WEBVTT

1
00:00:00.120 --> 00:00:01.320
<v Speaker 1>Welcome to the deep dive.

2
00:00:01.520 --> 00:00:03.240
<v Speaker 2>Glad to be diving in today.

3
00:00:03.279 --> 00:00:07.599
<v Speaker 1>We're looking at network security, but maybe from a different angle.

4
00:00:07.719 --> 00:00:10.800
<v Speaker 2>Yeah, definitely, we're looking at it through the hacker's eye,

5
00:00:10.880 --> 00:00:11.240
<v Speaker 2>so to.

6
00:00:11.199 --> 00:00:14.880
<v Speaker 1>Speak, right actively hunting for those weaknesses before they get exploited.

7
00:00:15.160 --> 00:00:17.719
<v Speaker 2>Precisely, Our mission here is really to pull back the

8
00:00:17.719 --> 00:00:21.079
<v Speaker 2>curtain on what's called hack attacks testing, okay, and show

9
00:00:21.079 --> 00:00:24.120
<v Speaker 2>you how organizations can actually run their own security.

10
00:00:23.640 --> 00:00:28.120
<v Speaker 1>Audits, So figuring out how vulnerabilities.

11
00:00:27.359 --> 00:00:30.879
<v Speaker 2>Are found, exactly, how they're discovered, how systems are built

12
00:00:30.920 --> 00:00:34.479
<v Speaker 2>just to test for them, and you know what tools

13
00:00:34.520 --> 00:00:36.280
<v Speaker 2>bring these hidden dangers out into the light.

14
00:00:36.439 --> 00:00:38.920
<v Speaker 1>And why should this matter to you listening in.

15
00:00:39.200 --> 00:00:42.000
<v Speaker 2>Well, maybe you're prepping for a meeting or just trying

16
00:00:42.000 --> 00:00:43.399
<v Speaker 2>to get up to speed on this stuff.

17
00:00:43.240 --> 00:00:45.359
<v Speaker 1>Quickly, or maybe you're just curious.

18
00:00:45.119 --> 00:00:49.000
<v Speaker 2>Right understanding this gives you a fast track, a shortcut

19
00:00:49.159 --> 00:00:53.200
<v Speaker 2>really to grasping the complexity of digital security.

20
00:00:52.799 --> 00:00:56.479
<v Speaker 1>Equipping you with insights into why strong defenses are just

21
00:00:56.560 --> 00:00:57.600
<v Speaker 1>so critical today.

22
00:00:57.960 --> 00:01:01.000
<v Speaker 2>And for this deep dive, we're drawing on some pretty

23
00:01:01.000 --> 00:01:06.920
<v Speaker 2>specialized technical sources. Guides on audits using analytical tools the works.

24
00:01:06.719 --> 00:01:10.280
<v Speaker 1>Looking at how the pros find the holes ethically, of course.

25
00:01:10.120 --> 00:01:11.920
<v Speaker 2>Always ethically. It's about defense.

26
00:01:12.280 --> 00:01:15.319
<v Speaker 1>So where do we start with this digital detective work?

27
00:01:15.640 --> 00:01:17.519
<v Speaker 1>Building something called a tiger box.

28
00:01:17.680 --> 00:01:19.560
<v Speaker 2>It's the first step. Yeah, a tiger box.

29
00:01:19.640 --> 00:01:21.560
<v Speaker 1>And that's not just any old computer, right.

30
00:01:21.480 --> 00:01:26.920
<v Speaker 2>No, No, it's a system specifically designed tuned really to

31
00:01:27.000 --> 00:01:29.159
<v Speaker 2>find potential security weaknesses.

32
00:01:28.719 --> 00:01:30.799
<v Speaker 1>Like a custom lab for finding vulnerabilities.

33
00:01:30.840 --> 00:01:32.400
<v Speaker 2>That's a great way to put it. It's all about

34
00:01:32.439 --> 00:01:36.359
<v Speaker 2>proactive defense, finding the holes before the attackers do, okay,

35
00:01:36.480 --> 00:01:38.799
<v Speaker 2>and a really good tiger box A first rate one

36
00:01:39.040 --> 00:01:41.799
<v Speaker 2>almost always uses a multiple boot setup.

