Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 279 for Thursday March 8th, 2012
- John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing and Defenses 5 times this year: vLive!: April 16 - 22, 2012; SANS Cyber Guardian 2012, Baltimore: April 30 - 06, 2012; SANS Toronto 2012, Toronto: May 14 - 20, 2012; Community SANS Ottawa, Ottawa: June 11 - 17, 2012; SANS Sydney 2012, Sydney, AU: November 12 - 18, 2012
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, PaulDotCom Espanol with Carlos Perez.
- Subscribe to our only non-computer-security-related show, dedicated to cigar enthusiasts: Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Whether you smoke an occasional cigar or daily, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".
- Security BSides everywhere: Iowa, London, Chicago, Austin, Charleston, more. http://www.securitybsides.com/
- Don't forget to Follow us on Twitter
Interview: Tanya Baccam
Tanya is a SANS senior instructor, courseware author and consultant on perimeter security, network infrastructure design, system audits, and Web server security. Tanya is a widely respected expert on Oracle Database security and owner of Baccam Consulting.
- Tell us how you got your start in Information Security
- Has the threat landscape changed towards databases since you began to focus on database security?
- What are your top things to check when it comes to tightening database security? What are some of the quick wins that companies should look at for database security?
- What tools do you use in your everyday work to defend and validate the information in your client's databases?
- What are your favorite tools for securing the perimeter?
- Should penetration tests be separate from audits?
- Where should the penetration testing teams report to, IT? Seems like there is a conflict of interest...
- Do auditors need to be more technical or do we need a new role in audit for technical folks?
- I once suggested that it was frustrating that executives listen to auditors and not penetration testers. Is this, in your opinion, because penetration testers simply do not have the right communication skills (as was suggested very rudely by a listener in email) or is it because penetration testers don't ever have good news for executives?
- As we move towards a mobile workforce, have database vendors kept up with security or are they falling behind?
Guest Tech Segment: Doug Burk on Security Onion
Doug Burk is a SANS GSE and Community Instructor, Network Security Monitoring enthusiast and author of Security Onion. He's on to give us an overview of Security Onion and its main features.
Security Onion download
- Testing the Security of Virtual Data Centers - Attacking virtualization servers via the API is a very productive form of testing. The API, if you can bypass the authentication, allows you to control all of the systems and even take screenshots of all running VMs! This is a super cool hack, and can have devastating effects on your infrastructure, such as allowing attackers to disable VMs, delete them, and all sorts of nasty stuff. You really need to spend time hardening your VM layer, as it protects all of the systems running on it, so it's time well spent. In the words of a PaulDotCom sweeper (in slurring drunken speech) "Pick a good password".
- Slide Show: 10 Movie Scenes Of Authentication Worth Rewatching - Somewhat interesting take on mostly older movies and how they do authentication with voice and retina scans. Demolition Man has the best retina authentication, as Wesley Snipes removes the eyeball from someone to escape from prison. Not sure how this relates to security and authentication as we experience today, but maybe proving that authentication sucks in the movies too.
- Healthcare Security Pros Need To Speak The Language Of Finance - This article just reeks of security fail. It's the age-old problem of getting executives to buy into security. They use the analogy of the bag of silica that comes with jewelry, and how we still need to have a warning label that says "do not eat". I just don't get it; if you are stupid enough to eat the silica, you should get sick. Wait, am I saying that if you are stupid enough to believe that you are secure because you use Apple products and therefore you are secure, that you deserve to get hacked? Yes, that is what I am saying. The real problem is convincing management that the top things you can do EFFECTIVELY to keep your data safe are justifiable. This is where we fall down: the perception we have of what actually keeps things secure is warped. Do I have the answer? Not really, but there has to be some correlation between staffing, skills, tools, and process...
- 5% of websites have had at least 1 SQL Injection vulnerability without needing to login - This data comes from Whitehat Security, so I am confident in the numbers. However, keep in mind this comes from people who have actually hired a company to test their web security. In reality, this number is much higher on the general Internet.
- Engineer Shows TSA Nude Scanners are Useless - This really proves that TSA is security theater. I like to think that there are people actually testing TSA security, airport penetration testers if you will, using any means necessary to get through airport security with weapons or explosives (well, maybe not shooting up a TSA checkpoint or anything). Obviously there is not. There is too much money at stake for the people who sell the scanners. So, a researcher sewed a pocket to the outside of his shirt and put a metal container in it. Since the scanners, both types, use a contrast to the background, the metal case did not show up because it fell outside of the person's body. Of course, nothing will be done and we will continue to be subjected to unknown amounts of radiation when traveling.
