Risky Business #242 -- Massive recon with HD Moore

PLUS Marcus Ranum talks password hashing, general auth approaches...
June 15, 2012

On this week's show we chat with Rapid7's HD Moore about massive recon in both the IPv4 and IPv6 worlds. He's been busy banner-grabbing basically the entire Internet, and he's found some really, really weird stuff out there. There are some very interesting nuggets in that interview. Check it out.

This week's show is brought to you by Tenable Network Security, so in this week's sponsor interview we're chatting with Tenable's CSO Marcus Ranum about why the hell people are still using fast hashing algorithms for password storage. We also talk about a couple of novel approaches to authenticating high-value clients in the finance world.
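To make the "fast hash" point concrete, here is an added example (not code from the show, from Tenable or from Rapid7) contrasting a single salted SHA-256 pass with a salted, iterated PBKDF2-HMAC-SHA256 record. The storage format (`pbkdf2_sha256$iterations$salt$hash`), the salt size and the iteration count are assumptions chosen for illustration, not values discussed on the show; the point is that the iteration count is a tunable cost that is stored with the record, whereas a salt on its own only defeats precomputation and does nothing about per-guess speed.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for the example: 16-byte random salt and an iteration
# count that should be raised over time as hardware gets faster.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000


def fast_hash(password: str, salt: bytes) -> bytes:
    """The pattern the show criticises: one SHA-256 pass over salt + password.
    A GPU evaluates billions of these per second; the salt only stops
    precomputed tables, it does not slow down each guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: the cost is a tunable iteration count, so every
    guess costs the attacker roughly the same work it costs the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store algorithm, cost and salt next to the digest so the cost can be
    raised later without invalidating existing records.
    Record layout is our own assumption: pbkdf2_sha256$iters$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = slow_hash(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time so a
    timing side channel does not reveal how many leading bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type")
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn, salt: bytes, guesses: int) -> float:
    """Rough single-core guess rate, to show the cost gap on one machine.
    An attacker with a leaked table pays this per guess per user."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}", salt)
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)
    print(f"fast sha256: {guesses_per_second(fast_hash, salt, 20000):,.0f} guesses/s")
    print(f"pbkdf2 x{PBKDF2_ITERATIONS}: {guesses_per_second(slow_hash, salt, 20):,.0f} guesses/s")
    rec = make_record("correct horse battery staple")
    print(rec)
    print("verify good:", verify("correct horse battery staple", rec))
    print("verify bad: ", verify("Tr0ub4dor&3", rec))
```

Run it directly to see the guess-rate gap on your own CPU; the ratio is the whole argument. The same structure applies to bcrypt or scrypt, which additionally add memory cost, but PBKDF2 is used here because it ships in the Python standard library.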

Normally we'd start off with the week's news segment with Adam Boileau, but he's off in Estonia at the moment, so filling in for him this week is his colleague at Insomnia Security, Mark "Pipes" Piper.

Comments

TJ

Another great episode - thanks Patrick!

So, with IPv4 being scanned in 4 days for basically $0, when is Risky.Biz going to be IPv6 reachable? :)

/TJ

pleriche

Hey Pat - Very interesting interview with High Datarate Moore. But could you get him to speak a bit quicker next time - my gigabit toobs just weren't getting the load they like. Anyway, I've just pushed him through Audacity and slowed him down by 25% for my low datarate ear toobs, and will try and catch a bit more of it on the train tomorrow.

JC

Yep, I found myself rewinding it over and over. Interesting episode!

Thomas

Nice one again, many thanks for the effort.

I wanted to add some comments on your discussion with Marcus and his suggestion to use public keys instead of passwords:
There is a similar feature already out there, and it is called "client-side SSL certificates". It is a good idea - but the same as with public keys, "all your eggs are in one basket".
You can certainly have different certs for different sites, but in the end it is still the same: you are just shifting the problem with passwords to the client. I agree you are better off, as all the passwords are no longer on the website, but we all know how well RSH worked a couple of years ago (even though I am not that old).

I think the only way is proper 2-way authentication. There are solutions out there, SecurID, YubiKey (have one of those!), SweKey, but why are they not properly supported on websites? I do not consider the mobile phone as proper 2-way auth, as I see mobile phones as too insecure nowadays.
The second factor needs to be a dumb device generating OTP tokens, that's it, or an encrypted USB key w/o fingerprint sensor.

mutex

This was a great podcast. Thanks for the effort.

Anonymoose

Nice ep Pat.

No discussion of bcrypt/scrypt/PBKDF2 rather than salting hashes?

Been wondering for a while if you would circle back to the Aussie Data Retention / Cybercrime bill / rubber-stamping of warrants?
Interesting to hear your previous discussions (inc. RuxCon) and then see some progression in the area since (numbers of warrants issued in 2010, UK bills that you lampooned, etc.).
Still feel the same way as before after a few more facts have come to light?
Thought about having Sen. Ludlam back to carry on the last discussion?
I noticed he did just release a Watchmen-themed blog post.
