- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 156 - June 18, 2009
- 2009 South Florida ISSA Conference and Exhibition - June 24th Learn more!
- SANS Raleigh Durham - June 22 thru 27th: SEC 401 SANS Security Essentials Bootcamp - The first step in the path to Enlightenment! Taught by Mark Baggett!
- DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in Defcon Poetry jam with the tantalizing title of "FAIL". We will also be having an invite-only party, so stay tuned!
Guest Tech Segment: Rob VandenBrink
We have a special guest technical segment on "Man in the Middle Attacks in a Virtual World" by Rob VandenBrink.
Rob is a consultant with Metafore LLP in Ontario, Canada. His areas of specialization include Network Infrastructure design, Network Security and Virtualization. Rob is an STI Masters Degree student with the SANS Technology Institute, and holds a variety of current SANS and Cisco Certifications.
This evening we'll be chatting about Man in the Middle (MITM) attacks against Virtual services. Specifically we'll be discussing how a successful MITM attack can be mounted against a VMware Guest migrating from one ESX host to another, using VMotion. VMotion moves the machine while it's running, without a service interruption.
First, I want to be absolutely clear that VMotion isn't an "insecure service", and that VMware is not an "insecure product". VMware and VMotion are alive and well in thousands (if not more) of datacenters, and because of this we've selected this product and this common operation to demonstrate with today.
This demonstration and the slides are lifted from SANS SEC557 - Virtual Security and Operations, an excellent security course which covers both the technical and operational (and non-technical) challenges in deploying virtual infrastructure into a datacenter.
MITM attacks are most often attacks against confidentiality. They run at layer 2 (more on this later), and are most often seen in switched Ethernet environments (though Fibre Channel MITM is also possible). Passive MITM attacks concentrate on stealing information as it transits without modifying it - the data is intercepted, saved away, then forwarded on. This is by far the most common MITM attack. It's easy to mount, difficult to catch red-handed, and very difficult to prevent in most environments.
Active MITM attacks actually involve changing the data as it's intercepted. This is less commonly seen, as it's much more difficult to pull off. Simply changing the data isn't a problem - for instance, purchasing an item online, then modifying the "ship-to" quantity isn't any more difficult than intercepting that value. However, now the ship-to quantity does not match the invoice quantity. This mismatch is very likely to be detected by the application, or noticed by a "human eye, model 1, mark 1" that might be looking at a final invoice or shipping label.
We'll be demonstrating a passive MITM attack on VMotion.
Mini Tech Segment: The Pre is rooted! Now what? by Mick Douglas
You need to do two things first...
Next, you can do some fun things like: setting up a local shell (Warning: this is a bit hard to use... until WebShell or another better terminal is available, I think I'll just SSH or novaterm onto my Pre.)
Add your favorite tools: nmap, kismet (don't know what WiFi driver to use yet), tshark
Stories For Discussion
- The revolution will be spread in 140 characters or less - [Mick] - Twitter has hit an interesting and powerful place in the world. Who knew a "waste of time" would end up as a mouthpiece for regime change?
- Sloooooowwww - [Larry] - Slowloris, a new Apache DoS tool. It doesn't require much bandwidth, and only small keep-alives.
- Month of Twitter bugs - [Larry] - Here we go again! I do like these projects, but to what aim? Either way, I hope they release a bug to increase my followers.
- Validate your inputs - [Larry] - By intercepting the HTML posted to the Apple store, you can add an iPhone to your cart without apparent contract, or credit check. Of course, these are non-subsidized prices. Theme for my week, given I'm TA'ing SANS 542.
- Month Of Twitter Bugs - [pauldotcom] - There is just something really sexy about the "month of" bugs. You can call it what you want, but in the end it gets some pretty serious media attention. Also, whatever seems to be the focus of the "month of bugs" gets its laundry aired out, public attention, and eventually patches. I know, I know, responsible disclosure, blah, blah, but I am siding with the view that the month of bugs helps us be more secure in the end, because let's face it, that's where we'll take it if people stop disclosing bugs in any fashion.
