Episode171

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 171 - For Thursday October 15th, 2009

  • Syngress Publishing - Quench your thirst for knowledge at syngress.com and use the referral link or the discount code "PaulDotCom" at checkout to save 20% on all security book titles!
  • Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
  • Phreaknic 13 - Get your Phreak on! Oct. 30-31st in Nashville, TN! Billy Hoffman among other presenting...
  • Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running January 11 - 16. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University. Also coming up, 617 on Calgary sometime in March!
  • Rochester Security Summit - Larry and Ed Skoudis to give Keynotes. What can get better than that? October 28 - 29 in Rochester NY!
  • Hackfest Canada! - Mick will be speaking/ranting from the Great White North! November 7th, you'll want to be there! Quebec, Canada (This con is so cool it's happening in two languages!)
  • 10 PRINT "GOTO DOJOCON November 6-7, 2009"
  • GOTO 10

Episode Media

mp3

Tech Segment: John Strand shows us how Windows Prefetching hits the "Easy" button

When talking with Rob Lee at SANS Boston last month he said there is not enough discussion of how Windows prefetch works and why an incident responder would care. Turns out there is quite a bit of goodness to be gleaned from prefetch when it comes to finding malware and what programs have been run.

Also, it is very helpful for a penetration tester. Ever want to know what role a machine serves? Ever want to know what process are started regularly? Well prefetch can help you with that too.

Finally, some malware (i.e. rootkits) hide any file with the name of the rootkit in it from the user. There are ways to still identify some of the rootlkits by looking at some of the configuration files in the prefetch directory.

Take a look at the following video for a demonstration.

Be sure to check out the following links for more details!

  1. Windows File Analyzer - Nice tool for looking at the prefetch files on a system. Automatically parses some of the more useful information.
  2. The Forensics Wiki's writeup of prefetch
  3. prefetch Doh! A fair warning about jumping to conclusions about what certain programs in the prefetch directory actually mean.
  4. Prefetch_info another nice tool that will show all of the dlls associated with a prefetch entry.

Stories For Discussion

  1. EPIC and PATCHES - [Larry] We typically gloss over patch tuesday as we all know it is chiming than you should be patching. However this week has been epic all around with 13 from Microsoft and 28 from Adobe. How do you deal with this many patches and deploying and TESTING in your organization? [Would this help?
  2. When default isn't safe - [Larry] - Wow, so the default setting on the machine is too powerful. remind me of software that you have to configure before you use that is too open to the start, like some p2p clients.
  3. Nuke the Modems! - [Larry] - Why I <3 Warvox. 66 nuclear plants asked to upgrade their disaster response systems from dial-up because replacements are no longer available, and "The use of modems inherently introduces cyber security vulnerabilities to the systems to which they are attached.". So, the replacement VPN system won't have cyber security issues? No, the modem is several minutes to days away from every creep on the planet, vs milliseconds.
  4. Seriously, Wi-Fi Alliance, are you on crack? - [Larry] - I'm not sure I like where this is going: Direct WiFi connect between devices, or a mesh. This sounds prime for hackery to me, especially since it is looking to be for audio and video devices. Not to mention those looking to bypass corporate policy…
  5. Rick Roll Of Doom - [PaulDotCom] - I found many of the "new" MS vulnerabilities interesting this week. There are two, MS09-051 and MS09-052 that deal with malicious audio files that can exploit vulnerabilities.
  6. Finally A Patch! and Finally A Patch! - [PaulDotCom] - I just don't understand the point of holding back on these patches. It begs the question, is it easier to write a patch or an exploit? Even better question, which one is easier to regression test? So, I can see the point, MS doesn't want the patch to break things, however, I can't understand why its released out of cycle? Do people really just wait until the patches come out to do anything about vulnerabilities? Are they implenting the workardounds? Seriously, I want to know what people are doing! Email us!
  7. ActiveX & IE Vulns - [PaulDotCom] - Holy crap, if I used Internet Explorer, I'd be crapping in my pants (good thing Larry sent me diapers a while back, that and I don't use IE). There are tons of remote exploits that hit IE, ActiveX, and Office extensions related to ActiveX. Most of which are executed through a browser. Remember, the browser just needs to render the code, user's don't need to purposely visit a particular site, just browsing the Internet, no matter where, they may encounter the exploit. Is there truly less risk running Firefox as a browser? If so, how easy/hard is it to standardize on Firefox for web browsing, but still allow IE for local sites? Hrmm, put that in your pipe and smoke it when your are designing your defenses, makes my brain hurt a little.
  8. MS Fixes The SSL NULL Byte Attack! - [PaulDotCom] - This is good, bad for attackers, good for defenders. Carry on.
  9. Did you see my new picture, its me dressed up like an EXPLOIT! - [PaulDotCom] - This is perhaps the most scary thing we've seen in a long time (no, not my picture, but the exploit). I've been asking around, is it really as easy as uploading a picture to your favorite social networking web site, getting people to go to it with IE, then when the pic is rendered, BAM! exploit and payload deployed POOF you are part of my botnet. The zombie army will get stronger with this vulnerability, because, well of course people have two use IE, they have to browse the web, and by God they have to look at pictures! I also wonder how easy/hard it would be to detect pictures with a specific signature that carry this exploit code.
  10. Adobe Recommends disabling Javascript - [PaulDotCom] - I picked this up from Liquid matrix, what, you're not reading Liquid Matrix? Shame on you! Dave says it right to Adobe, " Sure. Disable javascript. How about, just a thought, writing some good code? Hmm, ya think? Maybe?" Well put, but what is there incentive to write good, FREE, software? And why does everyone just use Adobe anyhow? Why can't MS include a PDF reader in the operating system like Apple? Wouldn't that make things easier? I mean look at IE, oh wait, nevermind!
  11. Cum Security Toolkit - [PaulDotCom] - I have to say, it was sheer pleasure using this software. "The cum security toolkit (cst) contains a cgi vulnerability scanner and a port scanner, and can be used as a hacking tool, or as a security vulnerability assesment tool." Giving new meaning to "Penetration Test"! You, some networks are just plain messy.... Okay I'm done now, oooohhhhh!
  12. I'm Not Secure and You Can't Make Me - [PaulDotCom] - I'd like to first introduce a great blog called "fudsec.com", I really like their attitude :) Kevin's post is a good one, the jist is there is a point solution for all your problems and the industry scares you into buying them. Agree, this is bad. However, I'd like to address the comment that one way to make a system or network completely secure is to turn it off (what happens is someone turns it on? or social engineers someone to turn it on?)l. Or as Larry says, bury it in concrete("Hi, I'm from the gas company, we need to start drilling NOW or you will all die), or unplug the network cable (Oh, I'll just enable wireless, or plug USB wireless into it for just a minute...). Don't get lulled into this false sense of security, if it has data on it that people want, an attacker will get access to it, provided the pay-off of obtaining the data or systems outwieghs the time spend getting it. I digress... Kevin then goes on to say that risk management and smart design decisions, and VERY IMPORTANT protecting from known and unknown threats is key.

Other Stories Of Interest

Help rename AutoNessus - [Mick] - What's in a name? Help the AutoNessus project (FYI: NOT AFFILIATED WITH TENABLE SECURITY) out by renaming it.