From Security Weekly Wiki


PaulDotCom Security Weekly - Episode 245 for Thursday May 26th, 2011.

  • The first episode of PaulDotCom Espanol is available here. We have more interviews coming in the weeks ahead....
  • Sign up for Blackhat Training Courses:
    • PaulDotCom Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
    • Tenable Security Blackhat Training Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2

Special Spiritual Journey: A.P. Delchi, Spiritual Advisor, Attack Research



Watch the live video version of this segment above. For more videos and to subscribe to PaulDotCom TV visit http://pauldotcom.blip.tv

Download the Audio (MP3) Version of this segment here!

A.P. Delchi started out with a TRS-80 and a dream: to prevent Valsmith from breaking into a secured computer network. Since realizing this dream, he's resigned himself to rocking the house as a DJ for the Cult of the Dead Cow, covert operations for the Ninja Strike Force, professional power drinking with the 303, and giving spiritual guidance to Attack Research & Offensive Computing.

Proper Bio:

A.P. Delchi started out with a TRS-80 and a dream: to escape farm country. Since then he has derailed his professional career by associating with the hacker community. This includes rocking the house as a DJ for the Cult of the Dead Cow, covert operations for the Ninja Strike Force, professional power drinking with 303, and giving spiritual guidance to Attack Research & Offensive Computing. Taking a break from these stressful activities he has presented at Pumpcon, Defcon, HOPE, and professional engagements discussing information and physical security, automated reverse engineering, network analysis and incident response. In-between bouts of employment, he has also authored the someday-to-be-published graphic novel CHOWN. Utilizing this unique background and a list of accomplishments that cannot be discussed in polite company, he has achieved the holy grail of network defense: being able to prevent Valsmith from breaking into a secured computer network.

The meaning of Life. Do not click until you are ready to achieve enlightenment.

  1. Based on your DefCon talk, you know a thing or two about physical security. What is the number one thing that most high profile/high risk firms are doing wrong when it comes to physical security?
  2. What's the easiest way you've bypassed a high security firm's perimeter?
  3. How much does *good enough* security actually cost, based on your experience?
  4. Based on your bio [above], which is more dangerous - power drinking with the 303, or covert ops with Ninja Strike Force?
  5. Tell us about some of your research into Chinese Injection.
  6. Does the trend of the attacks from that research still show Eastern Europe origin obfuscation into Chinese IP address space? What in your estimation is the ratio of TRUE Chinese attacks vs. the rest of the world using Chinese IPs as a scapegoat?
  7. Has the MIT C.E.O S.O.B. ever realized you memorialized him in a web comic?
  8. What does the role of Spiritual Advisor do at Attack Research, or for the industry as a whole?

Guest Technical Segment with Moxie Marlinspike

Moxie Marlinspike is a fellow at the Institute For Disruptive Studies and co-founder of Whisper Systems. He's worked as a software engineer, hacker, sailor, captain, and shipwright. He recently published the null-prefix attacks on X.509, the session-denial attacks against OCSP, and is the author of both sslsniff and sslstrip.

Check out Moxie's awesome film, Hold Fast!

Follow Moxie on Twitter

  1. Tell us about Whisper Systems - what drove you to create the company?
  2. Is a version for iOS on the horizon?
  3. Could you ask Moxie if/when he plans to support other Android systems for WhisperCore? (especially the Samsung Galaxy S)
  4. Tell us how the encryption works for the Android devices.
  5. Can the SD Card be put in another device (like a PC) and decrypted using the passphrase?
  6. Do you have any stories of people who have used RedPhone or other products in oppressive regimes?
  7. Do WhisperCore and the WhisperMonitor firewall block Google's tracking of your data?
  8. Does WhisperCore work on Android tablets? How is it different from the encryption in the Honeycomb operating system?
  9. Tell us about your upcoming BlackHat class - what do you hope folks will take away from it?
  10. Can you share any good stories from your sailing days?

Stories For Discussion

PaulDotCom Blog Roundup

Larry's Stories

  1. ooooh, maps - [Larry] - Now, I'm a sucker for an awesome visualization. Take the last section of your logs (i.e. the tail) and have this tool geolocate by IP address and put some nice little lights on a map. Might be neat for seeing how many visitors are coming from China to your site (I mean, you do business in China right?), and see China light up on the map. This might be a neat visualization tool for analyzing honeypot logs. Paul, is this bringing sexy back?
  2. Who stole the files in my BUKKIT? - [Larry] - I have to hand it to Robin Wood (@digininja) for creating Bucket Finder, a tool for brute forcing Amazon cloud storage Buckets. The tool takes a wordlist and tries to see if an Amazon Bucket exists for this name. If so, it tries to determine if it is a public or private Bucket. Robin did a great write up of his testing for some limited Buckets, and the content that they contained - about 5% are public, and of those, Robin claims, most are personal photo or mp3 storage. Some, however, contain sensitive information such as SSNs and a "bunch of other documents that shouldn't have been online". These are the types of things that scare the crap out of me about "cloud". To me it seems as if we are having to re-live some of the same old things that we learned in 1998 about putting things on the internet. On another note, when you create a Bucket, it is private by default, so you have to make it public. How about folks that upload to your Bucket, do they know it is public? Or how about taking a private Bucket public without examining the contents first…
  3. Get your free 'sploitkit here! - [Larry] - We're seeing a nice little arms race of exploit kits coming out free, or having source code leaked. Is this just a way to get our first one for free, and get hooked into buying more? Now that just about ANYONE can get into cybercrime (DRINK!) if you know where to look, at little to no cost, I suspect that we'll see more of it as well as some code forks with very interesting new features and innovations. To sum up a quote from the article: "If the ZeuS leak was like giving a machine gun away for free, giving away exploit kits is like providing the ammo," said Aviv Raff, CTO at security tools firm Seculert.
  4. do you have a facebook page? - [Larry] - oh, you do, but you can't get there from work? does your company? Wait, how'd they do that? A great discussion (part 1 of 2) from @jruffer over at socialmediasecurity.com on exceptions to corporate policy for marketing departments to get access to Facebook, capturing credentials and then exploiting that "buy now" link to send you to exploit sites, all because the exception was made without any other security considerations, by people and with people that have less than a clue about security.
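
For the "public or private" check Larry describes in the Bucket Finder story, here is an added example (not Bucket Finder's code, nor anything from the show) written from the bucket owner's side: a small Python audit of your own buckets' ACLs that flags grants to the AllUsers or AuthenticatedUsers groups, which are the grants that make a bucket listable by strangers. The bucket names and ACL documents are constructed; in real use they would come from boto3's get_bucket_acl().

```python
# Added example: audit S3 bucket ACLs for the group grants that make a bucket
# "public". The ACL dicts are constructed by hand in the shape that
# boto3's s3.get_bucket_acl(Bucket=name) returns, so the check runs offline.

# S3 group grantees that expose a bucket beyond its owner.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTH_USERS: "any AWS account"}


def public_grants(acl):
    """Return [(permission, who)] for every grant made to a public group.

    A READ grant lets the grantee list the bucket (what a bucket scanner
    reports as 'public'); WRITE or FULL_CONTROL is considerably worse.
    """
    exposed = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if who:
            exposed.append((grant["Permission"], who))
    return exposed


def audit(acls):
    """Map bucket name -> 'private' or a description of its public grants."""
    report = {}
    for name, acl in acls.items():
        grants = public_grants(acl)
        report[name] = "private" if not grants else (
            "public: " + ", ".join(f"{perm} by {who}" for perm, who in grants))
    return report


def owner_only(owner_id):
    """Grant list of a freshly created bucket: only the owner, FULL_CONTROL."""
    return [{"Grantee": {"Type": "CanonicalUser", "ID": owner_id}, "Permission": "FULL_CONTROL"}]


# Constructed sample ACLs for three hypothetical buckets.
SAMPLE_ACLS = {
    "hr-documents": {"Owner": {"ID": "owner-1"}, "Grants": owner_only("owner-1")},
    "photos-backup": {"Owner": {"ID": "owner-1"}, "Grants": owner_only("owner-1") + [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "partner-dropbox": {"Owner": {"ID": "owner-1"}, "Grants": owner_only("owner-1") + [
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]},
}

if __name__ == "__main__":
    for bucket, status in audit(SAMPLE_ACLS).items():
        print(f"{bucket}: {status}")
```

Run the same check over the output of get_bucket_acl() for every bucket in the account; anything not reported as "private" deserves the content review Larry asks for before it is left that way.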

Paul's Stories

  1. 4 tips to get a CFP submission accepted - I love going to conferences, and so many of us love attending and speaking at conferences. I've had the pleasure of speaking at several conferences lately, and it's been great. Speaking at a conference starts with a CFP submission, and sometimes you get accepted and sometimes you don't. Jeremiah Grossman has some excellent tips, including 1) The BIO - differentiate and build credibility, 2) Title & Abstract - Get to the point!, 3) Submit early, submit often, 4) Follow-up and be responsive. One other thing, I think it's great we have all these conferences. Some say we have too many, I say there are never enough! When we can get together and share ideas, it's a win! I think it also shows how compassionate we are about what we do.
  2. Apple admits it has malware - Okay, well, duh! We all knew this was coming, and I think there are a lot more pwned Macs out there than people realize. Operating system protections in OS X are weak, as are monitoring tools, and users believe they don't get viruses. Let the pwning continue!
  3. Harvard Hosting Porn! - "Score! Get the lotion!" Chapman said in his online article, "Harvard.edu: An Ivy League Pornographic Playground," that he discovered pictures of naked women in addition to explicit language and links on a Harvard physics council Wiki site and a Harvard Law blog. So, check this out, it's actually really easy to scan all of your web sites to 1) see that it's easy to host random content and 2) if they are hosting porn. Obviously folks in EDU are not doing this, as I was dealing with this problem when I worked at a university. I believe technology exists to find the low hanging fruit vulnerabilities in web sites, which is all the attackers are going after in this case. This could easily have been XSS, but then again, no one at EDU cares about that either. Maybe they care that they are hosting porn, but it's clear that the message of security goes through fits and starts in the academic space. Usually, really bad things happen, and most people fix the problem. But fixing the problem makes it hard for users, so they reverse the security, until something bad happens again, rinse, lather, repeat.
  4. Adult Content Filter Listens for Sounds of Porn - "researchers from the Korea Advanced Institute of Sciences and Technology keyed in on audio from pornography, which is distinct and easy to detect." All I have to say is, "ooooooooohhhhhhh ahhhhhhh baaaaaabbbbby"
  5. Wake up: PLCs are still vulnerable - Putting random code on systems is bad, there is this thing called integrity, and vulnerabilities seem to ruin the integrity of devices. Even more amazing, no one seems to care. Several researchers are proving that SCADA systems are vulnerable, and everyone ignores this. I think we all need to start looking hard at embedded systems vulnerabilities, and force the vendors to start producing secure code. If you, as the customer, start complaining, and telling other customers to complain, maybe, just maybe, people will listen. Having said that, where can we educate people on easily finding these vulnerabilities? I think that's our best shot.
  6. Internet Explorer is still the problem: "cookiejacking" - HITB presenter just released some techniques for cookie stealing. Everyone loves to support IE, but when will we realize that it's not a secure platform? Here's another case where we need to convince vendors to act. Support all major browsers, I believe Chrome and Firefox can offer a lot more security than IE. There, I said it, now you can send me hate mail because all the apps you bought require IE.