- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 169 - For Friday September 25th, 2009
- Mark Baggest's class: http://www.sans.org/charleston09_cs2/description.php?tid=672 Charleston, SC - November 9 - 14, 2009
- September 30th at 2:00 PM EDT - Register for the WhiteHatWorld Late Breaking Computer Attack Vectors Webcast Sponsored by RSA.
- We're still looking for an intern for the podcast - local to the Rhode Island area, listens to the podcast, into linux, able to lift 30 lbs, and if possible, willing to perform post-production work on the podcast. If that description sounds like you, please send us a note via psw [at] pauldotcom [dot com]
- The Louisville Metro InfoSec Conference in lucky Louisville offers John Strand as Keynote and serves PaulDotCom Asadoorian as Breakout Speaker. If that were not enough, they will also have a Capture The Flag event and Irongeek! All the above for the very low price of $99 on October 8th.
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, running January 11 - 16. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University. Also coming up, 617 on Calgary sometime in March!
- Rochester Security Summit - Larry and Ed Skoudis to give Keynotes. What can get better than that? October 28 - 29 in Rochester NY!
- Hackfest Canada! - Mick will be speaking/ranting from the Great White North! November 7th, you'll want to be there! Quebec, Canada (This con is so cool it's happening in two languages!)
Interview: Tom Wilhelm discusses his book Professional Penetration Testing: Creating and Operating a Formal Hacking Lab
Tom Wilhelm conducts Risk Assessments for a Fortune 500 company, is an Adjunct Professor at Colorado Technical University, and contributes to several publications including Hakin9 magazine. Tom has spent 15 years in the Information System career field, was the founder of Heorot.net and developer of the De-ICE PenTest LiveCD project, and has received the following certifications: CISSP, SCSECA, SCNA, SCSA, IAM.
- How did you get started in information security?
- What was your role in the army?
- What is Heorot.net? Why did you start it?
- Tell us about the De-ICE PenTest LiveCD project, what is it and how should people use it?
- What is the difference between a whitehat, blackhat, and an "ethical" hacker?
- Why is your book different from other books on penetration testing?
- Do you need certifications to be a penetration tester? College education?
- What are some of the common mistakes people make from a project management perspecitve when conducting a penetration test?
- How do we best convince people that they need a penetration test? Further, how do we convince them they need depth in testing which includes client-side, web apps, social engineering, etc...?
- What advice do you have for someone who is just starting out in IT and wants to progress to be a penetration tester?
Tom's website: www.de-ice.net
Tom's Training Courses
Tech Segment: Tips for strong passwords & encryption
Randomly generate passwords - This is such an easy thing to do. There are so many different ways to do it! OS X for example has a built-in password generator. Keepass for Windows not only encrypts your passwords, but can generate random ones. There are thousands of examples of random password generators using Bash, here's the one that I use:
cat /dev/urandom|tr -cd "a-zA-Z0-9-_\$\?"|fold -w 9|head
Okay, so /dev/urandom is not all that random, but works in this application (even works way better than the Dan Kaminkly password generator!).
Encrypt Your Passwords - This is a great application for PGP. If you are using Linux or OS X, this can all be done from the command line. Generate some keys and start encrypting! If you hunt around on the web there are some tutorials on how to make scripts that will allow you to edit your password files, and automatically decrypt/encrypt them. Again, on Windows you can use Keepass or similar applications. This not only applies to your own passwords, but passwords in your organization, such as:
- Keys for IPSec/RADIUS/SNMP
- Root passwords to systems or Domain Admin accounts
- Passwords for backup accounts
- Web logins for internal applications
- Encryption keys for just about anything
Encrypt Over The Encryption - SSL sucks. I mean lets face it, its truly broken. So I don't trust it for my email or chat communications. I still use it, but add layers on top of it. Two great examples are PGP and OTR. I encrypt my emails with PGP (Thunderbird aith the enigmail plugin works like a champ). I also use OTR (Off The Record) to encrypt all of my IM chats. This uses a public/private key to encrypt chat between two people.
Stories For Discussion
- Get over it. - [Larry] - Ok, so you, Mr. Bank, e-mail a file with names, addresses, tax identification numbers and other details on 1,325 customers to some random Gmail address, and now you sue Google, because the recipient never e-mailed you back to see if they complied with your demands to destroy it? Wait, so how is this Google's fault? Where was your file encryption? E-mail encryption? Data exfiltration system? Besides, once you screwed up, take responsibility and assume the worse... [Mick] This might just get fail of the month in my book. You CANNOT sue your way to "security"
- a case of not knowing what you've got - [Larry] - Razer's site gets compromised, and gets mouse and keyboard drivers infected with an ASPROX variant. Users download/update and get infected for a few days. Why? Razer makes hardware tailored to the gaming market, who the article claims, often turn off their AV to get better game performance. Now, instead of a spam bot on those gamers machines, how about stealing game credentials. Bob, I'm disappointed in your apparent lack of reckon.
- Should "Patch Tuesday" updates include a free virus scan? - [Larry] - A quick opinion for Mr Adrian Kingsley-Hughes at ZDNet: NO! Discuss.
- bnap-qnap - [Larry] - So, adding sekret extra decryption keys is bad. Get it? I didn't think so.
- More C&C goodies - [Larry] - So, here's another protocol to inspect on your network for bonnet C&C Google groups, or usenet. alt.news.botnet.control anyone?
- Tracking a murder suspect via the intertubes - [Mick] - Interesting vid explaining how they found the alleged "Craig's List Killer". Warning -- the video starts slow, but it gets to some actual tech about halfway through.
- Practice What You Preach - [PaulDotCom] - This is great, so called security professionals not practicing what they preach. I think for many, this is a calculated risk decision and not sloppyness. We may not run anti-virus software, but we're careful users who harden our systems and monitor activity. We use multiple forms of encryption, etc... Now, I'm not making excuses, we need to lead by example!
- Making Sense Of The SANS Report - [PaulDotCom] - This is a good analysis of the SANS report and reminds us to question the validity of a study. Patrick and I used this for talking points last week and had a good discussion on risky business. I think being a pen tester its hard not to support the fact that web applications and client-side attacks are wildy successful, but we need a solid study to prove this. The problem with many reports is that they provide a very narrow view and don't support all of the statements contained in the report.
- Forcing Payloads Through Restrictive Firewalls - [PaulDotCom] - What an awesome post from HD! This is a great way to get a payload to communicate through the firewall. I'd like to see future versions use UDP, ICMP, or even other protocols (multicast would be so cool!) that could further penetrate through firewalls. From the defeners perspective, this is going to look like an outgoing portscan, so if you're paying attention to your firewall or netflow logs, you should pick up on this. You are paying attention to your logs and devoting at least 10 person hours a week, right?
- Metasploit "Unleashed" - [PaulDotCom] - I think this is a great effort for a great cause and seems to be very complete documentation for Metasploit.
Other Stories Of Interest
- FCC Chair gives speech that's 100% for net neutrality - [Mick] - This is a long read, but so very worth it. I've been waiting for someone who "gets" this issue, and it looks like the US FCC is off to a good start (in this guy's opinion) FTL:"Our work now is to preserve the brilliance of what they contributed to our country and the world. It’s to make sure that, in the 21st century, the garage, the basement, and the dorm room remain places where innovators can not only dream but bring their dreams to life. And no one should be neutral about that."
- Twitering Humador - [PaulDotCOm] - I So want to make one.