everyone does this, and how bad it is depends on the context. I mean, you shouldn't use the same password to protect multiple assets, but it happens. I think of organizations that are managing tens of thousands of devices; there is bound to be password re-use. It's a tough thing to get rid of in your environment. This is why I'm still a huge fan of network-based password brute forcing on a regular basis. People need constant reminders not to use weak passwords or re-use a password. You need to tune your IDS/IPS to look for this, oh wait, that assumes you are using clear-text. See, it's not so easy now, is it? This is why constant password attacks, with the correct amount of reporting on the backend, are a useful tool to secure your environment (though some do not agree with me).
- Using False Alarms to Disable Security - This is a great story of how criminals kept setting the alarm off, waiting for police to respond, then setting it off again, until the police just disabled the alarm altogether. I wonder how well this works in IT security? For an IDS analyst, very well; in fact I lost track of how many times I would tune out certain noisy events. Now I am beginning to wonder if someone wanted me to tune them out!
- Why should senior management be involved in security decisions? - This seemed to boil down to a series of questions: Are we obligated by law or contract to HIPAA? Are we obligated to PCI? Are we exposed in the way we handle credit card data? How long can your business operate with reduced computer facilities? Which facilities are most important to the mission? How will we respond to illegal activity on our network? Attacks from outside? In the event of a breach? What are our employees permitted to do with social media outside of work hours on their own computers? - If you are the security team, you should have already been asking those questions of your management, and tailoring your security program accordingly.
- Rising Network Insecurity… and the Need to Re-examine Security Fundamentals - 66 percent of IT security professionals surveyed stated that network security is not more secure than the previous year. A surefire sign that we are in fact losing the battle. I think put another way, this means we are implementing technology faster than we can deploy it and use it securely. I think the largest part of the problem is human nature. We have a problem, technology solves it, this helps us make more money and/or be more efficient, so we do it, ignore security, wait until something bad happens, then go back and secure it. By the time this process is complete, you've implemented at least a few other projects, and therefore your security has fallen behind, way behind. We still fail at implementing solutions securely, not to mention going back and fixing the solutions we've implemented before there was any such thing as IT security.
- Understanding collisions and duplex in wireless - Good down-to-earth explanation of how collision detection and avoidance work in wireless networks. It is scary how Wifi operates, but it does seem to work. I believe what most people struggle with is 1) security and 2) deployment issues. Getting the right amount of signal, in the right places, is always the tricky part. And making sure that no one is hacking into your wireless network and clients, is yet another issue. I've yet to come up with any outstanding advice to secure wireless networks, other than use an Ethernet cable. However, I am experimenting with some simple wireless honeypot stuff, and will keep our listeners updated, hopefully with a tech segment soon.
- Microsoft Anti-XSS Library Bypass (MS12-007) - Goes to show that if you are relying on a code module to write secure code, your code is only as secure as the least secure module. In this case, it may be that you believe you are XSS free because you've implemented the Microsoft Anti-XSS library. You'd be wrong unless you applied MS12-007 to your ASP.NET servers.
- Why more APs aren’t always better - More Wifi basics.
- How To Run Penetration Tests From The Amazon Cloud - Without Getting Into Trouble - Good tip on how to make sure you get permission from not only your client, but AWS as well, before you do penetration testing or vulnerability scans from Amazon's cloud. I'm a huge fan of penetration testing from the cloud, though you need to weigh the risks of the information you collect falling into the wrong hands. However, attackers without permission are going to do the same thing, so I guess it's all about making sure your stuff is locked down. So, it's okay to have a penetration testing team use a cloud service, as you will get the results and be able to fix them, not so much with evil bad guys. However, take into account your customer's data when doing the penetration test, and use your own discretion on what kinds of data you are putting in the cloud for your clients. General scanning is acceptable, because, well, it's probably already on Shodan.
- What the heck is SOPA? - Good overview of SOPA. For my opinion, I believe this is bad. Giving the Government more control of the web, in any shape or fashion, could lead to bad things.
- I Left My Data In El Segundo - Dark Reading - What kind of data do you leave behind when you travel, other than a dirty sock in Nick D's penthouse suite?
- Dusseldorf airport closes security holes - Uhm, someone should mention that airport security is not just physical.
- SE Android - [Larry] - From the builders of the SE Linux project (yes the NSA), we now have the SE Android project. It would be neat to see the adoption of the SE Android stuff into the Android kernel, much like the SE Linux stuff seeing integration into the generic kernel. Of course, I'm sure that it still does not include any FDE…
- Mixed case DNS? - [Larry] - I'm not sure of what this really means yet. However, what do camel case DNS queries do? This whole addition of the 0x20 bit encoding is interesting. Johannes says this might be good for additional spoof protection, but I'm wondering if there might be some options for abuse - i.e. the encoding into binary for data exfiltration.
- City College infected with some sort of data exfiltrating "virus" for 10 years (http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/16/BA8T1MQ4E5.DTL) - Appears to have been communicating with Russia, and appears to have started in a computer lab frequented by international students. First, how can they tell it goes back 10 years? Do they really have TCP traffic that goes back that far? Second, I love these quotes from one of the trustees:
Trustee Chris Jackson, also at the presentation, said he was concerned that City College has spent a lot of money on security over the years, but has gotten little in return. "The most basic level of encryption for our computers was never put in place," he said. "That's unconscionable." Peter Goldstein, the college's vice chancellor for finance, defended the college's past efforts at virus protection, saying the school had two firewalls.
- Bypass Linux screen locks - [Larry] - Yay, poorly monitored git code commits. Want to disable X.org screen locks? Just hit CTRL ALT *…
- Koobface hackers exposed go underground - [Darren Technically] Facebook outs the Koobface hackers; the "mothership" server goes offline, and they deleted all social media accounts and seem to be going underground. Supposedly this article also destroyed an ongoing investigation.