= Announcements & Shameless Plugs =
Live from the PaulDotCom Studios. Welcome to PaulDotCom Security Weekly, Episode 103 for April 3, 2008
* [http://pauldotcom.com/sans/ PaulDotCom SANS Click-Through] - Helps pay for cool stuff and general insobriety
* [http://pauldotcom.com/sans/ Network Security Projects Using Hacked Wireless Routers with Larry] Orlando, FL. on Thursday, April 24
* [http://pauldotcom.com/sans/ Cutting Edge Hacking Techniques with Paul] in N. Kingstown, RI on April 15-16
* [http://pauldotcom.com/sans/ Pen Test Summit] - June 2-3 to be attended by Larry
* [http://oshean.org/events/detail.aspx?story=3765&section=235&year=2008 Rhode Island Linux Install Fest] - Come and install Linux, help people install Linux, install Linux on different devices and systems (at least show up for pizza and b**r)
* [http://michaelboman.org/wiki/index.php?title=Custom_Laptop_Skins Custom Laptop Skins] - Mike Boman made us some. They rock!
= Tech Segment: The Hacker Princess =
= Stories For The Week =
[http://www.darknet.org.uk/2008/04/iframe-piggybacking-on-google-searches-to-install-malware/ Stored Search Queries Hosting hidden iFrames] - [PaulDotCom] - This is an example of how broken the web is currently. Why do you need to store other people's queries? Also, why allow tags in people's search queries?
[http://hackreport.net/2008/03/31/need-a-firewall-for-that-virtual-machine/ Virtual Machine Firewalls] - [PaulDotCom] - Is this a good thing? In some ways yes, for server deployments this has the potential to help, and it makes a neat barrier when virtual machines are used on the desktop. However, similar to anti-virus, are we just introducing more software which then presents more risk because it's yet another program that could have a vulnerability? Like, whatever happened to hardening your software and applications? I think the trend towards adding more software needs to end, and we need to be more focused on hardening and security configurations.
[http://nmap.org/changelog.html Nmap 4.6 is out!] - [PaulDotCom] - Important to note here that the OS fingerprint and service detection databases have been implemented into this version. This means all of the geeks like us who are scanning devices, like iPhones and WRTs, should have better fingerprinting. Still testing...
[http://blog.ncircle.com/blogs/the-lens/archives/2008/03/but_i_egress.html Egress is important] - [PaulDotCom] - Quote from article on Hannaford breach: "Clearly, there was a pathway back out of the network that Hannaford should have closed." So, if nothing else, you can use your IDS/IPS to look at, and even block, outgoing traffic. Certainly monitor it. Okay, so your host may get compromised, but if you catch it right away you can mitigate risk significantly. Now, I'm not saying let attackers waltz into your network at will, but a critical component to your security infrastructure should be looking at outgoing traffic. This can be done very cheaply with Snort and the emerging threats ruleset.
[http://www.coresecurity.com/?action=item&id=2206 Remote Buffer overflow in SILC] - [PaulDotCom] - Core found this bug and I find a couple of things interesting. First, patch your SILC servers ASAP. Second, this was fixed immediately by the team, Core notified on 3/19, it was patched on 3/20. Hurray for open source!
[http://www.securityfocus.com/bid/28381 Linksys Auth Bypass Vulnerabilities] - [PaulDotCom] - This has been in the security news a lot lately. It's been known since 2003, uncovered by ginsu rabbit, that version 1.00.9 of Linksys firmware had auth bypass issues. These are just more auth bypass issues. You should never be running version 1.00.9, it's had these problems since 2003, and they've been public since then.
[http://www.cisco.com/en/US/products/products_security_advisory09186a008095ff31.shtml Ciscoworks built-in TCP backdoor] - [PaulDotCom] - No, this is not a belated April Fools' joke, Cisco really did build a TCP backdoor root shell into their product. Helps when you forget the password, also saves time for attackers as you don't even have to deploy Metasploit or core agent, it's already got a root shell backdoor!!!!! For more Cisco hilarious vulnerabilities, [http://www.cisco.com/en/US/products/products_security_advisory09186a008096fd9a.shtml go here], this is a command execution vulnerability: "Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to cause a denial of service condition, obtain sensitive configuration information, overwrite configuration parameters or execute arbitrary commands with full administrative privileges". Defense? Lock down your internal applications, only allow a few workstations to access them. A great way to do this if they are running on Windows is to enforce an IPSec policy. And obviously, keep them patched. Maybe don't even open the web application at all, and implement Radmin with two-factor authentication to gain access to them, using a local web browser.
[http://cansecwest.com/agenda.html Check out talks from CANSEC] - [PaulDotCom] - Don't get hung up on the pwn2own contest. Yes, it's such a sexy thing to exploit a system and get fabulous $$ and prizes. Again, I am glad they run the contest as it forces a few vulns and exploits out of the woodwork, and promotes disclosure that leads to the bug getting fixed. It does not prove that any operating system is more secure than the others, which is a ridiculous claim. If they only put up an Ubuntu system, it would get pwn'd in the first 30 minutes. Those that think an operating system loaded with software is more secure than another operating system loaded with different software are just wrong. All software has holes, and we ALL run way too much software. In any case, don't forget to check out all of the other cool talks from CANSEC, presentations forthcoming.
[http://www.scribd.com/word/download/2363025?extension=pdf Blackboard XSS - With Worm Code!] - [PaulDotCom] - It's funny, I did some testing with Blackboard years ago, and guess what, it was riddled with XSS holes. Guess what? It still is! Now, consider this, "Tests, quizzes and assignments are easy to create and deploy, and a variety of tools for evaluating performance contribute to instructor efficiency while providing timely feedback and reporting for students." This vulnerability could be used to collect credentials to the Blackboard system, giving the attacker an opportunity to log in and wreak havoc (esp. if creds are the instructor's). This hole has the potential to compromise the integrity of all courses being hosted in the system. This is bad, not to mention any sensitive information stored in the system could become compromised. Also, some systems may use the same id/password for other systems, for example the same userid and password for Blackboard may be the same to log in to a financial aid application, and that's where the good information is stored. Also, if you were to find a persistent XSS, you could inject malicious code into the application itself, and deploy a trojan to all of the computers that accessed Blackboard.
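
The egress-monitoring point from the Hannaford story above, as an added example that is not part of the original show notes: a small checker that reads flow records and flags outbound connections from a sensitive server segment to any external destination not on its allow-list. The log format, address ranges, segment and processor address are all constructed assumptions.

```python
import ipaddress

# Assumed internal address space (hypothetical).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed egress policy: restricted segment -> allowed (destination network, port).
EGRESS_POLICY = {
    ipaddress.ip_network("10.20.0.0/24"): {            # card-processing segment
        (ipaddress.ip_network("192.0.2.10/32"), 443),  # payment processor
    },
}

# Constructed sample flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2008-04-03T10:00:01 10.20.0.5 192.0.2.10 443
2008-04-03T10:00:07 10.20.0.5 10.1.1.53 53
2008-04-03T10:02:44 10.20.0.5 203.0.113.77 21
2008-04-03T10:03:10 10.30.0.9 198.51.100.4 80
2008-04-03T10:05:00 10.20.0.8 192.0.2.10 8080
not a flow record
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def unexpected_egress(flow_text):
    """Return (timestamp, src, dst, port) for policy-violating outbound flows."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src_s, dst_s, port_s = parts
        try:
            src = ipaddress.ip_address(src_s)
            dst = ipaddress.ip_address(dst_s)
            port = int(port_s)
        except ValueError:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic is egress
        for segment, allowed in EGRESS_POLICY.items():
            if src in segment and not any(dst in net and port == p for net, p in allowed):
                alerts.append((ts, src_s, dst_s, port))
    return alerts

if __name__ == "__main__":
    for alert in unexpected_egress(SAMPLE_FLOWS):
        print("unexpected egress:", alert)
```

Hosts outside the restricted segment (10.30.0.9 in the sample) are deliberately not flagged; widening coverage means adding their segment to the policy table.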