Difference between revisions of "Episode397"

From Security Weekly Wiki
Line 72:

#[https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf ] - Doesn't matter which CMS you run, they all were found with this backdoor.
#[http://motherboard.vice.com/read/michael-ossmann-and-the-nsa-playset Let's Play NSA! The Hackers Open-Sourcing Top Secret Spy Tools | Motherboard] - This one is for Larry and Joff...
#[http://www.darknet.org.uk/2014/11/critical-xss-flaw-affects-wordpress-3-9-2-earlier/ Critical XSS Flaw Affects WordPress 3.9.2 And Earlier] - Oh, and if you run WordPress, have lots of people who can do upgrades. Lots of people.
#[http://securityvulns.com/news/Apple/TV/1411.html Apple TV multiple security vulnerabilities] - I really want to see an attack against a platform like this. Put some code on it, use it to harvest credentials, even credit card info? Not sure if that's possible, but I always wonder.
#[http://threatpost.com/remote-code-execution-in-popular-hikvision-surveillance-dvr/109552 Remote Code Execution in Popular Hikvision Surveillance DVR] - RTSP has some buffer overflows, oh and then there is this: "the devices also ship with a default username (admin) and a default password (‘12345′)". I need a drink. We're all doomed. It's a hacker's playground out there, stock up on booze.
#[http://www.darkreading.com/dont-discount-xss-vulnerabilities/d/d-id/1317706 Don't Discount XSS Vulnerabilities] - Great article on XSS, Johannes is quoted as stating that XMLRPC requests are being used to bypass same origin. Great point. And people tend to give a much lower priority to XSS, likely because the attack success depends largely on the context of the vulnerability. Sometimes it's not likely to be exploited. Other times it can be used to dive deep into your web site and results in root. The trick is figuring out the difference. From a defense standpoint, apply your patches. Likely a patch for XSS will not blow up your site, it could, but in all the years of maintaining web sites, I still recommend applying those patches. Unfortunately, this means upgrading the entire application, where you get bug fixes, security fixes, and "features". Which could lead to more vulnerabilities. So, get good at upgrading...
#[http://www.spgedwards.com/2014/11/regin-when-did-protection-start.html Regin: When did protection start?]
#[http://windowsitpro.com/blog/strength-numbers-why-layered-network-protection-priority Strength in numbers: Why layered network protection is priority] - So A/V, Patch and "web protections". While all those things will help, you need to go so much deeper. Patch and configuration and process go hand-in-hand. Endpoint protection is important, and relying on A/V is so 7 years ago. EMET comes to mind, as does a good strategy for re-imaging. Web applications come down to educating developers and having a good testing process. And so. much. more.
#[http://www.infosecurity.us/blog/2014/11/21/all-your-base-are-encrypted "All Your Base] - EFF makes efforts to encrypt the Internet. "The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires." It's true, the barriers to properly implementing and maintaining TLS are huge. The big guys get it right, sometimes. Curious to see what comes next...
#[http://reversemode.com/index.php?Itemid=0&id=80&option=com_content&task=view Reversing Industrial firmware for fun and backdoors I] - Some updates posted here, I wonder if everyone has updated their firmware? Likely not... We seem to lack adequate testing tools, given the nature of embedded systems and how each one is unique. How does your enterprise ensure firmware updates across devices?
#[http://reversemode.com/index.php?Itemid=0&id=77&option=com_content&task=view Reversing DELL's DRAC firmware] - Turns out, this firmware does not use /etc/shadow. This means the backdoor found is not accessible remotely. Oh well. This happens when you are reverse engineering firmware. You find artifacts, but sometimes they are not used in the production environment. Maybe it was only used in a test environment or another hardware revision. Or sometimes the firmware is copied from a different hardware device and some features are not implemented.

Revision as of 19:55, 25 November 2014



Episode Media

MP3 < Not yet published!

Announcements

Paul's Security Weekly - Episode 397 for Tuesday November 25th, 2014

And now, from the dark corners of the Internet, where exploits run wild, packets aren't the only things getting sniffed, and the beer flows steady, it's Paul's Security Weekly!

  • This interview is sponsored by Palo Alto Networks creators of THE next-generation firewalls, helping you enforce network security policies based on applications, users, and content. Visit them on the web at www.paloaltonetworks.com
  • And by The SANS institute the most trusted source for computer security training, certification and research. visit www.sans.org to learn more
  • And by Tenable Network Security, the creators of Nessus, the world's best vulnerability scanner. Check out the new Nessus Enterprise and Nessus Enterprise Cloud, and engage your IT department in the vulnerability management process today!
  • And by Black Squirrel. Pentest Networks from Your Browser! Exploit the limits of network security through just a browser. Have a Chrome exploit in your toolkit? Good, but for the rest of us there's Black Squirrel. Visit blacksquirrel.io for more information.

"Now, fire up a packet capture, pour yourself a beer, and give the intern control of your botnet..."

