Difference between revisions of "Episode167"

From Security Weekly Wiki
(Created page with '{{Advertisements}} = Sponsors = {{Sponsors}} = Announcements & Shameless Plugs = PaulDotCom Security Weekly - Episode 166 - For Friday September 4th, 2009 * Thursday Septemb...')
 
m (Text replacement - "[pauldotcom]" to "[Paul Asadoorian]")
 
(37 intermediate revisions by 6 users not shown)
 
{{Sponsors}}
= Announcements & Shameless Plugs =
+
= Shameless Plugs & General Announcements =
  
PaulDotCom Security Weekly - Episode 166 - For Friday September 4th, 2009
+
Security Weekly - Episode 167 - For Friday September 11th, 2009
  
* Thursday September 10th - come meet PaulDotCom at the Boston OWASP meeting to be held at Core Security near South Station. More info to follow....
+
* We're looking for two interns - local to the Rhode Island area, listen to the podcast, into linux, able to lift 30 lbs, and if possible, willing to perform post-production work on the podcast.  If that description sounds like you, please send us a note via psw [at] Security Weekly [dot com]
 
 
* We're looking for two interns - local to the Rhode Island area, listen to the podcast, into linux, able to lift 30 lbs, and if possible, willing to perform post-production work on the podcast.  If that description sounds like you, please send us a note via psw [at] pauldotcom [dot com]
 
  
 
* The newly minted [http://www.pittsug.org Pittsburgh Information Security Users Group] invites all to their [http://www.pittsug.org/content/capture-flag Capture the Flag - "Hax0r style" event] on September 17th.  They invite all to "Red Team" some Linux and Windows boxes and collect cool prizes.
* [http://louisvilleinfosec.com/ The Louisville Metro InfoSec Conference] in, well, Louisville, offers John Strand as Keynote and serves PaulDotCom Asadoorian as Breakout Speaker.  If that were not enough, they will also have a Capture The Flag event and [http://www.irongeek.com/ Irongeek]!  All the above for the very low price of $99 on October 8th.
+
* [http://louisvilleinfosec.com/ The Louisville Metro InfoSec Conference] in lucky Louisville offers John Strand as Keynote and serves Security Weekly Asadoorian as Breakout Speaker.  If that were not enough, they will also have a Capture The Flag event and [http://www.irongeek.com/ Irongeek]!  All the above for the very low price of $99 on October 8th.
  
* [http://www.sans.org/info/46903 Community SANS: Sec 542 Web Application Penetration Testing] - SANS is pleased to announce Community SANS Providence, running Monday, October 5 - Saturday, October 10.  Larry will teach Security 542:  Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.
+
* [http://www.sans.org/info/46903 Community SANS: Sec 542 Web Application Penetration Testing] - SANS is pleased to announce Community SANS Providence, running January 11 - 16.  Larry will teach Security 542:  Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University. Also coming up, 617 on Calgary sometime in March!
  
* [http://www.rochestersecurity.org/ Rochester Security Summit] - Larry and Ed Skoudis to give Keynotes.  What can get better than that? October 28 - 29 in Rochester NY!

=Episode Media=

[http://media.libsyn.com/media/pauldotcom/pauldotcom-SW-episode167.mp3 mp3]

= The "''... are those surfboards that you're trying to conceal over there?''" interview with [http://www.thoughtcrime.org/about.html Moxie Marlinspike] =

Moxie Marlinspike is a fellow at the Institute for Disruptive Studies with over thirteen years of experience in attacking networks. He is the author of sslsniff and sslstrip, the former of which was used by the MD5 Hash Collision team to deploy their rogue CA cert. His tools have been featured in many publications including Hacking Exposed, Forbes Magazine, The Wall Street Journal, the New York Times, and Security Focus as well as on international TV. For money, he is a licensed USCG Master Mariner, and delivers yachts worldwide.

Moxie's website: [http://www.thoughtcrime.org thoughtcrime.org]

Moxie's [http://www.thoughtcrime.org/software.html tools]

Do yourself a favor and read some of Moxie's [http://www.thoughtcrime.org/stories.html stories!]

Questions for Moxie:

#How did you get your start in information security?
#You live what many would consider an alternative lifestyle. Where do you get the guts to live so brazenly free?
#More importantly, where do you keep a totally rad server farm while on the move?
#SSL? Seriously dude, you are breaking the internet? Is SSL really that broken?
#Surely, stuff like OCSP cannot be defeated with a single character? Can you describe some of the work that goes into dissecting the protocols to find issues?
#What can we do to fix it?  What is the next evolution?
#Where is your favorite port?
#Who has the best roofs for crashing for the night and do you have any tips for finding the best public bathrooms?
#Tell us about the "Institute for Disruptive Studies"
#What's the craziest incident or thing you've seen in your travels?

= Interview: Nick Harbour shares some [http://rnicrosoft.net rnicrosoft] Forensic Software goodness =

Nick Harbour is a malware analysis expert with extensive experience in Incident Response and Computer Forensics.  He specializes in advanced R&D for information warfare, forensics and anti-forensics and reverse engineering. He is the developer of numerous free computer forensics tools such as dcfldd, tcpxtract, fatback, Mandiant Red Curtain and FindEvil, the anti-reverse engineering tool PE-Scrambler and the reverse engineering tool APIThief.

Questions for Nick:

#How did you get your start in information security?
#Which tool have you had the most fun writing and supporting?
#Favorite tool you use that you have not written?
#Who do you follow on Twitter?
#What was it like working in the DoD Computer Forensics Lab?
#Are there any crazy photos of you on the Mandiant website?

= Tech Segment: Recovering Firefox Passwords =

To quote Carlos, "shell is just the beginning". Now that we have access to a machine, we can gather all sorts of goodies from it; we just need to know where to look.

Some of my favorites to grab are Firefox passwords.  Prior to version 3.5 (for version 3), the list of sites and saved logins is stored in signons3.txt.  With a master password set, you will also need key3.db in order to recover the master password.  For Firefox 3.5 or later, grab signons.sqlite as well.  For a detailed description of the contents and format of each of these files, check out the [http://securityxploded.com/firepassword.php FirePassword] page.

But why recover these usernames and passwords?  How many people do you know who let their browser store passwords for them?  Personally, I know a lot.  These users store passwords for just about everything: personal sites, banking and corporate resources.

Yes, corporate resources.  Now, if you have credentials to these resources, this may open up a whole new world to your testing. Imagine that you now have credentials to all sorts of web based management utilities where you can get access to a million credit card numbers, or something equally juicy.

So how do we do it? First, grab the signons3.txt and key3.db files (or signons.sqlite for Firefox 3.5) and get them to a system where you can work with them. I'm finding that a Windows system is best, given the tools available.  I'm using Windows 7 in a VM, with Firefox installed. Many of the tools look for the default Firefox profile directory, so I often copy the files there - I'm not concerned about the install of Firefox in this VM.

One tool that we can use to view the password stores is Firefox itself.  Of course, Firefox 3.5 uses a different format for storing passwords; they are now stored in a SQLite database. If we copy our files to the default Firefox profile (C:\Documents and Settings\<user>\Application Data\Mozilla\Profiles\<random>.profile in many cases) of an older version of Firefox, fire up Firefox (be careful, it needs updates!) and go to Tools, Options, Security, Saved Passwords, Show Passwords.  Neat, now we have the URL, username and password!

Uh oh, you mean now we are being asked for a master password? Well, we need to provide one in order to view the passwords!  Now we can use another tool on Windows to obtain the master password.

FireMaster to the rescue.  [http://securityxploded.com/firemaster.php FireMaster] is a master password brute force tool that works against key3.db and signons3.txt.  It will do all of the typical brute force attacks: dictionary, hybrid and plain brute force.  It is a fairly simple tool to use, but here are a few examples.  In these examples, FireMaster is in the same directory as key3.db and signons3.txt, so the profile path is set as "." at the end of the command:

[Update:  During the writing of this segment, I noted that the author updated FireMaster to automatically detect the version of Firefox based on whether the information is stored in signons3.txt or in the SQLite database!  We can now use this tool to get the goods from Firefox 3.5 as well.]
A dictionary attack:

<pre>FireMaster.exe -d -f wordlist.txt .</pre>

Note that you need to be careful with your wordlist.  I used a copy of the all-inclusive free version from ftp.openwall.org, which I had to convert from LF to CRLF.  I also had to remove words with spaces and non-US character sets.  If I didn't, I got a nasty crash from FireMaster.  Can you say buffer overflow, anyone?

A hybrid attack:

<pre>FireMaster.exe -h -f wordlist.txt -n 3 -g "0123456789" -s -p .</pre>

Again, same wordlist issues.  With the hybrid attack, it will append (-s) and prepend (-p) the given number of characters (-n 3) drawn from the defined character set (-g).  The larger your number of characters and your character set, the more time you will need.

A brute force:

<pre>FireMaster.exe -b -l 10 .</pre>

This one sets the max password length to 10 characters (-l), so adjust to your needs.  It also uses the default character set of "abcdefghijklmnopqrstuvwxyz*@#!$123", which you may also need to tailor with the -g option.  On my machine this would take over 300,000 days to complete at about 120,000 guesses a second.  On a high-end, non-virtual system the guessing jumped up to about 250,000 guesses a second for about 160,000 days to completion.

My vote is for a good dictionary.  We covered scraping websites for making dictionaries before.

I've also had some good luck with Firefox Password Recovery from top-password.com.  Granted, it wasn't free, but the $18 was something I could afford as an expense on an engagement. It won't crack or bypass the master password, but it may be a little safer than a machine running an old version of Firefox.  Just another option.  It hasn't been updated for the Firefox 3.5 (or later) signons.sqlite format yet.

So, want a free solution?  The author of FireMaster has a command line [http://securityxploded.com/firepassword.php FirePass] and GUI [http://securityxploded.com/firepasswordviewer.php FirePasswordViewer] tool to do the same, with Firefox 3.5 support!
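The wordlist clean-up and the "how long will this take" question above can be scripted. The Python below is an added example, not FireMaster's code and not part of the original segment: it normalizes a Unix wordlist the way the text describes (CRLF line endings, no entries with spaces or non-US characters), generates the candidates a hybrid run with -s/-p, -n and -g is described as trying (an approximation of the tool's behaviour, not its implementation), and sizes the brute-force keyspace for a charset and maximum length so you can decide before starting whether -b is worth it. The sample wordlist is constructed; the 34-character default charset is the one quoted above.

```python
"""Wordlist preparation and attack sizing for FireMaster-style cracking runs.

Added example: not FireMaster's code or anything from the original segment.
It scripts the chores described in the text (convert a Unix wordlist to CRLF,
drop entries with spaces or non-US characters) and estimates how many guesses
a hybrid or brute-force run will need.  The hybrid generator approximates what
the -s/-p, -n and -g options are described as doing; it is not the tool's code.
"""
from itertools import product
from typing import Iterable, Iterator, List

# FireMaster's default brute-force charset as quoted in the segment (34 chars).
DEFAULT_CHARSET = "abcdefghijklmnopqrstuvwxyz*@#!$123"

# Constructed sample of an openwall-style list: LF endings, an entry with a
# space, a non-ASCII entry, a blank line and a duplicate.
SAMPLE_WORDLIST = "password\nletmein\nhello world\ncaf\u00e9\n\npassword\nsecret123\n"


def normalize_wordlist(text: str) -> List[str]:
    """Keep only ASCII, whitespace-free, non-empty entries; preserve order, drop duplicates."""
    seen = set()
    words: List[str] = []
    for raw in text.splitlines():
        word = raw.strip()
        if not word or any(ch.isspace() for ch in word):
            continue            # blank line or embedded whitespace (crashed FireMaster)
        if not word.isascii():
            continue            # non-US character set (also crashed it)
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words


def to_crlf(words: Iterable[str]) -> bytes:
    """Serialise with the CRLF line endings the Windows tool expects."""
    return "".join(w + "\r\n" for w in words).encode("ascii")


def hybrid_candidates(word: str, charset: str, n: int,
                      append: bool = True, prepend: bool = True) -> Iterator[str]:
    """Yield `word` with every n-character string over `charset` appended (-s) and/or prepended (-p)."""
    for chars in product(charset, repeat=n):
        affix = "".join(chars)
        if append:
            yield word + affix
        if prepend:
            yield affix + word


def hybrid_count(n_words: int, charset: str, n: int,
                 append: bool = True, prepend: bool = True) -> int:
    """Guesses a hybrid run makes: words x charset^n x number of affix positions."""
    return n_words * len(charset) ** n * (int(append) + int(prepend))


def brute_force_keyspace(charset: str, max_len: int) -> int:
    """Candidates of length 1..max_len over `charset` (what -b -l max_len has to try)."""
    size = len(charset)
    return sum(size ** length for length in range(1, max_len + 1))


def days_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Wall-clock days to try the whole keyspace at a measured guess rate."""
    return keyspace / guesses_per_second / 86400


if __name__ == "__main__":
    words = normalize_wordlist(SAMPLE_WORDLIST)
    with open("wordlist.txt", "wb") as fh:          # feed to: FireMaster.exe -d -f wordlist.txt .
        fh.write(to_crlf(words))
    print(f"{len(words)} usable words written to wordlist.txt")
    print("hybrid -n 3 -g 0123456789 -s -p would make",
          hybrid_count(len(words), "0123456789", 3), "guesses")
    print(f"brute force -l 10 over the default charset: {brute_force_keyspace(DEFAULT_CHARSET, 10):,} candidates")
```

Run it once on your real wordlist, then point FireMaster at the resulting wordlist.txt; plug your own measured guess rate into days_to_exhaust() to compare a brute-force run against the hybrid count before committing the machine to it.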
 
 
= Mini-Tech Segment - Penetrating VPN Concentrators =

There are a few nice tools available that allow you to enumerate, and hopefully penetrate, VPN concentrators.

Typically this will be all you will find on a remote assessment.  Let me set the record straight: VPNs are a good thing.  They reduce your overall exposure to the Internet.  However, they need to be hardened, just like everything else on your network (including your users).  Below are some quick tech tips for enumerating and attacking VPN systems.
 
 
== PPTP ==

PPTP is a crappy protocol (pun intended). I think what many people miss is that PPTP, like the wireless protocol LEAP (remember LEAP?), uses MS-CHAPv2 for authentication.

Reference: http://www.willhackforsushi.com/code/asleap/2.2/README

Basically this means it's vulnerable to password brute force guessing attacks.  You can use the asleap tool mentioned above, but you will need a packet capture of a successful authentication to use it.  pptp-bruter from the fine folks at THC (The Hacker's Choice) is a bit dated, but can work really well.  It takes just a simple word list and the IP of your PPTP server:

<pre>thc-pptp-bruter 10.78.3.10 -n 10 < wordlist.lst</pre>

I think some of the code in thc-pptp-bruter may be a bit dated, as some systems will not accept the authentication handshake from it, and it just keeps trying the same 10 passwords over and over again.
 
 
== IKE ==

IKE is the key exchange protocol used in IPsec based VPNs.  IPsec is great, but make sure you configure it correctly.  This means never using aggressive mode and choosing strong encryption and hashing algorithms (like AES).  One of the best resources on this topic is actually the ike-scan User Guide:

Reference: http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide

Tons of great information here on how to enumerate and attack VPN systems.  There are two basic commands that I put together in order to attack systems; the first one figures out what kind of encryption and hashing algorithms are in use:

<pre>./generate-transforms.sh | xargs --max-lines=8 ike-scan 10.99.2.11</pre>

The above command runs ike-scan against a target using all the different transform combinations.  You can download the generate-transforms.sh script from the NTA Monitor web site.  Once you figure out what the VPN concentrator likes, you can fingerprint it using the UDP backoff technique:

<pre>
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.99.2.11 Main Mode Handshake returned
HDR=(CKY-R=c60fc677eb1c7f5d)
SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
--- Ignoring 80 bytes from 216.87.243.8 with unknown cookie 749c204df5af3877

IKE Backoff Patterns:

IP Address No. Recv time Delta Time
x.x.x.8 1 1251660594.483955 0.000000
x.x.x.8 2 1251660604.484525 10.000570
x.x.x.8 3 1251660614.489095 10.004570
x.x.x.8 4 1251660624.485665 9.996570
x.x.x.8 5 1251660634.486235 10.000570
x.x.x.8 6 1251660644.490805 10.004570
x.x.x.8 Implementation guess: Cisco IOS 12.1, 12.2 or 12.3 / Watchguard Firebox / Gnat Box
</pre>

There are attacks for aggressive mode, all documented nicely in the ike-scan User Guide.  There are other tools as well, but these seem to be my standbys.  Once you fingerprint the VPN you can then look for specific vulnerabilities, or set one up in your lab and find some new ones :)  It's an important point that I want our readers/listeners to take away from this one: just because the available tool is outdated, don't put it past an attacker to modify or extend it.  If your assets are worth it, they will spend weeks/months/years making tools and exploits to break into your network.
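The ike-scan output from the transform loop and the backoff fingerprint above can be triaged automatically. The Python below is an added example, not part of ike-scan and not from the original segment: it parses ike-scan's per-host lines (Main/Aggressive Mode handshake lines, the SA=(...) attributes, and the "Implementation guess" that --showbackoff prints), groups them by concentrator, and flags the settings this segment warns about: single DES, MD5, DH group 1 (modp768), and Aggressive Mode, which with PSK authentication hands you a hash that psk-crack (shipped with ike-scan) can attack offline. The flagging policy is my assumption, not something ike-scan reports. The sample output is constructed in ike-scan's one-line-per-response format using the 10.99.2.x addresses from the segment; the second host and its transforms are invented for contrast, and the wrapped multi-line form as pasted above is accepted too.

```python
"""Triage of ike-scan output: accepted transforms, Aggressive Mode, fingerprint.

Added example: not part of ike-scan or the original segment.  It parses the
lines ike-scan prints (one line per response) during the transform loop and
the --showbackoff fingerprint run and flags the settings the segment warns
about.  SAMPLE_OUTPUT is constructed in ike-scan's output format using the
10.99.2.x addresses from the segment; the second host is invented for contrast.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_OUTPUT = """\
Starting ike-scan 1.9 with 2 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.99.2.11\tMain Mode Handshake returned HDR=(CKY-R=c60fc677eb1c7f5d) SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
10.99.2.11\tMain Mode Handshake returned HDR=(CKY-R=1a2b3c4d5e6f7081) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
10.99.2.11\tAggressive Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=10.99.2.11) Hash(20 bytes)
--- Ignoring 80 bytes from 10.99.2.11 with unknown cookie 749c204df5af3877
10.99.2.12\tMain Mode Handshake returned HDR=(CKY-R=deadbeef00000001) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
10.99.2.11\t1\t1251660594.483955\t0.000000
10.99.2.11\t2\t1251660604.484525\t10.000570
10.99.2.11\tImplementation guess: Cisco IOS 12.1, 12.2 or 12.3 / Watchguard Firebox / Gnat Box
Ending ike-scan 1.9: 2 hosts scanned in 0.123 seconds (16.26 hosts/sec).  2 returned handshake; 0 returned notify
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SA_RE = re.compile(r"SA=\((.*?)\)")
ATTR_RE = re.compile(r"(\w+)=(\S+)")

# Flagging policy (author's assumption, not ike-scan's): single DES is a 56-bit
# cipher, MD5 is a broken hash, DH group 1 is a 768-bit modulus, and an
# Aggressive Mode response with PSK auth leaks a hash psk-crack can attack offline.
WEAK_ENC = {"DES"}
WEAK_HASH = {"MD5"}
WEAK_GROUP = {"1:modp768"}


@dataclass
class HostReport:
    transforms: List[Dict[str, str]] = field(default_factory=list)
    aggressive_mode: bool = False
    implementation: str = ""

    def findings(self) -> List[str]:
        """Hardening findings for this concentrator, deduplicated and sorted."""
        found = set()
        for sa in self.transforms:
            if sa.get("Enc") in WEAK_ENC:
                found.add(f"weak cipher {sa['Enc']}")
            if sa.get("Hash") in WEAK_HASH:
                found.add(f"weak hash {sa['Hash']}")
            if sa.get("Group") in WEAK_GROUP:
                found.add(f"weak DH group {sa['Group']}")
        if self.aggressive_mode:
            uses_psk = any(sa.get("Auth") == "PSK" for sa in self.transforms)
            found.add("Aggressive Mode accepted" + (" with PSK: try psk-crack" if uses_psk else ""))
        return sorted(found)


def parse_ike_scan(text: str) -> Dict[str, HostReport]:
    """Group ike-scan output by responding host; skip banner, backoff table and summary lines."""
    reports: Dict[str, HostReport] = defaultdict(HostReport)
    current = None
    for line in text.splitlines():
        line = line.strip()
        parts = line.split(None, 1)
        if parts and IP_RE.match(parts[0]):
            current, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        elif current and line.startswith(("HDR=(", "SA=(")):
            rest = line          # response wrapped onto a continuation line
        else:
            continue             # "Starting ...", "--- Ignoring ...", "Ending ..."
        report = reports[current]
        if "Implementation guess:" in rest:
            report.implementation = rest.split("Implementation guess:", 1)[1].strip()
            continue
        if "Aggressive Mode Handshake returned" in rest:
            report.aggressive_mode = True
        match = SA_RE.search(rest)
        if match:
            report.transforms.append(dict(ATTR_RE.findall(match.group(1))))
    return dict(reports)


def summarize(text: str) -> Dict[str, List[str]]:
    """Host -> findings, for a quick pass over a saved ike-scan run."""
    return {host: rep.findings() for host, rep in parse_ike_scan(text).items()}


if __name__ == "__main__":
    for host, report in parse_ike_scan(SAMPLE_OUTPUT).items():
        print(host, report.implementation or "(no fingerprint)")
        for sa in report.transforms:
            print("  accepted:", " ".join(f"{k}={v}" for k, v in sa.items()))
        for finding in report.findings():
            print("  FLAG:", finding)
```

Save the transform loop's output and the --showbackoff run to one file and pass its contents to summarize(); a host whose only finding is the Aggressive Mode/PSK line is the one to follow up with ike-scan's --aggressive and --pskcrack options, as the User Guide describes.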
 
  
  
 
= Stories For Discussion =

# [http://sourceforge.net/projects/dvwa/ Damn Vulnerable Web App - new version] - [Paul Asadoorian] - I love this tool, it now supports authentication, which is cool, and a challenging thing to test for.  DVWA is kinda like your coach holding a punching pad to train you for a fight...
# [http://go.theregister.com/feed/www.theregister.co.uk/2009/09/03/apache_website_breach_postmortem/ The story behind the Apache.org compromise] - [Larry] - and now we have the details behind that compromised SSH key.  Seems reasonable, but I'm missing something about the solution of the from="" and command="" usage to keep the keys from being used from third parties. I thought that the way it happened was through a backup/restore that used the keys to copy data from one machine to the other. They compromised the backup, and used the backup to overwrite on a restore. That seems like a perfectly legitimate use of the keys, with the same source and commands...
# [http://hackaday.com/2009/09/09/windows-7-and-vista-crash-via-smb-exploit/ SMB Fail] - [Larry] - Yep, a single packet crash, as well as a bunch of other goodies for Vista, Win 7 and Server 2008.
# [http://feedproxy.google.com/~r/kees/~3/voKzLVTAND0/dutch-forensics-institute-open.html Getting lucky?] - [Larry] - Here is a good reason why password and encryption brute forcing can be good. Sometimes you get lucky. Apparently the Netherlands Forensics Institute was able to get lucky and crack the encryption on a very large store of child porn to be used as evidence. They got lucky, as the needed bits were at the beginning of the key space.
# [http://www.hackinthebox.org/index.php?name=News&file=article&sid=32951 Encrypting Facebook] - [Larry] - A Facebook app for keeping some of your updates encrypted, and viewable only by certain key holders. Wow, go see some social media security stuff to get an idea why this is bad.  Here's a tip:  Don't post it.  Also this looks like a good way for encrypting botnet C&C.
# [http://www.offensive-security.com/blog/backtrack/backtrack-4-pre-final-kernel-update/ BT4 Kernel update] - [Larry] - Ya, there have been some kernel vulns recently, and this is exactly why they went with the update method. If you use BT4, I highly suggest that you update.
# [http://pictureisunrelated.com/2009/09/10/must-unplug/ Rogue?] - [Larry] - Sometimes the easiest solution is the best. Need to get that rogue device in an organization?  Try a simple sign. Sometimes, just like social engineering, implying that you have authority is just enough.
# [http://www.computerworld.com/s/article/9137451/Court_allows_suit_against_bank_for_lax_security?source=rss_security Sued for lax security] - [Larry] - Bank customer gets owned, legit user and pass gets used to steal their money, and judge orders that the bank is negligent because they only use single factor authentication for online banking. I wonder, does this set a precedent for other types of suits like this? [Mick] SQUWWWWWWEEEEEEEEEEEEEEEEEE!!!! Is this the dawn of a new day!  Will data custodians be held accountable?
# [http://www.hackinthebox.org/index.php?name=News&file=article&sid=32961 DDoS tracking] - [Larry] - Verisign launches a new service for tracking DDoS in an attempt to note the precursors to a DDoS. Hmm, to what value really? I mean, I'd think that the ramp up for a DDoS would typically be pretty quick, giving any notification a very short window.
# [http://news.cnet.com/8301-13578_3-10320096-38.html POTUS Power!] - [Mick] - "Don't worry, we're from The Government!  We're here to help!" Oh boy! Is this a chilling bill. If we give up enough freedoms, we'll be safe, right? Right?!?
# [http://feedproxy.google.com/~r/SecurityCatalyst/~3/3OBq_S0ey4k/ Wait, did education work?] - [Larry] - It seems that maybe some folks are beginning to actually take note of phishing in their e-mail boxes - so much so that when a company sends a legitimate e-mail, many folks think it is a phishing attempt - because they use the same practices that they warn their customers about.
# [http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx?pubDate=2009-09-08 MS09-048] - [Larry] - Hmm, maybe that re-write of the TCP/IP stack should have had a few more eyes on it? What a mess. Not to mention, some of the fixes where patches are not available include a "firewall" as a reasonable defense... According to Richard Bejtlich [http://taosecurity.blogspot.com/2009/09/ms09-048-on-windows-xp-too-hard-to-fix.html it is too hard to fix on XP].
# [http://www.theregister.co.uk/2009/09/09/microsoft_windows_security_bug/ 2nd Zero Day for Windows 7 has been patched in the final version] - [MikeP.] - A vulnerability affecting Microsoft SMB2 can remotely crash the box or allow [http://www.microsoft.com/technet/security/advisory/975497.mspx remote code execution]; proof-of-concept code has been published and a Metasploit module is out.
# [http://www.newscientist.com/article/mg20327255.900-how-to-shortcircuit-the-us-power-grid.html Got batteries?] - [Mick] - Looks like it's official, the US DHS finally gets "proof" that the US power grid is hackable. (Psst! if you put it behind the firewall, *everything* will be safe!!)
# [http://www.wired.com/threatlevel/2009/09/anonymous-hacks-australia/ Anonymous not just against Xenu anymore!] - [Mick] - The folks who are famous for [http://www.youtube.com/watch?v=MSGWkcFEL44 crashing Mubix's party] are up to it again. This time, they are getting the party started with the entire country of Australia!
# [http://unu1234567.baywords.com/2009/09/10/rbs-wordpay-hacked-full-database-acces/ Holy SQL Injection Batman!] - [Paul] - Scary SQLi in the RBS web site leading to a whole bunch of sensitive information being leaked.
# [http://i8jesus.com/?p=75 Cross-protocol XSS with non-standard service ports] - [Paul] - Some interesting research going on here...
# [http://www.microsoft.com/technet/security/bulletin/ms09-049.mspx?pubDate=2009-09-08 Wireless Vulnerabilities That No One Talks About] - [Paul] -
# [http://feedproxy.google.com/~r/PenTestIT/~3/qk9KLo-1ZRk/ Another Pen Test Live CD Distro] - [Paul] - This is getting out of control now :)  However, the list of tools they added above and beyond BackTrack is really neat.  BUT, how good are the tools and do they do what you need them to?  I truly believe we all need to carve out some time each week to play around with security tools, and a Live CD is great for this.  Once you find the ones that you like, and actually work, build them into your own system, not a Live CD.

= Other Stories Of Interest =

# [http://www.wired.com/gadgetlab/2009/08/augmented-reality/ I can has terminator vision?] - [Mick] - Augmented reality is cool and could be really useful. 'Nuff said.
# [http://www.dailymail.co.uk/news/worldnews/article-1212333/Pigeon-post-faster-South-Africas-Telkom.html LAG!!] - [Mick] - Warning: This is not quite RFC 1149 compliant... I think we'll have to call this FeatherNet since birds don't wear sneakers. I wonder what DoS attacks are available? I hear protocol hacking is teh sexay so we should get right on this! dDoS via LOLCATS? IM IN UR NETWORKS EATING UR LAYER ONES!!!
# [http://spectrum.ieee.org/biomedical/bionics/augmented-reality-in-a-contact-lens/0?t# I really would like teh terminator vision] - [Mick] - There are so many potential applications of this I don't even know where to start!
 

Latest revision as of 01:53, 11 October 2014


Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

Security Weekly - Episode 167 - For Friday September 11th, 2009

  • We're looking for two interns - local to the Rhode Island area, listen to the podcast, into linux, able to lift 30 lbs, and if possible, willing to perform post-production work on the podcast. If that description sounds like you, please send us a note via psw [at] Security Weekly [dot com]
  • The Louisville Metro InfoSec Conference in lucky Louisville offers John Strand as Keynote and serves Security Weekly Asadoorian as Breakout Speaker. If that were not enough, they will also have a Capture The Flag event and Irongeek! All the above for the very low price of $99 on October 8th.
  • Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running January 11 - 16. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University. Also coming up, 617 on Calgary sometime in March!
  • Rochester Security Summit - Larry and Ed Skoudis to give Keynotes. What can get better than that? October 28 - 29 in Rochester NY!

Episode Media

mp3

The "... are those surfboards that you're trying to conceal over there?" interview with Moxie Marlinspike

Moxie Marlinspike is a fellow at the Institute for Disruptive Studies with over thirteen years of experience in attacking networks. He is the author of sslsniff and sslstrip, the former of which was used by the MD5 Hash Collision team to deploy their rogue CA cert. His tools have been featured in many publications including Hacking Exposed, Forbes Magazine, The Wall Street Journal, the New York Times, and Security Focus as well as on international TV. For money, he is a licensed USCG Master Mariner, and delivers yachts worldwide.

Moxies website: thoughtcrime.org

Moxie's tools

Do yourself a favor and read some of Moxie's stories!

Questions for Moxie:

  1. How did you get your start in information security?
  2. You live what many would consider an alternative lifestyle. Where do you get the guts to live so brazenly free?
  3. More importantly, where do you keep a totally rad server farm while on the move?
  4. SSL? Seriously dude, you are breaking the internet? Is SSL really that broken?
  5. Surely, stuff like OCSP cannot be defeated with a single character? Can you describe some of the work that goes into dissecting the protocols to find issues?
  6. What can we do to fix it? What is the next evolution?
  7. Where is your favorite port?
  8. Who has the best roofs for crashing for the night and do you have any tips for finding the best public bathrooms?
  9. Tell us about the "Institute for Disruptive Studies"
  10. What's the craziest incident or thing you've seen in your travels?


Stories For Discussion

  1. Damn Vulnerable Web App - new version - [Paul Asadoorian] - I love this tool, it now supports authentication, which is cool, and a challenging thing to test for. DVWA is kinda like your coach holding a punching pad to train you for a fight...
  2. SMB Fail - [Larry] Yep, a single packet crash, as well as a bunch of other goodies for Vista, Win 7 and Server 2008.
  3. Encrypting Facebook - [Larry] - A Facebook app for keeping some of your updates encrypted, and viewable only by certain key holders. Wow, go see some social media security stuff to get an idea why this is bad. Here's a tip: Don't post it. Also this looks like a good way for encrypting botnet C&C.
  4. Rogue? - [Larry] - Sometimes the easiest solution is the best. Need to get that rogue device in an organization? Try a simple sign. Sometimes, just like social engineering, implying that you have authority is just enough.
  5. DDoS tracking - [Larry] - Verisign launches a new service for tracking DDoS in an attempt to note the precursors to a DDoS. Hmm, to what value really? I mean, I'd think that the ramp up for a DDoS would typically be pretty quick, giving any notification a very short window.
  6. Wait, did education work? - [Larry] - It seems that maybe some folks are beginning to actually take note of phishing in their e-mail boxes - so much so that when a company sends a legitimate e-mail, many folks think it is a phishing attempt - because they use the same practices that they warn their customers about.
  7. MS09-048 - [Larry] - Hmm, maybe that re-write of the TCP/IP stack should have had a few more eyes on it? What a mess. Not to mention, some of the fixes where patches are not available include a "firewall" as a reasonable defense... According to Richard Bejtlich it is too hard to fix on XP
  8. 2nd Zero Day for Windows 7 has been patched in the final version - [MikeP.] - A vulnerability affecting Microsoft SMB2 can remotely crash the box or allow remote code execution; proof-of-concept code has been published and a Metasploit module is out.
  9. Got batteries? - [Mick] - Looks like it's official, the US DHS finally gets "proof" that the US power grid is hackable. (Psst! if you put it behind the firewall, *everything* will be safe!!)
  10. Anonymous not just against Xenu anymore! - [Mick] - The folks who are famous for crashing Mubix's party are up to it again. This time, they are getting the party started with the entire country of Australia!
  11. Holy SQL Injection Batman! - [Paul] - Scary SQLi in RBS web site leading to a whole bunch of sensitive information to be leaked.
  12. Cross-protocol XSS with non-standard service ports - [Paul] - Some interesting research going on here...
  13. Wireless Vulnerabilities That No One Talks About - [Paul] -
  14. Another Pen Test Live CD Distro - [Paul] - This is getting out of control now :) However, the list of tools they added above and beyond backtrack is really neat. BUT, how good are the tools and do they do what you need them to? I truly believe we all need to carve out some time each week to play around with security tools, and Live CD is great for this. Once you find the ones that you like, and actually work, build them into your own system, not a Live CD.

Other Stories Of Interest

  1. LAG!! - [Mick] - Warning: This is not quite RFC 1149 compliant... I think we'll have to call this FeatherNet since birds don't wear sneakers. I wonder what DoS attacks are available? I hear protocol hacking is teh sexay so we should get right on this! dDoS via LOLCATS? IM IN UR NETWORKS EATING UR LAYER ONES!!!