- Ray Ozzie says the PC is dead - The PC is dead because people hack them, nothing else ;) There is a lot of talk about mobile security, however, the battle is still on the desktop.
- Stolen iPad leads to 780lb crystal meth seizure - So they let the police in to investigate a stolen iPad, which they had tracked to their location using the location tracking in the iPad. Not sure if they recovered the iPad, but they did find 780lbs of Meth. Can you say dumb criminal of the year?
- The one tiny slip that put LulzSec chief Sabu in the FBI's pocket - Supposedly he logged into IRC just once without using Tor! All criminals make mistakes, well most anyhow.
- Researchers find MYSTERY programming language in Duqu Trojan - The creation of a dedicated programming language to construct the communications module shows how skilled the developers were, as well as providing evidence that significant financial resources were ploughed into developing the Duqu Trojan project. Pretty cool finding. Never heard of the MYSTERY programming language before, is that like Ruby?
- Chrome Falls In First Five Minutes Of Hacking Contest - While this is the headline, check this out: While the hacks against Chrome are notable, by the end of the first day of the Pwn2Own competition, teams had successfully demonstrated hacks against all of the browsers. Yeah, so browser security sucks all around.
- toolsmith: Pen Testing with Pwn Plug - Love the pwn plug, can't wait to get more hands on with one (if you know what I mean). Dave is a great guy and I look forward to seeing more come from this project.
- Experts avoid AV because they can - the rest of you should still use it - Do as I say, not as I do. As John says, A/V is like your smallpox vaccine: you know you need it, you know the virus could still be out there, so why not protect yourself? However, if we as security pros are the "doctors" and "nurses" if you will, shouldn't we protect ourselves? Maybe this is where the analogy falls down.
- Enumerating URLs from IP Addresses Using Bing’s Search API - This is perhaps one of the handiest scripts for pen testers! Give it a list of IP addresses and it uses Bing to enumerate all of the domains and URLs hosted there. So useful.
- The lost phone project - [Larry] - So what really happens when you lose your cellphone? Symantec tried an experiment, and intentionally lost 50 smartphones across the US and Canada. The phones were installed with a tracking app, and just about all revealed that the finders snooped through the phones looking at the sensitive information, and trying the "stored passwords".
- Github/Rails hack - [Larry] - YAY! github had a vulnerability in which third parties could insert their own keys into any project. The person who found it added his keys to the rails project and added a humorous commit in order to perform the notification. Yikes. I'd argue 2 things: 1. audit all your keys in your git repositories. 2. Call for a code audit of your git projects.
- linode bitcoin heist - [Larry] - Attackers gain access to Linode's network gear, then eventually get access to Linode's management application, allowing full control of all of Linode's shared hosts. From here, the attackers had full control of all of Linode's servers, and the attackers used this to transfer bitcoins out of the hot wallets of at least one bitcoin exchange.
- Chrome falls in Pwn2Own - [Larry] - … and more importantly, Pwnium, Google's Chrome hacking contest. In prior years, Chrome didn't fall, but apparently offering hefty bounties changes all that. It just goes to show that, as an attacker, if there is some monetary value to it, any application is worthy of an attack. Oh, and the bug found yesterday has already been fixed and released.
- NASA lost complete control of networks 13 times last year - [Larry] - Yikes. To quote from the congressional testimony, "In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorised access to NASA systems. Our ongoing investigation of another such attack at [Jet Propulsion Labs] involving Chinese-based internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts." Ooof.
- Kitties and Titties - [Larry] - I mean, what's not to like. I'm still having a hard (huhhuhuhuhuuhuhuhu) time finding the kitties though.
- Mandiant M-Trends Report - The latest Mandiant M-Trends Report is out. It is vendor generated, and has an agenda, but it is data. As always, apply your selection bias, confirmation bias, and other usual filters. (Registration, email link, grab the 4.3Mb, 28 pg PDF ritual required)
- Is Offense being pushed underground? - Interesting post by Dennis Fisher about the state of offensive security and information sharing.
- The Cloud is Falling! - Either that or Microsoft Azure just had an embarrassing leap day bug.
- IE6 through IE10 Pwned At CanSecWest Pwn2Own - The latest browser to fall is Internet Explorer (Chrome fell first, repeatedly, and hard).
- Police Drone Crash - This adds safety to the concerns people have over domestic use of drones; what should have been a PR photo op crashed. Literally.