"Here's your host, a man whose chest hair really isn't on his chest, in a hair length rivaling Jack's, Paul Asadoorian"

  • Security Weekly Announcements:
    • Check out the SteelCon competition. Enter to win a SecurityTube Training course. You must write documentation for an open source project. Details can be found on the website. http://www.steelcon.info/competition/documentation-competition/
    • Larry teaching SANS 617 Wireless Ethical Hacking and Defense coming up in Orlando April 11-18 and Berlin, Germany June 22-27

Guest Interview: Paul Coggin

Bio

Paul Coggin is a Senior Principal Cyber Security Analyst with Dynetics, Inc in Huntsville, Alabama. Paul is responsible for architecting and securing large complex tactical, critical infrastructure and service provider networks. Paul’s expertise includes tactical, service provider and ICS\SCADA network infrastructure hacker attacks and defenses as well as large complex network design and implementation. Paul’s experience includes leading network architecture reviews, vulnerability analysis and penetration testing engagements for critical infrastructure networks.

Paul is a frequent speaker on offense and defense topics related to critical infrastructure networks. He has presented at conferences around the world including Hack In Paris, DeepIntel, DerbyCon, BSides, Hacker Halted, COUNTERMEASURE, TakeDownCon, and DeepSec. Paul is a Cisco Systems Certified Instructor # 32230, Certified EC-Council Instructor and a certified SCADA security architect. He has a bachelor's degree in mathematics, a master's in Computer Information Systems, a master's in Information Assurance and Security, and is currently pursuing a master's in Systems Management. In addition he holds a wide array of certifications from Cisco, EC-Council, ISC^2, and others. Paul is the organizer for BSides Huntsville.

Questions/Topics

Five Questions

  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of ass grabby grabby do you prefer to go first or second?
  5. Pick two celebrities to be your parents.


Stories

Sponsors

  • Stories of the week is brought to you by Onapsis the leading provider of solutions to protect ERP systems from cyber-attacks. Customers can secure their SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud risks. Visit them on the web at http://www.onapsis.com/
  • And by Pwnie Express - Check out the community edition and turn your Nexus 7 into a lean and mean pen testing machine. For all those hard to reach places, there's Pwnie Express, visit them on the web at http://pwnieexpress.com
  • And by Black Hills Information Security, the leaders in penetration testing and active defense. Email consulting@blackhillsinfosec.com to request a quote today!


Paul's Stories

  1. "Guest diary: Detecting Suspicious Devices On-The-Fly
  2. Bugtraq: WordPress 3 persistent script injection
  3. google/firing-range · GitHub
  4. [DeepSec 2014 Trusting Your Cloud Provider. Protecting Private Virtual Machines – Armin Simma | Cатсн²² (in)sесuяitу / ChrisJohnRiley]
  5. https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf - Doesn't matter which CMS you run, they all were found with this backdoor.
  6. Let's Play NSA! The Hackers Open-Sourcing Top Secret Spy Tools | Motherboard - This one is for Larry and Joff...
  7. Critical XSS Flaw Affects WordPress 3.9.2 And Earlier - Oh, and if you run WordPress, have lots of people who can do upgrades. Lots of people.
  8. Apple TV multiple security vulnerabilities - I really want to see an attack against a platform like this. Put some code on it, use it to harvest credentials, even credit card info? Not sure if that's possible, but I always wonder.
  9. Remote Code Execution in Popular Hikvision Surveillance DVR - RTSP has some buffer overflows, oh and then there is this: "the devices also ship with a default username (admin) and a default password (‘12345′)". I need a drink. We're all doomed. It's a hacker's playground out there, stock up on booze.
  10. Don't Discount XSS Vulnerabilities - Great article on XSS, Johannes is quoted as stating that XMLRPC requests are being used to bypass same origin. Great point. And people tend to give a much lower priority to XSS, likely because the attack success depends largely on the context of the vulnerability. Sometimes it's not likely to be exploited. Other times it can be used to dive deep into your web site and results in root. The trick is figuring out the difference. From a defense standpoint, apply your patches. Likely a patch for XSS will not blow up your site, it could, but in all the years of maintaining web sites, I still recommend applying those patches. Unfortunately, this means upgrading the entire application, where you get bug fixes, security fixes, and "features". Which could lead to more vulnerabilities. So, get good at upgrading...
  11. Regin: When did protection start?
  12. Strength in numbers: Why layered network protection is priority - So A/V, Patch and "web protections". While all those things will help, you need to go so much deeper. Patch and configuration and process go hand-in-hand. Endpoint protection is important, and relying on A/V is so 7 years ago. EMET comes to mind, as does a good strategy for re-imaging. Web applications come down to educating developers and having a good testing process. And so. much. more.
  13. "All Your Base - EFF makes efforts to encrypt the Internet. "The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires." It's true, the barriers to properly implementing and maintaining TLS are huge. The big guys get it right, sometimes. Curious to see what comes next...
  14. Reversing Industrial firmware for fun and backdoors I - Some updates posted here, I wonder if everyone has updated their firmware? Likely not... We seem to lack adequate testing tools, given the nature of embedded systems and how each one is unique. How does your enterprise ensure firmware updates across devices?
  15. Reversing DELL's DRAC firmware - Turns out, this firmware does not use /etc/shadow. This means the backdoor found is not accessible remotely. Oh well. This happens when you are reverse engineering firmware. You find artifacts, but sometimes they are not used in the production environment. Maybe it was only used in a test environment or another hardware revision. Or sometimes the firmware is copied from a different hardware device and some features are not implemented.

Larry's Stories

Jack's Stories

Joff's musings from down under