Episode286

From Paul's Security Weekly
Revision as of 20:52, 3 May 2012 by Paul Asadoorian (Talk | contribs) (Paul's Stories)

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 286 for Thursday May 3rd, 2012

Special Guests: Mike Yaffe, Alex Horan, Selena Proctor

Introduction

Alex is a Senior Product Manager for Core, a serial hoarder, and certified Breadth and Depth expert. Previously he ran the System Engineering team at Core, helping to provide training and customer support services to CORE IMPACT'S user base. Alex brings a deep knowledge and understanding of vulnerability assessment, penetration testing, and network administration to his work at Core as well as to cigar smoking.

Mike Yaffe is the Director of Marketing for Core, and a pretty one at that. At Core, Mike is responsible for driving the company's strategic marketing efforts for CORE INSIGHT Enterprise.

Questions

  1. Do you need to exploit a vulnerability to know that you have a vulnerability?
  2. Why is it that people feel that you must show that a vulnerability is exploitable before you fix it?
  3. Web application vulnerabilities are by far the most difficult to show the impact, how can we best exemplify vulnerabilities such as XSS and SQLi?
  4. From a penetration tester's perspective, how can we best utilize automated tools?
  5. When procuring a penetration test, how can we differentiate between the "good" and the "bad"?
  6. With the current measures in place to prevent exploitation, how much longer does it take to develop a reliable exploit?
  7. What value does automated exploitation provide to the enterprise? Isn't most of the value what happens after the exploit?
  8. What are some things that can be automated in post-exploitation?
  9. What stuff works now when automating in post-exploitation, and more importantly what areas need more work?
  10. Given that the underground market has exploded, how can we get better at testing for 0day exploits?
  11. When we embark on finding vulnerabilities, exploiting vulnerabilities, determining the effects, and generating a report, what can we do to improve the process that comes after that?

Stories

Some More Plugs

  • DerbyCon Call for Papers and Ticket Registration is: happening NOW. The PaulDotCom crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
  • Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!

Paul's Stories

  1. Life as a nautical broadband specialist - This is just a sweet gig: His typical shipboard network includes a Kerio Control firewall, which he configures to filter and prioritize network traffic passing through the VSAT link. The firewall also provides antivirus protection and network monitoring, and a VPN connection that allows his company to perform remote maintenance and support when customers are cruising. Working on yachts, in all the pictures the weather is nice. Be cool to hack from the boat!
  2. Is it So Bad for the CIO to Report to the CFO? - Conventional wisdom says that the CIO must report to the CEO or risk losing stature, authority and access to the power center of the company. Reporting to the CFO is bad, the theory goes, because IT is then viewed as a nonstrategic operations group where the governing principle is saving money. Uhm, I tend to agree here. The CFO is all about the cash rules everything around me (G), and the CIO is trying to make things work. Where does the CSO sit in all this? I like it when all the C-levels report to the CEO, then they get to figure it out and balance each other out. When C-levels report to anything other than the CEO, it spells trouble.
  3. CIOs: Will You Be Relevant in 2017? - I'm seeing where this is going: Cheap smartphones, tablets and apps mean users are buying their own devices and aren't happy with company-supplied PCs, software or BlackBerrys. Meanwhile, software-as-a-service applications let users bypass enterprise systems for cheap applications they can pay for out of their own budgets -- and prefer to use. If you are not adapting, you will die. I also believe there are some companies that may not need a full-blown IT department. However, I do see security as important, regardless of how you are implementing technology.
  4. Two Things I Wish Companies Cared More About: Cloud & Acquisitions Risks - Good stuff: Hold My Beer. Gonna Hook Up The Plumbin' For This New Acquisition! Oftentimes, the article says, all you have to do is search Google for "confidential" and the name of your next acquisition...
  5. Free Wi-Fi in Exchange for Dog Poop - I shit you not: owners who deposit poop in the special bins in 10 parks in Mexico City will be rewarded with free Wi-Fi, broadcast through routers shaped like doggy bones.
  6. From LOW to PWNED [4 Browsable Directories] - This is a great example of oh so many things. First, your low vulnerabilities are not always low and need to be looked at by a human. Second, you can't just use the CVSS score to determine if a patch should be applied. Directory browsing, for example, could allow you to look at icons, or download the config files from the web server containing the database passwords.
  7. From LOW to PWNED [1 Exposed Services and Admin Interfaces] - This is another area that needs some attention. A vulnerability scanner may say a service is running. But you have the short list of easily guessable passwords, and guess what? That Low vulnerability is now giving someone admin access to your switch or router.
  8. Advanced Attacks Call For New Defenses - Dark Reading - This article is just not sitting well with me: the industry needs to make it more expensive and cost-prohibitive for the bad guys to hack, like sandboxing and Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) technologies do. Security is more than just software security. And it's even more than buffer overflow protections. Sure, this is part of it, but stop the press (esp. you Dark Reading Room) and take a look at what real security looks like. First, fix the damn code that's broken in the first place. Second, sometimes breaking in means guessing a password or using expected behavior on the system. Third, fix your code.
  9. Wireless Printing in the Enterprise - Input Output - This just sounds like a bad idea: Telecommuters can print documents to the office printer without visiting headquarters (“Hey boss, you’ll find that report waiting for you!”). Also, and perhaps more convenient than useful, you can send pictures from a smartphone to a photo printer while you're out. And all of this can be done securely so only intended recipients retrieve the printed information.
  10. The 99% Goes Cyber
  11. Iran makes its own anti-virus software – would you buy it?
  12. Fun with Password Managers
  13. Boeing Paying Hackers to Break into Their Systems
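Stories 6 and 7 above are about "Low" findings that a human still needs to look at; the directory browsing one in particular is usually a single Options line in the web server config. The following is an added example (not from the show notes or any tool they mention): a small Python check that walks an Apache httpd.conf fragment and reports every <Directory> block whose Options line leaves directory listings (Indexes) enabled. The config text is constructed for the example.

```python
import re

# Constructed sample httpd.conf fragment (not from the page): the first and
# third <Directory> blocks enable directory listings, the second disables them.
SAMPLE_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/config">
    Options -Indexes
</Directory>
<Directory "/var/www/html/icons">
    Options +Indexes
</Directory>
"""

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
OPTIONS = re.compile(r'^\s*Options\s+(.+?)\s*$', re.I)


def find_browsable_directories(conf_text):
    """Return [(directory, line_no)] for every <Directory> block whose
    Options line turns directory listings on."""
    findings = []
    current = None
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = DIR_OPEN.match(line)
        if m:
            current = m.group(1)
            continue
        if DIR_CLOSE.match(line):
            current = None
            continue
        m = OPTIONS.match(line)
        if not (m and current):
            continue
        tokens = [t.lower() for t in m.group(1).split()]
        # "Indexes", "+Indexes" and "All" enable listings; "-Indexes" and
        # "None" (or simply omitting Indexes) keep them off.
        if any(t in ("indexes", "+indexes", "all", "+all") for t in tokens):
            findings.append((current, line_no))
    return findings


if __name__ == "__main__":
    for directory, line_no in find_browsable_directories(SAMPLE_CONF):
        print(f"line {line_no}: directory listing enabled for {directory}")
```

The check only looks at Options lines inside <Directory> blocks, so a listing enabled by a server-wide Options line, an Include file or an .htaccess file would still need to be reviewed by hand.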

Jack's Stories