From Security Weekly Wiki
Jump to navigationJump to search


Security Weekly - Episode 239 for Thursday April 14th, 2011.

  • SOURCE Boston on April 20 - 22- join Paul and Larry on Wednesday for awesome talks on why defense is sexy and tracking down ex-girlfriends using geo-location.
  • Security Weekly Blackhat Training Part 1 Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
  • Security Weekly Blackhat Training Part 2 Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
  • Larry is teaching SANS 617 SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses in the only country he is licensed to teach in - Canada! Catch him in Victoria May 9 to May 14th.
  • Register now for the 8th Annual Charlotte ISSA Security Summit featuring the 3 buffest people in InfoSec: Security Weekly, Ed Skoudis, and Chris Hadnagy, all on May 5th.

Episode Media

MP3 pt 1

MP3 pt 2

Guest Interview: The founders of DerbyCon

\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

Dave "Rel1k" Kennedy currently holds the World Record for most hugs given at a conference. When he's not readying the next earth shattering version of SET, he can be found curating his Ken doll collection.

Martin Bos is PureHate. While others merely seethe, he practically saturates in pure unmitigated anger. We'd go on, but he'd pop a cap in our ass.

Adrian "IronGeek" Crenshaw is the original creator of the "Shake Weight", but his blueprints were destroyed by a malicious USB. He's on to tell us how not to make the same mistake he did.

  1. How did you come up with the idea to run a security con? What inspired this decision?
  2. Tell us why we should go to DerbyCon, what makes it different than all the other security conferences (aside from the gratuitous man hugs)
  3. What are some feature talks at Derbycon? Any exclusives?
  4. Lets talk about training, why did you decide to run training and what are some of the courses that will be offered?
  5. So, here I am, a "Security guy" working for a company, and I am going to my manager asking for permission to attend Derbycon, what do I do?
  6. Many conferences feature talks by security researchers that have found a vulnerability in some product, software, or protocol. They talk about said vulnerabilities, exploits for them, and then MAYBE if there is time, they talk about defense, how can we change this? Who is this really helping?
  7. Dave, please give us an update on SET, the Social Engineering Toolkit
  8. Martin, what kinds of things are you working on with respects to backtrack? How about rainbow tables and password cracking?

Guest Tech Segment: Malicious USB Devices: Is that an attack vector in your pocket or are you just happy to see me?

\Visit The Security Weekly YouTube Channel for all of our latest videos\!\}

Adrian Crenshaw has worked in the IT industry for the last thirteen years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He would love to show you his USB stick.


While a fair amount of research has gone into blocking malicious software (viruses, worms, trojans, spyware, etc.), comparatively less time has gone into researching malicious hardware devices. There are many examples of malicious hardware, to name just a few: backdoored routers, surreptitiously installed hosts that act as pivots on a network, PS/2 key loggers, etc. The topic of malicious hardware can be pretty broad, so we are concentrating this talk specifically on malicious USB devices. USB devices are of special interest as they often require less user interaction to install on a system than other types of hardware peripheral (PCI cards for example) meaning less attention may be paid to what tasks they are doing under the user’s nose. While modern Operating Systems have ways to help mitigate the threats, little seems to be done by current security systems to thwart malicious USB devices. The purpose of this talk is to inform the viewer about different classes of malicious USB devices, what can be done to protect systems from such hardware, make recommendations as to best practices to secure environments, and to increase awareness of malicious USB devices in general.

