From Paul's Security Weekly
Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 299 for Thursday August 6th, 2012
- We take two weeks off, then it is Episode 300 broadcast live on Friday August 31st in support of a cure for Breast Cancer. We will broadcast live from 10am until 6PM Eastern time and the show will feature tech segments, round table discussions and special guests. Mark it on your calendars today!
- In other admin related news, we're leaving Ning and moving onwards. Ning was cool, but now it's a haven for SPAM. I want to thank everyone for participating. In the meantime please follow us on Twitter (@pauldotcom), Facebook (https://www.facebook.com/therealpauldotcom), and add me on Google+ (Paul Asadoorian, I will have a good email account for that soon). Don't forget to join our mailing list http://mail.pauldotcom.com and look for a newsletter in the not-too-distant future.
Interview with Wade Alcorn
Wade is the Asia Pacific General Manager for the NCC Group and founder of BeEF -- the browser exploitation framework.
- How did you get your start in information security?
- What led you to create BeEF?
- How painful was the change from PHP to Ruby?
- What advice would you give folks looking to restructure their code?
- Larry is teaching SANS SEC 617 on Wireless Pwnage; check out Larry's very own dedicated page on the SANS web site for a complete list. Next up is SANS at Sydney in November.
- Larry will be delivering the Keynote at Hack3rcon^3 Doomsday Eve. Hackers and prepping, what could be better?
- Kicking Out Bots with ModSecurity - This was a really cool idea and usage of a WAF. Sure, we give WAFs crap, okay, we give them a lot of crap. However, adding a hidden field into the mix and using it as validation of a true user, rather than a bot, is a great idea. Full details on Xavier's rootshell.be blog.
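To make the hidden-field idea concrete, here is an added example (my own code, not Xavier's ModSecurity rules and not from the show) that implements the same check on the application side instead of in the WAF. The form carries two injected inputs: a honeypot text field hidden with CSS, which a human never fills but a form-filling bot usually does, and a hidden field holding an HMAC-signed render timestamp so that a submission that arrives implausibly fast, with a forged stamp, or with a stale one is rejected. The field names, the secret key, the timing window and the sample submissions are all constructed for the example.

```python
"""Honeypot hidden-field validation for web forms (added example)."""
import hashlib
import hmac
import time
from typing import Optional, Tuple

HONEYPOT_FIELD = "website_url"   # constructed name; hidden with CSS, never filled by humans
STAMP_FIELD = "form_stamp"       # constructed name; carries the signed render time
SECRET_KEY = b"constructed-example-key-rotate-in-production"  # constructed; load from config
MIN_FILL_SECONDS = 2             # faster than a person can fill the form
MAX_FILL_SECONDS = 3600          # older than this is stale or replayed


def _sign(issued_at: int) -> str:
    """Stamp format: '<unix seconds>.<hex HMAC-SHA256 over those seconds>'."""
    mac = hmac.new(SECRET_KEY, str(issued_at).encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def render_hidden_fields(now: Optional[int] = None) -> dict:
    """Values the server injects into the form when it renders the page."""
    issued_at = int(time.time()) if now is None else now
    return {HONEYPOT_FIELD: "", STAMP_FIELD: _sign(issued_at)}


def hidden_inputs_html(fields: dict) -> str:
    """HTML for the injected fields. The honeypot is a normal text input moved
    off-screen with CSS rather than type=hidden, because many bots skip
    type=hidden inputs but fill every visible-looking text field."""
    return (
        '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        f'<input type="text" name="{HONEYPOT_FIELD}" value="" tabindex="-1" autocomplete="off">'
        '</div>'
        f'<input type="hidden" name="{STAMP_FIELD}" value="{fields[STAMP_FIELD]}">'
    )


def validate_submission(form: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a posted field mapping."""
    now = int(time.time()) if now is None else now
    # 1. Honeypot: any content in the hidden field means an automated form filler.
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot field populated"
    # 2. Stamp must be present and well-formed.
    stamp = form.get(STAMP_FIELD, "")
    issued_str, sep, _mac = stamp.partition(".")
    if not sep or not issued_str.isdigit():
        return False, "stamp missing or malformed"
    issued_at = int(issued_str)
    # 3. Stamp must carry a valid signature (constant-time comparison).
    if not hmac.compare_digest(_sign(issued_at), stamp):
        return False, "stamp signature invalid"
    # 4. Timing: too fast is automation, too old is stale or replayed.
    elapsed = now - issued_at
    if elapsed < MIN_FILL_SECONDS:
        return False, f"submitted {elapsed}s after render, too fast"
    if elapsed > MAX_FILL_SECONDS:
        return False, "stamp expired"
    return True, "ok"


if __name__ == "__main__":
    rendered = render_hidden_fields(now=1_000_000)
    print(hidden_inputs_html(rendered))
    # Constructed submissions: a person five seconds later, and a bot that filled everything.
    print(validate_submission({**rendered, "name": "Alice"}, now=1_000_005))
    print(validate_submission({**rendered, "name": "bot", HONEYPOT_FIELD: "http://spam.example"}, now=1_000_005))
```

A WAF-side version of this has the advantage of needing no application changes, which is what makes the ModSecurity approach attractive; the application-side version is easier to unit test and to tune per form. Either way the honeypot only catches naive bots, so the signed stamp is there to also stop replayed or hand-crafted posts.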
- Lotus Domino Scanner - Pop quiz, what does NSF stand for? While I haven't seen Lotus Notes in some time, there seems to be a steady stream of vulnerabilities and tools, including some additional functionality which uses wordlists to enumerate the Lotus Domino databases.
- Photo suggests Apple out to 'screw' hardware hackers - So Apple supposedly is coming out with its own "security screw" to prevent others from performing maintenance on iDevices. How long before someone figures out how to take a soda can and pop open a device? Place a wager?
- Security researcher cracks Microsoft's BlueHat prize-winning ROPGuard tool - Someone wrote an exploit that works against MS EMET 3.5. Goes to show you that this is an arms race, and there are really no winners when it comes to targeted attacks.
- Your career is over after a breach? Another Myth - So the story goes Rich Baich was the CISO of Choicepoint when they had a breach. Rich just got a job as Wells Fargo's CISO. Congrats to Rich, but a couple of things I'd like to point out. First, your career is not over just because there was a breach. It's over when you are grossly negligent and incompetent in handling the breach. Second, W-T-F, Wells Fargo never had a CISO? THAT is scary.
- Hacking Embedded Devices: UART Consoles - MWR Labs - Nice article on how to use the serial console to hack embedded devices. They cover some techniques to trick the device into letting you access the serial console. Good to see more of this research being done.
- Cybersecurity Bill Fails in US Senate | SecurityWeek.Com - The privacy versus security debate will rage on forever. It will be interesting to see if any bills make it through, and which side of the coin they will fall, either stripping us of our rights or being ineffective at providing security. Tough to have legislation that protects people's rights and provides security. I can't help but think of London or even Las Vegas, and how security cameras add to the security element, but leave you feeling creeped out (though, that could be a lot of other things in Vegas anyhow).
- About Exploit Exercises - I haven't played around with it yet, but this looks like a nice resource to learn about exploitation, tutorials and VMs for you to practice on. Sweet! Let us know what you think.
- Reuters Hacked Due To Old WordPress Version - Old WordPress, really? I don't know what's worse, knowing that you are vulnerable and not doing anything about it, or not knowing if you are vulnerable. I just hope you have employees that care that you are vulnerable and do something about it.
- Huawei and Cyber Espionage - Everything is made in China, should we panic?
- Triple DDoS vs. KrebsOnSecurity - I was curious to see what vendors have that can help with DDoS attacks, looks like just an analysis of the software used to perform the attack is presented here. I wonder how anti-DDoS techniques work, and if this ties into offensive countermeasures. Answer: it depends.
- Using Git to pwn. - [Larry] - Epic win from Mr. Bowes! If you can find the /.git folder on a website, download/clone it! Then, issue a few git commands and you have a copy of the affected code from the repository. This code could have all sorts of goodies contained. Thanks to the commenters, there is even a Google Dork: ".git" intitle:"Index of"
- Huawei gives the warm fuzzies - [Larry] - Huawei is working with UK intelligence agencies to allay fears of security issues and backdoors. While that's great and all, Huawei still doesn't provide any method of contact to a corporate- or agency-focused group to report vulnerabilities. Just ask FX…
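From the defender's side, the exposed /.git folder above is a deployment mistake (the repository metadata was copied into the web root) compounded by a web server that serves any path it finds. The durable fix is to deploy without the metadata and to deny those paths at the web server; the added example below (my own code, not from the episode, Mr. Bowes' post, or any tool mentioned) shows the deny rule as a WSGI middleware so it can be exercised offline. It normalizes percent-encoding, case and `..` segments before matching so that encoded or traversal variants are also caught, and it generalizes beyond `.git` to the other VCS metadata directories that leak source and history in the same way. The demo application, the blocklist and the sample paths are constructed for the example.

```python
"""Deny web requests for version-control metadata directories (added example)."""
import posixpath
from typing import Callable, Iterable, Tuple
from urllib.parse import unquote

# .git is the case from the show; the rest are the same class of leak (generalization).
BLOCKED_DIRS = frozenset({".git", ".svn", ".hg", ".bzr"})


def is_blocked_path(raw_path: str) -> bool:
    """True if any segment of the URL path names a VCS metadata directory.
    Decodes percent-encoding twice (double encoding), collapses '..', and
    compares case-insensitively, so '/static/../.git/config' and '/%2Egit/HEAD'
    are caught as well as the plain form."""
    path = unquote(unquote(raw_path))
    path = posixpath.normpath("/" + path.lstrip("/"))
    return any(segment.lower() in BLOCKED_DIRS for segment in path.split("/"))


def block_vcs_metadata(app: Callable) -> Callable:
    """WSGI middleware: answer 404 for blocked paths before the app sees them.
    404 rather than 403 so the response does not confirm the directory exists."""
    def wrapper(environ, start_response):
        if is_blocked_path(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapper


def _demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed stand-in for an application that would otherwise serve anything."""
    body = f"served {environ['PATH_INFO']}".encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call_wsgi(app: Callable, path: str) -> Tuple[str, bytes]:
    """Drive a WSGI app offline with a minimal environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


guarded_app = block_vcs_metadata(_demo_app)

if __name__ == "__main__":
    # Constructed sample requests: one legitimate, three variants of the metadata path.
    for sample in ["/index.html", "/.git/HEAD", "/static/../.git/config", "/%2Egit/config"]:
        print(sample, "->", call_wsgi(guarded_app, sample)[0])
```

In practice the same deny belongs in front of the application as well: Apache 2.4 can do it with a `<DirectoryMatch "/\.git">` block containing `Require all denied`, and nginx with a `location ~ /\.git` block that returns 404. The middleware is the second line of defense for the day the server config is missed, and a deploy step that fails when a `.git` directory lands under the document root is the first.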
- Android Burp - [Larry] - The new version of Burp handles proxies for android phones much better. Android devices use proxies in unexpected ways, but they were able to figure out and spoof all of the information needed. Now it just works. :-) I suspect that Josh Wright had some influence here while writing his mobile security course.
- YAY JOOMLA (http://packetstormsecurity.org/files/115306/VL-652.txt) - [Larry] - We rail on Joomla a bunch for security issues, but mostly due to plugins. This time, SQL injection on the base packages.
- Phishing ADP with Java - [Larry] - Hrm, has your ADP certificate expired? Did you get notified via e-mail? Well, if you did, and you clicked you got pwned, and some Java JRE exploits, and then, payroll gets pwned. Why? Most users that click ACTUALLY know what ADP is…
Jack's Rants and Random Stories
- Hey, look, a map of the Internet. Useless, but strangely interesting.
- Mike Rothman rants about tech media. My curmudgeonly soul brother nails it in this rant about the state of the tech media. Quote: "Tech media isn’t about reporting anymore. It’s about generating page views..."
- Gizmodo editor gets completely pwned. But should a single account really have this much power?
- Ukraine government takes down Demonoid. Out of all the things I've seen coming out of the Ukraine, I find it interesting that they choose to tackle piracy first.
- Battle.net hacked. They lost password hashes, but it looks like they're handling info disclosure pretty well.
- CNN recaps Defcon's social engineering contest.