37
00:01:41.519 --> 00:01:43.760
<v Speaker 1>Multiple operating systems on one machine.

38
00:01:43.879 --> 00:01:48.680
<v Speaker 2>Why because different operating systems have their own unique weak points, okay,

39
00:01:48.799 --> 00:01:51.560
<v Speaker 2>and you need different tools to probe them effectively. So

40
00:01:51.640 --> 00:01:55.480
<v Speaker 2>this multi system approach makes the audit way more comprehensive.

41
00:01:55.519 --> 00:01:56.480
<v Speaker 2>You don't miss as much.

42
00:01:56.719 --> 00:01:59.959
<v Speaker 1>Makes sense. So what os foundations are we talking about?

43
00:02:00.120 --> 00:02:03.519
<v Speaker 1>Our sources mention a few key ones, Windows two thousand.

44
00:02:03.159 --> 00:02:05.640
<v Speaker 2>Server yep, that's often part of the mix. And the

45
00:02:05.680 --> 00:02:10.319
<v Speaker 2>setup choices are critical, like FAT versus NTFS for the filesystem.

46
00:02:10.439 --> 00:02:12.120
<v Speaker 1>What's the difference there security wise?

47
00:02:12.240 --> 00:02:15.039
<v Speaker 2>Well, FAT is a simpler maybe good for smaller drives

48
00:02:15.120 --> 00:02:18.879
<v Speaker 2>or if you need MS dels access for recovery, but NTFS,

49
00:02:18.960 --> 00:02:22.400
<v Speaker 2>especially for anything over say four hundred megs, is much better.

50
00:02:22.599 --> 00:02:24.800
<v Speaker 2>It has transaction logs for recovery, so.

51
00:02:24.879 --> 00:02:26.840
<v Speaker 1>Less data loss if something goes wrong.

52
00:02:26.719 --> 00:02:30.639
<v Speaker 2>Exactly, and crucially better file security permissions. You get really

53
00:02:30.680 --> 00:02:31.840
<v Speaker 2>fine grained control.

54
00:02:32.080 --> 00:02:36.360
<v Speaker 1>And beyond the filesystem, things like active directory wyns, dns.

55
00:02:36.360 --> 00:02:39.360
<v Speaker 2>Oh yeah, those are vital. Active directory for managing users

56
00:02:39.360 --> 00:02:43.800
<v Speaker 2>in domains, wnzs for net bios names, dns for translating

57
00:02:43.879 --> 00:02:44.280
<v Speaker 2>names to.

58
00:02:44.240 --> 00:02:46.560
<v Speaker 1>IPS standard network stuff.

59
00:02:46.319 --> 00:02:48.840
<v Speaker 2>Standard, but also prime targets if they're not locked down.

60
00:02:49.000 --> 00:02:51.879
<v Speaker 2>Attackers use them to map your network or hijack services.

61
00:02:51.919 --> 00:02:55.759
<v Speaker 1>Gotcha, Okay. Moving beyond Windows, MACOSX Tiger is also mentioned.

62
00:02:55.800 --> 00:02:59.280
<v Speaker 2>Why include that because Apple's ecosystem, you know, people think

63
00:02:59.280 --> 00:03:03.280
<v Speaker 2>it's inherently cure. Yeah, but it has its own specific vulnerabilities,

64
00:03:03.360 --> 00:03:06.439
<v Speaker 2>different attack vectors, right, so you need tools like Apple's

65
00:03:06.439 --> 00:03:09.039
<v Speaker 2>developer tools to probe it properly and maybe set up

66
00:03:09.039 --> 00:03:11.120
<v Speaker 2>a port scanner infrastructure tailored for it.

67
00:03:11.240 --> 00:03:14.360
<v Speaker 1>And then there are the Nix systems Unix.

68
00:03:14.240 --> 00:03:20.960
<v Speaker 2>Linux, absolutely Essential, red Hat, Slackwar, Debian, Solaris, you name it.

69
00:03:21.039 --> 00:03:23.000
<v Speaker 1>Why are they so important.