Stories For Discussion

Larry's Stories

  1. Does your SSL solution have Moxie? - [Larry] - A great article from Moxie Marlinspike on solving our current SSL model issues, what's broken, and how the trust model isn't working anymore. Will DNSSEC work as a fix? Likely not. Discuss. (I see some riony in the use of SSL to view this article)
  2. Linksys information disclosure - [Larry] - It figures, this gets released the day AFTER I could have used it on an asessment. While I was looking at a WAP54G, I'm betting that the same is there, especially when you have debug access cna can run sustem commands via default credentiuals (remember the Gemtek embedded ID?)
  3. SQLmap 0.9 released - [Larry] - Thanks to KJo for pointing this out to me. So, why is it important? Well, SQLmap is an awesome tool, but takes some understanding to figure out all of your command line options. However 0.9 now has a command line driven WIZARD, that makes getting your feet wet much easier. I plan to check this out on some of my upcoming assessments.
  4. A nice little IPv6 DoS - [Larry] - Yeas, DoS is lame, I know. But this particular instance of DoS seems pretty trivial (the tool exists as part of the thc-ipv6 package - flood_router6), and affects many major vendors. So, what's it do? Flood the network with bogus IPv6 router announcements and the routers and other devices consume all of their resources until the flood is stopped. Interesting to note that the initial discovery was almost a year ago, and vendors have been notified. Microsoft has no intention of fixing, nor will a host based firewall protect against it (wrong layer). Come on now, how long have we been talking about and trying to implement IPv6? And now long have we had to test this stuff? Before it was included and enabled on all these devices?...

Paul's Stories

  1. Wordpress Exposed - Not good, another large project has a major breach. How does this happen, "0day attack", "missing patches"? If you run a major project, such as Wordpress, you are a major target. You have something that bad guys want, and they will try to get it. You need to do a better job of patching and monitoring your systems, implement strict controls, and make security a much higher priority. I think in a lot of cases, you need more than one person implementing security and controls for your site. One may say that we are in fact out numbered, that there are far more folks trying to break into systems than defending them. This is kinda messed up, because in my experience its easier to break into a system than to defend it.
  2. Stealing iPads at a Security Conference - At ISC West 2011, a dump thief tried to walk away with an iPad. They were caught on camera, and likley be showcased on the next "Thieves Caught On Camera" TV show. Intrusion detection for the win, however how would a more sophisticated attacker fair?
  3. Firewalls Are Vulnerable Too - This just adds fuel to the fire on, er, well, firewalls. NSS Labs came up with a "TCP Split Handshake Attack" that fools the firewall into thinking that your IP address is allowed. Still working on getting the details of the attack, but this is another black mark for firewalls. The more things you put on your network, the more potential vulnerabilties. You have to design your network as if there was a "hole" in the firewall, or several holes for that matter.
  4. French "Hacker" Arrested After Being on TV - 6 days after the segment aired, he was arrested. If you are a "cyber criminal", don't go on TV. Duh! Another canidate for our dumb criminal TV series :)
  5. Taking Control of Coreflood Botnet - DOJ and FBI have been given the green light to setup server that will allow authorities to send commands to infected computers and shut down the botnet. Yes, this is "hacking back" in action, for a good cause, and will clean up upwards of 2 million infected computers. Finally, some good news for the good guys. Of course, we should work to prevent 2 million computers from getting infected in the first place...
  6. Social Media + Social Engineering FTW - This is a sad story of a very successful penetration test, though depends on which side your on. Simple recon of the executives, including phone numbers and schedules, was found. Linkedin is truly a double edged sword. Now, a little help desk social engineering, and you have the email account of C-level. This is too easy. Why can't we make this harder? A little training and information limiting makes this attack harder. But, how do you stop people from putting information on social media sites? The network is the wrong place to do this. What a mess... Lets stop trying to fix this with Firewalls and Anti-Virus, and fix this problem. Fix the process! This is much harder than putting in a firewall or rolling out laptops with anti-virus. It involves making people follow rules.
  7. Arming You HR Department - I've never been a big fan of security taking on the role of HR policy inforcement. I believe security's mission is to protect the intergrity of your organization's data from attacks against the computers and network. Detecting employees browsing porn does not fall into this category. Paraben's USB stick can help, give them to your HR folks and when a manager suspects something, let HR investigate. This little USB stick can detect all sorts of porn, image headers, DVDs, IE Cache, and more. Best part, for HR, is that it has a "blur" feature to prevent you from seeing the things you'd rather never see, that cannot be unseen. So, long live the Snort "nipple clamp" rules and letting HR deal with the blury nipple clamps.

Darren's Stories

Carlos' Stories