Announcements & Shameless Plugs
Security Weekly - Episode 283 for Thursday April 12th, 2012
Larry Pesce is in studio, as is Dave "The AV Guy"! Jack is the traveling man, John had his wisdom tooth out today (what a little girl). Carlos?
- You can watch us live at http://securityweekly.com/live or watch the recorded episodes on Ustream
- Register today for Offensive Countermeasures: Defensive Tactics That Actually Work at SANSFIRE July 7, 2012 - July 8, 2012 with none other than John Strand!
- Larry is teaching for SANS, check out Larry's very own dedicated page on the SANS web site for a complete list.
- DerbyCon Call for Papers and ticket registration is: coming up quickly - Friday May 4, 2012 at 10:00AM. The Security Weekly crew will be in attendance for DerbyCon. Training begins Thursday September 27th and the DerbyCon conference runs the 28th thru 30th.
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, Security Weekly Espanol with Carlos Perez and our only non-computer security related show dedicated to Cigar Enthusiasts Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini.
- Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/ - We have 5 BSides tickets to give away! Listen to the instructions at the end of Episode 282 for complete details!
Interview: Gene Kim
Since 1999, Gene Kim has been studying and benchmarking high performing IT operations and information security organizations. When Kim was the CTO/founder of Tripwire, he wrote the “Visible Ops Handbook,” which codified how these organizations transformed from “good to great,” which has sold over 200K copies to date. Follow him on Twitter at @RealGeneKim
- How did you get your start in information security?
- Tell us about Tripwire, why did people use it?
- Does detecting which files have changed still hold true today for detecting bad guys?
- What are the top 3 things that the top IT folks do, that few other people do, that make their IT organizations successful?
- What are the top mistakes that IT people make?
- Tell us about Rugged DevOps
- What are the major problems associated with software security?
- What role should the government play in software security, if any?
- What is your novel, When IT Fails about?
- You've recently joined the board of BSides with Jack and there's going to be an upcoming announcement about the audit findings of the 2011 financials. Can you tell us more?
Links of Interest posted 5-15-2012
- Research on high performing IT organizations, and what security controls that predicted 60% of performance
- Presentation that Josh Corman and Gene did on Rugged DevOps at RSA
- Information on the DevOps Cookbook project, which aims to catalog and codify the practices of high performing DevOps organizations that result in extraordinary performance that Gene is co-authoring with Patrick Debois, Mike Orzen, and John Willis
- The Value of Web Exploitation - If web application security is still a new concept for you, you are probably already Pwned.
- Applying Security Intelligence to Patch Management - A common complaint from security professionals I meet, who only use vulnerability scanners to determine the risk present on their network, is their inability to do anything with the results. Typically this has nothing to do with vulnerability scanning, the tools used, or how many systems you have an everything to do with your vulnerability management strategy. If you don't have a plan in place to find, fix, and verify problems, you lose. even a scan of a small network can result in so many possible issues that the results are large and unwieldy. If you are using a scanner, of any kind, you have the ability to filter results. This can be something as simple as what's built into Nessus, or as complex as stuffing it into a database and using a scripting language, or as complete as an enterprise system that lets you carve reports out of huge data sets. Attempts to patch by network team quickly turned into an exercise of determining whether or not discovered vulnerabilities were real. I don't buy this they way its presented. If administrators don't know whether or not a patch is installed, or whether or not the software is up-to-date, or whether or not its configured securely, go get some new administrators. We have seen how quickly exploits can be released for known vulnerabilities and a criminal will move fast to take advantage of a known window of opportunity If an exploit already exists and you haven't patched, you've already lost. This ignores the fact that 1) there are vulnerabilities for which there is an exploit that we don't know about and 2) there are 0day vulnerabilities. Add an exploitability value to the decision-making matrix to calculate the time to patch. Agree, you should do this, Nessus also does this across more exploit databases than any single repository. Furthermore, I don't agree with not patching the less critical things. Software should all be patched, a good pen test will show you how all the exposires could be used together to successfully attack a system. “Any proven exploitable vulnerability must be fixed within 24 hours.” I just don't agree with the "prove" part. If an expoit exists, fix it. There are many variables that come along with a working exploit, and just because you can't exploit it, doesn't mean someone else can't. Don't fall into the trap of having to "prove" an exploit an work. Do you go to your doctor who tells you that you could have a heart attack, and say "prove it"?
- Apple taking technical, legal - Legal action! No, no, no, come on. Implement a security process Apple, pleeeeeeeaseee!
- Dangerous Samba vulnerability affects all Linux systems - PoC is floating around for this one, if you are running Samba, I hoped you've patched already. Handy one for pen testers!
- DDOS attacks on financial services firms explode - Reminds me of the book Daemon, except these attackers aren't so smart, you need to control the financial institutions, not DoS them.