70
00:03:22.560 --> 00:03:26.439
<v Speaker 2>For that raw command line control? They give you incredible flexibility,

71
00:03:26.520 --> 00:03:31.840
<v Speaker 2>especially for server side vulnerabilities. They're powerful multi user multitasking.

72
00:03:31.120 --> 00:03:34.560
<v Speaker 1>Systems, so the multios approach really is about covering all

73
00:03:34.560 --> 00:03:37.439
<v Speaker 1>the bases like a Swiss army knife for security testing.

74
00:03:37.520 --> 00:03:40.719
<v Speaker 2>That's it exactly simulating attacks from every angle possible.

75
00:03:40.840 --> 00:03:44.560
<v Speaker 1>Okay, so we've built our tiger box, our digital skeleton key.

76
00:03:45.000 --> 00:03:47.120
<v Speaker 1>Now what are we looking for? What are those common

77
00:03:47.240 --> 00:03:48.400
<v Speaker 1>locks or back doors?

78
00:03:48.479 --> 00:03:51.400
<v Speaker 2>It's funny a lot of systems practically advertise their weaknesses

79
00:03:51.479 --> 00:03:53.280
<v Speaker 2>right from the start. The fault installs are a.

80
00:03:53.319 --> 00:03:55.560
<v Speaker 1>Huge one, just the basic setup. Why does that leave

81
00:03:55.599 --> 00:03:56.560
<v Speaker 1>things exposed?

82
00:03:56.919 --> 00:04:01.280
<v Speaker 2>It often comes down to usability versus security. Developers want

83
00:04:01.280 --> 00:04:02.199
<v Speaker 2>things to work out of the.

84
00:04:02.120 --> 00:04:05.159
<v Speaker 1>Box, so they leave services running reports open that aren't

85
00:04:05.199 --> 00:04:05.960
<v Speaker 1>strictly needed.

86
00:04:06.080 --> 00:04:10.560
<v Speaker 2>Precisely in every single default setting is a potential door

87
00:04:10.599 --> 00:04:15.120
<v Speaker 2>for an attacker. That the initial configuration is so so critical,

88
00:04:15.520 --> 00:04:17.079
<v Speaker 2>maybe even more than patching later.

89
00:04:17.279 --> 00:04:21.319
<v Speaker 1>Wow, and sticking with the basics. Weak passwords still.

90
00:04:21.079 --> 00:04:24.920
<v Speaker 2>A thing, oh, massively. Systems with accounts that have no password,

91
00:04:25.279 --> 00:04:27.480
<v Speaker 2>or policies that don't enforce strong ones.

92
00:04:27.360 --> 00:04:29.399
<v Speaker 1>Easy targets for guessing or dictionary attack.

93
00:04:29.519 --> 00:04:33.600
<v Speaker 2>Absolutely, even against encrypted password lists, you'd be amazed. Strong

94
00:04:33.639 --> 00:04:37.000
<v Speaker 2>password policies are just fundamental, non negotiable. Really.

95
00:04:37.240 --> 00:04:40.439
<v Speaker 1>Okay, now this next area sounds more technical, packet filtering

96
00:04:40.519 --> 00:04:42.399
<v Speaker 1>and spoofing. What's the danger there.

97
00:04:42.399 --> 00:04:46.600
<v Speaker 2>Well, if your network doesn't filter incoming packets properly, attackers

98
00:04:46.639 --> 00:04:49.639
<v Speaker 2>can perform IPR DNS spoofing. They pretend to be a

99
00:04:49.680 --> 00:04:51.480
<v Speaker 2>trusted computer on your network.

100
00:04:51.240 --> 00:04:52.959
<v Speaker 1>And once they're inside the trust zone.

101
00:04:52.800 --> 00:04:55.480
<v Speaker 2>They can potentially install back doors, set up ways to

102
00:04:55.480 --> 00:04:57.959
<v Speaker 2>get back in easily later, like keeping a hidden key

103
00:04:58.040 --> 00:04:58.680
<v Speaker 2>under the mat.

104
00:04:59.000 --> 00:05:04.240
<v Speaker 1>Nasty related to that bind flaws. Bine is the DNS software.

