Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Announcements & Shameless Plugs
Welcome to PaulDotCom Security Weekly, Episode 134 for December 18th, 2008. A show for security professionals, by security professionals.
- HACK NAKED TV - Hack Naked TV is in the works, we are putting the final touches on Episode 1 and it should give you something to tide you over the Christmas break, as this will be the last episode of the year!
- PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- Monthly Security Webcast - Late-Breaking Computer Attack Vectors - Dec 23rd 2PM EST REGISTER HERE
Interview: Daniel Hoffman
Mr. Hoffman is a world-renowned mobile security expert. He joins SMobile with more than 10 years of experience in mobile security. He has built his expertise as a Telecommunications Specialist with the U.S. Coast Guard, IT Director and as Senior Engineer at Fiberlink, architecting security solutions for the largest companies in the world. He has been the keynote speaker at numerous security events including Hacker Halted, InfoSec World and ChicagoCon and is known for his live hacking demonstrations and videos, which have been featured in the Department of Homeland Security's open source infrastructure report. Mr. Hoffman is the author of "Blackjacking: Security Threats to Blackberry Devices, PDAs and Cell Phones in the Enterprise."
- ChicagoCon Presentation: Smartphones Aren't Currently Being Exploited - And the Titanic is Unsinkable
Questions for Mr. Hoffman
1. Are there any mobile IDS technologies being developed? It might help people understand the risks.
2. Are any of these platforms more secure than the others? Or are they all relying on the due diligence of the users? If you had to pick, what's the most secure? Android? iPhone? Is the choice based on OS security or application security?
3. What do you think the role of the provider is in securing, and demanding security from, the phone vendors?
4. What vendors are starting to see this as a good area to start developing software for?
5. What can we do? Some also might argue, what's the value in compromising a phone....
6. Do we find some of the same issues with the embedded devices that we find with other consumer devices? They aren't tested properly? Poor programming practices?
7. Any predictions for the next 12 months? Two years?
Stories and Tech for Discussion
Bothunter - [John Strand] - John will be talking about his fun adventures with BotHunter and how it represents a paradigm shift that many organizations need to make. Assume that you are compromised and approach accordingly. Remember, the attackers are not "out there", they are already inside your perimeter.
CheckPwnt? - [Larry] - Apparently some folks were able to gain access to the Check Point SVN tree for source code for the VPN and other devices. In analyzing the code, they apparently have been able to develop a remote root exploit, as the boxes are Linux based. This is one of those cases when having a box delivered from the vendor, and not being able to test appropriately - or review code, is a bad thing. Who's protecting the protectors?
Who needs a SIM card? - [Larry] - Office gear was being sold at bargain-basement prices from the McCain/Palin campaign; I picked up a couple of Blackberries for $20 each - no chargers, dead batteries. Upon charging and powering on, the devices contained 50+ contacts and e-mails from September to 4 days before election day. Laptops were being sold as well, which were "operational", but were said to be wiped beforehand...
Browser Rider - [John Strand] - Sure BeEF is cool. But competition is even better. We will be taking a quick look at a tool that does many of Wade's cool BeEF tricks and comes with some new tricks of its own.
All I want for Christmas is.... - [PaulDotCom] - I now present to you, the PaulDotCom Listener Christmas list:
Web App Testing Tools Question - [PaulDotCom] - Thoughts on this one? For Windows, use Cygwin and whip up a Perl script if you need to, or use ActivePerl. To test web apps, you may need to do this. Java applications are just like any other, so test them for XSS and SQL injection just as you would a PHP app, at least to start. Use BeEF to break into the clients; XSS doesn't help you break into the server unless you hook the sysadmin's browser. - John (Strand) has a nice video on BeEF that is hosted by Irongeek. It can be found here
Exploit Shield - [PaulDotCom] - So, yes, client protections can be bypassed. Just look at how malware writers have made swiss cheese out of every A/V product on the market. Putting more software on your computer allows for more vulnerabilities. However, with the seeming rise in 0days for common applications, primarily on Windows, I'm going to give this a try. My new strategy, and potential recommendation for clients, will be to use A/V and software that looks at exploit behavior. Could these be the same product? Maybe, but my guess is that having two from two totally separate vendors is going to give you much better protection, and now may even warrant the risk and management overhead.
iPhone Spy Software - [PaulDotCom] - I thought this statement was interesting:
it appears that vendor number two may be able to jailbreak, install, and then un-jailbreak the iPhone during its installation.
Looks like some pretty neat firmware manipulation. I find it interesting if malware is able to hide and re-infect via firmware upgrades or re-flashing. This means they are hiding in an area of flash that is not touched during an OS upgrade or re-installation. It's like hiding in the BIOS of a PC, and when you re-install Windows, you get re-infected. I would think that a simple checksum of the bootloader would solve this problem, no? But then again, what if the OS is infected and responsible for checking the checksum? Hrmm.....
3rd Party Security - [PaulDotCom] - I run into this problem so often, just what do you do about those pesky 3rd parties? They may have various levels of access to your network, but at what point does their security become your security? This is probably one of the most overlooked policy areas for so many organizations, and creating enforceable policy is hard. But hey, it's Christmas, let's take a crack at it:
- The 3rd party should allow you to do penetration testing of them. I've done this with hosting providers. If you host one of my web sites, I get to poke at it whenever I like (with proper notice). This is a great way to test all of the new web app testing tools that come out and get updated every week.
- If the 3rd party needs to maintain equipment on your network, this equipment has to comply with your network access policy. You do have one of those, right? It does say that no one can plug anything into the internal network that isn't up to date on patches, right? And you check for that every so often?
- If a 3rd party needs remote access, it must comply with your policy and be secure. This gets tricky, some vendors will cling to TELNET and RDP like some do to guns and religion. This is unacceptable, it needs to be encrypted. But, do you give them access to your VPN? What is the login? When does it expire? What about the VPN key, now it's in the possession of a 3rd party? Interesting issues...
Multi-Lingual Social Engineering for Hire - [PaulDotCom] - So, I'm a nerd, right? (Yes) Remember in Star Trek when they had a universal translator so they can talk to all kinds of different races and beings? This is like that, except for social engineering, universal pwnage. Ahh, hacking, the universal language of truth (wow, and I haven't even started drinking yet!)
BUUUUUUURP - [PaulDotCom] - Has been released, need to check this out...
Metasploit DeCloak - [PaulDotCom] - "All I want for Christmas is your internal IP, all I want for Christmas is your internal IP...!!!!". Love it, internal address space comes in handy, especially when you are emailing people or browser hooking and want to attack or scan internal resources.
IRS not reviewing own audit - [Larry] - Sure, collecting logs from IDS/IPS/WIDS, servers and so on doesn't do you much good if you aren't looking at them with some regularity.
Amex website XSS - [Larry] - An XSS attack on the American Express website left users vulnerable for 2 weeks (or more!). A user was able to use XSS to obtain the cookie values of a different user after they had logged in, effectively hijacking the session. The individual attempted to contact Amex through several venues to no avail. So, why does this stuff have to be so hard to report, or fall on deaf ears (train your staff answering), and, as a founder of PCI, are the checks that are required really working?
File drop via remote DNS Cache - [Larry] - Wow, an application for anonymous messaging with Kaminsky's DNS flaw. Pretty freaking cool...