From Security Weekly Wiki

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 259 for Thursday September 15th, 2011.

  • Don't forget to check out Hack Naked TV - where John Strand promises to record from an airport bathroom near you!
  • We're spinning up a new mini-podcast/videocast (Hack Naked at Night with Larry and Darren) and we're looking for topics from our listeners - specifically, what type of pentest device do you want us to build out of a Roomba? Send suggestions to psw@pauldotcom.com

Guest Interview: Dino A. Dai Zovi

7:30 PM EDT


Dino's blog

  1. In your Source Boston Keynote you talked about Attacker Math - what was the keynote about?
  2. Why might Java be a preferred vector for exploits and attacks?
  3. Explain the reasoning why Exploiting the kernel is the cheapest path from Unprivileged Native Code Execution to Privileged Code/Command Execution
  4. Tell us about JailBreakMe's significance.
  5. How did you come up with the reasoning that "The cost to discover and reliably exploit a vulnerability in a particular product is less than the sum of a claimed Pwn2Own prize for that product, the value of the laptop, and the value of fame to that researcher"?
  6. If your defense is cheaper than their offense, you will gain the advantage - give us some examples of cheap defense that leverage very well.

Carlos' questions for Dino

  1. Will the Meterpreter-like implementation on OSX be finished?
  2. Has he taken a look at the comments in the rails code that form part of the profile manager backend in OSX Lion Server?
  3. With Apple making such big blunders with the LDAP auth, the delay on the DigiNotar revocation and the problem with validating certificates, does he believe the security of the product was vetted properly? Could this be another "Vista: introduce a secure OS but mess up much other stuff" release?

Guest Tech Segment: Elie Bursztein talks about An Analysis of Private Browsing Modes in Modern Browsers

8:15 EDT

Elie Bursztein is a postdoctoral researcher at the Stanford Security Laboratory. His research combines the advances in machine learning, cryptography, data mining and HCI to create more usable and secure systems. He's on tonight to take us through some of the security weaknesses in Private Browsing modes.


  1. Explain the distinction you're making when you indicate "Firefox and Chrome, [attempt] to protect against a local attacker and take some steps to protect against a web attacker, while Safari only protects against a local attacker."
  2. How do browser extensions undermine private browsing modes in the various browsers?
  3. Does each of the browsers handle its extensions the same way in private browsing mode?

Elie's website

Elie on twitter

Stories For Discussion

Blog Round Up

Larry's Stories

  1. AR Drone anyone? - [Larry] - AR Drone retrofitted with an SBC and 3G connection, finds your wireless networks, pwns then scans your networks. Then once boxen are pwned, they will connect outbound to your server. Guess who put my ideas for a partially finished project. On another note, I think I need to go to USENIX Security next year.
  2. Packet craft VM - [Larry] - Want to get down with your packet foo? How about this Live CD from Mike Poor inguardians/packetstan? Boot it up and all the tools you will need to capture, analyze, craft and replay packets are there. This sounds like a great companion to TCP/IP Illustrated.
  3. Typosquatting pwnage - [Larry] - So, here's another take on the evil twin attack - typosquat domains that are similar to real ones, then accept all incoming information. Evil twin? Yeah, go register all the domain names similar to subdomains - i.e. se.ibm.com vs. seibm.com. It was shocking to me to see that the research captured 20 GB of data in just a short period of time, just on people's mis-typing. I'd love to see the results of some of our e-mails over at paul.com
  4. Dude, where's {my|your|anyone's} car - [Larry] - Australian shopping mall rolls out iPhone app so that you can find your car when you forget where you parked in the garage. Just plug in your plate number, and it uses the garage camera system with license plate recognition to tell you where it is. There are at least two problems: One, you can search for ANYONE's plate to see if they are there. Two, portions of the API were posted publicly (read as leaked) on a text sharing site, which in combination with analyses of the URLs used by the app allow for public querying from the internet, without the app. So, aside from the privacy issue, how is that DLP solution looking?
  5. [1] - [Larry] - Luigi Auriemma wants information to be free, so true to his word he released a metric buttload of vulnerabilities (with associated instructions) for 6 different SCADA manufacturer systems.

Paul's Stories

  1. Microsoft Patch Tuesday Roundup - September 2011 - Do you know where your sensitive data lives? Have you ever tried to find it? Try this: look inside documents and shares for credit card and SSN numbers. Scan your network for all open shares, look for common document names and types. Once you find it, make sure it should be there, then patch those systems first! One of the things that vulnerability management should answer for you is where the sensitive data is, which systems are missing patches, and which of the vulnerabilities on those systems have a public or semi-private exploit?
  2. Return of the BIOS trojans - I can't believe we are not seeing more of this! Then again, there are so many different motherboards, with different BIOS chipsets, at different versions, with different ways to flash them, that, okay, I guess that's why we haven't seen more of them! However, if this becomes more of a problem, you will want to add re-flashing the BIOS to your list of system rebuild instructions. Yeah, it's an extra step, but think of how much work you are saving in the long run by not re-infecting your machines over and over. The tricky part comes when malware starts getting into all your hardware subsystems, and now you have to reflash the graphics card, sound card, SATA bus, etc...
  3. The drones are here for your wireless - This little GuruPlug looks interesting. Didn't catch the price, but anything that can be small and dropped off in a network is a sure win.
  4. Can you win the lottery too many times? - Can you win the lottery 3 times? What would you do to look for fraud in this case? Where is the security breach? Kind of an interesting case of forensics.
  5. Defining an Achievable Network Segmentation Process - Should be called defining the "unachievable". He lists the following items to achieve network segmentation: gain visibility of traffic, users and assets; protect communications and resources on both inbound and outbound requests; implement granular controls on traffic, users and assets; set a default deny policy on all inter-segment connections. I'm not a big fan of network segmentation on a granular level. Let me give you some examples. First one that works: on a university network, separate the students from the rest of the network. You don't own the student machines, so treat them pretty much like the rest of the Internet. Now, this is not without problems. Students take their computers with them, connect them to wireless, and they end up spread out all over the network. Also, treating them like the Internet works to a point, unless you are certain that everything available to students is available to the Internet? Maybe, maybe not, and here is where it comes unraveled: exceptions. There will always be exceptions to network segmentation, and once there is an exception, attackers will exploit it for all it's worth. The worst part is, you thought you were protected because you segmented your network. WRONG! How about this: fix your security weaknesses and exposures, make that priority #1, then do some segmenting. Segmenting just tries to mask the problem, like spraying cologne on yourself after you've just taken a swim in your septic tank....
  6. TWiT.tv - malware infects Leo Laporte's website - Infected, doh! I know they run Drupal, tough beast to tame. It's getting more and more difficult to maintain a site that accepts content from the end user. If security wins over everything else, your web page looks like something from 1996, and the best you can do for dynamic content is the blink tag (personally, huge fan of the blink tag). However, you have all of these wonderful tools available to you that allow people to interact with your site, and even generate content. Usually these sites get 0wned at some point, so you can land on one end of the spectrum or the other, and just be prepared to have a good backup plan and incident response if you allow users to do too much, or you have a greatly complicated site, like Drupal.
  7. FBI hunt hacker over nude Scarlett Johansson photos - If you are a celebrity, you should just have someone mock up some nude pictures of yourself. Make sure they are good too, ones that make you look all sexy. Then, publish them, and then no one really cares if someone steals nude pics of you, because everyone has already seen you naked. Now, other than our slogan being hack naked, why are we covering this story? Marcus Ranum, who also takes nude photos sometimes, lists this defensive mechanism in one of his talks. It's a great idea, right: create some fake data, some fake servers, let people hack into them, and that will keep them occupied. But keep the real data safe. Or, leak all the real data. So, if everyone's credit card number was public, there would be no market for stolen credit cards. Okay, that's an extreme case, but you get my point, I hope.
  8. Sophos says Windows 8 anti-virus will be skirted - So, Microsoft will include AV in Windows 8, no big surprises here, I just hope it's good. AV companies are pissed off, but hey, that's nothing new. Microsoft has to show that they care about security, their customers have demanded it, and they have enough lawyers to fight anti-trust suits; their track record shows that too. I say this is a good thing, let Microsoft do some AV stuff, then tack on other products to detect and prevent other nasties. I don't believe Microsoft will have an all-encompassing AV product, but maybe they can do the easy low hanging fruit stuff, which forces AV vendors to tackle the harder stuff. So, I approve (now drink because Paul is supporting Microsoft, but still loves his Mac)
  9. Iron Geek: Building a Svartkast with a pretty pink Pogoplug Cheap hardware to leave on someone else's network - Another awesome drop box, I like the pink :)
  10. State of network password cracker art - Comparison Of Features and Services - hydra - Hydra rules, period. New version is awesome, it cranks away hard and fast against your targets. This document shows the speed comparison. Suggestion for folks who run enterprise networks: take your last 3-5 passwords on all of your systems and network gear that you commonly used, and configure Hydra to go test your entire network. You will have to script some stuff, but this is a great way to test your passwords, and make sure no device is still using an old password.
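Paul's first story suggests looking inside documents and shares for credit card and SSN numbers before deciding what to patch first. The following is an added example (not from the show or its hosts) of a small scanner that does that: it flags card-shaped digit runs only when they pass the Luhn checksum, drops SSN-shaped values in ranges never issued, and walks a directory or locally mounted share. The sample text is constructed.

```python
# Added example, not from the show notes: scan text for card numbers (Luhn-checked)
# and SSN-shaped values, then walk a directory or mounted share and report hits.
from __future__ import annotations
import os
import re

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_valid(digits: str) -> bool:
    # Luhn checksum: double every second digit from the right, subtract 9 if > 9
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    # Candidates that look like a PAN but fail Luhn (order numbers, IDs) are dropped
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def find_ssns(text: str) -> list[str]:
    # Drop area/group/serial values the SSA never issues (000, 666, 9xx, 00, 0000)
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits

def scan_tree(root: str) -> dict[str, dict[str, list[str]]]:
    # Walk a directory (or a share mounted locally) and report files with hits
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            cards, ssns = find_card_numbers(text), find_ssns(text)
            if cards or ssns:
                report[path] = {"cards": cards, "ssns": ssns}
    return report

# Constructed sample: one Luhn-valid test PAN, one 13-digit order number that
# fails Luhn, one valid-shaped SSN and one with an unissued area number
SAMPLE = "card 4111 1111 1111 1111; order 1234567890123; SSN 123-45-6789; ref 000-12-3456"
```

Running `scan_tree("/mnt/share")` over a mounted share returns a dict keyed by file path; files with no hits are omitted, so the output is directly the list of places to check and patch first.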