105
00:05:03.959 --> 00:05:07.600
<v Speaker 2>Right right, the Domain Name Service software. Outdated versions are

106
00:05:07.639 --> 00:05:11.800
<v Speaker 2>notorious for vulnerabilities like what buffer overflows are a classic

107
00:05:12.519 --> 00:05:16.360
<v Speaker 2>an attacker sends too much data, crashing the program or worse,

108
00:05:16.639 --> 00:05:18.560
<v Speaker 2>tricking it into running malicious.

109
00:05:18.160 --> 00:05:19.879
<v Speaker 1>Code, giving them system access.

110
00:05:20.000 --> 00:05:23.399
<v Speaker 2>Potentially, Yes, finding old buy ing versions is a big

111
00:05:23.399 --> 00:05:24.439
<v Speaker 2>red flag in an audit.

112
00:05:24.720 --> 00:05:27.560
<v Speaker 1>Okay, what about SNMP community strings?

113
00:05:27.600 --> 00:05:31.319
<v Speaker 2>That sounds less dramatic, you'd think so, But SNMP, the

114
00:05:31.360 --> 00:05:35.199
<v Speaker 2>Simple Network Management Protocol, is used to manage network devices. Right,

115
00:05:35.600 --> 00:05:39.160
<v Speaker 2>many devices ship with the default community string, basically a

116
00:05:39.160 --> 00:05:41.360
<v Speaker 2>password set to public, and if you don't change it,

117
00:05:41.439 --> 00:05:44.759
<v Speaker 2>an attacker can query your devices, map out your network structure,

118
00:05:44.920 --> 00:05:49.199
<v Speaker 2>sometimes even reconfigure things remotely, or launch denial of service attacks.

119
00:05:49.240 --> 00:05:51.800
<v Speaker 1>Wow, okay, so a public is like leaving the front door.

120
00:05:51.639 --> 00:05:54.519
<v Speaker 2>Unlocked pretty much? Yeah, yeah, for anyone who knows to check.

121
00:05:54.600 --> 00:05:57.920
<v Speaker 1>And finally, in this category viruses, these are different, more passive.

122
00:05:58.240 --> 00:06:01.360
<v Speaker 2>Yeah, they're a bit different. They need a programmed to replicate.

123
00:06:01.519 --> 00:06:05.000
<v Speaker 2>They copy themselves into other executable files, sometimes even the

124
00:06:05.000 --> 00:06:05.839
<v Speaker 2>boot sector.

125
00:06:05.600 --> 00:06:07.480
<v Speaker 1>Of a hard drive, and then they activate right.

126
00:06:08.040 --> 00:06:12.000
<v Speaker 2>Activation, replication, payload delivery. That payload could be anything from

127
00:06:12.199 --> 00:06:15.319
<v Speaker 2>annoying messages to deleting all your data.

128
00:06:15.360 --> 00:06:19.240
<v Speaker 1>Often spread through email attachments right like those infamous.

129
00:06:18.759 --> 00:06:24.000
<v Speaker 2>Worms exactly, or pirated software Yeah, infected discs. Sometimes just

130
00:06:24.079 --> 00:06:27.319
<v Speaker 2>previewing an email in something like Outlook could trigger them.

131
00:06:27.360 --> 00:06:29.079
<v Speaker 2>Back in the day, no clicking.

132
00:06:28.759 --> 00:06:32.519
<v Speaker 1>Required, scary stuff. Let's make these vulnerabilities more real. Our

133
00:06:32.560 --> 00:06:36.319
<v Speaker 1>sources mentioned specific examples found by security tools. The ISO

134
00:06:36.480 --> 00:06:38.160
<v Speaker 1>Unicode vulnerability.

135
00:06:37.959 --> 00:06:42.439
<v Speaker 2>Yes a classic. This affected Microsoft's web server ISA.

136
00:06:42.600 --> 00:06:43.399
<v Speaker 1>How did it work?

137
00:06:43.639 --> 00:06:46.480
<v Speaker 2>By crafting a special web request like adding lots of

138
00:06:46.480 --> 00:06:49.399
<v Speaker 2>spaces in dot htr to a URL, you could trick

139
00:06:49.439 --> 00:06:51.480
<v Speaker 2>the server into showing you the contents of files. It

140
00:06:51.519 --> 00:06:54.800
<v Speaker 2>absolutely shouldn't have a subtle flaw huge impact.

