Episode248

From Paul's Security Weekly


Announcements

PaulDotCom Security Weekly - Episode 248 for Thursday June 16th, 2011.

  • The first three episodes of PaulDotCom Español with Julio Canto, Lorenzo Martinez, and Chema Alonso are available here. We have more interviews coming in the weeks ahead....
  • Sign up for Blackhat Training Courses:
    • PaulDotCom Blackhat Training Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat August 1-2. Every student gets a FREE "Hack Naked" t-shirt and sticker!
    • Tenable Security Blackhat Training Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2

Episode Media

MP3 pt 1

MP3 pt 2

Interview: Joshua Drake, Accuvant

Media

Watch the live video version of this segment above. For more videos and to subscribe to PaulDotCom TV visit http://pauldotcom.blip.tv

Download the Audio (MP3) Version of this segment here!

Joshua "jduck1337" Drake is a Security Researcher, Metasploit Developer, and former Skateboarder/BBoy who finds himself asking "If you're not seeing persistent attacks, maybe you're already owned?".

7:30 PM

  1. How did you get your start in Information Security
  2. What was your main research focus with Metasploit?
  3. What are you working on for Accuvant?
  4. Where are the best places to find and download vulnerable software for "testing"?
  5. What are some of your favorite tools and/or techniques used for finding and exploiting vulnerabilities?
  6. What about exploit frameworks, what are your favorite features of each?
  7. Metasploit recently developed a "pay for exploits" program, what are your thoughts on this?
  8. We hear you've joined Charlie Miller, @nudehaberdasher and @hustlelabs at Accuvant, what kind of projects are you working on?

Interview: Steve Carmody, Shibboleth


8:15 PM

Steve Carmody is an IT architect at Brown University and coordinator of the Shibboleth project, the goal of which is to extend Web-based applications and identity management for secure access to resources among multiple organizations. Steve is involved with the InterPlone project and a "firewall lover".

The Shibboleth System is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner. Shibboleth is software developed by Internet2 to enable the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site, so that site can make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies that control what information about a user can be released to each destination. More information on Shibboleth.

  1. How did you get your start in information security?
  2. What are some of the challenges associated with authentication and single-sign on?
  3. If you had to describe to my grandma what Shibboleth is, what would you say? (Keep in mind she got a DVD player for Christmas once and had no idea what it was)
  4. What are the dangers associated with single sign-on?
  5. Has this been adopted by companies in corporate America? What's the ROI?
  6. Does it support SecurID?
  7. What are some other single sign-on products and how do they compare?
  8. If it's open source, how do you compensate developers and people on the project?
  9. Are you still going "shoes optional" at Brown around the office?

Interview: Eric Fiterman, Rogue Networks


9:00 PM

Eric M. Fiterman is the founder of Methodvue, a forensic and security services company, and Rogue Networks -- a security startup housed in a new Baltimore-based cybersecurity incubator program backed by Northrop Grumman and the University of Maryland. Eric is a former FBI Special Agent and firmly believes in a "clothing mandatory" hacking policy, and in his spare time enjoys hacking smart cards and watching 'World's Strongest Man' competitions.

Eric was last on Episode 184

Proper bio: Eric M. Fiterman is a former FBI Special Agent and founder of Rogue Networks and Methodvue, two companies focused on delivering cyber security products and services to the federal government and private businesses. Eric began his career as a FreeBSD/Solaris software engineer and is actively involved in the incident response, forensic analysis, and security engineering domains. Eric currently serves as an expert witness for federal and state civil cases involving trade secrets protection, financial fraud, and computer crime. Eric has received several commendations and awards for his investigative work, including a service award from the United States Secret Service for his investigative contributions to law enforcement.


The field of forensics has changed more in the past 2 years than it has in the last 10. This is due largely to sweeping changes taking place in large enterprises that are virtualizing servers, desktops, and moving services to cloud platforms. This has some interesting implications for people who collect and analyze digital evidence. The "old school" forensic methodology always taught us to hard shutdown computer systems to preserve evidence and reduce the possibility of altering evidence with a soft shutdown. But what about servers that share storage with ten other servers? Is it acceptable to kill a cluster of servers if we don't have to? What about a virtual server? How do we hard kill a virtual server? What about write blocking? How do you write block 500 TB of storage? What about cluster or distributed file systems? How do you handle snapshots, redo logs, iSCSI/NAS, VMFS, clones...

Virtualization is introducing a slew of new concepts into the field of forensics, and forensic practitioners need to be aware of these changes in order to respond to incidents in the new virtual data center. During this segment, we'll discuss some of these topics in a sneak peek of a hands-on lab course on virtualization and forensics at BlackHat this year.

