PaulDotCom Security Weekly - Episode 238 for Thursday April 7th, 2011.
- Episode 1 of PaulDotCom Espanol is available for download! Get it here
- SOURCE Boston on April 20 - 22- Paul and Larry will be there to hang out, talk beer and drink security.
- Born To Run (and Hack) - Don't forget to sign up for Hacker run! Team Pesce is training in April for Purple Stride on May 15th.
- PaulDotCom Blackhat Training Part 1 Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!
- PaulDotCom Blackhat Training Part 2 Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2
- Larry Teaching SANS 617 SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses in Victoria 2011 May 9, 11 to May 14, 11
- Register now for the 8th Annual Charlotte ISSA Security Summit featuring the 3 nuttiest people in InfoSec: PaulDotCom, Ed Skoudis, and Chris Hadnagy, all on May 5th.
- DerbyCon : Louisville, Kentucky – September 30th to October 2, 2011 with practically all of the PaulDotCom crew in attendance. Catch our special training session - "The magic number of times you can say 'cyber' before starting to look like a complete idiot".
Guest Interview: Chris Palmer from the Electronic Frontier Foundation has a method to fix HTTPS
Chris is a software engineer and sometime musician. Like Tron, he fights for the user and tries to make software and information more secure, usable, accessible, and available. He works at the Electronic Frontier Foundation as their Technology Director and is on to tell us Its Time to fix HTTPS
- Tell us what you mean by Perverse Incentives - what's the fundamental problem with CA's?
- Certificate Authorities
- Browser Vendors
- Explain to us how IE runs as Low Integration Level and if User Account Control is virtualized, then how can it silently update the cert store?
- What do you mean by "Usability requires empathy."
- How would Trust On First Use; Persistence of Pseudonym change things?
Guest Tech Segment: Ryan Barnett challenges you to a XSS Street-Fight
Ryan Barnett is a Senior Security Researcher at Trustwave, the lead for the ModSecurity web application firewall project, and taskmaster of the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects.
Ryan Barnett is a Senior Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs -the advanced security team focused on penetration testing, incident response, and application security where he focuses on web application defensive research and serves as the ModSecurity web application firewall project lead. In addition to his work at Trustwave, Ryan is also a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. He is also a Web Application Security Consortium (WASC) Member where he leads the Web Hacking Incidents Database (WHID) and Distributed Web Honeypots Projects, as well as, the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison/Wesley Publishing entitled Preventing Web Attacks with Apache and is a frequent speaker at industry conferences such as Blackhat and OWASP.
Ryan will provide an overview of various cross-site scripting (XSS) attacks and defense or evasion lessons learned while working with Trustwave's Web application firewall (WAF) customers. XSS can be used by attackers to bypass access controls and he'll go over cutting-edge XSS protection methods.
Download his presentation slides here: XSS Street Fighting
Stories For Discussion
- Epsilon a different take - [Larry] - Yes, we've al heard about the Epsilon breach, and now all of our e-mail addresses belong to spammers, and that now they have ripe information for Spear Phishing. We'll I take a little bit of an argument. Is it really Spear Phishing, when the spammers will use millions of e-mail addresses in a particular context; Millions do not seem like spears, bit more like a large net. Net Phishing for minnows? this is of course not to say that the spammers don't have some really good information. My second issues is with the breach disclosure. There were so many companies affected, that maybe the SAME worded e-mail for notification from all of the vendors is now starting to hit the spam bucket? I think mine are, as I know I'm customers with a few companies on the list, and I have yet to receive notice form all of the affected companies, when I know others have received them (I'm looking at you Tivo, 1800-Flowers, Crucial.com, Marriot Rewards, Target and Verizon). That said, I wonder how much of a cluster fsck the whole breach notification stuff is hosed at many of these companies…
- Cracking Filevault Sparsebundle - [Larry] - while not exactly earth shattering, it just goes to show that with enough time, tables and John the Ripper it is possible to crack salted SHA-1 hashes on a decently powered machine, and get access to the filesystem.
