Episode231

From Paul's Security Weekly


Announcements

PaulDotCom Security Weekly - Episode 231 for Thursday February 17th, 2011.

  • Larry teaching SANS 617 "Wireless Ethical Hacking, Penetration Testing, and Defenses" Community style Monday, May 9, 2011 - Saturday, May 14, 2011 in Victoria, BC.
  • Source Boston, DerbyCon!

Guest Interview: Stefan Esser


Stefan Esser is best known in the security community as the PHP security guy. He founded the Hardened-PHP Project to develop a more secure version of PHP, which evolved into the Suhosin PHP Security System. He now works as head of R&D for the German web application company SektionEins GmbH that he co-founded.

Stefan on Twitter

Stefan's blog

  1. Tell us about your recent presentation on ASLR on jailbreaking
  2. What are your thoughts on Apple's recent decision to add ASLR to iOS 4.3 to stop jailbreaking? You reported that dyld_shared_cache was shifted as a whole block - does that help jailbreaking?

Tech Segment: Trent "Surbo" Lo: An Evite from Surbo? Probably an invitation for trouble.

As a security researcher working in the industry for well over 10 years, Trent protects a Fortune 500 communications company as a key member of the incident response team specializing in the detection of malware and web-based attacks. As a part of the hardware hacking site I-Hacked.com, Trent uses his talents to discover and expose vulnerabilities in hardware and software products.

Surbo's presentation will explore the multiple security issues within Evite and exploit them using Social Engineering attacks for huge lulz. Grab a beer and sit back as you watch the fireworks while the bride confronts her "friend" who just called her fat. Go ahead, click "YES" to that Evite because after this presentation there will be no more dull parties! From taking over accounts, impersonating guests or banning them forever, Evite just got a whole lot more fun.

Stories For Discussion

Larry's Stories

  1. Computer fraud…by Modem - [Larry] - When I saw this I said, how the hell did this guy get enough machines infected to steal $8M by having his zombies dial premium rate numbers… Then I looked and the case was recently unsealed and occurred from 2003 to 2007. Still I wonder how many still have dial up modems or fax cards to make this a profitable venture anymore.
  2. 7 ways to not get hacked by Anonymous - [Larry] - So many things wrong with that title. First off I think it should be 8 ways, but make #1 "Don't be douchebags." Ok so here's the list:
    • 1. Don't assume what type of attack will manifest - That's some solid advice. You should prepare, within all acceptable reason, for your highest risk scenarios.
    • 2. Use tried and Tested CMS - Sounds ok, but think about some of those alleged CMS…Joomla, Wordpress, etc. Not much better, but the argument against a custom system does have some merits. All CMS sucks.
    • 3. Use strong password hashing - Fair, but even well hashed passwords can be bruteforced with enough time and computing power. We've talked about passwords often enough that you know they are broken.
    • 4. Use Strong passwords - Ditto. Sure, but how about something better?
    • 5. Don't reuse passwords - Very good advice, but mere mortals may have issues. Back to the password issue again.
    • 6. Keep patches current - Yes, for known exploits, you should be doing this stuff, especially if it doesn't break functionality. Don't be slow about it either. I'd say to do restrictive firewalls and such, but the cases in point here were privilege escalation, which means they are already on the box…
    • 7. User awareness of social engineering - Yes, yes, 1000 times yes. Even then it still won't sink in, you still should try. Yes, even "smart" security folks can fall for it, and get someone to open ports on your firewall.

  3. Tracked by user name - [Larry] - By reusing the same user name across many public sites, folks have the ability to track your habits, comments, purchases and the like. This can be valuable for a spammer, but I'd also argue that tools that track this type of information could be very helpful for attackers/pentesters…

  4. Attacking the wireless attackers - [Larry] - Well, sorta. A buffer overflow in aircrack-ng allows for a DoS condition when processing malformed EAPOL. DoS now, but listen to this from the PoC exploit:

Given that we have plenty of room for payload and that the tools are usually executed with root-privileges, we should be able to have a single-packet-own-everything exploit at our hands. As the attacker can cause the various tools to do memory-allocations at his will (through faking the appearance of previously unknown clients), the resulting exploit-code should have a high probability of success.

Ouch. Maybe that was why my Kismet with autowep turned on kept crashing the other day...

