Episode192

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security

Sponsors

  • Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
  • Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
  • Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!

Shameless Plugs & General Announcements

PaulDotCom Security Weekly - Episode 192 - For Thursday March 25th.

  • Notacon! - April 15th - 18th in Cleveland, Mick will be presenting two talks and be a part of a panel discussion! You may also try to get him to discuss hockey!  ;-)
  • QuahogCon - This will be the next conference that we will be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come and enjoy what's sure to be a great Con! [PaulDotCom] - Uhm, should mention that Larry is giving not one, but TWO talks!

Episode Media

mp3 pt 1

mp3 pt 2
Guest Interview: Jeremy Brown

INFO

Jeremy Brown is a vulnerability researcher and spends countless nanoseconds with low level programming, reverse engineering, and fuzzing. Until proven otherwise, Jeremy works as a Vulnerability Research Engineer at Tenable Network Security, runs his own security blog and is the founder of Krakow Labs.

Jeremy's website

Questions

  1. Please tell us how you got your start in information security.
  2. Is it easier to find bugs via fuzzing than it is to review code? Why or why not?
  3. How is browser fuzzing different from protocol or other kinds of application fuzzing?
  4. What are some techniques for intelligent fuzzing? For example, it's one thing to know that you've crashed something, but another to know what crashed it and why or how.
  5. Many people are afraid of fuzzing, thinking that they need to code in assembly language to do it, and many others simply do not carve out time to fuzz stuff. What can you say to those people to encourage them to work fuzzing into their daily jobs?
  6. Why don't developers, or even QA departments, fuzz their own stuff all the time? Shouldn't this be a standard practice? For example, Charlie Miller used this technique to find 20 bugs in Apple software.
  7. Tell us about your Dojosec presentation, "From Static Analysis to 0day Exploit". What is static analysis? What tools do you use for static analysis?
  8. What is the Browser fuzzer and how does it work?
  9. Wow, vuln research sounds sexy! How does one get started? What tools are free or cheap to get started looking for possible vulnerabilities?

Stories For Discussion

  1. Teach a man to fish... - [Darren] - The Pwn2Own three-peat winner is offering to show the vendors whose software he has found bugs in how to find their own bugs, instead of just telling them about the vulns he found.
  2. I am in your twitterz - A 24-year-old Frenchman is going down for hacking Twitter admin accounts and peeking at Obama's Twitter account. But hey, he is a nice hacker after all who wants to teach us all the follies of online personal data. Too bad that may mean 2 years in prison.
  3. TJX / Hannaford hacker gets 20 ass pounding years - [Darren] - TJX hacker gets 20 for his crimes... next story.
  4. Anti-Virus Rants - [strandjs] - Nice little write-up on how we are using VirusTotal wrong. Interesting. Well, let's talk about the pros and cons of using VirusTotal as part of our penetration testing process.
  5. Should we go easy on Developers? - [strandjs] - This is kind of dumb. It is impossible to make software 100% safe. Is this horse dead yet? You should not build your security architecture around the idea that any software is safe…. Ever.
  6. Bad Guy Caught - [strandjs] - There are not enough stories of the bad guys getting caught and successfully tried. But I would like to see the companies that got popped held accountable too.
  7. 'very existence' of US under threat - [strandjs] - Ok, I like to fire up the crowd as much as the next guy. But is this a bit much? I mean, it is great to have people giving speeches like this, but sometimes I feel that if the rhetoric is too hot, people will shut you off. Worse, I think he is right.
  8. Linux Runs In Places You Would Not Expect... - [PaulDotCom] - I find it interesting that the article quotes a statistic that Linux only runs on 1% of computers. They are most likely just talking about desktop computing, not servers or devices. Even more compelling than IBM, the DoD, and Cuba is the fact that your life is surrounded by systems running Linux. Your cell phone, DVD player, video game system, heating and cooling systems, wireless access point, firewall, and your DVR are most likely running Linux. Linux zealots will say "Linux is more secure!", which is total BS. Linux is just as hackable on various platforms and devices as any other operating system. It's almost worse than other operating systems, because not only is it vulnerable, but no one is really talking about it because everyone is shouting from the rooftops, "Linux is more secure!". The fact is, it's just not. You may think that you can configure it more securely, but how many people do not? With everyone creating their own distribution (Google, Cuba, Panasonic), how can they implement security technologies easily across multiple different types of systems and kernels? The moral of the story is: never think something is secure just because it's different. And when people say something is secure, don't believe them. Let the flame mail flow from the penguin lovers.
  9. pwn2own Day 1 - Everything has been hacked - [PaulDotCom] - Everything is vulnerable. Here's my proof: give researchers enough time and they will find a vulnerability and figure out how to exploit it. I'm not sure what else they are trying to prove with this competition. I think that Tipping Point's model is flawed; it just gives vendors more time to ignore vulnerabilities. There exists today an exploit that works on an IE8 system running 64-bit Windows 7 (bypassing ASLR and DEP). A Safari exploit works on a fully patched OS X system, and Firefox 3 on Windows 7 fell as well. The iPhone fell as well. I'm going to comment about the state of vulnerability disclosure and say that we are enabling. Vendors are given far too much leeway when it comes to vulnerabilities. If you give them time, they will take it. They're not working on the problem, they are just taking time. Time where other people have an exploit and are using it against your systems. If it gets released, boy, they sure patch it in a hurry. I believe we need to play a little more hardball with vendors and get them to patch stuff more quickly and more frequently. If you have a good patch management strategy, you should be able to keep up.
  10. Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device - [PaulDotCom] - This is just an outstanding project by Irongeek. I strongly suggest that you do it yourself, for several reasons: 1) you know exactly how your device functions, 2) it's a good learning experience, and 3) as a security professional, more and more, you need to be familiar with hardware and electronics. I personally plan to build one and make it work. Oh, I should mention that this is a custom USB HID (Human Interface Device). It's like U3, but better: you can plug in a USB dongle and run commands on the host. Way cool. I don't see this being used on every pen test, but it can come in handy.