- Rogue DHCP server for the win.. - [Larry] - Having your own rogue DHCP server just got better. Why? the ISC dhclient accepts information on hostname coming back from the DHCP server that is not properly escaped, that can cause remote code execution. That means I can get shell on your box before it has even finished booting… The part that made me laugh form one of the articles " An attacker must, however, have control of a DHCP server" Um, that's not hard to do…
- Why user management is important - [Larry] - Gucci is prosecuting a former employee, who after being fired on an unrelated matter, access the Gucci network via VPN (with RSA token), and wreaked havoc, deleting virtual servers, e-mail and documents. How? Before termination the employee convinced Gucci staff to enable an RSA token on a fake network account and grant access to the VPN. Months after termination the now former employee still had access. How do we prevent it? How about reviewing access and comparing to HR and contractor records regularly? How about also changing admin passwords after IT employees leave?
- Comodo, RSA, Sony, Others? - We're losing, we need to do better, someone get me a beer. Everyone DRINK!
- Shovel Attentuation - A 75-year old woman took a shovel to a fiber cable and took out Internet access to my home country of Armenia. Georgia, who provided the Internet access says, "We don¿t how she found the optic cable, which was secure". Funny how people have a different view of what "secure" means. Physical security is important! Here's the thing, while it may be exploited less than attacks coming across the Internet, its typically far more damaging.
- THC-Hydra 6.2 - If you have never used this tool, you should. Whether you are testing your own network or doing penetration testing, constantly identifying weak passwords is a must. So many breaches, so many sucessful because someone had a weak password. Weak passwords hide, so much technology and services have crept into our environments, its tough to keep up. Nice patches added that will generate passwords, and support for all kinds of auth methods, TLS support for more protocols, SASL, and more!
- Breaking_In - Cameo from Chris Neckerson? PCI? APT? Can't wait to watch this, just for the LOLs.
- PornWikiLeaks - The real names of Pornstars, names addresses - The web site seems to be a bit shady (not that I spent a signifigant amount of time on it, ehem). The interesting part, and yes there are pictures, is that the information supposedly leaked from a medical database, can you say HIPPA FAIL? Maybe your neighbor, teacher, or lawyer is a porn star on the side, WIN?
- I Love DHCP Vulnerabilities - Any vulnerability that allows for mass exploitation is so awesome. This is a vulnerability in the DHCP client that can be overflowed by a malicious DHCP server. Once you get on the "inside" of the network, this is deadly. Its easy to generate these packets, and many clients are happy to reply. Detection is likely very easy, but how does your network detect local malicious DHCP packets? Curious to see if Cisco has come up with ways to detect malicious layer 2 and local layer 3 packets.
- The "firewallless Network" - Yes, this article suggests not using a firewall. Its a bit scary, I know. The article states: "In many cases a large number of unnecessary and insecure services are running on the network, but are only hidden by a firewall." Aha, so true, something we've discussed a lot in the past. Someone tested this theory, and guess what, they are doing okay (at least as far as they know). Guess what? They used systems hardening? Guess what? They used simple and easy to manage protocols and stayed away from proprietary stuff. Configuration management is important. If you spent more time on configuration management, and borrowed time from firewall management, you'd have a more secure nework. If you had a baseline system, and re-imaged systems that did not meet the baseline, you'd have a more secure nework. Its time to stop talking about how bad firewalls are, and do something to change. Here's your homework: Take a group of systems that exist on your network, figure out what they do, configure them as such, then monitor for changes. Organizations that can do this well will be "resilient to 0day attacks" and "catch the latest malware", with very little help from vendor products. Marcus Ranum tells a great story about the CSO of a major retailer. They use imaging software on all their cash registers. They know exactly what files are created and what behavior is normal. If one falls out of that, makes a random connection or creates new files or processes, its re-imaged immediatley.
- "Insider" Threats Suck - We worry a lot about APT, Malware, firewalls, anti-virus and the like. However, a former employee caused $200,000 damage to Gucci. He tricked former employees into activating a VPN connection. A good example of the more infrequent attacks causing the most damage. However, this attack is easily detectable. While former employees know a lot about your network, you should know a lot about them and their accounts.