Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 314 for Thursday January 3rd, 2013
- Tom Clancy's new book, Threat Vector, makes mention to a Hack Naked T-shirt
- Welcome our latest official sponsor, The SANS Institute! You will be hearing a lot more about some of the different programs and curriculums at SANS over the course of next year.
- For the first time ever, BSides is coming to Rhode Island. Paul will be co-organizing BSides Rhode Island with the latest PaulDotCom victim/intern Patrick Laverty. Saturday, June 15 in Providence, Rhode Island. You can get in touch with us at BSidesRhodeIsland@gmail.com. Our Twitter handle is http://twitter.com/BSidesRI and our site is at http://www.securitybsides.com/BSidesRI
Check out our last year: Adam Shostack, Jeremiah Grossman, Dan Geer, Alan Paller, Dr. Anton Chuvakin, Thomas Ptacek, Marcus Sachs, Kevin Finisterre, Nick Farr, Gene Kim
- The Stogie Geeks Show! - For cigar enthusiasts, by cigar enthusiasts.
- Please subscribe to the PaulDotCom Insider Newsletter for all things PaulDotCom, discounts on training, and updates on cool stuff we're doing (like looking for people to help, take people under our wings and teach them security, etc...)
- We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library. We are also working on updating all of the articles, so check the newsletter or if you want to help in exchange for some free guidance and security training please email me.
- Larry teaching SANS SEC617 all over and coming to a city near you in 2013
Interview: Eric Cole
- Does state sponsored hacking really go on, does it change anything, and does it really matter?
- Do targeted attacks happen to everyone? What can we do to prevent them? How many resources should you dedicate to protecting against targeted attacks?
- Ban on demanding Facebook passwords among new 2013 state laws | Reuters - I would be totally creeped out if my employer asked for my Facebook password. Does that even need to be a law?
- Security flaw found in app used for 'safe sexting' - Why is it that people just love to expose themselves on the Internet? Snapchat, Wickr and other apps such as Facebook's Poke have become popular among teens who believe they are a "safe" way to send explicit pictures of themselves to friends. The reason they believe these apps are safe is because videos and texts sent via them are deleted after a short period of time determined by the sender. Get this though, the app would leak the email address based on a bad password (you need to just know the username), also you could see who the person had been sexting with by visiting a URL based on the username. I guess that's what happens when you let your fourth grader be in charge of web app security.
- NYC mayor pins crime rate spike on iPhone - I can't even believe I read this, what a backwards view on security.
- Hacker at Public Works went unnoticed for days - Tell me this is not a page right out of one of your pen tests. This is somehow news?
- Facebook Patches Webcam Vulnerability After Receiving Hacker Tip - Took them 4 months to fix it, ouch! In the meantime, millions of people were spied on while typing in front of their computer, OMG the horror!
- Best Book Bejtlich Read in 2012 - Always love to buy the books on his list, so everyone should go out and buy SSH Mastery by Michael W Lucas and For the President's Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush by Christopher Andrew.
- Microsoft Rushes Out ‘Fix It’ For Internet Explorer 0-day Exploit - I guess we will never stop hearing about IE 0-Day.
- Security Researcher Compromises Cisco VoIP Phones With Vulnerability - Dark Reading - This is one of the best hacks I've seen in some time. I think some of the stuff we talk about is cool, but not-so-practical. This allows you to tap into people's phones and turn them into listening devices. Now that's interesting!
- c0decstuff: Defeating Windows 8 ROP Mitigation - The cat and mouse game between attackers and Microsoft has always been a battle. However, over the years exploits are harder to write, and time will tell if we've hit a plateau. What if Microsoft really can't make it more difficult for attackers to exploit vulnerabilities? What if we can't add to the time it takes to exploit stuff?
- Metasploit: 5 Tips to Ensure Safe Penetration Testing - I completely disagree with the analogy that vulnerabilities are just "unintentional APIs". That is a ridiculous claim. Vulnerabilities are weaknesses, and accessing them is usually going against the way the program was intentionally written. It also sometimes causes something to crash, for example a buffer overflow is sorta like a controlled crash. The lines between what is a "reliable" exploit and what is not are blurry. There are many factors that will change the behavior of an exploit (esp. ones that involve any type of memory manipulation, as memory is volatile if you can remember that from your first computer course). There are really only two categories of reliability, ones that allow commands to run without causing a crash and those that don't. And really what I mean is that command execution in a web app is almost always more reliable than a buffer overflow or memory corruption. However, fingerprinting the target is extremely important, get that wrong and you could just crash the system anyhow.
- Celebrity hacker gets ten years - This story caught my eye for a few reasons. One, Scarlett Johansson is smoking hot and I just watched the Avengers (which I really liked). Okay, so this guy used the tried and true method of hacking the security question to change the password on someone's account. We really need to do a better job of educating people about the security question, it's really just another password and should be treated as such. Google two-factor authentication is the way to go and will prevent this type of attack, implement it on all your systems now. As penetration testers we do the same thing, recon and guess passwords and/or "secret" questions (more like "secret" answers). The hacker did other things like forward all of your email to him. This may sound like a fun and easy thing to do in order to kill a weekend, but it landed him 10 years in prison (not so fun unless you're into being shanked and raped).
DEFCON Documentary Sneak preview - [Larry] - Should be neat. 20 years in the making. Jason Scott and crew have released a 20 minute tease of the documentary.
IE 0-day - [Larry] - A fix is out… and it only affects IE 6, 7 and 8 (not 9 and 10). This of course is still prevalent in many places where newer browsers are unsupported by certain mission critical applications. Sigh. How do developers/vendors get away with this?
Inclusion in Tactical Countermeasures? - [Larry] - Seeding your real data with fake data, then alerting on it when it moves, or gets published elsewhere. Interesting concept. I'd even argue that access of this data should trigger alarms, because just maybe if it is accessed, it is outside of "normal" filtered means.
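As an added example (not from the show or any tool it mentions), here is the alerting half of that idea: two constructed canary customer records are seeded into a real table, and a scanner flags any internal access-log line that touches them (Larry's "access should trigger alarms") and, at higher severity, any copy that turns up in an external dump. Record ids, emails and log lines are all constructed for the example.

```python
import re

# Constructed canary records that exist only to be watched; nobody legitimately
# queries, exports or emails them, so any mention is suspicious.
CANARIES = {
    "cust-900117": "m.hartwell@example.invalid",
    "cust-900238": "d.okafor@example.invalid",
}

# Map each distinguishing value (id or email) back to its canary record.
LOOKUP = {}
for cid, email in CANARIES.items():
    LOOKUP[cid] = cid
    LOOKUP[email] = cid

# Tokens that can carry an id or an address; commas and spaces split tokens.
TOKEN_RE = re.compile(r"[A-Za-z0-9._@-]+")

def scan(source, text):
    """Return (source, canary_id, line) for every line mentioning a canary.
    source is 'access' for internal query logs or 'external' for data
    found outside the organisation (paste sites, dumps, third parties)."""
    hits = []
    for line in text.splitlines():
        ids = {LOOKUP[t] for t in TOKEN_RE.findall(line) if t in LOOKUP}
        for cid in sorted(ids):
            hits.append((source, cid, line.strip()))
    return hits

def alerts(access_log, external_text):
    """Internal access is MEDIUM (possibly a broken filter); an external
    sighting is HIGH (the data has already left)."""
    out = []
    for src, cid, line in scan("access", access_log) + scan("external", external_text):
        sev = "HIGH" if src == "external" else "MEDIUM"
        out.append(f"{sev} canary {cid} seen in {src}: {line}")
    return out

# Constructed sample input: a CRM query log and a snippet found on a paste site.
ACCESS_LOG = """\
2013-01-03T09:12:44 app=crm user=svc_reporting action=select rows=2500 ids=cust-100001..cust-102500
2013-01-03T09:13:02 app=crm user=jdoe action=select id=cust-900117
2013-01-03T09:14:10 app=crm user=jdoe action=export ids=cust-900117,cust-900238
"""
PASTE = """\
leaked customers 2013
cust-100523,a.user@example.invalid
cust-900238,d.okafor@example.invalid
"""

if __name__ == "__main__":
    for a in alerts(ACCESS_LOG, PASTE):
        print(a)
```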
- Finding svn Files During Pentesting - SANS article by last week's guest, Tim Medin on being able to find source code on servers because developers leave the .svn directories (Subversion version control) on the production server. This allows people to load the source of files in a browser. But no, you still can't just View Source on a php file and see the source code.
- Adrian "Irongeek" Crenshaw keeps a zoo of web shells that he has found which are just fascinating to me and often fun to pull apart. Plus, they're a great web server management tool. Thank you to whoever wrote them.
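As an added example (not from Tim Medin's SANS article or the show), a pre-deployment check a defender can run over a web root: it reports version-control metadata directories that were deployed along with the site and lists the pristine copies Subversion keeps under .svn/text-base, which a web server hands out as plain text because the .svn-base extension is not routed through PHP. It generalises past .svn to .git and .hg; the demo tree is constructed in a temporary directory.

```python
import os
import tempfile

# Version-control metadata directories that should never reach a web root.
VCS_DIRS = {".svn", ".git", ".hg"}

def find_vcs_dirs(root):
    """Return VCS metadata directories under root, relative to root.
    Matches are pruned so the walk does not descend into the metadata."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in [d for d in dirnames if d in VCS_DIRS]:
            found.append(os.path.relpath(os.path.join(dirpath, d), root))
            dirnames.remove(d)
    return sorted(found)

def pristine_copies(root):
    """Return files under any .svn/text-base directory: copies of server-side
    source stored with a .svn-base extension, served verbatim if reachable."""
    out = []
    for meta in find_vcs_dirs(root):
        text_base = os.path.join(root, meta, "text-base")
        if os.path.isdir(text_base):
            out += [os.path.relpath(os.path.join(text_base, f), root)
                    for f in os.listdir(text_base)]
    return sorted(out)

def make_demo_webroot():
    """Constructed layout of a deployment that dragged .svn along with it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.php", "inc/db.php", ".svn/entries", "inc/.svn/entries",
                ".svn/text-base/index.php.svn-base"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("constructed placeholder\n")
    return root

if __name__ == "__main__":
    root = make_demo_webroot()
    for d in find_vcs_dirs(root):
        print("deployed VCS metadata:", d)
    for f in pristine_copies(root):
        print("source copy served as plain text:", f)
```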
Jack's Stories from the Porch
- TurkTrust, a Turkish CA issued some bogus intermediate CAs, and one was used to sign fraudulent google.com certificates. I think this is a Bad Thing.
- Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt according to the New York Times. Of course, the headline "Outmaneuvered at Their Own Game, Newspapers Struggle to Adapt" works, too. I love the irony.
- Study: 94 Percent of Healthcare Organizations Breached at least according to a Ponemon study (it might be right anyway). And six percent are unaware?
- All current versions of the Ruby on Rails Web framework have a SQL injection vulnerability; good thing nothing important uses that framework.