Paul's Stories

  1. Quantum computer research reaches "significant milestone" - [PaulDotCom] - So this reminded me of a story. I was teaching a firewall class to a small group of people that were internal administrators working for the same organization I was at the time. I was DEEP into stateful inspection, TCP handshakes, UDP, ICMP (yes, we all had our TCP big boy pants on). The course just happened to cover Netscreen firewalls, which is what we used at the time. It was great fun. Oh right, quantum computing. So we're about three quarters of the way through the class, and I'm jumping up and down with excitement about dynamic source port allocation or something, and someone raises their hand and asks me this: "So, with the advent of quantum computing, we aren't going to need firewalls anymore, right?" The question really caught me off guard, I have to be honest. Remember, encryption is only good if you are using it, and using it correctly. Just ask those people who have had a laptop stolen or all their email published as a Torrent file on the "interwebs". It begs an interesting philosophical question though: if we can come up with a way for people to authenticate themselves to every service on the Internet, why do we need firewalls? (Sorry, my cold medicine has me all "philosophical today").
  2. Cisco Security Agent Web Management Interface Bug Lets Remote Users Execute Arbitrary Code - [PaulDotCom] - I LOVE vulnerabilities like this! You win remote code execution over port 443, where you then win a free trip to the configuration of end user policies and as a bonus you will get an exclusive excursion to "perform other administrative tasks". Consider that this is software that touches every end-user workstation, and it's a vacation I can wait to go on. The best part is that most people are giving this vacation away, because well, it's on the inside of the network so I don't have to patch it. That's when BEEF comes in handy to hook your browser, read your bookmarks and URL history, then find the internal IP/Hostname of your CSA console, then hopefully get your browser to send the payload I need. At least that's how I see it going down, and I will have a fancy drink with lots of umbrellas and fruit in it, just because that's how I roll on vacation.
  3. Embedding Files into JPEGs - [PaulDotCom] - Where do you keep your malware you want to share with friends? On Facebook, where else? Neat little trick that uses EXIF and other techniques to inject a file into a JPG image and upload it to Facebook. Now, what would be really neat is if you could inject an EXE and get it to execute. However, the ability to store documents inside an image is a neat trick.
  4. Mcafee and VXWorks Partner for secure embedded systems - [PaulDotCom] - Okay, so let me first start by saying that this is a step in the right direction. I firmly believe that embedded system manufacturers who are looking for improved security, and forming partnerships with security companies is a good thing. However, and this is a BIG however, look at the track record. I wouldn't be doing this justice if I didn't mention the freakin' huge gaping security hole that HD Moore found in just about all VxWorks devices because they left debug functionality turned on! I'm sorry, but there are just some things that cannot be helped by security companies, and that's poor security practice. Oh, and furthermore so many embedded systems vendors give you a backdoor in your firmware, which gives administrative control, where I can turn off any extra layers of protection. And don't get me started on Mcafee, "Oh look, /proc is a virus, I will just delete it!". Great, thanks for that. Security is not about add-ons and features, it's about processes and controls. Wind River came out and said, "But our operating system is secure" and it wasn't, not even close. Security is culture, not products, and I sincerely hope embedded device manufacturers adopt a more security-focused culture.
  5. EXACTLY Why Your Network Needs to be resilient against the 0Day Threat - [PaulDotCom] - I'm not trying to use buzzwords or get popular by using the term "0day threat" (in fact I hate the whole way we say "O-Day", it's just annoying). In any case, there is an "O-Day" floating around for Microsoft systems, in particular the SMB service on Windows 2003 AD servers. Ouch. So you're probably saying, "But I have a firewall, IDS/IPS, Anti-Virus software, and patch management.". So do a lot of people, which is why attackers use social engineering and "O-Day" attacks. You have to ask yourself, if someone wanted to target you, how successful could they be? What's stopping them from getting your users to click on a link or open an attachment? What stops your users from accessing SMB on your servers? How do your servers defend against a 0day attack? This is one reason why I love real-world hacking challenges. I've done several over the years, and it always starts out the same way. You have to defend the network for the first hour of the competition without a firewall and without patches. "But that's not fair" people say, but that's the real world. It's like that scene from the movie "Dodgeball" where the coach has them all line up for training. He then takes out a giant wrench, and without warning, hurls it at one of the guys who gets clocked in the face. He then states, "If you can dodge a wrench, you can dodge a ball". So, if you can defend a "naked" network, you can certainly defend one with a firewall and other techniques. It's not so much about protecting the attack to begin with, but what happens afterwards.

Other Stories of Interest

List of beer victims

Left Hand Brewery - Polestar

Left Hand Brewery - Fade to Black

Wells - Banana Bread Beer