Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 277 for Thursday February 9th, 2012
- John Strand will be teaching "Offensive Countermeasures: Defensive Techniques That Actually Work" and Carlos Perez will be teaching "Using and Automating the Metasploit Framework" on March 13-14 at the Mid-Atlantic CCDC just outside Baltimore, MD! Register Today at The PaulDotCom Training Web Site
- John Strand will be teaching Offensive Countermeasures at SANS Orlando March 23-24th: Check it out here
- Larry is teaching SEC617: Wireless Ethical Hacking, Penetration Testing and Defenses 5 times this year: vLive!: April 16 - 22, 2012, SANS Cyber Guardian 2012, Baltimore: April 30 - 06, 2012, SANS Toronto 2012, Toronto: May 14 - 20, 2012, Community SANS Ottawa, Ottawa: June 11 - 17, 2012, SANS Sydney 2012, Sydney, AU: November 12 - 18, 2012
- Check out our new shows: Hack Naked TV with John Strand, Hack Naked At Night with Larry and Darren, PaulDotCom Espanol with Carlos Perez.
- Subscribe to our only non-computer security related show dedicated to Cigar Enthusiasts Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. Wether you smoke an occasional cigar or daily, this show is for you! Tune in as we review the latest cigars being released and talk "Stogie Tech".
- Don't forget to Follow us on Twitter
Interview: Adam Shostack
Adam is a principal program manager on the Usable Security team in Trustworthy Computing, which performs ongoing research into classifying and quantifying how Windows machines get compromised. Before joining Microsoft, Adam helped found the CVE, the Privacy Enhancing Technologies Symposium and the International Financial Cryptography Association. He is co-author of the book, The New School of Information Security.
- You have an interesting title at Microsoft, it doesn't sound like one that would have been there ten years ago. What does your "normal" day look like?
- Can you briefly describe the idea of the New School?
- The New School of Information Security has been out for almost four years, what are the most encouraging changes you have seen in that time? And the least encouraging?
- The title of chapter five is an Alan Schiffman quote, "Amateurs study cryptography, professionals study economics", a great quote, but I assume some people took exception to that.
- The book challenges some sacred cattle, such as user education. Do you still struggle to make people understand the importance of understanding the human element of Information Security?
- An interesting human element covered in the book was that visible security measures appear to make people less cautious. I have certainly seen people who believed the firewall and anti-virus meant that they didn't have to take any personal responsibility for their actions online. This "dealing with people" thing is tricky.
- The book also promotes what some now call the operationalization of security. While some are picking up the idea, others seem entrenched and are content with the status quo. Have you seen any successes in this area in large enterprises?
- Reports such as those from Verizon, Mandiant, Veracode, Trustwave and others are giving us more information, but the formats vary and the raw data isn't always available. How can we make the most of these reports?
- You have done some creative things to educate people about security. Can you tell us how you came up with the idea for the Elevation of Privilege card game, what it was like promoting it internally at Microsoft, and how it has been received?
- Tell us about Saltzer and Schroeder, their 8 principles, and why a paper that was written in 1974 still makes a whole lot of freaking sense to the computer security industry.
- I was going to post this as a story, but I'd like to hear your thoughts on why breach disclosure is expensive, and will this discourage companies from reporting breaches, even at the expense of fines, etc,
- Easy Directory Traversal with Burp - I love this, Burp is such a powerful tool. Exploring its many features can yield some excellent results. This post covers how to configure Burp to test for directory traversal. May not sound like much, but couple this with some other vulnerabilities, and the data you can gather from this attack, and it quickly leads to shell. Typically the configuration files, which store the database credentials, can be viewed with this attack. Sprinkly in some LFI vulnerabilities, and perhaps you know where to upload your PHP shell. Nice.
- Some IDS comments - Looking at the request and the responses to attacks traveling over HTTP is the key. You see this in several attack tools, how do you know your attack worked? Well, if you get back a 200 response, chances are it worked. On the defender side, looking at the request and response can help identify attacks that were successful, cutting down the noise.
- Standing Desk 2.0 - I think I want to build one of these, I spend way too much time sitting on my ass.
- Infosec: Where’s our “Long Tail”? - Great article from Shack, where should you spend your time? Look at the solutions that are new, specific, or niche. They often are the most innovative and can add a lot of value, even though they are not in the majority, but in the long tail.
