Episode145

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 145 - March 19, 2008

IMPORTANT - For those who wish to listen to older episodes via iTunes and other RSS feed readers you may need to delete the feed and re-add it. We recently changed servers for our archives which can be found at http://archives.pauldotcom.com. Again, this is important as the current hosting services will NOT extend past March of 2009.

  • Training event in Southern N. E.! SANS@Home - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13th 7-10PM discounted (10%) class

Special Guests: Sherri Davidoff & Jonathan Ham

Jonathan is an independent consultant who specializes in large-scale enterprise security issues, from policy and procedure, through staffing and training, to scalable prevention, detection, and response technology and techniques.

Sherri is a longtime information security consultant specializing in forensics, penetration testing and incident response.

philosecurity Blog - Sherri's Blog

Weblog Blog - Jonathan's Blog

Episode Media

mp3

Tech Segment: Network Forensics - Beyond the Hard Drive.

Download The Presentation Slides Here

Network Forensics allows you to recover evidence that does not even exist on endpoint hard drives.

Network equipment such as web proxies, firewalls, IDS, routers and even switches often contain evidence that can make or break an investigation. A great deal of evidence flows across the network but is never stored on a workstation or server hard drive. Network analysis allows one to recover evidence from network-based devices in order to speed up investigations and results in a stronger attack analysis.

A hard drive is just a small part of the picture. Even if an attacker is smart enough to clean up tracks on the victim system, remnants remain in firewall logs, web proxy caches, and other sources. Network Forensics lets you follow the attacker's footprints and examine evidence from the network environment.


Tech Segment: Dump some memory and play with it.

Windows? Memory? Clear text password? Check!! - [strandjs] - Having Sherri and Jonathan on I just cannot pass this up. Windows XP systems have your password in clear text. Yep. Cleartext. This is a new way of running tech segments. I will be trying to run them as videos every now and then. We have to pimp PaulDotCom TV somehow...

Stories For Discussion

0) Scanning vulnerable Linux distributions with Nessus - [Paul] - Paul's first blog post as product evangelist for Tenable.

1) PWN2OWN OWND - [Larry] - Charlie miller does it again, only seconds after the contest opens. Apparently, he'd been looking for exploits in Safari for the last year, and made sure it worked perfectly. Update - [Larry] - IE8 on Windows 7, and firefox both fell by Nils. Also another Safari exploit. We still have all of the mobile platforms to go...

2) TinyFAIL? - [Larry] - Eeep. Fox News twitters with a link, and that turns into a mysql error...which starts to reveal server config errors. More investigation shows that the php.php reveals all sorts of info, including that the server was running as root:wheel. TinyURL has fired back saying root was never used, so this story is still in flux.

3) SMM compromise - [Larry] SMM (System Management Mode) is the portion of the Intel processors that runs above the hypervisor. Researchers have found a way to exploit the Intel caching mechanisms to jump from the hypervisor at ring 0 up a level to SMM. The only way to detect the exploit is to disassemble the system and perform some hardcore analysis. Compromising SMM allows you to communicate with services at lower rings for rootkits, etc, likely giving the ability to even hide the activity from the hypervisor. Interesting to note SMM has been available in every processor since the 386...

4) ATMs, not hardware card skimming - [Larry] Troj/Skimer-A - malware installed on windows based ATMs that intercepts the magstripe readers, and likely keypad (for pin info). The magstripe interface uses undocumented Diebold system calls, so to me it seems like an inside job, or someone with time and money. Diebold claims to have seen this activity as early as January. more details...

5) Twitter Security Cam - [PaulDotCom] - Our friend Bill from i-hacked has configured a super cool (and geeky) method of detecting if someone's been in your house or near you computer. You take a webcam, Linux, and Twitter and each time it detects motion you get a tweet with a twit pic of, well, say, someone like Larry trying to steal your beer :)

5a) ** Camera Refurb - [PaulDotCom] - Speaking of cameras, this is a pretty cool hardware hack to bring a camera back to life. Neat!

6) Screenshot Meterpreter Script- [PaulDotCom] - Screenshots are awesome, I love them! They tend not to be all that interesting on servers, mostly just screensavers. However, if you break into a client system, they are gold. Nothing speaks more volumes in a pen test report like a screenshot of a desktop accessing the ERP system, or configuring the phone system. What I REALLY, REALLY want is something that will take a screenshot movie. Now THAT would be HOT! It could even do things like display keystrokes on the screen :)

7) Independent Attack Discoveries - [PaulDotCom] - Just when you thought that you found a 0day, its not :) Recently Johanna found some problems related to an Intel caching bug, only to find out that others had discovered the bug in 2005. This speaks volumes towards disclosure, if you found a bug, others might have too, so vendors need to fix them!!!

8) Give Your Password To PaulDotCom - [PaulDotCom] - I love this vulnerability, " when subscribed to by the target user, will cause the target user to be presented with an authentication dialog. When the target user enters their username and password, the information will be sent to the podcast server." So awesome! I wonder how many people would just enter their iTunes password? Free music for all!!!!!

9) Safari, Internet Explorer, and Firefox Taken Down by Four Zero-Day Exploits

10) USB Sniffing - [strandjs] - Humm... This is timely. I am in Lake of the Ozarks in MO presenting on bypassing AV and IDS/IPS and I notice that the hotel has a "Business Center". When I take a look at the business center I notice that all of the the credit card readers are USB, and all of the cables and connections are exposed... Also, all of the boxes were running Windows and had not been patched is some time. Check out hardware USB keyloggers here

11) Expect a call from your boss - [strandjs] - I love it when news sources like USA Today enlighten us to security issues. No.. There was no sarcasm in that previous sentence. The thing that gets me is news sources like this one tend to be the only places that many mid-level and upper-level managers get their information. Sad.. Just Sad.

12) Just one Box - [strandjs] - That is all it takes. You remember when you were in gym class or any competitive team sport and the coach would yell "We are only as strong as the weakest link!!!" He/She/??? was right. This piece of malware infects a single box and serves up DHCP with DNS server settings to a malicious DNS server. Nasty... Very nasty. Is Core or the Metasploit team listening? Maybe a new plugin for Core or script for the Meterpreter is in the future. I bring this up because if we as pentesters and the tools we use are to mimic real-world attacks we need a plug-in soon. Oh!! BTW! All hail the Internet Storm Center team and the good Dr. Johannes Ullrich.

Other Stories Of Interest