Episode72

From Paul's Security Weekly
Jump to: navigation, search

Episode Media

mp3

Tech Segment: Attacking Networked Embedded Devices

1) Enumerate all open UDP/TCP ports and services

2) Test each service for the low hanging fruit (default passwords, etc..)

3) Fuzz the available services

4) Explore the FTP and HTTP sites for information

5) Attempt to gain access to the print queue to grab documents

Tech Segment Reloaded: UNIStimpy

We traded some e-mails woth Eldon Sprickerhoff, and apparently I'd reviewed an older version of UNIStimpy! eSentire has updated the tool with some new features:

All require you to be inline for sniffing...so that the tool can find a valid UNIStim packet to determine UNIStim sequence numbers. Apparently guessing/bruteforcing them would not be that difficult! Once the sequence number (one packet) can be determined off the tool goes.

changeDisplay: We talked about this last week. Allows the changing of the display.

dial: Allows the injection of the phone to "dial" any other number...hmmm. with the inclusion of the --wait option, it will wait to issue the dial until the receiver is picked up. Imagine the issues here.

pickupPickup: To me this tool is a little mis-named (hangupPickup maybe?), sends either hangup or pickup (or combinations) to the PBX. Talk about a confused PBX, not to mention the dropped calls!

terminateConnection: Much like pickupPickup, this issues commnds to terminate calls, but sends to both local sets (say two users in the same office) the packets that the other end has hung up. Evil.

The eSentire guys continue to develop this, and would love to hear feedback, and hear how well/poorly it works. Even a quick not to say that they are using it would be good.

Stories for Discussion

Security Video? - [Larry] - We talked about user education last week, and how it can be an integral part of a good security program. This video, in my opinion, is NOT the way to do it...

Fly Clear Card security - [Nick] - I got a fly clear card, lets see how secure it is!

Safari is the best browser for surfing porn - [PaulDotCom] - No serioously, if you want to hide your tracks, Safari has a feature that will do this. Does this complicate forensics investigations? Where are ovie and brett when you need them? :)

Gain Admin access to Vista - [Larry] - ...without a password. Just use your install DVD, and go to the recovery console. It automatically gives you Administrator rights to the local Vista install without a password. While sure, it seems like a problem, you need to have physical access with a working/available, bootable DVD drive. This has been available with 2000, and XP with other tools...not new. Disable DVD boot and password protect BIOS.

This is Officially the Safari Episode - [PaulDotCom] - Land speed bug finding record set, tools used 1) Hamachi 2) Ollydbg (PS. Hamachi is really good sushi....)

JanusVM - [Larry] - Unrelated to the Janus Wireless project. An Ubuntu based VM that uses TOR, dns-proxy-tor, Squid and Privoxy to anonymous surfing. Just connect to the VM with a VPN client.....

More University Security Breaches - [PaulDotCom] - It seems every week another university gets hit! I proposed regular scanning of the web applications, vulnerability scanning of systems, a good end-user security program, and a well tuned IDS as my defense in-depth recipe!

MadWifi Driver DoS - [PaulDotCom] - MadWifi drivers have fixed some bugs lately, I think its a good thing, it means they are actively finding and fixing bugs. This is good!

Germans Encode Watermarks in Beer! - [PaulDotCom] - Leave it to the Germans, they use beer for everything, including encoding DNA in living organisms that are in beer. I wonder if that changes the taste?

Safari on Windows - [Larry] - Beta sowftware, 2-3 hours for bugs and exploits, oh my. Let's discuss - beta, not for production, Apple's claims of security, disclosure reporting.

Using Safari As an Example... - [PaulDotCom] - So, what does everyone think of this disclosure policy: "give vendors as long as they need to fix problems. If the vendor is unresponsive or make threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting. We do not sell the vulnerabilities to any 3rd party.

Love your auditor, but not like that - [Larry] - Internal Audits = good != Bad. Sure we all hate auditors, but think about it from a differnet perspective, have them help you improve your security process, and more buy in from executives. External auditors are good too!

Spamassassin Local DoS? - [PaulDotCom] - Is the ability to overwrite arbitrary files a DoS or a remote exploit? Fight!

Internet Safety - [Larry] - Internet safety month! Talk with your kids about internet safety, especially now that they are out of school and want to communicate with their friends. Don't forget the FiT internet safety flier (need link), and the SANS Internet safety course.

Other factors in security decisions - [Larry] - A great discussion on the process of managing security while taking all of the other concerns - usability, economic impact, perceived threats, etc.

Mantasano's Firewall Mixer - [Larry] - A tool to deal with firewall management challenges - policies, and configuration across sites, and even different models and manufacturers! Cool!

Managing wireless clients for secure networks - [Larry] - Let's discuss on how to prevent wireless clients from connecting to un-secure networks.

Other Stories of Interest