This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
This podcast is also sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins and compliance checks. Tenable: Unified Security Monitoring!
Announcements & Shameless Plugs
Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 108 for May 15th, 2008
- PaulDotCom SANS Click-Through - Go there, register for fabulous SANS training! Go now!
- Network Security Projects Using Hacked Wireless Routers with Paul, Washington DC, July 23, 2008 at SANSFIRE, and a joint podcast at 7:00PM with the ISC folks!
- Pen Test Summit - June 2-3 to be attended by Larry
- PaulDotCom Monthly Webcast - May 28th, 2:00PM EST
- PaulDotCom Mailing List - Come join now!
- PaulDotCom IRC Channel - #pauldotcom on irc.freenode.net
- We have a blog, http://pauldotcom.com, come read it! New web site coming very soon!
JJ (IRC Nick: enhanced) has been actively involved in the security community for over 12 years. His training and professional experience range from high-profile physical security to information warfare. He is an active member of the raWPacket Security Team, a founding member of the OpenPacket project and a developer for the InProtect open source Nessus front-end project. JJ is also the man behind The Global Perspective security blog.
Tech Segment: Debian, Oh Dear Debian, Why Do You Hate On Me This Way?
Recently I was asked by Bill Brenner from CSO Online to do a short write up on how I unwind and blow off steam after work. This week, I need all the Kung Fu I can get! Some links:
- Best one: http://metasploit.com/users/hdm/tools/debian-openssl/
- Risky Business Podcast with HD: http://www.itradio.com.au/security/?p=72
9999999999999 != Random
- Mitigating SSH Vulnerabilities using Single Packet Authorization: A quick recap of issues which can affect SSH (and the recent Debian/Ubuntu ones), and why Single Packet Authorization can help defend against these by maintaining a default-drop firewall whilst allowing you access whenever you need.
Tech Segment: Paul's Tech Segment on Why Larry Never Does Any Tech Segments
"Larry is Lazy and on drugs" On with the show...
Incident Response #1 - Let's talk SQL Injection and defense
Incident Response Lesson #2 - Let's talk EDU Phishing
Stories For Discussion
Cold Memory Protection - [Larry] - This encryption tool erases the keys from memory that can be acquired by the cold memory reading technique. This tool overwrites the portions of memory where the keys reside with random data, with some... For $50 (or $100) a year, I'm not sure the ROI is worth it. Sure, it is neat, but I think that there are cheaper ways of resolving - like user education.
Firmware Hacking From Jedi master - [PaulDotCom] - This is a freaking cool, and very scary hack. Once upon a time someone told me about this guy who was researching network card firmware security. He would go to the store and buy network cards by the dozen. Like the store would question him and knew him by name. He was researching network card firmware security. I think this is that guy. Firewall bypass, VM escape, all possible if you can control the firmware running on the wired NIC.
Dave & Buster's CC# theft - [Larry] - Thieves socially engineered the restaurants in order to install sniffers on the POS systems to capture CC data in transit to the servers. Sounds like a serial tap for those pin pad terminals. dark reading room article - [PaulDotCom] - quote: "Officials at Dave & Buster's say the chain has taken steps to close the vulnerability so that it can't happen in the future." How do you close the vulnerability of social engineering putting sniffers on the network? That's not easy, and who's to say it actually was secured? Plugging a device into the network and sniffing traffic is hard to secure against, esp. when you are posing as the POS repair man. However, don't give the attackers too much cred: http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/289114912/the-hackers-tha.html Quote: "it seems the criminals had to continually go back to the restaurants and restart the program when it hung up!" Dude, libpcap, it works great, and has for like 10+ years!
Your Home-Grown Web App is not safe - [PaulDotCom] - I saw this during my week, it's nasty. Secureworks did a write-up on it that's supposed to be pretty good. It's an attack we will see continue, nice to see that it's got a name.
Military Botnets - [Larry] - ...using their old, outdated equipment, not those of citizens. I agree that the military needs a way to "carpet bomb" an enemy's computer system, but I don't think that this is the way to go. To me it would seem easy to defeat - just block all military IP ranges...
Who Needs a Virus When You Got Rootkit? - [PaulDotCom] - The stakes are high, attackers want to profit, and going undetected is one of the keys to profit. Check this out "Not surprisingly, anti-rootkit tools did the best, detecting about 80 percent of the rootkits overall, while the security suites found over 66 percent, and online scanners, only 53 percent. Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”" My suggestion, have a process, choose at least three tools, anti-[virus, spyware, and rootkit], install them on a thumb drive, and use it to respond to incidents in your environment. You do have an incident response plan and team don't you? That does include the help desk and desktop team too, right?
Word CSS vuln - [Larry] - I don't bring this up so much for the vulnerability itself, but more along the lines of another attack that can be delivered after evaluating metadata to determine who is using which versions of Word.
Ollydbg has a bug - [PaulDotCom] - DoS that is, why is this important? If I write malware I'm putting this bug in ALL my code to hide from malware analysis. This is serious. If you are a malware analysis type person, patch this. But, how many more bugs are there like this? The longer my malware can go undetected and uncategorized the better, and a DoS vuln can help me do that. Cool stuff.
Rootkit for Cisco IOS - [Larry] - Developed by Sebastian Muniz of Core Security Technologies. This still requires attack code to deliver, and does differ from the code injection techniques, as these run on only one flavor/model. This one runs on multiple models. It begs the question again about trusting your firmware...and how do you know if something has changed?
Apache Mod_Status = Mod_pwnage - [PaulDotCom] - Yes, not only can you grab the server information, but you can see all of the requests! How do you say it Larry, convenient? Yes, very, because if you can see all of the requests being sent to the web server I can parse the data and pluck requests containing sensitive information! Sweet, no need for a sexy web application hack, mod_status, nice.
Nessus changes licensing - [Larry] - Interesting. No more delays for the "free" feed, but you can only use it on personal networks. If you use it in a corporate environment or for consulting, you'll need the Professional license at $1200 a year. I wonder how it will work? Honor system? Check out the microcast with Ron Gula
The treasure hunt is over? - [Larry] - Here's an IE vulnerability from Aviv Raff. Printing an HTML file with "print table of links" enabled can run code on the client system, as the current user, because of the lack of input sanitization.
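As an added illustration that is not part of the show notes: the mod_status exposure described above comes down to two settings, so here is an Apache 2.2-style config with the exposed form beside a locked-down one (the /server-status handler and ExtendedStatus directive are Apache's own; the 10.0.0.0/24 admin subnet is an assumed placeholder, and only one of the two Location blocks would go in a real httpd.conf).

```apache
# EXPOSED: anyone who can reach the server can pull the status page, and
# ExtendedStatus On lists every in-flight request's URL, query string included.
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>

# LOCKED DOWN: deny by default, allow only localhost and an assumed admin
# subnet (placeholder), and leave ExtendedStatus Off (the default) so
# per-request URLs are not listed even for permitted viewers.
ExtendedStatus Off
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 10.0.0.0/24
</Location>
```

On Apache 2.4 the same restriction is written with `Require ip 127.0.0.1 10.0.0.0/24` instead of the Order/Deny/Allow lines; either way, check the result with a request to /server-status from an outside address and confirm you get a 403.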
Hack your.....bike? - [Larry] - Yet another bit on hacking embedded systems. This one is pretty cool - they reversed the firmware, and re-uploaded a modified one to always allow a certain code to unlock and re-lock the bike. They managed to hack about 170 of the 1700 deployed!
Just for Fun
Security Wow! - [PaulDotCom] - Love it!