141
00:06:55.079 --> 00:06:58.480
<v Speaker 1>And the outlook datehead or buffer overflow you mentioned previewing, Yeah,

142
00:06:58.519 --> 00:06:59.160
<v Speaker 1>that was wild.

143
00:06:59.560 --> 00:07:03.759
<v Speaker 2>Especially crafted email header could cause a buffer overflow and

144
00:07:03.839 --> 00:07:07.120
<v Speaker 2>run arbitrary code on your machine just by being retrieved

145
00:07:07.160 --> 00:07:08.480
<v Speaker 2>by Outlook from the server.

146
00:07:08.399 --> 00:07:10.360
<v Speaker 1>Before you even opened it, before.

147
00:07:10.120 --> 00:07:13.199
<v Speaker 2>You opened to previewed it. It bypassed the usual user

148
00:07:13.240 --> 00:07:15.079
<v Speaker 2>interactions deck very serious.

149
00:07:15.240 --> 00:07:19.680
<v Speaker 1>Then there's Windows and t RPC services. Depletion sounds like

150
00:07:19.720 --> 00:07:21.519
<v Speaker 1>it just crashes thing pretty much.

151
00:07:21.600 --> 00:07:25.279
<v Speaker 2>An attacker connects to certain RPC services, sends junk data,

152
00:07:25.639 --> 00:07:28.480
<v Speaker 2>and the system just keeps allocating memory and CPU until

153
00:07:28.519 --> 00:07:29.079
<v Speaker 2>it freezes.

154
00:07:29.199 --> 00:07:31.240
<v Speaker 1>A denial of service attack a simple.

155
00:07:30.959 --> 00:07:33.519
<v Speaker 2>Effective one, yeah, takes the system offline.

156
00:07:33.600 --> 00:07:36.120
<v Speaker 1>And it's not always these big dramatic exploits, is it.

157
00:07:36.120 --> 00:07:38.639
<v Speaker 1>What about registry and wind lug on key.

158
00:07:38.600 --> 00:07:42.399
<v Speaker 2>Permissions right, subtle but dangerous improper permissions on certain Windows

159
00:07:42.399 --> 00:07:45.519
<v Speaker 2>registry keys could let an attacker plant trojan horses that

160
00:07:45.600 --> 00:07:47.279
<v Speaker 2>run its startup or let.

161
00:07:47.240 --> 00:07:49.759
<v Speaker 1>Them escalate their privileges exactly.

162
00:07:49.360 --> 00:07:51.040
<v Speaker 2>Turn a regular user into an admin.

163
00:07:51.759 --> 00:07:55.839
<v Speaker 1>Sneaky stuff and anonymous FTP logins. That sounds like an

164
00:07:55.879 --> 00:07:56.600
<v Speaker 1>obvious one.

165
00:07:56.879 --> 00:08:00.199
<v Speaker 2>It is, but it's still common. If an FTP server

166
00:08:00.319 --> 00:08:03.879
<v Speaker 2>allows anonymous users and isn't configured very carefully, it could

167
00:08:03.920 --> 00:08:07.720
<v Speaker 2>potentially allow access to entire drives, basically handing over the

168
00:08:07.800 --> 00:08:08.639
<v Speaker 2>keys to your files.

169
00:08:08.720 --> 00:08:10.480
<v Speaker 1>Okay, so we know what we're hunting for. Let's talk

170
00:08:10.519 --> 00:08:14.120
<v Speaker 1>about the tools, the arsenal as our sources call it.

171
00:08:14.639 --> 00:08:15.680
<v Speaker 1>How do we group these?

172
00:08:16.079 --> 00:08:18.879
<v Speaker 2>We can break them down by function. First up, general

173
00:08:18.959 --> 00:08:20.600
<v Speaker 2>vulnerability scanners.

174
00:08:20.240 --> 00:08:22.519
<v Speaker 1>Like the Cerberus Internet Scanner CIS.

