Episode44

From Paul's Security Weekly

Episode Media

mp3

This week's music from Dj Jackalope!

Storytime With Twitchy

Twitchy warns us all about the risks of browsing the dynamic web world we live in today (Flash, JavaScript, "Web 2.0", etc...). His recommendation for a web browser is elinks. So, check it out!

Stories for Discussion

Firefox Updates - [Paul] - Yes, we love Firefox, however it has flaws too. Go to Help - Check For Updates... to get them.

ANOTHER IE 0day - [Paul] - Had to mention it, since Firefox announced some vulns. There is no patch for this one.

Fantastic email from listener:

"I just would like to let you guys know that my company has officially told everyone to stop using IE and install and use Firefox. Super busy today, because I am answering a lot of help desk tickets related to it, but it is worth it because later on I will have less issues to deal with."

Craigslist Social Experiment - [Joe] - Interesting to see what kind of information people willingly give up with the hopes of getting laid <COUGH> FACEBOOK<COUGH>

Testing IPS - [Larry] - Apparently Govt. Comp. News used 85 attacks in Core Impact to test various IPS systems, and were able to block all of them after some tuning to the IPS. We told you it was a great tool...

Cisco VTP Vulnerabilities Discovered - [Paul] - One of them is a heap overflow sent via a VTP update. 0wning the switch, yummy.

Tor servers in Germany Seized - [Joe, Larry] - Privacy is a crime in Germany if you say that it's linked to child porn

Embedded Device Workshop at Toorcon - [Paul] - This looks cool, teaches you how to build your own AP using Soekris and an Atheros mini-PCI card. Definitely check this out if you are going to Toorcon. Esp. if you want to create a mesh!

When you break up, change your passwords! - [Larry] - When you end a trusting relationship (personal or otherwise), change your passwords! Think about how often you reveal your passwords to someone you trust, and then forget about...

Do You Pen-Test? - [Paul] - Pen tests are important, and this posting touches on many different areas, such as open-source tools that are more comprehensive (similar to Core), and internal pen testing teams.

Is WEP ever appropriate? - [Larry] - Well, what are your alternatives? Combine it with other methods for sure!

WiMax Security - Still an unknown - [Paul] - I think these problems will go beyond weak management protocols, which always seems to crop up in new products (like WiFi phones).

My favorite videogame - with cash prizes! - [Larry] - This sounds like the hacking the network series. ATM spits out $20s, and bills account $5.

Apple Releases Patch For Quicktime - [Paul] - Mac users need to update. Why can't they release the driver patches? Why do they always release an update that fixes 25 security vulnerabilities? Why don't they have a rating system and patch the critical ones quicker? Am I the only one that believes Apple's patch process is broken?

Who's watching the watchers? - [Larry] - When sending sensitive information off-site, encrypt it - even if it is your auditors! (Thanks Martin McKeay!)

Vista Still Vulnerable to pagefile attack found by Johanna - I'm light on the details here, but interesting that it's vulnerable, and public all in the same week.

C64 Forensics? - [Larry] - Forensics on "antique" computers. Commit a crime, use a Commodore 64. How the heck are we supposed to perform forensics analysis on these!

Analyzing malicious SSH login attempts - Fabulous article that takes a very close look at honeypot data collected from a system that was online for 22 days. Complete with recommendations.

Media Sanitization and Encryption - [Larry] - If you encrypt and remove every reference to the keys from the planet, should you need to wipe the data?

Stories of Interest

Wi-Fi toys posting chapters of their book - [Larry] - Cool, we all love free books. Neat stuff, and neat site.

Cool OS X "Hacking" Tools - Not all security related, but cool nonetheless.

SD Card Flash Add-on For your WRT - Cool hack.

Zotob authors jailed - [Larry] - 2 Moroccan men, 2 years in prison.

Schwarzenegger gets pwned - [Joe] - The real controversy here isn't Arnold's words so much as Phil Angelides' methods for obtaining the media. Angelides' staff claims it was accessed legally off a "taxpayer-funded, publicly available Web site."