Episode237

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security


Announcements

PaulDotCom Security Weekly - Episode 237 for Thursday March 31st, 2011.

  • SOURCE Boston on April 20 - 22- Paul and Larry will be there to hang out, talk beer and drink security.
  • PaulDotCom Blackhat Training - More details coming soon, but we are on track to offer "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat this summer in Vegas baby! Registration links coming...
  • DerbyCon : Louisville, Kentucky – September 30th to October 2, 2011 with practically all of PaulDotCom in attendance. Catch our special training session on "How to survive a Dave Rel1k Man Hug".

Episode Media

MP3

Guest Interview: Michael Gough (pronounced **Goff**) and Ian Robertson ... The 'Thoughtful Hackers'

Ian is a security guy who spends his time trying to improve the security of his community, state and country. He is Director of Information Security with the State of Texas and 1/2 of the newly dubbed 'Thoughful Hackers'. You can catch simple, straight-forward and actionable advice through his website CyberSecurityGuy.com

Michael is a Senior Risk Analyst for the State of Texas and the local Austin BSides lead. When he's not beering and mountain biking, he spends his time blogging at HackerHurricane.com. He is also the author of the Syngress Published "Skype Me!" and "Video Conferencing over IP" books and is the 2nd half of the 'Thoughful Hackers' security research team.


Security researchers Michael Gough and Ian Robertson have identified a vulnerability impacting a widely popular security card key access system, and produced a first-of-its-kind exploit on a smartphone platform to prove it. Larry called "shenanigans" on this in Episode 235 and they're here to give us the skinny. They'll tell us about how they found the vulnerability, its exploitability, how the system is fundamentally flawed on several levels, what needs to be done and what they're doing to help protect others.

  • First off, sorry 'bout the shenanigans, but in this industry often times the proof is in the pudding, and videos are cool, but sometime get overlooked. How do you think the awareness on this issue is working?
  • So, to be frank, what is the issue, and what is Caribou all about?
  • Caribou is for the Android, but, will the underlying exploit work elsewhere?
  • We understand and respect the path you've chosen for disclosure, but how has the experience been working with CERT and the vendor? Bases on the status now, do you think the vendor is taking the issue seriously, and will you ever get to (if you choose to) release Caribou?
  • Tell us about some of the other technical challenges with accessing the technology to make the exploit work?
  • How pervasive is this type of problem in your opinion? How about other vendors? How about embedded, and access cotrol systems in general?
  • Why do you think that this particular instance is such a mess? Is it the vendor's fault? The installer's? The customer? Or just a lack of understanding all around?

Guest Tech Segment: Deral Heiland “PercX” and Pete Arzamendi “Bokojan” on Multi Function Printers and PRAEDA

Deral Heiland is a Senior Security Engineer for the foofus.net security team and is co-founder and president of the Ohio Information Security Forum. He's here tonight to discuss his ShmooCon presentation on Multi Function Printer pwnage.


In this presentation they go beyond the common printer issues and focus on harvesting data from multifunction printer (MFP) that can be leveraged to gain access to other core network systems. By taking advantage of poor printer security and vulnerabilities during penetration testing they were able to harvest a wealth of information from MFP devices including usernames, email addresses, authentication information including SMB, Email, LDAP passwords. Leveraging this information they have successful gained administrative access into core systems including email servers, file servers and Active directory domains on multiple occasions. They will also explore MFP device vulnerabilities including authentication bypass, information leakage flaws, and XSS flaws. Tying this altogether they will discuss the development of an automated process for harvesting the information from MFP devices with the beta release of their new tool ‘PRAEDA’.

Stories For Discussion

Larry's Stories

Revenge is a dish best served uploaded to youtube [1]

Jackie Chan is dead and Samsung sells laptops with key loggers!! (well hold on) [2]

