This year’s CSAW and Threads events really show why NYU is a strong community for Cyber Security. It was nothing but the best when it comes to the list of speakers. Some of the key players expanded on their previous talks earlier in the year from Defcon, while others provided some interesting new ways to look at old security problems. I especially enjoyed Hank Leininger’s password topology talk.
CSAW was also very impressive. I had the privilege of seeing this event from the judges’ perspective for the High School Forensics (HSF) competition. All I can say is that some of these contestants were simply impressive. Not only was their forensic work top notch, but their reporting and the quality of the work performed were amazing for individuals with no professional experience. The winners of this contest really do deserve the scholarships they are awarded, and I’m sure many of them will continue to be key players in the security scene for years to come. Congrats to all the teams, especially The Cams Nugget and Electric Sheep.
There has been a large amount of security information and recent attacks posted in the media. We have Mandiant’s report on China as well as several issues concerning Java. The pure volume of information over the past year has made it difficult to keep up without a combination of sources. As a result, InfoSecAlways has made a few modifications to the site. Please check out the new “Security Feeds” in the right column (4th block down). This is a combination of about 20 different security RSS feeds piping into the blog now. You can check the site daily to get the latest news and updates in the industry.
Also, check out the links page as there are several new Threat and Vulnerability links added. These are great if you are looking for specific attacks, breaches, or threats.
It’s about time! Foundstone Professional Services has been added to the Avert Labs research blog. So now the makers of all the free hacking tools are accessible online. Check it out; there are already some great posts.
The other day I performed an external penetration test and obtained access using a default password that had not been changed (which is common). Afterwards I began looking up statistics on passwords, and here is one of the links that was listed on a regular Google search.
Amazing that someone would, to this day, post such information on a public website. Nice to know if this were my next external penetration target. Wait, it gets better! Looking at the URL, it was obvious there had to be more, so instead of going to the /pwc directory I modified the URL to go back one level, which led me to these:
Thanks, Ken, for showing us all a perfect example of “What NOT to Do”! I especially enjoy the mention of the following:
Home directories /rc, /cg, /mailer
The mail server statistics that show me what appear to be system names and the number of entries in the /etc/passwd file.
The large directory listing with a plethora of information
The nice picture of your license
A password hash U:4001 A:2B314469 N:noyd P:MWlJQdaJvoxaE G:15 C:6
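The trick above (trim the URL back one directory at a time and see what the server volunteers) is worth turning into a routine check against your own web servers. The script below is an added example, not code from the original post; it builds every ancestor directory of a URL and flags any that answer with an Apache mod_autoindex-style “Index of /…” page. Fetching is abstracted behind a callable so the logic runs offline here against a constructed response map whose directory names echo the post; the host example.com and the sample HTML are invented.

```python
"""Added example: walk a URL up through its parent directories and flag any that
expose a directory listing. Responses here are constructed, not fetched."""
import re
from urllib.parse import urlsplit, urlunsplit

# Apache mod_autoindex titles its pages "Index of /path". Other servers (IIS,
# nginx) use different markup and would need their own signature.
LISTING_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I)
# Entry links inside the listing. The character class rejects the column-sort
# links Apache emits (href="?C=N;O=D"), which are not real entries.
ENTRY_RE = re.compile(r'href="([^"?#]+)"', re.I)


def parent_urls(url):
    """Return the directory containing `url`, then each ancestor up to the site root."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    # A path without a trailing slash ends in a file; drop it to get the directory.
    dirs = segments if parts.path.endswith("/") else segments[:-1]
    urls = []
    for depth in range(len(dirs), -1, -1):
        path = "/" + "/".join(dirs[:depth]) + ("/" if depth else "")
        urls.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return urls


def parse_listing(html):
    """If `html` is an autoindex page, return (listed path, entry names); else None."""
    m = LISTING_RE.search(html)
    if m is None:
        return None
    # "/" and "../" are the parent-directory links, not exposed content.
    entries = [e for e in ENTRY_RE.findall(html) if e not in ("/", "../")]
    return m.group(1).strip(), entries


def find_exposed_listings(url, fetch):
    """Check `url`'s directory and every ancestor; return {url: entries} for each listing.

    `fetch(url)` must return the response body as text, or None when the server
    refuses (403/404) or the request fails.
    """
    found = {}
    for candidate in parent_urls(url):
        body = fetch(candidate)
        if body is None:
            continue
        parsed = parse_listing(body)
        if parsed is not None:
            found[candidate] = parsed[1]
    return found


# Constructed stand-in for a web server: one content page, a directory that
# refuses listing (absent from the map, so fetch returns None), and a root
# that lists everything. Names mirror the post but the HTML is invented.
SAMPLE_RESPONSES = {
    "http://example.com/pwc/passwords.html": (
        "<html><head><title>Password Statistics</title></head><body></body></html>"
    ),
    "http://example.com/": (
        '<html><head><title>Index of /</title></head><body><h1>Index of /</h1>'
        '<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>'
        '<a href="pwc/">pwc/</a> <a href="rc/">rc/</a> <a href="cg/">cg/</a>'
        '<a href="mailer/">mailer/</a> <a href="license.jpg">license.jpg</a>'
        "</body></html>"
    ),
}


if __name__ == "__main__":
    start = "http://example.com/pwc/passwords.html"
    for listing_url, names in find_exposed_listings(start, SAMPLE_RESPONSES.get).items():
        print(listing_url, "->", ", ".join(names))
```

For a real engagement, replace `SAMPLE_RESPONSES.get` with a function that performs the HTTP GET and returns the body only on a 200 response; keep the check to hosts you are authorized to test. On the defensive side, the fix is the usual one: `Options -Indexes` (Apache) or the equivalent on your server, and nothing under the document root that you would not hand to a stranger.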
So why did I post this?
Two reasons. One, I have a blog. Two, because sometimes the best lesson you can learn is by seeing the mistakes of others. Of course I plan to send an email to Ken and show him this blog entry. If there is any follow-up to the story, I will post another message.
I could not help reading the Security 2.0 posts by Mark Curphey, and I especially liked the Business Activity Monitoring discussion. However, I see two major enemies that cause us pain every day and put organizations at great risk. In my mind, neither of these has been addressed properly.
Enemy #1: Many internal penetration tests obtain admin or root access by guessing passwords.
Enemy #2: What do I say? Unpatched systems are an initial point of entry for many attacks both internally and externally. Tools like Metasploit make it even easier.
Of course I’m not throwing out statistics, but I see the results firsthand weekly. One can only hope that the Security 2.0 solution addresses the problems with passwords and patches.