Episode247

From Paul's Security Weekly


Announcements

PaulDotCom Security Weekly - Episode 247 for Thursday June 9th, 2011.

Episode Media

MP3

Special Preview of Code 2600

Media

Watch the live video version of this segment above. For more videos and to subscribe to PaulDotCom TV visit http://pauldotcom.blip.tv

Download the Audio (MP3) Version of this segment here!

7:30 PM

Directed by Jeremy Zerechak, Code2600 is billed as "the story of the rise of communication and computer technology in the United States as told through the events and people who helped to build and manipulate it. "Code 2600" is an exploration of the struggle to protect the complex information networks that have shaped our way of life from those who could potentially send the card house crashing down. It is a criminal and philosophical journey through the human integration of the world with our World, The Internet."

  1. What were your motives in making this film?
  2. Did you come away with any fresh insight as to how fragile the Internet really is? Or do you think the Internet is more resilient now than ever?
  3. What do you think will be more successful in keeping the Internet safe: Legislation or Technical controls?
  4. After making this film, do you think the Internet would be better protected by having the U.S. cede more control of the Internet and its maintenance over to outside countries?
  5. What do you think of the recent Anonymous attacks on Sony and Amazon?
  6. What scene did you wish you could have kept but had to cut?
  7. Where will this be premiering?
  8. How tough was it to get folks to be interviewed on camera for the film?
  9. Where was the film shot?
  10. Do you have any hacking experience? Did any of the interviewed folks offer to give you a demo?
  11. What other projects are you considering turning your attention to?

Guest Tech Segment: Tim Tomes on GXFR


8:15 PM

Tim's a Captain and former Red Team leader for the Army, principal developer and maintainer of the Army's first Network Defense course, and adviser to the Army Cyber Leader College. Tim is also the author of GXFR and is on to give us a special tech segment on his Search Engine Based Domain Transfer Tool that uses Google.

Tim's Blog

Tim on Twitter

Stories For Discussion

PaulDotCom Blog Roundup

  1. Search Engine Domain Transfer - GXFR

Larry's Stories

  1. RSA. Need I say more - [Larry] RSA finally comes clean. The question that I ask is, did they lie to us in the beginning, or did they just not know how badly they were compromised? Sounds like RSA will be replacing, for free, some 40 million tokens. My question is (not knowing enough about the specific encryption), if the 40 million are compromised, are they essentially ALL compromised? I wonder how this affects Travis' work with the tokens?
  2. Acer Hacked! - [Larry] - Well, not really. But yes. So, on a forum, an Acer employee gives up a support FTP site and account. It remains active for years. People log in, snoop around the site, and find other stuff, such as customer data. Man, we find stuff like this at customer sites (external and internal) all of the time. Set it and forget it I guess.
  3. Wow, people are stupid - [Larry] - Thanks @innismir! I guess folks will believe anything that the computer repair man tells them (or the computer for that matter). HI! I'M FROM THE INTERNET. I'M HERE TO HELP! So, man repairs computers, installs cam software to machines and maintains remote access. He then sends "system messages" to convince users to take their computing device into areas where they will likely be naked, while the computer is snapping cam photos and uploading offsite. System messages? Stuff like "You should fix your internal sensor soon. If unsure what to do, try putting your laptop near hot steam for several minutes to clean the sensor."
  4. Who needs Metadata? - [Larry] - Thanks byte_bucket! So, one thing that we talk about with HIPAA is the need to keep data with the same restrictions in Emergency situations as they are during regular times. Sounds like there is a bit of an emergency with a wildfire in AZ right about now, and thanks to this photo, we have a bunch of phone numbers. But wait, there's more! YAY credentials. Bob tells me there isn't too much interesting there, and that anonymous access works as well. I suppose that someone interested in hampering firefighting efforts might be interested in, or changing the logistical information.
  5. Why we secretly love Lulzsec - [Larry] Patrick, I personally think that you hit the nail on the head on this one. "LulzSec is running around pummeling some of the world's most powerful organizations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any." While I may not agree with Lulzsec's actions or ethics, they are certainly raising awareness, and hopefully cutting through the FUD.

Paul's Stories

  1. "I'm here to fix your computer" - And oh, btw, I'm going to put malware on your computer that takes pictures of you hoping you get naked in front of the computer. One of the messages "popped up" by the malware was this: "You should fix your internal sensor soon. If unsure what to do, try putting your laptop near hot steam for several minutes to clean the sensor." Oh, and while you're at it, you should take a shower too! Also, "Some victims, tricked by the pop-up warning, did take their computers with them into the shower". WTF?
  2. Citigroup Breach Exposed 210,000 customers - No, it was not "shower malware" but an attack on their website. So, likely SQL injection. I mean, really? Why haven't we fixed this problem? Look, buy some basic web app testing software and find these holes, that will help. It won't solve the problem of poor coding, but maybe, just maybe, you can find the bugs before attackers do. Unless you don't care about breaches and they don't affect your bottom line, then just, well, carry on.
  3. Twitter URL Shortener - Secure? - It's not really security if you are just comparing to a list of known malware sites. Don't be fooled!
  4. IPv6 Day! - Came and went. Isn't everyone excited? I think IPv6 gives us new challenges and opportunities. As penetration testers, how do you scan 1 billion IP addresses? Tough problem to solve, DNS will be even more important than it is today. At the very least, discovery of hosts will need to be more creative.
  5. Hackers Infiltrated by FBI? - According to Emmanuel Goldstein (AKA Eric Corley) of 2600, 25% of the hacker underground, aka "cyber criminals", are FBI informants. Reminds me of my favorite TV show, Sopranos. Any criminal organization is bound to have informants. If you get "pinched" you are faced with jail time or ratting on your friends. It's a famous story line that now plays out in the "cyber criminal" community. We all remember "Pussy" and Adriana, who both met their fates once they were discovered as being a "rat". I wonder what happens in the computer underground to so-called informants? What is the definition of "cyber whacking"?
  6. Blackhat talk to uncover Siemens flaws - You just can't hide information, especially in today's day and age. If you are vulnerable, people will find out. The best way to handle this is to fix your problems!

Darren's Stories

  1. 1 in 4 hackers are informants... Report that the FBI and US Secret Service have created quite an army of informants that has led to a web of distrust and deceit in the underground black hat world. And when can we get some hacker images that don't have a CRT monitor in them... I haven't seen a CRT monitor actually in use for real since 1998