Paul's Security Weekly - Episode 465 - 6:00PM
This week we interview Neil Wyler aka Grifter, we liked listener feedback so much we're going to do it again and talk about disclosure and evil domain squatting, in the stories of the week Chrome blocks flash and things get hacked.
Recorded May 19, 2016
Interview with Neil Wyler aka Grifter
Hacker, Geek, DEFCON & Black Hat CFP Review Board Member, DEFCON Contest\Village\Events Lead Goon, Black Hat Staff, DC801 Founder, 801Labs Hackerspace Founder
- Three words to describe yourself.
- If you were a serial killer, what would be your weapon of choice?
- If you wrote a book about yourself, what would the title be?
- In the popular game of ass grabby-grabby, do you prefer to go first or second?
- Choose two celebrities to be your parents.
Listener Feedback Segment
I went back and watched your episode on responsible disclosure after I inadvertently found a vulnerability in a store's web site that allows you to access and modify the account details (name, address, phone number, e-mail). The company was immediately notified and I was essentially told "Thanks but I'm being told I can't talk to you about this any further. I'm sorry." HackerOne had no information on disclosure to them, and they have yet to fix the issue (disclosed 16 April). My main questions are:
- If they don't fix it within the next few weeks, should I re-engage with them?
- If they still don't fix it, is there a "safest" way to disclose it?
I came up with a fairly novel/simple idea while dealing with a customer who very, very nearly got spear phished on the exceedingly common CEO/CFO wire transfer bit. On a side note, what I discovered in the process is that Vista Print is currently offering a 1 month free website/domain trial; I sent something to them and their partnered domain registrar Tucows warning them of the possibilities, but I’m doubtful I’ll hear anything back. The problem is that some attacker clearly created a phishing domain… more specifically substituting a ‘rn’ for an ‘m’ character in a quite lengthy domain name. Anyway, my idea was to run URLCrazy (or your favorite similarly named domain generator) and then blacklist all of those “discovered” domains on the anti-spam server. I’ve never heard of anyone suggesting this, but it would obviously avoid the need to buy 100+ domains while blocking all of those domains now and in the future. In case you are curious, the domain was just recently registered (yesterday) so checking the domain record for “newness” would have worked as well.
Stories of the Week - 7:00PM-8:00PM
In the Press:
- Microsoft Disables Wi-Fi Sense on Windows 10
- 2012 LinkedIn Breach Just Got a Lot Worse: 117 Million New Logins For Sale
- Ubiquiti Networks Gear Targeted By Worm
- SkinTrack Turns Your Arm Into a Touchpad. Here’s How It Works
- Apple bans Stefan Esser's iOS security info app
- OkCupid Study Reveals the Perils of Big-Data Science
- Google Chrome Will Switch Off Flash Content By Default
- Hacker Fans Give Mr. Robot Website Free Security Checkup
- TeslaCrypt's Master Key Released To The Public
- Vidyo Flaw Leaks Videos And Local Files
- You'll still be able to hack Linksys WRT routers with open source firmware despite new FCC rules
- LinkedIn Zombies - The breach in 2012 revealed 6.5 million passwords, and now another 117 million show up from that same breach, many of which still work. Looks like LinkedIn only forced a reset on the 6.5 million compromised ones, not a full sweep.
- TeslaCrypt shuts down, releases master decryption key - Whoa. I didn’t even think that ransomware folks would go out of business...
- top 10 security podcasts … um, exotic liability? I mean good stuff, but the links are 404...
- When encryption is not enough for HIPAA - It is all out the window when you get robbed at knifepoint, tied to a tree and “coerced” into revealing the encryption passwords. Full disclosure: I used to work for the now CIO at BWH. (yes also an old article, but I stumbled across it today courtesy @SwiftOnSecurity)
- the “blank” Amazon dash IoT button - I wonder what we can do with these...
And an nmap pro tip from @AnarchistDalek on twitter:
scan with nmap <switches> -oX foo.xml then follow (or pipe) with/to xsltproc foo.xml -o bar.html and take in the beauty