Paul's Stories

  1. Apple Infultrates Jailbreak Community? - [pauldotcom] - This would be such a cool story, if it were true. Lets pretend for a moment that there is actually evidence to suggest that Apple has planted a mole in the jailbreak community. First, for all you lawyers and want-to-be-lawyers out there, are their legal implications here? If you are a company, and a group is "hacking" your products, can you legal plant a mole to collect information? John and I talk about offensive countermeasures for defenders, and there are lots of cases of defenders gettiing into underground groups for collecting information. What about the other way around? I'd use the term "espionage" but not sure if it applies. Sure, stealing IP is not so cool, but is this stealing of the Jailbreakers IP if the IP to begin with is a 0day in a product they don't own, but rather 0wn?
  2. Printer tool releaseed: printFS - [pauldotcom] - Pretty cool printer research tool has been released. I have to say, I wish there was a nice direct way to steal print jobs over PJL. Creating a distributed file system is really neat, but the real dangers of printers fall into two categories for me: Stealing print jobs and using printers as a jumping off point. I'd also throw in modifiying the printer to do two things: 1) Send malicious code to a client computer when they request downloading drivers and 2) Modifying the web server to serve malicious pages (Java/Javascript).
  3. Please don't hack my virtual girlfriend - [pauldotcom] - First, LOL. And yes, I'm serious: "CloudGirlfriend.com claims that it will create the perfect cloud girlfriend, one who will tweet and post adoring messages on a user¿s Facebook wall and one that the user will never have to deal with in real life.". This is operated by a REAL GIRL (likely in India?). I can just see it now, stealing my girlfriend with XSS talk at Defcon. I mean, how do you know its a real girl? I love this too "The right virtual girlfriend can be just like having a real long-distance girlfriend, without the hassles," I'm curious, not having a virtual girlfriend before, what kind of hassles are associated with an online girlfriend? "Sorry honey, we can't cyber tonight, I have a hand cramp..."
  4. Taking Back "Cyber" and "Hacker" - [pauldotcom] - Yes, lets take these words back dammit! They are so often used incorrectly. Okay, I'm the first to admit, I'm not an expert when it comes to the English language. However, here's my take: First, "cyber" is NOT a noun. I think this is the first golden rule of "cyber" (ha! see, cyber noun is BAD). I've heard people saying things like, "This doesn't apply to "cyber". Cyber should be, first and foremost, a verb, like "cybersex" or "Hey baby, want to cyber?". The grey area for me is using it as an adjective, like "cyberwar", "cyberwarrior", "cyber attacks". I can see the point, it distriguishes war, warriors, and attacks from guns and ninja swords, to exploits and packets. However, its way over used, so please, please limit the usage of it as an adjective. As for the word hacker, the rule is simple, you can use it as a noun, "A hacker figured out how to transmit Zigbee packets". You can use it as a verb, "I want to hack my badge". What we need to be careful is to not to use it to describe evil without another adjective. So, "Hackers gain unauthorized access to the bank". I'd prefer "evil hackers", but even then I have trained myself to use the word "Attackers" instead.
  5. Facebook posts to great wall of China - [pauldotcom] - Evidence suggests that Facebook sends data to China. I heard rumours years ago that Facebook was somehow tied to the CIA. Could this be true? Whats true is, your data is not really yours once you put it on Facebook. You have lost control of it the moment to push "Share". I mean, the button on Facebook says "Share", so don't cry privacy if you use Facebook. Its public, which means its shared with the CIA and China, get over it. What does this mean? It will be used by someone to profit in some way and maybe even to market to you or even embarrass you. So, golden rule: don't post embarring stuff to Facebook.
  6. Key skills for penetration testers - [pauldotcom] - So many people ask me "what do I need in order to get into information security and be a penetration tester?". This article hops on some points that are really important. I always say "you need to be a hacker". However, I LOVE this concept: You need to be good at both convergent and divergent intelligence. Here are some definitions: "Convergent intelligence is the ability to derive a solution from the evidence available to us, while divergent intelligence is the act of taking a single thought or concept and finding multiple applications for it." So, big difference between "There is a brick wall and we can knock it down with a hammer" and "We found a brick, what can we do with it?". The "what can we do with a brick" is convergent, and a skill that is most important for security and pen testing. You find an answer, and need to spawn ideas off of it, this is useful for pen testing and defense.
  7. mysql.com hacked - [pauldotcom] - You'd think they would know better, right? I think it really shows that security is not about knowledge, its about practice. And I'm not talking about going out into the woods and kicking a tree, I mean you training schedule is 6 days a week, and incorporates diet, cardio, internal, and external styles.
  8. Don't limit your penetration testing - [pauldotcom] - there has been a lot of debate about the effectiveness of penetration testing. What is the value? I mean, we know if you are missing a patch, you should apply it. Having said that, here's a warning: You should not be using penetraion testing to figure out what you need to patch, just patch it. Also, I think we have moved beyond the point of using penetration testing to "see if you can get in" or even "what can you do once you get in". I think we all need to embrace the concept of constant penetration testing and persistence. Have people find ways in, then see how long they can stay in. How can you detect them? What you really want to do is uncover how your processes can improve to detect and respond to attacks, and THATS the real value.
  9. The iPad Proves CIOs are Useless - [pauldotcom] - Okay, I would replace "useless" with "ineffective". I believe you need to look into the title, and make the job function match. "Chief Information Officer" right, meaning its all about the information, NOT the technology. So, I believe it does not matter what the technology is, employees need to be the consumers of technology and information. The problem is that fundementally there is a flaw. We don't protect our information, so therefore technology that makes information more accessable is bad and IT says "no". You should say yes, and do your job of protecting information. I'm not saying its easy, but thats your job. Telling people they can't use iPads, cell phones, and even Windows is just silly. Fact is, people will use them anyway. One of the big problems is email, as we've seen its a vital piece of your IP. I still maintain that if you can create a company to protect and encrypt email, you'd make a lot of money. BUT, it comes down to usability, whatever you put in place has to be usable, going back to the debate about cloud with respects to speed and usability that we discussed with Hoff. I also think saleforce.com would make a killing selling an appliance, but they may hurt them more than help them...

Darren's Stories

Carlos's Stories