- Malware-infected flash cards shipped out with HP switches - It's unclear how the unknown malware got onto the Flash cards that come bundled with the 10 Gbps-capable line of LAN switches, but an infected computer somewhere in the manufacturing process – possible in a factory run by a third-party supplier – is the most obvious suspect. I wonder how likely it would be that one of these cards ends up in someone's PC? Kind of a lame attack, perhaps the malware was just infecting everything and had no idea it would infect CF cards in the switches.
- Computer software engineers have the best job in the world - This is proof that you can control the results if you can control the survey: The gathered data was used to analyse all the factors of each profession, assessing each job in five key categories - physical demands, work environment, income, stress and hiring outlook. Since many programmers sit at their desk all day, work from home, and work in a field that is in demand, and are paid fairly well, those values will be ranked high. However, stress, which is the most prolific measure, is just one of 5 criteria. Now, we have some really crappy insecure software out there, how does that play into the survey?
- Wicked exploit found in Linux WiFi - This is super cool, and a good reason to support capture the flag competitions: The privileged escalation exploit affects the latest versions of WICD (pronounced wicked) and was successfully tested on a handful of Linux distributions including the latest release of the penetration testing operating system BackTrack. It was not yet tested for remote exploitation vectors. The exploit was discovered during a capture the flag competition by an anonymous student hacker at the InfoSec Institute in the US. The hacker supplied a python version of the zero day, and a patch for WICD.
- PHP 5.2.x filter_globals Subsequence Request Parsing Remote Code Execution - I find it interesting that this bug was fixedin PHP 5.3, but not backported to 5.2. This bug is reported to be able to crash the server, obtain information about PHP, and lead to code execution. I have not seen an exploit in the wild for this one, and right now the Nessus plugin checks the banner.
- Apple's security code of silence: A big problem - I want to harp on this again, Apple needs to wake up. Flashback is just the begining, start paying attention to security. Fan boys need to get over it too.
- 8 Simple Tips to Secure a Mac from Malware - I've seen this story a lot this week. Its pretty weak recommendations, basically stating that you should turn stuff off and not use certain software or services. A much better guide can be found from the NSA or here: http://www.macshadows.com/kb/index.php?title=Hardening_Mac_OS_X. Some of my top tips include: 1) Don't use Safari to browse the web 2) Don't run as administrator 3) Configure the firewall 4) Turn off all the stupid Apple services, like Bonjour.
- FBI concerned about smart meter hacks - [Larry] - file this under the "No Shit, Really" department, as well as the "Hey, I don't wanna say I told you so, but, I told you so" department. Smart meter hacks abound in Puerto Rico (Carlos…?) where folks are offering to lower utility bills for a "small fee". Apparently it is being accomplished not through the 802.15.4 interfaces, but through an IR optical connection called and optical probe, which one can build for under $150 (or find cheaply on fleabay) with widely available software. This is the same type of thing that Don Weber from IGuardians attempted to speak on at Shmoocon this year, but voluntarily pulled the presentation after discussion with the vendors.
- Internet mystery solved? - [Larry] - It is interesting to see how far back internet meme goes, the origins, and finally the unconfirmed identity of the person in the meme. Also interesting is the ties to the great IRC wars of the early 2000's and the ties to the metasploit project. My favorite quote from the article? "The story of Goatse begins with a mustachioed, wiry man in his late forties who goes by the name "Kirk Johnson." Johnson is a prominent practitioner of extreme penetration, which is the extreme penetration community's term of art for sticking huge objects up your ass. For years, Johnson has been rumored to be the Goatse man, based on their similar frame, skills, and matching moles on both Goatse's and Johnson's ass. Reader, I examined the moles. They match."
- Really? - [Larry] - Anonymous offshoot CabinCr3w hacks US law enforcement websites, release info on law enforcement officers, and deface pages including a picture of a scantily clad woman with a printed message. That picture, taken with an iPhone contained GPS metadata, and lead law enforcement right to the attackers, who now are are in jail. On a related note, BOOBIES. My favorite article comment? "Good to see the FBI is keeping abreast of the situation."
- BT5 oday!?! - [Larry] - InfoSecInstitute student allegedly discovered a vulnerability in BT5, in which commands sent to WICD can cause scripts to be created , executed as root. OMG, pwnage of BT5! Uhh, not really. The exploit is in WICD a third party too. so the exploit is actually more encompassing than that, but the BT5 argument is flawed and sensationalist. Why? Privilege escalation on BT5? The default user IS root (sure multiuser BT5? It can and does happen) so why do you need privilege escalation? Additionally, how does one propose to interact with WICD when all interfaces are down by default. Now, that said, kudos to the anonymous student that found the vulnerability, and thanks for sharing.