- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 156 - June 18, 2009
- 2009 South Florida ISSA Conference and Exhibition - June 24th Learn more!
- SANS Raleigh Durham - June 22 thru 27th: SEC 401 SANS Security Essentials Bootcamp - The first step in the path to Enlightenment! Taught by Mark Baggett!
- DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in Defcon Poetry jam with the tantalizing title of "FAIL". We will also be having an invite-only party, so stay tuned!
Guest Tech Segment: Rob VandenBrink
We have a special guest technical segment on "Man in the Middle Attacks in a Virtual World' by Rob VandenBrink.
Rob is a consultant with Metafore LLP in Ontario, Canada. His areas of specialization include Network Infrastructure design, Network Security and Virtualization. Rob is an STI Masters Degree student with the SANS Technology Institute, and holds a variety of current SANS and Cisco Certifications.
This evening we'll be chatting about Man in the Middle (MITM) attacks against Virtual services. Specifically we'll be discussing how a successful MITM attack can be mounted against a VMware Guest migrating from one ESX host to another, using VMotion. VMotion moves the machine while it's running, without a service interruption.
First, I want to be absolutely clear that Vmotion isn't an "insecure service", and that VMware is not an "insecure product". VMware and Vmotion are alive and well in thousands (if not more) datacenters, and because of this we've selected this product and this common operation to demonstrate with today.
This demonstration and the slides are lifted from SANS SEC557 - Virtual Security and Operations, an excellent security course which covers both the technical and operational (and non-technical) challenges in deploying virtual infrastructure into a datacenter.
MITM attacks are most often attacks against confidentiality. They run at layer 2 (more on this later), and are most often seen in switched ethernet environments (though fiber channel MITM is also possible). Passive MITM attacks concentrate on stealing information as it transits without modifying it - the data is intercepted, saved away, then forwarded on. This is by far the most common MITM attack. It's easy to mount, difficult to catch red-handed, and very difficult to prevent in most environments.
Active MITM attacks actually involves changing the data as it's intercepted. This is less commonly seen, as it's much more difficult to pull off. Simply changing the data isn't a problem - for instance, purchasing an item online, then modifying the "ship-to" quantity isn't any more difficult than intercepting that value. However, now the ship-to quantity does not match the invoice quantity. This mismatch is very likely to be detected by the application, or noticed by a "human eye, model 1, mark 1" that might be looking at a final invoice or shipping label.
We'll be demonstrating a passive MITM attack on Vmotion.
Mini Tech Segment: The Pre is rooted! Now what? by Mick Douglas
You need to do two things first...
Next, you can do some fun things like: setting up a local shell (Warning: this is a bit hard to use... until WebShell or another better terminal is available, I think I'll just SSH or novaterm onto my Pre.)
Add your favorite tools: nmap kismet (don't know what WiFi driver to use yet) tshark
Stories For Discussion
- The revolution will be spread in 140 characters or less - [Mick] - Twitter has hit an interesting and powerful place in the world. Who knew a "waste of time" would end up as a mouthpiece for regime change?
- Sloooooowwww - [Larry] - Slowloris, a new Apache DoS tool. It doesn't require much bandwidth, and only small keep-alives.
- Month of Twitter bugs - [Larry] - Here we go again! I do like these projects, but to what aim? Either way, I hope tey release a bug to increase my followers.
- Validate your inputs - [Larry] - By intercepting the HTML posted to the Apple store, you can add an iPhone to your cart without apparent contract, or credit check. Of course, these are non-susidized prices. Theme for my week, given I'm TA'ing SANS 542.
Other Stories For Discussion
- Opera Browser beta opens up your machine to file sharing - [Mikep] - Beta version allows access to files/folders and pictures over the web ... Let the Black Hat games begin!
- No ties this year... - [Mikep] - Father's Day gift ideas for White, Black and Grey Hat dads.