175
00:08:22.639 --> 00:08:26.319
<v Speaker 2>Yeah, that's a good example. It's free, has a graphical interface,

176
00:08:26.399 --> 00:08:31.399
<v Speaker 2>mostly looks for common Internet service ISSUESGTP, SMTP, FTP plus

177
00:08:31.439 --> 00:08:32.960
<v Speaker 2>Windows NT problems.

178
00:08:32.559 --> 00:08:34.039
<v Speaker 1>And it generates reports.

179
00:08:33.720 --> 00:08:35.879
<v Speaker 2>Yep, ahml reports good starting points.

180
00:08:35.960 --> 00:08:40.039
<v Speaker 1>Okay. Then there's something called Internet Scanner more comprehensive.

181
00:08:40.120 --> 00:08:43.200
<v Speaker 2>Yeah. That one's more geared towards full network assessments. Lets

182
00:08:43.240 --> 00:08:46.840
<v Speaker 2>you define specific scan policies, really tailor the tests, and

183
00:08:46.879 --> 00:08:51.279
<v Speaker 2>the reports detailed often categorized by severity, helps you prioritize

184
00:08:51.279 --> 00:08:52.080
<v Speaker 2>what to fix first.

185
00:08:52.320 --> 00:08:55.720
<v Speaker 1>Makes sense. And the stat Scanner Yeah focuses on Windows

186
00:08:55.759 --> 00:08:56.480
<v Speaker 1>and heavily.

187
00:08:56.639 --> 00:09:00.000
<v Speaker 2>Yeah, claims to check for over one thousand NT vulnerability

188
00:09:00.519 --> 00:09:02.720
<v Speaker 2>and it has a neat auto fixed feature for some

189
00:09:02.759 --> 00:09:08.399
<v Speaker 2>common issues. Saves time, plus good reporting like executive summaries

190
00:09:08.440 --> 00:09:09.080
<v Speaker 2>for management.

191
00:09:09.279 --> 00:09:13.080
<v Speaker 1>All right, moving beyond general scanners, network mapping and discovery,

192
00:09:13.440 --> 00:09:14.679
<v Speaker 1>Tiger Suite comes up again.

193
00:09:14.840 --> 00:09:17.759
<v Speaker 2>Right, It's presented as a full toolkit. It has modules

194
00:09:17.759 --> 00:09:22.240
<v Speaker 2>for different tasks like system status, inter networking sniffers. These

195
00:09:22.279 --> 00:09:25.720
<v Speaker 2>capture and show you network traffic IP stats, TCP stats

196
00:09:26.080 --> 00:09:29.120
<v Speaker 2>good for diagnostics or seeing if spoofing is happening. Okay,

197
00:09:29.279 --> 00:09:33.080
<v Speaker 2>then it's discovery modules do things like finger DNS lookups,

198
00:09:33.440 --> 00:09:36.399
<v Speaker 2>who equeries that basic infogathering that's crucial early on.

199
00:09:36.559 --> 00:09:38.679
<v Speaker 1>And scanners within Tiger Suite yep.

200
00:09:38.519 --> 00:09:42.799
<v Speaker 2>Ping scanners, IP range scanners, port scanners, even stealth port

201
00:09:42.840 --> 00:09:45.320
<v Speaker 2>scanners to find active machines and open ports.

202
00:09:45.399 --> 00:09:48.440
<v Speaker 1>Quietly, got it, And you can't talk network discovery without

203
00:09:48.440 --> 00:09:49.240
<v Speaker 1>mentioning end map.

204
00:09:49.440 --> 00:09:52.519
<v Speaker 2>Absolutely not end map. The network mapper is world renowned,

205
00:09:52.879 --> 00:09:54.480
<v Speaker 2>famous for port scanning.

206
00:09:54.240 --> 00:09:56.159
<v Speaker 1>But also for detecting operating systems.

207
00:09:56.159 --> 00:10:00.639
<v Speaker 2>How does that work through TCPIP stack fingerprinting. It's fascinating.

208
00:10:01.200 --> 00:10:04.679
<v Speaker 2>End Map send specific probes and analyzes the subtle ways

209
00:10:04.679 --> 00:10:06.120
<v Speaker 2>different operating systems.

