From Security Weekly Wiki


Security Weekly - Episode 244 for Friday May 20th, 2011.

  • The first episode of Security Weekly Español is available here. We have more interviews coming in the weeks ahead....
  • Sign up for Blackhat Training Courses:
    • Security Weekly Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
    • Tenable Security Blackhat Training Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2

Episode Media

MP3 pt 1

MP3 pt 2

Interview with Cesar Cerrudo


Visit The Security Weekly YouTube Channel for all of our latest videos!

Watch the live video version of this segment above. For more videos and to subscribe to Security Weekly TV visit http://blip.tv/securityweekly

COMING SOON: Download the Audio (MP3) Version of this segment here!

Cesar is CTO with IOActive as well as Founder and CEO of Argeniss, based in Argentina. Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications such as Microsoft Windows, Oracle database server, Yahoo! Messenger, and too many others to mention.

Presentation Abstract: Starting with Windows Vista, Microsoft introduced new service protections in Windows operating systems. While these protections were implemented as a defense-in-depth mechanism, they are far from perfect and can be bypassed most of the time, making them almost useless. He'll describe the different protection mechanisms and how they can be bypassed when exploiting vulnerabilities in services.

Bypassing Windows Services Protections slides

Follow Cesar on Twitter

  1. What is impersonation and what are tokens?
  2. What is Session 0 isolation? Does it work differently in Windows 7 vs. XP?

Stories For Discussion



Security Weekly Blog Roundup

  1. Metasploit Post Module smart_hashdump
  2. Getting Started with Web Testing
  3. Stealth Cookie Stealing (new XSS technique)
  4. Review of Kingpin Book
  5. Backtrack 5 install on Samsung Galaxy S

Larry's Stories

  1. 3 times a charm? - [Larry] - …and Sony gets pwned again. Just after they bring PSN back online, they realize that the password reset function relies on 2 pieces of information - the account e-mail address and the account holder's birthday - all information that was released as part of the hack. *le sigh* See, I told you there wasn't a lot of checking going on for security issues during the rebuild. Apparently they only tested for negative conditions, not positive ones.
  2. Sponge Bob PWNpants - [Larry] - I had to laugh at this one. There's an SEH exception in the handling of the start up file in Sponge Bob Square Pants Typing for kids. Replace the startup file with this generated one (shellcode encoded with shikata ga nai) and you get code execution.
  3. Siemens Cone of silence - [Larry] - This past week at Takedowncon in Dallas (I just happened to be "there"), Dillon Beresford elected to pull his talk on cascading SCADA vulnerabilities, after some conversations with Siemens (the SCADA manufacturer with the vulnerabilities as indicated in this talk) and DHS, who apparently indicated to him the seriousness of the issue. I sense all sorts of conspiracy here, even though I was literally standing next to Dillon discussing the mess with Jayson Street. I find it commendable that Dillon elected to pull the talk himself, but is that the REAL story? Did Dillon really not understand the gravity of the situation?
  4. Firesheep and Androids? - [Larry] - Looks like the Goog is fixing a problem with Android devices that, when connected to wifi hotspots (and I'd argue the upstream wired networks too), transmit auth tokens for contact lists and calendars over http and not https. I wonder if the situation is really larger than that, and if those auth tokens could be used for other Google services as well.
  5. Is that a bug in your phone or are you happy to hear me? - [Larry] - Nice, Cisco phones can do remote bugging and a bunch of other call sniffing by exploiting the built-in web interface.
  6. Wireshark protocol filter overflows - [Larry] - Coming off teaching SANS 617 and discussing how fuzzing and writing protocol dissectors can be difficult, here we are with some overflows in protocol dissectors, one even for DECT 6.0 as used in class…

