Episode211

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security


Sponsors & Announcements

"And now from the dark corners of the Internet, where the exploits run wild, packets get sniffed, and the beer flows steady its PaulDotCom Security Weekly!"

"Sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable's Security Center extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable – Unified Security Monitoring!"

"Core Security Technologies, helping you penetrate your network. Now version 10.5 full of Jive! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool."

"Cenzic, create a Hailstorm for your web applications! Sign up for a free trial of the Hailstorm software or scan remotely with their new online service to keep you web applications in check."

"And Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!"


PaulDotCom Security Weekly - Episode 211 - For Thursday September 16th, 2010.

  • Shoecon 9/18/2010 - Sept 18th "ShoeCon is being held as a charity event for the Matthew Shoemaker Memorial Care Fund. Matthew or “Shoe” was a fellow security professional, DC404 member and InfoSec podcaster who left behind two children. Thanks to the generosity of DC404, this event will be held in conjunction with their September meeting at the Wellesley Inn-Atlanta Airport. This is a donation driven event where all the proceeds will go to the Shoemaker Memorial Care Fund."
  • Announcing Hack3rcon!The con will take place on Oct 23-24, 2010 at the Charleston Civic Center, alongside CharCon, a gaming conference that will interest many of you as well. Tickets are $40 for the whole weekend.
  • Mark Baggett teaches SANS 504 during SANS San Antonio for 6 days. Come learn Hacker Techniques, Exploits & Incident Handling! November 13th thru 20th.

Episode Media

mp3 pt 1

mp3 pt 2

Tech Segment: Stuxnet: Facts & First Impressions

I have to say, I am very impressed with this malware. It does some really awesome things, but also its a bit stupid. Here's what I found so far:

  • It uses 4, count them 4, 0-day exploits. Not all the exploits are still 0day though. First one was the LNK vulnerability, second was the print spooler. Word is there are two more and of the privelege escelation variety for MS Windows systems. These two have not been patched yet, but MS is aware of them.
  • Tough to say if they wrote the 0day, bought it, traded for it, contracted with a foreign government
  • It uses USB sticks to spread, my guess is to target "air gapped" networks commonly used in SCADA?
  • It targets Seimens (pause for Larry joke) PLCs and will download and install a PLC rootkit that is installed on the PLC itself
  • Malware expert Dennis Brown says that the infection type and C&C is basic, it does not randomize file names or use Fast Flux for C&C or DNS
  • The C&C was so lame that Symentec now has control over it
  • It also had an exploit for a Windows vuln for 2008, which it would only executeon control systems networks, and contained basic checking for this type of network. If it was on a corporate network of sorts, it would not execute the 2008 vuln
  • Most malware is out to steal information, this one has the potential for sabotage. could also be used for blackmail.

Stuxnet Resources

http://www.langner.com/en/

http://www.digitalbond.com/index.php/2010/09/14/stuxnet-fingerprinting-a-specific-target/

http://www.digitalbond.com/index.php/2010/09/13/stuxnet-the-siemens-affect/

http://www.securelist.com/en/blog/2291/Myrtus_and_Guava_Episode_MS10_061

http://www.networkworld.com/news/2010/091410-siemens-stuxnet-worm-hit-industrial.html?source=nww_rss

http://www.networkworld.com/news/2010/091410-siemens-stuxnet-worm-hit-industrial.html

http://blogs.technet.com/b/srd/archive/2010/09/14/ms10-061-printer-spooler-vulnerability.aspx

Guest Interview: Vincent Liu

Vinnie Liu is a Managing Partner at Stach & Liu. He has been a professional penetration tester & manager of penetration testing teams for over a decade. Vinnie recently co-authored the 2nd edition of "Hacking Exposed: Wireless" and is co-author of the upcoming 3d edition of "Hacking Exposed: Web Applications".

Stories For Discussion

  1. Social Engineering bank robbers, via @HumanHacker
  2. Getting sucked into Stuxnet - [Larry] - Wow, Stuxnet is turning into a great find for folks who are into conspiracy theories. From specifically targeted malware (to one power plant), to unlicensed software, to other infections allegedly serviced by the same integrator, integrator with 2 year old malware on their website…I suspect this rabbit hole goest quite deep.
  3. Evil Wifi, w/captive portal - [Larry] - Oh man, I need to get off my butt and build one of these setups. Evil Wifi, karma, metasploit, and an actual internet connection. Now you'll rope them in, and keep them on…
  4. Mapping via the PSTN - [Larry] - Wardialing isn't dead, it has just evolved! nothing like wardialing to reverse map names to phone numbers for all of Malibu.
  5. Backwards compatibility on so many levels - [Larry] - Regression testing? Nah. A linux kernel bug from 2007 made it's way back in to the kernel, in the portion that converts 64 bit code to 32 bit for backwards compatibility. Sure it requires credentials, but privilege escalation is always a nice thing to have in your back pocket.
  6. Samba Buffer Overflow - [pauldotcom] - Who knew! A remote exploit for Samba! Just how many buffer overflows will be uncovered in SMB? Seems to have a long history of problems, with Samba and on Windows.
  7. Teensy Programable HID [pauldotcom] - I think we should all have these. I saw another post where the dude loaded a PDF exploit on a thumb drive, called it "HR.pdf" and left it in the bathroom and got shell. I do think that basing the USB attack on U3 or a vulnerability is risky. U3 has largly been disabled and patched, and vulnerabilities do get patched. I think all pen testers need to build these devices as its the most reliable way to execute an attack because its a HID.
  8. Exploit Store Good For Enterprise Security? - [Pauldotcom] - I mean I get it, exploits are cool and all, but no so sure a marketplace is better for security. I actually think the open-source metasploit model is best, its free, open to the world, everyone can use it, and it levels the playing field. Now, it does arm the attackers, but also gives the defenders and the vendors access to the same information. Paying for exploits is one model, but limits access to the information and software to test your network, and limits vendors from including them in their products. So, my vote, just keep adding exploits to Metasploit and don't charge people for them. I also don't agree that the hurdles in operating systems are really protecting people, there are ways around them. I do agree that pen testers attack people, and software vulnerabilities only get you so far. Including social enginerering components, like with SET, make you very succesful, and point out areas that need attention in your defenses. You could have all the 0day in the world, but most attackers are going to just guess a password. Lets fix that problem before we claim buying/selling/trading exploits makes things better.
  9. Shaq\ Attacks The Internet! [pauldotcom ] - Such an awesome storie, Shaq allegedly hacked into a mistresses voicemail, deleted messages, and changed her password. He also threw a laptop, his own, into a lake behind his house. Shaq needs to watch our videos on effective methods of data destruction.
  10. Evil Wifi Using OS X and La Fonera - [pauldotcom] - I think this is a great post and very effective even at present time. Lure people to your captive portal, sniff traffic, own their DNS,and still give them access to the Internet. I'd imagine you could configure the La Fonera or similar device to do it all.
  11. Adobe 0day with Stolen Certificate - [Larry] - Not sure about running that executable, no worries, it is signed with a stolen cert!

Other Stories of Interest