- The Toughest Question in Digital Security - It is only recently that U.S. officials have started talking openly about how data losses are driving up the cost of military programs and creating operational vulnerabilities So the question is, though this is bad, what is the impact? You have to learn that a breach has occured, what was taken, know what the attackers intentions are, know when attackers are going to act on the data they stole, then attack risk and cost to that. Good luck, no wonder most people say "who cares".
- Forcing Flash to Play in the Sandbox - The problem with the Sandbox is that there are already piles of crap in it, in that security researchers and bad guys will figure out a way around it.
- It all started with a Pillow Fight…. - I just want to say that classy ladies in a pillow fight for a good cause gets my vote every time. Its good clean fun for a good cause. And lets face it, no one wants to see male security nerds in a pillow fight.
- I’m Sorry I Called Your Baby Ugly … But It Is - Unlike an ugly baby whose appearance is usually beyond the control of its parents, security UIs can be made better. Preach on brother. Across the board I believe there needs to be improvement in the user interfaces of security products. I understand that we are all nerds and we can make do, but that doesn't mean we don't appreciate, and benefit from, a nicely done UI.
- Red Hat Network Satellite Server spacewalk-backend Remote and Local Password Disclosure - Bad, bad, and more bad. Satellite servers control the patches to all your Red Hat systems. If I own your Satellite server, I own all your Red Hat systems. So get patching!
- Trustwave admits issuing man-in-the-middle digital certificate - Whoops, another SSL CA blunder: Digital Certificate Authority (CA) Trustwave revealed that it has issued a digital certificate that enabled an unnamed private company to spy on SSL-protected connections within its corporate network, an action that prompted the Mozilla community to debate whether the CA's root certificate should be removed from Firefox. This is a tricky "issue": Trustwave defended itself by saying that the issuing of subordinate roots to private companies, so they can inspect the SSL-encrypted traffic that passes through their networks, is a common practice in the industry.
- Top 10 pirated movies in the world (infographic) - Some geek movies on the list, like Star Trek and Tranformers, no true hacker movies. Is that because we just buy those movies or pirate them with more stealth?
- How Many Monitors Is Too Many? - So you can justify 4 30" monitors to your manager at work: Using more monitors cuts down on toggling time among windows on a single screen, uh, as you'd expect. Anderson has calculated that it can save about 10 seconds for every five minutes of work if you have a dual-monitor set-up. Over the course of an eight hour day, that's a saving of, oooh, 15 minutes.
- Caffeine fix? Now you can literally inhale it. - NICE! Now, I love my coffee, but being able to get an extra hit of caffiene during the day or night just rocks. Sign me up! Oh yea, there may be health risks, so of course the Government wants to ban this. I won't get all political...
- Backing Convergence - [Larry] - Moxie is asking browser devs to back Convergence, an open source too to provide a notary for SSL certs. This is a really neat concept, but browser devs are concerned that it will not scale and it is too experimental. I say that they should include it, as a toggle on/off option.
- Remotely Wipeable USB Thumbdrive - [Larry] - Lost your drive with sensitive data on it? No problem. This drive connects to cell networks and can be disabled or wiped remoteley. Now, I think this is really cool, but I think there are a few small issues: 1. it is freaking huge. 2. It will only work when powered up/plugged in, so not instantaneous. 3. it requires a separate monthy service, and what happens when an attacker removes the simcard? does it fail closed? 5. how resistant to attack is the protocol? can we DoS or exploit?
- FotoForensics - [Larry] - While I don't pretend to understand the math here this stuff really fascinates me. Upload a photo jpg or png (or reference a URL) and it will perform realtime Error Level Analysis (ELA), indicating likely places where modifications have been made. I tested it with some pictures of…um, yeah, folks who are often airbrushed, and surprisingly this person was not.
- Trustwave bad certs -[Larry] - Oh oh. So, why is TrustWave getting such a bad rap on this one for admitting what they think is a mistake? (No, seriously, what am I missing?). They did appropriate audits, and secured the secondary CA chain appropriately. The issue is that the SSL cert allow for sniffing SSL traffic, common on many products for data exfiltration, etc on corporate networks. It has even been claimed that MANY CAs do this for their customers. Ok, I get it that it will be for ANY site on the internet….
- Satellite Phone Encryption cracked - [Larry] - With $2000 in gear German researchers were able to extract the encryption keys from firmware and were able to re-implement them to decrypt transmissions. They extracted the keys from two separate phones that utilize two separate encryption methods, GMR-1 and GMR-2. Oh, did I mention that it only took 30 minutes to accomplish the task? It does not appear to be an issue for military uses of sat phones, as they often use additional encryption on top of the base handsets.