Stories For Discussion


PaulDotCom Blog Roundup

Larry's Stories

  1. App pulled, passwords disclosed - [Larry] - App created as an alternative to the iPhone lock - uses a standard password, but if guessed incorrectly it takes a picture of the user with the camera. Cool. Well, the uncool part is the developer was sending the unlock passwords back to himself for "statistical analysis" of common unlock codes.
  2. EU wants to ban creation of hacking tools - [Larry] - How can this be good? Didn't Germany already try this, and all it does is push the intelligence elsewhere and make folks who are trying to do good things criminals.
  3. Privacy Leaf? - [Larry] - Nissan Leaf, when using the in-dash computer, will access RSS feeds for stuff like Fox News, etc. As part of the request, the Leaf sends location information, speed, and destination (if programmed into the onboard Nav system). In the clear. No way to disable it.

Paul's Stories

  1. [The Strategic Difference of 0day http://seclists.org/dailydave/2011/q2/101] - Dave Aitel brings up a very interesting debate. If you were to scan the Internet today, how many remotely exploitable, good ole' fashioned buffer overflows would you find? If you review the past 20 months of Patch Tuesday, you would only find MS08_067, not so useful anymore. Dave asks if this means there are no more remotes because they've been fixed, or are we relying on client-side and web app bugs and not paying attention to remotes?
    • Anton Chuvakin asks: "Anybody want to bet whether the bugs died OR the disclosure? :-)"
    • Rafal Los says, "Why slave over NOP sleds and guessing at just the right memory addresses and hoping a system doesn't crash when you can walk right in through the web app and take what you want, or worse, implant yourself"
    • Jericho says, "The value of a remote in Windows or a big software package as Dave outlined, has been far more valuable than the presumed marketing impact of releasing an advisory on it."
    • Robert Lemos weighs in: "How is social engineering + client exploit not greater than or equal to a remote server vulnerability from a functional level? The former gets you inside the firewall, the latter -- not necessarily."
  2. 10 things to look for when hiring IT sec - I agree with the list, however I think technical knowledge is important too. Sure you can learn, but there needs to be a foundation. Also, passion is good, but not as broad as described; you need to be passionate about your work too.
  3. [Autorun leads to less USB malware http://nakedsecurity.sophos.com/2011/06/15/usb-autorun-malware-on-the-wane/] - Okay, sure, it's less autorun-enabled malware and that helps, but let's not forget the HID devices and Teensy. Of course, this does prevent attackers from infecting just any device, and that's good.
  4. Stop Asking for Crap You Don't Need and Won't Use - Hear, hear! I've seen this A LOT over the years. People list features in an RFP, and it gets added by the vendor. However, this feature is never used and was only made a requirement because either "it sounded cool", "management thinks we need it", or "competitors' products have it". These are not reasons to add a feature to the product; then the products become bloated, then people complain. So please, just stop. Really think about what you need in a product. There's also a lot to be said for an API. Many features get added because you are the largest customer for vendor X. No one else uses that feature but you, so please, if you are a larger company, hire some smart developers to interface with said product's API.
  5. Creating Web Sites For Spammers - "a "Free anonymous web hosting" site, which allows anyone to create any page with a simple POST request." No, just please say it isn't so! A web site that lets you upload HTML. WTF is that all about? It's just not a responsible thing to do and you should block this site everywhere you can. If you are the ISP for this site, burn their servers, virtual or not.
  6. THE INTERNET IS FOR PORN - Dear Lulzsec, I am writing to tell you that while we secretly love you, leave the porn sites alone. I know, I know, it's fun to hack into web sites and expose user data, and while we don't condone your methods, leave the porn out of it. The Internet is for porn, and we all need to work together to make sure the porn stays where it should, online and available to all 24/7. k, thx, bye.
  7. Metasploit Exploit Bounty - I think they are doing this right, as patches have been released for the vulnerabilities. The price is a bit low, $500, and you get a week to write it, and it has to bypass DEP and ASLR and be written for Metasploit. Still, while this benefits Metasploit, it helps the rest of us too. Often there are vulnerabilities which require some work to get exploitation. Companies will accept risk, but if an exploit ends up in the framework, people will remediate.

Listener submitted content

Infosecurity Experts Unite to Create Global Cyber Security Research Agenda - special request from the pauldotcom IRC channel ... "can you bring this in the pauldotcom news to get them all drunk? :)"

BitCoin gets bitten! Makes you wonder if this is state sponsored... hmmmmmm.....

iPopular because iPhone - Apple plans to remove all the uncomfortable parts of spontaneous conversation by noting in an app how compatible your music collections are or where you've visited (with the iPhone in tow) so that you can meet that special someone.