Episode80

From Paul's Security Weekly

Episode Media

mp3

Tech Segment

"Just Plane Fun" - A "Bob" Story

Stories for Discussion

Medical Contractor Folds - [Larry] - This is a revisit of the whole mess about verifying how your third parties handle your data. In this case, the vendor was responsible for at least 5 confirmed cases of data loss/breach. As a result, if a company breaches, you can possibly damage your business enough to go out of business. Another example is TJX, which just posted that they ate $118 million last quarter dealing with their breach. Here are some good cases for security in your organization!

Cisco VPN client vulnerabilities - [PaulDotCom] - These are both for Windows only and affect versions 4.8 and 5.0. Most people are running as administrator anyhow, so it doesn't really matter. Is there a difference between administrator and "LocalSystem"?

SQL injection is easy - [Larry] - I bet Paul already added this, but I will say that Google is clearly your friend in hunting some of these attacks down. [PaulDotCom] - Yea, we should make this a tech segment; however, combine this with a tool like gooscan, and you can autoscript your way home. NEWSFLASH: the attackers have been doing this for a long time, and web application vulnerabilities are *almost* enough of a problem for the higher ups to actually pay attention to them.

Default Router config authentication bypass - [PaulDotCom] - Apparently a popular router in use in Mexico is deployed in such a configuration that it allows anyone to modify the config with things like:

Set a password (NUEVOPASS): http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NUEVOPASS&PASSWORD_CONF=NUEVOPASS 
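From the defender's side, the thing you want to know is whether anyone has hit that management page with config-changing parameters, and whether they did it from outside the router's own LAN. The following is an added example (not from the show or its hosts) that scans web access-log lines for exactly that; the log lines are constructed, the common log format and the 192.168.1.0/24 LAN are assumptions, and only parameter names (never the submitted password values) are reported:

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Assumption: the router's LAN is 192.168.1.0/24 (the device address on the page is 192.168.1.254).
LAN = ip_network("192.168.1.0/24")

# Query parameters on the management page that change configuration
# (names taken from the URL quoted above).
CONFIG_PARAMS = {"ENABLE_PASS", "PASSWORD", "PASSWORD_CONF"}

# Common log format request line: client, timestamp, method, path, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; password values are replaced with REDACTED.
SAMPLE_LOG = """\
192.168.1.10 - - [20/Aug/2007:10:01:12 -0400] "GET /xslt?PAGE=A05&THISPAGE=A05 HTTP/1.1" 200 512
203.0.113.7 - - [20/Aug/2007:10:02:45 -0400] "GET /xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=REDACTED&PASSWORD_CONF=REDACTED HTTP/1.1" 200 220
192.168.1.23 - - [20/Aug/2007:10:03:01 -0400] "GET /xslt?PAGE=A05_POST&ENABLE_PASS=on&PASSWORD=REDACTED&PASSWORD_CONF=REDACTED HTTP/1.1" 200 220
192.168.1.77 - - [20/Aug/2007:10:04:19 -0400] "GET /index.html HTTP/1.1" 200 1024
"""


def find_config_changes(log_text):
    """Return one finding per request that touches config-changing parameters on /xslt.

    Each finding carries the client, timestamp, HTTP status, the parameter names
    involved (values are deliberately dropped) and whether the client is off the LAN.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m["path"])
        if parts.path != "/xslt":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        touched = sorted(CONFIG_PARAMS & params.keys())
        if not touched:
            continue  # a plain page view, not a change
        client = m["client"]
        try:
            off_lan = ip_address(client) not in LAN
        except ValueError:
            off_lan = True  # unparseable client field: treat as suspicious
        findings.append({
            "client": client,
            "time": m["ts"],
            "status": int(m["status"]),
            "params": touched,
            "off_lan": off_lan,
        })
    return findings


if __name__ == "__main__":
    for f in find_config_changes(SAMPLE_LOG):
        where = "OFF-LAN" if f["off_lan"] else "lan"
        print(f"{f['time']} {f['client']:<15} {where:<7} {','.join(f['params'])} -> {f['status']}")
```

A 200 on a request that carries PASSWORD parameters from an address outside the LAN is the case the story describes: the change went through with no authentication. Pointing the same check at a firewall or proxy log in front of the device works identically, since only the request line is parsed.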

10 things the WSJ can do to get you fired - [Larry] - Wow, we couldn't believe this story. It basically read as the top 10 ways to skirt around and violate your company's IS policies. All I can say is, take the article, and make sure that your policies address all 10 issues. Punish those who violate the rules. If you want to violate corporate policies, be aware that they are a real good way to get fired. I don't know about you, but my job is more important than having to get away with not doing my job right.

Ubuntu servers were pwned - [PaulDotCom] - Hate it when that happens: "More than 15 outdated, unpatched Web applications running in parallel on separate servers contributed to the problem." Well, that'll do it every time!

Security via School of Hard Knocks - [Larry] - Learn from some of the mistakes these folks made. I suspect that these are the reasons that you listen to us, so that we can impart some of our stories to you all. Let's discuss some of the lessons learned from this article...

PHP Hacking site & Pheolite sites shut down because of new German hacking laws - [PaulDotCom] - This just plain sucks, but they are moving all of their web sites to the Netherlands. So, what is the point of the German hacking law?