Difference between revisions of "Episode258"

From Security Weekly Wiki
Line 42: Line 42:
  
 
== Larry's Stories ==
 
== Larry's Stories ==
 +
#[http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/ Reverse SSH via TOR on the Pwnie Express] - [Larry] - Thanks Seb! So, got your Pwnie express installed in a victim, er client, but all of your services outbound don't work, or are monitored too closely?  How about tunneling the traffic over TOR?  Well, now you can.  This may be a great option for using your evil Pwnplug, but it may also be good for some legitimate uses too.  On another note, SJ has also released some setup automation [http://www.securitygeneration.com/security/pwniescripts-for-pwnie-express/ scripts] for the server setup at his blog as well.
 +
#[http://37signals.com/svn/posts/2992-while-setting-up-an-account-at-the-national ok, passwords are bad…] - [Larry] - …but these security questions aren't getting any better either. Really, "What is your preferred internet password?" Really, pick something better.  I do like some of the comments for, if possible making up your own (or more from [http://www.schneier.com/blog/archives/2010/04/fun_with_secret.html Scheneir]: Q: Would you like to go on a date with me? A: Sure, Friday is free. Let me know where to pick you up.  So how do we solve these type of problems, that make it easy for users?
 +
#[http://www.scmagazine.com.au/News/271391,us-uni-warned-then-hacked.aspx Fix?  No, hack.] - [Larry] - How long does it take to fix XSS on the University of Vermont web site?  More than a month apparently after reporting, and the individual that reported got frustrated, and then went and hacked the site to prove a point.  Now I don't agree with the end method, but I do think that a month was too long to fix.  I think this may be a case of political issue getting things fixed (a problem!) or some folks not understanding the issue with XSS (a problem!). How long has XSS been around for, and why are folks still just not getting it?
 +
#[http://isc.sans.edu/diary.html?storyid=11527&rss Should we still test patches?] - [Larry] - Rob has some great discourse here about the volume of patches that most companies have to deal with from both an OS, application amd client app stand point.  The argument is that do we have time to test the volume of patches, or do we potentially remained owned for up to a year? Sure we get a "bad patch" and maybe that one takes us out for a day, and that's an acceptable risk…but what about when you deploy a GOOD patch to all of your workstations the breaks your mission critical application?  Discuss.
 +
#[http://blog.c22.cc/2011/09/04/ssl-certificate-impersonation-for-shits-and-giggles/ Impersonating…ChrisJohnRiley?] - CJR created a metasploit module for connecting to and capturing an SSL cert, and generating a fake one using as many values as possible  from the valid cert.  One neat trick he points out - make the cert expire "yesterday"…oops, that must be the problem.
  
 
== Paul's Stories ==
 
== Paul's Stories ==
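
Review bot: in the second added item, the parenthesis opened at "(or more from" is never closed, and the linked name is spelled "Scheneir" while its URL points at schneier.com; close the parenthesis after the quoted Q/A and correct the spelling. The fourth added item has "amd" for "and", "remained owned" for "remain owned", and "the breaks" for "that breaks". The fifth item is the only one without a "[Larry]" tag; add it if the story is his, so attribution matches the other four.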

Revision as of 17:56, 8 September 2011


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 258 for Thursday September 8th, 2011.

  • Jack wants to hear if you've experienced Sec Burn Out, so target your firm for a replacement.
  • We're spinning up a new mini-podcast/videocast and we're looking for topics from our listeners.

Guest Interview: Alex Hutton

7:30 PM EDT

Alex Hutton is Director of Operational Risk at A Financial Institution and was formerly Sr. Analyst in Risk Intelligence with Verizon Business. Alex has served as an information risk and security consultant for over 15 years, serving companies from the Fortune 10 to the SMB market. In 2007 ITSecurity.com named Alex one of the industry's 59 most influential people.

Special Guest Tech Segment: Chris Grier talks about The Commoditization of Malware Distribution

8:15 EDT

Chris is a security researcher who works for Vern Paxson as a postdoc at ICSI and Berkeley, and is on tonight to give us a walk-through of his paper "Measuring Pay-per-Install: The Commoditization of Malware Distribution".

You can find Chris' other research here.

  1. You've done quite a bit of research on underground economics - how much money are honest people leaving on the table?
  2. What is your estimate for Twitter traffic that is solely Spam?
  3. Your "Click Trajectories: End-to-End Analysis of the Spam Value Chain" paper lists just 3 banks for the spam transactions. Did you have any hypotheses about how these 3 banks got so involved with this business?
  4. Tell us about the Geographic Distribution of malware findings for the Pay Per Install paper.

Stories For Discussion

Blog Round Up

Larry's Stories

  1. Reverse SSH via TOR on the Pwnie Express - [Larry] - Thanks Seb! So, got your Pwnie Express installed in a victim, er client, but all of your services outbound don't work, or are monitored too closely? How about tunneling the traffic over TOR? Well, now you can. This may be a great option for using your evil Pwnplug, but it may also be good for some legitimate uses too. On another note, SJ has also released some setup automation scripts for the server setup at his blog as well.
  2. ok, passwords are bad… - [Larry] - …but these security questions aren't getting any better either. Really, "What is your preferred internet password?" Really, pick something better. I do like some of the comments for, if possible, making up your own (or more from Schneier: Q: Would you like to go on a date with me? A: Sure, Friday is free. Let me know where to pick you up.) So how do we solve these types of problems, that make it easy for users?
  3. Fix? No, hack. - [Larry] - How long does it take to fix XSS on the University of Vermont web site? More than a month apparently after reporting, and the individual that reported got frustrated, and then went and hacked the site to prove a point. Now I don't agree with the end method, but I do think that a month was too long to fix. I think this may be a case of political issue getting things fixed (a problem!) or some folks not understanding the issue with XSS (a problem!). How long has XSS been around for, and why are folks still just not getting it?
  4. Should we still test patches? - [Larry] - Rob has some great discourse here about the volume of patches that most companies have to deal with from both an OS, application and client app standpoint. The argument is that do we have time to test the volume of patches, or do we potentially remain owned for up to a year? Sure we get a "bad patch" and maybe that one takes us out for a day, and that's an acceptable risk…but what about when you deploy a GOOD patch to all of your workstations that breaks your mission-critical application? Discuss.
  5. Impersonating…ChrisJohnRiley? - CJR created a Metasploit module for connecting to and capturing an SSL cert, and generating a fake one using as many values as possible from the valid cert. One neat trick he points out - make the cert expire "yesterday"…oops, that must be the problem.

Paul's Stories