LBCAV-Feb08

From Security Weekly Wiki
Jump to navigationJump to search

Late-Breaking Computer Attack Vectors - February 2008

Vendors ship you vulnerabilities

  • Philips Skype Phone Vulnerabilities - [Paul] - Its really amazing to see vendors using default usernames and passwords in this day and age on embedded devices. This one is worse, the username is the same as the password (service/service). What were they thinking, or were they? Companies producing consumer and industry products need to step up their game when it comes to security. Oh wait, there's more, the directory traversal vulnerability discloses your Skype credentials. Sweet! I wonder, how many vendors would let a vulnerability like this slip by in a web application exposed to the Internet? Maybe some, but my point it, whats the difference?
  • Asus Eee PC Root-Out-Of-The-Box - [Paul] - This is just sillyness, why do vendors ship products with known vulnerable software? An exploit for Samba Version 3.0.24 was published early last year!!! I am putting the responsibility for fixing these flaws solely on the vendor. I will again go back to this episode's tech segment and say that its easy and important to scan devices and look for flaws.

DEFENSE: Scan everything that plugs into your network with a vulnerability scanner, review the results, make configuration changes and follow up with the vendor on any unpatched vulnerabilities.

Latest social engineering attacks

  • Best Social Engineering Hack EVER - [Paul] - By sniffing the 900Mhz signals from employees wireless headsets on their landlines, this firm was able to gain enough knowledge to become an insider. They pretended to be an employee that had never been to the facility, printed business cards and everything. They gave the guy a cubicle, coffee, access to the network, everything for 3 DAYS!!!! Don't use wireless headsets or wireless keyboards, and have a process that checks people's ID cards before issuing them access credentials. This fix for this one is policy and process, plain and simple. Not every security hole can be fixed by applying a software patch, and I think that too much emphasis is put on this by the industry, process is the most important thing, once you have that, then you may want to look at tools to help you.
  • Caller-id spoofing by example - [Paul] - This is a neat little interview with someone who used called-id spoofing to exploit an organization. The expoit, trust in caller-id. By spoofing the caller-id of the HR person, the CEO, etc.. you can get people to pick up the phone. If your caller-id is an external number, they might not pick it up, but if its an internal number that corresponds to the CEO, but your butt they will pick it up. Pretty slick, he then goes on to describe attacks that expoit the trust people have in called-id, for example the credit card company. Defense: never trust called-id, get the phone number and call the person or credit card company back.

DEFENSE: Educate your users to identify social engineering attacks (hold classes, put up posters, send them emails). Teach them to question whats happening around them, and especially how to check for identification. Don't use wireless keyboards and headsets, using a wired keyboard or headset does not interfere with business processes 98% of the time. The same goes for bluetooth headsets.

Managing security is about process

  • "Scanning" is more than identifying vulnerabilities, you have to fix them - [Paul] - This is a great article from Jeremiah Grossman and it underscores a very important point. You can have all the fancy wizbang tools you want, however you need people to manage them and the results. This means following up on recommendations, and re-testing to be certain that recommendations are followed and that they fixes actually work. Otherwise, these tools are going to sit around, and when they are used they are going to be a waste of time
  • OSXCrypt - [Larry] - a follow on to our comments about the lack of affordable whole disc encryption. [securethoughts] - OSXCrypt is an open-source TrueCrypt-compatible port for OSX. Larry mentioned he didn't know of any cheap whole-disk encryption solutions for PCs or his Mac. TrueCrypt 5.0 (coming in Feb 2008) will support bootable Windows volumes. OSXCrypt has just released a pre-beta of their software, and should hoepfully be including whole-disk encryption for Intel Macs soon.

DEFENSE: Properly staff your security folks to effectively manage risk.