= Announcements & Shameless Plugs =
Live from the PaulDotCom Studios, welcome to PaulDotCom Security Weekly, Episode 102 for March 20th, 2008
* [http://pauldotcom.com/sans PaulDotCom SANS Click-Through] - Helps pay for cool stuff and general insobriety
* [http://www.sans.org/training/description.php?mid=682&portal=da3aea87ef936355ce37f70db3e8b4c4 Network Security Projects Using Hacked Wireless Routers with Larry] Orlando, FL. on Thursday, April 24
* [http://pauldotcom.com/sans/ Advanced Network Worm and Bot analysis with Steve Marcelino] in N. Kingstown, RI on Tuesday March 25
* [http://pauldotcom.com/sans/ Cutting Edge Hacking Techniques with Paul] in N. Kingstown, RI on April 15-16
* Pen Test Summit on June 2-3 to be attended by Larry
* [http://oshean.org/events/detail.aspx?story=3765&section=235&year=2008 Rhode Island Linux Install Fest] - Come and install Linux, help people install Linux, install Linux on different devices and systems (at least show up for pizza and b**r)
= Tech Segment: Nessus Upgrade 3.2.0 =
Some great new features:
* Support for IPv6 targets (for the Linux, FreeBSD, Solaris and Mac OS X flavors)
[http://www.networkworld.com/news/2008/031808-four-good-reasons-for-security.html?fsrc=rss-security Security and HR should talk] - [Larry] - One thing that I think is important with security policies is the unilateral enforcement of the policies. One thing that becomes disappointing is all of the work that goes into the enforcement of the policy, and then the offender is given a slap on the wrist and the incident is swept under the carpet. This, in my opinion, is a bad thing.
[http://www.msnbc.msn.com/id/23724857/ Social Networking Evil Twin Lands Someone in Jail!] - [PaulDotCom] - Some countries frown upon this type of attack, esp. if you live in Morocco. "A Moroccan computer engineer who was imprisoned for creating a fake Facebook profile of King Mohammed VI's younger brother said Wednesday he only did it out of admiration for the prince." Yikes, he was eventually granted a pardon, but it goes to show you how serious this attack could be. Good thing for Larry and me that we live in the US and were just impersonating Twitchy :)
[http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9069818 PwN To Own - Cansec 2008] - [PaulDotCom] - So rather than just a single MacBook Pro, there will be a Windows, OSX, and Ubuntu Linux laptop for hacking. Prizes include $10,000 for a 0day on any platform. This year there will be more structure, and care, so as not to let a 0day slip into the wild over the wireless or Bluetooth networks. I think this is a fun exercise, and I hope that more than one bug is found and properly disclosed. This can be good for the vendors as well; they get some free security research out of it! So, have at it guys, find lots of bugs and hopefully we will see patches.
[http://www.linuxdevices.com/news/NS7602396677.html Linux Zigbee Embedded devices for home security?] - [PaulDotCom] - I dunno, maybe it's just me, but I don't trust any wireless signal when it would come to my home security system. Also, as Zigbee becomes more mainstream, what ARE the security implications? Well, let's take a look and learn from history:
* 900MHz cordless phones and headsets - [http://www.darkreading.com/document.asp?doc_id=143779 pwned]
So, if history is correct, Josh Wright will crack zigbee, setting us all free like Neo from the Matrix....
[http://taosecurity.blogspot.com/2008/03/ten-themes-from-recent-conferences.html Taosecurity - Ten themes from recent security conferences] - [PaulDotCom] - Nothing really new to us here. Basically, every organization has compromised machines, but most don't know it. We can never implement 100% secure networks, but we can make it cost prohibitive for the attackers. If you are of a significant size or interest, you are a target, and therefore have to raise the bar higher.
[http://digg.com/security/Major_Flaw_In_Pennsylvania_Online_Voter_Registration Poor Session Handling and Authentication - Voter reg forms readable] - [PaulDotCom] - This is a testament to the very sad state of web application security. There was a site with an online voter registration page. Simply by changing your voter ID, you could get other people's voter registration data. Nice. Session handling is something that automated web application scanners almost always miss, and something you need to test for manually. Goes to show you, just looking for XSS and SQL injection is not good enough; it's just the start. Getting into the programmer's head and figuring it out is always the best way.
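The voter-registration flaw above is a classic authorization failure: the site checked that you were logged in but not that the record you asked for was yours. This added example (not from the show notes or the site in question, all data constructed) shows that lookup beside a hardened version that binds the record to the session, plus the manual swap-the-ID test the commentary says scanners miss.

```python
# Added example: insecure direct object reference vs. a session-bound lookup.
# Records and sessions are constructed in-memory stand-ins for a web app's store.

# Constructed voter records keyed by voter ID.
VOTERS = {
    "1001": {"name": "Alice Example", "address": "1 Main St"},
    "1002": {"name": "Bob Example", "address": "2 Oak Ave"},
}

# Constructed session store: session token -> voter ID that logged in.
SESSIONS = {
    "sess-alice": "1001",
    "sess-bob": "1002",
}


def lookup_vulnerable(session_token, voter_id):
    """Authentication only: confirms the caller is logged in, then trusts the
    voter_id from the request. Any logged-in user can read any record by
    changing the ID, which is the flaw described above."""
    if session_token not in SESSIONS:
        return None  # not logged in
    return VOTERS.get(voter_id)


def lookup_hardened(session_token, voter_id):
    """Authentication plus authorization: the record is returned only when the
    requested voter_id is the one bound to the caller's own session."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None  # not logged in
    if voter_id != owner:
        return None  # logged in, but not authorized for someone else's record
    return VOTERS.get(voter_id)


def idor_probe(lookup, session_token, own_id, other_id):
    """The manual check the text calls for: with one valid session, fetch your
    own record, then swap in another voter's ID. Returns True if the other
    record leaks (i.e. the endpoint is vulnerable)."""
    own = lookup(session_token, own_id)
    other = lookup(session_token, other_id)
    return own is not None and other is not None
```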
[http://www.honeystickproject.com/ Honey Stick Project - Social Experiments with USB keys] - [PaulDotCom] - Pwning people with USB keys is great fun, and often very successful. You can leave them in the parking lot, give them to the secretary to print a document, or pose as the help desk employee and just insert the key as part of "normal maintenance". However, this site brings up some good points: would you pick up a piece of pizza that was lying on the ground, even if you were starving? If your answer is, "depends on how wasted I was", then you have to go check out this site.
[http://rdist.root.org/2008/03/17/apple-iphone-bootloader-attack/ iPhone Bootloader Attack] - [PaulDotCom] - The iPhone dev team claims to have "jailbreak" functionality on the new, unreleased, Apple iPhone 2.0 firmware. The basis of the attack is that they figured out a way to circumvent the bootloader's checking of RSA signatures. This gives them direct access to the flash, which is essentially game over. This attack is scary for several reasons. First, it means that arbitrary code running on the iPhone is now a reality, because access to the flash means you control the entire system. This means you can install applications, and evil ones at that. This also means that you can replace the operating system with one of your own, just like our examples in the WRT54G world.
[http://www.veracode.com/blog/?p=82 Scariest Thing According to Panel at Source Boston: Certified Pre-0wned Devices] - [PaulDotCom] - People don't think about security in a holistic fashion and consider every avenue for attack. As we "solidify the perimeter", which means nothing because there is no perimeter, attackers are accessing systems and bypassing security in ways that most have never thought of. Think of every device (camera, picture frame, USB drive, FireWire drive, iPod, removable media of any kind) as an attack vector. This can become a potential way behind your defenses, especially given most manufacturing is done overseas. What is our defense? Anti-virus you say? I hope you have a better answer than that, for your sake...
[http://blog.washingtonpost.com/securityfix/2008/03/the_anatomy_of_a_vishing_scam_1.html Vishing Scam Example] - [PaulDotCom] - This is a great example of how attacks will proliferate against our users in ways that we have few methods of defense against (right now anyway). The attackers set up a VoIP service, hijacked or set up themselves, then sent text messages to users informing them to call this number to verify their account. No email or browser phishing protection to save you here, only whatever is on your cell phone to protect you (nothing) and good ol' alert users (ha!!!!). The interesting thing is that users were targeted by geographic region, meaning that the attackers had information about users' phone numbers (most likely from penetrating another system). The attack that sent the emails went like this: "ompromise of a Web site called whitehousechronicles.com. The attackers broke into the site by exploiting an ancient flaw (in Internet time) in Horde, a free Webmail utility. Once there, they installed a bunch of scripts on the Web server; several of the scripts contained millions of provider- and region-specific phone numbers that would receive the vishing messages, while another listed the credentials needed to log into and send e-mail from dozens of outside e-mail servers." Nice. Even better, they compromised an email account for "abuse@<some canadian beer company>.com". The password was.....wait for it....abuse. *sigh* Remediation: scanning for known vulnerabilities and using a tool like hydra to test for default/stupid passwords would have thwarted a portion of this attack. Defense against the SMS message, where does the provider get involved? Text messages are revenue generators for cell phone companies (unlike how email is a freebie from an ISP). So, it's not in their best interest to block them!
[http://www.darkreading.com/document.asp?doc_id=148438 Attacking Smart Cards] - [PaulDotCom] - A former MS employee has developed a fuzzer that targets the middleware used by smart cards.