Register for PaulDotCom training at Blackhat USA: Defensive Countermeasures: Foundations for Becoming a Devious Defender & Offensive Countermeasures: The Art Of Active Defense July 27-28 & 29-30.
- Tenable Network Security - This episode sponsored by Tenable Network Security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the world's best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the world's best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
PaulDotCom Security Weekly - Episode 187 - For Thursday February 18th, 2010
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, starting March 28th. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.
- Community SANS AUDIT 507 Auditing Networks, Perimeters, and Systems - SANS is pleased to announce Community SANS Atlanta, starting March 15th. Mick will teach Auditing 507: Auditing Networks, Perimeters, and Systems.
- SOURCE Boston - Paul will be speaking at SOURCE Boston on April 22nd, giving his new talk titled "Embedded System Hacking and My Plot to Take Over The World".
- QuahogCon - This will be the next conference that we will be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come and enjoy what's sure to be a great Con! [PaulDotCom] - Uhm, should mention that Larry is giving not one, but TWO talks!
- Also, please join our Mailing List, Forum, and sign up for the PaulDotCom Insider! New webcasts coming soon!
Guest Interview: Justin Morehouse and Tony Flick
Justin Morehouse leads the assessment team at one of the nation's largest retailers, founded the OWASP Tampa chapter, and is an adjunct professor at DeVry University. Tony Flick is a Principal with Tampa based FYRM Associates. Justin and Tony are co-authoring "Securing the Smart Grid," which will hit shelves in Q2 of 2010.
Link to presentation
- How did you get your start in Information Security
- Tell us why you are writing your book. Who is the intended audience?
Tech Segment: Automating log history collection on windows
I recently had the opportunity to go up against an interesting challenge. I was asked if it was possible to tell when someone logged on and off of a Windows workstation (XP, BTW). Of course I said yes, it is possible if the appropriate logging is enabled. The correct logging was enabled.
What I was then asked was if this was possible for 95 users…and we don't know what workstations…for the last 365 days…and we don't have centralized logging for workstations.
Ok, so 95 users, no problem. Turns out finding the workstations wasn't that difficult, as the environment already had some tools for finding out which workstations users had logged into via some SCCM trickery (who was logged in at software inventory, as well as which user profiles were on the machine). Great, now we have a list of workstations to grab Security logs from.
Now, we could not go back 365 days. Yes, there was a very good reason; the workstations were properly configured to only retain the last 90 days worth of logs in accordance with written, documented and approved corporate policy. So, 90 days it is.
Ok, so how do we get the logs off the machines? With 105 machines to look at, using the event log viewer manually wasn't an option. I needed something automated. I asked on Twitter and heard all sorts of solutions, from Tripwire to Hyena. Some of the solutions would only grab going forward, but I needed history. Some were too confusing and overkill.
What I settled on was the command line tool from Microsoft/Mark Russinovich, psloglist.exe, part of the PsTools suite. It is able to grab from historical Windows event logs with a little bit of knowledge. Here's how I used it:
psloglist @machines.txt -d 90 -i 538,540 -s -t "\t" Security > output.txt
Here's what the command line switches do in this example:
- @machines.txt - A text file of machines to grab logs from, one per line
- -d 90 - Only grab logs from the last 90 days
- -i 538,540 - Only grab these specific event IDs related to logon/logoff
- -s - Put the output on a single line
- -t "\t" - Set the delimiter to TAB
- Security - Pull from the Security event log
- > output.txt - Send everything to a file
In this case I was authenticated to the domain with sufficient privileges, but one could also add the following switches to provide specific username and password:
- -u - Username
- -p - Password (yeah, in cleartext on the command line)
So, on occasion we were unable to connect to the ADMIN$ share to grab the logs, usually due to the machine being powered off. psloglist lets us know in the text file, as well as on the console, so we can just re-add those names to a file to run as round 2, or more as needed.
After that, it is a matter of pulling the wheat from the chaff. Unix text processing and Excel to the rescue. This part I'm still working on…
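One way to do the wheat-from-chaff step, as an added example that is not part of the original segment: it parses the tab-delimited output.txt, pairs each 540 with the following 538 for the same user on the same workstation, and sets aside any line that doesn't fit the record layout (such as psloglist's per-machine error lines) so it can feed the round-2 machine list. The psloglist field order and the sample lines below are assumptions constructed for the example, so check them against a real output file first.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of psloglist -s -t "\t" output; the field order
# (record, source, type, computer, time, event ID, user, description)
# is an assumption to verify against a real output.txt.
SAMPLE = "\n".join([
    "101\tSecurity\tSuccess Audit\tWS-01\t1/12/2010 8:03:11 AM\t540\tCORP\\jsmith\tSuccessful Network Logon",
    "102\tSecurity\tSuccess Audit\tWS-01\t1/12/2010 5:41:30 PM\t538\tCORP\\jsmith\tUser Logoff",
    "104\tSecurity\tSuccess Audit\tWS-02\t1/13/2010 9:02:45 AM\t538\tCORP\\alee\tUser Logoff",
    "103\tSecurity\tSuccess Audit\tWS-02\t1/13/2010 9:15:00 AM\t540\tCORP\\alee\tSuccessful Network Logon",
    "WS-03: could not connect (constructed stand-in for a psloglist error line)",
])
LOGON, LOGOFF = "540", "538"   # the event IDs the -i switch selected

def parse_psloglist(text):
    """Return (events, unparsed). Lines that don't fit the layout, such as
    per-machine errors for powered-off hosts, go to unparsed for round 2."""
    events, unparsed = [], []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) < 8 or f[5] not in (LOGON, LOGOFF):
            unparsed.append(line)
            continue
        events.append({"computer": f[3], "id": f[5], "user": f[6],
                       "time": datetime.strptime(f[4], "%m/%d/%Y %I:%M:%S %p")})
    return events, unparsed

def build_sessions(events):
    """Pair each 540 with the next 538 for the same user on the same host.
    (None, logoff) = the logon fell outside the 90-day window; (logon, None) =
    no logoff seen (still logged on, or the machine went away)."""
    sessions, open_logon = defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["computer"])
        if ev["id"] == LOGON:
            if key in open_logon:               # back-to-back logons, no logoff
                sessions[key].append((open_logon.pop(key), None))
            open_logon[key] = ev["time"]
        elif key in open_logon:
            sessions[key].append((open_logon.pop(key), ev["time"]))
        else:
            sessions[key].append((None, ev["time"]))
    for key, start in open_logon.items():
        sessions[key].append((start, None))
    return dict(sessions)
```

Each (user, workstation) entry is a list of (logon, logoff) tuples that drops straight into a tab-separated file for Excel, and the unparsed list is the set of machines to retry.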
I'm interested in hearing the details on some other solutions.
Tech Segment: Multi-FAIL. A discussion on Geolocation, TOS and spell checkers
Stories For Discussion
- Alleged Logic Bomb? Or Vanilla Malware? - [mmiller] - You don't hear about logic bombs every day. You read about this type of attack, but you don't see it all that often. Due to not having all of the facts, this could turn out to be malware. The interesting bits from this story are what they didn't do right, which everyone can learn from.
- No, please don't! - [Larry] - OK, you tell me, stupid or not? Scrape the public Twitter feed, note when folks check in to stuff like FourSquare and post it publicly, and note that this might be a good time to rob their house. These are some of the things that I've been casually mentioning through some of the metadata research. Others are claiming that this is a stunt and is irresponsible. What do you think? Who is the irresponsible party? Me, I think you just need to be mindful of what you put on the internet, social media or otherwise.
- The BUZZ knows when to rob you too. - [Larry] Well, at least they know where you live. And so does everyone that "follows" you.
- Look, no more blue screens - [Larry] - Ok, an MS patch causes blue screens, allegedly due to previous infection by a rootkit. MS pulls the patch. Rootkit authors update the tool so it doesn't cause blue screens any more. Thanks!
- All in one SIM - [Larry] - Oooh, the possibilities. We purchased used SIM cards off of eBay for contacts, call history and SMS messages; now we'll be able to get all of those plus your onboard storage and OS too.
- Please Rob Me Site - [PaulDotCom] - This site is pretty scary. Using Twitter and Foursquare, it lists people who have tweeted that they left their house and geo-locates them using Foursquare. Location services are bad: disable the GPS on your phone and only enable it when you want to. Don't tell the Internet when you will not be home.
- Core To Integrate With Metasploit - [PaulDotCom] - I think there are some awesome things to come from this, but I also think there are some negative implications. First, I think it's great that Core can now use Metasploit's exploits, as the open-source community may put bleeding edge or obscure stuff in there that Core may take their time with to produce a reliable exploit, or never develop because there is too little demand. Also, Core has said, "For the expert, who is using Metasploit by hand to test systems, we'll provide a way for a system with Meterpreter loaded on it through a Metasploit compromise to then have an IMPACT Pro agent loaded on it." While this is neat and I think I would use it, I'd like to see it go the other way too. Why can't they make a Core module to deploy a Meterpreter script? Hopefully that will be in the next revision. I'm in favor of Core implementing more of Metasploit's features, and well, if they have to integrate it to get it, then so be it, but I'd rather see them natively implemented in IMPACT rather than via an integrated 3rd party tool.
- Cisco ASA Authentication Bypass - [PaulDotCom] - So as Dave Aitel alluded to, whoever had this as an 0day must have had a field day with it. Cisco's ASA platform is very popular, and this vulnerability gives you access to the Firewall/VPN concentrator, which is usually exposed to the Internet. It goes like this: "Users can bypass authentication by providing an invalid, crafted username during an authentication request. Any services that use a AAA server group that is configured to use the NTLMv1 authentication protocol is affected." Oh so hot, this means TELNET, SSH, HTTPS, VPN users, etc... Cisco gave it a 7.1 CVSS Base score and said that there was no impact to integrity and availability. So wait, if I log in to your firewall I can't change rules or wipe the config? What I also found interesting is that "This vulnerability was discovered during internal testing." This means we will never get the details on exploitation (and I've even gotten some docs from the support portal, and there is info hidden that is only available to Cisco employees).
- Huawei HG510 Security Fail - [PaulDotCom] - If I understand this one correctly, if you get a user to click a link while on the LAN side of their router you can hit the WAN side without authentication. So, I'm browsing a web page, it loads a script which makes me "click" a link. The link leads to my public IP address and accesses the web interface of my router, where all the CGI scripts can be accessed if the user is logged in. However, rebootinfo.cgi does not require authentication.
- Top 25 Most Dangerous Programming Errors - [PaulDotCom] - I'd like to debate this comment from @planetlevel: "Blaming software developers for insecurity is the most divisive and counterproductive thing we could possibly do". Really? That's like saying we can't blame motor vehicle operators for car crashes. Sure, sometimes it's a manufacturing defect, but most of the time it's because you made a mistake.
- 5 Reasons Your Security Program Is A Failure - [PaulDotCom] - Shack attack! Shack sums it up as 1) Politics - And this one can byte you. The worst thing you can do is not play the game. You need to have backing and support from everyone in the organization; if it looks like a grass-roots movement, it won't go very far. 2) Lack of monitoring - For sure, getting a handle on all of your logs and doing something useful with the data, then presenting stats to management, is challenging. 3) Lack of tech skills - You can't pretend, you gotta know what's up. 4) Cutting edge - Get back to basics, don't worry about DLP, APT, OPP, or whatever. Get security done and keep it simple. 5) Compliance - We talked about this last week; it's a good start.