PaulDotCom Security Weekly - Episode 249 for Thursday June 23d, 2011.
- This month's Late Breaking Computer Attack Vectors webcast will be given by Carlos on Wednesday June 29th at 2 PM EDT
- Los tres primeros episodios de PaulDotCom Espanol con Julio Canto, Lorenzo Martinez, y Chema Alonso esta disponible aqui. Tenemos mas entrevistas en las semanas que vienen....
- Sign up for Blackhat Training Courses:
- PaulDotCom Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
- Tenable Security Blackhat Training Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
- DerbyCon : Louisville, Kentucky – September 30th to October 2nd. Catch Carlos Perez's training session - "Automating Post Exploitation with Metasploit" Friday and Saturday of the Con from 4:00PM to 9:00PM.
- Don't forget to Read our blog, Participate on our mailing list, Visit PaulDotCom Insider, Follow us on Twitter, Join the IRC channel at irc.freenode.net #pauldotcom, and Watch our Videos!
- You can Add us on Facebook where we can be "friends"
Interview: Chris Gates
Chris joined the original Titan Team (Lares) in 2011 as a Partner & Principal Security Consultant. Chris is a member of the Metasploit Project, a major contributor to the carnal0wnage attackresearch blog and is known to enjoy business logic flaws, misconfigured databases and the occasional client-side attack.
Chris joined Lares in 2011 as a Partner & Principal Security Consultant. Chris has extensive experience in network and web application penetration testing as well as other Information Operations experience working as an operator for a DOD Red Team and other Full Scope penetration testing teams. Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his CISSP, CISA, GPEN, GCIH, CEH, and Security+. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, ChicagoCon, NotaCon, and CSI. He is a regular blogger carnal0wnage.attackresearch.com and is also a regular contributor to the Metasploit and wXf Projects.
- How did you get your start in information security?
- What's the distinction you make when you say that "repeatable" pentests are really vulnerability assessments (with exploitation) vs. actual pentesting
- What do you consider to be a successful penetration test?
- What are some of the things organizations typically are missing in their security programs?
- Which is better for you on a penetration test: SQL injection or easily guessed password(s)?
- How do you get potential customers to sign-on to a "real" penetration test? Social engineering in the pre-engagement phases?
- What is the Web Exploitation Framework?
- What's the difference between w3af and the wXf framework?
- Will wXf ever be part of Metasploit?
- Tell us about your research such as the recent Attacking Oracle Web Applications With Metasploit talk
- We need to start a drinking game - this time based on how many times Chris says "fuzz" or "fuzzing".
Tech Segment: Catching base64 on the network with Kevin Fiscus of NWN Corportation
Kevin is a security architect and consultant with 2 decades of experience in information technology and a decade in compliance, which we won't hold against him. He is currently the Director of NWN Corporation's Security Technology, Assessment and Response (STAR) Team
Kevin will be on to discuss work he's been involved with detecting base64 using Snort. Instead of detecting basic web authentication, he'll be going over other malicious uses for base64 encoding including evading DLP systems that don't involve basic web authentication. Specifically, using snort and a variety of regular expressions to catch base64 on the network.
Stories For Discussion
PaulDotCom Blog Roundup
- Penetration Testing The Insane - Wow, just when I thought we had beat this topic to death, out comes Pete Herzog with a refreshing look at security and testing. The first thing you have to realize is that vulnerability and patch mangement only take you so far. This is sorta like the new firewall, while it provides some protection, it still leaves you feeling vulnerable and awake at night at 3am asking yourself if you're going to be the next RSA or Sony. Pete calls for a return of real penetration testing. The type of testing that is going to look deep into your environment, tie systems together, string up multiple small vulnerabilities, and tell you where your real problems are. The problem is, no one wants this type of testing. I think its two reasons, they know you will find holes, and its cheaper to just run a vulnerability scan and limit scope to finding stuff that in the end, really doesn't matter.
- Is your email address worth more than your credit card number? - Sounds silly at first, but what hurts more? Your email address can be used for targeted attacks, and access to your email account is even worse. To expand upon what Rich stated, what is worse having your credit card stolen online or someone gaining access to your email? Email is used as a form of authentication, several service rely on access to email as authentication. Same with your phone. Example: Emailing or Texting your forgotten password. Don't sit here and tell me you've never forgotten your password to something either. Credit card theft has not become your problem, its the merchants and providers. So, I agree, your email is worth more at this point.
- ModSecurity Challenge - Are you one of those people who laugh in the face of the al mighty WAF? Then this is for you, a contest to test ModSecurity and try to hack a site protected by it from the Trustwave interior. They have setup Modsecurity to proxy 4 insecure web site demo sites, so hack away!
- Dear Vendor, No more "IE only support" - The user, yes the user, has the right to choose the browser. There, I said it. I mean, we should be able to choose our own operating system, right? There are a lot of reasons to give people a choice, personal preference, mobile devices, and more. Its like saying, "You're invited to this great party, but you have to drink Coors Light". Yes, IE is the Coors Light of browsers.
- Staples Sells Computer Equipment with User Data - Don't forget to wipe (those of you with toddlers can appreciate this). Its simple to remove the data from your device, so don't leave it up to a place like Staples, because they forgot to wiepe some of the used gear they were selling in Canada, eh. An audit found a good percentage of systems that had not been wiped. Yikes.
- Its Not About Protecting Your Crack - So there is a lot of buzz lately about cracking passwords. JTR getting bought, GPUs with enormous crack...ing power, etc... But really, as Carole says, if an attacker gains access to your hashed passwords, thats the real problem, not how long it takes to crack them. Don't get me wrong, in a penetration test, this can be useful, as people re-use passwords. But lets look at why your hashes are getting stolen, and fix that problem. Carole made a good analogy, "Using the time it takes to crack a password as a measure for security is like measuring the speed of bullets coming at your head". Well put.
- Open Source Secure Solution to Dropbox - Our good friend Xavier shows up how to use gpgdir to create secure file storage. Nice, I wish more people would use gpg for things like this. Take a poll and ask people if they use encrypted email or file sharing, then cry after you tally the results.