Episode56

From Paul's Security Weekly
Jump to: navigation, search

Episode Media

mp3

Stories for Discussion

Basic PHP Security - [Joe] - SQL injections, lols, etc

Sniffing panties Ethernet Undetected - [Joe/Nick] - This is amazingly trivial yet this guy made an article about it like it was something new...??? [Larry] - There is some good commentary in Chapter 4 of Wireshark & Ethereal Network Protocol Analyzer Toolkit. DNS = bad!

MySpace Gets Goatse! - [PaulDotCom] - This was just funny. I love the email from the myspace usah...

Five Hackers Who Left a Mark on 2006 - [Joe/Nick] - David Maynor is so dreamy! <33333 [PaulDotCom] - Agreed! But Johanna still steals my heart.... [Nick] Johanna == <33333333 [Larry] - What no love for Jon Ellch?

MOAB (Month Of Apple Bugs) Kicks off - [PaulDotCom/Nick] - So far we have seen vulnerabilities disclosed with Quicktime (2), and VLC. [Larry] - OMG! Pwnies! "Mac bugs come in pink." ™

MOAB Fixes Blog - [PaulDotCom/Nick] - An entire site dedicated to producing unofficial patches to each vulnerability disclosed through MOAB. Question: What does everyone think about this? Is this a good way to disclose? Should we install the patches from the above site? [Larry] - Yay! More third party patches! I'd certainly evaluate these patches for your environment, depending on your risk level.

Wave Bubble - [Larry] Hmm, so a clear indicator of some of the inherent vulnerabilities with wireless - the medium itself.

Wireless Forensics: Part One - Tapping the Air - [PaulDotCom] - In this article our good friend Raul Siles covers the challenges presented when do wireless captures for forensic purposes. It is very thorough, and even offers some commercial solutions for capturing data on all 14 channels. One question I've always had, is who is liable for the data? Such as, if I am working for a client, I sniff the air, but I also pick up the coffee shop next door, whose traffic contains someone's credit card number or other personal information. Hrmmmm... [Larry] Raul is officially a madman, This has to be one of the most detailed SecurtyFocus articles I've ever read. Definatley a good read.

Starting out in Securty - [Larry] - We get asked this one all the time, and Richard Bejtlich has some great responses.

23rd Chaos Communications Congress - [PaulDotCom] - CCC is a hacking group that has been around forever, and this years conference had some neat presentations:

Bluetooth Hacking Vid - This is the same one that was presented at Hack.lu. Not everything was new, for example a newer version of BTCrack was released. However a new tool for injecting keystrokes into bluetooth keyboards was released, called hidattack. Many Other Videos From 23c3 on Google Video. [Larry] - I need to test out the bluetooth Keyboard injection.

Bluejacking Video using a Nokia 770 - [PaulDotCom] - Warning, includes cute blond. [Larry] - From "The Real Hustle", which is a great show. Search youtube for more. They do a great job of explaining complex security concepts and hacks for the masses.

First MMS Vulnerability Disclosed - [PaulDotCom] - Apparently I should have made the trip to Berlin, as this was also released at CCC. More information, including exploits and presentation, can be found here

Adobe Acrobat Plugin - Multiple Vulnerabilities - [PaulDotCom/Nick] - This was also disclosed at CCC, and details multiple attack vectors, particularly XSS attacks, in the adobe reader browser plugins. As far as I can tell, these have all been fixed. [Nick] - Didn't I talk about this and predict this months ago on the show?! Yes.. yes I did.. :)

Blackhat Vids have been posted - [PaulDotCom] - All of the blackhat vids from 2006 have been posted. Check em' out!

Great Article on Secure Coding (delete/delete[] - [PaulDotCom] - Matasano does a great job of summarizing, full details available in the original advisory from The Art Of Secure Software Assessment.

Beware of Flash Phishing - [PaulDotCom/Nick] - Flash is truly evil. [Nick] - Fuck Flash

Nice List of popular web hacking articles/papers - [PaulDotCom] - Good stuff that we are either dealing with now, or will be dealing with very soon.

Roger G. Says Wireless Vulnerabilities are a big deal - [PaulDotCom] - I agree, but even more so when talking about mobile devices and WiMax, which break down the geographical limitations of 802.11.

Get Your LANMAN Rainbow Tables While they're hot! - [PaulDotCom] - Please, its 2007, Disable LANMAN Hashes! Do it on the servers and on the clients and force a password change. Do it now!