Drunken Security News – Episode 344

Have you heard of those scam phone calls from "Windows" where the person on the other end of the phone claims to know there's a problem with your computer ("Is it running more slowly lately?") and they even have you test it out by running some commands and referring to common files as viruses. Then they're so friendly that if you simply go to their web site and download a couple files, they'll clean it all up for you. Maybe one of the worst people they could possibly call would be the head guy at Black Hills Information Security, John Strand. Yep, and John was only too happy to give them just enough rope to hang themselves. Listen along for how John was also able to irritate the scammers. Then we tried to get going on the stories of the week and were off to a great start but very quickly got derailed with a story from Australia. Apparently the Australian government is looking to put a filter on the internet in their country that would completely block all perceived porn sites. If someone wants to be able to access porn web sites from inside Australia, they'd need to "opt out" of the filter by simply contacting the government. What could possibly go wrong with this idea? I'm certain that there wouldn't be any privacy issues whatsoever. Additionally, wasn't the internet basically invented for the purpose of porn consumption? Ok, back to the rest of the stories discussed. Remember a few weeks ago when we talked about a scumbag who intruded upon a family through their baby monitor and was able to shout at the baby and parents through the monitor. Well, the Federal Trade Commission (FTC) has slapped down a manufacturer of different brand of baby monitor and said they may no longer market their product as being "secure" until they fix these flaws. The flaws being that they say the feeds are private while anyone can view them on the internet at least in part because the authentication from the internet is clear-text and needs to be encrypted. Here we are already seeing where it seems like a great idea for manufacturers to internetify their product but don't completely understand all aspects of that or at least don't understand basic security needs. I don't know which is the chicken and which is the egg yet, but with the promise of IPv6, we're going to eventually see just about everything we own trying to have some sort of presence on the internet and these basic security precautions will need to be met. Allison alerted us to the fact that Burp Suite got an upgrade this week. I'm constantly amazed at how much Burp can do especially when you consider the $300 price. Sure, there's also ZAP available from OWASP for even cheaper (free) but I think Burp is one of those tools that just about everyone uses because of its awesomeness. If I had to pick out just one of the new features, I'd mention the "Plug 'n Hack". According to Portswigger: "This enables faster configuration of the browser to work with Burp, by automatically configuring the browser to use Burp as its proxy, and installing Burp's CA certificate in the browser." We also found out more details this week about another trojan called FinFisher by Gamma. The existence of FinFisher had been previously revealed but in a presentation by Mikko Hypponen, he talked about some of the things that the tool can do, including cracking WPA1 and WPA2, decrypting common email sites and even copying over a whole drive encrypted with TrueCrypt via a USB stick. Reportedly, the tool had only been available to governments in order to conduct their own national intelligence, but by now there's no way of knowing whether this has slipped out into the wild and in the hands of just anyone. At Black Hat this year, Mike Shema from Qualys talked about a new way to possibly prevent CSRF. As we've seen in the past, the only way to reliably prevent the attack is to place a token in the action and have the server validate that token. This requires that the developer of the application understand CSRF and understand an API for creating the token, and to also implement it properly. If you're in the training or penetration testing business, this sounds like a great thing for job security. However there are millions of developers worldwide and training all of them may take a while. Heck, look at how prevalent much simpler attacks like SQL injection and Cross Site Scripting are. Do we really think that we'll be able to "train away" CSRF? This is where Shema has the idea of "Session Origin Security" and put the token in the browser. Now instead of training millions of developers, we simply get about five browser developers to jump on board. But the gang was a little skeptical about other plugins to work around this as well as breaking valid sessions and backward compatibility. We also wondered whether it may make more sense to allow the browser to choose whether it wants the CSRF protection and turn it on by default and let the user turn it off if there's a good reason to. These all seem to be questions that Shema and his team are looking into. Jack told us about a post from Gunnar Peterson and the "Five Guys Burgers Method of Security". I don't think it means where it's so good for the first ten minutes and then you feel like crap about it for the next few hours. It's the idea that when you go to a Five Guys (and if you haven't yet, you should) they have two things, burgers and fries. They do these two things exceptionally well. They haven't morphed into also being a chicken place, and a fish place and a milkshake place and a coffee place and then letting the overall quality slip. They are focused on doing their two things and doing them extremely well. And I wondered if this is where so many in the security industry get frustrated and eventually burned out. As John brought up, the frustration often comes when there is so much compliance and documentation required, which yeah, I can see that as well. Who likes checking boxes and meeting with guys in ties to explain how you meet the PII, PCI, SOX and whatever other acronyms? I also wonder if there's also frustration in that we're hired to be "the security person" and we have areas that we're good at and enjoy. Whether that's network security, mobile security, web security or whichever. But due to budgets and many other reasons, we are expected to be experts in all areas, much unlike Five Guys. The Five Guys philosophy is if you want a great chicken sandwich, go to a chicken place. If you want a great milkshake, go to a milkshake joint. However in our jobs, we are the burgers and fries and chicken and fish and milkshakes and we're expected to be perfect at all of them. Anyway, it's an interesting take. Do you have a Web site? No? Ok, then you're probably safe. Robert "Rsnake" Hansen put together an infographic about all the different things that you need to worry about today when securing your web site. It started out as a joke but then got a bit too close to reality and finally just got head-shakingly scary. Finally, if you haven't already, check to see if your web site is "locked." Simply do a whois on your site and see if you have at a minimum a status of "ClientTransferProhibited." Some have said the recent NY Times hack was able to happen because the domain was not locked and the Syrian Electronic Army (SEA) was able to get the DNS credentials from someone and then change the DNS records to their own server. But if your DNS is locked, it'll take a bit more work to make the updates. Your registrar will go through additional validation steps before the DNS records are updated. This is likely enough that if someone is looking to hijack web sites, they'll realize yours isn't worth the both and move on to an easier target. With Congress possibly authorizing an attack on Syria and with the twelfth anniversary of the September 11, 2001 attacks upcoming, it would not be surprising to see another round of attacks on web infrastructure. So take this very easy step and protect your site. That's all for this week. As always, we'd love your feedback on the show and on these blog posts. If you have thoughts, ideas, suggestions or yes, even criticism please feel free to tweet it at either me (@plaverty9) or at Paul (@securityweekly). We do have blog comments turned off on the site intentionally. You can catch Security Weekly every Thursday night at 6 pm Eastern (US) time and coming up on episode 345, Rich Mogull from Securosis and Pete Finigan with a technical segment for us!