- Tons of anti-virus software bypass vulnerabilities released - [pauldotcom] - I believe it's important for these to be public, and it also looks like Thierry Zoller has done a good job with the disclosure end. My question is, when will people realize that Anti-Virus software may do more harm than good? I will take the stance that Anti-Virus software does more harm than good by creating a false sense of security. People will happily click on stuff, download files, and stick USB thumb drives because, well, "I've got Anti-Virus software, so I'm safe!". Wrong! I'll go back to my most recent blog post, your greatest weapon is common sense! In the enterprise A/V should be transparent to the end user, it should exist on your gateways and file servers, and even inspect traffic as it moves through your network. Train your end users, and if you use an endpoint security solution it needs to be smarter than the dumbest end user. Here's the thing, signature-based A/V still falls short of that requirement.
- Nice Wiping Tip - [pauldotcom] - Giving the finger to forensics, I love it! Linux is so great, the built in tools are just so flexible and provide so much functionality. I don't know why anyone would run Windows as their primary OS, it just gets in my way!
- SMS Hacking - [pauldotcom] - This just has security fail written all over it. SMS presents a huge risk to organizations, and here it sounds like some researchers are taking it to the next level and finding some vulnerabilities. The most attractive feature for attackers is the "always on" nature of SMS. I don't think you will see a smartphone botnet, at least not yet, but certainly if you could come up with a way to steal data from people's phones that would be great. The problem is that it's too widespread, people have all sorts of different numbers and it's tough to target an organization's cell phone presence without some accurate information gathering. I'm thinking that you break into a company, steal the directory, parse cell phones, then launch an attack.
- Common Sense: Your Greatest Weapon - [pauldotcom] - In this post I point out some security FAIL, in a fishing tale kind of way :) I was fishing one day, and observed what the fish were eating, and then used that information to catch more fish. To put a different spin on it, that's what the bad guys are doing. They are looking at what the fish (i.e. users) are eating and adapting. As defenders, we are doing a poor job of adapting. From wireless, to not checking logs, to overdependence on A/V, sometimes I feel like we all suck. I did manage to identify strategies that work and are worth putting effort into, policy & procedures, vuln management, and system hardening. So there, go do it :).
- PCI Debate: Level 2 Merchants Now Require QSA - [pauldotcom] - There is good and bad that goes along with this. As Brian would say, the PCI cheerleaders are cheering about it. They say it will help a lot of organizations, because now these organizations need to be audited, and it will find some things that need to be fixed, security will improve, and everyone will be happy and take off early on Friday to go drink beer. The other side is that many PCI QSAs will do a lackluster job, create a false sense of security, and the overall state of information security will degrade, in the meantime putting more money into the QSA pocket. I mean think about it, the times are tough, so let's boost some PCI business by requiring level 2 merchants. Awesome.
- iPhone 3.0 - over 35 security updates - [pauldotcom] - Wow, and here I am, the Apple fanboy that I am, jumping up and down for joy at copy/paste and voice memos. I dig a little deeper and realize that I was bent over a barrel running iPhone software! Holy freaking security updates, I might as well just publish all of the information on my phone to the Internet. I feel dirty, like that scene from Ace Ventura when he finds out that woman is really a man, and starts squeezing toothpaste in his mouth and showering, scrubbing, etc... Yeah, like that. I think I'm switching to an N95 or a Pre real soon now, oh wait, I just shelled out more $$ to Apple for a 3G S. At least my phone will look pretty.
Other Stories For Discussion
- Opera Browser beta opens up your machine to file sharing - [Mikep] - Beta version allows access to files/folders and pictures over the web ... Let the Black Hat games begin!
- No ties this year... - [Mikep] - Father's Day gift ideas for White, Black and Grey Hat dads.