Paul's Stories

  1. Bin Laden Used "Air Gap" Security - 'Holed up in his walled compound in northeast Pakistan with no phone or Internet capabilities, bin Laden would type a message on his computer without an Internet connection, then save it using a thumb-sized flash drive. He then passed the flash drive to a trusted courier, who would head for a distant Internet cafe.' - Goes to show you that if you, or your users, are willing to give up a serious amount of usability, it can be traded for security. By air gapping his systems, it made it easier to hide his location and apply security (tough to infect a system not connected to the network). However, how could Bin Laden have been sure that a USB thumb drive was not infected? If I had to attack this setup, I would put malware on the USB thumb drives used by the couriers. Of course, when you infect Bin Laden's computer, there are no networks to connect to, so you have to re-infect the thumb drives coming off the air gapped computer, then send the data once it's connected again. This system worked for Bin Laden, but I don't think it's perfect security, because, well, there is no such thing.
  2. In other news: Will we know which Porn movies Bin Laden had? - A group is trying to get the information about which porn movies Bin Laden had in his collection. The first question is: WHY? Second, my guess is Burka Porn. Third, what would happen if your porn collection was made public?
  3. A Couple Days of Logs: Looking for the Russian Business Network - ISC found evidence that the RBN was checking the blacklist web site and looking for evidence that they were in fact blacklisted. Sometimes they were, sometimes they were not. It would be interesting to identify this traffic and tell them that they are never blacklisted. User-Agents always amaze me, in that bad guys don't do a good job of re-writing these when doing bad things. It's simple to set up a proxy that will re-write your User-Agent to the default IE string, come on people, be more evil!
  4. Windows 7 almost five times more secure than XP (http://news.cnet.com/8301-1009_3-20063220-83.html#ixzz1MpH2BdAB) - I hate studies like this, it's just Microsoft trying to get people to upgrade. Does Windows 7 have better security features, sure, I'll buy that. But it's not about features, because XP and Windows 7 still run Java and Adobe, so in the end it doesn't matter what OS you run, you're still screwed.
  5. Don't Talk About SCADA Exploits - Here's my take: Most of those implementing SCADA networks aren't going to fix the problems anyway, so why not make the research public? I'm all for disclosure, release the details on the exploits and defenses to the vendors and customers. Give them some time to implement the fixes, then go public. Maybe it wasn't enough time, but that's a tough variable to define. I think we are keeping too many of the details in tight circles, and not arming defenders and encouraging them to apply the fixes.
  6. Cyber of the week - President Obama's precedent-setting international cyberspace policy spells out the U.S.'s plan to reach out to other nations to help better secure and protect the Internet from cybercrime, cyberespionage, and cyberattacks, while maintaining the fundamental free flow of information and preserving user privacy. DRINK
  7. Silent Android Fix - I also heard that users were being warned not to use Wifi. That really sucks as far as advice goes. As most road warriors know, connectivity is key. This flaw leaks calendar and contacts, and as a pen tester that's freaking great. I know who you are communicating with and where you are going, look out!
  8. Six rising threats from cybercriminals - "PCs are now fairly well protected, he says, so some hackers have moved on to mobile devices." - Really, what networks have you been looking at? No doubt, it can be profitable to attack mobile phones, but let's not lose sight of the ill-protected PCs, which are more powerful and ubiquitous enough to attack and make money. "Smart Grid" - Sure, attackers are after the "Smart Grid", but let's look at motivations. Theft of service and service disruption are the primary attack vectors, and this doesn't translate into profits as well as a credit card or bank account. I believe that if someone can find a way to generate (pun intended) money off the smart grid, not save money or bribe people for power which is unlikely to be a good stream of revenue, this will not be widespread. Social Networking - "In a typical exploit, says Joffe, someone contacts you on a service like Facebook or LinkedIn, posing as a friend of a friend or a co-worker of someone you trust." - Yes, this will be common, and yes it will be used by attackers to steal information, as long as we go on trusting social networks and using them to store our information. "Cyberstalking" - If you are a victim, you should learn about offensive countermeasures, and plant traps for those stalking you. Who is stalking me? I know who they are, just look at my metasploit console.