Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 293 for Thursday June 21st, 2012
- Register today for Offensive Countermeasures: Defensive Tactics That Actually Work at SANSFIRE July 7, 2012 - July 8, 2012 with the Jimi Hendrix of South Dakota - John Strand!
- Episode 300 of PaulDotCom Security Weekly will be recorded and streamed live on Friday August 31st in support of a cure for Breast Cancer. We will broadcast live from 10am until 6pm Eastern time and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!
Interview: Jonathan Cran
Jonathan Cran is the CTO of Pwnie Express. Previously, he built and ran the quality assurance program for Metasploit, where he focused on automated testing, bug smashing and release engineering. He blogs at Pentestify.com.
- What were some of the greatest challenges working at a university and how did you overcome them?
- What prompted you to create OMGEasyMon - Simple host / service monitoring tool?
- Developer of the EAR Project - What is the EAR project? How is Rails 3 for a development platform?
- Started the db_funner - a db-centric interface to metasploit. - What are some of the advantages and challenges of putting Metasploit data into a database?
- Developer of Metabot, an easy-to-use framework for IRC bots that give you control over common security apps (metasploit, nexpose, etc). - Is IRC an effective command and control still today?
- How does one go about creating a reliable cross-platform exploit?
- How big is the problem of exploits being created for popular software and not sharing, just using them for profit?
- Can we sit here today and say that Microsoft has some of the most advanced anti-exploitation techniques? What have they done right? What else are they doing with Windows 8?
- What types of technologies are you looking to build into the Pwnie Express?
Tech Segment: Fiddler2 with John Strand
Please take a look at the video tech segment here.
There is an issue that penetration testers are going to face more and more in the coming years: how do you intercept HTTP or HTTPS traffic from an application other than a browser? We have seen this on a number of penetration tests in the past few months and thought we should talk a bit about one of our favorite tools for the task, Fiddler.
Fiddler is pretty straightforward. Fire it up and it will start intercepting the traffic leaving your Windows system from any application that uses the Windows HTTP libraries.
With a few small configuration changes, it can intercept HTTPS as well.
The ability to intercept HTTPS traffic is significant because many standalone applications use HTTPS to communicate with other servers. By importing Fiddler2's certificate into your system's certificate store, you should be able to intercept and manipulate that traffic fairly easily.
We have seen the need for this capability on a number of tests where we were testing stand-alone applications that handle medical and financial information. With this ability you can intercept, record and even manipulate traffic as it passes through Fiddler.
As a final note, it does not work for all applications. If an application uses libraries other than the ones provided by Windows, you will need to use other methods. But that is a topic for another tech segment.
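The two outcomes the segment describes, a client that trusts whatever is in the system store versus one that does its own checking, can be seen from a non-browser client of your own. The following is an added example and is not code from the show or from the Fiddler project. It assumes the proxy listens on 127.0.0.1:8888, that the interception root's issuer name contains "FiddlerRoot", and that TARGET_HOST is a placeholder for the host your own application talks to; the sample certificate dictionaries and DER bytes are constructed so the classification logic runs offline. Python's default SSL context loads the operating system trust store (on Windows, the ROOT store), so a root you import there is accepted by this client exactly as it is by applications using the Windows HTTP libraries, while the pin check shows why an application that ships its own fingerprint refuses the intercepted chain.

```python
"""Route a non-browser HTTPS client through a local intercepting proxy and
inspect the certificate chain it was handed.

Added example for the Fiddler segment; not code from the show or the
Fiddler project. Assumptions: proxy on 127.0.0.1:8888, interception root
issuer CN containing "FiddlerRoot", TARGET_HOST is a placeholder."""
import hashlib
import http.client
import ssl

PROXY_HOST, PROXY_PORT = "127.0.0.1", 8888      # assumed proxy listener
INTERCEPT_MARKERS = ("FiddlerRoot",)            # assumed issuer-name marker
TARGET_HOST = "app.example"                     # placeholder, not a real host


def issuer_common_name(peercert: dict) -> str:
    """Pull the issuer CN out of the dict ssl.SSLSocket.getpeercert() returns.
    The 'issuer' entry is a tuple of RDNs, each a tuple of (attribute, value)."""
    for rdn in peercert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return ""


def looks_intercepted(peercert: dict, markers=INTERCEPT_MARKERS) -> bool:
    """True when the chain was signed by a known interception root."""
    cn = issuer_common_name(peercert).lower()
    return any(marker.lower() in cn for marker in markers)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints) -> bool:
    """The check a pinning application performs on top of system trust:
    the leaf must match a fingerprint shipped with the application."""
    return cert_fingerprint(der_cert) in set(pinned_fingerprints)


def fetch_via_proxy(host: str, path: str = "/", pinned_fingerprints=()) -> dict:
    """CONNECT through the proxy, complete the TLS handshake, then GET path.
    create_default_context() trusts the system store, so an imported root
    is honoured here just as by Windows HTTP library clients."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(PROXY_HOST, PROXY_PORT, context=ctx, timeout=10)
    conn.set_tunnel(host, 443)
    conn.connect()                               # tunnel and handshake happen here
    peercert = conn.sock.getpeercert()
    der = conn.sock.getpeercert(binary_form=True)
    result = {
        "issuer": issuer_common_name(peercert),
        "intercepted": looks_intercepted(peercert),
        "pin_ok": pin_matches(der, pinned_fingerprints) if pinned_fingerprints else None,
        "status": None,
    }
    if result["pin_ok"] is False:                # a pinning application stops here
        conn.close()
        return result
    conn.request("GET", path, headers={"Host": host})
    result["status"] = conn.getresponse().status
    conn.close()
    return result


# Constructed sample data so the classification logic runs offline.
SAMPLE_INTERCEPTED = {"issuer": ((("commonName", "DO_NOT_TRUST_FiddlerRoot"),),)}
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Example CA Inc"),),
                            (("commonName", "Example Issuing CA"),))}
SAMPLE_DER = b"constructed-not-a-real-certificate"


def classify_samples() -> dict:
    """Run the offline checks over the constructed samples."""
    return {
        "intercepted_flagged": looks_intercepted(SAMPLE_INTERCEPTED),
        "direct_flagged": looks_intercepted(SAMPLE_DIRECT),
        "pin_with_right_fp": pin_matches(SAMPLE_DER, [cert_fingerprint(SAMPLE_DER)]),
        "pin_with_wrong_fp": pin_matches(SAMPLE_DER, [cert_fingerprint(b"other")]),
    }


if __name__ == "__main__":
    print(classify_samples())
    # With the proxy running and a real host in TARGET_HOST:
    # print(fetch_via_proxy(TARGET_HOST))
```

Running the offline part shows the two classifications; running `fetch_via_proxy` with the proxy up returns the issuer the client actually saw, which is a quick way to confirm whether a given application's library is going through the proxy at all before spending time on the "other methods" the segment mentions.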
- DerbyCon Call for Papers and Ticket Registration are available online. If you have not yet registered or submitted a talk, please do so now.
- Episode 294 will feature an interview with Marcus Sachs
- Listen to The Stogie Geeks Show, dedicated to the cigar enthusiast, complete with puking and tripping on rocks!
- Security BSides everywhere: Cleveland, Las Vegas, Los Angeles and more. http://www.securitybsides.com/ - We have 5 BSides tickets (only 3 left) to give away! Listen to the instructions at the end of Episode 282 for complete details, or submit a technical segment!
- Windows 8 Harder For Malware? - "Windows 8 will come with a radically redesigned user interface, dubbed Metro, which was designed in part to give Windows that same feel across smartphones, desktops, laptops and tablets." Okay, so I understand that Windows 8 will come with more memory management in support of buffer overflow protections. Microsoft has been the leader in this area, and it would be interesting to see how that impacts exploits. On the flip side, I don't want an interface that is remotely the same on my desktop as it is on my tablet or phone. Then again, I really didn't think anyone would need or want an iPad, not many households have two. Go figure.
- Do You Scan with Network Security Controls Enabled or Disabled? - I've been adjusting my strategy on this one. First, this is going to depend on the type of testing you are performing and the goals and requirements of the assessment. Having said that, I like to test with all the "shields" up, at first. This tests to see just how far I can get without tripping an alarm or getting blocked. Again, depends on the goals of the test, sometimes you have to do this without client-side testing in scope. Sometimes, in the name of time and your customer's money, you have to take some shortcuts and run a noisy little scan. I think it's more important not to get blocked, because who checks their logs all the time anyhow? Then, have them whitelist your IP addresses and run some more tests and find vulnerabilities. Then, have them turn it back on, and see if you can evade defenses.
- Who Doesn't Love Nerd Girls? | Digg Technology - I love nerdy girls, I mean, what nerd doesn't right? This has nothing to do with security, but I figured our audience will appreciate it :)
- Virtual analysis misses a third of malware - Makes me wonder, if malware detects virtual systems and becomes benign, isn't it safer to run a VM? Okay, not entirely true, but malware is getting smarter and analyzing it on virtual hardware is not going to allow you to analyze all of it. With machines being so cheap now, you could conceivably have real systems set up to handle this, I mean how beefy of a machine do you need to infect and analyze?
- LinkedIn hit with $5M lawsuit over lost passwords - I mean really, we're going to sue LinkedIn? Come on now, this is just a waste of everyone's time and money. Do we really want to go around suing people because there was a breach? Who is responsible? How much responsibility lies with the user and how much with the provider? So, if I get hacked, can I sue my ISP? If I don't wear my seatbelt, can I sue the car manufacturer?
- Falsehoods programmers believe about networks - I love this list! I believe there needs to be a knowledge transfer, programmers need to know more about network security, and network engineers need to know more about software security. This would make the world a better place, rainbows, unicorns, free beer, etc...
- Do Passwords Matter? - I spent some time thinking about passwords and password hashes this week. One thing that really caught my attention was just how difficult it is to figure out if your application is implementing password hashes correctly. Does your CMS use a static salt? Not so easy to find out...
- 587.txt - Cool list of directory traversal strings, everyone has these types of lists, ones for SQLi, XSS, etc... We should all share! Also, nice list to script, encode them in different ways. I like working with my own data and tools, that way I know what is being sent, and what is not. Scary to rely on other people's tools and not know exactly what they are doing. So, I think we all strike a balance between our own tools, and reverse engineering others tools to see how they work, or don't.
- What Gets Measured - All of us need to pay attention to what gets measured. Even just keying off the title, read stuff and keep in mind what they are measuring and how they are measuring it. I mean, we do this too, "The firewall blocks 90% of attacks". Well, if the only attacks you are measuring are port scans, then yea. This article focuses on turning out security talent, which I believe is important to the future of defending the nation. However, I just hope we are using the talent appropriately, as the digital attacks and defense are so different from the physical world. Sure, we can draw similarities, and those work well for an article or blog post, but not so much in reality.
- Top Four Mistakes Organizations Make When Breached - Funny, my list was 1. Panic 2. Panic 3. Panic 4. Hide the fact that we panicked.
- LastPass 2.0 Released but Beware Default PBKDF2 Setting - Been reading a lot about PBKDF2, partly from our interview with Thomas Ptacek, and as part of the LinkedIn thing. At a VERY high level, it hashes your password more than once. The default setting in LastPass is 1. You want to make it a higher number, like 500. Goes to show you that, given the right tools, people will still use them wrong.
- New Critical Microsoft IE Zero-Day Exploits in Metasploit - Yawn, 0day, IE, blah blah. Sorry, I just find it hard to be excited about this, though it's likely a huge issue.
- Joomla 2.5.5 security updates arrives with added features - Seems there is always room for improvement with Joomla security. I'd like to see a better process for securing add-ons, and this goes for WordPress, Firefox and everything that lets users add code. BTW, if you let users add their own PHP code, it spells trouble.
- https://www.thepaypalblog.com/2012/06/paypal-bug-bounty-program/ - Paypal now running a bug bounty program
- http://www.reuters.com/article/2012/06/13/us-media-tech-summit-symantec-idUSBRE85B1E220120613?goback=%2Egde_1836487_member_124273306 - We've got a lack of talented workers in security
- http://blogs.avg.com/news-threats/chatted-hacker-virus/ - Have you ever chatted with a hacker within a virus?
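Two of the items above, the "Do Passwords Matter?" question about static salts and the LastPass PBKDF2 iteration setting, come down to the same few lines of code. The following is an added example, not code from the show, from LastPass or from any CMS; the password, the guess list, and the iteration counts 1, 500 and 100000 are constructed sample values (500 is the figure the notes suggest, 100000 is only there to show how the cost scales). It derives keys with the standard library's PBKDF2-HMAC, times a small offline guessing run at each iteration count, and shows what a static salt does to a store holding reused passwords.

```python
"""PBKDF2 iteration count and per-user salts, as a runnable illustration.

Added example for the "Do Passwords Matter?" and LastPass items; not code
from the show, LastPass or a CMS. All sample values are constructed."""
import hashlib
import hmac
import os
import time

DKLEN = 32  # derived key length in bytes


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. `iterations` is how many times HMAC is chained
    per output block; raising it raises the cost of every guess equally."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DKLEN)


def make_record(password: str, iterations: int, salt: bytes = None) -> dict:
    """Store salt and iteration count next to the hash. A fresh random salt
    per record is the opposite of the static salt the notes ask about."""
    if salt is None:
        salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": derive(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def guessing_cost(record: dict, candidates) -> tuple:
    """Offline guessing against one record: returns (matched_guess, seconds)."""
    start = time.perf_counter()
    for guess in candidates:
        if verify(guess, record):
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start


SAMPLE_PASSWORD = "correct horse"                                    # constructed
SAMPLE_GUESSES = ["123456", "password", "letmein", "correct horse"]  # constructed wordlist


def compare_iteration_counts(counts=(1, 500, 100_000)) -> dict:
    """Same password, same guess list, different iteration counts."""
    out = {}
    for n in counts:
        record = make_record(SAMPLE_PASSWORD, n)
        matched, seconds = guessing_cost(record, SAMPLE_GUESSES)
        out[n] = {"matched": matched, "seconds": seconds}
    return out


def distinct_hashes(passwords, salt: bytes = None, iterations: int = 500) -> int:
    """How many distinct hashes a list of passwords yields. With a static
    salt, users sharing a password share a hash, so one crack unlocks all;
    with a fresh salt per user (salt=None) every record is distinct."""
    hashes = set()
    for p in passwords:
        record = make_record(p, iterations, salt)
        hashes.add(record["hash"])
    return len(hashes)


if __name__ == "__main__":
    for n, r in compare_iteration_counts().items():
        print(f"iterations={n:>6}: guessed {r['matched']!r} in {r['seconds']:.3f}s")
    print("static salt, 3 users with one password:", distinct_hashes(["pw"] * 3, b"fixed"), "hash")
    print("per-user salt, 3 users with one password:", distinct_hashes(["pw"] * 3), "hashes")
```

The printed timings make the LastPass point concrete: the guessing loop finds the same password every time, but each increase in the iteration count multiplies the attacker's cost per guess by the same factor it multiplies your login cost, which is why 1 is the wrong setting and why the parameters have to be stored alongside the hash so they can be raised later.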