Episode214

From Security Weekly Wiki



Sponsors & Announcements

"And now from the dark corners of the Internet, where the exploits run wild, packets get sniffed, and the beer flows steady, it's PaulDotCom Security Weekly!"

"Sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable's Security Center extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable – Unified Security Monitoring!"

"Core Security Technologies, helping you penetrate your network. Now version 10.5, full of Jive! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool."

"Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep your web applications in check."

"And Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!"


PaulDotCom Security Weekly - Episode 214 - For Thursday October 7th, 2010.

  • Announcing Hack3rcon! The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend.
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.

Tech Segment: Paul's Nessus Scanning VM

I've been working on updating the Nessus scanning VM that I use for the advanced Nessus course. There are some tips and tricks I needed in order to get third-party tools such as Nikto and Hydra working; Nessus has plugins that are wrappers for these tools. I like to use Hydra because it lets you upload custom username and password dictionaries. My suggestion is to use a small, custom username and password dictionary for Nessus scanning: Nessus already contains plugins that test for certain default or easily guessable passwords, and Hydra lets you upload your own. Keep it small though, as every extra entry adds time to the Nessus scan. Nikto is nice too, as it tests web applications for a different set of issues.

Step 1: Failed Ubuntu Upgrade

I am running Ubuntu 9.10. I attempted an upgrade to 10.10, starting by prepping:

  • Take a snapshot
  • apt-get update and upgrade
  • reboot for kernel upgrade
  • change package repos
  • Do another update and upgrade

The upgrade completed, and I got a horrible error:

aptitude install procps
aptitude: symbol lookup error: /usr/lib/libstdc++.so.6: undefined symbol: _ZNSt7num_getIcSt19istreambuf_iteratorIcSt11char_traitsIcEEE2idE, version GLIBCXX_3.4

Thank God for the snapshot! I reversed the upgrade and will wait. 10.10 is stable in 3 days, so hopefully an upgrade at a later date will go better.

Step 2: Hydra

A new version of Hydra has been released, so of course I want the latest:

  • Download Hydra 5.8
  • Important to install in /usr/local so Nessus can find it:
 ./configure --prefix=/usr/local --disable-xhydra

Thanks to one of my students, Gebhard, these are the fixes to the Makefile needed to compile Hydra successfully on 9.10:

-XLIBS= -lssl -lncp -lpq -lsvn_client-1 -lapr-0 -laprutil-0 -lsvn_client-1 -lapr-0 -laprutil-0 -lssh -lcrypto
+XLIBS= -lssl -lncp -lpq -lsvn_client-1 -lapr-1 -laprutil-1 -lsvn_client-1 -lapr-0 -laprutil-0 -lssh -lcrypto
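Review bot: the `+XLIBS` line still carries the second `-lapr-0 -laprutil-0` pair from the original (after the repeated `-lsvn_client-1`), so the link step will still look for the apr-0 libraries even though the first pair was moved to apr-1; if the fix is a move to apr-1, that leftover pair should become `-lapr-1 -laprutil-1` or simply be dropped, since `-lsvn_client-1 -lapr-1 -laprutil-1` already appears earlier on the line.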

-XIPATHS= -I/usr/include/subversion-1 -I/usr/include/subversion-1
+XIPATHS= -I/usr/local/subversion/include/subversion-1/ -I/usr/include -I/usr/local/include -I/usr/local/subversion/include/apr-0/
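Review bot: the `+XIPATHS` line adds `-I/usr/local/subversion/include/apr-0/` while the `XLIBS` change above links against `-lapr-1 -laprutil-1`, so the compiler will see apr-0 headers for an apr-1 library; the include path should point at the apr-1 headers that match what is linked. It would also help to state where the `/usr/local/subversion/include` tree comes from, since the original `-I/usr/include/subversion-1` is dropped in favour of it and readers without a Subversion build under /usr/local will not have that directory.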
  • now build it and install it:
# make
# make install

Now you can upload dictionaries and use Nessus:

[Screenshot: HydraNessus.png]

Make sure you reduce the number of threads!

Step 3: Nikto

  • download nikto and install it:
wget http://cirt.net/nikto/nikto-2.1.3.tar.gz
tar zxvf nikto-2.1.3.tar.gz
cd nikto-2.1.3
mkdir /opt/nikto
cp -r * /opt/nikto/

Edit nikto.pl and change the path:

$NIKTO{'configfile'}  = "/opt/nikto/nikto.conf";    ### Change this line if it's having trouble finding it
  • Edit /etc/profile
export PATH=$PATH:/opt/nikto:/opt/nessus/bin:/opt/nessus/sbin
  • Re-compile and re-index the plugins:
/opt/nessus/sbin/nessusd -R
  • restart Nessus:
/etc/init.d/nessusd restart

And then you will see it in the preferences:

[Screenshot: NiktoNessus.png]
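As an added example (this is not part of the show notes or of Nikto or Nessus), here is a small POSIX shell script that applies the two Nikto wiring edits above idempotently: it rewrites the $NIKTO{'configfile'} assignment in nikto.pl and appends the PATH export to a profile file only when that exact line is not already present, so re-running it after a Nikto upgrade does not stack duplicate exports. It takes file paths as arguments and dry-runs against constructed copies in a temp directory; the nikto.pl line shown above, the /opt/nikto and /opt/nessus paths from the segment, and GNU/BSD sed with POSIX basic regular expressions are assumptions. The nessusd -R and restart steps are left to the operator.

```shell
#!/bin/sh
# Added example, not from the show notes: wire Nikto into Nessus the way the
# segment describes, but idempotently and against file paths given as arguments.
# Assumes the nikto.pl layout shown above ($NIKTO{'configfile'} = "...";) and the
# /opt/nikto, /opt/nessus/bin and /opt/nessus/sbin locations from the segment.

PATH_LINE='export PATH=$PATH:/opt/nikto:/opt/nessus/bin:/opt/nessus/sbin'

# Rewrite the value assigned to $NIKTO{'configfile'} in a nikto.pl, keeping
# whatever follows the assignment (the trailing comment) intact.
set_nikto_configfile() {
    script="$1"; conf="$2"
    sed "s|^\([$]NIKTO{'configfile'}[[:space:]]*=[[:space:]]*\)\"[^\"]*\"|\1\"$conf\"|" \
        "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Print the config file path a nikto.pl currently points at.
get_nikto_configfile() {
    sed -n "s|^[$]NIKTO{'configfile'}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*|\1|p" "$1"
}

# Append the PATH export to a profile file only if that exact line is missing,
# so repeated runs do not stack duplicate exports.
add_path_export() {
    profile="$1"
    grep -qxF "$PATH_LINE" "$profile" || printf '%s\n' "$PATH_LINE" >> "$profile"
}

# Number of times the export line occurs (stays 1 however often it is run).
count_path_export() {
    grep -cxF "$PATH_LINE" "$1"
}

# Dry run on constructed copies in a temp directory (sample contents, not the
# real files); point the functions at /opt/nikto/nikto.pl and /etc/profile to
# apply them for real.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nikto.pl" <<'EOF'
#!/usr/bin/perl
$NIKTO{'configfile'}  = "/etc/nikto.conf";    ### Change this line if it's having trouble finding it
EOF
printf 'export PATH=$PATH:/usr/local/bin\n' > "$demo_dir/profile"

set_nikto_configfile "$demo_dir/nikto.pl" /opt/nikto/nikto.conf
add_path_export "$demo_dir/profile"
add_path_export "$demo_dir/profile"   # second run is a no-op

echo "configfile -> $(get_nikto_configfile "$demo_dir/nikto.pl")"
echo "PATH export lines: $(count_path_export "$demo_dir/profile")"
```

The check-before-append in add_path_export is the part worth copying: editing /etc/profile by hand each time Nikto or Nessus is reinstalled is how duplicate and stale PATH entries accumulate on a scanning box.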

Guest Interview: Brian Honan

Mr. Honan is the European editor for SANS NewsBites and founded the Irish Reporting and Information Security Service, Ireland's first national CSIRT (Computer Security Incident Response Team). He is also the author of "ISO 27001 in a Windows Environment".


  1. How did you get your start in information security?
  2. What is ISO 27001 and why is it important?
  3. Do standards help us, or do they just set a low bar for "security" and give people a false impression that they are "secure"?
  4. What is the function of a CERT? How did you come to start the first CSIRT in Ireland?
  5. What are the benefits to a country-wide CERT?
  6. Can companies benefit from having their own CERT?
  7. What can we teach CS students about security? How do we get them to understand security?
  8. What are your thoughts on mandatory breach disclosure? Doesn't it just hurt companies to disclose a breach? What if it doesn't affect customers? How do you enforce such a law if the company handles it internally?
  9. IRISSCERT is running its annual cyber crime conference in Dublin - what's being planned? Rumor is free Guinness?

Background notes on Mr. Honan:

  • Day job is running his own consulting firm BH Consulting, providing ISO 27001:2005 advice & general security guidance
  • Teaches Masters in Computer Science in Information Security at University College Dublin
  • Works with ENISA (the European Network and Information Security Agency) and has assisted them in producing some of their white papers on security, in particular on the security awareness side of things.
  • blogs at Security Watch and contributes to the Infosecurity Network site and also to the strategy section of Irish online publication called Silicon Republic
  • COO for the Common Assurance Maturity Model which is a security/assurance standard being developed to provide vendors and customers with a transparent means of determining the security of the service offering. It is primarily aimed at cloud providers but can be applied to any IT service provider be they external or internal to an organisation. They plan to go into pilot with the model soon with a view to releasing it later this year/early next year.
  • Campaigned for mandatory breach disclosure laws to be introduced into Ireland and made submissions to the government's working group on the issue, which introduced a code of practice for mandatory breach disclosure in Ireland (1st country within the EU to do so). http://www.dataprotection.ie/viewdoc.asp?DocID=1085&m=f
  • Mr. Honan's Linkedin profile

Stories For Discussion

  1. Evil - [Larry] I'm really loving social network APIs. With them we have the ability to search for all sorts of things about people, this one for their phone numbers. This could get interesting.
  2. World's Sexiest Hacker - [pauldotcom] - Is she? She got busted as part of the Zeus botnet. Yea, it was a slow week for stories! I still think that Larry is the sexiest hacker in the world, Dennis Brown may be a close second.
  3. Topic - "Does NAC Work Good enough" - So here's the thing, as pen testers, we know that NAC doesn't slow us down. If we have physical access we can spoof a MAC address, unplug a printer and use its MAC address, or with VoIP use VoIP Hopper to jump VLANs. However, from a defensive standpoint, having NAC helps keep laptops from coming back on the network, and prevents contractors and vendors from plugging in infected systems. To that point, does segmentation really work effectively? While you can put all the HR systems on one segment, is that effort really worth it? I tend to believe that putting systems in one segment just moves the problem around. Different segments need to talk to each other, and it's not that hard to figure out what's allowed and get around it. A DMZ I believe is a good thing, but systems want to talk to each other. People will open holes, so is all the firewall administration worth the little protection it provides? I think in security we tend to move the problem around instead of fixing it. I'm saying put effort into patching your systems and monitoring your logs, rather than moving the problem around.
  4. Man in the mobile - [pauldotcom] - Bleh, too many buzzwords. However, two-factor authentication that sends you a TXT message doesn't work so well if an attacker pwns your phone. So, do better.
  5. Hacking Tire Pressure Sensors - [pauldotcom] - "The wireless sensors, compulsory in new automobiles in the US since 2008, can be used to track vehicles or feed bad data to the electronic control units (ECU), causing them to malfunction." I think hacking cars is neat, but unless there is money to be made, attackers will just yawn. Maybe there will be some pranks, but I don't see this being a huge concern.
  6. Tricking folks into security services? - [Larry] - I wonder how something like this would go over in our industry? I have a feeling not very well. Although I think for a parallel, in our industry if we are able to sneak something in like this, we're in, not just with trickery.
  7. iPhone app data - [Larry] - Buyer beware I guess? But, how would the average consumer ever know? Phone UDIDs (Unique IDs) can be grabbed by the API, and sent via app with other personal information, although it is "prohibited". Some even in cleartext...

Other Stories of Interest