From Security Weekly Wiki

Episode Media


Paul's Security Weekly - Episode 365 for Thursday March 20th, 2014

  • This segment is brought to you by Black Hills Information Security, THE source for all of your penetration testing needs. Please visit www.blackhillsinfosec.com for more information and use the contact page to request a quote!
  • Paul will be hosting this year's Mid-Atlantic CCDC (www.maccdc.org) next week, and speaking at the Northeast Linux Fest which will be held on April 5 of 2014 at Harvard University, April 7-8 at SOURCE Boston (stay tuned to win a free SOURCE Boston ticket!), Charlotte ISSA conference on April 24, and the NOLA conference in New Orleans in June.

Guest Interview:


Gary McGraw is the author of many books and over 100 peer-reviewed publications on IT security. In addition, Gary McGraw serves on the Dean's Advisory Council for the School of Informatics of Indiana University, and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by informIT). Gary is the Chief Technical Officer at Cigital Inc. In addition, he serves on the advisory boards of several companies, including Dasient, Fortify Software, Invincea, and Raven White. He holds a dual PhD in Cognitive Science and Computer Science from Indiana University. In the past, Gary McGraw has served on the IEEE Computer Society Board of Governors.

  1. How did you get your start in information security?
  2. What advice do you have for those getting their start in information security?
  3. What prompted you to focus on software security?
  4. I really like your description of a bug versus a flaw, can you elaborate?
  5. What are the economic drivers for producing security software?
  6. Does the consumer or customer need education to demand more secure software? In other words, will software be insecure until the market demands it?
  7. What is the number one mistake developers make resulting in insecure software?
  8. How often does software need to be penetration tested?
  9. What are the components of a secure software development process?
  10. Let's say I am the CISO of a large enterprise with more than 100 applications in use, some off-the-shelf and some developed in house, where do I start applying application security? How do I ensure the code being produced is not vulnerable to attack?
  11. What tools/methods are available to IT organizations to gain insight into applications for logging and vulnerability identification? How do you detect malicious behavior inside of an in-house developed application?

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. If you could have dinner with one celebrity, who would it be?

Tech Segment:

Tech Segment: Wordpress Defacement: Lessons Learned

This segment is brought to you by Palo Alto Networks, please click the banners on our web site and register for a free video presentation on their technology. Also, an interview with Palo Alto is being scheduled, tune in for that segment and learn how to qualify to win a free PA-200 Firewall, a $2,500 value. We will be giving away 5 of these babies, so stay tuned!

On March 14, 2014 the securityweekly.com website was defaced (index.php was modified) by an attacker at approximately 6:30AM EST. We discovered this attack, via Twitter in fact, at 8:00AM that morning. Our web site was restored and operational by 11:00AM that morning, and the forensic investigation is continuing.

FYI: This system does not contain any sensitive information about clients, listeners, or subscribers. There was no evidence that the compromise spread outside of this system. The defaced system is only used for content distribution and only contained our own user accounts, and as such all of our passwords have since been reset.

What we know

  • At 6:30AM a new account was added to Wordpress, username "jacko"
  • At 8:00AM two full-time employees were pulled off assigned duties and focused on incident response
  • Our Wordpress instance was patched and up-to-date, and most plugins were up-to-date as well. Plugins requiring updates had no known vulnerabilities or associated exploits publicly available
  • There were 6 updates for packages on our Debian system, however none of the updates fixed any serious security vulnerabilities (just a DoS condition in PHP)
  • There were several entries in the logs that indicated a brute-force login attempt against the Wordpress instance
  • After a thorough forensics investigation (still ongoing) it was discovered that the account used by the original web developer had a password which was never changed (changeme123)
  • We discovered that the .htaccess file in the wp-admin directory, which provides an added layer of protection for the login process, had not been put back after a Wordpress update
  • The index.php file and other files in the plugins directories did not have strict permissions applied (also likely an artifact of a Wordpress update)
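The brute-force entries and the account creation above are both visible in an ordinary web-server access log. This is an added example (not code from Security Weekly) that runs two detections over constructed Apache combined-format lines: a burst of POSTs to wp-login.php from one address, and any POST to wp-admin/user-new.php. The sample addresses, timestamps and the 5-in-10-minutes threshold are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
LOG_RE = re.compile(  # Apache "combined" layout; only the fields the checks need are captured
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not the securityweekly.com logs): a burst of login
# POSTs from one address, one ordinary login from another, then a user creation.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2014:06:12:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2014:06:12:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2014:06:12:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.5 - - [14/Mar/2014:06:15:52 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2014:06:16:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2014:06:16:09 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2014:06:30:12 -0400] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(line):
    # Returns a dict for one log line, or None if the line does not match the layout.
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def find_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each IP with >= threshold login POSTs inside any `window` to its total count.
    Status codes are ignored: wp-login.php answers a failed login with 200, not an error."""
    per_ip = defaultdict(list)
    for entry in filter(None, map(parse, lines)):
        if entry["method"] == "POST" and entry["path"].startswith("/wp-login.php"):
            per_ip[entry["ip"]].append(entry["ts"])
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[ip] = len(times)
                break
    return bursts

def find_user_creation(lines):
    """(ip, timestamp) for every POST to wp-admin/user-new.php; on a site with a fixed
    set of authors, any account creation deserves an alert."""
    return [(e["ip"], e["ts"].isoformat()) for e in filter(None, map(parse, lines))
            if e["method"] == "POST" and e["path"].startswith("/wp-admin/user-new.php")]
```

Pointing the same two functions at a real access log is a one-line change (read the file instead of `SAMPLE_LOG`); the threshold should be tuned to the site's normal login volume.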

What we did to remediate the vulnerabilities

  • We put back the .htaccess file in the wp-admin directory
  • All user accounts not in use were removed, and all passwords were reset to 16 character random values
  • All Wordpress plugins were updated
  • All Debian packages were updated
  • Debian was upgraded to the latest release; we had been running a version that was receiving only security updates
  • File permissions were corrected
  • WPScan was run and all issues reported were corrected, primarily file permissions and other low severity issues
  • Wordpress plugins not required to operate the site have been temporarily disabled
  • We have an open position for a new web developer

Future projects planned to prevent future incidents

  • Resources will be allocated to more regularly apply maintenance and patches to the Security Weekly systems
  • We are researching better ways to get more logging from Wordpress
  • Mod_security will be implemented
  • Performance issues will be addressed, and HTTPS will be implemented site-wide (currently only available on the login pages)
  • Security controls will be documented, monitored with Nessus, and alerts generated when a security control goes missing
  • Further active defense countermeasures will be added to the site (again, once performance issues are addressed)
  • Even more regular web application penetration testing will be performed
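Two of the remediation items (restoring wp-admin/.htaccess and correcting file permissions) are exactly the kind of control that silently disappears after an update, which is what the monitoring item above is meant to catch. This added example (not Security Weekly's code) checks both controls against a WordPress document root, applies the common 0644/0755 baseline, and builds a constructed install tree with the original weaknesses to show the findings before and after; the plugin name and file contents are placeholders.

```python
import stat
import tempfile
from pathlib import Path

def check_controls(root):
    """Return a list of findings; an empty list means both controls are in place."""
    root = Path(root)
    findings = []
    if not (root / "wp-admin" / ".htaccess").is_file():
        findings.append("missing: wp-admin/.htaccess")
    # index.php plus every file under the plugins directory must not be group/world writable
    for path in [root / "index.php", *(root / "wp-content" / "plugins").rglob("*")]:
        if path.is_file():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"group/world writable ({oct(mode)}): {path.relative_to(root)}")
    return findings

def fix_permissions(root):
    """Apply the usual WordPress baseline: files 0644, directories 0755."""
    root = Path(root)
    for path in [root / "index.php", *(root / "wp-content" / "plugins").rglob("*")]:
        if path.is_dir():
            path.chmod(0o755)
        elif path.is_file():
            path.chmod(0o644)

def demo():
    """Build a constructed tree with the weaknesses the segment describes, then
    return (findings before remediation, findings after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin_dir = root / "wp-content" / "plugins" / "example-plugin"  # hypothetical plugin
        plugin_dir.mkdir(parents=True)
        (root / "wp-admin").mkdir()                      # .htaccess deliberately absent
        (root / "index.php").write_text("<?php // constructed stand-in\n")
        (root / "index.php").chmod(0o666)
        (plugin_dir / "example-plugin.php").write_text("<?php // constructed stand-in\n")
        (plugin_dir / "example-plugin.php").chmod(0o777)
        before = check_controls(root)
        fix_permissions(root)
        # Placeholder content only; the real file carries the site's login restrictions.
        (root / "wp-admin" / ".htaccess").write_text("# placeholder\n")
        after = check_controls(root)
        return before, after

if __name__ == "__main__":
    for finding in demo()[0]:
        print("ALERT:", finding)
```

Run `check_controls` from cron or a monitoring agent and alert on any non-empty result, so a control removed by the next update is noticed before an attacker notices it.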


This segment is brought to you by Pwnie Express! Don’t Be the Next Target: See All the Things in a new webinar on March 26th at 1:00pm EDT. In this learning session, attendees will see how corporations are effectively leveraging the product solutions available from Pwnie Express to “See ALL the Things.” Click here to register!

Paul's Stories

  1. Beware this big iOS flaw -- and it's not alone | Security & Privacy - CNET News - Interesting how Apple has taken a step back in security, leaving it open for kernel exploits to attack crypto, meaning they really 0wn your phone. Article also goes into other security-related items on Android. Performance versus security is a debate that will rage on forever.
  2. Lenny Zeltser on Moats - Relate your security woes to an economic moat. (EDIT) Okay, I get it now after some context. The wider your moat, the more economic advantage you have against competition. Security, in theory, should contribute to your moat, making it wider and deeper, further separating yourself out from the competition.
  3. Are Credit Monitoring Services Worth It? - Pretty much what we already know, but in the context of Brian, who uses these services and is attacked often. They are like an IDS, but not like an IPS.
  4. Carnal0wnage & Attack Research Blog: Webmin Brute Forcing -
  5. WordPress XML-RPC PingBack Vulnerability Analysis - SpiderLabs Anterior
  6. "To Err Human


Jack's Stories of Joy and Wonder

  1. NSA attorney insists US tech giants knew of NSA data collection. And they wouldn't lie.
  2. My personal rant on missed opportunities Chip and Pin? I just wanna buy Fish and Chips.
  3. Defense Department Adopts NIST Security Standards
  4. The CIA allegedly hacked Senate computers to delete information on torture and NSA cheerleader Feinstein is outraged.
  5. More than 162,000 “popular and clean” WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system’s pingback feature.
  6. Fake SSL certificates deployed across the internet Netcraft has found dozens of fake SSL certificates impersonating banks, ecommerce sites, ISPs and social networks. Some of these certificates may be used to carry out man-in-the-middle attacks against the affected companies and their customers.
  7. Great stuff on Gunnar Peterson's blog about Cormac Herley's latest work on passwords: http://1raindrop.typepad.com/1_raindrop/2014/03/sympathy-for-the-devil-cormac-herleys-password-research.html

Allison's Super Stuff

Joff's Adventures On The Interwebs..

  1. http://pen-testing.sans.org/blog/pen-testing/2014/03/16/tor-nonymous-using-tor-for-pen-testing - Using a Tor proxy to obscure your IP address during a penetration test.
  2. http://blog.strategiccyber.com/2014/03/20/user-account-control-what-penetration-testers-should-know/ - What pen testers should know about Windows UAC