Security Weekly - Episode 355 for Thursday December 5th, 2013
- We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
- We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details!
- The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!
- Larry teaching SANS classes: Check out his SANS page for the details" 617 in DC in December, and in Orlando in March, Also 571 at RSA
Guest Interview: Jens 'Atom' Steube(@hashcat)
Before he wrote hashcat he was a bug hunter for fun, focusing on open source software. After 2005 he only did bug hunting on commercial software and therefore not allowed to disclose product names. In 2010 he started hashcat and since that time it's the only project he's been working on.
- how was hashcat conceived ?
- for the n00b, what is the difference between hashcat, and oclHashcat-Lite and oclHashcat/oclHashcat-plus - [Larry]
- describe the amount of research that goes into reverse engineering some of the storage algorithms> (for example Oracle spare4/sha-1) - [Larry]
- what are some of the new algorithms that are proposed for implementation in the future? - [Larry]
- whats the largest password cracking concept you've seen so far (cpu/gpu clusters)
- with the advent of quantum computing, how do you see password cracking evolving?
- Three words to describe yourself
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of Ass Grabby Grabby do you prefer to go first or second?
- Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?
Tech Segment: http://www.scriptalert1.com/ by Thomas MacKenzie (@twmackenzie) and Ryan Dewhurst (@ethicalhack3r)
Thomas works for NCC Group as a Security Consultant, conducting all different types of security assessments.
Ryan is a British Computer Security graduate, security enthusiast and Security Engineer for RandomStorm living in France. He is interested in Web Application Security and Information Security in general.
http://www.scriptalert1.com is a very simple and concise platform to explain Cross-Site Scripting, it's dangers and mitigation. Our aim is for penetration testers to include a link in their pen test reports to the resource and to get it to be the defacto description for semi-technical / tech savie managers.
- "Secure your Apache server from DDoS - I had to do this earlier today, go figure, and not on a live server. Web Mirror has improved!
- No security ever built into Obamacare site: Hacker - I <3 Dave Kennedy, he is my hero.
- "Pen tester scoops source code in bug hunt contest - I stole your source code, yet I don't get a bug bounty? WTF? There are rules to hacking? COME ON!
- Malware jumps 'air gap' between non-networked devices | Security & Privacy - CNET News - Fact or Fiction?
- Using The Human Perimeter To Detect Outside Attacks - My other computer is a human.
- SANS Technology Institute accredited for masters in security - Congrats!
- "Hacker-built drone can hunt - Drones hunting drones, YES....
- Shadow IT is undermining your security - All IT is shadowy now.
- OSIRT – WordPress OptimizePress hack (file upload vulnerability) - Oops
- Bypassing Seagate ATA Security Lock - This rules..
A request: can anyone provide me links to the "Cupid password breach" and not the Adobe one, as well as the new Facebook/Google/Twitter one as well. I ask because ou guys pulled through on the A5/1 rainbowtables.
- forget the high tech boogeyman... - [Larry] - Apparently while Dragos was ranting on abotu the boogeyman that is BadBIOS, someone went and tool a much more conventional approach and hacked all of his things….and then posted it to Pastie.
- From the “maybe Dragos isn’t so crazy department” - [Larry] - Researchers from Germany’s Fraunhofer Institute (ya know, the MP3 folks) created POC malware that can communicate using PC audio, using inaudible tones, at 65 feet for full control.
- Dlink user-agent bypass… - [Larry] - WOOHOO! they admit it and patched with a firmware update. The problem is, how many consumers update the firmware?
- Need some automation? - [Larry] - “Formally BackTrack scripts. For use with Kali Linux or BackTrack - custom bash scripts used to automate various pentesting tasks.” Love it.
- When your bug bounty goes bad - [Larry] - So this fine gentleman finds a bug in Prezi after they offer a bounty program. Prezi responds saying that the bug was “out of scope”. No soup for you. What was the bug? He recovered all of the Prezi source code by examining the (supposed to be non-)public github repository of the founder, found embedded credentials there that still worked against infrastructure used for their “commercial” product which allowed him to retrieve all of the product source code.
- Want an amazon drone? - [Larry] - Samy Kamkar (good guest for the show?) had some concerns about this whole Amazon drone thing, so he wrote some stuff to hack AR Drones (using the wifi connection that is used to control them) and turn captured drones into zombies. Sure, not the same drones that Amazon uses, but the RF and security concepts are the same at a base level.
- RF Safe Stop shuts down cars - [Larry] - Interesting. It is like a mini-EMP that shuts down car electronics, but allegedly does not permanently damage them. It uses L and S band radio frequencies (hello ham radio operators), and according to the company, it “added that it did not believe the RF Safe-Stop posed any risk to people using a pacemaker.” Riiiiiight.
- All Defcon videos posted online
- All Blackhat videos posted online including my talk, "Denying Service to DDOS Protection Services" which is(in my unbiased opinion) the best one!
- Schmoocon 2013 videos posted online
- How Many Zero-Days Hit You Today? An interesting article that provides a glimpse into the 0day market, by volume.
- Infamous Skynet Botnet Author Allegedly Arrested Apparently the author of the bitcoin mining tor based botnet was arrested in Germany. His/her twitter was unusually silent for the past few days, aside from a single tweet claiming that the authorities arrested the wrong person. Only time will tell, though.