210
00:10:05.799 --> 00:10:08.519
<v Speaker 1>Respond, even if no ports are open exactly.

211
00:10:09.200 --> 00:10:13.480
<v Speaker 2>It looks at tiny differences in things like icmperror messages

212
00:10:13.679 --> 00:10:16.720
<v Speaker 2>or initial TCP window sizes. It can often tell you

213
00:10:16.759 --> 00:10:21.159
<v Speaker 2>the OS, sometimes even the version just from these tells incredible.

214
00:10:21.159 --> 00:10:25.799
<v Speaker 1>Okay, what about more specialized tools for testing or even attacking?

215
00:10:25.879 --> 00:10:29.200
<v Speaker 2>Chaping, ah taping, that's an advanced packet crafter. You can

216
00:10:29.240 --> 00:10:31.320
<v Speaker 2>build network packets exactly how you want.

217
00:10:31.120 --> 00:10:33.600
<v Speaker 1>Them, and it can do idle host scanning. What's that?

218
00:10:33.840 --> 00:10:37.799
<v Speaker 2>Also called dumb scanning. It's a very stealthy technique. You

219
00:10:37.879 --> 00:10:40.759
<v Speaker 2>spoof packets as if they're coming from some inactive machine

220
00:10:40.759 --> 00:10:41.879
<v Speaker 2>on the network.

221
00:10:41.600 --> 00:10:44.039
<v Speaker 1>So the target doesn't see your real address exactly.

222
00:10:44.080 --> 00:10:46.799
<v Speaker 2>The responses go to the idle host and you infer

223
00:10:46.879 --> 00:10:50.360
<v Speaker 2>information based on how that host behaves. It's complex, but

224
00:10:50.519 --> 00:10:52.960
<v Speaker 2>very sneaky. Also great for firewall testing.

225
00:10:53.120 --> 00:10:58.879
<v Speaker 1>Wow. Then there's cybercop Scanner CASL Custom Audit Scripting language.

226
00:10:58.480 --> 00:11:01.120
<v Speaker 2>Right that lets auditors write their own little scripts to

227
00:11:01.159 --> 00:11:02.840
<v Speaker 2>send very specific custom packets.

228
00:11:02.879 --> 00:11:03.720
<v Speaker 1>Why would you need that?

229
00:11:03.799 --> 00:11:07.120
<v Speaker 2>To test how systems react to unusual or malformed traffic,

230
00:11:07.600 --> 00:11:09.759
<v Speaker 2>Like craft a weird ping packet and see if the

231
00:11:09.759 --> 00:11:12.759
<v Speaker 2>firewall drops that are led it through fine grained control.

232
00:11:13.039 --> 00:11:17.639
<v Speaker 1>And cybercop also had a crack program sound ominous?

233
00:11:17.799 --> 00:11:20.120
<v Speaker 2>It does what it sounds like. Yeah. It takes encrypted

234
00:11:20.120 --> 00:11:22.639
<v Speaker 2>password lists from a system and tries to guess the

235
00:11:22.639 --> 00:11:26.519
<v Speaker 2>passwords using dictionary files, lists of common words, names, etc.

236
00:11:26.879 --> 00:11:29.039
<v Speaker 1>Really highlights the danger of simple passwords.

237
00:11:29.080 --> 00:11:30.440
<v Speaker 2>Absolutely a stark reminder.

238
00:11:30.639 --> 00:11:35.559
<v Speaker 1>Okay, nearly there Advanced audit and reporting systems SAINT successor

239
00:11:35.639 --> 00:11:36.120
<v Speaker 1>to SATAN.

240
00:11:36.600 --> 00:11:41.200
<v Speaker 2>Yes, SAINT the Security Administrator Integrated Network Tool. It builds

241
00:11:41.200 --> 00:11:45.679
<v Speaker 2>on the older SATAN tool designed to assess network security comprehensively.

242
00:11:45.759 --> 00:11:47.240
<v Speaker 1>How does it organize findings?

243
00:11:47.519 --> 00:11:51.279
<v Speaker 2>It classifies them by severity red for critical, yellow for serious,

244
00:11:51.679 --> 00:11:54.440
<v Speaker 2>brown for potential issues, green for okay.

