From Security Weekly Wiki
Jump to navigationJump to search


This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Announcements & Shameless Plugs

Live from the G-Unit Studios Welcome to Security Weekly, Episode 118 for August 17th, 2008

Welcome to Security Weekly, a show for security professionals, by security professionals.

  • Security Weekly SANS Click-Through - Go there, register for fabulous SANS training! Go now!
  • ICE (Integrated Cyber Exercise) - Oct. 1-3 at SANS Las Vegas!
    • Larry and I will each lead a team, names to be announced
    • Attendance and participation is FREE, come join one of our teams!
    • 4 Networks, 1) Attackers 2) Defenders 3) Public/Internetish 4) Spectator Room
    • Looking for food/drink sponsor
    • Featuring wireless, voip, and SCADA!
  • Help support Security Weekly with your donations. Visit http://securityweekly.com and press the DONATE button.Note: Thanks to listener Ken for the donation!
  • NS2008! Paul giving keynote: Things That Go Bump In The Network: Embedded Device (In)Security and teaching SEC535, Network Security Projects Using Hacked Wireless Routers!

Episode Media


Mini-tech Segment - SamuraiWTF

Mini-Tech Segment - The Art Of Fuzzing With TAOF

Fuzzing is so much fun! Josh Wright gave a great presentation on fuzzing, why you should fuzz, what to fuzz, and how to fuzz. It was, well, fuzzy :) I learned about a great little tool call TAOF, or "The Art Of Fuzzing" (its got a Ying Yang symbol and everything). Its a neat little tool that acts like a proxy server, then based on fields, or fuzz points, will do the fuzzing. Its highly effective for web servers, and I plan to do some testing on embedded web servers. Below are some screenshots to give you an intro:

TAOF: Main Page


TAOF: Data Retrieval


TAOF: Fuzzing


Stories For Discussion

TELNET still tops the open port list - [Paul] - This grinds my gears, TELNET, REALLY? FSCKING TELNET!!!!!! WHY!!!!!!! (A kitten dies everytime you expose TELNET to the Internet?)

Barrier web toolbar - [Larry] - This is the toolbar that Dave Maynor was talking about during our panel at defcon. This toolbar integrates into the browser so that it can test site for some issues wile in use - verifying ssl, form input, etc. The only problem is that now that potentlal normal surfing from the client looks like a potential attack to the server. Not to mention, what are the implications of launching an "attack" against a host that you aren't authorized to attack. Plenty of questions, as the tool won't be released until Monday.

DNS Patch Busted? - [Paul] - Have I been out of the loop, or do these exploits really work? I have not tested them, but supposedly they allow poisoning, even with latest bind patches. Can anyone confirm?

Hacked at Defcon - [Larry] - Did you use the defcon network? If you did, it is likely that your traffic was routed through a router in NYC, and then back again. Due to some flaws (in configuration?) of some routing protocols, two researchers were able to surreptitiously re-route all of the traffic...

Nokia S40 Java Vulnerability - [Paul] - Everyone always asks me how real the threat against phones is,a nd I always tell them, "As soon as attackers can make some profit, it will be popular". This vuln may help that cause as, "this vulnerability could affect more than a hundred million mobile phones. This vulnerability is reported to enable attacker to be able to execute arbitrary code on target phones." Mass cell phone pwnage! W00t! I mean, bad....

Get us on the IT crowd! - [Larry] - The IT crowd has a call from all geeks to help spruce up the set for next season. Let's hack the vote and tell ben.capel@talkbackthames.tv that there are a couple of chaps that have this awesome podcast, and even have "HACK NAKED" stickers and t-shits they can provide to the show.

TJX Hackers Used "professional grade" tools - [Paul] - There are a series of facts in multiples articles from computer world reporting on tools used by the TJX hackers. How they used customized software and so-called "professional tools" to break into computers and collect credit cards. While that may be the case, don't be fooled into thinking that it takes an attacker with skills to write this software to perform this attack. You can use totally free and pretty well-documented software to hack into wireless networking (ala aircrack-ng), install backdoors (ala metasploit payloads), and install sniffers (ala Cain & Abel or tcpdump, or even winpcap with windump), then write customer filters and ship the data off-site. Just sayin' its not rocket science :)

Pacemaker-B-Gone - [Larry] - remember that story a while back stating that I was scared about wirlessly programmable pacemakers? Some researchers presented at defcon about thier attepts at using GNU radio to access some of the reprogrammable bits. - with success in turning it off. EPIC FAIL.

iPhones Lead to Pwnage - [Paul] - So timely, as my presentation discusses why embedded systems, such as iPhones, make it easy to steal people's data, and guess what, the wall-of-sheep at Defcon was filled with people's passwords taken from their iPhones.

Joomla fail. - [Larry] - Joomla (a content management system for websites) has a password reset vulnerability in versions 1.5.0 to 1.5.5. the hack appears easy - when authorizing a password reset, a "token" is required, however the system appears to accept invalid tokens, and performs the reset for the lowest numbered ID - typical the administrator.

targeting via social networks - Here's an imporant message - integrate examining social networks as part of an assessment. This splunk ad indicates hat John Topp is with a government agency, but Linkedin says otherwise.

Bring Sexy back - [Larry] - Erratasec is bringing sexy back. Ship an iPhone with SSH and wifi scanning to a client for wireless testing. Add metasploit, tcpdump and metasploit. and you have an awesome method of delivery. Now, me, I'd go for a WRTSL54GS in order to cut costs, especially if you accidentally leave it in the back of a cab. [Paul] - While this sounds sexy, I have more questions than anything. Like, so if you send someone an iPhone and have SSH access to it, how to you tell the iPhone Wifi which network to connect to? Or, enable monitor mode on a Marvel proprietary driver to sniff the wireless network? Also, how to you keep the battery charged when its been in an airplane in high altitude or extreme cold? And how is this not mail fraud? I think an embedded system is the way to go here, just like Larry said.

Microsoft's open kimono - [Larry] - Microsoft is going to start revealing technical details about their patches before they are released. I'm guessing that it will only be to "select partners" so that they can begin creating signatures in advance of the patch release. This is intended to help thwart the reverse engineering race that happens every patch tuesday at 10:00AM

"This Was Just Cool"

Motherboard Walls! - [Paul] - Too cool, I always wondered what I could do with all of those 10-baseT ethernet cards and 486 motherboards, maybe this will help soundproof the studio? Maybe not, but it looks damn cool!