Episode53

From Paul's Security Weekly
Jump to: navigation, search

Episode Media

mp3

Stories For Discussion

Nmap Online: Oops - [Paul] - A message to all who wish to put up web applications for usage by security professionals/hackers: Make certain you application is secure and doesn't allow people to execute shell commands and scan your local subnet. See Nmap Online - [Larry] - Yes, security professionals can make mistakes. I wonder if they had tested it before hand. Another set of eyes is always a good thing.

Week of Oracle Exploits canceled - [Nick] - Guess money talks? - [Larry] - ...or a Cease and Desisst letter talks. I'm not sure how it would work with an Argentinian company though. Either way, potential threats of getting sued into the stone age would make me think twice. It just goes to prove that the vendors should not be able to control the vulnerability release. Of course, those 0-day vulnerabilities are still out there, not able to be disclosed, and who knows when we'll get a patch.

Hackers not afraid of being caught - [Nick] - Hackers have so many ways of protecting themselves. The motivation has changed. MONEY. [Larry] - Not to mention, if you own a few hundred thousand bots, it is no big deal to sacrifice a few for some loot. "Crunch all you want, we'll make more".

Government to investigate Spying program - [Nick] - The US Government will investigate the "Domestic Spying Program". Can you say encrypt everything everywhere no matter what?

Charges against Christopher Soghoian (Boarding Pass generator guy) dropped. - [Nick] - Funny as he sent me an email shortly before all this. Hah

Malware for Vista already? - [Larry] - nothing new for attacks, just same threats that Vista may not completely catch - webmail. Sure, it may require user intervention (Are you sure you want to run this?), but how many users click blindly without understanding? I wonder if the M$ exec is having second thougts about letting his children surf without AV protection.

Learn security the "hard" way - [Larry] - Some attractive individual sells you their laptop, they give you the password, and then later you discover VERY compromising pictures of said attractive individual on the laptop. Discover later the said attractive individual is actually a very popular TV personality. Oops. Clearly, you need to wipe your drives before sending them on, but you also need to be careful what you send to the digitial domain - chances are, if you post it on the internet (or possibly put it on media that gets shared/traded/sold) it will be out there for a LONG time. Can you say Gogle cache and archive.org?

Apple releases 31 patches - [Larry] - I found this interesting that the first one on the list was an Apple Airport vulnerability, which may be the same one discovered by Cache and Maynor (I'm still not sure). At least Apple did credit HD Moore. HD Moore also stated that the Airport vulnerability was the only one that they have patched to date out of the MOKB.

Oracle and Open Identity Protection project - [Larry] - I wanted to throw this one out for discussion, as I'm on the fence. Sure, Oracle will be leading the development, but it is allegedly "open" for review which might make a good thing. That being said, with Oracle's track record for impeccable security (note: sarcasm) are they the right nes to be developing security for identities?

Fan hacks Linkin Park frontman's cell - [Larry] - ...well at least his cell service. I'd love to hear more on how - password brute force, social engineering, etc. Apparently HACKERS ARE EVERYWHERE, as the alleged hacker is/was a 26 year old woman employed at Sandia National Laboratories (developers of security stuff), and her PC at work was used to access the singer's online account.

Paul's Stories:

http://www.zone-h.org/content/view/14395/31/

http://www.astalavista.com/?section=news&cmd=details&newsid=3046 -

http://www.professionalsecuritytesters.org/modules.php?name=News&file=article&sid=688 - Web 2.0 Testing For Nick :)

http://www.matasano.com/log/626/beansec-3-tomorrow-cambridge/ - Beansec! Check out Thomas Ptacek on Tenable Security interview with Ron Gula, and Dino Dai Zovi on Sploitcast!

http://www.professionalsecuritytesters.org/modules.php?name=News&file=article&sid=687 - VoIPSA, check it out...

Other Stories of Interest

Geeks dream: Human Wifi detector - [Larry] - apparently a 49 year old UK woman can sense the 2.4ghz spectrum. Now maybe not this geek's dream (I like mine younger at this point, and not already "prodded by 1,000 fingers), she certainly might be handy to have around on my next wireless pentest/rogue AP discovery.