245
00:11:54.399 --> 00:11:56.919
<v Speaker 1>And it checks against known lists yep.

246
00:11:56.879 --> 00:12:00.159
<v Speaker 2>Like the SANDS Top twenty Internet security vulnerabilities, very so

247
00:12:00.279 --> 00:12:02.000
<v Speaker 2>for prioritizing.

248
00:12:01.240 --> 00:12:03.679
<v Speaker 1>And SARAH Security Auditor Research Assistant.

249
00:12:03.919 --> 00:12:07.039
<v Speaker 2>Sarah's strength is remotely probing systems and storing all the

250
00:12:07.120 --> 00:12:09.080
<v Speaker 2>findings in a database for analysis.

251
00:12:09.320 --> 00:12:11.600
<v Speaker 1>Does it integrate with other tools, Yes, that's.

252
00:12:11.440 --> 00:12:13.720
<v Speaker 2>A key feature. It can use end map, for instance,

253
00:12:13.919 --> 00:12:16.320
<v Speaker 2>for better OS fingerprinting, combining strengths.

254
00:12:16.519 --> 00:12:19.480
<v Speaker 1>So, taking a step back, what's the big picture of

255
00:12:19.519 --> 00:12:20.799
<v Speaker 1>how all these tools work?

256
00:12:21.120 --> 00:12:25.840
<v Speaker 2>Fundamentally, whether they're commercial or open source, they run modules.

257
00:12:26.240 --> 00:12:31.440
<v Speaker 2>These are like mini tests specific checks for known vulnerabilities.

258
00:12:30.639 --> 00:12:32.480
<v Speaker 1>And they sometimes try to exploit them.

259
00:12:32.360 --> 00:12:35.759
<v Speaker 2>Sometimes, yes, in a controlled way. It's not just about

260
00:12:35.960 --> 00:12:38.840
<v Speaker 2>thinking there's a vulnerability, it's about proving it exists and

261
00:12:39.000 --> 00:12:42.519
<v Speaker 2>understanding the potential impact it confirms the weakness.

262
00:12:42.600 --> 00:12:45.720
<v Speaker 1>Okay, so we've really covered a lot today, from building

263
00:12:45.759 --> 00:12:49.200
<v Speaker 1>those tiger boxes, understanding common weaknesses.

264
00:12:48.720 --> 00:12:51.000
<v Speaker 2>Right through to using this whole arsenal of tools to

265
00:12:51.120 --> 00:12:51.919
<v Speaker 2>actually find them.

266
00:12:52.000 --> 00:12:53.480
<v Speaker 1>It's been a deep dive for sure.

267
00:12:53.679 --> 00:12:55.559
<v Speaker 2>And the main thing to remember, I think, is that

268
00:12:55.720 --> 00:12:59.159
<v Speaker 2>this isn't a one off task. Security auditing isn't something

269
00:12:59.200 --> 00:13:00.519
<v Speaker 2>you just do once and forget.

270
00:13:00.679 --> 00:13:01.799
<v Speaker 1>It has to be continuous.

271
00:13:01.960 --> 00:13:07.080
<v Speaker 2>Absolutely, Threats evolve constantly, systems change. It's an ongoing process

272
00:13:07.399 --> 00:13:11.279
<v Speaker 2>essential for protecting digital assets. You can't just check the box.

273
00:13:11.919 --> 00:13:14.399
<v Speaker 1>So here's a final thought to leave everyone with. In

274
00:13:14.480 --> 00:13:19.320
<v Speaker 1>a world where systems are constantly being probed, tested, poked at,

275
00:13:19.799 --> 00:13:22.559
<v Speaker 1>how does the very act of identifying these vulnerabilities, even

276
00:13:22.559 --> 00:13:25.240
<v Speaker 1>when we do it ethically like we've discussed, how does

277
00:13:25.279 --> 00:13:29.159
<v Speaker 1>that fundamentally change the landscape of digital trust and privacy

278
00:13:29.279 --> 00:13:29.840
<v Speaker 1>for everyone?

279
00:13:30.240 --> 00:13:32.440
<v Speaker 2>H That's a deep one, something to chew on